How To Analyze Security Needs
May 1, 2004 12:00 PM, By SAL DePASQUALE
Developing a comprehensive security plan requires methodical and deliberate analysis. Starting with a macro understanding of an organization and progressing to micro security tasks, it takes structure to compile and analyze a security plan. The resulting series of recommendations is orchestrated so that the recommendations complement and support each other.
It is a formidable undertaking, because few industry models exist. Few security programs are products of a comprehensive analysis; most are developed on an ad-hoc basis in response to a security incident. In fact, many security operations are designed for investigations after an event occurs, not for prevention.
The object of a security analysis is to identify security exposures in a methodical and thorough manner so that a security program is based on broad analysis and not simply on the last security incident. Analysis ensures that expenditures for security are directed appropriately based on local needs, thus protecting critical resources while accepting the risks stemming from lesser concerns.
The goal, however, is not to develop a foolproof security plan. An underlying concept is that an asset cannot be protected completely, without absorbing extravagant costs and without inhibiting business operations. The goal instead is to make it difficult — but not impossible — for an adversary to breach security. The level of difficulty depends upon the value of the asset and the organization's tolerance for risk.
The analysis process is divided into five phases: asset definition; threat assessment; vulnerability analysis; selection of countermeasures; and implementation. The process is arranged for a deliberate analysis and requires completion of each phase before proceeding to the next.
Asset definition begins with a broad understanding of the organization's operation, its tasks and functions, and its operating environment. At the beginning of an analysis, interviews are conducted with the organization's management and operating personnel to identify the resources essential for operations. This includes production equipment, operating systems, raw materials, finished product, inventory control and management systems, and the infrastructure of power, water, natural gas and telecommunications. Often, intangible assets are the most significant and are only discernible by examining the organization's operation beyond surface appearances. In effect, this step defines targets for attack.
Each asset may be further subdivided into micro components. An analysis may indicate that a particular asset must be defined in detail because of its criticality. Information technology is an example of a generally defined asset that may be further subdivided into an extensive list of system components, including equipment hardware, operating systems, applications software, database management systems, telecommunications and system documentation.
Both tangible and intangible assets should be categorized as vital (the loss would prove catastrophic); important (the loss would prove seriously disruptive but survivable); or secondary (the loss would be relatively insignificant).
A comprehensive security plan requires a broad definition of threats so that a range of exposures is considered. Through the analysis, the focus should narrow to target those threats that are deemed the most applicable.
Assessment begins by compiling data on past security incidents, including incidents at the site, within the company and within the industry. Determine if patterns of criminal behavior exist and define their nature. Review loss records, safety records and legal judgments involving the organization. Consult the company's legal counsel and examine court settlements to identify exposures with an implication for security.
Conduct interviews with management, insurance underwriters and local emergency management authorities to identify applicable threats. Review criminal data and compare crime rates for the nation, state, metropolitan statistical area, and the municipality.
Identify threats unique to the area and to the organization; locations where concentrations of hazardous materials are stored; and transportation avenues commonly used for transport of materials. Consider threats that may not have occurred yet, but are applicable because of the nature of the business and because of political and social issues.
A threat assessment is a qualitative analysis, although some quantitative techniques are used. It is important to emphasize that an assessment is a snapshot in time. As circumstances change, so does the threat environment. Consequently, the assessment must be updated to ensure that the security program is consistent with the needs of the time.
Each threat should be categorized as probable (expect the event to occur); possible (circumstances are conducive for an event); or unlikely (do not anticipate the event to occur). The severity of each issue should also be categorized as catastrophic (a disastrous event); moderate (a survivable event); or insignificant (relatively inconsequential).
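As an added example (not part of the article), a small Python risk register that applies the asset categories (vital/important/secondary) and the threat categories (probable/possible/unlikely; catastrophic/moderate/insignificant) described above, ranks the resulting exposures, and flags assessments that have aged past a review period. The rule for combining the three categories into a priority, the one-year review period and the sample entries are assumptions of this example, not the author's.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal ranks for the article's qualitative categories. The article does not
# prescribe how the categories combine; the product rule below is an assumption.
ASSET_RANK = {"vital": 3, "important": 2, "secondary": 1}
LIKELIHOOD_RANK = {"probable": 3, "possible": 2, "unlikely": 1}
SEVERITY_RANK = {"catastrophic": 3, "moderate": 2, "insignificant": 1}


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_class: str   # vital / important / secondary
    threat: str
    likelihood: str    # probable / possible / unlikely
    severity: str      # catastrophic / moderate / insignificant
    assessed: date     # when the judgement was made; the assessment is a snapshot


def priority(e: Exposure) -> int:
    """Score 1..27 = asset rank x likelihood rank x severity rank (KeyError on unknown labels)."""
    return ASSET_RANK[e.asset_class] * LIKELIHOOD_RANK[e.likelihood] * SEVERITY_RANK[e.severity]


def prioritize(register):
    """Highest score first; ties broken by asset class, then by threat name."""
    return sorted(register, key=lambda e: (-priority(e), -ASSET_RANK[e.asset_class], e.threat))


def stale(register, today_iso: str, max_age_days: int = 365):
    """Exposures assessed more than max_age_days before today_iso (YYYY-MM-DD); these need re-review."""
    today = date.fromisoformat(today_iso)
    return [e for e in register if (today - e.assessed).days > max_age_days]


# Constructed sample register for a fictional plant (values are illustrative only).
SAMPLE = [
    Exposure("process control network", "vital", "unauthorized remote access",
             "possible", "catastrophic", date(2002, 11, 1)),
    Exposure("finished-goods warehouse", "important", "theft of inventory",
             "probable", "moderate", date(2004, 3, 15)),
    Exposure("visitor parking lot", "secondary", "vehicle break-in",
             "probable", "insignificant", date(2004, 3, 15)),
    Exposure("natural gas supply", "vital", "supply interruption",
             "unlikely", "catastrophic", date(2004, 3, 15)),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(priority(e), e.asset_class, e.asset, "-", e.threat)
    for e in stale(SAMPLE, "2004-05-01"):
        print("re-assess:", e.asset, "-", e.threat)
```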
Security countermeasures represent obstacles in the path of a threat event. The objective is to make the event less likely to occur by making it more difficult for a perpetrator to accomplish the deed. Before introducing obstacles, however, the process for an event must be defined. Vulnerability analysis provides a mechanism for construction of security event scenarios defined in step-by-step detail.
© 2014 Penton Media Inc.