Anda di halaman 1dari 25

RiskAssessmentasperISO27005

PresentedbyDharshanShanthamurthy,
RiskAssessmentEvangelist
WWW.SMARTRA.COM

SMARTRA.COMisapatentpendingproductofSISAInformationSecurityPvt.Ltd.
What is Risk Assessment?
WhatisRiskAssessment?
NISTSP80030
RiskAssessmentistheanalysisofthreatsinconjunctionwith
vulnerabilitiesandexistingcontrols.
l biliti d i ti t l
OCTAVE
ARiskAssessmentwillprovideinformationneededtomake
riskmanagementdecisionsregardingthedegreeofsecurity
remediation.
remediation
ISO27005
RiskAssessment=Identification,Estimationand
Risk Assessment Identification Estimation and
Evaluation
WhyRiskAssessment?
RegulatoryCompliance
Compliance RiskAssessmentRequirement
St d d
Standard
PCIDSS Formal andstructuredriskassessmentbasedonmethodologieslikeISO27005,
Requirement NISTSP80030,OCTAVE,etc.
12 1 2
12.1.2
HIPAASection Conductanaccurateandthoroughassessmentofthepotentialrisksand
164.308(a)(1) vulnerabilitiestotheconfidentiality,integrity,andavailabilityofelectronic
protected health information held by the covered entity
protectedhealthinformationheldbythecoveredentity.
FISMA3544 Periodictestingandevaluationoftheeffectivenessofinformationsecurity
policies,procedures,andpractices,tobeperformed atleastannually.

ISO27001Clause Riskassessmentsshouldidentifyrisksagainstriskacceptancecriteriaand
4.1 organizationalobjectives.Riskassessmentsshouldalsobeperformed
periodicallytoaddresschangesinthesecurityrequirementsandintherisk
situation.
GLBA, SOX,FISMA,DataProtectionAct,ITActAmendment2008,PrivacyAct,HITRUST
WhyRiskAssessment?
y
BusinessRationale
Function Explanation
Returnon StructuredRAMethodologyfollowsasystematicandpredefined
Investment approach,minimizesthescopeofhumanerror,andemphasizes
process driven rather than human driven activities
processdriven,ratherthanhumandrivenactivities.

BudgetAllocation Assistsincontrolscostplanningandjustification

Controls Costandeffortoptimizationbyoptimizingcontrolsselectionand
implementation

Efficient Resourceoptimizationbyappropriatedelegationofactionsrelatedto
utilization of
utilizationof controls implementation
controlsimplementation.
resources
What is IS
IS-RA?
RA?
Risk assessment is the cornerstone of any information
security program, and it is the fastest way to gain a
complete understanding of an organization's security
profile its strengths and weaknesses,
weaknesses its vulnerabilities
and exposures.

IF YOU CANT MEASURE IT

YOU
YOU CANT MANAGE IT!
Reality Check
RealityCheck
ISRA aneedmorethanawant
Each organization has their own ISRA
EachorganizationhastheirownISRA
ISRAlearningcurve
Cumbersome 1000assets,20worksheets
Two months efforts
Twomonthsefforts
Complicatedreport
Exercise
ThreatScenarios
ThreatProfilestobefilled.
Threat Profiles to be filled.
RiskAssessmentreferencepoints
OCTAVE
NISTSP80030
ISO27005
COSO
RiskIT
ISO31000
AS/NZS4360
FRAP
FTA
MEHARI
ISO 27005 Introduction
ISO27005Introduction
ISO27005isanInformationSecurityRiskManagementguideline.
ISO 27005 i I f ti S it Ri k M t id li

LaysemphasisontheISMSconceptofISO27001:2005.

DraftedandpublishedbytheInternationalOrganizationfor
Standardization (ISO) and the International Electrotechnical
Standardization(ISO)andtheInternationalElectrotechnical
Commission(IEC)

Provides
ProvidesaRAguidelineanddoesnotrecommendanyRA
a RA guideline and does not recommend any RA
methodologies.

Applicabletoorganizationsofalltypes.
f
ISO 27005 Workflow
ISO27005Workflow
Advocatesaniterativeapproach
pp
toriskassessment

Aims
Aimsatbalancingtimeand
at balancing time and
effortwithcontrolsefficiencyin
mitigatinghighrisks

ProposesthePlanDoCheckAct
cycle.

Source:ISO27005Standard
ISO 27005 Risk Assessment
ISO27005RiskAssessment
IInformationSecurityRiskAssessment=RiskAnalysis+
f i S i Ri k A Ri k A l i
RiskEvaluation
Risk Analysis:
RiskAnalysis:
RiskAnalysis=RiskIdentification+RiskEstimation

1.RiskIdentification
Risk characterized in terms of organizational conditions
Riskcharacterizedintermsoforganizationalconditions

IdentificationofAssets:Assetswithinthedefinedscope
IdentificationofThreats:BasedonIncidentReviewing,Asset
Owners,AssetUsers,Externalthreats,etc.
ISO 27005 Risk Assessment Contd.
ISO27005RiskAssessmentContd.
Identification
IdentificationofExistingControls:Alsocheckifthecontrolsareworking
of Existing Controls: Also check if the controls are working
correctly.
IdentificationofVulnerabilities:Vulnerabilitiesareshortlistedin
organizationalprocesses,IT,personnel,etc.
IdentificationofConsequences:TheimpactoflossofCIAofassets.

2.RiskEstimation

Specifiesthemeasureofrisk.

QualitativeEstimation
Qualitative Estimation
QuantitativeEstimation

Risk Evaluation:
RiskEvaluation:
ComparesandprioritizesRiskLevelbasedonRiskEvaluationCriteriaandRisk
AcceptanceCriteria.
ISO27005RAWorkflow

Step1 Step2 Step3 Step4


General
General RiskAnalysis:
Risk Analysis:
Descriptionof RiskAnalysis:
Risk RiskEvaluation
ISRA RiskEstimation
Identification
Step1
General
RiskAnalysis:Risk
Risk Analysis: Risk RiskAnalysis:Risk
Risk Analysis Risk
Descriptionof Identification Estimation
RiskEvaluation

ISRA

1. GeneralDescriptionofISRA

Identify,Describe
d f b Assessedrisks
d ik
BasicCriteria
(quantitativelyor prioritizedaccordingto
ScopeandBoundaries
qualitatively)and RiskEvaluation
OrganizationforISRM
g
P i iti Ri k
PrioritizeRisks C it i
Criteria.
Step2
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis Risk
ofISRA Ri k
Risk Estimation
RiskEvaluation
Identification

2.RiskAnalysis:RiskIdentification
IdentificationofAssets

SScopeandBoundaries
d d i
ListofAssets.
Assetowners
Assetsaredefined Listofassociated
AssetLocation
businessprocesses.
p
A t f ti
Assetfunction
Step2
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis Risk
ofISRA Ri k
Risk Estimation
RiskEvaluation
Identification

2.RiskAnalysis:RiskIdentification
IdentificationofThreats

ThreatInformation
Threat Information
from Threats
ReviewofIncidents Threatsaredefined Threatsource
AssetOwners Threattype
yp
AssetUsers,etc.
Step2
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis Risk
ofISRA Ri k
Risk Estimation
RiskEvaluation
Identification

2.RiskAnalysis:RiskIdentification
IdentificationofExistingControls

Existing
Existingand
and
Documentationof plannedcontrols
Existingandplanned
controls Implementation
controlsaredefined
RTP status
Usagestatus
Step2
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis Risk
ofISRA Ri k
Risk Estimation
RiskEvaluation
Identification

2.RiskAnalysis:RiskIdentification
IdentificationofVulnerabilities

Vulnerabilities
Vulnerabilitiesrelated
related
IdentifiedAssets
d ifi d
toassets,threats,
IdentifiedThreats Vulnerabilitiesare
controls.
IdentifiedExisting identified
Vulnerabilitiesnot
C t l
Controls
relatedtoanythreat.
Step2
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis Risk
ofISRA Ri k
Risk Estimation
RiskEvaluation
Identification

2.RiskAnalysis:RiskIdentification
IdentificationofConsequences

Incident
Incidentscenarios
scenarios
Assetsandbusiness
db i
withtheir
processes Theimpactoftheloss
consequencesrelated
Threatsand ofCIAisidentified
toassetsand
vulnerabilities
l biliti
businessprocesses
Step3
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis: Risk
ofISRA Identification Ri k
Risk RiskEvaluation
Estimation

3.RiskAnalysis:RiskEstimation
RiskEstimationMethodologies

((a)) QualitativeEstimation:High,Medium,Low
Q lit ti E ti ti Hi h M di L
((b)) QuantitativeEstimation:$,hours,etc.
Step3
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis: Risk
ofISRA Identification Ri k
Risk RiskEvaluation
Estimation

3.RiskAnalysis:RiskEstimation
Assessmentofconsequences

Assets
Assetsandbusiness
and business Assessedconsequences
Assessed consequences
Thebusinessimpact
h b
processes ofanincidentscenario
frominformation
Threatsand expressedintermsof
securityincidentsis
vulnerabilities p
assetsandimpact
assessed.
d
Incidentscenarios criteria.
Step3
RiskAnalysis:
General Description
GeneralDescription RiskAnalysis:Risk
Risk Analysis: Risk
ofISRA Identification Ri k
Risk RiskEvaluation
Estimation

3.RiskAnalysis:RiskEstimation
LevelofRiskEstimation

Incidentscenarios
withtheir Levelofriskis
l f k
consequences estimatedforall Listofriskswithvalue
Theirlikelihood relevantincident levelsassigned.
(quantitativeor scenarios
i
qualitative).
Step4

GeneralDescription
General Description RiskAnalysis:Risk
Risk Analysis: Risk RiskAnalysis:Risk
Risk Analysis: Risk Risk
Risk
ofISRA Identification Estimation
Evaluation

4.RiskAnalysis:RiskEstimation
LevelofRiskEstimation

Risksprioritized
Risks prioritized
Levelofriskis
l f k
Riskswithvaluelevels accordingtorisk
comparedagainstrisk
assignedandrisk evaluationcriteriain
evaluationcriteriaand
evaluationcriteria. relationtotheincident
riskacceptancecriteria
ik t it i
scenarios.
Summary
KeepitSimpleandSystematic
Comprehensive
Risksensitivecultureintheorganization.
Drivesecurityfromariskmanagement
p p
perspective,ratheronlyacompliance
, y p
perspective.
HelpRAtohelpyou
H l RA t h l
Questions?

Be a Risk Assessment Evangelist!


BeaRiskAssessmentEvangelist!
ISRAForumonLinkedin
SMART RA Forum on Linkedin
SMARTRAForumonLinkedin

DharshanShanthamurthy,
Email:dharshan.shanthamurthy@sisa.in
y
Phone:+919945122551