O-ISM3 Risk Assessment

  1. © Inovement Spain 2013
  2. ISM-RA
  3. AU IT SB, FAIR, MAGERIT, CRAMM, Dutch A&K, EBIOS, ISAMM, ISO27005, MARION, MEHARI, MIGRA, OCTAVE, SP 800-30, ISF, Canadian RM Guide, etc.
  4. ISO27005 [process diagram]: Establish Context; Risk Assessment, made up of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision "Acceptable results?"; Risk Treatment; decision "Accept risk?"; Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside the whole cycle.
  5. RA Method Design
     • Threat Taxonomy
     • Controls/Processes Taxonomy
     • Model
     • Scope
     • Depth
     • Threat Likelihood
     • Asset Value
     • Correct? Useful?
  6. RA Method Design [concept map]: Impact, Assets, Value, Cost, Threats, Frequency, Weaknesses, Countermeasures, Likelihood, Exposure.
  7. Goals: Scope (what is in, what is out)
  8. Scope
     • The more choice on the side of the certificate aspirant, the less value in the certification.
     • The wider the scope, the higher the cost.
     • ISM3-RA uses the scope of whole companies.
  9. Goals: Organization Wide
  10. Complexity: Likelihood × Threats × Vulnerabilities × Countermeasures × Asset Value × Exposure = N^6 (six dimensions with N values each give N^6 combinations to assess)
  11. Correct? Useful?
     • Anyone can create a “correct” RA method.
     • But, is it useful?
  12. Utility: HIGH / MEDIUM / LOW
  13. Utility: 300 / 200 / 100
  14. Utility – Added Value
     • What are we learning that we don’t know already? (Non-Banal Analysis)
     • What are important threats to the organization?
     • What should I do?
     • How safe am I? / How likely is it that an incident will happen?
     • How much will I lose this year?
     • How much should I invest this year?
  15. Utility Challenges
     • Lack of real data
     • Are opinions valid data?
     • Mixing opinions with arithmetic is a bit like mixing magic and physics.
     • The higher the investment, the lower the risk.
     • Return on investment is always positive.
     • Risk Assessment can be difficult and expensive.
  16. Inherent Limitations
  17. Quantitative
  18. Qualitative
  19. Quantitative RA: Risk = Impact × Probability
  20. Quantitative RA [chart]: Probability [% / year] on one axis, from 0 to 100; Expected Loss [$] on the other, from 0 up to the accounting value of the company. Reference points: last year’s losses ($ per year) and the probability of discontinuation of the company per year.
  21. Qualitative
  22. Model
     • No Model
     • Assets (Mostly Technical)
     • Servers, Databases, Networks, etc. (Purely Technical)
     • ISM3-RA uses Environments and Business Functions
  23. Depth (Level of Detail)
  24. Depth
     • The higher the level of detail, the more complex and costly.
     • The depth should match the kind of decisions we want to support.
     • ISM3-RA uses management-level depth.
  25. Management Level
  26. Business (Components, Relationships, States)
  27. Business Functions
  28. Business Functions
     • Every business function exists and has a different importance in every company.
     [Diagram: Research, Financing/Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics]
  30. Information Technology (Components, Relationships, States)
  31. Environments
  32. Environment
     • You can’t model a company meaningfully as a set of servers, applications or “assets”.
     • On the other hand, an environment has a visible head, someone who will be responsible for carrying out the action plan.
     [Diagram of environments: Host, SSCC, Terceros (third parties), SSAA, Oficinas (offices), Usuarios Móviles (mobile users), Personal (staff)]
  33. Dependencies
  34. ISM3-RA [diagram: dependencies between the environments Host, SSCC, Terceros, SSAA, Oficinas, Usuarios Móviles, Personal and the business functions Research, Financing/Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics]
  35. Threats (There is no widely accepted list of threats at any level of detail. There are no reliable estimations of the probability of threats.)
  36. Threat Taxonomy
     • Pretty long lists
     • Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc.
     • Against Confidentiality, against Integrity, against Availability et al.
  37. ISM3-RA
     1. Destruction, corruption or loss of valid information.
     2. Failure to destroy expired information.
     3. Improper use of authorized access.
     4. Improper recording of access.
     5. Unauthorized access, eavesdropping, theft and disclosure of information.
     6. Underperformance, interruption of service & failure of authorized access.
     7. Aging of information & outdated systems.
  38. Threat Likelihood
     • Normally there is not enough data to know how likely a threat is.
     • The multiplicity and evolution of threats make the likelihood of threats very difficult to model.
     • ISM3-RA uses a qualitative scale of likelihood (from very high to very low).
  39. Impact (Euros; High – Medium – Low; Confidentiality – Integrity – Availability; etc.)
  40. Asset Value
     • Euros
     • High – Medium – Low
     • Magerit: availability, integrity, confidentiality, authenticity, traceability.
     • ISM3-RA uses “The more that important Business Functions depend on an Environment, the more valuable it is”
  41. Controls (ISO27001, PCI DSS, NIST, ISM3, etc.)
  42. Controls / Process Taxonomy
     • ISO 27002 Controls
     • PCI DSS Controls
     • Cobit Controls
     • Custom Made Lists
     • Etc.
     • ISM3-RA uses ISM3 Processes
  43. Mix
  45. Results (7, some other number, “good”, “better”, an action plan, or a dashboard)
  46. High / Medium / Low
  47. ISM3-RA [chart: Relative Weight of Business Functions, one bar per business function (Research, Financing/Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics), scale 0 to 120]
  48. ISM3-RA [chart: Relative Protection per Environment (Internet, SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Mobiles, Personal), scale 0.0 to 0.8]
  49. ISM3-RA [chart: Relative Environment Criticality, same environments, scale 0 to 12000]
  50. ISM3-RA [chart: Risk to Environment (SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Mobiles, Personal), scale 0.0 to 1.8]
  51. ISM3-RA [chart: Risk to Technical Environment per Threat (SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Mobiles), scale 0 to 8, one series per threat class: Improper recording of access to information or systems (anon or otherwise); Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems; Failure to destroy expired information or systems & Failure to stop systems at will; Underperformance OR Interruption of valid system services & Failure of authorized access; Aging of information & Outdated systems; Destruction / Corruption / Loss of valid information or systems]
  52. ISM3-RA [chart: Relative Reliance on Environments, one bar per business function, scale 0 to 16000]
  53. ISM3-RA [chart: Risk per Business Function, one bar per business function with a series per environment (Personal, Usuarios Mobiles, Terceros, SSAA, Host, Oficinas, SSCC), scale 0.0 to 2.5]
  54. ISM3-RA [diagram: the environments Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks mapped to the business functions Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing/Accounting, Maintenance, Relationships, Legal]
  56. ISM3-RA Dashboard?
  57. Information Security that makes Business Sense
     • inovement.es/oism3
     • Web: www.inovement.es
     • Video Blog: youtube.com/user/vaceituno
     • Blog: ism3.com
     • Twitter: twitter.com/vaceituno
     • Presentations: slideshare.net/vaceituno/presentations
     • Articles: slideshare.net/vaceituno/documents
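The roll-up the charts on slides 47 to 53 report (weight the business functions, map their reliance on environments, rate the slide 37 threat classes on the slide 38 qualitative scale, then compute risk per environment and hand it back per business function), as an added example that is not Inovement's tooling and not the ISM3-RA formulas. The arithmetic, the numeric values behind the likelihood scale and all weights, dependencies and protection figures are assumptions constructed here; only the environment names (Host, SSCC, Oficinas, Usuarios Móviles, Terceros) and threat classes come from the slides.

```python
# Toy ISM3-RA style aggregation. Added example, not Inovement's tooling: the
# arithmetic, the likelihood mapping and every figure below are assumptions.

# Slide 38: qualitative likelihood scale; the numeric values are assumed.
LIKELIHOOD = {"very low": 0.05, "low": 0.2, "medium": 0.4, "high": 0.7, "very high": 0.9}

# Constructed sample company (not the presentation's data), using its environment names.
BF_WEIGHT = {"Sales": 100, "Production": 90, "IT": 60, "Legal": 30}  # slide 47
DEPENDS = {  # slide 33: business function -> environments it relies on (0 none .. 1 total)
    "Sales": {"Host": 0.8, "Oficinas": 0.6, "Usuarios Móviles": 0.5},
    "Production": {"Host": 0.9, "SSCC": 0.7},
    "IT": {"Host": 0.7, "SSCC": 0.9, "Terceros": 0.4},
    "Legal": {"Oficinas": 0.8},
}
PROTECTION = {"Host": 0.8, "SSCC": 0.7, "Oficinas": 0.5, "Usuarios Móviles": 0.3, "Terceros": 0.4}  # slide 48
THREATS = {  # slide 37 threat classes, each rated per environment on the slide 38 scale
    "Host": {"Unauthorized access & disclosure": "medium", "Interruption of service": "high"},
    "SSCC": {"Destruction/corruption/loss of information": "low"},
    "Oficinas": {"Improper use of authorized access": "medium"},
    "Usuarios Móviles": {"Unauthorized access & disclosure": "very high"},
    "Terceros": {"Improper recording of access": "high"},
}

def environment_criticality(bf_weight=BF_WEIGHT, depends=DEPENDS):
    """Slides 40/49: an environment is worth the weighted business functions relying on it."""
    crit = {}
    for bf, envs in depends.items():
        for env, share in envs.items():
            crit[env] = crit.get(env, 0.0) + bf_weight[bf] * share
    return crit

def risk_per_threat(crit, protection=PROTECTION, threats=THREATS):
    """Slide 51: one threat's risk to one environment = criticality x likelihood x (1 - protection)."""
    return {(env, t): crit[env] * LIKELIHOOD[lvl] * (1 - protection[env])
            for env, rated in threats.items() for t, lvl in rated.items()}

def risk_per_environment(per_threat):
    """Slide 50: total risk to an environment is the sum over its threats."""
    risk = {}
    for (env, _), r in per_threat.items():
        risk[env] = risk.get(env, 0.0) + r
    return risk

def risk_per_business_function(env_risk, crit, bf_weight=BF_WEIGHT, depends=DEPENDS):
    """Slide 53: hand each environment's risk back to the functions relying on it, by share of its criticality."""
    return {bf: sum(env_risk[env] * bf_weight[bf] * share / crit[env] for env, share in envs.items())
            for bf, envs in depends.items()}
```

Chaining the four functions and sorting the last dict by value gives the slide 53 ranking, with the business functions an action plan should start from at the top.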
