risk management

Information Security Risk Assessments

January 19, 2012 by binoy Leave a Comment

Information security risk assessment is an integral process in developing an effective information security management system. Unless the organization understand and document the information security status or the information security risk posture, they would not be able to perform risk mitigations.

IT Risk Assessment frameworks helps organizations to fast track the process of information security risk assessments. In this post, I am trying to list a number of information security risk assessment frameworks for easy reference.

List of Information Security Risk Assessment standards

the below list of information security risk assessment standards are not exclusive. These are standards I have some experience with and additions can be expected as and when I get a chance to explore other standards

NIST Risk Management Framework

NIST RMF is a framework where the information risk assessment in defined in a 6 step process. These steps are Categorize, Select, Implement, Assess, Authorise & Monitor. The approach is slightly different from other approaches. It is primarily developed for US government agencies, however it can be adapted to any organization

OCTAVE Risk Assessment framework

Operationally Critical threat, Asset and Vulnerability evaluation (OCTAVE) is a set of tools, techniques and methods for performing information security risk assessments. These tools is developed by CERT and Carnegie Mellon University in efforts towards information security development.

Under the OCTAVE risk assessment methodology information assets such as people, hardware, software and systems are considered for risk assessment. OCTAVE has different versions suitable for different size and type of the organizations. OCTAVE model is for large organizations while OCTAVE-S is for smaller organizations. OCTAVE . Allegro is a streamlined process focused towards information security risk assessments and assurance.

checkout the OCTAVE site for more information

FACTOR ANALYSIS OF INFORMATION RISK

FAIR Risk Assessment framework provides an avenue for understanding, analysing and measuring information risks. FAIR risk assessment method helps organizations in performing sophisticated what-if analysis, which is not very common in other models. This information security risk assessment standard helps you speaking in the management terms than the technical risk terms.

It should be noted that the full methodology is not publically available and not enough guides are available on educating the users about how to use the fair methodology for risk assessment. This leads to less adaption of this method within the information security community.

More details about the FAIR methodology is available here

TARA, Threat Agent Risk Assessment

TARA is developed by Intel who is making large investments in the IT Security product space. The TARA approach towards information security risks. The TARA methodology relies on three main
references to reach its predictive conclusions:

Threat agent library (TAL)
Common exposure library (CEL)
Methods and objectives library (MOL)

TARA Methodology is developed by Intel for performing their internal information security risk assessments and later it has been published to become public. TARA is focused on monitoring and assessing selected security controls in information systems on a continuous basis, including documenting changes to the systems, conducting security-impact analyses of the associated changes, and reporting the security status of the systems to appropriate organizational officials on a regular basis

Homeland Security has adapted TARA methodology in defining the Information Technology Sector Baseline Risk Assessment (ITSRA).

EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)

EBIOS is a comprehensive set of guides (plus a free open source software tool) dedicated to Information System risk managers. Originally developed by the French government, it is now supported by a club of experts of diverse origin. This club is a forum on Risk Management, active in maintaining EBIOS guides. It produces best practices as well as application documents targeted to end-users in various contexts. EBIOS is widely used in the public as well as in the private sector, both in France and abroad. It is compliant with major IT security standards.

EBIOS gives risk managers a consistent and high-level approach to risks. It helps them acquire a global and coherent vision, useful for support decision-making by top managers on global projects (business continuity plan, security master plan, security policy), as well as on more specific systems (electronic messaging, nomadic networks or web sites for instance). EBIOS clarifies the dialogue between the project owner and project manager on security issues. In this way, it contributes to relevant communication with security stakeholders and spreads security awareness.

ISO/IEC 13335-2 (ISO/IEC 27005)

ISO/IEC 13335-2: Management of information and communications technology security – Part2: Information security risk management. Remark: This standard is currently under development; completion is expected for 2006. Subject to endorsement of ISO JTC1 the title will change to ISO/IEC 27005 “Information security risk management”

ISO/IEC IS 13335-2 is an ISO standard describing the complete process of information security Risk Management in a generic manner. The annexes contain examples of information security Risk Assessment approaches as well as lists of possible threats, vulnerabilities and security controls. ISO/IEC IS 13335-2 can be viewed at as the basic information Risk Management standard at international level, setting a framework for the definition of the Risk Management process.

SP800-30 (NIST)

This product is one of the Special Publication 800-series reports (NIST SP800-30). It gives very detailed guidance and identification of what should be considered within a Risk Management and Risk Assessment in computer security. There are some detailed checklists, graphics (including flowchart) and mathematical formulas, as well as references that are mainly based on US regulatory issues

There are many more risk assessment frameworks available. Most of the above risk assessment frameworks are free for download and use. When you decide on the risk assessment framework for your information security requirements, the above listed risk assessment frameworks may come handy. If you find anymore free and useful risk assessment framework, share it in the comments

IT Risk Management

December 31, 2011 by binoy Leave a Comment

Risk Management is a key term we keep discussing every now and then when we talk about information security. It often is the closing aspect of the identified risks.

Risk is the probability of a vulnerability being exploited by a threat and the resulting business impact

Common elements of a Risk Management framework include:

Identification of assets (Information assets and other related assets) : During this process all the assets should be identified. It should be ensured that no critical assets are left out from this process.
Valuation of assets: Valuing the assets based on its importance towards business need to be performed as the next step. This provides insights about how much impact these assets can have on the business and plays a key part in deriving the risk status
Threat & Vulnerability identification: Potential vulnerabilities and threats related to the assets need to be identified as part of the risk assessment. Some schools of thought claims that the threat need to be assessed before the vulnerability assessment and some others claim it the other way. You may choose to have them in the order you are comfortable.

Vulnerability . Weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset. It is also considered as lack of countermeasure

Threats . Someone or something uncovering a vulnerability and exploiting it

Once you have the above information, then the process of Risk Assessment requires information on the probability of the threat exploiting the vulnerability.
The impact to the business from the risk also should be considered before arriving at a conclusion.
Risk value: Based on the above information the IT Risks shall be assessed in the context of business and assign a value to it. In a qualitative risk assessment, the values can be High, Medium , Low or something similar.

To have an effective risk management program, the identified risks need to be prioritized based on the risk values. It is important to understand that all risks cannot be eliminated or mitigated within a small timeframe. Widely accepted Risk Management processes are:

Risk Mitigation or Risk reduction: Implement controls and reduce the risk by reducing the impact and/or probability eventually reducing the total risk value.
Risk Transfer: Transfer the risk to a third party; a typical approach is to purchase insurance
Risk Avoidance: Avoid the activity or asset which brings in the risk.
Risk Acceptance: Do nothing and accept the risk. two reasons typically heard of risk acceptance are (1) Business can absorb the impact in case of the said risk materialize (2) The cost of risk reduction is higher than the cost of asset

The above diagram represents the Risk Management process in detail. Leave your questions in the comments section

New guidance on risk appetite

September 27, 2011 by binoy Leave a Comment

Risk appetite today is a core consideration in any enterprise risk management approach. As well as meeting the requirements imposed by corporate governance standards, organisations in all sectors are increasingly being asked by key stakeholders, including investors, analysts and the public, to express clearly the extent of their willingness to take risk in order to meet their strategic objectives.

The Institute of Risk Management (IRM) has published new guidance on the subject of risk appetite and tolerance aimed at helping organizations better understand the risks they take when pursuing their strategic objectives. IRM’s guidance document has been endorsed by the Chartered Institute of Internal Auditors, the Chartered Institute of Management Accountants, the Institute of Chartered Secretaries and Administrators, The Chartered Institute of Public Finance and Accountancy and Alarm, the public risk management association.

The guidance is endorsed / supported by organizations such as

alarm . The Public Risk Management Association
Chartered Institute of Internal Auditors
Chartered Institute of Public Finance and Accountancy
Chartered Institute of Management Accountants (CIMA)
Institute of Chartered Secretaries and Administrators (ICSA)
Charterhouse Risk Management

Risk Appetite is always a debated topic and many of the entities would have defined it very vaguely. This guidance on the risk appetite would be a good start if you have not already started the work on this or looking forward for improvements.

The IRM paper Risk Appetite and Tolerance is available for free download at http://www.theirm.org/publications/risk_appetite.html

Building an Information Security Plan

January 11, 2011 by binoy Leave a Comment

Building a comprehensive Information Security plan requires a detailed understanding of the business and the related requirements. An Information Security plan should ensure that the business requirements are captured and the related risks and controls are addressed in the plan.The plan shall provide “Defense in Depth” for the information

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

March 9, 2010 by binoy Leave a Comment

NIST has recently released the final publication of the “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”.

This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from csrc.nist.gov website.

As per this guide, the Certification and Accreditation process of the federal government information systems transformed into a Risk Management Framework that stresses security from an information system.s initial design phase through implementation and daily operations

It places equal emphasis both on defining the correct set of security controls and on implementing them in a robust continuous monitoring process.

This is similar to the various Secure Software Development processes such as MS SDL and OWASP CLASP.

The guide can be downloaded from here