CSE 6203 - Lecture 01


Security Evaluation and Assessment Methodology
Introduction
Self Introduction
• Name: Mohammad Shahriar Rahman
• Designation: Professor
• Experience:
• Professor: CSE, UIU, 2022-
• Associate Professor & HoD, CSE, ULAB: 2017-2021 & 2018-2019
• Senior Researcher: KDDI Research, Japan, 2015-2017
• Assistant Professor: University of Asia Pacific, 2012-2017
• Visiting Faculty: BUP, 2014
• Research Intern: National Institute of Information and Communications Technology (NICT), Japan, 2010
Self Introduction
• Education:
• PhD + MSc: Japan Advanced Institute of Science and Technology (JAIST), 2012, 2009
• BSc: CSE, University of Dhaka, 2006
• HSC + SSC: Mirzapur Cadet College, Tangail, 1999, 1997
• Research:
• Cyber Security
• Privacy-preserving Technology
• Security in IoT, Healthcare, Smartcities, FinTech
About the Course
• Security Evaluation Criteria and Methodology: Concepts and Related Activities
• Basics of Risk Assessment
• Risk Assessment Preparation
• Administrative, Technical and Physical Data Gathering
• Security Risk Analysis, Mitigation and Reporting
• Risk Assessment Project Management
• Risk Assessment Tools and Methods
• Recent Literature on Security Evaluation and Methodology
About the Course
Assessment:
SL  Criteria             Marks
1.  Attendance           5%
2.  Class Participation  5%
3.  CT                   20%
4.  Assignments          15%
5.  Mid                  25%
6.  Final                30%
Textbook: The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Douglas J. Landoll, 2nd edition, CRC Press.
Other reading materials will be provided as we move forward.
Introduction
The Role of the Information Security Manager

The information security manager's set of responsibilities includes:
• Preventing loss, fraud, and sensitive data breaches
• Demonstrating regulatory compliance
• Managing security policies
• Ensuring business continuity
• Planning incident and disaster response, and
• Prioritizing security initiatives
Should all of these responsibilities sit with information security personnel, given that organizational structures may place responsibility for fraud or business continuity in other departments?
Introduction

Despite the structural differences between organizations, the threat or regulatory environment, or even economic conditions, there is always a limit to the funding and staff available to carry out security initiatives. It is not enough to know the set of security projects that would improve the organization's security posture. The security manager needs to be able to justify the next project and defend that decision.
Audit as a Driver for Security Initiatives
When audit findings are the primary driver for determining the next security initiative:
• The organization has no clear security strategy.
• The findings need to be addressed, but relying on audit results as the guide to improving the organization's security posture is short-sighted.
• Audits are, by their nature, reviews of what has been done against policies and procedures that have already been established.
• A security strategy based only on what the auditors find will be in a
constant state of catch-up. Improvement priorities will be audit-based,
which is limited to the threats to our organization that we already know
about and have written policies and procedures to address.
Technology as a Driver for Security Initiatives
• Another approach to developing a security strategy that is often
arrived at by default is a technology-based security strategy.
• Technologists and vendors have been able to supply the industry with
a steady stream of improvements and new security products.
• In many cases, these products are just what an organization needs to
enact protection measures for their assets.
• However, a security strategy that relies too heavily on technology to
dictate the security solutions will find the administrative and physical
areas of their protection measures lacking.
Compliance as a Driver for Security Initiatives
• Information security regulations and industry requirements seem a natural
place to start when creating a security strategy for an organization.
• An organization needs to address customer and business mission requirements
as well.
• Organizations that take a compliance-driven strategy to security may find
themselves battling the silo approach (e.g., HIPAA security effort, PCI DSS
effort, Privacy effort, etc.).
• Reliance on compliance regulations leads to the inevitable discovery that
regulations do not provide adequate guidance for implementation.
• Furthermore, it is difficult to plan for the next iteration of changes to
regulations.
Risk as a Driver for Security Initiatives
• A more complete security strategy can be created based on an analysis of
security risk. It is risk to the organization’s assets that needs to be addressed.
• The best way to address it is to first measure it.
Q1: Given your limited resources, are you confident that your initiatives are
addressing the largest security risks to your organization’s assets?
Q2: How do you demonstrate that your initiatives are addressing the largest
security risks to your organization’s assets to management?
• It is hard to demonstrate that limited resources are being used to address security risk efficiently if security risk is not measured, or not measured adequately.
Security Risk Assessment
• Utilizing the value of information assets, risk assessment measures the
strength of the overall security program.
• Provides the information necessary to make planned improvements
based on information security risks.
• A tool for senior management that gives them an effectiveness measurement of their security controls and an indication of how well their assets are protected.
Security Risk Management
Four stages of the security risk management process:
• Security risk assessment: reviews the organization's threat environment, asset values, system criticality, the vulnerabilities of the security controls, and the expected loss impact, and provides recommendations for additional controls to reduce security risk to an acceptable level. Helps determine whether additional security controls are required.
• Test and review: examines the security controls against the security requirements. Testing can be applied to any number or subset of security controls, such as physical controls testing (e.g., doors, access control), vulnerability scanning (e.g., external interfaces), or social engineering (e.g., user behavior). Typically performed more frequently than security risk assessments.
Security Risk Management (cont..)
Four stages of the security risk management process:
• Security risk mitigation: either the reported security risks are accepted, or they are reduced through the implementation of new security controls or the improvement of existing ones. Security test and review efforts provide information on how to keep existing controls up to date.
• Operational security: daily and weekly activities such as applying patches, performing account maintenance, and providing security awareness training are essential for maintaining an adequate security posture.
Security Risk Assessment Definition
• NIST “Risk Management Guide for Information Technology Systems” (SP 800-30, 2002): “the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.”
• NIST “Guide for the Security Certification and Accreditation of Federal Information Systems” (SP 800-37): The periodic assessment of risk … is an important activity required by [the Federal Information Security Management Act of 2002 (FISMA)] … The risk assessment includes: (i) the identification of threats to and vulnerabilities in the information system; (ii) the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on agency operations (including mission, functions, or reputation) or agency assets should there be a threat exploitation of identified vulnerabilities; and (iii) the identification and analysis of security controls for the information system.
Security Risk Assessment Definition (cont..)
• ISO 27001/2: “systematic consideration of the business harm likely to result from a security failure… and the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented” (ISO, 2000; the wording is from ISO/IEC 17799:2000, the predecessor of ISO/IEC 27002).
• According to our textbook: a probability determination of asset losses based on asset valuation, threat analysis, and an objective review of the effectiveness of current security controls.
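The textbook definition above (asset valuation, threat analysis, control effectiveness, probability of loss) and the two questions under "Risk as a Driver" (are we addressing the largest risks, and how do we show that to management?) can be made concrete with a small quantitative risk register. The following is an added example, not code or data from Landoll's book or from the course; it uses the common annualised-loss-expectancy model (single loss expectancy = asset value × exposure factor; ALE = SLE × annual rate of occurrence), treats control effectiveness as the fraction of incidents the current controls stop, and adds an assumed greedy "loss avoided per unit cost" heuristic for choosing initiatives under a fixed budget. The register entries, initiatives, costs and probabilities are constructed for illustration.

```python
"""Illustrative quantitative risk register and initiative prioritisation.

Added example; the model (SLE * ARO) is a standard one, the greedy budget
heuristic is an assumption, and all figures are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    """One row of a risk register: an asset paired with a threat to it."""
    asset: str
    threat: str
    asset_value: float            # impact value of the asset, currency units
    exposure_factor: float        # fraction of asset_value lost per incident, 0..1
    annual_rate: float            # expected incidents per year with no controls
    control_effectiveness: float  # fraction of incidents current controls stop, 0..1

    @property
    def key(self) -> str:
        return f"{self.asset}:{self.threat}"


def residual_ale(item: RiskItem) -> float:
    """Annualised loss expectancy after the current controls are applied."""
    for name in ("exposure_factor", "control_effectiveness"):
        value = getattr(item, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be within [0, 1], got {value}")
    if item.asset_value < 0 or item.annual_rate < 0:
        raise ValueError("asset_value and annual_rate must be non-negative")
    sle = item.asset_value * item.exposure_factor                      # loss per incident
    residual_rate = item.annual_rate * (1.0 - item.control_effectiveness)  # incidents/year that get through
    return sle * residual_rate


def rank_register(register):
    """Largest residual risk first: the evidence behind Q1 and Q2."""
    scored = [(item.key, residual_ale(item)) for item in register]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


@dataclass(frozen=True)
class Initiative:
    name: str
    cost: float
    target: str               # key of the RiskItem this initiative improves
    new_effectiveness: float  # control effectiveness once it is implemented


def risk_reduction(init: Initiative, register) -> float:
    """Annual loss avoided if the initiative is implemented."""
    matches = [item for item in register if item.key == init.target]
    if not matches:
        raise KeyError(f"initiative {init.name!r} targets unknown risk {init.target!r}")
    current = matches[0]
    improved = replace(current, control_effectiveness=init.new_effectiveness)
    return residual_ale(current) - residual_ale(improved)


def select_initiatives(initiatives, register, budget: float):
    """Assumed heuristic: fund initiatives in order of loss avoided per unit cost
    until the budget is exhausted; returns the chosen initiative names in order."""
    ordered = sorted(initiatives,
                     key=lambda i: risk_reduction(i, register) / i.cost,
                     reverse=True)
    chosen, remaining = [], budget
    for init in ordered:
        if init.cost <= remaining:
            chosen.append(init.name)
            remaining -= init.cost
    return chosen


# Constructed sample register (not real data).
REGISTER = [
    RiskItem("customer_db", "data breach", 2_000_000, 0.5, 0.2, 0.6),
    RiskItem("payment_gateway", "fraud", 500_000, 0.4, 1.0, 0.9),
    RiskItem("server_room", "physical intrusion", 300_000, 1.0, 0.1, 0.5),
    RiskItem("web_app", "defacement", 100_000, 0.2, 2.0, 0.7),
]

# Constructed candidate initiatives with assumed costs and resulting effectiveness.
INITIATIVES = [
    Initiative("Encrypt customer DB and add DLP", 50_000, "customer_db:data breach", 0.85),
    Initiative("Badge readers and CCTV", 20_000, "server_room:physical intrusion", 0.9),
    Initiative("Deploy WAF", 15_000, "web_app:defacement", 0.95),
    Initiative("Fraud analytics upgrade", 40_000, "payment_gateway:fraud", 0.95),
]

if __name__ == "__main__":
    for key, ale in rank_register(REGISTER):
        print(f"{key:<35} residual ALE = {ale:>10,.0f}")
    for init in INITIATIVES:
        print(f"{init.name:<35} avoids {risk_reduction(init, REGISTER):>8,.0f}/yr for {init.cost:,.0f}")
    print("Funded within 80,000:", select_initiatives(INITIATIVES, REGISTER, 80_000))
```

With these figures the customer database dominates the register (residual ALE 80,000 per year versus 20,000, 15,000 and 12,000 for the others), and an 80,000 budget funds the database encryption project and the WAF; the physical-security initiative has a better reduction than the WAF in absolute terms but no longer fits once the first two are chosen. The ranking table is the artefact to show management: it ties each funded initiative to a measured reduction in expected loss rather than to an audit finding, a vendor pitch or a regulation.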
