Texas Security and Risk Management

3.0 Risk Analysis

Copyright(c), 1995 - Management Analytics - All Rights Reserved


Absolute security which assures protection against all threats is unachievable. Therefore, a means is required of weighing losses which may be expected to occur in the absence of an effective security control against the costs of implementing the control. Risk analysis is the vehicle for a systematic process of evaluating vulnerabilities of a processing system and its data to the threats facing it in its environment. It is an essential part of any security and risk management program. The analysis identifies the probable consequences or risks associated with the vulnerabilities and provides the basis for establishing a cost-effective security program that eliminates or minimizes the effects of risks.

The risk analysis process provides agency management with the information it needs to make educated judgements concerning security and disaster recovery issues. It identifies the security policies and procedures that should be established to preserve the agency's ability to meet state program objectives in the event of the misuse, loss, or unavailability of information assets.

State policy requires that each agency establish a continuing information management planning process. Information management planning includes planning for the security of each agency's information assets. Each agency is required to report the results of the security planning process in its biennial strategic plan for information management.

Thus, the goals of risk analysis include identifying the preparations, procedures, and controls that:

Use this guideline as a resource during the risk analysis process. The remaining sections provide information relative to identifying the security policies and procedures that maintain an effective and efficient security and risk management program.

3.1 When to Conduct a Risk Analysis

Systems Acquisition. Security measures designed during the development of a system are generally more effective than those superimposed later. A risk analysis should be included in the conceptual analysis and design phases of every system.

Security & Risk Management Program. Risk analysis is a vital part of each agency's ongoing security and risk management program. It is not a task to be accomplished once for all time. The risk analysis process should be conducted with sufficient regularity to ensure that each agency's approach to risk management is a realistic response to the current risks associated with its information assets.

STANDARD. The Information Security Function within each agency shall require a comprehensive risk analysis of all information processing systems be performed on a periodic basis as set by agency standards. Risk analysis results shall be presented to the owner of the information resource for risk management. Each step of the risk analysis process must be documented. The degree of risk acceptance (i.e., the exposure remaining after implementation of the recommended protective measures) must be identified.

GUIDELINES. Risk analysis will assist management in the identification of controls appropriate for system standards which amplify or supplement the state minimum requirements. Agency management should consider conducting or updating risk analyses whenever there are significant system changes.

3.2 Management and Security Issues

Managing information security within the agency requires commitment and support on the part of executive, technical, and program management. Employees may recognize the need for information security and risk management but normally attach an importance to it in accordance with the interest and emphasis demonstrated toward it by management. Agency management should be involved in the risk analysis process and in the development and implementation of a security plan.

Risk analysis can best be accomplished by a team of individuals representing a variety of disciplines. Agency management should demonstrate its support for information security by:

The success of a security and risk management program depends on management involvement. There should be no doubt that agency management intends to rely on the findings of the risk analysis team.

Demonstrating commitment to the risk analysis process includes reviewing the findings produced by the risk analysis team. Milestones should be established at various points in the risk analysis process so that management can become meaningfully involved in reviewing progress and decision-making.

The risk analysis report documenting the risk assessment should be prepared by the team and submitted to executive, technical, and program management for review, approval, and action. It should be acted on promptly.

3.3 The Risk Analysis Study Team

Planning for information security and risk management begins with identifying the agency's information assets and their related vulnerabilities and risks. These tasks are the basis for the risk analysis process. Risk analyses should be coordinated by the agency Information Security Function and are best performed by a team of individuals representing the following disciplines:

1) data processing operations management
2) systems programming (operating systems)
3) systems analysis
4) applications programming
5) data base administration
6) auditing
7) physical security
8) communication networks
9) legal issues
10) functional owners
11) system users

These entities should be represented on the team by people who are well informed both of their own component's mission and its relationship to the overall organizational mission.

The agency head, or the IRM acting on delegated authority, should designate in writing the team members, its leader, their duties, responsibilities and any accompanying authority for conducting the risk analysis. The team should include owners, custodians, and users of information from the above disciplines as well as the head of the agency's Information Security Function. Users can provide valuable input in terms of how a particular system is used and identify vulnerabilities that may not be apparent to custodians or owners of information. Each participant should understand what is to be achieved. The relationship between information security objectives and agency program objectives should be explained to the team. Again, agency management should make it clear that it intends to rely on the team's findings.

If the agency utilizes the services of another agency's data center (or outsourcing firm), include the center's (or firm's) IRM or Information Security Officer as a team participant throughout the risk analysis process.

The first analysis carried out by the team is usually the most time-consuming and requires the most resources. Subsequent analyses will (to some extent) be based on previous work and the time required will decrease as expertise is gained.

3.4 Phased Approach to Risk Analysis

Identifying the vulnerabilities and assessing the risks associated with an agency's existing information assets in a single comprehensive risk analysis may not be practical. Establish priorities for a phased approach that first assesses the risks associated with the agency's most critical assets and then continues with assessments of less important assets.

GUIDELINES. Generally, those information assets that are critical to agency operations should be assigned highest priority. Those information assets where data confidentiality or disclosure and dissemination are controlling factors should be given the next priority. Information assets which are sensitive or where data integrity is the controlling factor are given third priority. Finally, all other information assets are assigned lower priority. To set priorities:

Conduct a risk analysis on those information assets that are critical to the agency's operations or are assigned the highest priority. When you have completed that task, conduct a risk analysis on those information assets with the next highest priority and so on until you have completed the risk analysis process.

3.5 Selecting a Risk Analysis Methodology

The analytical process, or methodology, analyzes the relationships between assets, threats, vulnerabilities and/or safeguards, and possibly other elements (e.g., likelihood or frequency of occurrence) and seeks to determine the potential losses that result from harmful events. It is the principal step in the entire risk analysis process. There are numerous risk analysis methodologies from which to choose and no solution is clearly best. Current methodologies for measuring loss include order-of-magnitude estimates, fuzzy reasoning, event trees, fault trees, and others. Some are strictly quantitative, others strictly qualitative, while yet others combine both. The argument for quantitative risk analysis is that cost-effective safeguards cannot be evaluated against losses unless the risks are quantified. Conversely, quantitative methods have been criticized for forcing precise estimates even where there is no reliable input data. Qualitative methodologies often emphasize descriptions rather than calculations.

A risk analysis methodology enables us to compare possible losses to the agency with the cost of security safeguards designed to protect against the losses. Risk analysis methodologies are similar in their approach. After inventorying the organization's information assets, the vulnerabilities associated with each asset are identified.

Some methodologies suggest identifying vulnerabilities for applications systems by analyzing the cycle of the item from data entry, to processing, to dissemination, to storage. Once vulnerabilities are identified they are ranked according to a combination of the dollar exposure and the probability of occurrence to determine the level of potential risk. After ranking, appropriate control measures are selected to minimize the effects of risks.

To be useful, a risk analysis methodology should produce a quantitative statement of the impact of a risk or the effect of specific security problems. The two key elements in risk analysis are the dollar impact of an undesirable event and the probability of its occurrence.

Risk analysis methodologies differ in terms of their quantitative calculation methods. A comprehensive methodology, with examples, is presented in Guidelines for Automatic Data Processing Risk Analysis, Federal Information Processing Standards Publications (FIPS PUB) 65, N.T.I.S., Springfield, VA(1979). A similar approach is described in the U.S. Department of Agriculture, DIPS Manual Supplement, August 15, 1977, Appendix A, Risk Analysis Procedures.

The risk analysis team leader should designate a team member to maintain the required documentation, which includes a description of the methodology and its tools (worksheets, checklists, and quantitative calculation methods).

3.6 Risk Analysis Software Packages

Risk analysis software packages are available in the marketplace. These tools provide an alternative to conducting the risk analysis process manually in that they automate portions of the risk analysis process. While a few risk analysis tools run on mainframes, most run on microcomputers. Some are designed to handle the analysis of large integrated information systems while others evaluate smaller, stand-alone systems.

Agencies should determine if an available software package provides a cost-effective means of assisting them in conducting the risk analysis process. This should be done in combination with methodology selection, as most risk analysis tools perform either a quantitative or a qualitative analysis, while a few combine both.

Another option to consider in performing a risk analysis is outside support. There are reliable commercial firms which perform risk analyses on contract. However, that option should not be chosen in lieu of understanding the purpose and techniques of risk analysis, but rather in the interest of efficient resource utilization. The individuals who should serve on a risk analysis team are the same ones who will be needed to supply information to the contractor and they should be readily available throughout the risk analysis process.

The following subsections describe the sequence of risk analysis steps independent of whether the process is done manually, through the use of commercially available risk analysis software or through the use of an outside contractor.

3.7 Identifying Information Assets at Risk

The risk analysis team's first major task is to identify and inventory the agency's information assets and prepare a checklist of those items. Generally, risk analysis methodologies provide procedures defining how this information may be collected, organized, and documented. Risk analysis methodologies generally include examples of checklists and worksheets which the study team may use or adapt.

Items subject to loss in an information technology environment include application systems, data bases, data files, documentation manuals, operating procedures, operating systems, computer hardware and related equipment, physical equipment, buildings, personal computer systems and software, and the continuity of operations.

Ask the owners of information to classify the application systems as critical or otherwise and indicate whether the data bases and files contain confidential or sensitive information. This information is essential for determining the security controls required for the information.

Consider grouping data bases and/or data files by application system. Remember to include back-up files. For this purpose, consider a worksheet that contains the following information:

Next, a facilities inventory should identify buildings, backup sites, the equipment in the buildings, computer hardware, data processing support equipment (e.g., key entry machines), data media, hardcopy documentation, operating instructions, operating material (e.g., card decks, diskettes, etc.), and associated software such as communications or operating system software. Hardcopy documentation for a specific application should be identified by application. Consider identifying facilities by site location and including the following information on a worksheet:

This information should be obtained from persons familiar with the agency's information assets, including its application systems and facilities. Information should be solicited from technical and program personnel.

Preparing a listing of the agency's information assets is essential to the next step in the risk analysis process: identifying potential threats.

3.8 Identifying Vulnerabilities and Risks

The risk analysis team's next task is to identify and document vulnerabilities (or threats) associated with the agency's information assets and the potential risks of each. This guideline uses the two terms interchangeably; current practice distinguishes the threat (the event or agent, such as fire or an intruder) from the vulnerability (the weakness that allows the threat to cause harm), and the team should record both so that a safeguard can be matched to the weakness it closes. The literature on the subject of risk analysis discusses common vulnerabilities and risks associated with information assets. The risk analysis methodology the agency has selected may include suggestions, including checklists and worksheets, for completing this task and documenting the information.

Obvious vulnerabilities of information assets include fire, water damage to electronic equipment, and damage to tapes from mishandling. Every bit as real are vulnerabilities resulting from employees who intend no harm but are not careful, employees who disclose confidential information, hardware errors caused by poorly maintained equipment, and intruders.

Common vulnerabilities that affect application systems and data files may be effectively identified based on an analysis of the "key points" within a system at which data is entered, processed, and disseminated.

Common vulnerabilities may be identified or categorized in a variety of ways which will be influenced to some degree by the risk analysis methodology the agency selects. In general, vulnerabilities are categorized in terms of "Major" and "Minor Threats." Alternatively, they may be categorized in terms of:

Specific risks should be addressed during the risk analysis process. These risks include, but are not limited to, those associated with:

The risks associated with common vulnerabilities include jeopardizing professional relationships (including ones with other governmental entities), lawsuits, punitive damages, and the loss of:

When identifying the risks or impact associated with fire, keep in mind that fire can deprive owners, custodians, and users of information of valuable technical support services without destroying or damaging the data processing complex itself. In high-rise buildings, fire on any floor below a computing facility, and frequently on any floor above, can disable the facility by depriving it of power, air conditioning, communications, or access. A fire that destroys the agency's supply of pre-printed paper forms can seriously cripple any function dependent on those forms.

Identifying common vulnerabilities and risks is essential to the next phase of the risk analysis process which requires analyzing the information technology environment and identifying the specific vulnerabilities and risks that apply to it.

3.9 Risk Assessment

During risk assessment the risk analysis team assembles the facts necessary for selecting adequate, cost-effective safeguards to protect the agency's information assets.

Risk assessment involves evaluating the current security posture of the agency's information environment and identifying areas of weakness. Potential problems should be identified and evaluated in relation to existing controls. If a new system is being developed, no controls exist yet, and identifying potential security problems requires careful scrutiny of the system's design. Assemble a list of issues (or vulnerabilities). Based on an analysis of risks (or likely consequences and probable losses) and probabilities of occurrence, the agency's security requirements will be identified.

Risk assessment entails a careful inspection of application systems and their data bases or files. It provides the risk analysis team and the custodians and owners of information with the ability to assess the quality and completeness of the existing security system, including its backup and recovery procedures. Evaluating the security of application systems can be accomplished by focusing attention on and analyzing each stage of the information life cycle which begins with data origination and continues with data entry, processing, dissemination, storage, and disposal. Rather than focus on a limited portion of an information flow, an entire process should be selected as the subject of a risk assessment. Examine all the aspects of computer processing and carefully consider the manual operations involved.

Next, risk assessment requires identifying the risks (or probable consequences and losses) associated with the agency's information assets and estimating the probability (or likelihood) of undesirable events occurring. These risk assessment activities are described in the material that follows.

3.10 Risks and Probabilities of Occurrence

Risk analysis presumes that the cost of controlling any risk should not exceed the maximum loss associated with the risk. To arrive at cost-effective security solutions, risk analysis requires identifying the probable loss or quantifying the value of an item to the agency.

Risk analysis methodologies differ in their quantitative calculation and evaluation methods. To be useful, the methodology should produce a quantitative statement of the impact of a risk or the effect of specific security problems.

The key elements in risk analysis are the dollar impact of an undesirable event (the loss from a single occurrence) and the probability, or frequency, of that event occurring within a specified period, usually one year.

Together, these elements form the basis for identifying the annual dollar value of a loss.

Using the list of vulnerabilities associated with the agency's information assets (assembled by the team during the previous step), identify the risks (or impact and likely events) associated with each threat. Next, determine the potential economic impact of those risks or events. Then, estimate the probability of the undesirable events occurring within a specified period of time (usually one year). The risk analysis methodology that the agency selects should suggest the risk assessment tools, including checklists, worksheets, and quantitative calculation and evaluation methods, necessary to identify and document this information.

Identifying risks and their economic impact does not directly lead to identifying which security exposures are worth corrective action and which are not. Estimating and considering the likelihood or probability of the undesirable events is vital. For example, many events such as a flood or earthquake have catastrophic consequences. However, if they appear to have a low probability of occurrence they might not justify protective measures and it may be decided to tolerate the risks. When making that decision, look at the single-occurrence loss as well as the annual figure: a very low probability can make the annual dollar value of a catastrophic loss look small even when one occurrence would be more than the agency could survive, which is the case the Contingency Plan (Section 3.15) exists to address.

Once the dollar exposure or the annual dollar value of a loss is estimated, the following options are available:

Unless we quantify the risk or impact and the probability of its occurrence, we have no basis for making an informed decision. Estimating the annual dollar value of a loss provides the information necessary to determine whether security safeguards are needed and if so, the cost that can be allocated to safeguard that item. Additionally, estimating the annual dollar loss associated with each risk provides a common denominator for determining the magnitude of each risk. An agency may then develop safeguards against the high dollar loss risks.

After determining the dollar value of a loss, the risk analysis team is ready to identify alternative security safeguards and provide recommendations for cost-effective security solutions.

3.11 Identifying Protective Measures and Their Costs

So far, the risk analysis study team has:

Next, the team's efforts will be devoted to identifying the requirements or protective measures necessary to reduce the impact of identified threats to an acceptable level. Prior to undertaking this task, the team's findings should be reviewed by agency management. Based on those findings, management should determine which risks warrant security solutions.

Protective measures include technical security solutions and policies and procedures. Information does not suddenly become confidential or sensitive when it is written on magnetic media, entered onto a mainframe or personal computer application system, or made accessible via a communication network. Information should be protected both before and after it is automated by implementing policies and procedures that govern human behavior and the machine-user interface.

Identifying alternative solutions to security inadequacies requires the expertise of well-informed technical and program staff who together maintain knowledge about:

These attributes should be considered in the composition of the study team and its participants. The owners of information should be prepared to develop, in conjunction with the custodians of information, a scheme for achieving the required level of security for the agency's information assets.

As protective measures are identified, the study team may find that one countermeasure will function as an effective means of managing the risks attached to multiple assets.

Develop exhibits or tabular relationships between protective measures and the threats, information assets, and risks they are intended to manage. The risk analysis methodology the agency has chosen may provide suggestions as to how these relationships may be documented. Next, identify the costs (usually associated with technical solutions in terms of hardware and software lease or purchases) associated with the protective measures. Determine the development, implementation, and maintenance costs associated with each safeguard. The relationship between safeguards and risks, and the costs associated with each, enables the study team to determine and quantify the impact of a countermeasure. Will it lower the impact or the expected dollar value of a loss to an acceptable level? Will it lower the probability of the loss occurring? Once the impact of a countermeasure is determined and quantified so is the amount of risk that may still remain. Assuming a countermeasure is adopted, is the amount of risk or expected dollar loss that still remains acceptable or are other alternative or additional countermeasures required?

3.12 Selecting Cost-Effective Security Solutions

The risk analysis process attempts to strike an economic balance between the impact of risks and the cost of security solutions intended to manage them. The process highlights the risks that exist and enables the selection of cost-effective security solutions. At the basis of selecting cost-effective protective measures is the assumption that the cost of controlling any risk should not exceed the maximum loss associated with the risk. For example, if the potential loss attributable to a risk is estimated to be $100,000, the cost of the protective measures intended to prevent that loss should not exceed that amount. Compare the two figures on the same basis: an annual loss expectancy should be set against the annualized cost of the safeguard (development and implementation spread over its useful life plus yearly maintenance), not against a one-time purchase price. Consider the sum of averted risks if a single remedy will reduce several risks. Also consider and evaluate the use and interaction of multiple remedies. One may improve or negate the effectiveness of another.

The risk analysis team has:

This information forms the basis for determining which protective measures are the most cost-effective. After having evaluated the dollar loss of each risk, assessments can be made about the dollars that can be allocated to lessen the estimated annual dollar loss to an acceptable level. With information on dollar loss before and after the application of controls, cost evaluations will indicate which security safeguards are most cost-effective. The team should identify the protective measures that should be implemented giving consideration to the greatest risks first.
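The arithmetic that Sections 3.10 through 3.12 describe, as an added worked example (this code is not part of the original guideline and is not the FIPS PUB 65 worksheets themselves): annual loss expectancy as single-occurrence impact multiplied by annual rate of occurrence, the dollar loss before and after each safeguard, the averted loss summed across every risk a single safeguard covers, the residual exposure that management is asked to accept, and a selection step that re-evaluates each remaining safeguard against those already chosen so that two controls addressing the same risk are not credited twice. The asset names, dollar values, rates, safeguard costs, and the multiplicative combination of safeguard effects are constructed assumptions for illustration only.

```python
"""Annual loss expectancy (ALE) worksheet in the style of FIPS PUB 65.

Added example; all figures below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: float       # dollar loss from a single occurrence of the threat
    annual_rate: float  # expected occurrences per year (a probability for rare events)

    def ale(self) -> float:
        """Annual loss expectancy: single-occurrence impact times annual rate."""
        return self.impact * self.annual_rate


@dataclass
class Safeguard:
    name: str
    annual_cost: float  # amortized development/implementation plus yearly maintenance
    # (asset, threat) -> (impact_factor, rate_factor) that REMAIN after the safeguard.
    # Assumption: a safeguard either lowers the loss per event or how often it happens.
    effects: dict = field(default_factory=dict)


def apply_safeguards(risk: Risk, safeguards) -> Risk:
    """Residual risk after several safeguards; effects are assumed to combine multiplicatively."""
    impact, rate = risk.impact, risk.annual_rate
    for sg in safeguards:
        f_impact, f_rate = sg.effects.get((risk.asset, risk.threat), (1.0, 1.0))
        impact *= f_impact
        rate *= f_rate
    return Risk(risk.asset, risk.threat, impact, rate)


def total_ale(risks, safeguards=()) -> float:
    """Agency-wide annual dollar value of loss, before or after a set of safeguards."""
    return sum(apply_safeguards(r, safeguards).ale() for r in risks)


def evaluate(risks, safeguard: Safeguard, baseline=()) -> dict:
    """Averted ALE and net benefit of adding one safeguard on top of a baseline set."""
    before = total_ale(risks, baseline)
    after = total_ale(risks, list(baseline) + [safeguard])
    averted = before - after
    return {"safeguard": safeguard.name, "averted": averted,
            "annual_cost": safeguard.annual_cost,
            "net_benefit": averted - safeguard.annual_cost}


def select_safeguards(risks, candidates):
    """Repeatedly adopt the candidate with the largest positive net benefit.

    Each round re-evaluates the remaining candidates against the safeguards already
    chosen, so overlapping controls (two measures on the same risk) are credited only
    for the loss that is still on the table.  Stops when nothing pays for itself.
    """
    chosen, remaining = [], list(candidates)
    while remaining:
        best = max((evaluate(risks, sg, chosen) for sg in remaining),
                   key=lambda e: e["net_benefit"])
        if best["net_benefit"] <= 0:
            break
        chosen.append(next(sg for sg in remaining if sg.name == best["safeguard"]))
        remaining = [sg for sg in remaining if sg.name != best["safeguard"]]
    return chosen


# Constructed sample inventory (Section 3.7) with its threats (Section 3.8).
RISKS = [
    Risk("payroll application", "fire", impact=500_000, annual_rate=0.02),
    Risk("payroll data files", "operator error", impact=20_000, annual_rate=4.0),
    Risk("benefits data base", "disclosure", impact=250_000, annual_rate=0.1),
    Risk("computer room", "earthquake", impact=2_000_000, annual_rate=0.001),
]

# Constructed candidate protective measures (Section 3.11).
CANDIDATES = [
    Safeguard("gas fire suppression", 3_000, {("payroll application", "fire"): (0.2, 1.0)}),
    Safeguard("daily off-site backup", 5_000, {            # one remedy covering several risks
        ("payroll application", "fire"): (0.6, 1.0),
        ("payroll data files", "operator error"): (0.25, 1.0),
        ("computer room", "earthquake"): (0.5, 1.0)}),
    Safeguard("access control software", 12_000, {("benefits data base", "disclosure"): (1.0, 0.2)}),
    Safeguard("seismic retrofit", 50_000, {("computer room", "earthquake"): (0.1, 1.0)}),
]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset:22s} {r.threat:15s} ALE before ${r.ale():>10,.0f}")
    chosen = select_safeguards(RISKS, CANDIDATES)
    print("adopt:", [sg.name for sg in chosen])
    print(f"residual exposure to accept: ${total_ale(RISKS, chosen):,.0f} per year")
```

Run stand-alone, the worksheet rejects the seismic retrofit (a catastrophic but rare loss whose averted ALE is far below the retrofit's yearly cost) and adopts the other three, with the off-site backup taken first because its averted loss is summed over three risks. Note that fire suppression is worth less once the backup is already in place, since both reduce the same fire loss; summing the averted amounts of the safeguards evaluated in isolation would overstate the total benefit. The residual total is the "degree of risk acceptance" that Section 3.1 requires the report to state.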

The risk analysis methodology the agency has selected (including the quantitative cost analysis methods) will more than likely suggest the use of cost indicators or common denominators that function to identify the most cost-effective security solutions. The following cost indicators provide a basis for comparison among protective measures:

The cost-benefit analysis and its data should be as complete as possible even with the inevitable unknowns. The risk analysis study team should make an effort to identify all costs. If the analysis is incomplete, plans should be made to obtain the necessary data. Whenever possible, the benefits associated with a countermeasure should be tangible. Dollar benefits, in terms of cost avoidance, should be identified. Other benefits, such as improved delivery of service or expected reductions in attempted security violations, should be expressed in measurable terms.

Once the cost-benefit analysis task has been completed and documented, the team's findings should be reviewed by agency management. The team should identify which protective measures it recommends for implementation and provide agency management with the necessary information, including cost-benefit analyses, to support its findings and recommendations.

Once agency management reviews and concurs with the team's findings, the risk analysis process requires the preparation of a risk analysis report.

3.13 Preparing the Risk Analysis Report

The risk analysis process has enabled us to identify the information assets that are at risk and attach a value to the risks. Additionally, it has identified protective measures that eliminate or minimize the effects of risk and assigned a cost to each countermeasure. The risk analysis process has also determined whether the countermeasures are cost-effective. Once the analysis is complete, the study team is ready to prepare a report documenting the risk assessment.

STANDARD. A risk analysis report documenting the risk assessment must be submitted to the agency head. The risk analysis process provides the basis for preparing the agency's risk analysis report.

The risk analysis report serves as the vehicle for presenting to agency management the study team's findings and recommendations for information asset security. It provides agency management with the information it needs to make intelligent and well-informed decisions related to security issues. The report is forwarded to the agency head for review, approval, and action. Once agency management receives the report it should be reviewed and its findings and recommendations promptly acted on.

As a general rule, the report should include only summary information. Maintain the working papers and detailed analyses that support the findings and recommendations outlined in the report for reference purposes and as a resource for future risk analyses. The risk analysis report and its related documentation should be considered sensitive information and protected accordingly; they describe the agency's weaknesses and the controls it has chosen not to implement. They are not intended for general distribution.

Figure 3-1 provides suggestions in terms of the organization and content of the risk analysis report. The outline includes the suggested subject matter which should be addressed in the report.

Figure 3-1. Suggested Risk Analysis Report Outline

3.14 The Security Plan

Risk analysis aids in developing a security strategy for the agency. It provides the basis for establishing a cost-effective security program that eliminates or minimizes the effects of risk. Preparation of the risk analysis report marks the completion of the risk analysis process or cycle. Once the report is forwarded to the agency head and approved, the planning process necessary to establish the technical and procedural protective security measures (identified in the report) should begin.

The successful implementation and continuation of the agency's security program depends on agency management involvement. This involvement includes planning for the security of information assets. The planning process identifies needs, establishes priorities, determines the appropriate means of implementing objectives, obtains resources, and secures commitment to the security plan, which includes a Contingency Plan for Information Resources Services Resumption. The purpose of developing a security strategy is to implement a sufficient set of policies and procedures (identified in the risk analysis report) to counter identified threats and thereby strengthen security.

Begin by developing an implementation plan and a schedule for instituting the proposed technical and procedural protective security measures. Additionally, develop an action program that identifies how the objectives will be implemented. The action program should assign security responsibilities to agency management, the Information Security Function and to the owners, users, and custodians of information. The success of the agency's security action program depends on the proper assignment of security responsibilities. For information related to assigning responsibilities relative to the security of information assets, refer to Sections 2 and 4 of this guideline.

The security plan should also include strategic impact statements describing the impact the strategy will have on the agency if it is undertaken. Impact statements might address the financial, service delivery, personnel, capital expenditure, legislative, policy, or legal impact. A statement addressing the impact of future technology might also be included. An analysis should be made of anticipated technical problems and proposed solutions. The results should be included in the security plan.

The security plan should require periodic evaluations of the agency's protective measures. Specifically, agency management should periodically evaluate the security and risk management program. When security safeguards are in place and operating, a review or audit should be made of their effectiveness. This may entail actual testing of the security system to assure that its objectives are being met. For example, it may require assuring that the owners, custodians, and users of information are complying with internal security policies and procedures.

The risk analysis process should be conducted with sufficient regularity to ensure that the agency's approach to risk management is a realistic response to the current risks associated with its information assets. Consequently, the agency's security plan may require reassessment and interim updates should significant changes in security issues occur.

Develop a security plan and include a contingency plan (for continuing operations in case of disaster) for all installations. Consider delegating security responsibilities to each location if the agency has information processing facilities at multiple sites. Functions related to the security of information assets should be represented on-site wherever data is processed or stored. If multiple but small installations exist, none of which require individual security or contingency plans, an overall plan will suffice.

3.15 The Agency Contingency Plan For Service Resumption

STANDARD. All information resources determined by agency management to be essential to the agency's critical mission and functions, the loss of which would have an unacceptable impact, shall have a written and cost-effective Contingency Plan that will provide for the prompt and effective continuation of critical state missions in the event of a disaster. The Contingency Plan shall be tested and updated at least annually to assure that it is valid and remains current.

GUIDELINES. The owners of information will play a major role in the development and implementation of the agency's Contingency Plan. For example, the owners of information, in cooperation with the custodians, should be prepared to address the following issues and include the information in the agency's Contingency Plan:

3.16 Data and Software Backup

Contingency planning includes procedures and actions to recover from losses ranging from minor temporary outages to comprehensive disaster recovery planning in preparation for catastrophic losses of information resources. On-site backup is employed so that current data in machine-readable form is readily available in the production area in the event operating data is lost, damaged, or corrupted, without having to resort to reentry from source material. Off-site backup or storage embodies the same principle but is designed for longer-term protection in a more sterile environment, requires less frequent updating, and provides additional protection against threats that could damage the primary site and its data.

STANDARD. Data and software essential to the continued operation of critical agency functions shall be backed up. The security controls over the backup resources shall be as stringent as the protection required of the primary resources.

GUIDELINES.

3.17 Sensitivity of Agency Security Plans

The Texas Open Records Act and the Texas Open Meetings Act apply to governmental records and presume that all records are open to the public. In the absence of a specific statutory exemption from disclosure, state law specifies that the final determination of whether a particular document or piece of information is exempt from disclosure must be made on a case-by-case basis. The Attorney General of Texas has ruled that certain computer software programs, the release of which would pose a security risk, and certain personnel records and research activities are exempt from disclosure under the aforementioned statutes.

Accordingly, the risk analysis report and the security and contingency plans should be considered sensitive and potentially confidential information and protected as such. It is strongly recommended that a ruling be obtained from the Office of the Attorney General before the following types of documents or information are released without a specific "need-to-know", as determined by agency management:

GUIDELINES. Agencies should review the following types of reports and documentation to determine if state security systems could be revealed if these records were made public.