Using business impact analysis to address network security risks
- Published: Wednesday, 01 November 2017 13:02
Asher Benbenisty looks at how organizations can apply the business impact analysis methodology to remediate risk within the network security infrastructure - and ensure security is business driven.
Risk lurks in all corners of any business: from operational, financial and strategic risk, to IT and security risk. The potential consequences of those risks include loss of revenue and possible legal action, to application outages and inability to deliver key customer services. To address these issues, enterprises typically use a range of approaches - from the non-technical (such as business risk assessments) to the highly specialized, such as deploying vulnerability scanners and code inspectors.
However, these solutions typically produce such overwhelming volumes of risk-related data that it simply isn’t possible for the business to properly review, assess and prioritize it. So, to counter this, many organizations have adopted a business impact analysis (BIA) approach to risk, aiming to identify and evaluate the potential effect of risks on critical business operations, and thereby enable organizations to prioritize and address them according to the likely impact on the business.
One of the most critical risks organizations face is disruption to their key business applications, such as e-commerce, email, purchasing, etc, leading to loss of revenue or productivity. As such, it’s important that the network and security operations teams focus their risk mitigation efforts on ensuring that the applications, servers and network infrastructure that support and drive key revenue-generating business processes are hardened against potential disruption or compromise. So how can IT teams approach this?
Identifying network security risk
First and foremost, organizations must identify the potential risks points within their enterprise networks. Key to this is identifying all firewalls and routers in the network, and then conducting an in-depth examination of each device including all the policies and rules that each device supports. When done manually, this is an extremely time-consuming process of mapping and documenting flows; it can be accelerated dramatically with an automated security management solution.
Once every device’s policies and rules are fully documented and traffic flows mapped, it is then possible to identify the risks that exist within the network and security infrastructure – which will generally speaking fall into one of three categories.
The first of these is incorrect device configuration, which occurs when IT teams fail to ensure that each network security device is configured in accordance with vendor guidelines.
Risk is also introduced into the security fabric in instances where it fails to support the compliance and regulatory requirements of the organization, either in terms of the capabilities of the solutions deployed, or the rule sets that must be implemented.
The final risk category is where security is not configured in accordance with industry best practices, such as utilizing good network segmentation.
Utilizing BIA principles
With the risks in the network infrastructure identified it is now possible to start remediating them using BIA methodology principles.
At the heart of this is establishing which of the processes affected by these risks are critical to business operations. By taking the inventory of firewall devices, policies and rules and overlaying it with map of all of the applications in the network and their connectivity flows, organizations can then identify how these flows support business processes and, more importantly, which of those processes are critical to core business functions.
As part of this, the IT team will need to interview all business units to establish what processes and applications they use and which are critical to carrying out business activities. The IT team will then be able to classify each one of them according to the different BIA criticality parameters, such as loss of revenue or customer service impact. In the event that the BIA approach is already employed by another department the business processes will already be mapped to their respective applications saving time and money, which will ease the business process mapping efforts at this stage.
Finally, the IT team can then prioritize the network security risks based on their impact on business-critical applications, and remediate them accordingly.
Less risk, enhanced business-driven security
Identifying network security risks is critical to any business. However, it is likely that there will be too many risks to address all at once. By aligning with the BIA methodology, the IT team will not only have greater visibility of the risks that exist, but also how those risks will impact the organization if they are not remediated. And ultimately, this enables the IT team to ensure that the organizations security infrastructure is strategically supporting, and driving, the needs of the business.