Risk Management (ISO 27005) - IT Governance - CEN 667

Upload: vothu

Post on 26-Apr-2018


Page 1: Risk Managament (ISO 27005) - BHSEARCH.COMkemal.bhsearch.com/.../2012/11/09_Risk-Managament-ISO-27005.pdf · Week 10 Risk Managament (ISO 27005) ... the controls from ISO / IEC 27002

Risk Management (ISO 27005)

IT Governance

CEN 667


Project proposal (week 4)

• The goal of the projects is to find applicable measurement and metric methods to improve processes:

– For the 27000 series of standards, 27001 and 27004 – Adnan Dzelihodzic
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery – Emil Mujevic
– For Penetration testing – Dino Keco
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication – Emir Kremic
– Mobile security access with speech recognition – Ercan Gokgoz
– Other, agreed with the lecturer

• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for the conference paper
• Weekly report on updates


State of Project (week 10)

• Literature review on the selected topic - between 500 and 1000 words

• Proposal for improvements of the chosen method, approach or technique - up to 2000 words

• List of references

• Document prepared in two columns, as it should be prepared for the conference paper

• Weekly report on updates

#  Topic                                              | Candidate         | Literature review | 1st draft | Proposed corrections week 9
1  27000 series of standards 27001 and 27004 metrics  | Adnan Dzelihodzic | YES               | YES       |
2  Disaster Recovery                                  | Emil Mujevic      | NO                | NO        | available 1st draft
3  Penetration testing                                | Dino Keco         | YES               | YES       |
4  Secure method for visual authentication            | Emir Kremic       | YES               | YES       |
5  Mobile security access with speech recognition     | Ercan Gokgoz      | YES               | YES       |
6  Neural Network-based Misuse Detection Systems      | Selcuk Cankurt    | YES               |           |


Lectures Schedule

Week     Topic

Week 1   Introduction to IT governance
Week 2   Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3   Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4   ITIL
Week 5   Business Continuity and BS 25999-1 and BS 25999-2
Week 6   Disaster Recovery
Week 7   COBIT
Week 8   Project implementation (ISO 10006 and ISO 27003)
Week 9   Midterm
Week 10  Risk Management (ISO 27005)
Week 11  Application and Network Security and security testing
Week 12  Specific Requirements and Controls Implementation (ISO 27002)
Week 13  Operational and Security Incident management
Week 14  Performance Measurement and Metrics (ISO 27004)
Week 15  Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle


Risk management approaches

• Qualitative

• Quantitative

• Risk treatment

– Risk reduction

– Risk retention

– Risk avoidance

– Risk transfer

– Risk acceptance


Risk Assessment

• Objective

• The procedure defines the responsibilities, method and procedure used to assess risks to the confidentiality, integrity and availability of:
– information;
– information supplied by clients; and
– client related information created, processed, stored and transmitted in the fulfilment of the organisation's services.
– It applies also to all other resources (dependency assets) necessary for creating, processing, storing and transmitting the information defined above.

• The information described above, together with the dependency assets, constitute the 'Information Assets' which are the subject of this procedure.

• The procedure applies to all processes and activities covered by the Scope of the Information Security Management System (ISMS).


Procedures

• Identification of Processes
From the Scope of the ISMS, the processes and their interrelationships are identified.

• Identification of Information Assets
Each process owner produces an Asset Survey for each of the processes for which they have responsibility. These Asset Surveys identify the information assets for the process. The assets are classified under the following headings:
– Electronic Information;
– Non-electronic Information;
– Environment / Infrastructure;
– Hardware;
– Software;
– Physical;
– People;
– Services.


• The information assets are grouped under these headings such that information assets within a group will have common vulnerabilities and threats. This grouping saves considerable effort in the Risk Assessment process.

• Valuation of Information Assets
The process owner defines the value of each information asset identified, in terms of its importance to the process, or to the organisation generally in meeting the objectives of the organisation. The perceived value is rated as:
– Very High
– High
– Medium
– Low


• The information assets values are reviewed again later in the process (see: 'Impact' below). This initial valuation is carried out for the purpose of filtering out any information assets which are not considered to have any significant influence on the processes to which they relate, nor seen as specifically important to the client nor the organisation.

• All the information assets identified from the surveys are collated into a Master Asset List. A sub-list is produced from this, to standardise naming and remove duplicate assets. These rationalised information assets are transferred to a template which is used for the assessment of risks.

• The Security Forum may define a cut off level for information asset value, below which, information assets will not be included in the Risk Assessment process. In this case, the Risk Assessment template is copied and revised by deleting those information assets below the value threshold.

• The Master Asset List is retained for future Risk Assessments.
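The asset-collation steps above (Asset Surveys into a Master Asset List, a rationalised sub-list with standardised names and duplicates removed, and a Security Forum value cut-off) are shown end to end in the following Python script. This is an added example, not code from the lecture or from ISO 27005; the sample survey entries, the rule that a duplicated asset keeps the higher of two values, and the cut-off level "Medium" are constructed assumptions.

```python
from dataclasses import dataclass

# Asset value ratings from the procedure, ranked so a cut-off can be applied.
VALUE_RANK = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Classification headings used by the Asset Surveys.
HEADINGS = {
    "Electronic Information", "Non-electronic Information",
    "Environment / Infrastructure", "Hardware", "Software",
    "Physical", "People", "Services",
}


@dataclass(frozen=True)
class SurveyedAsset:
    process: str   # process whose owner surveyed the asset
    name: str      # name exactly as the process owner wrote it
    heading: str   # one of HEADINGS
    value: str     # Very High / High / Medium / Low


def standardise_name(name: str) -> str:
    """Canonical form used for de-duplication: trimmed, lower-cased, single spaces."""
    return " ".join(name.strip().lower().split())


def collate_master_list(surveys):
    """Collate every survey entry into the Master Asset List (kept unchanged for future assessments)."""
    master = []
    for survey in surveys:
        for asset in survey:
            if asset.heading not in HEADINGS:
                raise ValueError(f"unknown asset heading: {asset.heading!r}")
            master.append(asset)
    return master


def rationalise(master):
    """Produce the sub-list: one entry per (heading, standardised name).
    Where two processes rate the same asset differently the higher value is
    kept; this tie-break is an assumption, the slides only say duplicates are removed."""
    merged = {}
    for asset in master:
        key = (asset.heading, standardise_name(asset.name))
        current = merged.get(key)
        if current is None or VALUE_RANK[asset.value] > VALUE_RANK[current.value]:
            merged[key] = asset
    return list(merged.values())


def apply_cut_off(assets, cut_off):
    """Remove assets valued below the Security Forum's cut-off level."""
    return [a for a in assets if VALUE_RANK[a.value] >= VALUE_RANK[cut_off]]


# Constructed sample surveys from two process owners (not real data).
SAMPLE_SURVEYS = [
    [  # "Order handling" process
        SurveyedAsset("Order handling", "Customer database", "Electronic Information", "Very High"),
        SurveyedAsset("Order handling", "Web shop server", "Hardware", "High"),
        SurveyedAsset("Order handling", "Printed delivery notes", "Non-electronic Information", "Low"),
    ],
    [  # "Support" process lists the same database under an untidy name
        SurveyedAsset("Support", "customer  database ", "Electronic Information", "High"),
        SurveyedAsset("Support", "Ticketing application", "Software", "Medium"),
        SurveyedAsset("Support", "Office generator", "Environment / Infrastructure", "Low"),
    ],
]


def build_assessment_template(surveys=SAMPLE_SURVEYS, cut_off="Medium"):
    """Run the steps in order and return the assets that enter the Risk Assessment template."""
    master = collate_master_list(surveys)
    rationalised = rationalise(master)
    return apply_cut_off(rationalised, cut_off)


if __name__ == "__main__":
    for asset in build_assessment_template():
        print(f"{asset.heading:28} {asset.name:25} {asset.value}")
```

Running the script leaves three assets in the template: the customer database (merged from two surveys, valued Very High), the web shop server and the ticketing application; the two Low-valued assets are dropped by the cut-off but remain in the Master Asset List.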


• The Risk Assessment template is now used for the Risk Assessment by completing the fields as follows:

• Identification of Vulnerabilities
For each group of information assets, their vulnerabilities are listed. Vulnerabilities are a function of design (i.e. inherent weaknesses), or a result of a failure to conform to the design specification, or a result of situation.

• Identification of Threats
For each group of vulnerabilities, possible threats by which the vulnerabilities may be exposed, exploited or occasioned are listed. The lists of threats are then consolidated by removing duplicated threats within each classification (i.e. within each worksheet of the Risk Assessment template).

• Probabilities
Perceived probabilities (likelihood) of each threat exposing, exploiting or occasioning a vulnerability are estimated.
Note: Probability is time dependent and therefore rules need to be defined for estimating probability.


• Ratings for probability are documented in the risk assessment workbook using 4 values as follows, where 1 is certainty and 0 is impossibility:

• Probability Rating

• Impact
As stated under Valuation of Information Assets above, values are reviewed in terms of the impact in the event of loss of confidentiality, integrity and availability. Confidentiality, integrity and availability will not necessarily be relevant for each threat. The perceived impacts are documented in the Risk Assessment template using the following values:
– Critical
– High
– Medium
– Low
– Not Applicable


• Classifications of Impacts from Threats

• Confidentiality

• Low E.g. publicly available – no impact.

• Medium E.g. internal use in the organisation by any employee or authorised external use – appreciable impact.

• High E.g. confidential – significant impact on the organisation, clients, suppliers or other interested parties.

• Critical E.g. strictly confidential - commercial, political or military sensitivity – very significant impact (could have legal implications e.g. for personal data/information).

• Integrity

• Low Unauthorised damage or modification is not critical to business / operational applications - negligible impact.

• Medium Unauthorised damage or modification is not critical to business / operational applications - minor impact.

• High Unauthorised damage or modification is not critical but noticeable to business / operational applications - significant impact.

• Critical Unauthorised damage or modification is critical to business / operational applications - major impact and may lead to serious or total failure of the application, total shutdown of operations, or closure of the organisation or its clients.

• Availability

• Acceptable time for diminished or total unavailability.

• Low 12-48 hours.

• Medium Less than 12 hours.

• High 1-3 hours.

• Critical Less than 1 hour for total unavailability (acceptable limits for diminished availability should be defined by Service Level Agreement).


• Identification of Risk Risk is considered as a function of the Impact and the Probability of the threat.

• Risks are considered separately for confidentiality, integrity and availability. Consideration may be given to time to restore as a mitigating influence of a risk on availability. Perceived risks are documented in the risk assessment workbook as: – Critical – High – Medium – Low

• The risks are established from the following table:


The risk definitions are:

• Critical Risk
Presents imminent danger. The likelihood that a vulnerability will be exposed, exploited or occasioned is very high and could cause considerable impact. Requires immediate attention.

• High Risk
Requires increased attention since the likelihood that a vulnerability will be exposed, exploited or occasioned is high.

• Medium Risk
The potential exists for a vulnerability to be exposed, exploited or occasioned but presents no anticipated danger.

• Low Risk
Exposure, exploitation or occasioning of a vulnerability is unlikely and would cause minor impact to the organisation, clients or suppliers.
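The risk-identification step described above (risk as a function of impact and probability, assessed separately for confidentiality, integrity and availability, with availability impact derived from the acceptable unavailability time, and the High Order Risks selected for the Security Forum report) is worked through in the following Python script. It is an added example, not the lecture's material. The transcript does not reproduce the four probability values or the risk look-up table, so the rating labels, their numeric values and the whole RISK_TABLE are assumptions; the availability boundaries are also an assumption chosen so that the slide's bands (Low 12-48 h, Medium less than 12 h, High 1-3 h, Critical less than 1 h) do not overlap. The worksheet rows are constructed sample data.

```python
# Four probability ratings on the scale where 0 is impossibility and 1 is
# certainty. Labels and numbers are assumed; the slides only say four values are used.
PROBABILITY_RATINGS = {"Very Low": 0.1, "Low": 0.3, "High": 0.6, "Very High": 0.9}

# Impact and risk ratings from the procedure, lowest to highest.
IMPACT_LEVELS = ("Low", "Medium", "High", "Critical")
RISK_LEVELS = ("Low", "Medium", "High", "Critical")

# Assumed risk look-up table, indexed RISK_TABLE[impact][probability column];
# the slides refer to a table that the transcript does not reproduce.
RISK_TABLE = {
    "Low":      ("Low",    "Low",    "Medium",   "Medium"),
    "Medium":   ("Low",    "Medium", "Medium",   "High"),
    "High":     ("Medium", "Medium", "High",     "Critical"),
    "Critical": ("Medium", "High",   "Critical", "Critical"),
}


def availability_impact(acceptable_hours: float) -> str:
    """Impact rating from the acceptable time of total unavailability.
    Assumed non-overlapping boundaries: <1 h Critical, 1-3 h High, 3-12 h Medium, >=12 h Low."""
    if acceptable_hours < 1:
        return "Critical"
    if acceptable_hours <= 3:
        return "High"
    if acceptable_hours < 12:
        return "Medium"
    return "Low"


def risk_level(impact: str, probability: str):
    """Risk as a function of impact and probability; None when the dimension is Not Applicable."""
    if impact == "Not Applicable":
        return None
    column = list(PROBABILITY_RATINGS).index(probability)
    return RISK_TABLE[impact][column]


def assess_threat(impacts, probability):
    """Risk per C/I/A dimension for one threat; impacts maps 'C'/'I'/'A' to an impact rating."""
    return {dim: risk_level(imp, probability) for dim, imp in impacts.items()}


# Constructed worksheet rows: (threat, asset group, C/I/A impacts, probability rating).
WORKSHEET = [
    ("Ransomware encrypts file shares", "Electronic Information",
     {"C": "High", "I": "Critical", "A": availability_impact(2)}, "High"),
    ("Power failure in server room", "Environment / Infrastructure",
     {"C": "Not Applicable", "I": "Low", "A": availability_impact(0.5)}, "Low"),
    ("Printed notes left on a desk", "Non-electronic Information",
     {"C": "Medium", "I": "Not Applicable", "A": "Low"}, "Very Low"),
]


def high_order_risks(worksheet=WORKSHEET, threshold="High"):
    """Rows for the Security Forum report: threats with any C/I/A risk at or above the threshold."""
    floor = RISK_LEVELS.index(threshold)
    report = []
    for threat, group, impacts, probability in worksheet:
        risks = assess_threat(impacts, probability)
        rated = [r for r in risks.values() if r is not None]
        worst = max(rated, key=RISK_LEVELS.index, default=None)
        if worst is not None and RISK_LEVELS.index(worst) >= floor:
            report.append((threat, group, worst, risks))
    return report


if __name__ == "__main__":
    for threat, group, worst, risks in high_order_risks():
        print(f"{worst:8} {group:30} {threat}  {risks}")
```

With the constructed rows, the ransomware threat rates Critical (driven by its integrity impact) and the power failure rates High (its confidentiality dimension is Not Applicable, so only integrity and availability count); the printed-notes threat stays Low and is left out of the report. Swapping in the organisation's own probability values and risk table changes only the two dictionaries at the top.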


Identification of Controls

• Although not part of the Risk Assessment, it is convenient to identify at this stage the controls from ISO / IEC 27002 that may be used to mitigate the risks from the listed threats. The controls are rationalised and shown once for each classification (i.e. within each work page of the Risk Assessment template).

• Report to Security Forum
A summary report of the Risk Assessment is provided to the Security Forum. The Risk Assessment identifies the Threats that are considered to pose the greatest risks (High Order Risks) to the information assets and hence defines where most attention needs to be focused for Risk Management.

• Monitoring and Review
The responsibility for the upkeep of the asset identification and perceived valuation remains with the process owners, who review the situation regularly and especially when any significant changes are made to the business processes.

• Additionally, risks need to be re-assessed in the event of changes in legislation and regulation.

• Changes in organisational structure may result in changes to process ownership. Handover of responsibilities includes acceptance of the Risk Assessment Procedure for any inherited processes.


Thank you
