How2 manage IT - related risks


Author:
Spyros Kokolakis
Added:
17 January 2002
Updated:
20 August 2009

Main

STEP 1: Identify and model business activities

The cost of a potential incident can only be estimated in terms of the impact it may have on business activities. Therefore, the first step towards controlling risks is to identify and model the key business activities that depend on Information and Communication Technology (ICT) infrastructure. A simple method for creating a model of business activities is described below:

  1. Identify key business activities.
  2. Identify inputs and outputs for each activity. These may be data or tangible assets, such as products, documents etc.
  3. Decompose activities into sub-activities (or tasks) and identify the inputs and outputs of each sub-activity. Illustrate the resulting model with a simple sketch.

Figure 1: Example business activity model

If you want a deeper analysis, add controls and mechanisms to each sub-activity; this turns the sketch into an IDEF0 diagram. In Figure 2, "production schedule" is a control and "machine operator" and "production machines" are mechanisms.

Figure 2: Example activity with inputs, outputs, controls, and mechanisms

STEP 2: Identify the ICT systems

Now, identify the ICT systems that support the above activities. It is recommended that you sketch a diagram for each system. An ICT system consists of interconnected hardware and software components. It also includes services provided by external providers (e.g. Internet connectivity provided by an Internet Service Provider). Choose a descriptive name for each system and write it down. Then write down the components comprising the system.

The level of granularity is a matter of choice. In an example case, the system that supports a Website is given the name "Web Publishing System". It consists of a Database Server, a Web Server, a Router, the DBMS Software, the Webserver Software, and a Connection to the Internet.

STEP 3: Identify main data sets

Data are the core assets in every information system. At Step 3 you only need to identify and name the main data sets. You don't have to get into much detail. For example, you may name all customer-related data "Customer Data" and consider this a single data set.

STEP 4: Map activities to assets

Data and ICT systems are the assets you need to protect. In order to show how they relate to business activities you need to build a matrix showing the relationship between assets and activities. You may use a simple word processor or spreadsheet. Most activities are supported by a whole ICT system, in which case it suffices to show the relationship between the system and the activity it supports. Some activities, however, use specific ICT components; these relationships should also be recorded in the matrix.

Table1: Example asset/ activity matrix

STEP 5: Assess threats and vulnerabilities

Make a list of potential threats and then, for each threat, identify vulnerabilities in the system that would allow the threat to materialize. Consider:

  • Intentional human threats (e.g. hacking, denial of service, theft)
  • Unintended human threats (e.g. data input errors, maintenance errors)
  • Environmental threats and failures (e.g. fire, flood, hardware failure).

Rate each threat according to the likelihood of its occurring. Consider how probable it is that the threat occurs and affects the system, perhaps by exploiting some vulnerability. Do not take into account the damage it would cause; that is the objective of asset valuation (see below). Use a 0 to 5 scale.

Now, compose worst-case scenarios and check if they are plausible. Consider equipment failures, physical disasters, thefts, vandalism, viruses, hacking etc. Use the above scenarios to assess the possible impact of a security incident on business activities. Estimate how a security incident would affect each asset and consequently the business activities that depend on this asset. Consider for each asset the loss of availability, confidentiality, and integrity, separately. Use a 0-10 scale, where zero means no value and ten is reserved for life-threatening situations. Select a value for each of the security attributes (i.e. availability, confidentiality, and integrity) according to the loss or disruption to business activities.

STEP 6: Estimate risks

This is the only computational task and therefore you will need a spreadsheet. The measure of risk is estimated as follows:

  1. Delete threats with values less than two and assets with value less than three.
  2. Create threat/asset pairs, for each case that a threat may affect an asset.
  3. For each threat/asset pair multiply the value given to each asset attribute with the degree of the corresponding threat.
  4. Divide by five and round off the result to the nearest whole number. This is the measure of risk; since the asset value is at most ten and the threat rating at most five, it stays on the same 0 to 10 scale as the asset value.
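The calculation of Steps 5 and 6 as a small Python script, added here as an example (it is not code from the original article). Threat ratings, asset values and the exposure table are constructed placeholders in the spirit of the Web Publishing System of Step 2. Two points the text leaves open are resolved as labelled assumptions: each threat is mapped to the security attributes it can degrade (denial of service only to availability, for instance), and an asset is dropped under Step 6.1 only when it is valued below three on every attribute.

```python
"""Steps 5 and 6 of the method above, as a spreadsheet replacement.

Added example, not code from the original page. The threat, asset and
exposure data below are constructed placeholders.
"""
from dataclasses import dataclass

ATTRIBUTES = ("confidentiality", "integrity", "availability")
THREAT_CUTOFF = 2   # Step 6.1: threats rated below 2 are dropped
ASSET_CUTOFF = 3    # Step 6.1: assets valued below 3 are dropped


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int       # Step 5 rating, 0..5
    affects: frozenset    # ASSUMPTION: the attributes this threat can degrade

    def __post_init__(self):
        if not 0 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 0..5")
        if not self.affects <= frozenset(ATTRIBUTES):
            raise ValueError(f"{self.name}: unknown attribute in {self.affects}")


@dataclass
class Asset:
    name: str
    value: dict           # Step 5 worst-case impact per attribute, 0..10 each

    def __post_init__(self):
        for attr in ATTRIBUTES:
            if not 0 <= self.value.get(attr, 0) <= 10:
                raise ValueError(f"{self.name}: {attr} must be 0..10")

    def is_relevant(self) -> bool:
        # ASSUMPTION: "assets with value less than three" means an asset whose
        # values are below 3 on every attribute; one attribute >= 3 keeps it.
        return max(self.value.get(a, 0) for a in ATTRIBUTES) >= ASSET_CUTOFF


def risk_score(attribute_value: int, likelihood: int) -> int:
    """Steps 6.3 and 6.4: value x likelihood, divided by 5, rounded half up.

    Integer arithmetic: floor(p/5 + 1/2) == (2p + 5) // 10, so no float
    rounding surprises. The result stays on the 0..10 scale of the asset.
    """
    return (2 * attribute_value * likelihood + 5) // 10


def estimate_risks(threats, assets, exposure):
    """Return (asset, threat, attribute, risk) rows, highest risk first.

    exposure maps an asset name to the names of the threats that can affect
    it; these are the threat/asset pairs of Step 6.2.
    """
    live_threats = {t.name: t for t in threats if t.likelihood >= THREAT_CUTOFF}
    rows = []
    for asset in assets:
        if not asset.is_relevant():
            continue
        for threat_name in exposure.get(asset.name, ()):
            threat = live_threats.get(threat_name)
            if threat is None:        # rated too unlikely in Step 6.1
                continue
            for attr in ATTRIBUTES:
                if attr in threat.affects:
                    score = risk_score(asset.value.get(attr, 0), threat.likelihood)
                    rows.append((asset.name, threat.name, attr, score))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed sample data (hypothetical ratings, not from the article).
SAMPLE_THREATS = [
    Threat("hacking", 4, frozenset(ATTRIBUTES)),
    Threat("denial of service", 3, frozenset({"availability"})),
    Threat("data input error", 4, frozenset({"integrity"})),
    Threat("theft", 2, frozenset({"confidentiality", "availability"})),
    Threat("fire", 1, frozenset({"availability"})),   # dropped by Step 6.1
]
SAMPLE_ASSETS = [
    Asset("Customer Data", {"confidentiality": 8, "integrity": 7, "availability": 6}),
    Asset("Web Publishing System", {"confidentiality": 3, "integrity": 5, "availability": 7}),
    Asset("Public brochures", {"confidentiality": 0, "integrity": 2, "availability": 2}),  # dropped
]
SAMPLE_EXPOSURE = {
    "Customer Data": ("hacking", "data input error", "theft"),
    "Web Publishing System": ("hacking", "denial of service", "fire"),
    "Public brochures": ("hacking",),
}

if __name__ == "__main__":
    for asset, threat, attr, score in estimate_risks(SAMPLE_THREATS, SAMPLE_ASSETS, SAMPLE_EXPOSURE):
        print(f"{score:>2}  {asset:<22} {threat:<18} {attr}")
```

Running the script prints one row per threat/asset/attribute triple, highest risk first; the "fire" threat (rated 1) and the "Public brochures" asset (valued at most 2) never reach the table. Keeping the result per attribute rather than per asset is what lets Step 7 pick a countermeasure that targets the attribute actually at risk (a backup for availability, access control for confidentiality) instead of one generic control per asset.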

STEP 7: Develop your IT security plan

Previous steps aimed at assessing and analyzing risks. The next step is to select a set of measures that will mitigate these risks. This set of measures constitutes the "Security Plan". This is done simply by choosing one or several countermeasures for each asset/threat pair.

Start with the highest risks and continue until you have covered every asset/threat pair in your list. If you have no previous experience you may find it difficult to choose appropriate countermeasures. Luckily, several lists of measures and guidelines are freely available on the Internet. One of the most comprehensive, available in both English and German, is published by the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Check their Web site at http://www.bsi.de; you will find the IT Baseline Protection Manual at http://www.bsi.de/english/

STEP 8: Implement and monitor

Having compiled a security plan, the final step is to implement the selected countermeasures and to monitor their application. It is often difficult to implement all measures at once. Therefore, you will need to prioritize measures, starting with those that address the highest risks from Step 6, and implement them gradually.