Information security risk assessments
Lecture #3, Security in Organizations 2011
Eric Verheul
Literature
Main literature for this lecture:
1. The ISO 27005 standard
2. The NIST Special Publication 800-30: ‘Risk Management Guide for Information Technology Systems’ (see the SIO website)
Variants on ISO 2700*
Outline
• Recap on ISO 27001
• ISO 27001 requirements on the risk assessments and treatment (RAT) process
• The RAT process from ISO 27005
• The RAT process from NEN 7512 and NIST SP 800-30
• Risk assessments attention points and software tools
• Recap
• Case on electronic banking
Recap on information security
Recap
• ISO 27001 describes a ‘security management system’, a methodology to select and maintain security controls (from ISO 27002) based on risk assessments. This system is called an Information Security Management System (ISMS)
• Fundamental to ISO 27001 is that it considers IS as a continual improvement process and not as a product
• The ISMS scope is an important decision
• This process is known as the PDCA cycle; risk assessment is the engine in this cycle
• ISO 27001 leaves room for various implementations; getting a more secure organization instead of a ‘paper tiger’ is an attention point
• An organization’s ISO 27001 implementation can be formally certified
• We have seen an implementation based on the ‘combined approach’, based on assets clustered in information systems
Recap on information security
Recap: the combined approach (figure)
• Conducting a CIA-code Business Impact Analysis (BIA) separates critical from non-critical information systems
• Critical information systems: conducting Risk Assessment and Treatment (RAT)
• Non-critical information systems: apply baselines (baseline security)
• Example systems in the figure: Telephone, Treasury, CRM, Document management, Email, …, Billing, ERP
ISO 27001 requirements on the RAT process
Alternative definition of IS
• Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
Risk assessment (figure): Threat #1 … Threat #n on one side, Vulnerability #1 … Vulnerability #n on the other; the connections between a threat and a vulnerability it can exploit are the risk paths (scenarios / potential incidents).
Example: Customer Helpdesk
ISO 27001 requirements on the RAT process
Relevant ISO 27001 clauses
Clause 4.2.1 c): Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk. (Note: aka ‘risk appetite’)
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
There should be a documented methodology, and the risk appetite should be determined.
ISO 27001 requirements on the RAT process
Relevant ISO 27001 clauses
Clause 4.2.1 d): Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
The methodology should involve assets, threats, vulnerabilities and impacts.
ISO 27001 requirements on the RAT process
Relevant ISO 27001 clauses
Clause 4.2.1 e): Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1 c).
Prioritize risks and determine which need treatment.
Example: Risk Assessment, without baselines
Risk matrix with IMPACT on the vertical axis (Low to High) and PROBABILITY on the horizontal axis (Low to High):
• High impact, low probability (Medium Risk): Fire destroys telephones and computers
• High impact, high probability (High Risk): Insufficient staffing causes long waits for customers
• Low impact, low probability (Low Risk): Entry errors cause problems for customers (who then complain)
• Low impact, high probability (Medium Risk): Employee commits fraud
Example: Risk Assessment, with baselines
Same matrix (IMPACT vertical, PROBABILITY horizontal), with each scenario now naming the underlying vulnerability:
• High impact, low probability (Medium Risk): Fire destroys telephones and computers, and we have too little insurance covering that
• High impact, high probability (High Risk): As we have insufficient staff (and we enable this), this causes long waits for customers
• Low impact, low probability (Low Risk): Entry errors cause problems for customers (who then complain)
• Low impact, high probability (Medium Risk): We have insufficient access controls on the helpdesk system, enabling employees to commit fraud
ISO 27001 requirements on the RAT process
Relevant ISO 27001 clauses
Clause 4.2.1 f): Identify and evaluate options for the treatment of risks.
• Options: applying controls, accepting risks, avoiding risks, transferring risks to other parties
Clause 4.2.1 g): Select control objectives and controls for the treatment of risks.
Clause 4.2.1 h): Obtain management approval of the proposed residual risks.
Either accept, avoid or transfer risks, or select controls.
Example: Risk Response
Same matrix, now with the chosen response and treatment option per scenario:
• Fire destroys telephones and computers (Medium Risk): insure phones + computers (Transfer)
• Customer has a long wait (High Risk): hire enough people, freebies for long waits (Control)
• Entry errors (Low Risk): input validation (Control)
• Fraud (Medium Risk): ignore (Accept)
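The clauses 4.2.1 c) to h) above describe a pipeline: estimate a risk level per scenario, compare it with the risk appetite, prioritize, and record a treatment decision that management has approved. The following Python script is an added worked example (not part of the lecture slides or of ISO 27001 itself) that runs the customer helpdesk scenarios through that pipeline. The scenario names and the Low/Medium/High words come from the slides; the numeric scoring of the levels, the risk appetite of "Low", the register and the recorded decisions are constructed assumptions for illustration, and the three-level scale generalizes the two-level matrix on the slides.

```python
from dataclasses import dataclass

# Ordinal scale shared by impact, probability and the resulting risk level.
# The numeric scores are an assumption of this example; the slides use the
# words Low/High only.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Risk appetite (clause 4.2.1 c): risks at or below this level are acceptable
# without further treatment. Assumed value for the helpdesk example.
RISK_APPETITE = "Low"

# Treatment options from clause 4.2.1 f).
TREATMENT_OPTIONS = {"control", "accept", "avoid", "transfer"}


@dataclass
class Scenario:
    """One risk path (threat x vulnerability) with its estimated impact and probability."""
    name: str
    impact: str
    probability: str


def risk_level(impact: str, probability: str) -> str:
    """Map an (impact, probability) pair to a risk level, reproducing the 2x2
    slide matrix: both High -> High, both Low -> Low, otherwise Medium."""
    score = LEVELS[impact] * LEVELS[probability]
    if score >= 9:
        return "High"
    if score <= 1:
        return "Low"
    return "Medium"


def needs_treatment(level: str) -> bool:
    """Clause 4.2.1 e) 4): compare the estimated level with the risk appetite."""
    return LEVELS[level] > LEVELS[RISK_APPETITE]


def evaluate(scenarios):
    """Estimate every scenario and return them highest risk first, i.e. the
    prioritized list that the treatment step works through."""
    rows = []
    for s in scenarios:
        level = risk_level(s.impact, s.probability)
        rows.append({"name": s.name, "level": level, "treat": needs_treatment(level)})
    # sort() is stable, so scenarios with equal levels keep their register order
    rows.sort(key=lambda r: LEVELS[r["level"]], reverse=True)
    return rows


def check_treatment_plan(rows, decisions):
    """Cross-check management's decisions against the evaluation.
    decisions maps scenario name -> (option, approved_by_management).
    Returns a list of findings; an empty list means the plan is consistent
    with clauses 4.2.1 f) and h)."""
    findings = []
    for r in rows:
        option, approved = decisions.get(r["name"], (None, False))
        if option is None:
            if r["treat"]:
                findings.append(f"{r['name']}: above risk appetite but no treatment chosen")
        elif option not in TREATMENT_OPTIONS:
            findings.append(f"{r['name']}: unknown treatment option {option!r}")
        elif option == "accept" and r["treat"] and not approved:
            findings.append(f"{r['name']}: residual risk accepted without management approval")
    return findings


# Constructed register for the customer helpdesk example on the slides.
HELPDESK_REGISTER = [
    Scenario("Fire destroys telephones and computers", "High", "Low"),
    Scenario("Insufficient staffing causes long waits for customers", "High", "High"),
    Scenario("Entry errors cause problems for customers", "Low", "Low"),
    Scenario("Employee commits fraud", "Low", "High"),
]

# Decisions as on the 'Risk Response' slide; acceptance of the fraud risk is
# recorded together with the management approval that clause 4.2.1 h) asks for.
HELPDESK_DECISIONS = {
    "Fire destroys telephones and computers": ("transfer", True),
    "Insufficient staffing causes long waits for customers": ("control", True),
    "Entry errors cause problems for customers": ("control", True),
    "Employee commits fraud": ("accept", True),
}

if __name__ == "__main__":
    rows = evaluate(HELPDESK_REGISTER)
    for row in rows:
        print(f"{row['level']:<6} treat={row['treat']!s:<5} {row['name']}")
    print("findings:", check_treatment_plan(rows, HELPDESK_DECISIONS))
```

The point of `check_treatment_plan` is the reproducibility requirement of clause 4.2.1 c): once the scoring and the appetite are written down, a second assessor gets the same prioritized list, and a treatment plan that leaves a risk above appetite untreated, or accepts one without the approval clause 4.2.1 h) requires, is flagged mechanically rather than by inspection.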
The RAT process from ISO 27005
Main steps
1. Context establishment
2. Risk assessment
3. Risk estimation/evaluation
4. Risk treatment
5. Risk acceptance
6. Documentation/communication
7. Risk monitoring
Source: ISO 27005
The RAT process from ISO 27005
Main steps
1. Context establishment
• Determine legal requirements
• Determine scope and boundaries, e.g.: business process lifecycle, information system lifecycle
• Determine dependencies with other ‘systems’
The RAT process from ISO 27005
Allocating responsibilities (figure)
• RA scope: interconnected information systems
• Departments and their managers: Helpdesk (Manager #1), Invoicing dep. (Manager #2), Department #3 (Manager #3)
• Each department runs a business process (Business Process #1, #2, #3) that uses an information system (Information System #1, #2, #3); business information flows between the processes
• The business processes impose requirements on the information systems
• The information systems are connected through the Network, which in turn connects to the Internet
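The dependency step of context establishment ("determine dependencies with other ‘systems’") and the figure above together say that a requirement a process owner imposes on "his" information system does not stop there: the shared network and the Internet connection must satisfy the strictest requirement of everything that relies on them. The Python script below is an added example (not from the slides or from ISO 27005) of making that explicit. The dependency graph mirrors the figure; the CIA requirement values, the rule that a shared component inherits the maximum requirement of its dependants, and the bracketed department names are assumptions of the example.

```python
# Ordinal protection levels; the order matters, the numbers are an assumed scoring.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
ATTRIBUTES = ("C", "I", "A")

# Constructed dependency graph after the figure: node -> nodes it relies on.
DEPENDS_ON = {
    "Business Process #1 (Helpdesk)": ["Information System #1"],
    "Business Process #2 (Invoicing dep.)": ["Information System #2"],
    "Business Process #3 (Department #3)": ["Information System #3"],
    "Information System #1": ["Network"],
    "Information System #2": ["Network"],
    "Information System #3": ["Network", "Internet"],
    "Network": [],
    "Internet": [],
}

# CIA requirements imposed by the process owners (Managers #1-#3); sample values.
OWN_REQUIREMENTS = {
    "Business Process #1 (Helpdesk)": {"C": "High", "I": "Medium", "A": "Low"},
    "Business Process #2 (Invoicing dep.)": {"C": "Low", "I": "High", "A": "High"},
    "Business Process #3 (Department #3)": {"C": "Medium", "I": "Medium", "A": "Medium"},
}


def derived_requirements(depends_on, own):
    """Propagate requirements down the dependency chain: every node ends up
    with the maximum of its own requirement and the requirements of all nodes
    that (transitively) depend on it. Relaxation repeats until nothing changes;
    it terminates because levels only ever increase and are bounded by High."""
    result = {node: dict(own.get(node, {a: "Low" for a in ATTRIBUTES}))
              for node in depends_on}
    changed = True
    while changed:
        changed = False
        for node, deps in depends_on.items():
            for dep in deps:
                for attr in ATTRIBUTES:
                    if LEVELS[result[node][attr]] > LEVELS[result[dep][attr]]:
                        result[dep][attr] = result[node][attr]
                        changed = True
    return result


def who_depends_on(depends_on, target):
    """Transitive set of nodes relying on `target`: the parties whose
    requirements the custodian of `target` has to meet."""
    users, frontier = set(), [target]
    while frontier:
        current = frontier.pop()
        for node, deps in depends_on.items():
            if current in deps and node not in users:
                users.add(node)
                frontier.append(node)
    return users


if __name__ == "__main__":
    derived = derived_requirements(DEPENDS_ON, OWN_REQUIREMENTS)
    for node in ("Network", "Internet"):
        print(node, derived[node], "used by:", sorted(who_depends_on(DEPENDS_ON, node)))
```

Running it shows the Network ending up at High for all three attributes although no single process asked for that, and the Internet link inheriting only Department #3's Medium requirements: the custodian of a shared component has to be told whose requirements it carries, which is what `who_depends_on` lists.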
The RAT process from ISO 27005
Main steps
1. Context establishment
2. Risk assessment
• Identify assets (= familiarize with system)
• Identify threats
• Relate actual security incidents
• Identify vulnerabilities
• Relate existing controls (baselines in our setting)
• Determine consequences (potential incidents)
Threats may be of natural or human origin.
The RAT process from ISO 27005
‘Natural’ threat examples (figure; source: BSI IT-Grundschutz-Catalogues)
The RAT process from ISO 27005
‘Human’ threat examples, not exhaustive (figure; source: NIST SP 800-30)
The RAT process from ISO 27005
Vulnerability examples (figure; source: ISO 27005)
The RAT process from ISO 27005
Vulnerability examples
Alternatively, one can directly relate vulnerabilities to the 11 ISO 27002 chapters.
Table columns: H (chapter number), ISO 27002 (chapter title), Example topics.
5  Security Policy
6  Organization of Information Security
7  Asset Management
8  Human Resources Security
9  Physical and Environmental Security
10 Communications and Operations Management
11 Access Control
12 Information Systems Acquisition, Development and Maintenance
13 Information Security Incident Management
14 Business Continuity Management
15 Compliance