SIG-ISM has published a white paper on risk management.
A reference to ISO 27001 chapter 5 (Leadership) should be added here, specifically detailing how the organization addresses risk responsibilities and residual risks.
ISO 27000 definitions
The terms most commonly used in the risk assessment process
Adverse event or incident (threat, risk element)
An event that might affect safety in a negative way
Vulnerability
Weakness in a system, process, human or a building that could be exploited by a threat
Probability
A measure of how often an incident occurs
Consequence (of injuries)
Consequence is the impact of an event. It can affect finances, reputation (including personal reputation), life and health, or critical functions, or lead to prosecution
Risk
Risk is a measure that combines the probability and consequences of an event.
Why should we carry out a risk assessment?
- Maintain confidence in a system or service
- Comply with legal obligations
- Maintain quality of service
- Maintain an overview of information assets
- Protect employees, students and citizens
- Help protect critical infrastructure
- Learn and share knowledge among the participants in a risk assessment workshop
Risk assessment methodology
When we undertake a risk assessment we:
- Identify adverse events, i.e. events that can breach the confidentiality, integrity or availability of information assets
- Assess the risk - probability combined with consequence - for each adverse event
- Evaluate and manage risks by proposing safeguards or controls that mitigate them
Roles and responsibilities
- Risk owner
- Risk assessment facilitator
- ++
Risk assessment process
The risk assessment process can be divided into the following activities:
1. Mapping of information assets. Value assessment. Business impact assessment
2. Identify existing safeguards and control measures
3. Identification of risk elements
4. Assessment of risk level (consequence and probability)
5. Controls in relation to risk elements
6. Categorization and prioritization of controls
7. Approval of controls
8. Risk treatment. Implementation and follow-up of controls
Activities 2 to 5 are usually carried out in a risk assessment workshop.
Participants
List of possible participants in a risk assessment workshop:
- Management (defining risk appetite)
- Information Security Manager/Officer
- Risk owners / Asset owners
- Risk assessment facilitator
Risk treatment and residual risk
Description of process
Risk treatment plan
- A description of the risk to be reduced and the controls to implement.
- Rationale for the choice of controls and their expected effects
- Who is responsible for approving the plan
- Who is responsible for implementing the controls
- Activities related to implementation
- Targets, performance criteria and delimitations in relation to the controls
- Reporting and monitoring requirements
- Plan and timeframes
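The following is an added worked example of the assessment and treatment activities described above (risk scoring, prioritization of controls, and the residual risk left for the risk owner to accept). It is illustrative code written for this page, not SIG-ISM or WISE material. The 1-5 likelihood and impact scales, the risk appetite threshold, the scoring model (likelihood times impact, controls reducing ordinal levels) and the sample risk inventory are all constructed assumptions; an organization would substitute its own scales from its likelihood and impact examples.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed 1-5 ordinal scales (assumption; replace with the organization's own).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Constructed risk appetite set by management: scores at or below this are accepted.
RISK_APPETITE = 6


@dataclass
class Control:
    """A proposed safeguard and the effect it is expected to have on the risk."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: int = 1  # relative implementation cost, used for prioritization


@dataclass
class Risk:
    """One adverse event against one information asset (a risk register row)."""
    asset: str
    event: str
    owner: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk level before treatment: probability combined with consequence."""
        return self.likelihood * self.impact

    def residual_levels(self):
        """Likelihood and impact after all proposed controls; levels never drop below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual_levels()
        return lik * imp


def risk_level(score: int) -> str:
    """Band a score against the risk appetite (bands are constructed for illustration)."""
    if score <= RISK_APPETITE:
        return "accept"
    if score <= 12:
        return "treat"
    return "treat urgently"


def prioritise_controls(risk: Risk) -> List[Control]:
    """Activity 6: order controls by expected score reduction per unit of cost."""
    def benefit_per_cost(c: Control) -> float:
        lik = max(1, risk.likelihood - c.likelihood_reduction)
        imp = max(1, risk.impact - c.impact_reduction)
        return (risk.inherent_score() - lik * imp) / c.cost
    return sorted(risk.controls, key=benefit_per_cost, reverse=True)


def treatment_plan(register: List[Risk]) -> List[dict]:
    """Build treatment plan rows, highest inherent risk first, with residual risk."""
    rows = []
    for r in sorted(register, key=Risk.inherent_score, reverse=True):
        rows.append({
            "asset": r.asset,
            "event": r.event,
            "risk_owner": r.owner,
            "inherent": r.inherent_score(),
            "inherent_level": risk_level(r.inherent_score()),
            "controls": [c.name for c in prioritise_controls(r)],
            "residual": r.residual_score(),
            # Residual risk within appetite is accepted by the risk owner; anything
            # still above it goes back for further treatment rather than being signed off.
            "residual_accepted": r.residual_score() <= RISK_APPETITE,
        })
    return rows


# Constructed sample register: assets, events, owners and controls are illustrative.
SAMPLE_REGISTER = [
    Risk("student records DB", "unauthorised disclosure via stolen credentials",
         "Registrar", likelihood=4, impact=5,
         controls=[Control("multi-factor authentication", likelihood_reduction=2, cost=2),
                   Control("database encryption at rest", impact_reduction=1, cost=3)]),
    Risk("campus web server", "defacement via unpatched CMS", "Web team",
         likelihood=3, impact=2,
         controls=[Control("monthly patch cycle", likelihood_reduction=2, cost=1)]),
    Risk("research file share", "ransomware encrypts data", "Research IT",
         likelihood=3, impact=4,
         controls=[Control("offline backups", impact_reduction=2, cost=2),
                   Control("email attachment filtering", likelihood_reduction=1, cost=1)]),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
```

Running the block lists each risk with its inherent level, the controls in priority order and the residual score; in the sample register the student records risk stays above appetite even after both controls, which is exactly the residual risk the plan must document and the risk owner must explicitly decide on rather than silently accept.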
Risk areas
- The organization's ownership of ICT
- Information security policy and guidelines
- Organization of information security
- Resources
- Expertise, skills and safety culture
- Employee safety
- Architecture
- Work processes
- Roles and responsibilities
- Establishment and maintenance of portfolio
- Innovation
- Decision-making on ICT investments
- Acquisition, development and maintenance of ICT systems / services
- Quality assurance
- Supplier relations
- Handling of information assets
- Access control
- Operation and management
- Infrastructure
- Software
- Data communication security
- Cryptography
- Malware and logical attacks
- Social engineering
- Theft or destruction
- Disloyal employees
- Physical and environmental areas
- Geopolitical conditions
- Handling of information security incidents
- Continuity plans
- Compliance with laws, rules and agreements
- Communication
Tools/Aids
- White paper on risk management
- Risk assessment spreadsheet
- WISE - Risk Management Template
- Examples of likelihood (Probability)
- Examples of impact (consequences)
- Overview of risk areas
- Risk inventory
1 Comment
Øivind Høiem
Future work: Add a list of "common" risks for NRENs