Summary Show This contribution provides a high-level description of the process by which risk management can be carried out. Two models are overviewed: �Risk Management Guide for Information Technology - NIST SP 800-30�, and ISO/IEC 27005:2008, Information technology - Security techniques -Information security risk management. 1. Introduction The explosive growth in the use of the information and communication technologies (ICT) infrastructure has increased the reliance of organizations and individuals on the protection of the information transmitted and stored over telecommunications networks. This has led to a heightened awareness of the need to protect the
To meet these security objectives, organizations practice safe security techniques based on specialized methodologies to manage potential risks. Security risk management plays a critical role in protecting an organization�s information from security risk and it is defined as the logical and analytical process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Security risks are managed by:
Managing security risks means defining what is at risk, the magnitude (impact) of harm caused by a threat, the causes or events with the potential to cause harm to an ICT infrastructure, and what to do about the risk. A threat and risk assessment is one means to manage risk. Other means of managing risk would be education and awareness, security policies, operational standards, and technical documentations. The following section provides a description of risk management approaches in general as well as applications to manage potential security�s risks. 2. Risk Management Overview A number of Risk Management Frameworks are available in the open literature. Although these frameworks, and processes defined within them, differ in detail, there is considerable overlap in the material covered. The following themes recur [1], [2], [3], [4], [5], [6], [7]: a) Identification of critical assets As it is not cost-effective to protect all assets, it is essential that the critical assets be identified so that particular care may be taken to protect them. The designation should be made from the business context, through consideration of the impact of the loss or degradation of an asset on the business as a whole. b) Identification of risks A disciplined, comprehensive identification of risks should be undertaken. It should include environmental risks, as well as those caused by humans. The �accidental insider� group includes human error as well as accidental misconfiguration conducted by inadequately trained personnel. When people are the threat, the analysis should include who they are, their motivation for threatening the system, and the means by which they would attempt to achieve their goals. c) Impact Assessment It is necessary to relate each risk to one or more of the architectural components and determine the potential impact of the threat on the asset.. d) Treatments This activity involves planning and implementing the best course of action: accepting the risk as it exists today; actively managing the risk; watching for changes in risk characteristics (and modifying the plan as needed); and investigating more about the risk until enough is known that one of the others planning options becomes appropriate. e) Reporting Who needs to know about the risks? Who needs to know about incidents? Who needs to know about threats that succeed? f) Information Sharing What information should be shared? How should the sharing occur? What are the restrictions on sharing (e.g., should the data be anonymized before sharing?) g) Monitoring/Audit Is there a need for internal audits? Is there a need for third-party (external) auditors? Do the regulators require audits? Do the shareholders require audits? h) Regulatory/Legislative What is the regulatory environment? What laws need to be followed? What security requirements are imposed by external bodies? 3. Security Risk Management Process Information security risk analysis/risk management methods usually support the general concepts specified in ISO/IEC 27000 standards [4] and are designed to assist all types of organizations in the satisfactory implementation of information security based on a risk management approach. The following sub-sections describe a risk management process followed for an overview of security risk management guidelines. 3.1. Risk Management Guide for Information Technology - NIST SP 800-30 The NIST approach [5] involves a three-step process: risk assessment; risk mitigation; and evaluation and assessment. Risk assessment This process allows determining the level of the potential threat and their risks associated with an ICT system. The risk assessment process includes:
Risk mitigation Risk mitigation is a systematic methodology to reduce risk. It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. The implementation of the best course of action may vary depending on the organization. There are four risk mitigation options: 1. Risk retention: to accept the potential risk and continue operating, or to implement controls to lower the risk to an acceptable level 2. Risk avoidance: to avoid the risk by eliminating the risk cause and/or consequence 3. Risk reduction: to limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability 4. Risk transference: to transfer the risk by using other options to compensate for the loss, such as purchasing insurance. After identifying the possible controls and evaluating their viability and effectiveness, a cost-benefit analysis to determine which controls are appropriate to allocate resources is conducted. Its purpose is to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. The cost-benefit analysis encompasses:
Once the cost of implementation has been established and by comparing their results, it can be decided whether or not to implement the risk control measures. Evaluation and Assessment The network (components and software applications), personnel and security policies are likely to change over time. These changes mean that new risks will rise and risks previously mitigated may again become a concern. Thus, the risk management process continues with the identification of new or re-emerging risks for as long as the infrastructure activity or business process is ongoing. In evaluating this process the following actions are available:
The next section describes a security risk management guideline based on the ISO/IEC 27005 standard which intends to provide fundamental contributions to the well being and security of any organization. 3.2. Security Risk Management Guideline The Security Risk Management guideline described below is based on the ISO/IEC 27005 standard [4] which intends to provide fundamental contributions to the well being and security of any organization. This guideline creates an ongoing process that drives the organization towards to effective controls to mitigate security risks. The follow general practice references many industry accepted standards for managing security risk and incorporates the first three phases of the risk management process described before. First phase: Risk Assessment Steps in this phase include planning, data gathering, and risk prioritization. Risk prioritization involves qualitative and quantitative approaches to provide reliable risk information within reasonable trade-offs of time and effort. Second phase: Risk Treatment Options During this phase it is determining how to address the key risks in the most effective and cost efficient manners. The control solutions to be implemented are defined after an evaluation of all the recommended controls, estimated costs, and degrees of risk reduction are measured. The output of this phase is a clear and actionable plan to control or accept each of the top risks identified in the Assessing Risk phase. Third phase: Treatment Evaluation During this phase it is created and executed plans based on the control solutions that emerged during the decision support process to measure the effectiveness of the program. When the previous phases of the security risk management process are complete, organizations estimate their progress with regard to security risk management as a whole. The follow flowcharts (from ISO/IEC 27005) provide a brief of the information Security Risk Management phases described above.
Figure 1. Risk Management Process (ISO/IEC 27005) Finally, the most important keys for implementing a successful security risk management program will build on:
4. Summary This contribution provides Security Risk Management input to the Technical Notebook on Cyber security. It provides a high-level description of the process by which risk management can be carried out. Two models are overviewed: �Risk Management Guide for Information Technology - NIST SP 800-30�, and ISO/IEC 27005:2008, Information technology - Security techniques -Information security risk management. It is recommended that the Cyber security Rapporteur of the Working Group on Policy and Regulatory Matters to consider incorporating this contribution in Chapter 3 of the Technical Notebook of Cyber Security. Oscar Avellaneda & Magdoly Rondon What is the final stage of the business impact analysis when using the NIST SP 800 34?What is the final stage of the business impact analysis when using the NIST SP 800-34 approach? Identify recovery priorities for system resources.
What should be included in a business impact analysis?Consider the Impact. Lost sales and income.. Delayed sales or income.. Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.). Regulatory fines.. Contractual penalties or loss of contractual bonuses.. Customer dissatisfaction or defection.. Delay of new business plans.. Which of the following is the first major task in the BIA?The first major BIA task is to analyze and prioritize the organization's business processes based on their importance or criticality to the organization's overall operations.
Which is the first step in the contingency planning process among the options listed here?To develop a contingency plan, first conduct a risk assessment: identify your business-critical operations, identify the threats to those operations, and analyze the potential impact of each threat.
|