ISO/IEC 27005:2008 – A New Standard for Security Risk Management
Organizations of all types are concerned with threats that could compromise information security. Managing this aspect is usually a primary concern for information technology (IT) departments. In this context, Information Security Risk Management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an Information Security Management System (ISMS). In fact, a systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective ISMS.
ISO/IEC 27005:2008, a new standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), describes the risk management process and its activities for information security, provides guidelines for Information Security Risk Management, and supports the general concepts specified in ISO/IEC 27001:2005. The ISO information security risk management process can be applied to the organization as a whole; to any discrete part of the organization (e.g. a department, a physical location, a service); to any information system; and to any existing, planned, or particular aspect of control (e.g. business continuity planning).
The information security risk management process consists of:
• Context Establishment: defines the boundary within which risk management takes place.
• Risk Analysis (Risk Identification & Estimation phases): evaluates the level of each risk.
• Risk Assessment (Risk Analysis & Evaluation phases): used to make decisions, taking into account the objectives of the organization.
• Risk Treatment (Risk Treatment & Risk Acceptance phases): reduces, retains, avoids or transfers the risks.
• Risk Communication: achieves agreement on how to manage risks by exchanging and/or sharing information about risk between the decision makers and other stakeholders.
• Risk Monitoring and Review: detects any changes in the context of the organization at an early stage, and maintains an overview of the complete risk picture.
Figure 1 - ISO/IEC 27005:2008 Risk Management Program
During the Context Establishment phase, all information about the organization relevant to the information security risk management context is established. This involves setting the basic criteria necessary for information security risk management (risk evaluation criteria, impact criteria, risk acceptance criteria, etc.), defining the scope and boundaries (all relevant assets, business objectives, business processes, strategies and policies, legal and regulatory requirements applicable to the organization, interfaces, etc.) and establishing an appropriate organization operating the information security risk management (roles and responsibilities).
The Risk Identification phase determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risk identified and determines the potential consequences. In particular, Risk Identification consists of the following activities:
• Assets Identification (within the established scope): performed at a level of detail that provides sufficient information for the risk assessment. The level of detail used in asset identification influences the overall amount of information collected during the risk assessment; it can be refined in further iterations of the risk assessment.
• Threats Identification: in this activity threats are identified generically and by type (e.g. unauthorized actions, physical damage, and technical failures). In this activity internal experience from incidents and past threat assessments should be considered.
• Controls Identification: identification of existing controls, together with a check that the controls are working correctly. Controls that are to be implemented according to the risk treatment implementation plans should be considered in the same way as those already implemented. Existing or planned controls can be identified by reviewing documents that describe the controls, checking with the people responsible for information security and with the users which controls are really implemented, conducting an on-site review of the physical controls, and reviewing the results of internal audits.
• Vulnerabilities Identification: identification of vulnerabilities that can be exploited by threats to cause harm to assets or to the organization.
• Consequences Identification: identification of damage or consequences to the organization that could be caused by an incident scenario. An incident scenario is the description of a threat exploiting a certain vulnerability or set of vulnerabilities in an information security incident. The impact of the incident scenarios is to be determined considering impact criteria defined during the context establishment activity.
Risk Estimation is the phase for assigning values to the probability and consequences of an identified risk. It consists of the following activities:
• Risk Estimation Methodologies: selection of the risk estimation methodology. It may be qualitative or quantitative, or a combination of these, depending on the circumstances. Qualitative estimation uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur. An advantage of qualitative estimation is its ease of understanding by all relevant personnel, while a disadvantage is its dependence on a subjective choice of scale. Quantitative estimation uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for consequences and likelihood, using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values and on the validity of the models used.
• Assessment of Consequence: assessment of the consequences or business impact upon the organization that might result from a possible or actual information security incident (taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets). Consequences may be expressed in terms of monetary, technical or human impact criteria, or other criteria relevant to the organization. In some cases, more than one numerical value is required to specify consequences for different times, places, groups or situations. The business impact value can be expressed in qualitative or quantitative form, but a method that assigns a monetary value generally provides more information for decision making and hence facilitates a more efficient decision making process.
• Assessment of Incident Likelihood: assessment of the likelihood of each incident scenario and its impact occurring, using qualitative or quantitative estimation techniques. This should take account of how often the threats occur and how easily the vulnerabilities may be exploited.
• Level of Risk Estimation: assignment of values (quantitative or qualitative) to the likelihood and the consequences of a risk. The estimated risk is a combination of the likelihood of an incident scenario and its consequences.
In the Risk Evaluation phase the level of risk is compared against the risk evaluation criteria and risk acceptance criteria defined during the context establishment phase. The risk evaluation criteria used to make decisions should be consistent with the defined external and internal information security risk management context and should take into account the objectives of the organization, the importance of the business process or activity supported by a particular asset or set of assets, stakeholder views, etc.
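The Risk Estimation and Risk Evaluation phases described above can be made concrete with a small risk register. The following Python script is an added example, not text or code from the standard: it estimates each incident scenario qualitatively (a Low/Medium/High likelihood combined with a Low/Medium/High consequence through a risk matrix) and quantitatively (an annual loss expectancy from an occurrence frequency and a monetary impact), then compares both against acceptance criteria. The 3x3 matrix, the thresholds, the scenarios and all monetary figures are constructed assumptions; a real organization defines its own scales and acceptance criteria during context establishment.

```python
"""Risk estimation and evaluation helper (added example, not from ISO/IEC 27005).

All scales, thresholds and scenario data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed qualitative scales: ordinal values so they can be combined.
LIKELIHOOD: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
CONSEQUENCE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}
RISK_ORDER: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# Constructed acceptance criteria, as they would be set at context establishment.
ACCEPTANCE_CRITERIA = {
    "max_qualitative": "Medium",   # qualitative levels above this are not accepted
    "max_ale": 20_000.0,           # annual loss expectancy above this is not accepted
}


@dataclass
class IncidentScenario:
    """A threat exploiting a vulnerability against an asset (constructed data)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str           # qualitative: Low / Medium / High
    consequence: str          # qualitative: Low / Medium / High
    annual_frequency: float   # expected occurrences per year (quantitative)
    monetary_impact: float    # estimated loss per occurrence (quantitative)


@dataclass
class RiskRecord:
    scenario: IncidentScenario
    qualitative_level: str
    annual_loss_expectancy: float
    acceptable: bool


def qualitative_risk(likelihood: str, consequence: str) -> str:
    """Combine likelihood and consequence with a constructed 3x3 risk matrix."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]  # 1..9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def annual_loss_expectancy(scenario: IncidentScenario) -> float:
    """Quantitative estimate: expected yearly loss = frequency * impact per event."""
    return scenario.annual_frequency * scenario.monetary_impact


def evaluate(scenarios: List[IncidentScenario], criteria=ACCEPTANCE_CRITERIA) -> List[RiskRecord]:
    """Estimate every scenario, compare it with the acceptance criteria and rank it.

    A risk is acceptable only if both the qualitative level and the ALE are
    within the criteria; the list is ordered highest risk first so that
    treatment decisions (reduce, retain, avoid, transfer) start with the worst.
    """
    records = []
    for s in scenarios:
        level = qualitative_risk(s.likelihood, s.consequence)
        ale = annual_loss_expectancy(s)
        acceptable = (RISK_ORDER[level] <= RISK_ORDER[criteria["max_qualitative"]]
                      and ale <= criteria["max_ale"])
        records.append(RiskRecord(s, level, ale, acceptable))
    records.sort(key=lambda r: (RISK_ORDER[r.qualitative_level], r.annual_loss_expectancy),
                 reverse=True)
    return records


def unacceptable(scenarios: List[IncidentScenario]) -> List[RiskRecord]:
    """Risks that exceed the acceptance criteria and therefore need treatment."""
    return [r for r in evaluate(scenarios) if not r.acceptable]


# Constructed sample register; names and figures are illustrative only.
SAMPLE_SCENARIOS = [
    IncidentScenario("Customer database", "unauthorized access", "missing security patches",
                     "High", "High", 0.5, 100_000.0),
    IncidentScenario("Office laptops", "theft", "no disk encryption",
                     "Medium", "Medium", 1.0, 8_000.0),
    IncidentScenario("Backup tapes", "fire", "tapes stored on site only",
                     "Low", "High", 0.25, 160_000.0),
    IncidentScenario("Internal wiki", "disk failure", "no redundancy",
                     "Low", "Low", 2.0, 500.0),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_SCENARIOS):
        status = "accept" if r.acceptable else "TREAT"
        print(f"{status:6} {r.qualitative_level:6} ALE={r.annual_loss_expectancy:>9.0f}  "
              f"{r.scenario.asset} / {r.scenario.threat} / {r.scenario.vulnerability}")
```

Note that the third scenario is rated only Medium qualitatively yet fails the quantitative criterion, which is why the standard lets the two estimation approaches be combined: a coarse qualitative scale can hide a large but infrequent loss that a monetary figure makes visible.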