3 Risk Assessment
This site constitutes a dynamically changing security protocol. This is only the beginning of its possibilities. It is designed to assist Indiana School Boards, Administrators, and Teachers to implement safe data and information systems. As schools develop policies and encounter changing technological systems, there will be a need for amendments to this document. If school districts would like to share documents that could be used on this site as examples, we would welcome that. Suggestions, additions, comments, or questions about this protocol should be directed to the webmaster at <securityinfo@purdue.edu>. Thank you.
"In a world of limited budgets, risk assessment provides an organization with the information it requires to accurately prioritize its needs. Options for meeting those needs can then be considered, ranked accordingly, and funded to reflect priority." [NCES. Safeguarding Your Technology: Practical Guidelines for Electronic Education Information Security, p. 13.]
A risk exists when a threat takes advantage of a vulnerability and causes harm to a system. The object of risk assessment is to reduce vulnerabilities and risk and to determine what policies are needed.
The extent of the risk assessment is determined by
1) the level of threats an organization faces
It is important to assess all four areas when assembling a policy document, so that it will be applicable to the extent of the risk. If the risks are high, then the extent of the policy document should reflect that. If the risks are low, then general policies may suffice.
3.1 Information Asset Inventory
An inventory of all information assets is needed to be able to re-establish a system in the event of a disaster. This inventory should include all hardware, software, automated files, databases, and data communications links.
An organization's data must be categorized according to its sensitivity to loss or disclosure. Based on this categorization, appropriate access requirements can be defined. Owners of the data should assume responsibility for categorization levels, with management review. That means that whoever is responsible for the data or information should categorize various kinds of information that they work with into the level they feel is appropriate. After this original categorization, an overall management review of all categorizations should be done. Any adjustments should be made, using an overall organizational data assessment approach.
All persons who are asked to categorize information should agree on and use the same definitions for data categories. Four specific sensitivity classifications are generally used. Each classification has its own handling requirements. The categories are as follows:
3.2.1 Sensitive: Information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness. Examples of sensitive information include school financial transactions and regulatory actions.
3.2.2 Confidential: The most sensitive student information that is intended strictly for use within the school. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. Its unauthorized disclosure could seriously and adversely impact the school, its students and their parents, its teachers and administrators, and the school board. Health care-related information should be considered at least CONFIDENTIAL.
3.2.3 Private: Personal information that is intended for use within the school setting. Its unauthorized disclosure could seriously and adversely impact the school district and/or its employees.
3.2.4 Public: All other information that does not clearly fit into any of the above classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the school, its employees, and/or its students or their parents. [Citation]
After all data is categorized, the next step is to assess the potential threats to the data assets from inside and from outside the system.
3.3 Asset Inventory
To ensure protection of all information assets, each network administrator should maintain an inventory of information systems. This inventory should indicate all existing hardware, software, automated files, databases, and data communications links.
3.4 Potential Threats to assets -- Risk Profile Matrix
Once the data or information is identified and categorized, the next step is to look at the data and assess the potential threat risk to the information. All information is assessed individually according to an agreed-upon scale of risk. The following is an example of a Risk Profile Matrix to assist administrators in the risk assessment of their system.
3.4.1 Profile Matrix

Risk Profile Matrix

| Threats | Rating | Visibility | Rating | Score |
|---|---|---|---|---|
| None identified as active; | 1 | Very low profile; | 1 | |
| Unknown state or multiple exposures | 3 | Middle of the pack, | 3 | |
| Active threats, multiple exposures | 5 | Lightning rod, active publicity | 5 | |

| Consequences | Rating | Sensitivity | Rating | Score |
|---|---|---|---|---|
| No cost impact; well within planned budget; risk transferred | 1 | Accepted as cost of doing business; no organization issues | 1 | |
| Internal functions impacted; budget overrun; opportunity costs | 3 | Unacceptable business unit management impact; good will costs | 3 | |
| External functions impacted; direct revenue hit | 5 | Unacceptable corporate management impact; business relationships affected | 5 | |
| Total | | | | |

Rating: Multiply Threat rating by Visibility rating. Multiply Consequences rating by Sensitivity rating. Add the two values together and compare to the risk scale below:

Source: Adapted from Barbara Guttman and Robert Bagwill, National Institute of Standards and Technology, U.S. Department of Commerce, Internet Security Policy: A Technical Guide [1998? Draft]
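The scoring rule above applied to a small asset inventory, as an added example that is not part of the original page. The asset names and ratings are constructed, and accepting any whole number from 1 to 5 is an assumption (the matrix only anchors 1, 3 and 5); because the risk scale itself is not reproduced on this page, the code ranks assets by score rather than labelling them.

```python
from dataclasses import dataclass

# The four categories from section 3.2.
CLASSIFICATIONS = {"Sensitive", "Confidential", "Private", "Public"}
RATING_FIELDS = ("threats", "visibility", "consequences", "sensitivity")


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    threats: int
    visibility: int
    consequences: int
    sensitivity: int


def profile_score(asset):
    """Threats x Visibility + Consequences x Sensitivity (range 2..50)."""
    if asset.classification not in CLASSIFICATIONS:
        raise ValueError(f"{asset.name}: unknown classification {asset.classification!r}")
    for field in RATING_FIELDS:
        value = getattr(asset, field)
        # Assumption: whole-number ratings 1..5; bools and floats are rejected.
        if type(value) is not int or not 1 <= value <= 5:
            raise ValueError(f"{asset.name}: {field} rating must be an integer 1-5")
    return asset.threats * asset.visibility + asset.consequences * asset.sensitivity


def rank_inventory(assets):
    """Return (score, name, classification) tuples, highest score first."""
    rows = [(profile_score(a), a.name, a.classification) for a in assets]
    return sorted(rows, key=lambda row: (-row[0], row[1]))


# Constructed sample inventory; names and ratings are illustrative only.
INVENTORY = [
    Asset("Student health records", "Confidential", 3, 3, 5, 5),
    Asset("Financial transaction ledger", "Sensitive", 3, 1, 3, 3),
    Asset("District public web site", "Public", 5, 5, 1, 1),
    Asset("Lunch menu archive", "Public", 1, 1, 1, 1),
]

if __name__ == "__main__":
    for score, name, classification in rank_inventory(INVENTORY):
        print(f"{score:>2}  {classification:<12} {name}")
```

A highly visible public asset can outrank an internal Sensitive one, which is why the matrix is scored per asset rather than inferred from the classification alone.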
After policy makers decide what level of risk that they are working with, they will then need to decide which defenses are most applicable to their situation and level of risk.
3.5 Network Vulnerabilities and Defenses
The following table illustrates the potential areas of vulnerability that may exist on the Internet, within the State's network, and within a school's Local Area Network (LAN) and/or Wide Area Network (WAN). The vulnerabilities are listed in the first column. The defenses against these vulnerabilities are listed in the second column.
Network Vulnerabilities and Defenses

| Vulnerability | Defenses |
|---|---|
| Internet | Firewall |
| | Authentication, and/or encryption. Virus scanning software should also be used. |
| Inappropriate URL Content | URL Content Filtering Products |
| Web site Security | Web server firewall, Authentication, Intrusion detection |
| Denial of Service Attack | Authentication, Service filtering, Firewall |
| Spoofing | Authentication |
| Sniffing | Encryption |
| FTP/Telnet | Firewall, Authentication, Administration |
| Sensitive/Confidential Information traveling the network & Internet | Encryption / Not allowing information to traverse the network or the Internet |
| Viruses | Virus Scanners for Workstation and E-mail |
| 3rd Party Access | Single Point of Access/ Access Rights |
| Dial-up Access | Authentication/Access Rights |
| Unauthorized Access to an Agency | Authentication/Access Rights, Intrusion detection software, Firewall |
| Unauthorized Access to another Agency from within an Agency | Authentication/Access Rights |
| Application Level Security | Authentication/Access Rights, Intrusion detection |
| Secure Remote Access | Authentication, Tokens, Smart Card |

Source: Adapted from Table 1, Network Security http://www.its.state.ms.us/et/security/secpaper.htm Suite 508 301 North Lamar Street Jackson, Mississippi 39201-1495
See also another method of risk assessment at the IASEP security page at http://iasep.education.purdue.edu/Training_info/SecurityThreats.htm. This page also has links to scenarios for applying the risk assessment format. Readers might try using both formats to discover which works best for their setting.
After vulnerabilities are assessed and the applicable defenses identified and planned, a set of operating statements about the system is necessary to facilitate the proper operation of the system defenses.
Draft version #3 7/3/00
Updated 10/23/00.
Copyright © 1999 - 2000 Purdue Research Foundation, Inc. All Rights Reserved.
Questions? Comments? Suggestions? Additions? Send them to the webmaster at securityinfo@purdue.edu.