Next: 7.4 The security policy Up: 7. Introduction to security Previous: 7.2 Cost aspects of

  
7.3 A gentle introduction to risk analysis

Information systems are becoming more and more important to organizations. As organizations rely more heavily on ICT systems, they also become increasingly vulnerable to attacks. When a back-office system fails, manual intervention is often not a feasible option because of the huge amount of data being processed and the transactional dependencies between different systems, and this while in many cases the value of the data processed cannot easily be estimated.

Nowadays no computer system is built without a thorough analysis of its requirements. The same certainly goes for a security system, where high interests are at stake.

A general analysis model includes an organization's assets and their value to the organization, the threats it is exposed to, and its weaknesses and vulnerabilities. From this information, risks can be derived for the organization as a whole and for individual subsystems, databases and data items. This in turn allows countermeasures to be set up and codes of practice, standards and security guidelines to be formulated.

First, a review boundary is set up. At the core of the review are the assets; elements external to the analysis can include the public telephone network, third parties that have access to internal databases and financial systems, etc. These are taken as given and cannot be modified. Assets are subject to deliberate threats (attacks, for instance) and accidental threats (negligence, carelessness, ...). Assets can be hardware, software or data. Dependencies exist between these elements and it is important to recognize them: unwanted access to one component can result in other crucial systems or data becoming exposed. Being exposed to a threat, however, only matters if that threat can have an impact. The factors that turn a threat into reality and let it harm you -- i.e. have an impact -- are vulnerabilities. Furthermore, an impact requires an external or internal action to be taken or an event to take place. Unlike accidental threats, deliberate threats are triggered. Here we can distinguish between motivation and determination: why would someone want to attack the system -- how attractive is it? -- and how far is (s)he willing to go? Other factors include an attacker's resources and capability. For the appropriate controls to be put in place, these different impacts have to be measured [7.4].

Based upon the asset-threat-impact model, countermeasures can be devised. On the side of the assets one can remodel the system to reduce dependencies and communication between systems, or prevent incompetent people from accessing systems they have no knowledge of. As far as threats are concerned, the idea is to reduce motivation -- laws have proved rather unsuccessful at this, though -- and vulnerability. A common example is the installation of a network firewall. Next one can consider reducing the impact once an attacker has penetrated, for instance by distributing data over multiple machines or by putting different levels of physical protection in place according to the sensitivity of the systems or data.

Conducting a risk analysis involves determining the value of assets and their dependencies, assessing threats and identifying the safeguards that are already in place. One aspect of identifying threats is gauging the likelihood of their occurrence and the severity of their impact. When selecting additional or revised safeguards, one should keep the security objectives in mind. In general, any system's implementation has to consider a number of constraints (time, technical, financial, environmental, sociological [7.5], ...). These have to be identified and will influence the selection of safeguards.
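The asset-threat-impact model and the likelihood and impact assessment of the preceding paragraphs can be written down as a small scoring exercise. The following Python code is an added example, not part of the original text: it assumes an ordinal 1-5 rating for asset value, likelihood and vulnerability, the common product scoring risk = likelihood x vulnerability x value of every exposed asset, follows the dependencies between assets, and ranks candidate safeguards of both kinds named above (remodelling to cut a dependency, and a firewall lowering a vulnerability) by the risk they remove. The inventory, threats and safeguards are constructed sample data.

```python
from dataclasses import dataclass, replace

@dataclass
class Asset:
    name: str
    value: int               # value to the organization; assumed 1-5 rating
    depends_on: tuple = ()   # assets this one relies on
@dataclass
class Threat:
    name: str
    target: str              # asset the threat strikes first
    likelihood: int          # 1-5; frequency for accidental threats, motivation/capability for deliberate ones
    vulnerability: int       # 1-5; how easily the threat turns into an impact
@dataclass
class Safeguard:
    name: str
    threat: str = ""         # threat whose vulnerability the safeguard lowers
    factor: float = 1.0      # multiplier applied to that vulnerability
    cut: tuple = ()          # (asset, dependency) edge removed by remodelling the system

def exposed(assets, start):
    """Transitive closure: compromising `start` exposes everything that relies on it."""
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        seen.add(cur)
        stack.extend(a.name for a in assets if cur in a.depends_on and a.name not in seen)
    return seen

def risk(assets, threat):
    """Assumed scoring: likelihood x vulnerability x value of every exposed asset."""
    impact = sum(a.value for a in assets if a.name in exposed(assets, threat.target))
    return threat.likelihood * threat.vulnerability * impact
def total_risk(assets, threats): return sum(risk(assets, t) for t in threats)

def with_safeguard(assets, threats, sg):
    """The model with one safeguard in place; the inputs are not mutated."""
    assets = [replace(a, depends_on=tuple(d for d in a.depends_on if (a.name, d) != sg.cut)) for a in assets]
    threats = [replace(t, vulnerability=t.vulnerability * sg.factor) if t.name == sg.threat else t for t in threats]
    return assets, threats

def rank_safeguards(assets, threats, safeguards):
    """Safeguards ordered by the total risk they remove, highest first."""
    base = total_risk(assets, threats)
    return sorted([(base - total_risk(*with_safeguard(assets, threats, s)), s.name) for s in safeguards], reverse=True)
# Constructed sample inventory (not from the text): payroll data on a LAN server reachable via dial-in.
ASSETS = [Asset("lan", 2), Asset("db_server", 3, ("lan",)), Asset("payroll_db", 5, ("db_server",)),
          Asset("workstation", 1)]
THREATS = [Threat("dial_in_intrusion", "lan", 2, 4), Threat("operator_error", "workstation", 4, 3)]
SAFEGUARDS = [Safeguard("firewall on dial-in", threat="dial_in_intrusion", factor=0.25),
              Safeguard("isolate db_server from lan", cut=("db_server", "lan"))]
```

With this data the frequent but isolated operator error scores far below the rare dial-in intrusion, because the LAN exposes the database server and through it the payroll data; cutting that dependency removes slightly more risk than the firewall does.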

A final step is to consider the detection of security breaches, for instance by setting up a decent audit system. Contingency and disaster recovery plans (including backups) are the ultimate precautions you hope you will never need. Note, however, that your measures become more effective the closer they are to the assets [7.6].



Footnotes

[7.4] ... measured
Impacts on different assets under consideration can be:

[7.5] ... sociological
Users will try to bypass unnatural security systems -- think of users having to remember a (different?) password for every application they use.
[7.6] ... assets
It is clear that preventing someone from destroying your data is more effective than restoring it from backups for instance.

(c) 1998, Filip Schepers