Risk assessment
All organisations contain assets that they wish to protect from harm. The harm may be the result of an accidental or deliberate act by an individual, or the result of some external event, e.g.:
- Accidental: a user deletes all their data files
- Deliberate: an external attacker tries to access finance information
- External event: flooding of a data centre or loss of power
The senior managers within organisations are often required to establish a process to manage risks within the organisation as part of a corporate governance strategy. Often a risk management process is established to support this understanding of risk so that it can:
- Identify the assets to protect
- Analyse the existing security controls and prioritize risks
- Implement any identified and resourced improvement plans
- Monitor the existing controls to see that they are effective.
The process should be objective and repeated periodically within organisations.
See also the "What is a risk?" presentation (PDF, PPT), aimed at management and suitable for all audiences, which explains what a risk is, whether risks change over time, and whether there are Grid-specific risks and emerging risks. For information on emerging risks, please visit the ENISA website.
Based on practical experience at a number of Grid sites, the ISSeG project has developed a risk assessment questionnaire that can help you assess the security of your site.

The questionnaire has been developed as a Microsoft Excel®
spreadsheet that requires the use of macros. If you do not have
access to Microsoft Excel®, you may wish to use the Excel Viewer 2003
available from the Microsoft web site.
Download the Questionnaire (Excel 2003 format)
Open the Excel file, read the introduction, then select the tab entitled “Questionnaire”. With macros enabled, clicking the button “Questionnaire Wizard” starts the questionnaire.
The questionnaire is divided into two parts: Part 1 helps you identify the assets you need to protect, and Part 2 assesses the current security measures you have in place at your site.
Once you have completed the questionnaire you can prioritize the risks and identify which improvements are needed; for more details see the Integrated Site Security method below.
To get an overview of the questionnaire, you can view the risk assessment questions and their relevant recommendations.
Integrated Site Security is a practical method for improving security at a Grid site. It consists of four steps:
(a) Identify assets to protect
(b) Analyse existing security controls and prioritize risks
(c) Implement security improvements
(d) Monitor and review
These steps are explained below:
(a) Identify assets to protect
Part 1 of the risk assessment questionnaire (questions 1-16) identifies the assets on the site that must be protected and assesses their criticality. Assets are classed as either baseline assets (assumed to be present on all sites) or specific assets that some sites may have.
For the baseline assets (questions 1-7), default responses for their criticality are pre-entered (shown below in italics). These can be amended by a site if necessary when completing the risk assessment questionnaire, but are assumed to be the default for Grid sites:
- Desktop computers (Windows/Linux PCs, Mac…): Medium criticality*
- Network (LAN, WAN, Internet access): High criticality**
- Backups (e.g. tape drive on server): Medium criticality
- Office servers (file and print): High criticality
- Application servers: High criticality
- Centralized authentication (directory, or server-based authentication): High criticality
- Grid resources***: High criticality
* Medium criticality: A site cannot achieve efficiently its mission without these assets or services
** High criticality: A site cannot achieve its mission at all without these assets or services
*** A Grid resource is any equipment, software or data required to run a service on the Grid.
For the specific assets (questions 8-16), sites can identify whether they have the assets on their site and, if so, what their criticality might be. The ISSeG project has proposed the following list of specific assets:
- Expensive and/or dangerous equipment
- Services provided across the Internet
- Local email service (managed on site)
- Confidential information stored on site
- Confidential data exchanged with off-site partners
- Services with high availability requirements
- Visitor access services (i.e. allowing visitors to access local resources such as file & print, applications, etc.)
- External user access services (i.e. access site resources from a remote network)
- Centralized backup service.
(b) Analyse existing security controls and prioritize risks
Part 2 of the risk assessment questionnaire (questions 17-107) reveals how secure the site currently is. Your answers to these questions reveal your existing security controls and highlight any security holes your site may have. For each question, you must rank the degree to which your site meets a security control.
Once the questions are answered, the questionnaire provides a prioritised list of threats and a list of the weakest security controls. Together these help you to prioritise the risks to your site. You then need to look at these risks and use your knowledge of the site to decide which ones are acceptable, if any, and address the others.
(c) Implement security improvements
Unacceptable risks can be mitigated by additional technical, administrative or educational security measures. You should evaluate the cost and benefit of each measure when planning which to implement. ISSeG recommendations can help you to implement improvements, and these can be reached in a number of ways, as outlined below.
The results of the risk assessment questionnaire can lead you to recommendations tailored to the needs of your site. When you have completed the questionnaire, your prioritised list of threats (the 'Top threats' tab of your Excel file) contains hyperlinks from each threat to its corresponding page on the ISSeG web site. This page contains links to the threat's associated recommendations. Alternatively, you can use the threats page.
For example, threat T2 “Password compromise” links to
three relevant recommendations:
- R27 “Implement a formal management process for password allocation”
- R28 “Enforce good practices in the selection and use of passwords”
- R30 “Adopt appropriate security measures for remote and mobile computing”.
Each recommendation description contains links to other related recommendations.
You can also examine the 'Answers analysis' tab of your Excel file and link from a weak security control to a recommendation using the risk assessment questions page.
For example, question Q056 “Are all connections with external networks protected by a firewall?” links to recommendation R19 “Implement intrusion detection and prevention mechanisms including firewalls”. This gives you practical advice for improving perimeter security. R19’s description also contains links to other related recommendations.
You can also go straight to the full list of recommendations.
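The chain the questionnaire builds in steps (a) to (c), asset criticality feeding control weakness, weakness feeding a threat ranking, and threats and weak controls feeding recommendations, can be modelled in a few lines. The following is an added example and not the ISSeG questionnaire's own scoring: the numeric weights, the rank scale, the asset/threat links and every identifier containing `_hyp` are assumptions, while the baseline assets, their default criticalities, Q056 to R19 and T2 to R27/R28/R30 come from the text above.

```python
from collections import defaultdict

CRITICALITY = {"Medium": 2, "High": 3}  # assumed weights; the page does not describe the real scoring
FULLY_MET = 3  # assumed rank scale for Part 2 answers: 0 (control absent) .. 3 (fully met)

# Part 1 baseline assets with the page's default criticality
ASSETS = {
    "Desktop computers": "Medium", "Network": "High", "Backups": "Medium",
    "Office servers": "High", "Application servers": "High",
    "Centralized authentication": "High", "Grid resources": "High",
}

# Part 2 controls: id -> (question, assets it protects, threat it counters, recommendations).
# Q056 -> R19 and T2 -> R27/R28/R30 are from the page; *_hyp ids and all asset/threat links are constructed.
CONTROLS = {
    "Q056": ("Are all connections with external networks protected by a firewall?",
             ["Network", "Grid resources"], "T_hyp_perimeter", ["R19"]),
    "Q_hyp_pw": ("Are good practices enforced in the selection and use of passwords?",
                 ["Centralized authentication", "Desktop computers"], "T2", ["R27", "R28", "R30"]),
    "Q_hyp_bk": ("Are backups tested by restoring them periodically?",
                 ["Backups"], "T_hyp_data_loss", ["R_hyp_backup"]),
}

def control_gap(qid, rank):
    """Risk contributed by one control: its shortfall from fully met, weighted by the most critical asset it protects."""
    _, assets, _, _ = CONTROLS[qid]
    return (FULLY_MET - rank) * max(CRITICALITY[ASSETS[a]] for a in assets)

def prioritise(answers):
    """answers: {qid: rank}. Returns (threats ranked by risk, weakest controls ranked by gap), both descending."""
    threats, weakest = defaultdict(int), []
    for qid, rank in answers.items():
        gap = control_gap(qid, rank)
        threats[CONTROLS[qid][2]] += gap
        if gap > 0:  # a fully met control is not a weakness
            weakest.append((qid, gap))
    return (sorted(threats.items(), key=lambda t: (-t[1], t[0])),
            sorted(weakest, key=lambda c: (-c[1], c[0])))

def recommendations_for(qids):
    """Recommendations linked from the given controls, in priority order and without duplicates."""
    out = []
    for qid in qids:
        for rec in CONTROLS[qid][3]:
            if rec not in out:
                out.append(rec)
    return out

# Constructed sample answers: firewall partly in place, passwords unmanaged, backups fully tested
SAMPLE_ANSWERS = {"Q056": 2, "Q_hyp_pw": 0, "Q_hyp_bk": 3}
```

With the sample answers, `prioritise` puts T2 first (an unmanaged control protecting a High-criticality asset) and `recommendations_for` on the weakest controls yields R27, R28, R30 and then R19, mirroring how the 'Top threats' and 'Answers analysis' tabs lead to recommendations.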
Using the recommendations you can now prepare an implementation plan (see example below). This should list the tasks to be done, with sub-tasks if necessary, each with a timeframe and the person/team responsible. Below is a non-site-specific example, based on ISS deployment at ISSeG partner sites.

[Figure: Extract of an example implementation plan]
Security training needs to be targeted at the specific needs of at least the three groups comprising end users, system administrators and developers. The Training web page divides training resources into those for general users, system administrators, developers and managers. From this page, links can be followed to security checklists and useful presentations tailored for the specific audience. The following two ISSeG recommendations provide further advice:
- R56 “Adapt training to requirements of users, developers and system administrators”
- R57 “Integrate security training and best practice into organisational structures”
(d) Monitor and review
Security is an evolving process and the effectiveness of the security controls needs to be monitored, for example using intrusion detection and statistical logs and records. The following ISSeG recommendations provide specific advice:
- R19 “Implement intrusion detection and prevention mechanisms including firewalls”
- R23 “Enable audit logging of user activities, exceptions and security events”
- R35 “Establish a procedure for reporting security events and weaknesses”
Regularly review the effectiveness of security controls, as attackers are constantly finding new ways to attack a site. Security personnel need a “virtuous circle” to ‘protect’ the site, ‘detect’ attacks and ‘respond’ accordingly. The following ISSeG recommendations provide specific advice:
- R0 “Perform a site security risk assessment”
- R52 “Adapt incident detection to meet evolving trends”
- R55 “Review and enforce existing policies”
- R56 “Adapt training to requirements of users, developers and system administrators”
- R58 “Maintain administrative procedures in step with evolving security needs”