The National Institute of Standards and Technology, Essay Example

Pages: 5

Words: 1450

Essay

Introduction

The National Institute of Standards and Technology (NIST) notes that, due to the Computer Security Act of 1987, the Federal Information Resources Management Regulation (FIRMR), and OMB Circular A-130, agencies in both the private and public sector are required to set up security systems to secure sensitive systems and mitigate the risk involved with these systems. The purpose of this form of computer security risk management is for organizations to establish conscious protocols to protect valuable resources such as information, hardware, and software.

Body

System Characterization

A system is characterized by its operating location as mobile, portable, or static. Mobile systems are usually functional when they are installed in a vehicle, whereas portable systems are not installed in fixed locations but are operable in fixed locations, in vehicles, and out in the open (NIST, 2012). Static systems are those that must be installed in fixed locations. The actual physical location of these systems, and the security measures taken to dictate that location and reduce risk, depend entirely on the potential threats that may occur, for example roof leaks, fire, or unauthorized access that can’t be regulated. All of these characteristics fall under the category of account management. Account management entails minimizing the cost of the system and monitoring billing and distribution of services to ensure they are balanced. The specific items involved at this level include products like routers and switches, hardware, circuits, and inventory management for more efficiency in response to changes in service requirements.

Threat Identification

Threat identification entails isolating questionable behavior, either by the system or by individuals engaging and interacting with system functions, and scanning or evaluating it for integrity. System hardware can be stolen and software can be corrupted. The threat of theft is a major potential risk. Another threat can come in the form of loss of control over system integrity. For example, if a hacker is able to acquire access to the central processing unit of the system, they can circumvent logical access controls and reboot the system. This poses the threat of fraud, disclosure of sensitive data, the introduction of Trojan horses to the system, or other potentially damaging events. If these threats are not identified early on, it can be very hard to trace the cause or determine what corruptions or file changes have been made. Threat identification systems monitor the complete IT infrastructure to safeguard the efficiency of applications and services. When a system failure occurs, an effective threat identification system warns tech support early on and potentially provides users with the information needed to prevent outages from impacting end users, business practices, or customers. Specifically, the system allows users to plan for upgrades in their infrastructure before aspects of their system are outdated. It supplements account management practices to prevent outages from impacting the bottom line of the companies or organizations utilizing the system. It also automatically fixes problems upon identifying them and ensures all SLAs of users are met.

Vulnerability Identification

Vulnerabilities are weaknesses in the system that are exploited by threats. They are the telltale signs that risk assessment teams search for to avert threats. Vulnerabilities are assessed by measuring the threat environment. Vulnerabilities can also be created by programming errors or system crashes. In some cases, data entry errors or programming errors made on the job can be a bigger threat and cause more vulnerabilities than a threatening environment might impose. Programming development errors, or “bugs,” can cause severe security risks. NIST cites a 1989 study performed by the House Committee on Science, Space and Technology, which noted that “As expenditures grow, so do concerns about the reliability, cost and accuracy of ever-larger and more complex software systems. These concerns are heightened as computers perform more critical tasks, where mistakes can cause financial turmoil, accidents, or in extreme cases, death” (NIST, 2012).

Likelihood Determination

Likelihood determination entails identifying the possibility that a potential risk may occur. It is carried out by identifying system vulnerabilities. Through quantitative and qualitative reports measuring system consistency and integrity, the likelihood of potential risks can be evaluated and measured. Security management is the level solely responsible for preventing the system from crashing due to external malicious factors. Security management entails regulating access to the network, specifically limiting unauthorized access by those who want to modify the system for unproductive reasons. The security management level is in charge of protecting the system from vulnerabilities such as cyber attacks. Key ways to protect the network from intrusion include setting up firewalls or security protocols such as registration requirements or security clearances for users. A significant aspect of this layer is to identify which areas need improvement and can be modified for the best overall enhancement.

Control Analysis

Control analysis involves the assessment of controls put in place to mitigate security risks. The ability of a computer security system to reduce risk is directly related to the level of control an administrator has over the functionality of their system. For example, all tools utilized to scan system functions are only as effective as their ability to resolve system issues. “[M]erely selecting appropriate safeguards does not reduce risk; those safeguards need to be effectively implemented. Moreover, to continue to be effective, risk management needs to be an ongoing process. This requires a periodic assessment and improvement of safeguards and re-analysis of risks…. periodic risk assessment is an integral part of the overall management of a system” (NIST, 2012). Modifying hardware or implementing programming protocols are also tasks commonly carried out through control management and analysis. Inventory is also a part of configuration management, as sound configuration management systems handle tracking and monitoring the use of inventory.

Impact Analysis

Impact analysis entails calculating cost considerations, and the influence threats could have on business operations if they were to evolve into larger issues, versus the cost of risk management protocols, specifically the cost of implementing security policy. This is because implementing new policies can often require extensive training, which can be costly. Asset valuation also plays a major part in impact analysis, as the intrinsic value of assets must be acknowledged in relation to the long-term consequences that can occur if they are corrupted or compromised. Consequence assessment is also a significant aspect of impact analysis, as it involves measuring the degree of damage or loss that could potentially arise. NIST notes that most impacts result in modification, destruction, disclosure, or denial of service, but the consequences refer to the long-term results. Examples of consequences are privacy violations, loss of system life, failure of the system to perform its intended function, and loss of business or brand reputation.

Result Documentation

Risk analysis results are documented both qualitatively and quantitatively. In terms of quantitative results, risk analysis is measured in the form of monetary losses, as well as single loss occurrences or annualized loss expectancies. NIST notes that, “Limiting the risk interpretation activity to the most significant risks is another way that the risk management process can be focused to reduce the overall effort while still yielding useful results” (NIST, 2012). Furthermore, qualitative results are measured with rankings like high, low, and 1-10. This ranking method is used to assess the quality of potential risk. In regards to qualitative risk assessment, NIST notes that, “in some cases, the amount of work required to achieve high-quality input will be too costly. In other cases, achieving high-quality input may be impossible, especially for such variables as the prevalence of a particular threat or the anticipated effectiveness of a proposed safeguard” (NIST, 2012). Computer security teams of respective organizations take the results of these reports and utilize them to assess risk threats and make recommendations to managing officers to implement new policies based on an analysis of all potential benefits, constraints, and account solutions. Through determination and analysis of results, controls are also set to mitigate risk.
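The impact analysis and result documentation steps above can be worked through as a small risk register. The following is an added example, not part of the original essay or of the NIST guideline; it assumes the commonly used relations single loss expectancy = asset value × exposure factor and annualized loss expectancy = single loss expectancy × annual rate of occurrence, and every figure and ranking threshold in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of a risk register. All figures used below are constructed."""
    name: str
    asset_value: float         # monetary value of the affected asset
    exposure_factor: float     # fraction of that value lost per occurrence (0..1)
    aro: float                 # assumed occurrences per year without the safeguard
    aro_with_safeguard: float  # assumed occurrences per year with the safeguard
    safeguard_cost: float      # annual cost of the safeguard, training included

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any safeguard."""
        return self.sle * self.aro

    @property
    def net_benefit(self) -> float:
        """Yearly loss avoided by the safeguard minus what the safeguard costs."""
        return self.ale - self.sle * self.aro_with_safeguard - self.safeguard_cost

def rank(ale: float) -> str:
    """Qualitative ranking; the thresholds are assumptions for this example."""
    if ale >= 50_000:
        return "high"
    return "medium" if ale >= 10_000 else "low"

def report(risks, top_n=2):
    """Keep only the most significant risks, as the quoted NIST advice suggests."""
    ranked = sorted(risks, key=lambda r: r.ale, reverse=True)[:top_n]
    return [(r.name, round(r.ale), rank(r.ale), r.net_benefit > 0) for r in ranked]

# Constructed register using threats named in the essay.
REGISTER = [
    Risk("hardware theft", 40_000, 1.0, 0.5, 0.1, 3_000),
    Risk("roof leak", 200_000, 0.25, 0.1, 0.05, 8_000),
    Risk("data entry error", 500_000, 0.02, 12, 3, 25_000),
]

if __name__ == "__main__":
    for name, ale, label, worthwhile in report(REGISTER):
        print(f"{name}: ALE={ale} rank={label} safeguard worthwhile={worthwhile}")
```

With these constructed inputs, frequent low-value data entry errors outrank the rarer physical threats, and the roof-leak safeguard costs more per year than the loss it avoids.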

Conclusion

In sum, risk management requires a wide range of tools that ensure network problems are identified and resolved. Potential problems that could arise in the future are also identified so the network stays operational and downtime is minimized. When a system failure occurs, risk assessment and risk management warn tech support early on and potentially provide users with the information needed to prevent outages from impacting end users, business practices, or customers. Specifically, the system allows users to plan for upgrades in their infrastructure before aspects of their system are outdated. It supplements account management practices to prevent outages from impacting the bottom line of the companies or organizations utilizing the system.

National Institute of Standards and Technology. (2012). Guideline for the Analysis of Local Area Network Security. Federal Information Processing Standard Publication 191. November.
