Risk Assessment and Management

Many of us who work in Information Security see risk as a negative thing. But risk is an essential part of a business. ISO/IEC 31000 defines risk as the effect of uncertainty on an objective, where an effect is a deviation from the expected, positive and/or negative.

Risk Standards

  • ISO/IEC 31000 - Risk Management Principles and Guidelines
  • ISO/IEC 27005 - Information Technology - Security Techniques - Information Security Risk Management
  • NIST SP800-39 - Managing Information Security Risk
  • COBIT 5 for Risk
  • NIST SP800-30 Rev 1 - Guide for Conducting Risk Assessment
  • HTRA - Harmonized Threat and Risk Assessment

Risk Management begins with:

  • Knowing what has to be protected
    • Identification of assets
    • Determining asset value
  • Understanding risk culture of the organization
    • Risk acceptance
    • Risk tolerance

Risk Relative to Information Security Management

Information Security Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

Strategic risk <-> Business risk <-> Information system (3)

Implementation of Risk Management

  • Obtain mandate and commitment from management
  • Design a risk management framework
    • Understand the organization
      • Unique requirements
  • Implement risk management
  • Monitor and review the risk framework
  • Continuously improve the risk framework

Elements of Risk Management

  • Policy - what matters most to the organization
  • Resources - people, budget
  • Accountability - who is the owner of the risk
  • Integration into business processes - integrating a risk culture to the business process
  • Reporting structure - risk register, risk assessment report, audit report

Risk management works effectively when it is implemented based on a framework adapted to the needs of the organization and consistently applied.

Risk Management Terminologies

  • Assets - an item or property of value to its owner
    • Tangible - cash, for example
    • Intangible - reputation, name, morale

  • Asset Value - the value of an asset is often affected by both internal and external factors
    • Value to business operations - example: the effect of a hard drive failure on the business
    • Liability - exposure from a breach or loss of data
    • Value to an adversary - company information could be valuable to competitors
    • Intellectual Property (IP) - patents, trademarks, copyrights, trade secrets

  • IT Assets - a major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems

  • Threats - any circumstance or event with the potential to adversely impact:

    • organizational operations,
    • organizational assets,
    • individuals,
    • other organizations, or
    • the Nation

    through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service

  • Threat Source - element which alone, or in combination, has the potential to give rise to risk

  • Vulnerability - weakness in:

    • an information system
    • system security procedures
    • internal controls
    • implementation

    that could be exploited by a threat source

  • Impact - outcome of an event

  • Likelihood - chance of something happening

  • Residual Risk - risk that remains after risk treatment (after mitigating the risk down to an acceptable level)

  • Risk Acceptance - the level of risk that management is willing to tolerate
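The terms above come together in a risk register. The following is an added example, not part of these notes or of any of the standards listed: it scores each register entry and decides whether it sits within management's acceptance level. The 1-5 qualitative scale, the inherent risk = likelihood x impact scoring, the acceptance threshold of 8 and the way treatment is modelled as a fractional reduction of inherent risk are all assumptions chosen for illustration; the register entries are constructed sample data.

```python
"""Risk register walkthrough: inherent risk, residual risk and risk acceptance.

Added example; the scoring scheme is an assumption, not something the notes
or the listed standards prescribe.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed: management accepts residual risk scores up to this value.
RISK_ACCEPTANCE = 8


@dataclass
class RiskEntry:
    """One row of a risk register: asset, threat, vulnerability and scores."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                     # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                         # assumed scale: 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0  # 0.0 = untreated, 1.0 = fully mitigated

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    def inherent_risk(self) -> int:
        # Risk before any treatment: likelihood x impact (assumed scoring).
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Risk that remains after treatment; modelled as the fraction of
        # inherent risk the controls do not remove (assumed model).
        return self.inherent_risk() * (1.0 - self.control_effectiveness)

    def needs_treatment(self, acceptance: int = RISK_ACCEPTANCE) -> bool:
        # Anything above the acceptance level must be treated further.
        return self.residual_risk() > acceptance


def build_register() -> List[RiskEntry]:
    """Constructed sample register entries (not real findings)."""
    return [
        RiskEntry("Customer database", "external attacker",
                  "unpatched web application", likelihood=4, impact=5,
                  control_effectiveness=0.5),
        RiskEntry("Office printer", "opportunistic insider",
                  "default admin password", likelihood=2, impact=1),
        RiskEntry("Payroll file share", "ransomware",
                  "over-broad share permissions", likelihood=3, impact=4,
                  control_effectiveness=0.75),
    ]


def treatment_report(register: List[RiskEntry],
                     acceptance: int = RISK_ACCEPTANCE) -> Dict[str, List[str]]:
    """Split the register into entries needing treatment and accepted ones.

    Both lists are ordered by residual risk, highest first, so the report
    reads as a prioritised worklist.
    """
    ordered = sorted(register, key=lambda e: e.residual_risk(), reverse=True)
    return {
        "treat": [e.asset for e in ordered if e.needs_treatment(acceptance)],
        "accept": [e.asset for e in ordered if not e.needs_treatment(acceptance)],
    }


if __name__ == "__main__":
    for entry in build_register():
        print(f"{entry.asset:20} inherent={entry.inherent_risk():>3} "
              f"residual={entry.residual_risk():>5.1f} "
              f"{'TREAT' if entry.needs_treatment() else 'accept'}")
    print(treatment_report(build_register()))
```

Running the module prints one line per entry and the split report; in this constructed data only the customer database (residual 10.0 against an acceptance level of 8) still needs treatment, while the other two fall within what management tolerates.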