
Risk Assessment In Computer Systems

Introduction.

Information Security Risk Management. This is what "allows an organization to evaluate what it is trying to protect, and why, as an element of support for the decision in the identification of security measures". Asset categorization. This is the way the company has classified its assets. As stated by ISOTools Excellence, ISO 27001 requires that "all information assets must be clearly identified, and an inventory in which all important information assets appear must be drawn up and maintained".

Criticality of assets. This is defined according to how necessary an asset is for the activities of an area or for the mission of the organization. Information Security encompasses a set of techniques and measures to control all the data handled within an institution and to ensure that it does not leave the system established by the company.

Development.

Other definitions to be used in this research

ISO. International Organization for Standardization. It is an independent, non-governmental organization composed of members from more than 160 countries, through which experts share knowledge and develop consensus-based international standards that support innovation and provide solutions to global challenges.

  • ISO 27005:2011. "It is the international standard that deals with information security risk management."
  • SGSI. The acronym (from the Spanish Sistema de Gestión de Seguridad de la Información) for the Information Security Management System, the concept on which the ISO 27001 standard is based. It is a set of policies, procedures, and technical and physical controls to protect the confidentiality, availability and integrity of information.
  • Risk. The probability that a security incident occurs, materializing a threat and causing losses or damage.
  • Threat. Any action that takes advantage of a vulnerability to act against the security of an information system.
  • Vulnerabilities. "These are the conditions and characteristics of the systems of an organization that make it susceptible to threats."
  • Impact. The effect of a threat on the mission of the organization and its business objectives.
  • Asset. Something of value for the company. Information technology assets are the combination of physical and logical assets and are grouped into specific classes: information, systems, services and applications, and people.
  • Risk management. A cyclic process of identification, evaluation and decision-making that seeks to reduce risk to an acceptable level.

Operational Definitions of Research.

Periodicity of awareness. Periodicity is the "frequency with which a repetitive thing happens or is performed". Awareness-raising is the "action of making someone aware of something", that is, the action of "acquiring awareness or knowledge of something". Based on these definitions, the periodicity of awareness is the frequency with which teaching/learning activities are carried out, in this case on information security.

Information Security Risk Management Criteria. A criterion is the norm, rule or guideline that a person follows in order to know the truth or falsehood of a thing or issue. Based on that definition, the term criteria for information security risk management refers to the guidelines taken into account to manage (analyze, evaluate and treat) information security risks.

Information Security Risk Management Methodologies. When talking about methodology, we are talking about methods, "a group of rational mechanisms or procedures used to achieve an objective". So information security risk management methodologies are the methods used to manage information security risks. Examples of these methodologies are OCTAVE and MAGERIT.

Information Security Risks. Based on the definitions of risk and of information security, an information security risk can be understood as the probability of an incident that affects the measures and techniques used to protect information from possible losses and/or damage.

Elements to determine risk controls. Risk control aims to "analyze the operation, effectiveness and compliance of protection measures in order to determine and correct their deficiencies" (Risk management in computer security, 2019). On the other hand, an element is a "fundamental foundation, means or resource for something" (Royal Spanish Academy, 2019). So when mentioning elements to determine risk controls, we are talking about what is necessary to establish or define the protection measures that will mitigate the risks.

Theoretical framework

Information security

Before talking about information security, it is necessary to distinguish it from computer security. On the one hand, "computer security refers to the protection of the infrastructure of information and communication technologies", and on the other, information security refers to the protection of information assets.

Information security is a set of measures that companies take in order to protect their information from any threat that could alter its integrity, availability or confidentiality. Today vulnerabilities are more common and more sophisticated, as are the internal risks of the company, to which close attention must be paid, since attacks do not always come from outside but also from within.

To protect information properly, it is necessary not only to take the technical part into account, but also to carry out management in which the necessary protection systems and controls are involved. To achieve this, an SGSI is needed. An SGSI is a tool that contributes to minimizing risks through the identification and assessment of assets and of the risks related to them, taking into account the impact for the organization and thus executing the most efficient controls that are in accordance with the business strategies.

Information assets

An asset is everything that represents some value for a company. Information technology assets are a mixture of physical and logical assets, grouped into specific categories. They are divided into the following categories:

  • Information: refers to documented information on paper or electronic media.
  • Systems: a combination of information, software and hardware that processes and stores information.
  • Services and applications: software applications and services that process, store or transmit information.
  • People: the people in the institution who are distinguished by their unique knowledge, experience and skills, and who are therefore difficult to replace.

ISOTools indicates that, according to ISO/IEC 27001, assets have different characteristics depending on their state, their nature, and their levels of confidentiality, integrity and availability. In that sense, a series of sub-states can be mentioned: an authentication sub-state, a confidentiality sub-state, an integrity sub-state and an availability sub-state, each showing characteristics according to the pillar of information security that it represents.

The criticality of an asset is defined based on the need or dependence that an area has on it to perform its activities, or that the organization has on it to achieve its mission. To determine criticality, there is a standardized assessment in which the information owner classifies the asset according to the three main characteristics of information security (integrity, confidentiality, availability).

One way of doing this is to have, for example, a value scale from 0 to 3, where 0 is null, 1 is low, 2 is average and 3 is high. Depending on the asset, a value is assigned to each characteristic and then the average of those values is taken; the final result gives the criticality of the asset on the scale of values that was initially defined (National University of Luján, 2019).

Risks that affect information security

For a risk to occur, two elements must be present together: threats and vulnerabilities. A vulnerability is a weakness in information assets that facilitates the presence of threats. A threat is an unfortunate situation which, if it happens, brings negative consequences for information assets, affecting their availability. That said, risk is the probability that a threat will materialize, causing losses and damage such as interruption of service, economic losses and reputational damage, among others (INCIBE, 2015).

As indicated by Oceano IT (2019), some of the most common threats are:

  • Malware: malicious code that alters the operation of the computer without the user being able to notice it. It has the capacity to corrupt and/or destroy files that have been saved on the hard drive.
  • Spyware: a kind of spy that is installed on the computer, extracting and transmitting valuable information such as bank accounts, passwords, etc., without the user noticing.
  • Ransomware: applies to computers as well as mobile phones. The attacker locks the device (computer or telephone) by encrypting the information, that is, putting it in a non-readable format, and leaves a message demanding a ransom (money) to release the information.
  • Phishing: a type of threat that arrives through email, in which the user is asked to access a web page, such as that of a bank, which appears to be authentic, in order to update personal information, while in fact that information is stolen.
  • Trojans: a type of malicious code that, when executed, gives the attacker the ability to control the infected device remotely.

But how can threats, and therefore the possible risks, be avoided or mitigated? A risk analysis must be performed and, once it is finished, the treatment to be given to the risks must be determined; that is, proper risk management must be carried out. The risk analysis consists of identifying the assets of the company, their threats, the probability of those threats occurring and their possible impact. This is then checked against the level of risk that the organization accepts. As for the treatment of risks, those that are above the desired level are identified in order to make the best decision on how to reduce them. This decision takes into account that the cost of the treatment must not exceed the cost of the risk that is reduced. Depending on the result, it is decided to avoid the risk, mitigate it, transfer it to third parties or accept it (INCIBE, 2015).

Risk controls

INCIBE defines controls as protection measures to reduce risk. Controls are also defined as safeguards that contribute to reducing the impact produced by a threat or, in any case, the frequency with which it appears.

They are classified as preventive controls, detective controls, protection controls and corrective controls.

  • Preventive controls: they act on the cause of the risk in order to reduce its probability of occurrence. They constitute the first line of defense.
  • Detective controls: they are the second line of defense and are used to verify the effectiveness of preventive controls. They alert about the presence of risks, allowing immediate action.
  • Protection controls: they are used to minimize the effects of risks, require reinforcement through training, and are more expensive than preventive controls.
  • Corrective controls: they are used when the previous controls do not work and allow their efficiency to be improved. They are more expensive because they act after the damage is done. This type of control is usually administrative and requires policies or procedures for its execution.

Before implementing a control, the existing controls must be identified to determine whether or not a new one is necessary. As they are identified, it is advisable to test their correct operation and, based on the result, make a more objective decision (Mintic, 2019). At that point, the following must be taken into account: the effectiveness of the control to be implemented, its conformity with current laws and standards, the operational impact of the modifications, and the reliability of the selected control (National University of Luján, 2019).

Information Security Risk Management

Any activity concerned with keeping risks below the threshold that has been set is part of risk management. Risk management is composed of two basic activities: risk analysis and risk treatment.

The risk analysis consists of several steps or phases, which may vary depending on the methodology used. These phases are:

Phase 1 - Define the scope: where are the risks to be analyzed?

Phase 2 - Identify assets: identify the most important assets and the relationship they have with the area or process under study.

Phase 3 - Identify threats: given the large number of threats that exist, a practical and applied approach must be maintained.

Phase 4 - Identify vulnerabilities and safeguards (controls): in this phase the characteristics of the assets are studied in order to identify their vulnerabilities.

Phase 5 - Evaluate the risk: on reaching this phase there is already an asset inventory, the threats to which the assets are exposed, their vulnerabilities and the controls in place, so the risk can be calculated. Risk is equal to impact x probability.

Phase 6 - Treat the risk: once the risk is known, there are four strategies that can be applied: transfer it to a third party, eliminate it, assume it, or put in place the necessary controls to mitigate it (INCIBE, 2017b).
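A worked version of the 0 to 3 criticality scale described above and of the risk = impact x probability calculation and treatment decision of Phases 5 and 6, as an added Python example that is not part of the original essay. The probability and impact scales, the accepted-risk threshold and the mapping of the cost rule to the four strategies are assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Value scale taken from the text: 0 = null, 1 = low, 2 = average, 3 = high.
SCALE = {0: "null", 1: "low", 2: "average", 3: "high"}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

@dataclass(frozen=True)
class Threat:
    description: str
    probability: int  # assumption: rated 0..3 on the same scale as the assets
    impact: int       # assumption: rated 0..3

def criticality(asset: Asset) -> tuple[int, str]:
    """Average the three security characteristics and map back onto the scale."""
    values = (asset.confidentiality, asset.integrity, asset.availability)
    if any(v not in SCALE for v in values):
        raise ValueError(f"{asset.name}: every value must be one of {sorted(SCALE)}")
    level = round(mean(values))  # the mean of three integers is never exactly x.5
    return level, SCALE[level]

def risk(threat: Threat) -> int:
    """Phase 5: risk = impact x probability (0..9 with the scales above)."""
    return threat.impact * threat.probability

def treatment(threat: Threat, accepted_level: int,
              control_cost: float, loss_avoided: float) -> str:
    """Phase 6: accept risks at or below the threshold, otherwise treat them.

    Mitigation is chosen only when the control costs no more than the loss it
    avoids (the cost rule in the text); beyond that, the remaining options are
    to transfer the risk or eliminate the activity. This mapping is an assumption.
    """
    if risk(threat) <= accepted_level:
        return "accept"
    if control_cost <= loss_avoided:
        return "mitigate"
    return "transfer or eliminate"

if __name__ == "__main__":  # constructed sample inventory
    payroll = Asset("payroll database", confidentiality=3, integrity=3, availability=2)
    print(payroll.name, criticality(payroll))
    ransomware = Threat("ransomware on the file server", probability=2, impact=3)
    print(ransomware.description, risk(ransomware),
          treatment(ransomware, accepted_level=3, control_cost=1000, loss_avoided=5000))
```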

Risk management methodologies

For information security risk management there are various good-practice guides and/or methodologies that companies can adopt, taking into account the nature of the business. Among the most prominent methodologies internationally are:

  • ISO 31000: an international standard created by the International Organization for Standardization, characterized by the identification, analysis, evaluation, treatment, communication and monitoring of any type of risk that affects the company.
  • MAGERIT: this methodology was prepared by the Higher Council of Electronic Administration in Spain and is characterized by evaluating how much a company puts at stake in a process and how to protect it.
  • OCTAVE: an internationally recognized methodology developed by the Software Engineering Institute. It is characterized by offering a set of criteria from which others can be created.
  • NIST 800-30: an internationally recognized methodology created by the National Institute of Standards and Technology. It seeks to secure information systems.
  • CRAMM: internationally recognized, prepared by the Central Computer and Telecommunications Agency (CCTA). It is characterized by the identification and assessment of assets, threats and vulnerabilities, as well as the selection of countermeasures.
  • ISO 27005: an international standard prepared by the International Organization for Standardization. It offers recommendations and guidelines for information security risk management, following the ISO 27001 requirements.

Conclusion.

Good and adequate risk management reduces costs in the company, increases the satisfaction of customers and employees, leads to the achievement of organizational objectives, and helps to avoid situations that generate unexpected losses.
