ISO 27005 Risk Assessment

What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.

Transcript

  • 1. Risk Assessment as per ISO 27005
    Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist
    WWW.SMART-RA.COM. SMART-RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
  • 2. What is Risk Assessment?
    – NIST SP 800-30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
    – OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.
    – ISO 27005: Risk Assessment = Identification, Estimation and Evaluation.
  • 3. Why Risk Assessment? Regulatory Compliance
    Standard / Risk Assessment Requirement:
    – PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800-30, OCTAVE, etc.
    – HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
    – FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
    – ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.
    – Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST...
  • 4. Why Risk Assessment? Business Rationale
    Function / Explanation:
    – Return on Investment: A structured RA methodology follows a systematic and pre-defined approach, minimizes the scope of human error, and emphasizes process-driven rather than human-driven activities.
    – Budget Allocation: Assists in controls cost planning and justification.
    – Controls: Cost and effort optimization by optimizing controls selection and implementation.
    – Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
  • 5. What is IS-RA?
    Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.
    "IF YOU CAN'T MEASURE IT ... YOU CAN'T MANAGE IT!"
  • 6. Reality Check
    – ISRA – a need more than a want
    – Each organization has its own ISRA
    – ISRA learning curve
    – Cumbersome – 1000 assets, 20 worksheets
    – Two months' effort
    – Complicated report
  • 7. Exercise
    – Threat Scenarios
    – Threat Profiles to be filled.
  • 8. Risk Assessment reference points
    – OCTAVE
    – NIST SP 800-30
    – ISO 27005
    – COSO
    – Risk IT
    – ISO 31000
    – AS/NZS 4360
    – FRAP
    – FTA
    – MEHARI
  • 9. ISO 27005 Introduction
    – ISO 27005 is an Information Security Risk Management guideline.
    – Lays emphasis on the ISMS concept of ISO 27001:2005.
    – Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
    – Provides a RA guideline and does not recommend any RA methodologies.
    – Applicable to organizations of all types.
  • 10. ISO 27005 Workflow
    – Advocates an iterative approach to risk assessment.
    – Aims at balancing time and effort with controls efficiency in mitigating high risks.
    – Proposes the Plan-Do-Check-Act cycle.
    Source: ISO 27005 Standard
  • 11. ISO 27005 Risk Assessment
    Information Security Risk Assessment = Risk Analysis + Risk Evaluation
    Risk Analysis = Risk Identification + Risk Estimation
    1. Risk Identification: risk characterized in terms of organizational conditions.
    – Identification of Assets: assets within the defined scope.
    – Identification of Threats: based on incident reviewing, asset owners, asset users, external threats, etc.
  • 12. ISO 27005 Risk Assessment Contd.
    – Identification of Existing Controls: also check if the controls are working correctly.
    – Identification of Vulnerabilities: vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
    – Identification of Consequences: the impact of loss of CIA of assets.
    2. Risk Estimation: specifies the measure of risk.
    – Qualitative Estimation
    – Quantitative Estimation
    Risk Evaluation:
    – Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
  • 13. ISO 27005 RA Workflow
    – Step 1: General Description of ISRA
    – Step 2: Risk Analysis: Risk Identification
    – Step 3: Risk Analysis: Risk Estimation
    – Step 4: Risk Evaluation
  • 14. Step 1 – General Description of ISRA
    Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.
    Action: Identify, Describe (quantitatively or qualitatively) and Prioritize Risks.
    Output: Assessed risks prioritized according to Risk Evaluation Criteria.
  • 15. Step 2 – Risk Analysis: Risk Identification – Identification of Assets
    Input: Scope and Boundaries; Asset owners; Asset Location; Asset function.
    Action: Assets are defined.
    Output: List of Assets; List of associated business processes.
  • 16. Step 2 – Risk Analysis: Risk Identification – Identification of Threats
    Input: Threat Information from Review of Incidents, Asset Owners, Asset Users, etc.
    Action: Threats are defined.
    Output: Threats; Threat source; Threat type.
  • 17. Step 2 – Risk Analysis: Risk Identification – Identification of Existing Controls
    Input: Existing and planned controls; RTP.
    Action: Existing and planned controls are defined.
    Output: Documentation of controls; Implementation status; Usage status.
  • 18. Step 2 – Risk Analysis: Risk Identification – Identification of Vulnerabilities
    Input: Identified Assets; Identified Threats; Identified Existing Controls.
    Action: Vulnerabilities are identified.
    Output: Vulnerabilities related to assets, threats, controls; Vulnerabilities not related to any threat.
  • 19. Step 2 – Risk Analysis: Risk Identification – Identification of Consequences
    Input: Assets and business processes; Threats and vulnerabilities.
    Action: The impact of the loss of CIA is identified.
    Output: Incident scenarios with their consequences related to assets and business processes.
  • 20. Step 3 – Risk Analysis: Risk Estimation – Risk Estimation Methodologies
    (a) Qualitative Estimation: High, Medium, Low
    (b) Quantitative Estimation: $, hours, etc.
  • 21. Step 3 – Risk Analysis: Risk Estimation – Assessment of Consequences
    Input: Assets and business processes; Threats and vulnerabilities; Incident scenarios.
    Action: The business impact from information security incidents is assessed.
    Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
  • 22. Step 3 – Risk Analysis: Risk Estimation – Level of Risk Estimation
    Input: Incident scenarios with their consequences; Their likelihood (quantitative or qualitative).
    Action: Level of risk is estimated for all relevant incident scenarios.
    Output: List of risks with value levels assigned.
  • 23. Step 4 – Risk Evaluation
    Input: Risks with value levels assigned and risk evaluation criteria.
    Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
    Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
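Steps 3 and 4 above (estimate a level of risk for each incident scenario, then prioritize and compare against the evaluation and acceptance criteria) are easier to see in a small script. The following is an added example and is not part of the presentation or of SMART-RA: the three-point scale, the 3x3 matrix, the acceptance thresholds and the incident scenarios are constructed assumptions, not values taken from ISO 27005. It combines both estimation methodologies from slide 20, a qualitative High/Medium/Low level and a quantitative annualized loss in $.

```python
"""ISO 27005 Steps 3 and 4 as code: estimate a level of risk per incident
scenario (qualitatively and quantitatively), then rank the risks and compare
each against acceptance criteria.  Added example; the scale, matrix and
sample scenarios below are constructed assumptions."""
from dataclasses import dataclass

# Assumed ordinal scale for the qualitative estimation (slide 20a).
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class IncidentScenario:
    """Output of Step 2 (slide 19): an asset, a threat, the vulnerability the
    threat exploits, plus the likelihood and consequence from Step 3."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # qualitative: Low / Medium / High
    consequence: str           # qualitative: Low / Medium / High
    annual_rate: float         # quantitative: expected incidents per year
    loss_per_incident: float   # quantitative: $ loss per incident


def qualitative_level(likelihood, consequence):
    """Level of risk from a constructed 3x3 matrix: the two ordinal scores are
    summed (2..6) and mapped to a Low/Medium/High band."""
    score = SCALE[likelihood] + SCALE[consequence]
    if score <= 3:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def quantitative_level(annual_rate, loss_per_incident):
    """Annualized loss expectancy in $ (slide 20b style estimate)."""
    return annual_rate * loss_per_incident


def estimate(scenarios):
    """Step 3 (slide 22): list of risks with value levels assigned."""
    return [
        {
            "scenario": s,
            "level": qualitative_level(s.likelihood, s.consequence),
            "ale": quantitative_level(s.annual_rate, s.loss_per_incident),
        }
        for s in scenarios
    ]


def evaluate(risks, acceptance_level="Low", acceptance_ale=5_000.0):
    """Step 4 (slide 23): rank by qualitative level then ALE (the evaluation
    criteria), and flag as accepted only the risks at or below BOTH acceptance
    thresholds (assumed acceptance criteria).  Everything else needs treatment."""
    ranked = sorted(
        risks, key=lambda r: (SCALE[r["level"]], r["ale"]), reverse=True
    )
    for r in ranked:
        r["accepted"] = (
            SCALE[r["level"]] <= SCALE[acceptance_level]
            and r["ale"] <= acceptance_ale
        )
    return ranked


# Constructed sample scenarios (hypothetical assets and figures).
SAMPLE_SCENARIOS = [
    IncidentScenario("Customer DB", "External attacker", "Unpatched web server",
                     "High", "High", 0.5, 200_000.0),
    IncidentScenario("Laptop fleet", "Theft", "No disk encryption",
                     "Medium", "Medium", 2.0, 3_000.0),
    IncidentScenario("Intranet wiki", "Accidental deletion", "No backups",
                     "Low", "Low", 1.0, 500.0),
    IncidentScenario("Payroll system", "Insider", "Excess privileges",
                     "Low", "High", 0.25, 20_000.0),
]


def run_example():
    """Run Steps 3 and 4 over the sample scenarios; returns the ranked list."""
    return evaluate(estimate(SAMPLE_SCENARIOS))


if __name__ == "__main__":
    for r in run_example():
        s = r["scenario"]
        print(f'{r["level"]:6} ALE=${r["ale"]:>9,.0f} accepted={r["accepted"]!s:5} '
              f"{s.asset} / {s.threat} / {s.vulnerability}")
```

Note how the payroll scenario comes out: its quantitative estimate sits exactly at the $5,000 acceptance threshold, but its qualitative level is Medium, so it is still not accepted. Applying both criteria is what keeps a low-likelihood, high-consequence scenario from being waved through on the money figure alone.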
  • 24. Summary
    – Keep it Simple and Systematic
    – Comprehensive
    – Risk sensitive culture in the organization.
    – Drive security from a risk management perspective, rather than only a compliance perspective.
    – Help RA to help you...
  • 25. Questions?
    Be a Risk Assessment Evangelist!
    IS-RA Forum on LinkedIn; SMART-RA Forum on LinkedIn
    Dharshan Shanthamurthy, E-mail: dharshan.shanthamurthy@sisa.in, Phone: +91-99451 22551