Information systems risk assessment frame workisraf 130215042410-phpapp01
Information Systems RiskAssessment Framework(ISRAF)(Addendum of NIST 800-39 information systems riskmanagement and revision of NIST SP 800 30 ) Prepared by S. Periyakaruppan (PK)
Need of Addendum/ Revision ? Ensure converged & integrated process Address the challenges in traditional approach Adaptive & Modular working model of information systems risk assessment. Improve the organizations risk based decision. Bring in value addition to business
Should It get transformed ? ! Why To make risk management an integral part of business and project management, IT Life cycle management. TO facilitate with practical approach to address risk. To Evolve business aligned approach. TO tailor down the model of domain agnostic approach.
Does it need a Model/Framework ?? Evolve descriptive process and systematic thinking. Emerging business demand and process convergence Enhance communication among functional entities. Invoke result oriented approach Predict results in the systematic model !!!!!!! ???
Assessing risk – What & Why To identify the potential opportunity of a probable consequence of an adverse impact due to a weakness in the information systems. To support business with risk based decision. To identify external and internal threat exposures to an organization from nation and another organization, vice versa. To monitor the on-going risk exposure of the organization. To observe the effectiveness of information security program. To assist with Metrics for information security program management. ???????
Assessing risks - When During architecture development –( Org,process & Information system) During functional and business systems integration. During all phases of SDLC (Systems acquisition and development life cycle) During acquisition of new security or business/function solution. During modification of mission critical/business critical systems. During third party vendor/product acquisition. During decommissioning of systems/functions/groups of the organization
Risk framing Model ??? Determine the uncertainty of the risk and associated risk constraints. Define the risk tolerance and priority, and tradeoffs. Determine the set of risk factors, assessment scale and associated algorithm for combing factors Assist in precise risk communication and sketch out boundaries of information system authorization. Enhance the risk decision with appropriate information. Incorporate de-duplication in hierarchical risk management model. Determine the context of the entire risk assessment process/assessment/approach.
The Model/Framework Frame (CONTEXT) Tier 1 Tier 2Tier 3 The Frame work addresses comprehensive risk management function in a hierarchical approach and leverage context centric approach.
The Focus Assess Respond MonitorRisk Assessment is a key element of riskmanagement Risk Assessment process in modular approach. Preparation checklist. Activity checklist. Protocol to maintain appropriate result of risk assessments. Method of communicating risk results across organization.
Risk – Key concepts Risk aggregate consolidation of individual Tier1/Tier2/Tier3 risks in to a cumulative risks to identify relationship among risks at various levels. Threat shifting the dynamic variation on threat source in response to the perceived countermeasures. Residual risk Tolerable risk remain post the mitigation to an exten possible to reduce the level of adverse impact to the organization. Adversarial risk Risk that has an adverse effect by adversarial threats. Adversarial threats Threat has an intrinsic characteristics of direc adverse impact. – Ex., business operation interruption. Non-adversarial threats Threats has no direct or immediate effect of a threat impact. – Ex., Exposure of system errors, competitive intelligence gathering.
Risk – Key Factors Threat Event Possible adverse impact through a potential circumstances/event to organization from national and another organization, vice versa. Threat source The intend and the method of exploitation or attack vector. Likelihood The Probability of a threat become reality. Vulnerability Flaw in an information system that can lead to a potential threat. Adverse Impact The negative consequences /damage leads to potential impact to the business / organization/ nation by the consequences of an exercised vulnerability Predisposing condition The existing and known lack of controls/ in adequate countermeasures as part of available solution. Risk Measure/ Unit of the extent to which an entity is threaten by a potential circumstances.
Conducting Assessment Identify Threat source and Step 1 Intent,Target,Capability events Capability of adversaries Range of effects Identify vulnerabilities and pre- Step 2 Effect of existing disposing conditions controls Intentional/accidental flaw /weakness in Determine likelihood of Step 3 system/process Occurrence Depends on the degree of Step 1 and the effect Determine Magnitude of Step 4 of Step 2 Impact Result of BIA Depends on effective Step 5 BCP/DR Determine Risk MTTR/MTBF RTO/RPORisk Combination of Step 3 andStep 4
Method of Risk AnalysisThreat oriented Vulnerability Asset/Impact• Identify threat source oriented Oriented and event • Identify pre-disposing • Identify• Developing Threat conditions mission/business scenario and model • Identify exploitable critical assets• Identify vulnerabilities vulnerabilities • Analyze the in context of threats • Identify threats related consequences of the to the known/open adversarial threat vulnerabilities event • Identify vulnerabilities to the threat events/scenario of critical assets with severe adverse impact.
Method of Risk Assessments • Objective oriented assessment • Using non-numerical values to define risk factors Qualitative • Likelihood and impact with definite value based on individual expertise • Subjective oriented approach • Using numerical values to define risk factors Quantitative • Likelihood and impact with definite number based on history of events. • Contextual analysis and result oriented approach • Using Bin values (numerical range) with uniqueSemi Quantitative meaning and context. • Likelihood and impact derived with range of numerical values with degree of unique context
Sample Assessment ScaleQualitative Quantitative Semi Qualitative Caution: The assessment scales and its descriptive meanings are subject to vary between organization to organization and with in organization discretion to the organizational culture and its policies and guidelines
Communicate Result Communicate to the Furnish evidence Determine the designated comply with appropriate method of organizational organizational policies communication stakeholders & GuidelinesFormat defined by Identify appropriate Capture appropriateorganization. authority. analysis data supportExecutive briefings Ensure right the result.Presenting information reach right Include applicableIllustrative risk figures person at right time. supporting documentsRisk Assessment Present contextual to convey the degreeDashboards information in of resultsOut sketch the accordance with risk Identify andorganizational strategy document the sourceprioritized risk of internal and external information.
Maintain Risk Posture Reconfirm the Identify Key Risk Define Frequency scope and factors of revisit assumptions• Monitor the key • Track the risk • Get the risk factors response as concurrence of• Document the required scope and variations. • Initiate the assumptions• Re-define the assessment from appropriate key risk factors when needed authorities • Communicate • Document the the results to plan of action organizational with respect to entities the risk response.
Applications of RiskAssessment Information Risk Strategy decisions Contribute EA design decisions IS Policy/Program/Guidance decisions Common Control/Security Standards decisions. Help risk response – Avoid/Accept/Mitigate/Transfer Investment decisions – ROSI(Returns Of Security Investments)/VAR(value at Risk)/ALE(Annual Loss Expectancy) Support EA(Enterprise Architecture) integration in to SA. Assist in business/function information continuity decisions Assist in business process resiliency requirements Contribute IS systems design decisions Supports vendor/product decisions Supports on-going system operations authorizations
Organizational cultural effects on Risk assessment Risk models differ based on priorities and tradeoffs with respect to the pre-disposing condition of organizational culture Determination of risk factors and valuation of risk factors to constant values or qualitative approach depends on organizational culture Determination of risk assessment approach and analysis approach depends on organizational culture. Assessment and analysis approach may vary with in organization in different tiers.