
Information Risk Management

An ‘information security event’ is an identified occurrence of a system, service or network state, indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

An ‘information security risk’ is the combination of the probability of an ‘information security event’ and its impact.


Why Information Risk Management?

In the early days of information security, and still today in some companies, security measures were and are implemented without any prior specific risk assessment.

In such cases security measures are implemented according to either the ‘baseline approach’, the ‘intuitive approach’ or a combination of both.

The baseline approach aims at 100% compliance with the company’s own security policies or with a standard set of security policies (e.g. ISO/IEC 27002). Even assuming these company policies are complete, the result is in general a far too costly and unrealistic level of security: costly because experience shows that residual risk drops quickly with the first security measures, so the last steps towards full compliance buy little additional risk reduction, and unrealistic because benchmarking shows that most top performers do not even reach a 95% compliance level (e.g. with ISO/IEC 27002).

The intuitive approach, in which security measures are implemented according to the risk focus and the technical competencies of the decision maker, leads to ineffective and unbalanced (and hence also costly) security.

Besides this clear evidence of the need for risk assessment in information security, there is also the new ISO/IEC 27001 standard for Information Security Management Systems (ISMS), which is gaining momentum and forms the basis for obtaining an information security certification.

Systematic risk management is a key requirement in this ISO/IEC 27001 standard.


What is Information Risk Management?

A ‘risk management’ process typically includes 3 sub-processes:

  • risk assessment
  • risk acceptance or risk treatment
  • risk communication

A ‘risk assessment’ process identifies risks, estimates these risks - by assigning values to their probability and impact - and compares the estimated risks against given risk criteria to determine the significance of the risks.

‘Risk acceptance’ is the informed and approved decision to accept an assessed risk; ‘risk treatment’ is the process of selection and implementation of measures to bring an assessed risk to a more acceptable level. Alternative ways of risk treatment are risk avoidance and risk transfer.

‘Risk communication’ is the culture, the processes and the structure to communicate with and consult those people and organisations that affect, are affected by, or perceive themselves to be affected by any decision and/or activity concerning the risks.


Challenges for sound risk management

A risk management method and associated tools will generally perform, for the systems and assets under its scope:

  • the identification of the relevant threats
  • an assessment, given the actual vulnerability level, of these threats’ probability and impact
  • a representation of the actual risks, using the probabilities, impact and control measures (safeguards) already in place
  • a decision support for acceptability or non-acceptability of risks
  • a decision support for selection of appropriate safeguards for the treatment of the non-acceptable risks
  • an expression of the projected residual risks once the selected safeguards are implemented
  • graphical representations and reports to support the risk communication process

A common problem with many existing risk management methods and tools is that they are too complex and time-consuming. Some causes:

Reinventing the wheel syndrome:

Many methods maintain their own set of vulnerabilities and safeguards, although these safeguards are very similar to those of the known security standards (e.g. ISO/IEC 27002). Such methods then face the challenge of mapping their own safeguards onto these internationally accepted standards, and of linking their vulnerabilities to their own mitigating safeguards in order to recommend (their own) appropriate improvements. This adds to the complexity.

Configuration management:

In many methods one must provide a detailed technical breakdown of the components of the system(s) under review and of their dependencies. Information security risk assessments, however, do not justify such a level of detail: complex component links provide a precision that cannot be exploited in the relatively simple, approximate assessment process. Configuration management should be done within an organisation, but not within a risk management method, where it is time-consuming and redundant with existing configuration management tools or processes (e.g. ITIL).

One can learn that an appropriate risk management method should have the following characteristics:

  • effectiveness
  • SMART improvement simulation and residual risk determination
  • support of ISO/IEC 27001 Statement Of Applicability (SOA)
  • efficiency and flexibility

This represents quite a challenge for a risk management method.

Effectiveness:

Every non-compliance with a security control or safeguard, whether full or partial, represents a potential vulnerability. The risk management method should allow defining and quantifying the risk-reducing capability of reducing these vulnerabilities, given the actual security risks. This allows improvement actions (increases in compliance) to be ranked by effectiveness.

SMART improvement simulation and residual risk determination:

The risk management method should allow taking into account (simulating) the decreased risk-reducing capability of the remaining improvement actions once an improvement action has been implemented. It should also allow quantifying the residual risk after a number of improvement actions have been implemented.

Support of ISO/IEC 27001 Statement Of Applicability:

This requires a documented statement describing the ISO/IEC 27002 control objectives and controls that are relevant for the organisation’s Information Security Management System (ISMS), including:

  • the control objectives and controls selected together with the reasons for their selection
  • the control objectives and controls currently implemented
  • the exclusion of any control objectives and controls, together with the justification for their exclusion

Hence compliance with the ISO/IEC 27002 controls has to be expressed within the risk management method. The risks must also be assessed per asset and evaluated against criteria for risk acceptability, and it must be possible to determine the residual risks that would result from implementing the selected controls.

Efficient and flexible:

As it is good practice and increasingly demanded by international standards, risk assessments in most organisations must be performed on a large scale and frequently. One cannot afford to spend months on an individual risk assessment: efficiency is key!

On the other hand, risk must also be assessed for the most important assets, which can be numerous and complex, so flexibility is a key requirement as well!

As a result, it must be possible to perform a risk assessment in a few hours, but when required an in-depth, multi-asset risk assessment, which obviously takes more time and resources, must be possible as well.

Quantified approach, economical justification and improvement action challenge:

When the risk management method quantifies the risk-reducing capability (that is, the effectiveness) of reducing these vulnerabilities, this risk reduction can be compared with the cost of implementing it. In this way an economic justification and challenge can be expressed for each improvement action.

Such a ‘Return On Investment (ROI)’ based approach considerably facilitates risk communication, management perception and acceptance, decision support and comparison with other operational and financial company risks. It allows for optimal security budget determination and spending.
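As an added illustration, not part of the original page and not Branswijck’s own method, the Python model below puts the effectiveness, simulation and ROI ideas above into code: risk as probability times impact, every partial non-compliance as a remaining vulnerability, improvement actions ranked by risk reduction per unit of cost, and the remaining actions re-ranked after each implementation so that residual risk and the shrinking payoff of later actions become visible. All threat, control, compliance and cost figures are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # annual likelihood of the event, 0..1
    impact: float        # loss if it materialises, in currency units
    controls: tuple      # names of the controls that mitigate this threat

@dataclass(frozen=True)
class Control:
    compliance: float    # current compliance with the control, 0..1
    strength: float      # share of threat probability removed at full compliance
    cost: float          # cost of going from zero to full compliance

def residual_risk(threats, controls):
    """Sum of probability x impact; each partial non-compliance leaves part of the threat's probability."""
    def prob(t):
        p = t.probability
        for n in t.controls:
            p *= 1.0 - controls[n].strength * controls[n].compliance
        return p
    return sum(prob(t) * t.impact for t in threats)

def rank_actions(threats, controls):
    """Risk reduction per unit of cost if each control alone is brought to full compliance."""
    base = residual_risk(threats, controls)
    scored = []
    for name, c in controls.items():
        if c.compliance < 1.0:
            spend = c.cost * (1.0 - c.compliance)
            reduced = residual_risk(threats, {**controls, name: replace(c, compliance=1.0)})
            scored.append((name, (base - reduced) / spend, spend))
    return sorted(scored, key=lambda s: s[1], reverse=True)

def simulate(threats, controls, budget):
    """Greedy plan: implement the best affordable action, re-rank the rest (their payoff shrinks)."""
    controls, plan, spent = dict(controls), [], 0.0
    while (pick := next((a for a in rank_actions(threats, controls) if spent + a[2] <= budget), None)):
        name, roi, spend = pick
        spent += spend
        controls[name] = replace(controls[name], compliance=1.0)
        plan.append((name, round(roi, 3), round(residual_risk(threats, controls))))
    return plan, residual_risk(threats, controls), spent

THREATS = (Threat("ransomware", 0.30, 400_000, ("backup", "patching", "awareness")),  # constructed figures
           Threat("phishing", 0.50, 120_000, ("awareness", "mfa")))
CONTROLS = {"backup": Control(0.5, 0.8, 20_000), "patching": Control(0.6, 0.5, 30_000),
            "awareness": Control(0.2, 0.4, 10_000), "mfa": Control(0.0, 0.9, 15_000)}
```

With these sample figures, `simulate(THREATS, CONTROLS, 30_000)` implements the awareness action first, after which the MFA action’s payoff drops from about 3.3 to about 2.2 per unit of cost before it is chosen second, which is exactly the decreased risk-reducing capability of remaining actions that the simulation requirement describes.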


Why Branswijck?

In response to the constantly changing business requirements of the 21st century, Branswijck has created a dedicated consultancy team active in IT Risk Management, Compliance & Governance services. This independent team advises organisations on the best way to keep their ICT strategy in line with business objectives.

Branswijck’s Risk Management helps identify a company’s risk profile and protect its high-value systems. Uniquely, we have both a structured methodology and the required ICT knowledge to translate business objectives into ICT strategy and to perform well-balanced risk assessments and ICT (compliance) audits. Our consultants support the installation and continuous improvement of IT Governance mechanisms that can quickly become value-generating and value-proven management tools.

Branswijck has built substantial experience in understanding business needs and delivering adequate capacity.

Branswijck’s Risk Management in combination with IT Governance provides a balanced and pragmatic service of strategic CxO advice, as a trusted third party, and broad technical expertise, by taking advantage of cross-domain competences within the Branswijck organisation. Branswijck’s consultants hold various certifications (CISSP, CISA, CISM, ISO-27000 Lead Auditor...) in order to advise and support your company in the best way.


Contact

Western Europe
Tel:  +32 (0) 53 610 101

Middle East (KSA)
Tel:  +966504639336