Information Systems Risk Assessment Framework (ISRAF) (Addendum to NIST SP 800-39 information systems risk management and revision of NIST SP 800-30). Prepared by S. Periyakaruppan (PK)
Need for an addendum/revision?
Should it get transformed? Why?
Does it need a model/framework?
Assessing risk – what and why?
Assessing risk – when?
Risk framing model?
The Model/Framework: Frame (Context) – Tier 1, Tier 2, Tier 3. The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
The Focus: Assess, Respond, Monitor. Risk assessment is a key element of risk management. The risk assessment process in a modular approach:
• Preparation checklist.
• Activity checklist.
• Protocol to maintain appropriate results of risk assessments.
• Method of communicating risk results across the organization.
Risk – Key concepts
Risk – Key Factors
Assessing Risk – High-Level Process: Step 1, Step 2, Step 3, Step 4
Prepare for Assessment
Conducting Assessment
• Step 1 – Identify threat sources and events: intent, target, capability; capability of adversaries; range of effects.
• Step 2 – Identify vulnerabilities and predisposing conditions: intentional/accidental flaw or weakness in system/process; effect of existing controls.
• Step 3 – Determine likelihood of occurrence: depends on the degree of Step 1 and the effect of Step 2.
• Step 4 – Determine magnitude of impact: result of the BIA; depends on effective BCP/DR, MTTR/MTBF, RTO/RPO.
• Step 5 – Determine risk.
Method of Risk Analysis
Threat oriented:
• Identify threat source and event
• Develop threat scenario and model
• Identify vulnerabilities in the context of threats
Vulnerability oriented:
• Identify predisposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities
Asset/Impact oriented:
• Identify mission/business critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact.
Method of Risk Assessments
Qualitative:
• Objective oriented assessment
• Using non-numerical values to define risk factors
• Likelihood and impact with a definite value based on individual expertise
Quantitative:
• Subjective oriented approach
• Using numerical values to define risk factors
• Likelihood and impact with a definite number based on the history of events.
Semi-Quantitative:
• Contextual analysis and result oriented approach
• Using bin values (numerical ranges) with unique meaning and context
• Likelihood and impact derived from a range of numerical values with a degree of unique context
Sample Assessment Scales: Qualitative, Quantitative, Semi-Quantitative. Caution: the assessment scales and their descriptive meanings vary from organization to organization and within an organization, at the discretion of the organizational culture and its policies and guidelines.
Communicate Result
Determine the appropriate method of communication:
• Format defined by the organization.
• Executive briefings.
• Presenting illustrative risk figures.
• Risk assessment dashboards.
• Sketch out the organizational prioritized risk.
Communicate to the designated organizational stakeholders:
• Identify the appropriate authority.
• Ensure the right information reaches the right person at the right time.
• Present contextual information in accordance with the risk strategy.
Furnish evidence of compliance with organizational policies and guidelines:
• Capture appropriate analysis data supporting the result.
• Include applicable supporting documents to convey the degree of results.
• Identify and document the source of internal and external information.
Maintain Risk Posture
Identify key risk factors:
• Monitor the key risk factors
• Document the variations
• Re-define the key risk factors
Define frequency of revisit:
• Track the risk response as required
• Initiate the assessment when needed
• Communicate the results to organizational entities
Reconfirm the scope and assumptions:
• Get the concurrence of scope and assumptions from appropriate authorities
• Document the plan of action with respect to the risk response.
Applications of Risk Assessment
• Information risk strategy decisions
• Contribute to EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions
• Help risk response – avoid/accept/mitigate/transfer
• Investment decisions – ROSI (Return on Security Investment) / VAR (Value at Risk) / ALE (Annual Loss Expectancy)
• Support EA (Enterprise Architecture) integration into SA
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements
• Contribute to IS systems design decisions
• Support vendor/product decisions
• Support on-going system operations authorizations
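As an added example (not part of the ISRAF deck or of NIST SP 800-30), the following Python puts numbers behind two of the slides above: the semi-quantitative method (binning 0-100 scores into named levels and combining likelihood with impact) and the ALE/ROSI investment figures. The bin edges and the 5x5 risk matrix are constructed for illustration, and the ALE and ROSI formulas are the usual textbook definitions, not scales taken from the deck.

```python
"""Semi-quantitative risk scoring and loss-expectancy figures (added example).

Assumptions (constructed, not the deck's own scales):
- likelihood and impact are each scored 0..100 and binned into five levels;
- overall risk is read from a 5x5 likelihood x impact matrix;
- ALE = SLE * ARO and ROSI = (ALE_before - ALE_after - cost) / cost.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Upper edge of each bin on the 0..100 score (constructed example scale).
BIN_UPPER = [4, 20, 79, 95, 100]
# Rows = likelihood level, columns = impact level (constructed example matrix).
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],        # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],             # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],      # likelihood Very High
]

def to_level(score: int) -> str:
    """Map a 0..100 semi-quantitative score onto its named bin."""
    if not 0 <= score <= 100:
        raise ValueError("score must be in 0..100")
    for upper, name in zip(BIN_UPPER, LEVELS):
        if score <= upper:
            return name
    return LEVELS[-1]

def risk_level(likelihood: int, impact: int) -> str:
    """Combine binned likelihood and impact into an overall risk level."""
    row = LEVELS.index(to_level(likelihood))
    col = LEVELS.index(to_level(impact))
    return RISK_MATRIX[row][col]

@dataclass(frozen=True)
class LossScenario:
    sle: float  # single loss expectancy, in currency units
    aro: float  # annualised rate of occurrence, events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE * ARO."""
        return self.sle * self.aro

def rosi(before: LossScenario, after: LossScenario, control_cost: float) -> float:
    """Return on security investment as a ratio; > 0 means the control pays back."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    return (before.ale - after.ale - control_cost) / control_cost
```

The ROSI figure feeds the avoid/accept/mitigate/transfer decision: a control whose ratio stays at or below zero costs more than the loss it removes.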
Risk Assessment in the RMF Life Cycle (six-step cycle diagram)
Organizational cultural effects on Risk assessment