Date posted: 06-May-2015
Information Systems Risk Assessment Framework (ISRAF)
(Addendum to NIST SP 800-39 information systems risk management and revision of NIST SP 800-30)
Prepared by S. Periyakaruppan (PK)
Need for an addendum/revision?
• Ensure a converged and integrated process.
• Address the challenges in the traditional approach.
• Provide an adaptive and modular working model of information systems risk assessment.
• Improve the organization's risk-based decisions.
• Bring value addition to the business.
Why should it be transformed?
• To make risk management an integral part of business management, project management and IT life cycle management.
• To facilitate a practical approach to addressing risk.
• To evolve a business-aligned approach.
• To tailor down the model from a domain-agnostic approach.
Does it need a model/framework?
• Evolve a descriptive process and systematic thinking.
• Meet emerging business demand and process convergence.
• Enhance communication among functional entities.
• Invoke a result-oriented approach; predict results within the systematic model.
Assessing risk – What & Why
• To identify the potential for a probable consequence of an adverse impact due to a weakness in the information systems.
• To support the business with risk-based decisions.
• To identify external and internal threat exposures to an organization from a nation or another organization, and vice versa.
• To monitor the ongoing risk exposure of the organization.
• To observe the effectiveness of the information security program.
• To assist with metrics for information security program management.
Assessing risks – When
• During architecture development (organization, process and information system).
• During functional and business systems integration.
• During all phases of the SDLC (systems acquisition and development life cycle).
• During acquisition of a new security or business/function solution.
• During modification of mission-critical/business-critical systems.
• During third-party vendor/product acquisition.
• During decommissioning of systems, functions or groups of the organization.
Risk framing model
• Determine the uncertainty of the risk and the associated risk constraints.
• Define the risk tolerance, priorities and tradeoffs.
• Determine the set of risk factors, the assessment scale and the associated algorithm for combining factors.
• Assist in precise risk communication and sketch out the boundaries of information system authorization.
• Enhance the risk decision with appropriate information.
• Incorporate de-duplication in the hierarchical risk management model.
• Determine the context of the entire risk assessment process/assessment/approach.
The Model/Framework
Diagram: the four risk management functions, Frame (context), Assess, Respond and Monitor, applied across three tiers: Tier 1 Organizational, Tier 2 Business/Functional Group, Tier 3 Information System. The focus of this framework is Assess.
The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
Risk assessment is a key element of risk management
• Risk assessment process in a modular approach.
• Preparation checklist.
• Activity checklist.
• Protocol to maintain appropriate results of risk assessments.
• Method of communicating risk results across the organization.
Strategy/Approach
Frame the risk
• Freezing the scope (organization risk frame)
• Context of the business/function to an information system
Freeze the method
• Determine the risk assessment methodology
• Determine the analysis approach
Define the risk model
• Define the risk factors and their relationships within the risk model
• Define the assessment and analysis approach for the framed risk model
Risk – Key concepts
• Risk aggregate: consolidation of individual Tier 1/Tier 2/Tier 3 risks into a cumulative risk, to identify relationships among risks at various levels.
• Threat shifting: the dynamic variation of a threat source in response to the perceived countermeasures.
• Residual risk: the tolerable risk that remains after mitigation has reduced, to the extent possible, the level of adverse impact to the organization.
• Adversarial risk: risk that has an adverse effect caused by adversarial threats.
• Adversarial threats: threats with an intrinsic characteristic of direct adverse impact, e.g. business operation interruption.
• Non-adversarial threats: threats with no direct or immediate threat impact, e.g. exposure of system errors, competitive intelligence gathering.
Risk – Key factors
• Threat event: a possible adverse impact through a potential circumstance/event to an organization from a nation or another organization, and vice versa.
• Threat source: the intent and the method of exploitation, or attack vector.
• Likelihood: the probability of a threat becoming reality.
• Vulnerability: a flaw in an information system that can lead to a potential threat.
• Adverse impact: the negative consequences/damage leading to potential impact on the business/organization/nation as a consequence of an exercised vulnerability.
• Predisposing condition: the existing and known lack of controls or inadequate countermeasures in the available solution.
• Risk: a measure/unit of the extent to which an entity is threatened by a potential circumstance.
Assessing Risk – High-level process
Step 1: Prepare
Step 2: Conduct
Step 3: Communicate
Step 4: Maintain
Prepare for Assessment
Risk assessment preparation
• Identify the purpose: initial assessment? Re-assessment? Risk baseline determination?
• Identify the risk model (assessment and analysis approach): defined risk factors; defined risk response; qualitative analysis; quantitative analysis; semi-quantitative analysis.
• Identify the sources of inputs: policy; process; procedure; reports; external agencies.
• Identify the scope: the tiers (Org, BFP, IS) addressed; result validity period; decision-supporting assessment; factors influencing re-assessment; authorization boundary; regulatory requirements/constraints.
• Identify the assumptions and constraints: risk tolerance and priorities/tradeoffs; threat sources/events; vulnerabilities and predisposing conditions; uncertainty and analytical approach; likelihood of impacts.
Conducting Assessment
Step 1: Identify threat sources and events – intent, target, capability; capability of adversaries; range of effects.
Step 2: Identify vulnerabilities and predisposing conditions – effect of existing controls; intentional/accidental flaw or weakness in a system/process.
Step 3: Determine likelihood of occurrence – depends on the degree of Step 1 and the effect of Step 2.
Step 4: Determine magnitude of impact – result of the BIA; depends on effective BCP/DR, MTTR/MTBF, RTO/RPO.
Step 5: Determine risk – the combination of Step 3 and Step 4.
Method of Risk Analysis
Threat-oriented
• Identify threat sources and events
• Develop threat scenarios and model
• Identify vulnerabilities in the context of threats
Vulnerability-oriented
• Identify predisposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities
Asset/impact-oriented
• Identify mission/business-critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact
Method of Risk Assessments
Qualitative
• Objective-oriented assessment
• Uses non-numerical values to define risk factors
• Likelihood and impact given a definite value based on individual expertise
Quantitative
• Subjective-oriented approach
• Uses numerical values to define risk factors
• Likelihood and impact given a definite number based on the history of events
Semi-quantitative
• Contextual analysis and result-oriented approach
• Uses bin values (numerical ranges) with a unique meaning and context
• Likelihood and impact derived from ranges of numerical values with a degree of unique context
Sample Assessment Scale
(Table with columns Qualitative, Quantitative and Semi-quantitative; scale values not captured.)
Caution: assessment scales and their descriptive meanings vary from organization to organization, and within an organization, at the organization's discretion according to its culture, policies and guidelines.
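The five-step Conducting Assessment flow and the semi-quantitative bin scale above, worked as an added example (not code from the original deck). The bin boundaries, the likelihood-by-impact matrix and the sample register are constructed assumptions to be replaced by the organization's own scale, as the caution above requires; the roll-up per tier illustrates the "risk aggregate" concept defined earlier.

```python
# Semi-quantitative risk determination following the five-step "Conducting
# Assessment" flow. Bins and matrix are constructed for illustration (assumption).
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
BINS = [(0, 4), (5, 20), (21, 79), (80, 95), (96, 100)]  # score ranges per level
# RISK[likelihood_index][impact_index] -> risk level index (constructed matrix).
RISK = [
    [0, 0, 0, 1, 1],  # Very Low likelihood
    [0, 1, 1, 1, 2],  # Low
    [0, 1, 2, 2, 3],  # Moderate
    [0, 1, 2, 3, 4],  # High
    [0, 1, 2, 3, 4],  # Very High
]

@dataclass(frozen=True)
class ThreatEvent:          # Steps 1-2: threat event paired with a vulnerability
    name: str
    tier: int               # 1 organization, 2 business/function, 3 information system
    likelihood: int         # Step 3: 0..100, adjusted for the effect of existing controls
    impact: int             # Step 4: 0..100, magnitude taken from the BIA

def to_level(score: int) -> int:
    """Map a 0..100 score to its bin index (0 = Very Low .. 4 = Very High)."""
    for idx, (lo, hi) in enumerate(BINS):
        if lo <= score <= hi:
            return idx
    raise ValueError(f"score {score} is outside the 0..100 scale")

def determine_risk(event: ThreatEvent) -> str:
    """Step 5: risk is the matrix combination of Step 3 and Step 4."""
    return LEVELS[RISK[to_level(event.likelihood)][to_level(event.impact)]]

def aggregate(events: list[ThreatEvent]) -> dict[int, str]:
    """Risk aggregate: roll individual Tier 1/2/3 risks up to the worst level
    per tier so relationships across tiers are visible to decision makers."""
    worst: dict[int, int] = {}
    for ev in events:
        idx = LEVELS.index(determine_risk(ev))
        worst[ev.tier] = max(worst.get(ev.tier, 0), idx)
    return {tier: LEVELS[idx] for tier, idx in sorted(worst.items())}

# Constructed sample register (not real findings).
SAMPLE = [
    ThreatEvent("ransomware on file server", 3, 85, 90),
    ThreatEvent("vendor outage halts order processing", 2, 30, 60),
    ThreatEvent("retention rule change breaks archive", 1, 10, 85),
]
```

Calling determine_risk on each SAMPLE entry and aggregate(SAMPLE) gives High, Moderate and Low for the three events and {1: Low, 2: Moderate, 3: High} per tier.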
Communicate Result
• Determine the appropriate method of communication: format defined by the organization; executive briefings; presenting illustrative risk figures; risk assessment dashboards; sketch out the organization's prioritized risks.
• Communicate to the designated organizational stakeholders: identify the appropriate authority; ensure the right information reaches the right person at the right time; present contextual information in accordance with the risk strategy.
• Furnish evidence complying with organizational policies and guidelines: capture the appropriate analysis data supporting the result; include applicable supporting documents to convey the degree of the results; identify and document the sources of internal and external information.
Maintain Risk Posture
Identify key risk factors
• Monitor the key risk factors
• Document the variations
• Re-define the key risk factors
Define frequency of revisit
• Track the risk response as required
• Initiate the assessment when needed
• Communicate the results to organizational entities
Reconfirm the scope and assumptions
• Get the concurrence of scope and assumptions from the appropriate authorities
• Document the plan of action with respect to the risk response
Applications of Risk Assessment
Tier 1 – Organization
• Information risk strategy decisions
• Contribute to EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions
• Help risk response: avoid/accept/mitigate/transfer
• Investment decisions: ROSI (return on security investment), VaR (value at risk), ALE (annual loss expectancy)
Tier 2 – Functional/business
• Support EA (enterprise architecture) integration into SA
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements
Tier 3 – Information system
• Contribute to IS systems design decisions
• Support vendor/product decisions
• Support ongoing system operations authorizations
Risk Assessment in the RMF life cycle
1. Categorize: the initial risk assessment at Tier 1 supports strategic-level security categorization.
2. Select: categorization decides the security baseline, which in turn assists in appropriate control selection.
3. Implement: supports selective implementation based on identified vulnerabilities and predisposing conditions.
4. Assess: supports actual implementation risk reports in Tier 3 to reveal and assess the risk posture.
5. Authorize: furnishes risk-based decisions to the authority in all tiers.
6. Monitor: supports continuous improvement of risk management through Tier 3 assessments.
Organizational cultural effects on risk assessment
• Risk models differ based on priorities and tradeoffs with respect to the predisposing conditions of the organizational culture.
• Determination of risk factors, and whether they are valued with constant values or a qualitative approach, depends on the organizational culture.
• Determination of the risk assessment approach and the analysis approach depends on the organizational culture.
• The assessment and analysis approach may vary within an organization across different tiers.