Risk Frameworks – ISO27005, 31000, NIST, HTRA
- Risk assessments are used to justify security policies and processes we put in place
- Risk Management provides a foundation for the Security Program and efforts of the Security Manager
Examples of Risk Standards
- ISO/IEC 31000 – Risk Management Principles and Guidelines – Note this one is ENTERPRISE risk and not specific to IT risks
- ISO/IEC 27005 – Information Technology – Security Techniques – Information Security Risk Management – This is designed to work with the ISO27000 series of standards and is specific to IT Risks.
- NIST SP800-39 – Managing Information Security Risk
- COBIT 5 for Risk
- NIST SP800-30 rev 1 – Guide for Conducting Risk Assessment – talks about how to go about conducting the risk assessment process.
- HTRA – Harmonised Threat and Risk Assessment
There are many more, but the above list is the set of risk standards which are authoritative and complete and which have stood the test of time so far.
From a governance perspective the selection of a standard framework should create a controls environment that is as follows:
What is Risk?
It is the effect of uncertainty on an objective
- An effect is a deviation from the expected outcome – either positive or negative.
The CISSP CBK defines Risk as “The possibility of damage or harm and the likelihood that damage or harm will be realised”
Risk Management is all about:
- Avoiding loss
- In IT, risk is often / mostly seen as an adverse event
- We need to understand how the risk might IMPACT on our assets
- We also need to understand the LIKELIHOOD of an exploit.
Risk Management begins with knowing what has to be protected:
- What are the assets to be protected?
- What is the value of the assets? (So we don’t spend more protecting them than it would cost to simply replace them)
Also understanding the organisation’s risk culture:
- How prepared are they for Risk acceptance?
- How prepared are they for Risk tolerance?
IT Risk Management includes managing the risk to Information and Information Systems
System risk is influenced by information risk
Understanding business dependencies – IT Risk is a subset of business risk, as so much of modern business depends on IT Systems being Available
ISO/IEC 27005 – Information Technology – Security Techniques – Information Security Risk Management says “Information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.”
Risk has to be managed at different levels in the organisation:
- Business (Unit / Product / Service)
- Information Systems (several supporting each business unit / product / service)
We need to Balance Risk
We need to make sure that we understand the value of the asset so we don’t spend more than it’s worth to protect it. In other words we need to find a balance and put ADEQUATE controls in place.
Implementation of Risk Management
- Obtain a mandate and commitment from management
- Design a risk management framework which can be used consistently across the organisation so that the results can be compared across the organisation.
- We need to understand the business – org chart, structure, unique requirements
- Implement risk management process
- Monitor, review the risk framework in a process of continual improvement.
Elements of Risk Management
2. Resources – people, budget, software, time, access
3. Accountability – who is responsible for fixing a risk, what are the laws
4. Integrate into business processes – so changes and new developments are reviewed at a strategic, tactical and operational level.
5. A clear reporting structure, for example Risk Register, Audit Reports etc and who these go to.
Risk Management works effectively when it is implemented based on a standard framework which has been adapted to the needs of the organisation and consistently applied.
Risk Management Terminology
Being familiar with and using the risk management terminology in a consistent manner is important to establishing an enterprise wide risk management framework.
Risk Management: is all about protecting assets, with the general principle being:
- Provide an appropriate level of protection for an asset
- Don’t spend more to protect it than it is worth
Asset: An item of property of value to its owner, tangible or intangible
Asset Value: the value of an asset is often affected by both internal and external factors. What is its value to business operations? What is the liability if there were a breach or failure? What is its value to an adversary? What Intellectual Property (IP) does it contain?
IT Assets: A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
Threat: Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image or reputation), organisational assets, individuals, other organisations, or the Nation, through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service.
Threat Source: The element which alone or in combination has the potential to give rise to risk.
Vulnerability: weakness in an information system, system security procedures, internal controls or their implementation… that could be exploited by a threat source.
Impact: Outcome of an event
Likelihood: Chance of something happening.
Residual Risk: Risk that remains after treatment (risk mitigation controls) – not the same as acceptable risk. Residual risk is what we actually have, whereas acceptable risk is what we want.
Governance is Accountability
Risk Governance Objectives
- To establish and maintain a COMMON VIEW OF RISK across the organisation
- To INTEGRATE risk management into all the enterprise processes
- To make RISK-AWARE / INFORMED business DECISIONS
- To MONITOR that RISK management CONTROLS are implemented and OPERATING CORRECTLY.
- Accountability for the protection of the company’s assets
- Accountability for the effective use of the resources of the organisation
Governance is primarily the responsibility of the risk owners and they are usually:
- The Board of Directors
- The Senior Management Team
Governance is also then cascaded down to individual specialist departments:
- The CFO (Chief Financial Officer) or FD (Finance Director) running the Accounting department will be responsible for Financial Accountability
- The COO (Chief Operations Officer) or maybe the MD (Managing Director) in a smaller business will be accountable for Operational effectiveness
- The HR (Human Resources / Personnel) Director will be responsible for Legal and human resources compliance.
- Social responsibility to the communities in which we operate – probably sits with HR
- Governance of IT investment, operations and control.
Risk and Governance
- Risk management supports governance
- Risk management identifies risk to assets of the organisation
- Management requires accurate information to:
- Understand each risk
- Consider what risk mitigations can be put in place to reduce or eliminate the risk
- Monitor risk
Governance of IT directs the current and future use of IT
- Evaluation of IT
- Direction of IT aligned with the business
- Control and audit of IT
- Value creation
- Ensure that IT creates value
- Are resources being used well – are we spending too much or too little
- Are benefits of investments being realized?
- Are risks being optimised?
The 4 fundamental Governance questions you should always ask:
- Are we doing the right things? (Making the right product / service / right project etc)
- Are we doing these things in the right way?
- Are we doing these things well / efficiently / competitively?
- Are we getting the promised benefits / profits?
Enterprise Risk Management
- Risk must be managed in a consistent manner across the enterprise
- As everything is so interconnected a risk in one area is a threat to all other areas of the enterprise.
Risk Management Process
FRAME = Context in which the risk management is being carried out. The external and internal parameters to be taken into account when managing and agreeing risk criteria. For example:
- Laws of the countries in which we operate
- Culture of the company – do they like risk and see it as opportunity or do they want to avoid risks?
- Competition – what are our competitors doing in the market place
- Customer expectations – do they expect a certain level of service, availability, price etc
- Financial strength – do we have the budget to respond to risks the way we might like to?
ASSESS = This is the process of:
- Identifying risk
- Prioritizing risks to be addressed
- Estimating risks
This includes determining the extent to which adverse circumstances or events could impact an enterprise.
Uses the results of threat and vulnerability assessments to identify risk to organisational operations and evaluates those risks in terms of:
- How likely is the risk to happen
- What is the impact if it happens
The output from a risk assessment is a list (Risk Register) of estimated, potential impacts and unmitigated vulnerabilities.
RESPOND = Having completed the Risk Assessment we then have to consider how we are going to treat each risk. The options are:
- Accept the risk: If the worst happens then we’ll just pay to put it right.
- Reduce/mitigate: for example we’ll install a sprinkler system to address the risk of fire
- Avoid: We may think it’s too dangerous for staff to operate in some countries and decide to close an office.
- Transfer / Share: For example we think it’s too risky to paint the tower ourselves, so we outsource the job to a specialist. Or we think a new product is a good opportunity but risky, so we form a joint venture with one or more partners.
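A worked example of the assess and respond steps above, added here as an illustration (it is not code from the original notes or from any of the standards they cite). It scores each risk-register entry as likelihood × impact on a 1–5 scale, ranks the register, applies proposed controls to get the residual score, and then picks a treatment using the two principles the notes state: accept what is already within appetite, and never spend more on controls than the asset is worth. The register entries, the scales and the `ACCEPTABLE_SCORE` threshold are constructed sample values.

```python
"""Added example: qualitative risk register with treatment decisions.

Not code from the notes or from ISO 27005 / NIST SP800-39; the scales,
threshold and register entries below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    cost: float                 # one-off cost of putting the control in place
    likelihood_reduction: int   # points removed from the 1-5 likelihood scale
    impact_reduction: int       # points removed from the 1-5 impact scale


@dataclass
class Risk:
    asset: str
    asset_value: float          # what it would cost to replace / lose the asset
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)  # proposed mitigations

    def inherent_score(self) -> int:
        """Unmitigated risk: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk left after the proposed controls; never below 1 on either scale."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp

    def control_cost(self) -> float:
        return sum(c.cost for c in self.controls)


# Constructed risk appetite: a score of 6 or less is acceptable to management.
ACCEPTABLE_SCORE = 6


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank by inherent score, highest first (the 'prioritising risks' step)."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def treatment_decision(risk: Risk) -> str:
    """Choose accept / reduce / avoid-or-transfer for one register entry."""
    if risk.inherent_score() <= ACCEPTABLE_SCORE:
        return "accept"                       # already within appetite, no spend needed
    if risk.control_cost() > risk.asset_value:
        return "avoid or transfer"            # controls cost more than the asset is worth
    if risk.residual_score() <= ACCEPTABLE_SCORE:
        return "reduce"                       # controls bring residual within appetite
    return "reduce, residual still above appetite"  # mitigate, but more treatment needed


def build_report(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """(asset, inherent, residual, decision) per risk, in priority order."""
    return [(r.asset, r.inherent_score(), r.residual_score(), treatment_decision(r))
            for r in prioritise(register)]


# Constructed sample register (values are illustrative only).
SAMPLE_REGISTER = [
    Risk("server room", 250_000, "fire", "no fire suppression", 2, 5,
         controls=[Control("sprinkler system", 20_000, 0, 3)]),
    Risk("office in high-risk region", 80_000, "civil unrest", "staff on site", 4, 5,
         controls=[Control("on-site security", 120_000, 1, 1)]),
    Risk("public marketing site", 5_000, "defacement", "no patching schedule", 3, 1),
    Risk("customer database", 1_000_000, "data theft", "weak access control", 4, 5,
         controls=[Control("MFA and access review", 50_000, 2, 0)]),
]

if __name__ == "__main__":
    for asset, inherent, residual, decision in build_report(SAMPLE_REGISTER):
        print(f"{asset:30} inherent={inherent:2} residual={residual:2}  -> {decision}")
```

The report lists the two score-20 risks first; the regional office is flagged "avoid or transfer" because the proposed control costs more than the office is worth, and the customer database is still above appetite after MFA, which is exactly the residual-versus-acceptable gap the terminology section warns about.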
MONITOR = ongoing review that the risks and the controls are still as assessed:
- Monitoring needs to be continual, e.g. daily checks
- Critically observing
- Determine the status
- Everyone needs to speak the same language – common terminology
- Methods of assessment