Risk Management & Information Security Management Systems
Website: http://it-toolkits.org/ Copyright@TrucPhuong
Risk Management and Risk Assessment are major components of Information Security Management (ISM). Although they are widely known, a wide range of definitions of Risk Management and Risk Assessment is found in the relevant literature [ISO13335-2], [NIST], [ENISA Regulation]. Here a consolidated view of Risk Management and Risk Assessment is presented. For the sake of this discussion, two approaches to presenting Risk Management and Risk Assessment, mainly based on OCTAVE [OCTAVE] and ISO 13335-2 [ISO13335-2], will be considered. Nevertheless, when necessary, structural elements that emanate from other views of Risk Management and Risk Assessment are also used (e.g. consideration of Risk Management and Risk Assessment as counterparts of an Information Security Management System, as parts of wider operational processes, etc. [WG-Deliverable 3], [Ricciuto]).
It seems to be generally accepted by Information Security experts that Risk Assessment is part of the Risk Management process. After initialization, Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measures and the enforced security policy. In contrast, Risk Assessment is executed at discrete points in time (e.g. once a year, on demand, etc.) and, until the next assessment is performed, provides a temporary view of the assessed risks while parameterizing the entire Risk Management process. This view of the relationship of Risk Management to Risk Assessment is depicted in the following figure, as adopted from OCTAVE.
It is worth mentioning that in this figure both Risk Management and Risk Assessment are presented as processes, that is, as sequences of activities (see the arrows in the figure above). Various standards and good practices exist for the establishment of these processes (e.g. through structuring, adaptation, re-configuration etc.). In practice, organizations tend to generate their own instantiations of these methods, in a form most suitable for a given organizational structure, business area or sector. In doing so, national or international standards (or a combination of those) are taken as a basis, whereas existing security mechanisms, policies and/or infrastructure are adapted one by one. In this way, new good practices for a particular sector are created. Some representative examples of tailored methods/good practices are:
- a method based on a native national standard (e.g. [IT-Grund]);
- a method based on a native international standard (e.g. [ISO13335-2]);
- a method based on a de facto standard (e.g. [OCTAVE]);
- a method based on a sector standard (e.g. [SIZ-DE]);
- a method based on an individual basic protection profile for the IT systems of an organization (e.g. [SIZ-PP]);
- adoption of an already existing risk analysis of similar systems (e.g. based on existing Protection Profiles according to the Common Criteria [CC]).
In practice, combinations of the above examples are very common.
For the sake of the presentation within this site, the assumption is made that the Risk Management life-cycle presented in the figure (i.e. plan, implement, monitor, control, identify, assess) refers solely to risks. Similar activities that might be necessary within the Information Security Management process are considered to apply to operational aspects related to the implementation and control of security measures.
Although organizations tend to use a single method for Risk Management, multiple methods are typically used in parallel for Risk Assessment. This is because different Risk Assessment methods might be necessary, depending on the nature of the assessed system (e.g. structure, criticality, complexity, importance, etc.).
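The two points above (Risk Assessment as a discrete snapshot that parameterizes the recurrent Risk Management loop until the next assessment, and several assessment methods chosen in parallel by system criticality) can be made concrete in a small risk register. The following is an added illustration written for this page, not code from ENISA, OCTAVE or ISO 13335; the likelihood x impact scoring, the validity window, the criticality-to-method table and all names are assumptions made for the example, and the sample assessments are constructed.

```python
"""Toy risk register modelling the page's view of the RM/RA relationship:
Risk Management runs as a recurrent loop, Risk Assessment produces a
snapshot at a discrete point in time, and that snapshot parameterizes
the loop until it expires and a new assessment is due.
Scoring, validity handling and method selection are assumptions for
this example, not definitions from ENISA, OCTAVE or ISO 13335."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Risk:
    asset: str
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)
    impact: int      # assumed 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Assumed scoring rule: likelihood x impact.
        return self.likelihood * self.impact


@dataclass
class Assessment:
    """Result of one discrete Risk Assessment run."""
    performed_on: date
    method: str            # label of the method used, e.g. "OCTAVE"
    valid_days: int        # how long this snapshot parameterizes RM
    risks: List[Risk] = field(default_factory=list)

    def expires_on(self) -> date:
        return self.performed_on + timedelta(days=self.valid_days)


def choose_method(criticality: str) -> str:
    """Assumed rule: pick the assessment method by system criticality,
    illustrating that several methods may be in use in parallel."""
    table = {"high": "ISO13335-2", "medium": "OCTAVE", "low": "baseline-profile"}
    if criticality not in table:
        raise ValueError(f"unknown criticality {criticality!r}")
    return table[criticality]


def current_view(assessments: List[Assessment], today: date) -> Optional[Assessment]:
    """Latest assessment whose validity window covers today, or None when
    the management loop has no usable snapshot left."""
    valid = [a for a in assessments if a.performed_on <= today < a.expires_on()]
    return max(valid, key=lambda a: a.performed_on) if valid else None


def plan_treatment(view: Optional[Assessment], threshold: int) -> List[str]:
    """One 'plan' step of the recurrent RM loop: assets whose current risk
    score meets the threshold and therefore need a treatment decision."""
    if view is None:
        return []
    return sorted(r.asset for r in view.risks if r.score >= threshold)


def reassessment_due(assessments: List[Assessment], today: date) -> bool:
    """The 'identify/assess' trigger: no valid snapshot means a new
    Risk Assessment must be performed before RM can continue."""
    return current_view(assessments, today) is None


# Constructed sample data: two yearly assessments of the same three assets.
SAMPLE = [
    Assessment(date(2023, 1, 10), "OCTAVE", 365,
               [Risk("web-portal", 4, 4), Risk("hr-db", 2, 5), Risk("wiki", 1, 2)]),
    Assessment(date(2024, 1, 15), "ISO13335-2", 365,
               [Risk("web-portal", 3, 4), Risk("hr-db", 4, 5), Risk("wiki", 1, 2)]),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    view = current_view(SAMPLE, today)
    print("active assessment:", view.method if view else None)
    print("needs treatment:", plan_treatment(view, threshold=12))
    print("re-assessment due:", reassessment_due(SAMPLE, today))
```

The staleness check in `current_view` is the part worth keeping in a real register: once the last assessment's validity window has passed, the management loop should stop acting on it and flag that a new assessment is due, rather than silently continuing with an outdated view of the risks.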
Through a series of activities, ENISA has established inventories of existing Risk Management and Risk Assessment methods and tools in Europe (also referred to as products here). Any of these products can be used for the instantiation of both the Risk Management and Risk Assessment processes mentioned in the figure above. The contents of these inventories and the inventories themselves are presented in this site.
It should be noted that a more detailed representation of Risk Management and Risk Assessment is given in ISO 13335-2 [ISO13335-2]. In general, the contents of the Risk Management and Risk Assessment processes as described here are compatible with ISO 13335. In the future, detailed examples of how to adapt the presented processes to existing business and IT needs will be given by means of demonstrators. The generation of such material will be part of future work at ENISA in the form of demonstrators.