CSS 8
Introduction
This lesson begins with a brief section on what IT security requirements are. It is followed by a
detailed look at what risk assessment is. Risk management in the context of information
security risk management is addressed subsequently and the two standards associated with
risk management - ISO 27005 and ISO 31000 - are mentioned and a comparison between
these two standards is included. Some parts of this lesson are quoted from the standards and
the tone of the language could get somewhat legal!
https://vimeo.com/214472708/7fa0731ade
IT security requirements
Security requirements that describe more concretely what must be done to assure the security
of a system and its data are typically required.
http://www.opensecurityarchitecture.org/cms/
Open Security Architecture (OSA) suggests that four different security requirement types
should be distinguished:
Functional security requirements: These are security services that need to be achieved by
the system under inspection. Examples could be authentication, authorisation, backup,
server clustering, etc. This requirement artefact can be derived from best practices,
policies, and regulations.
http://shop.bsigroup.com/upload/Standards%20&%20Publications/publications/BIP0076-Ch...
Risk assessment
Risk assessment is a term used to describe the overall process or method to:
Identify hazards and risk factors that have the potential to cause harm (hazard
identification).
Analyse and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).
Determine appropriate ways to eliminate the hazard, or control the risk when the hazard
cannot be eliminated (risk control).
A risk assessment is a thorough look at the workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyse and evaluate how likely and severe the risk is. When this determination is made, you
can next decide what measures should be in place to effectively eliminate or control the harm
from happening.
Risk assessment is a systematic examination of a task, job or process that is carried out at
work for the purposes of identifying the significant hazards and the risk of someone being
harmed, and of deciding what further control measures you must take to reduce the risk to an
acceptable level.
The objective of a risk assessment is to understand the existing system and environment, and
to identify risks through analysis of the information/data collected. By default, all relevant
information should be considered, irrespective of storage format. Several types of information
that are often collected include:
Physical assets, such as hardware, including those in the data centre, network and
communication components and peripherals (e.g. desktop, laptop, PDAs)
Operating systems, such as PC and server operating systems, and network management
systems
Security systems in use, such as access control mechanisms, change control, antivirus,
spam control and network monitoring
The scope of an enterprise security risk assessment may cover the connection of the internal
network with the Internet, the security protection for a computer centre, a specific
department’s use of the IT infrastructure or the IT security of the entire organisation. Thus, the
corresponding objectives should identify all relevant security requirements, such as protection
when connecting to the Internet, identifying high-risk areas in a computer room or assessing
the overall information security level of a department. The security requirements should be
based on business needs, which are typically driven by senior management, to identify the
desired level of security protection. A key component of any risk assessment should be the
relevant regulatory requirements, such as Sarbanes-Oxley, Health Insurance Portability and
Accountability Act (HIPAA), the US Gramm-Leach-Bliley Act and the European Data Protection
Directive.
The typical tasks that are performed in a security assessment for an organisation are listed
below. Depending upon the requirements of the organisation, the relevant tasks are selected.
Identify business needs and changes to requirements that may affect overall IT and
security direction
Analyse assets, threats and vulnerabilities, including their impacts and likelihood
Assess physical protection applied to computing equipment and other network components
Conduct technical and procedural review and analysis of the network architecture,
protocols and components to ensure that they are implemented according to the security
policies
Review and check the configuration, implementation and usage of remote access systems,
servers, firewalls and external network connections, including the client Internet connection
Review current level of security awareness and commitment of staff within the organisation
Mapping threats to assets and vulnerabilities can help identify their possible combinations.
Each threat can be associated with a specific vulnerability, or even multiple vulnerabilities.
Unless a threat can exploit a vulnerability, it is not a risk to an asset. The combinations of the
tasks must be reduced before performing a risk analysis; those that are either not feasible or
The following report presents a qualitative risk analysis framework. Summarise the process in
the discussion forum.
https://pdfs.semanticscholar.org/3743/6a533bcbcd1bb42000383eae445840e5cefc.pdf
Organisations perform IT enterprise security risk assessments to assess, identify and modify
their overall security posture and to enable security, operations, organisational management
and other personnel to collaborate and view the entire organisation from an attacker’s
perspective. This process is required to obtain organisational management’s commitment to
allocate resources and implement the appropriate security solutions.
A comprehensive enterprise security risk assessment also helps determine the value of the
various types of data generated and stored across the organisation. Without valuing the
Asset identification: Identify the key system assets (or services) that have to be protected
Exposure assessment: Assess the potential losses associated with each asset
Threat identification: Identify the most probable threats to the system assets
Attack assessment: Decompose threats into possible attacks on the system and the ways
that these may occur
Control identification: Propose the controls that may be put in place to protect an asset
Feasibility assessment: Assess the technical feasibility and cost of the controls
Once the assets, threats and vulnerabilities are identified, it is possible to determine the impact
and likelihood of security risks. Figure 8.03 illustrates the functional flow and relationships
between each of these activities.
Included in the process are impact assessment and likelihood assessment. Impact assessment
is used interchangeably with the terms impact analysis and consequence assessment. The
impact on revenues, profits, cost, service levels, regulations and reputation is quantifiable. It
is necessary to consider the level of risk that can be tolerated and how, what and when assets
could be affected by such risks. The more severe the consequences of a threat, the higher the
risk.
Figure 8.04 illustrates a template for evaluating the risk using a risk matrix. The green dotted
boxed portion is the risk portion of the matrix. The likelihood of the occurrence and the
potential impact determine the overall impact. For example, a Highly unlikely occurrence with a
severity of Harmful will be Tolerable, whereas a Likely occurrence, which is Extremely Harmful
will be Intolerable. A similar approach is used to determine the impact of the threats on the
vulnerabilities in security devices and information system components (Figure 8.05). The
numbers in the boxed green area give a relative risk estimate and the total score provides the
overall risk estimate of the threats to the IT system in the entire organisation.
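To make two points of this lesson concrete, namely that a threat is only a risk to an asset when it can exploit one of that asset's vulnerabilities, and that a likelihood/severity matrix of the Figure 8.04 kind turns each surviving threat-vulnerability-asset combination into a rating whose scores can be totalled into an overall estimate (Figure 8.05), here is an added Python example. It is not part of the lesson or of the standards and reports it cites. The full 3x3 matrix and the numeric score per rating are assumptions chosen to agree with the two cells the text states (Highly unlikely + Harmful = Tolerable; Likely + Extremely harmful = Intolerable), and the assets, threats and vulnerabilities are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product

# Scales from the lesson's Figure 8.04 template. Only two cells of the matrix
# are stated in the text; the remaining ratings below are an assumption.
LIKELIHOOD = ("Highly unlikely", "Unlikely", "Likely")
SEVERITY = ("Slightly harmful", "Harmful", "Extremely harmful")

RISK_MATRIX = {
    "Highly unlikely": {"Slightly harmful": "Trivial",
                        "Harmful": "Tolerable",
                        "Extremely harmful": "Moderate"},
    "Unlikely": {"Slightly harmful": "Tolerable",
                 "Harmful": "Moderate",
                 "Extremely harmful": "Substantial"},
    "Likely": {"Slightly harmful": "Moderate",
               "Harmful": "Substantial",
               "Extremely harmful": "Intolerable"},
}

# Assumed relative score per rating, so totals can be formed as in Figure 8.05.
RATING_SCORE = {"Trivial": 1, "Tolerable": 2, "Moderate": 3,
                "Substantial": 4, "Intolerable": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: frozenset   # vulnerability identifiers present on the asset
    severity: str                # exposure assessment: harm if the asset is compromised


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset          # vulnerabilities this threat is able to exploit
    likelihood: str


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    rating: str
    score: int


def rate(likelihood: str, severity: str) -> str:
    """Look up the qualitative rating for one likelihood/severity pair."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"unknown scale value: {likelihood!r}/{severity!r}")
    return RISK_MATRIX[likelihood][severity]


def map_risks(assets, threats):
    """Pair every threat with every asset vulnerability, keeping only the
    combinations the threat can actually exploit; the rest are not risks."""
    risks = []
    for asset, threat in product(assets, threats):
        for vuln in sorted(asset.vulnerabilities):
            if vuln not in threat.exploits:
                continue
            rating = rate(threat.likelihood, asset.severity)
            risks.append(Risk(asset.name, threat.name, vuln, rating, RATING_SCORE[rating]))
    return risks


def total_score(risks) -> int:
    """Sum of relative scores: the overall risk estimate for the system."""
    return sum(r.score for r in risks)


def risks_at_or_above(risks, minimum="Substantial"):
    """Filter to the combinations that need treatment first."""
    floor = RATING_SCORE[minimum]
    return [r for r in risks if r.score >= floor]


# Constructed sample register (not from the lesson).
SAMPLE_ASSETS = (
    Asset("customer-db-server", frozenset({"unpatched-os", "weak-admin-password"}),
          "Extremely harmful"),
    Asset("print-server", frozenset({"unpatched-os"}), "Slightly harmful"),
)
SAMPLE_THREATS = (
    Threat("external-attacker", frozenset({"unpatched-os", "weak-admin-password"}), "Likely"),
    # A power failure exploits a missing UPS, which no sample asset has,
    # so it yields no risk entries here.
    Threat("power-failure", frozenset({"no-ups"}), "Unlikely"),
)


def demo():
    """Run the sample register through the matrix; returns (risks, total)."""
    risks = map_risks(SAMPLE_ASSETS, SAMPLE_THREATS)
    for r in risks:
        print(f"{r.asset:20} {r.threat:18} {r.vulnerability:20} {r.rating:12} {r.score}")
    print("total score:", total_score(risks))
    return risks, total_score(risks)


if __name__ == "__main__":
    demo()
```

Running the script prints one line per surviving combination and the total. Note that the filtering step happens before any rating is applied: the power-failure threat never reaches the matrix because no listed asset carries the vulnerability it exploits, which is exactly the reduction of combinations the lesson asks for before the risk analysis proper.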
Information is the valuable meaning or knowledge that we derive from data; in other words,
it is the content of computer files, paperwork, conversations, expertise, intellectual property
and so forth.
The term management implies someone proactively identifying, assessing, evaluating and
dealing with risks on an on-going basis, along with related governance aspects such as
direction, control, authorisation and resourcing of the process.
The overall approach to information risk management is similar to that relating to the topics
discussed in this lesson so far. Figure 8.06 illustrates the four essential steps in information
risk management. It illustrates (“External obligations”) the various inputs to each stage as well
as the need to fulfil statutory compliance with industry standards (such as PCI-DSS, HIPAA,
etc.). Notice that the changes (if and when needed) impact every step in the process.
The first stage of the process is to identify potential information risks. Several factors or
information sources feed into the “identify” step, including:
Threats: The actors (insiders and outsiders) and natural events that might cause incidents
if they acted on vulnerabilities causing impacts.
Assets: Specifically information assets, in particular valuable information content but also,
to a lesser extent, the storage vessels, computer hardware, etc.
Impacts: The harmful effects of incidents and calamities affecting assets, damaging the
organisation and its business interests, and often third parties.
Advisories, standards etc.: The relevant warnings and advice put out by myriad
organisations such as CERT, the FBI, ISO/IEC, journalists, technology vendors, as well as
information risk and security professionals (our social network).
The “evaluate risks” stage involves considering/assessing all that information in order to
determine the significance of various risks, which in turn drives priorities for the next stage. The
organisation’s appetite or tolerance for risks is a major concern here, reflecting corporate
strategies and policies as well as the broader cultural drivers and personal attitudes of the
people engaged in risk management activities.
“Treat risks” means avoiding, mitigating, sharing and/or accepting them. This stage involves
both deciding what to do and doing it (implementing the risk treatment decisions).
“Handle changes” might seem obvious but it is called out on the diagram due to its
importance. Information risks are constantly in flux, partly as a result of the risk treatments, and
partly due to various other factors both within and outside the organisation. Handling changes is
an important and continually relevant component of the process, since it keeps the assessment of
risks aligned with changing organisational/business requirements.
http://securitycn.com/img/uploadimg/20070924/183844756.pdf
ISO 27005
ISO/IEC 27005 is a heavyweight standard. The standard provides a number of annexes with
examples and further information for users.
The standard doesn't specify, recommend or even name any specific risk management
method. It does, however, imply a continual process consisting of a structured sequence of
activities, some of which are iterative:
Establish the risk management context (e.g. the scope, compliance obligations,
approaches/methods to be used, and relevant policies and criteria such as the
organisation’s risk tolerance or appetite).
Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share
[with third parties]) the risks appropriately, using those “levels of risk” to prioritise them.
Monitor and review risks, risk treatments, obligations and criteria on an on-going basis,
identifying and responding appropriately to significant changes.
The second edition of ISO/IEC 27005 was published in 2011. It reflects the general corporate
or enterprise-wide risk management standard ISO 31000:2009, “Risk management - Principles
and guidelines”, in the specific context of risks to or involving information.
Risks affecting organisations can have consequences in terms of economic performance and
professional reputation, as well as environmental, safety and societal outcomes. Therefore,
managing risk effectively helps organisations to perform well in an environment full of
uncertainty.
ISO 31000:2009, titled “Risk management - Principles and guidelines”, provides principles,
framework and a process for managing risk. It can be used by any organisation regardless of
its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of
achieving objectives, improve the identification of opportunities and threats, and allocate and
use resources effectively for risk treatment.
However, ISO 31000 cannot be used for certification purposes, although it does provide
guidance for internal or external audit programmes. Organisations using it can compare their
risk management practices with an internationally recognised benchmark, providing sound
principles for effective management and corporate governance.
Both standards are guidelines for risk management. Figure 8.09 illustrates the commonality
between the two standards in terms of risk management. Notice the similarity of terms as well
as the similarity of the process. The difference is in the scope. In short, ISO 31000 is a
superset of ISO 27005.
The ISO 27005 standard “provides guidelines for information security risk management” and
“supports the general concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk management approach.”
ISO 31000 provides principles, a framework and a process for managing risks. It gives
consideration to all types of risks, unlike the aforementioned 27005, which is specific to
information security risks. ISO 27005 presents the guidelines for the risk management
evaluation and implementation as per the requirements of ISO 27001 standard, which relates
to information security management systems (ISMS). It establishes that risk management best
practices should be defined in accordance with the characteristics of the organisation, taking
into account the scope of its ISMS, the risk management context, as well as its industry.
According to the framework described in this standard for implementing the requirements of
ISMS, several different methodologies may be used; in the appendix of the document different
approaches to risk management, as it relates to information security, are introduced.
ISO 31000 is a set of guidelines for designing, implementing and maintaining risk management
throughout an organisation, with an emphasis on ERM (enterprise risk management). The
scope of this approach to risk management is to enable all strategic, management and
operational tasks of an organisation throughout projects, functions and processes to be aligned
to a common set of risk management objectives. It serves as a master standard for each and
every risk management standard. Because of its general context, it provides overall guidelines
to any area of risk management (e.g. finance, engineering and security, among others).
Although most organisations already have a defined methodology in place to manage risks,
this new standard defines a set of principles that must be followed in order to ensure the
effectiveness of risk management. It suggests that companies should continually develop,
implement, and improve a framework whose goal is to integrate the process for managing risks
Summary
In the course of this lesson, you have received a fair idea of risk assessment and its role in risk
management. It is a key activity upon which most security requirements are based; in fact, the
entire set of security requirements are derived from the results of risk assessment and are
implemented as security controls. You noticed that the two standards ISO 27005 and ISO
31000 address organisational risk and are fairly similar in nature. The terms, activities and
tasks are similar and they differ only in their scope of application. In that sense, ISO 27005 is
IT specific whereas ISO 31000 is generic in its approach.
The following link provides a sample risk assessment report for a fictitious company.
Summarise the various steps involved in identifying the threats and vulnerabilities and plan a
risk assessment strategy.
https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/sampleriskassessmentre...
Essential reading
Bahtit, H., and Regragui, B., 2013. Risk management for ISO27005 decision support
[online]. International Journal of Innovative Research in Science, Engineering and
Technology. Available at:
https://pdfs.semanticscholar.org/5692/f8f8bad1bdc09e52a8f464565d59ca64dfef.pdf
[Accessed 26/01/2017].
Derock, A., Hebrard, P., and Vallée, F., 2010. Convergence of the latest standards
addressing safety and security for information technology [online]. Online proceedings of
Embedded Real Time Software and Systems (ERTS2 2010), Toulouse, France (May
2010). Available at: http://web1.see.asso.fr/erts2010/Site/0ANDGY78/Fichier/PAPIERS%2
0ERTS%202010/ERTS201... [Accessed 26/01/2016].
Further reading
De Bruijn, W., Spruit, M.R., and Van Den Heuvel, M., 2010. Identifying the cost of security
[online]. Journal of Information Assurance and Security, 5 (1). Available at:
https://pdfs.semanticscholar.org/41e8/fead50aca0ff87bc71699401c839de6047cc.pdf
[Accessed 26/01/2017].
Spremić, M., 2012. Corporate IT risk management model: A holistic view at managing
information system security risks [online]. Information Technology Interfaces (ITI),
References
Canadian Centre for Occupational Health and Safety. Risk assessment [online]. Available
at: https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html [Accessed
26/01/2017].
Schmittling, R., and Munns, A., 2010. Performing a security risk assessment [online].
ISACA. Available at:
https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Ris...
[Accessed 26/01/2017].
http://www.opensecurityarchitecture.org/cms/
http://shop.bsigroup.com/upload/Standards%20&%20Publications/publications/BIP0076-Ch...
https://pdfs.semanticscholar.org/3743/6a533bcbcd1bb42000383eae445840e5cefc.pdf
http://securitycn.com/img/uploadimg/20070924/183844756.pdf
https://itsecurity.uiowa.edu/sites/itsecurity.uiowa.edu/files/sampleriskassessmentre...