Risk Analysis with O-ISM3 (Analisis de Riesgos O-ISM3)



  1. FIST Conference, Madrid, November 2008. Risk Assessment ISM3-Style. Vicente Aceituno, 2008.
  2. About me: Vice president of the FIST Conferences association. President of the ISSA Spain chapter. Author of a number of articles (Google: vaceituno wikipedia). Director of the ISM3 Consortium, which promotes ISM3, an ISMS standard. ISM3 is the main source for this presentation. www.ism3.com
  3. Standards: Magerit, BS 7799-3:2005, AS 4360, ISO 27005, Canadian Risk Management Guide, ISF method, Octave, SP800-30, Marion, ISO 13335-2, Mehari, Ebios, Dutch A&K analysis, Cramm.
  4. RA Method Design. The building blocks every method combines: Threats and their Likelihood (Frequency); Weaknesses; Countermeasures and their Cost; Assets and their Value; Impact; Exposure.
  5. Complexity: Likelihood × Threats × Vulnerabilities × Countermeasures × Asset Value × Exposure. With N possible values on each of these six dimensions, the space a method has to cover is N^6.
  6. RA Method Design choices: Threat Taxonomy; Countermeasures Taxonomy; Model; Scope; Depth; Threat Likelihood; Asset Value; Correct? Useful?
  7. Threat Taxonomy. Most methods use pretty long lists. Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc.; against Confidentiality, against Integrity, against Availability, et al. ISM3-RA uses six classes:
     1. Destruction, corruption or loss of valid information or systems.
     2. Aging of information and outdated systems.
     3. Underperformance or interruption of valid system services, and failure of authorized access.
     4. Failure to destroy expired information or systems, and failure to stop systems at will.
     5. Unauthorized access, eavesdropping, theft and disclosure of information or systems, and improper use of authorized access to information or systems.
     6. Improper recording of access to information or systems (anonymous or otherwise).
  8. Countermeasures Taxonomy: ISO 27001 controls, PCI DSS controls, Cobit controls, custom-made lists, etc. ISM3-RA uses ISM3 Processes.
  9. Model: no model; Assets (mostly technical); servers, databases, networks, etc. (purely technical). ISM3-RA uses Environments and Business Functions.
  10. ISM3-RA Environments: WiFi Networks, Internal Network, Internal Users, Mobile Users, DMZ.
  11. ISM3-RA Business Model. Business Functions: Production, Administration, Relationships, IT, Legal, Financing / Accounting, Infrastructure, Maintenance, Logistics, Human Resources, Procurement, Business Intelligence, Advertising, Sales, Governance, Research.
  12. Scope. The more choice on the side of the certificate aspirant, the less value in the certification. The wider the scope, the higher the cost. ISM3-RA uses the scope of whole companies.
  13. Depth. The higher the level of detail, the more complex and costly. The depth should match the kind of decisions we want to support. ISM3-RA uses management-level depth: Environments.
  14. Threat Likelihood. Normally there is not enough data to know how likely a threat is. The multiplicity and evolution of threats make threat likelihood very difficult to model. ISM3-RA uses a qualitative scale of likelihood (from very high to very low).
  15. Asset Value: Euros; High / Medium / Low; Magerit: availability, integrity, confidentiality, authenticity, traceability. ISM3-RA uses "the more important the Business Functions that depend on an Environment, the more valuable it is".
  16. Correct? Useful? Anyone can create a "correct" RA method. But is it useful?
  17. Utility, on a qualitative scale: HIGH, MEDIUM, LOW.
  18. Utility, on a numeric scale: 300, 200, 100.
  19. Utility: Added Value. What are we learning that we don't know already? (Non-banal analysis.) What are the important threats to the organization? What should I do? How safe am I? How likely is it that an incident will happen? How much will I lose this year? How much should I invest this year?
  20. Limits of validity.
  21. Quantitative RA: Risk = Impact × Probability (plotted as Impact against Probability).
  22. Quantitative RA: Expected Loss [$ per year] against Probability [% per year, from 0 to 100]. Reference marks on the loss axis: last year's losses and the accounting value of the company. Reference mark on the probability axis: the probability of discontinuation of the company per year.
  23. ISO 27005 process: Establish Context; Risk Assessment, consisting of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; acceptable results?; Risk Treatment; accept risk?; Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside every step.
  24. Utility Challenges:
     • Lack of real data.
     • Are opinions valid data?
     • Mixing opinions with arithmetic is a bit like mixing magic and physics.
     • The higher the investment, the lower the risk.
     • Return on investment is always positive.
     • Risk Assessment can be difficult and expensive.
  25. ISM3-RA: [diagram] the Business Functions of slide 11 (Production, Administration, Relationships, IT, Legal, Financing / Accounting, Infrastructure, Maintenance, Logistics, Human Resources, Procurement, Business Intelligence, Advertising, Sales, Governance, Research) mapped against the Environments of slide 10 (Mobile Users, Internal Users, Internal Network, WiFi Networks, DMZ).
  26. Same diagram as slide 25.
  27. ISM3-RA example: [chart] Relative Weight of Business Functions (y axis 0 to 120), one bar per function: Governance, Research, Business Intelligence, Advertising, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales.
  28. ISM3-RA example: [chart] Relative Protection per Environment (y axis 0.0 to 1.2), one bar per environment: Internet, SSCC, Oficinas (Offices), Host, SSAA, Terceros (Third parties), Usuarios (Users), Personal (Staff), Mobiles.
  29. ISM3-RA example: [chart] Relative Reliance on Environments (y axis 0 to 25000), one bar per business function, same functions as slide 27.
  30. ISM3-RA example: [chart] Relative Environment Criticality (y axis 0 to 35000), one bar per environment: Internet, SSCC, Oficinas, Host, SSAA, Terceros, Usuarios, Personal, Mobiles.
  31. ISM3-RA example: [chart] Risk per Business Function (y axis 0.000000 to 0.000450), one series per environment (Host, SSAA, SSCC, Oficinas, Personal, Terceros, Usuarios, Mobiles), same functions as slide 27.
  32. ISM3-RA example: [chart] Risk to Technical Environment per Threat (y axis 0.000 to 0.006), environments SSCC, Oficinas, Host, SSAA, Terceros, Usuarios, Mobiles; one series per ISM3-RA threat class (the six classes of slide 7).
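The example charts above chain four inputs (weight of each business function, reliance of each function on each environment, qualitative threat likelihood, relative protection per environment) into environment criticality and risk per business function. The following Python sketch is an added illustration and is not code from the presentation or from the ISM3 Consortium: the numbers are constructed, and the two combination rules (criticality as the weighted sum of reliance, following the rule on slide 15; risk as weight × reliance × likelihood points ÷ protection) are assumptions chosen to reproduce the shape of the charts, not the consortium's published formulas. The function names are hypothetical. The last function also exercises the slide 24 warning about mixing opinions with arithmetic: recoding the same qualitative likelihood answers on a different numeric scale can reorder the environments.

```python
"""Environment-centred risk aggregation in the style of the ISM3-RA example.

Added illustration; not code from the presentation or from the ISM3
Consortium. All numbers are constructed and the combination rules are
assumptions chosen to reproduce the chain of chart titles in the deck:
weight of business functions -> reliance on environments -> environment
criticality -> risk per business function and environment.
"""

# Assumption: the qualitative likelihood scale of slide 14 recoded as integers
# so it can be multiplied. This is exactly the ordinal-to-ratio step that
# slide 24 ("mixing opinions with arithmetic") warns about.
LIKELIHOOD_POINTS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Constructed relative weight of business functions (management opinion, 0-100).
WEIGHT = {"Sales": 100, "Production": 90, "Financing / Accounting": 80,
          "Human Resources": 40, "Research": 30}

# Constructed reliance of each business function on each environment (0-10).
RELIANCE = {
    ("Sales", "Internet"): 9, ("Sales", "Internal Network"): 6, ("Sales", "Mobile Users"): 7,
    ("Production", "Internet"): 2, ("Production", "Internal Network"): 9, ("Production", "Mobile Users"): 1,
    ("Financing / Accounting", "Internet"): 3, ("Financing / Accounting", "Internal Network"): 8,
    ("Financing / Accounting", "Mobile Users"): 2,
    ("Human Resources", "Internet"): 2, ("Human Resources", "Internal Network"): 7,
    ("Human Resources", "Mobile Users"): 3,
    ("Research", "Internet"): 5, ("Research", "Internal Network"): 6, ("Research", "Mobile Users"): 4,
}

# Constructed per-environment inputs: qualitative threat likelihood and a
# relative protection score (1.0 = baseline; higher = stronger countermeasures).
LIKELIHOOD = {"Internet": "very high", "Internal Network": "medium", "Mobile Users": "high"}
PROTECTION = {"Internet": 1.2, "Internal Network": 1.0, "Mobile Users": 0.6}


def environment_criticality(weight, reliance):
    """Slide 15 rule, as an assumed formula: criticality(env) is the sum over
    business functions of weight(bf) * reliance(bf, env)."""
    crit = {}
    for (bf, env), r in reliance.items():
        crit[env] = crit.get(env, 0.0) + weight[bf] * r
    return crit


def risk_by_function_and_environment(weight, reliance, likelihood, protection,
                                     points=LIKELIHOOD_POINTS):
    """Assumed formula: risk(bf, env) = weight * reliance * likelihood / protection.
    Likelihood is looked up per environment on the qualitative scale."""
    risk = {}
    for (bf, env), r in reliance.items():
        risk[(bf, env)] = weight[bf] * r * points[likelihood[env]] / protection[env]
    return risk


def risk_per_environment(risk):
    """Fold the (bf, env) matrix down to one figure per environment."""
    total = {}
    for (_bf, env), value in risk.items():
        total[env] = total.get(env, 0.0) + value
    return total


def ranking(scores):
    """Names ordered from highest to lowest score (ties broken by name)."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


def ranking_changes_with_scale(weight, reliance, likelihood, protection):
    """Caveat check from slide 24: the same qualitative answers, recoded on a
    different but equally defensible numeric scale, can reorder the
    environments. Returns (ranking with 1..5 points, ranking with 1..10000)."""
    linear = risk_per_environment(
        risk_by_function_and_environment(weight, reliance, likelihood, protection, LIKELIHOOD_POINTS))
    geometric_points = {"very low": 1, "low": 10, "medium": 100, "high": 1000, "very high": 10000}
    geometric = risk_per_environment(
        risk_by_function_and_environment(weight, reliance, likelihood, protection, geometric_points))
    return ranking(linear), ranking(geometric)


if __name__ == "__main__":
    print("criticality:", environment_criticality(WEIGHT, RELIANCE))
    print("risk per environment:", risk_per_environment(
        risk_by_function_and_environment(WEIGHT, RELIANCE, LIKELIHOOD, PROTECTION)))
    print("ranking (1..5) vs ranking (1..10000):",
          ranking_changes_with_scale(WEIGHT, RELIANCE, LIKELIHOOD, PROTECTION))
```

With the constructed inputs the 1-to-5 coding ranks Mobile Users as the riskiest environment and Internet as the least risky, while the 1-to-10000 coding of the same five words puts Internet first. Nothing in the opinions changed; only the arithmetic did, which is the point of slide 24: the ordering of environments is only as trustworthy as the scale chosen to turn "very high" into a number, so the chosen mapping should be written down with the assessment and its sensitivity checked before the ranking drives investment decisions.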
  33. References: 1. Viable System Model. 2. RA Method Inventory. 3. The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb (Spanish edition: El cisne negro: el impacto de lo altamente improbable, ISBN 9788449320774). 4. Magerit, Canadian Risk Management Guide, SP800-30, AS 4360, Marion, Ebios, Cramm, ISO 13335-2, ISF method, Mehari, Octave, Dutch A&K analysis. 5. Scales of Measurement, Wikipedia.
  34. Creative Commons Attribution-NoDerivs 2.0. You are free: to copy, distribute, display, and perform this work; to make commercial use of this work. Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  35. THANK YOU. Vicente Aceituno, Madrid, November 2008.