Many of us who work in Information Security see risk as a negative thing. But risk is an essential part of a business. From ISO/IEC 31000: Risk is the effect of uncertainty on an objective. An effect is a deviation from the expected, positive and/or negative.
Risk Standards
- ISO/IEC 31000 - Risk Management Principles and Guidelines
- ISO/IEC 27005 - Information Technology - Security Techniques - Information Security Risk Management
- NIST SP800-39 - Managing Information Security Risk
- COBIT 5 for Risk
- NIST SP800-30 Rev 1 - Guide for Conducting Risk Assessments
- HTRA - Harmonized Threat and Risk Assessment
Risk Management begins with:
- Knowing what has to be protected
  - Identification of assets
  - Determining asset value
- Understanding the risk culture of the organization
  - Risk acceptance
  - Risk tolerance
Risk Relative to Information Security Management
Information Security Risk is a potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Three levels of risk: Strategic risk <-> Business risk <-> Information system risk
Implementation of Risk Management
- Obtain mandate and commitment from the management
- Design a risk management framework
- Understand the organization
  - Unique requirements
- Implement risk management
- Monitor and review the risk framework
- Continuously improve the risk framework
Elements of Risk Management
- Policy - states what the organization considers most important
- Resources - people, budget
- Accountability - who is the owner of the risk
- Integration into business processes - embedding a risk culture into the business processes
- Reporting structure - risk register, risk assessment report, audit report
Risk management works effectively when it is implemented based on a framework adapted to the needs of the organization and consistently applied.
Risk Management Terminologies
- Assets - an item or property of value to its owner
  - Tangible - e.g. cash or money
  - Intangible - e.g. reputation, name, morale
- Asset Value - the value of an asset is often affected by both internal and external factors
  - Value to business operations - example: the effect of a hard drive failure on the business
  - Liability - a breach or loss of data would be critical
  - Value to an adversary - company information could be valuable to competitors
- Intellectual Property (IP) - patents, trademarks, copyrights, trade secrets
- IT Assets - a major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems
- Threats - any circumstance or event with the potential to adversely impact:
  - organizational operations,
  - organizational assets,
  - individuals,
  - other organizations, or
  - the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
- Threat Source - element which alone, or in combination, has the potential to give rise to risk
- Vulnerability - a weakness that could be exploited by a threat source, in:
  - an information system
  - system security procedures
  - internal controls
  - implementation
- Impact - outcome of an event
- Likelihood - chance of something happening
- Residual Risk - risk that remains after risk treatment (after mitigating the risk down to an acceptable level)
- Risk Acceptance - the level of risk that management is willing to tolerate
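To tie the terms above together (asset, threat, vulnerability, likelihood, impact, residual risk, risk acceptance), here is an added example of a small risk register, not code from the notes or from any of the standards listed. The 1-5 qualitative scales, the likelihood x impact scoring and the "control reduces likelihood" model are assumptions for illustration, and the register entries are constructed.

```python
from dataclasses import dataclass

# Assumed qualitative scale (not from the notes): 1 = very low ... 5 = very high
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class RiskEntry:
    asset: str                  # what has to be protected
    threat: str                 # circumstance/event that could cause harm
    vulnerability: str          # weakness the threat source could exploit
    likelihood: str             # chance of the threat exploiting the vulnerability
    impact: str                 # outcome if it does
    control_effectiveness: float = 0.0  # 0.0 = no treatment, 1.0 = fully mitigated (assumed model)

    def inherent_risk(self) -> int:
        """Risk before any treatment: likelihood x impact (assumed scoring)."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_risk(self) -> float:
        """Risk remaining after treatment; the control is assumed to reduce likelihood only."""
        reduced_likelihood = SCALE[self.likelihood] * (1.0 - self.control_effectiveness)
        return round(reduced_likelihood * SCALE[self.impact], 2)


def decision(entry: RiskEntry, risk_acceptance: float) -> str:
    """Compare residual risk to the level management is willing to tolerate."""
    return "accept" if entry.residual_risk() <= risk_acceptance else "treat further"


def build_register(entries: list[RiskEntry], risk_acceptance: float) -> list[tuple]:
    """Risk register rows (asset, inherent, residual, decision), highest residual risk first."""
    rows = [(e.asset, e.inherent_risk(), e.residual_risk(), decision(e, risk_acceptance)) for e in entries]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample entries for demonstration only
SAMPLE_ENTRIES = [
    RiskEntry("customer database", "external attacker", "unpatched web application",
              "high", "very high", control_effectiveness=0.75),
    RiskEntry("backup tapes", "theft in transit", "unencrypted media stored off-site",
              "low", "high"),
    RiskEntry("company reputation", "public data leak", "no incident communication plan",
              "moderate", "high", control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES, risk_acceptance=6.0):
        print(row)
```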