by Audrey Dorofee

Asset-Based Information Security Risk Assessments

Jun 30, 2005

Protecting a company now includes not only its systems and networks but also its physical property and employee practices. Companies are moving beyond buying vulnerability checking tools and applying patches to protecting information; they are now seeking ways to proactively improve corporate resilience rather than waiting to react to each new vulnerability alert.

This new posture is motivated in part by self-preservation but also by increasing legislation and regulation. Information security assessments have rapidly become a requirement in both government and industry-related domains. The Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) are driving efforts to improve corporate security practices to meet a defined standard of due care. Reducing security risk is no longer a luxury; it’s an essential part of business success.

Method Possibilities

Many types of information security risk assessments are available in both the public and private domains. Organizations can conduct some assessments themselves; external consultants should conduct others. To choose the right assessment method, consider your organization, business objectives, current legislation, and any partnerships and supply chains. Also consider the method’s ability to accomplish the following:

  1. Assess security risks without disrupting organizational operations.
  2. Assess risks in context for relevant ROI.
  3. Enable targeted improvements.
  4. Assess risks in relation to your own business goals, objectives, mission, and so forth.

Why is it so difficult to find the right assessment method? No single method works under all circumstances or for all organizations. Vulnerability evaluations examine only specific systems or components to identify known weaknesses but can’t identify unknown weaknesses or estimate the company-specific impact and probability of an exploited weakness.

Model-based assessments such as CRAMM, COBRA (Consultative, Objective, and Bi-Functional Risk Analysis), or any HIPAA-specific method indicate how well your company approaches a designated ideal, but may not identify risks. System certification relies on predefined standards of what a secure system should be and on the system developer’s ability to define and implement the right operational security requirements.

Asset-Based Assessments

Asset-based assessments, on the other hand, examine the information that must be protected and how well systems and security practices provide that protection, thus providing a broader view of your organization’s security posture. They look at the information that is critical to meeting business objectives, then examine the systems that support this information. Asset-based assessments answer the following questions:

  1. What needs to be protected?
  2. From whom and from what must it be protected?
  3. How is it threatened?
  4. What happens if it’s not protected?
  5. How can protection be improved?

Focusing on critical assets also makes effective use of scarce resources. Ensuring intelligent choices about spending money is essential to avoid an unbalanced security budget that focuses on technological solutions at the expense of employee education and training. Further, protecting critical assets usually provides sufficient protection for less critical assets.

Multiple Objectives

So how does a company efficiently meet multiple objectives if a single method doesn’t exist? Conducting several assessments one right after another is exhausting and requires extensive resources. A better approach is to combine assessment methods and techniques. A standard of due care such as HIPAA or ISO 17799 can be embedded within asset-based assessments (such as OCTAVE®) to measure compliance and identify risks for security improvement efforts.

General guidelines. Determine the required objectives of the security assessment: practice improvement, compliance, controls audit, risk reduction, and so forth. One objective is primary; the rest are likely secondary. You should investigate the best available methods that meet the primary objective to determine whether any meet or can be adapted to meet the secondary objectives. If you cannot find a method or tailor one, you may need to use multiple methods and combine several activities to streamline the process. If specific, unique activities are required to meet a secondary objective, determine the best placement of that activity within the assessment method and integrate it. It’s also wise to include experts in applicable standards on the assessment team.

A rule of thumb is to gather information once but analyze multiple times. Most risk assessment methods involve similar activities or techniques for gathering information; the differences usually arise in the way the gathered information is organized, analyzed, and presented. Combining results can be tricky without preparation to ensure that the data being collected is sufficient for all the methods in use. Methods supported entirely by automated tools or a collection of tools may prove too difficult or expensive to adapt (if it is even possible to adapt them), and any combination or reuse of information for multiple purposes must occur independently of automated tools.

Note also that consultants or vendors who supply proprietary methods or tools are not likely to support this kind of integration without suitable incentive. This is a powerful reason for acquiring a method from the public domain and creating your own internal ability to assess security risk.


During the assessment and at its end, review the results to identify any unexpected gaps or missing information. Collect any missing information before proceeding too far into the assessment. If gaps aren’t discovered until the end, ensure that there’s time to finish the needed activities. Adapted methods should have a plan and schedule that allows for the unexpected. Finally, if you use any form of enterprise risk management or attempt to integrate security risks with other corporate risks, compare the results of the security assessment with the other assessments, identify the overlaps and conflicts in risks and mitigation plans, and make adjustments as needed.

It is a waste of resources and energy to run multiple, standalone security risk assessments. While there is no single solution for all security risk assessment needs, some can be used for multiple purposes. An asset-based method, for example, can be combined or expanded to meet many assessment objectives. Consider both short- and long-term needs before selecting an approach, and then fit these resources to your needs.

(c) 2005 Cutter Consortium. All rights reserved.