
by r r, 3 years ago


Certified Risk Manager


Controls

Administrative

Legal

Managerial

Standards & Methodology

Certified Risk Manager

Domain 3: Information security risk management framework and process based on ISO/IEC 27005

Risk Acceptance
7.1 Accept the Risk Treatment Plan

Presenting to mgmt

Risk Owners to accept

Residual Risk

Risk Treatment

Avoid

Don't Implement Tech

Transfer

Contracts

SLAs

Accept

Regular Reviews Needed

Cost/Benefit Analysis output

Reduce

Implement Controls

Residual risk = Inherent risk – Treated risk

— the rationale for selection of the treatment options, including the expected benefits to be gained;
— those who are accountable and responsible for approving and implementing the plan;
— the proposed actions;
— the resources required, including contingencies;
— the performance measures;
— the constraints;
— the required reporting and monitoring;
— when actions are expected to be undertaken and completed.

Risk Assessment Using a Quantitative Method

Exposure factor (EF): this factor, expressed as a percentage, measures the extent of loss or impact on the value of the asset. For example, if a computer attack is estimated to affect on average three quarters of a network, the exposure factor of this threat would be 75%.

Single Loss Expectancy (SLE): this value is the monetary loss from a single occurrence of the risk. It is calculated as asset value x exposure factor (SLE = AV x EF). For example, if the value of the computer equipment is $100,000 and the exposure factor is 75%, the single loss expectancy (SLE) is $75,000.

Annual rate of occurrence (ARO): this term characterises, on an annual basis, the frequency with which a risk occurs. This annual rate of occurrence lies between 0 (never) and 1 (always). For example, if a cyber attack on a specific piece of computer equipment is expected once in a thousand years, the annual rate of occurrence (ARO) is 0.001. If it were expected once every 5 years, the annual rate of occurrence would be 0.2.

Annual Loss Expectancy (ALE): the expected annual loss combines the anticipated loss from a single occurrence with the anticipated annual rate of occurrence. It determines the maximum amount to spend to protect an asset against a particular threat. The calculation is ALE = SLE x ARO. For example, if the single loss expectancy (SLE) is $75,000 and the annual rate of occurrence is 0.2, the annual loss expectancy (ALE) is $15,000.
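The EF/SLE/ARO/ALE chain above, carried through in code and extended with the cost/benefit test that the "Reduce" treatment option and the cost/benefit analysis rely on. This is an added example, not material from the course or from ISO/IEC 27005; the $100,000 / 75% / once-every-5-years figures are the page's own, while the control that lowers the exposure factor and its $8,000 yearly cost are constructed assumptions.

```python
"""Quantitative risk figures as defined above: EF, SLE, ARO and ALE.

Added worked example, not part of the original page. The $100,000 / 75% / 0.2
figures are the page's own; the control and its cost are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF as a fraction: 75% -> 0.75
    aro: float              # annual rate of occurrence

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must lie between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO from 'once every N years': once in 1000 years -> 0.001, once in 5 -> 0.2."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annual_benefit(before: Scenario, after: Scenario) -> float:
    """Reduction in ALE that a control delivers (the 'Reduce' treatment option)."""
    return before.ale() - after.ale()


def control_is_justified(before: Scenario, after: Scenario, annual_cost: float) -> bool:
    """Cost/benefit test: the ALE reduction must exceed the control's yearly cost,
    since the ALE is the ceiling on what is worth spending against this threat."""
    return annual_benefit(before, after) > annual_cost


# The page's example: $100,000 of equipment, 75% exposure, attack once every 5 years.
BEFORE = Scenario("computer equipment", 100_000.0, 0.75, aro_from_interval(5))
# Constructed: a control that cuts the exposure factor to 25% for $8,000 a year.
AFTER = Scenario("computer equipment", 100_000.0, 0.25, aro_from_interval(5))
CONTROL_COST = 8_000.0

if __name__ == "__main__":
    print(f"SLE ${BEFORE.sle():,.0f}  ALE ${BEFORE.ale():,.0f}")  # SLE $75,000  ALE $15,000
    print(f"ALE after control ${AFTER.ale():,.0f}; benefit ${annual_benefit(BEFORE, AFTER):,.0f}")
    print("control justified:", control_is_justified(BEFORE, AFTER, CONTROL_COST))
```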

Risk Evaluation

NOTE: SUPPORTING assets are the Laptop and the File Server

NOTE: PRIMARY assets are Patient data and Client contracts

ISO/IEC 27005, Annex E.2.3 Example 2 — Ranking of Threats by Measures of Risk A matrix or table such as that shown in Table E.3 can be used to relate the factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects). The first step is to evaluate the consequences (asset value) on a predefined scale, e.g. 1 through 5, of each threatened asset (column “b” in the table). The second step is to evaluate the likelihood of threat occurrence on a predefined scale, e.g. 1 through 5, of each threat (column “c” in the table). The third step is to calculate the measure of risk by multiplying (b × c). Finally, the threats can be ranked in order of their associated measure of risk. Note that, in this example, 1 is taken as the lowest consequence and the lowest likelihood of occurrence.
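The three steps of Annex E.2.3 (score consequence b, score likelihood c, rank by b x c) as a small script. This is an added example and not text or code from the standard; the asset names follow the notes above, but the threats and all 1-to-5 scores are constructed, and ties are given a shared rank since the standard's table does not prescribe how to break them.

```python
"""Ranking threats by measure of risk, after ISO/IEC 27005 Annex E.2.3 (Table E.3).

Added example, not text from the standard. The assets come from the notes above;
the threats and scores are constructed for illustration.
"""
from typing import List, Tuple

SCALE = range(1, 6)  # predefined 1..5 scale; 1 = lowest consequence / lowest likelihood

Row = Tuple[str, str, int, int]  # (threat, asset, consequence b, likelihood c)


def measure_of_risk(consequence: int, likelihood: int) -> int:
    """Third step of E.2.3: measure of risk = b x c, both scored on the 1..5 scale."""
    if consequence not in SCALE or likelihood not in SCALE:
        raise ValueError("consequence and likelihood must be integers 1..5")
    return consequence * likelihood


def rank_threats(rows: List[Row]) -> List[Tuple[int, str, str, int]]:
    """Return (rank, threat, asset, measure) from highest to lowest measure of risk.

    Equal measures share a rank (1, 1, 3, ...) so ties are not ordered arbitrarily.
    """
    scored = sorted(
        ((threat, asset, measure_of_risk(b, c)) for threat, asset, b, c in rows),
        key=lambda r: r[2],
        reverse=True,
    )
    ranked, previous, rank = [], None, 0
    for position, (threat, asset, measure) in enumerate(scored, start=1):
        if measure != previous:
            rank, previous = position, measure
        ranked.append((rank, threat, asset, measure))
    return ranked


# Constructed sample rows: consequence (asset value) and likelihood per threat/asset pair,
# using the Annex C threat categories (natural, deliberate, accidental) as labels.
SAMPLE_ROWS: List[Row] = [
    ("Unauthorised disclosure (deliberate)", "Patient data", 5, 2),
    ("Theft of device (deliberate)", "Laptop", 3, 4),
    ("Ransomware (deliberate)", "File Server", 4, 3),
    ("Accidental deletion (accidental)", "Client contracts", 4, 2),
    ("Fire (natural)", "File Server", 4, 1),
]

if __name__ == "__main__":
    for rank, threat, asset, measure in rank_threats(SAMPLE_ROWS):
        print(f"rank {rank}  measure {measure:>2}  {asset:<17} {threat}")
```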

Risk Analysis

Example presentation of impact

Human Impact

Monetary

In practice you will usually do a qualitative assessment

Risk Identification
Activities to identify

Identify Consequences/Impact

Real Life Example

Quantitatively

Qualitatively

Identify Vulnerabilities

Example

existing controls

Threats - ISO/IEC 27005, clause 8.2.3

See ANNEX C, ISO 27005

Examples

Natural

Deliberate

Accidental

3.1 Assets

Supporting Assets

assign value

Each asset must have an owner

Primary Assets

Business process and activities

Information

Information Gathering Techniques

Scanning Tools

Code Review

Pen testing

Vulnerability scanning

Documentation Review

Interviews

cover all subjects

take notes

Ask open-ended questions and clarify responses

Questionnaires

DOMAIN 4: Other information security risk assessment methods

Methodologies

OCTAVE-Allegro

OCTAVE-S

Efficient Communication Strategy

DOMAIN 1 Fundamental principles and concepts of information security risk management

2. Context Establishment
2.5 Define the Scope and Boundaries - clause 7.3

Constraints - Annex A.3

Organisational

managerial

development

admin

Maintenance

Operation

Methods

Time

Environmental

Financial

Technical

Interfaces have to be taken into account

Exclusions have to be justified and documented

2.4 Determine the Basic Criteria

Risk Acceptance (clause 7.2.4), Annex E.2.2

Quantitative or Qualitative

Acceptance Maintenance Criteria

technology

social and humanitarian factors

finance

operations

business criteria

Impacts (to the org caused by an info sec event)

impairment of operations (internal or 3rd party)

breaches of info sec (CIA)

damage to reputation

classification of the impacted information asset

Evaluation of Risk (clause 7.2.2)

stakeholders' expectations and perceptions

operational and business importance of CIA

criticality of the info assets involved

strategic value of business info process

2.3 Determine the Objectives (of the risk management activity)

Internal Policies

Market

Standards

Laws and Regulations

2.2 Identification and Analysis of Stakeholders
2.1 Understanding the Organisation's Context

Establish Internal and External Context

Strategies

Ask people "what keeps you up at night?"

STEP (Social, Technical, Economical, Political)

PEST (Political, Economic, Social, Technological)

SWOT (Strengths, Weaknesses, Opportunities, Threats)

Understand Key Processes

Objectives

Values

Mission

Risk Management Objectives

1. Risk Management Program
1.10 Provide the Resources - clause 7.1
1.9 Plan Activities for Risk Assessment
1.8 Select a Risk Assessment Methodology

CRAMM

NIST 800-30

MEHARI

OCTAVE

1.7 Select an Information Assessment Approach

Output

List of assessed risks that are prioritised

Action

Risks identified, quantitatively or qualitatively

Input

Scope

1.6 Implement a Risk Management Process - clause 7.4
1.5 Establish a Risk Management Policy

Is readily available within the organisation

Becomes part of the culture of the organisation

1.4 Ensure Accountability

Identify individuals who have the accountability and authority to manage risk

Risk Management = core business responsibility

1.3 Define Responsibilities of Principal Stakeholders

Internal audit

Public relations

Legal service

regulatory and contractual

IT Technician

implement technical solutions for measuring and managing the daily operations

Info Sec

Identify controls to manage risk

HR

Finance

Cost/Benefit analysis

Top Mgmt

1.2 Assign Responsibility for Risk Management

Assign to roles

1.1 Demonstrate Leadership and Commitment

Support from senior leaders

Deming
Alignment of ISMS and Information Security Risk Management Process

Information Security Risk Management Framework and processes based on ISO/IEC 27005

The Annexes are very good
Clauses 7-12