Integrated Site Security for Grids

A project co-funded by EU FP6 programme
Risk assessment


Introduction

All organisations contain assets that they wish to protect from harm. The harm may be the result of an accidental or deliberate act by an individual or the result of some external event, e.g.

Accidental - A user deletes all their data files
Deliberate - An external attacker tries to access finance information
External event - Flooding of a data centre or loss of power

The senior managers within organisations are often required to establish a process to manage risks within the organisation as part of a corporate governance strategy. Often a risk management process is established to support this understanding of risk so that it can:

Identify the assets to protect

Analyse the existing security controls and prioritize risks

Implement any identified and resourced improvement plans

Monitor the existing controls to see that they are effective.

The process should be objective and repeated periodically within organisations. 

See also the “What is a risk?” presentation (PDF, PPT), aimed at management and suitable for all audiences, which explains what a risk is, whether risks change over time, and whether there are Grid-specific risks and emerging risks. For information on emerging risks, please visit the ENISA website.


ISSeG risk assessment questionnaire

Based on practical experience at a number of Grid sites, the ISSeG project have developed a risk assessment questionnaire that can help you assess the security of your site.

The questionnaire has been developed as a Microsoft Excel® spreadsheet that requires the use of macros. If you do not have access to Microsoft Excel®, you may wish to use the Excel Viewer 2003 available from the Microsoft web site.

Download the Questionnaire (Excel 2003 format) 

Open the Excel file, read the introduction, then select the tab entitled “Questionnaire”. With Macros enabled, clicking the button “Questionnaire Wizard” starts the questionnaire.

The questionnaire is divided into two parts: part 1 helps you identify the assets you need to protect, and part 2 assesses the current security measures you have in place at your site.

Once you have completed the questionnaire, you can prioritize the risks and identify which improvements are needed. For more details, see the Integrated Site Security method below.

To get an overview of the questionnaire, you can view the risk assessment questions and their relevant recommendations.


The Integrated Site Security method

Integrated Site Security is a practical method for improving security at a Grid site. It consists of four steps:

(a) Identify assets to protect
(b) Analyse existing security controls and prioritize risks
(c) Implement security improvements
(d) Monitor and review

These steps are explained below:

(a) Identify assets to protect

Part 1 of the risk assessment questionnaire (questions 1-16) identifies the assets on the site that must be protected and assesses their criticality. Assets are classed as either baseline assets (assumed to be present on all sites) or specific assets that some sites may have.

For the baseline assets (questions 1-7), default responses for their criticality are pre-entered (shown below in italics). These can be amended by a site if necessary when completing the risk assessment questionnaire but are assumed to be the default for Grid sites:

  1. Desktop computers (Windows/Linux PCs, Mac…) Medium criticality*
  2. Network (LAN, WAN, Internet access) High criticality**
  3. Backups (e.g. tape drive on server) Medium criticality
  4. Office servers (file and print) High criticality
  5. Application servers High criticality
  6. Centralized authentication (directory, or server-based authentication) High criticality
  7. Grid resources*** High criticality

* Medium criticality: A site cannot efficiently achieve its mission without these assets or services
** High criticality: A site cannot achieve its mission at all without these assets or services
*** A Grid resource is any equipment, software or data required to run a service on the Grid.

For the specific assets (questions 8-16), sites can identify whether they have the assets on their site and, if so, what their criticality might be. The ISSeG project has proposed the following list of specific assets:

  1. Expensive and/or dangerous equipment
  2. Services provided across the Internet
  3. Local email service (managed on site)
  4. Confidential information stored on site
  5. Confidential data exchanged with off-site partners
  6. Services with high availability requirements
  7. Visitor access services (i.e. allowing visitors to access local resources such as file & print, applications, etc.)
  8. External user access services (i.e. access site resources from a remote network)
  9. Centralized backup service.

(b) Analyse existing security controls and prioritize risks

Part 2 of the risk assessment questionnaire (questions 17-107) reveals how secure the site currently is. Your answers to these questions reveal your existing security controls and highlight any security holes your site may have. For each question, you must rank the degree to which your site meets a security control.

Once questions are answered, the questionnaire provides a prioritised list of threats and a list of the weakest security controls. Together these help you to prioritise the risks to your site. You then need to look at these risks and use the knowledge of your site to decide which ones are acceptable, if any, and address the others.


(c) Implement security improvements

Unacceptable risks can be mitigated by additional technical, administrative or educational security measures. You should evaluate the cost and benefit of each measure when planning which to implement. ISSeG recommendations can help you to implement improvements and these can be reached in a number of ways, as outlined below.

The results of the risk assessment questionnaire can lead you to recommendations tailored to the needs of your site. When you have completed the questionnaire, your prioritised list of threats (the 'Top threats' tab of your Excel file) contains hyperlinks from each threat to its corresponding page on the ISSeG web site. This page contains links to the threat's associated recommendations. Alternatively, you can use the threats page. For example, threat T2 “Password compromise” links to three relevant recommendations:

  • R27 “Implement a formal management process for password allocation”
  • R28 “Enforce good practices in the selection and use of passwords”
  • R30 “Adopt appropriate security measures for remote and mobile computing”.

Each recommendation description contains links to other related recommendations.

You can also examine the 'Answers analysis' tab of your Excel file and link from a weak security control to a recommendation using the risk assessment questions page. For example, question Q056 “Are all connections with external networks protected by a firewall?” links to recommendation R19 “Implement intrusion detection and prevention mechanisms including firewalls”. This gives you practical advice for improving perimeter security. R19’s description also contains links to other related recommendations.

You can also go straight to the full list of recommendations.

Using the recommendations, you can now prepare an implementation plan (see example below). It should list the tasks to be done, with sub-tasks if necessary, each with a timeframe and the person or team responsible. Below is a non-site-specific example, based on ISS deployment at ISSeG partner sites.

Extract of an example implementation plan

Security training needs to be targeted at the specific needs of at least the three groups comprising end users, system administrators and developers. The Training web page divides training resources into those for general users, system administrators, developers and managers. From this page, links can be followed to security checklists and useful presentations tailored for the specific audience. The following two ISSeG recommendations provide further advice:

  • R56 “Adapt training to requirements of users, developers and system administrators”

  • R57 “Integrate security training and best practice into organisational structures”


(d) Monitor and review

Security is an evolving process and the effectiveness of the security controls needs to be monitored, for example using intrusion detection and statistical logs and records. The following ISSeG recommendations provide specific advice:

  • R19 “Implement intrusion detection and prevention mechanisms including firewalls”
  • R23 “Enable audit logging of user activities, exceptions and security events”
  • R35 “Establish a procedure for reporting security events and weaknesses”

Regularly review the effectiveness of security controls as attackers are constantly finding new ways to attack a site. Security personnel need a “virtuous circle” to ‘protect’ the site, ‘detect’ attacks and ‘respond’ accordingly. The following ISSeG recommendations provide specific advice:

  • R0 “Perform a site security risk assessment”
  • R52 “Adapt incident detection to meet evolving trends”
  • R55 “Review and enforce existing policies”
  • R56 “Adapt training to requirements of users, developers and system administrators”
  • R58 “Maintain administrative procedures in step with evolving security needs”

Copyright (c) Members of the ISSeG Collaboration 2008
This is version 5.2 of the website.