2.3 Current State of Controls
It is very important for a risk practitioner to determine the current state of controls before making any recommendation. Regular review of the IT risk and control environment helps to determine the organization's current position.
A gap analysis is done to determine the gap between the desired state of control and the current state. It identifies the disparity and helps to determine the further controls needed to bridge the gap.
A risk practitioner can determine the current state of control by evaluating the following documents and procedures:
Audit Reports & Third-Party Assurance
Business Continuity and Disaster Recovery Plans
Capability maturity models
Incident Reporting Procedure and Logs
Vulnerability Assessment and Penetration Testing
Let us discuss each in detail:
Risk Assessment
Risk assessment is the process of identifying and evaluating risk and its potential impact.
The main objectives of performing a risk assessment are:
To determine the current state of risk
To justify and implement a risk mitigation strategy
Risk assessment should be performed at frequent intervals to address changes in business processes and new threats.
Audit Reports
An audit is an evidence-based verification process that helps to determine the effectiveness, efficiency and adequacy of current controls.
Review of audit reports helps the risk practitioner to assess the internal control system of the organization.
It is the responsibility of the system auditor to provide continuous feedback to senior management about the effectiveness of internal controls within the organization.
Business Continuity Plan
The objective of the business continuity plan is to prepare the organization for continuity of critical processes during a disaster. In the absence of a well-documented business continuity plan, a disaster can adversely impact the business processes. Thus, the BCP helps an organization to survive a disastrous interruption.
The Disaster Recovery Plan (DRP) addresses the IT capability needed to support the business continuity and recovery objectives.
Both BCP and DRP should be kept updated and tested at periodic intervals for continuous improvement.
Business Impact Analysis
Business Impact Analysis (BIA) determines the critical business processes by analyzing the impact of a disaster on each process.
BIA is a process to identify the critical processes, i.e. those whose disruption has a considerable impact on the business. It determines which processes are to be recovered on priority to ensure the organization's survival.
For determining business impact, two independent cost factors are to be considered. The first is the downtime cost; examples include drop in sales, cost of idle resources, interest cost etc. The second is the cost of alternative corrective measures such as activation of the BCP and other recovery costs.
Once the business impact is available for each process, it is important to prioritize the processes which need to be recovered at the earliest. This criticality analysis should be performed in coordination with IT and business users.
Business process owners possess the most relevant information about their processes and hence are considered the best source for determining the criticality of a process.
Once the critical assets are determined through the BIA, the next step is to develop a recovery strategy that ensures critical assets are recovered at the earliest to minimize the impact of a disaster. The recovery strategy is primarily influenced by the business impact analysis.
The prime criterion for determining the severity of a service disruption is the period for which the system will remain down: the higher the system downtime, the higher the severity of the disruption.
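The following worked example, added here and not part of the original text, carries the BIA steps above through in code: each process gets a business impact from the two cost factors (downtime cost plus recovery cost), a disruption severity driven by how long it stays down, and a recovery priority for the criticality analysis. The process inventory, its figures and the severity bands (ratio of expected outage to maximum tolerable downtime) are constructed assumptions for illustration; the page only states that longer downtime means a more severe disruption.

```python
from dataclasses import dataclass

# Severity bands on the ratio expected outage / maximum tolerable downtime.
# The bands are an assumption for this example, not figures from the text.
SEVERITY_BANDS = [(1.0, "critical"), (0.5, "high"), (0.25, "medium"), (0.0, "low")]
SEVERITY_RANK = {name: rank for rank, (_, name) in enumerate(SEVERITY_BANDS)}


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    downtime_cost_per_hour: float        # drop in sales, idle resources, interest etc.
    expected_outage_hours: float         # estimated period the process stays down
    recovery_cost: float                 # BCP activation and other recovery costs
    max_tolerable_downtime_hours: float  # agreed with the business process owner


def downtime_cost(p: BusinessProcess) -> float:
    """First cost factor: cost of the process being unavailable."""
    return p.downtime_cost_per_hour * p.expected_outage_hours


def total_impact(p: BusinessProcess) -> float:
    """Business impact = downtime cost + recovery cost (the two factors in the text)."""
    return downtime_cost(p) + p.recovery_cost


def disruption_severity(p: BusinessProcess) -> str:
    """Severity grows with the period the system remains down, relative to what is tolerable."""
    if p.max_tolerable_downtime_hours <= 0:
        raise ValueError(f"{p.name}: maximum tolerable downtime must be positive")
    ratio = p.expected_outage_hours / p.max_tolerable_downtime_hours
    for threshold, label in SEVERITY_BANDS:
        if ratio >= threshold:
            return label
    return "low"  # not reached: the ratio is never negative


def recovery_priority(processes):
    """Order for recovery: most severe disruption first, then largest business impact."""
    return sorted(
        processes,
        key=lambda p: (SEVERITY_RANK[disruption_severity(p)], -total_impact(p), p.name),
    )


def bia_report(processes):
    """Rows of (priority, name, severity, total impact) for the criticality analysis."""
    return [
        (rank, p.name, disruption_severity(p), total_impact(p))
        for rank, p in enumerate(recovery_priority(processes), 1)
    ]


# Constructed sample inventory; every figure is illustrative only.
SAMPLE_PROCESSES = [
    BusinessProcess("Intranet wiki", 50, 48, 500, 240),
    BusinessProcess("Payroll", 1_000, 24, 5_000, 72),
    BusinessProcess("Order processing", 5_000, 8, 20_000, 4),
    BusinessProcess("Customer portal", 3_000, 6, 10_000, 8),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_PROCESSES):
        print("{:>2}. {:<18} {:<9} impact={:>10,.2f}".format(*row))
```

The sort key puts downtime severity ahead of monetary impact deliberately: a process with a small impact figure but an outage longer than the business can tolerate still has to be recovered first, which is the criterion the text gives.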
Capability Maturity Models
Capability maturity models are useful to determine the maturity level of the risk management process.
The following table indicates the different maturity levels of an organization:
The capability maturity model (CMM) rates processes on a scale of 0 to 5 on the basis of their maturity level. CMM is the most common method applied by organizations to measure their existing state and then to determine the desired one.
Maturity models identify the gaps between the current state of a process and the desired state, helping the organization to determine the necessary remediation steps for improvement.
The capability maturity model is the best technique to enable a peer review of an organization's risk management process.
The capability maturity model requires an organization to have defined and reliable processes that it follows consistently and continuously seeks to improve.
A mature organization is much more likely to prevent incidents, detect incidents sooner and recover rapidly from incidents.
A maturity model determines the current status against the desired level and thus is most helpful for improvement of the risk management process.
The level of performance is the most important factor when using a capability maturity model. Performance is achieved when the objective of the implemented process is met.
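The gap analysis described at the start of this section and the maturity-model comparison just above are the same exercise: record the current and desired level per process and work out what has to be remediated. The example below, added here and not from the original text, does that on the 0 to 5 CMM scale the text states; it rejects levels outside the scale and orders the remediation list by the size of the gap. The process names and levels are a constructed sample.

```python
from typing import Dict, List, Tuple

MIN_LEVEL, MAX_LEVEL = 0, 5  # CMM scale as stated in the text


def validate_level(process: str, level: int) -> int:
    """Reject anything that is not an integer on the 0..5 scale."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(
            f"{process}: maturity level must be an integer {MIN_LEVEL}..{MAX_LEVEL}, got {level!r}"
        )
    return level


def maturity_gaps(assessment: Dict[str, Tuple[int, int]]) -> List[dict]:
    """assessment maps process name -> (current level, desired level).

    Returns one row per process, largest gap first, so the list already reads
    as a remediation order. A process above its desired level has gap 0.
    """
    rows = []
    for process, (current, desired) in assessment.items():
        validate_level(process, current)
        validate_level(process, desired)
        gap = max(0, desired - current)
        rows.append({
            "process": process,
            "current": current,
            "desired": desired,
            "gap": gap,
            "needs_remediation": gap > 0,
        })
    rows.sort(key=lambda r: (-r["gap"], r["process"]))
    return rows


def remediation_plan(assessment: Dict[str, Tuple[int, int]]) -> List[str]:
    """Only the processes that still fall short of the desired level."""
    return [r["process"] for r in maturity_gaps(assessment) if r["needs_remediation"]]


def overall_maturity(assessment: Dict[str, Tuple[int, int]]) -> float:
    """Average current level: one figure for reporting the current state to management."""
    levels = [validate_level(p, current) for p, (current, _) in assessment.items()]
    return round(sum(levels) / len(levels), 2) if levels else 0.0


# Constructed sample assessment (current, desired); not figures from the text.
SAMPLE_ASSESSMENT = {
    "Risk identification": (2, 4),
    "Risk assessment": (3, 4),
    "Control monitoring": (1, 4),
    "Incident response": (4, 4),
    "Risk reporting": (5, 3),
}

if __name__ == "__main__":
    for row in maturity_gaps(SAMPLE_ASSESSMENT):
        flag = "remediate" if row["needs_remediation"] else "ok"
        print(f'{row["process"]:<22} current={row["current"]} desired={row["desired"]} gap={row["gap"]} {flag}')
    print("overall maturity:", overall_maturity(SAMPLE_ASSESSMENT))
```

A desired level below the current one (Risk reporting in the sample) is reported with gap 0 rather than as a negative number; whether the organization is over-investing there is a separate question for the risk owner, not a remediation item.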
Through control testing, a risk practitioner can evaluate the effectiveness, efficiency and adequacy of a control and advise the risk owner of any gap identified.
A threat and vulnerability assessment involves evaluating the business process for threats and vulnerabilities and identifying the likelihood of occurrence and the impact on business processes.
Risk assessment techniques are used to evaluate and implement a risk mitigation strategy as efficiently as possible.
Incident Management
Risk practitioners should evaluate the incident management procedure to determine the current state of controls.
The incident management process includes awareness amongst staff for incident reporting, analysis and root cause analysis of incidents, corrective as well as preventive actions, appropriate training for the response team, etc.
The main objective of the incident management process is to minimize the impact of an incident by getting the affected systems and processes back into normal service at the earliest.
A qualitative analysis of threats helps to design an effective incident response plan. Knowledge of the type, kind and impact of an incident is of great help to incident response efforts.
Enterprise Architecture
Enterprise Architecture (EA) provides the current state of IT along with a future strategy and vision.
The risk practitioner should determine the maturity of the enterprise architecture; where EA is either immature or absent, the risk practitioner must place greater emphasis on technology-specific risk assessment and compatibility.
Log Files
Log files should be properly protected, as they help immensely during forensics.
Maintenance of log files should have appropriate segregation of duties. Logs should be kept in read-only mode, i.e. write, edit and delete should be prohibited.
It is important to ensure that regulatory requirements are complied with. The organization may be fined for non-compliance and for failing to properly track regulation-related transactions.
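The log protection requirement above (no edit, no delete, segregation of duties) needs a way to verify it held, or the logs are of little use in forensics. The example below is added here and is not from the original text: it appends records with a SHA-256 hash chained to the previous line, verifies the chain, checks that group and other users cannot write the file, and then shows which kinds of tampering the checks catch on a constructed three-line log. The record format, the `|` separator and the file name `audit.log` are assumptions for the example.

```python
import hashlib
import os
import stat
import tempfile
from typing import Optional

GENESIS = "0" * 64  # "previous hash" for the very first record


def _link(prev_hash: str, record: str) -> str:
    """Hash of this record bound to the hash of the line before it."""
    return hashlib.sha256(f"{prev_hash}\n{record}".encode()).hexdigest()


def append_record(path: str, record: str) -> str:
    """Append one record (append only, never rewrite) and return its hash."""
    if "\n" in record or "|" in record:
        raise ValueError("record must not contain a newline or '|'")
    prev = GENESIS
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = lines[-1].split("|", 1)[0]
    digest = _link(prev, record)
    with open(path, "a") as f:
        f.write(f"{digest}|{record}\n")
    return digest


def verify_chain(path: str, anchor: Optional[str] = None) -> Optional[str]:
    """Return None if the log is intact, else a description of the first problem.

    anchor: the latest hash as stored outside the log (for example forwarded to a
    separate log host). Without it, removing lines from the end is undetectable.
    """
    prev = GENESIS
    with open(path) as f:
        for n, line in enumerate(f.read().splitlines(), 1):
            digest, sep, record = line.partition("|")
            if not sep or digest != _link(prev, record):
                return f"line {n}: hash mismatch (edited, removed or reordered)"
            prev = digest
    if anchor is not None and prev != anchor:
        return "tail hash does not match the externally stored anchor (truncated?)"
    return None


def writable_by_group_or_others(path: str) -> bool:
    """Segregation of duties check: only the logging account should be able to write."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Write a constructed log, then tamper with copies and record what each check reports."""
    records = [  # constructed sample records
        "user=alice action=login result=ok",
        "user=bob action=login result=fail",
        "user=bob action=sudo result=denied",
    ]
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "audit.log")
        anchor = ""
        for r in records:
            anchor = append_record(path, r)  # last value is the anchor to keep elsewhere
        os.chmod(path, 0o640)
        with open(path) as f:
            original = f.read().splitlines()
        results = {"intact": verify_chain(path, anchor),
                   "others_can_write": writable_by_group_or_others(path)}

        def overwrite(lines):
            with open(path, "w") as f:
                f.write("\n".join(lines) + "\n")

        overwrite([original[0], original[1].replace("result=fail", "result=ok"), original[2]])
        results["after_edit"] = verify_chain(path, anchor)
        overwrite([original[0], original[2]])
        results["after_delete"] = verify_chain(path, anchor)
        overwrite(original[:2])
        results["after_truncate"] = verify_chain(path, anchor)
        results["after_truncate_no_anchor"] = verify_chain(path)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<26} {outcome}")
```

The last two results are the caveat worth remembering: cutting lines off the end leaves a perfectly valid chain, so the hash chain only makes the whole log tamper-evident when the latest hash is also kept somewhere the log writer cannot reach, which is the segregation of duties the text asks for.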
Media Reports
Media reports provide useful sources of information about industry-level threats or incidents.
The risk practitioner should ensure that the organization has the capability to track media communication impacting the organization or its employees, customers or business partners.
The organization should have a well-defined and documented policy to respond to a threat mentioned in the media that impacts the organization.
Self-Assessments
Control self-assessment requires the involvement of the line managers in monitoring risk and control effectiveness within their areas of responsibility.
Control self-assessment provides assurance about control effectiveness and may also reduce the need for more intense audits.
Third Party Assurance
Third-party assurance in the form of reviews, audits and compliance verification provides an independent source of information about the current state of control.
In the case of outsourcing of a service, the first step for a risk practitioner is to validate that all the required security clauses are addressed in the service level agreement.
Feedback from system users helps to determine the risk and control environment of the system.
Computer emergency response teams (CERTs) and other security vendors provide inputs on current threats and vulnerabilities, new types of malware and emerging attack methods, which are of immense help in making the control environment more stringent.
Vulnerability Assessments and Penetration Testing
VAPT reports are a reliable means of estimating the level of IT risk in the organization.
Penetration tests should be conducted at regular intervals and also after a major infrastructure change, as changes in the infrastructure are likely to introduce new vulnerabilities.
In a black-box testing scenario, the tester is provided with limited or no knowledge of the target's information systems. Inappropriate planning and timing of the test may cause the system to fail. It is very important that the tester is well experienced and aware of the clear scope of the test.