John B. Weaver CISSP, CISA, CISM, CPP
President/CEO, Principal Consultant
ISO 27005:2008: A Standard-Based Approach to IT Risk Management
Presented to: Secure 360
Updated October 22, 2008
What is Risk?
[Diagram: the components of risk]
Information Assets: Technology, Customer Data, IP & Trade Secrets, Key Contributors
Threats: “Hackers”, Malware, Dishonest Employees, New Services, Competitors, Legal & Regulatory Requirements
Vulnerabilities: Poorly Managed Technology, Inconsistent Policies, Informal Processes
Impact (H, M, L): Lost Productivity, Lost Market Share, Brand Deterioration, Penalties, Litigation, Jail Time
Likelihood (H, M, L): Daily, Weekly, Monthly, Annually
© 2008 JBW Group International Inc.
What is Risk Assessment?
[Chart: Risk plotted against Time. “Now” marks the Vulnerability Assessment; later points on the curve are marked Zero-day Vulnerabilities, Change in Environment, and Employee Job Change]
What is Risk Management?
Risk Management is a system for:
Identifying information assets
Identifying relevant legal and business requirements
Determining valuation of assets
Determining vulnerabilities associated with the identified assets
Anticipating threats that may exploit asset vulnerabilities
Assessing the likelihood of occurrence
Calculating the level of risk
Then . . .
What is Risk Management?
Evaluating the risk and determining an acceptable level of risk
Identifying a risk treatment strategy
Implementing the risk treatment strategy
Assessing the implementation of controls
Monitoring and reporting effectiveness
Reviewing and re-assessing risks to the organization
Improving the ongoing Risk Management activities
ISO 27001:2008
Risk Management
[Chart: the same Risk vs. Time chart as on the “What is Risk Assessment?” slide, with “Now” (Vulnerability Assessment) followed by Zero-day Vulnerabilities, Change in Environment, and Employee Job Change]
Standards-based Approach
Process Approach
Foundations in regulatory guidance
Identification of relevant components
Plan development and maintenance
Fact-Specific, Risk-Based, Continual Improvement
Process as applied to security controls must adapt/respond to existing threats and to changes in the business and information environments
Core components
Asset inventory; periodic risk assessment; controls appropriate to risks; pre-determined acceptance criteria; monitoring and testing; review and revise; responsibility and authority assigned organizationally; risk assessor competency
See Thomas Smedinghoff, “The New Law of Information Security: What Companies Need to do Now”, The Computer and Internet Lawyer Journal, November 2005.
ISO 27005:2008
Risk management guidelines designed for use as a companion to ISO 27001:2005. The standard requires:
Business case for Information Security
Clearly defined scope of the security program (ISMS)
Policy in clear support for information security
Risk management methodology
Information security risks in the organizational context
ISO 27005 Risk Assessment
Risk assessment process
Identification of assets
Identification of legal and business requirements
Valuation of assets
Identification and assessment of threats and vulnerabilities
Assessment of the likelihood of occurrence
Evaluation of risk
Calculation of risk
Assessment against a pre-determined scale
Risk Calculation and Evaluation
[Risk matrix: Impact (vertical axis) against Likelihood of Occurrence (horizontal axis)]
                    Low likelihood    High likelihood
Low impact          Low               Medium
High impact         Medium            High
ISO 27005 Risk Treatment
Risk treatment occurs through:
Prevention and detection controls
Avoidance of risk
Acceptance of risk
Transfer of risk to another entity
Some combination
Management decision-making criteria
What is the impact?
How frequently is it expected to occur?
What is the cost to manage the risk?
Green dollars
Resources
Current business priorities
Organizational Risk Tolerance
[Diagram: the Risk Assessment Process outputs a Level of Risk, which is the input to the Risk Treatment Strategy; its output is Residual Risk, which determines the Degree of Assurance]
Degree of Assurance determined by: Level of Risk, Risk Treatment Strategy, Residual Risk
Risk = Vulnerabilities + Threats + Probability + Impact
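The calculation, evaluation and treatment steps from the preceding slides (risk matrix, assessment against a pre-determined scale, treatment decision, residual risk), worked through as an added Python example that is not part of the presentation. The 3x3 matrix, the acceptance level, the way controls are modelled and the sample register are assumptions.

```python
from dataclasses import dataclass, replace

# The slide's qualitative scale, used for both impact and likelihood.
SCALE = ("L", "M", "H")
# Risk matrix indexed MATRIX[impact][likelihood]. The slide shows a 2x2 grid
# (Low, Medium / Medium, High); extending it to 3x3 is an assumption here.
MATRIX = {
    "L": {"L": "Low", "M": "Low", "H": "Medium"},
    "M": {"L": "Low", "M": "Medium", "H": "High"},
    "H": {"L": "Medium", "M": "High", "H": "High"},
}
RANK = {"Low": 0, "Medium": 1, "High": 2}

@dataclass(frozen=True)
class Scenario:
    asset: str          # information asset at risk
    threat: str         # threat that may exploit the vulnerability
    vulnerability: str  # weakness in the asset or how it is handled
    impact: str         # L / M / H
    likelihood: str     # L / M / H

def risk_level(impact: str, likelihood: str) -> str:
    """Calculation of risk: combine impact and likelihood via the matrix."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be one of L, M, H")
    return MATRIX[impact][likelihood]

def evaluate(s: Scenario, acceptance: str = "Low") -> dict:
    """Evaluation against a pre-determined acceptance level: any risk above
    that level needs a treatment decision, anything at or below is accepted."""
    level = risk_level(s.impact, s.likelihood)
    decision = "accept" if RANK[level] <= RANK[acceptance] else "treat"
    return {"asset": s.asset, "risk": level, "decision": decision}

def treat(s: Scenario, control: str) -> Scenario:
    """Risk treatment (modelling assumption): a preventive control lowers the
    likelihood one step, a detective control lowers the impact one step."""
    def step_down(level: str) -> str:
        return SCALE[max(SCALE.index(level) - 1, 0)]
    if control == "preventive":
        return replace(s, likelihood=step_down(s.likelihood))
    if control == "detective":
        return replace(s, impact=step_down(s.impact))
    raise ValueError("control must be 'preventive' or 'detective'")

# Constructed sample register (values are not from the presentation).
REGISTER = [
    Scenario("Customer database", "Malware", "Unpatched DB server", "H", "M"),
    Scenario("Internal wiki", "Dishonest employee", "Informal access process", "L", "M"),
]
```

Re-running evaluate() on the scenario returned by treat() gives the residual risk, which is the value the Organizational Risk Tolerance slide feeds into the degree of assurance.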
Ongoing Risk Management
Monitoring and maintenance
Management review
Risk reviews and re-assessment
Audits
Control of documentation
Corrective actions
Preventative actions
Reporting and communications
Risk management role
Plan-Do-Check-Act
[Diagram: Continuous Improvement Cycle]
Plan: Assess and Evaluate Risks (input: Risk Tolerance)
Do: Select & Implement Controls
Check: Monitor & Review Risks
Act: Maintain & Improve the Risk Controls
Output: Managed Risk
ISO 27005 Annexes
Annex A – Defining the scope and boundaries of the information security risk management process
Annex B – Identification and valuation of assets and impact assessment
Annex C – Examples of typical threats
Annex D – Vulnerabilities and methods for vulnerability assessment
Annex E – Information security risk assessment approaches
Annex F – Constraints for risk reduction
ISO 27001 History
[Timeline, 1990 to 2007]
Industry working group releases Code of Practice
BS 7799 Part 1 released
BS 7799 Part 2 released
BS ISO/IEC 17799:2000 released
BS 7799-2:2002 published
BS ISO/IEC 27001:2005 published; BS 7799 withdrawn
BS ISO/IEC 27006:2007 published
5100+ registered ISMSs in 72 countries worldwide
This slide needs updating
ISO 27000 Series
ISO 27000 – Information Security techniques, fundamentals and vocabulary
ISO 27001:2005 – Information Security Management System Requirements
ISO 27002:2005 – Code of Practice (formerly ISO 17799:2005)
ISO 27003 – ISMS Implementation (proposed)
ISO 27004 – Guide for Information Security Metrics and Measures (proposed)
ISO 27005 – Guide for Risk Management (formerly BS 7799-3:2006)
ISO 27006:2007 – International Accreditation Guidelines (10/2007 implementation deadline)
Reasonable Security
Focused on all information in any form, and all information assets within the organization
Information security, not just IT security (the architecture: networks, applications, databases, hardware)
More than technology tools or “solutions”
Purchase orders for vendor products (firewalls, monitoring tools, encryption, content filters, other) aren’t the same thing as an information security strategy
More than acceptance of a recognized control set
Use and implementation of controls should be driven by security strategy and governance tied to business objectives and risk management priorities
Applicable risk management methodology
John B. Weaver CISSP, CISA, CISM, CPP
President/CEO – Principal Consultant
JBW Group International
PO Box 19393
Minneapolis, MN 55419 USA
+1.877.97.27001
www.JBWGroup.com