IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

:''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization''

IT risk management can be considered a component of a wider enterprise risk management (ERM) system. The establishment, maintenance and continuous update of an information security management system (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks (Enisa, Risk management, Risk assessment inventory, page 46). Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.

According to the Risk IT framework, IT risk encompasses not only the negative impact on operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit-enabling risk of missing opportunities to use technology to enable or enhance the business, and IT project management risk in aspects such as overspending or late delivery with adverse business impact. Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. by rationally making choices under uncertainty. Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood × Impact). The measure of an IT risk can be determined as the product of threat, vulnerability and asset values:

:\text{Risk} = \text{Threat}\times\text{Vulnerability}\times\text{Asset value}

A more current risk management framework for IT risk would be the TIK framework:

:\text = ((\text\times\text) / \text) \times \text

The ''process'' of risk management is an ongoing iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. The choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.


Definitions

The Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT governance, provides the following definition of risk management: ''"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."''

''Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.'' The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real-world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

Risk management in the IT world is a complex, multi-faceted activity with many relations to other complex activities. The picture to the right shows the relationships between different related terms.

The American National Information Assurance Training and Education Center defines risk management in the IT field as:
# ''The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.''
# ''An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:''
## ''Risk assessment, as derived from an evaluation of threats and vulnerabilities.''
## ''Management decision.''
## ''Control implementation.''
## ''Effectiveness review.''
# ''The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.''
# ''The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.''


Risk management as part of enterprise risk management

Some organizations have, and many others should have, a comprehensive Enterprise risk management (ERM) in place. The four objective categories addressed, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), are:
* Strategy - high-level goals, aligned with and supporting the organization's mission
* Operations - effective and efficient use of resources
* Financial Reporting - reliability of operational and financial reporting
* Compliance - compliance with applicable laws and regulations
According to the Risk IT framework by ISACA (The Risk IT Framework, ISACA), IT risk is transversal to all four categories. IT risk should be managed in the framework of Enterprise risk management: the risk appetite and risk sensitivity of the whole enterprise should guide the IT risk management process. ERM should provide the context and business objectives to IT risk management.


Risk management methodology

Whilst a methodology does not describe specific methods, it does specify several processes (constituting a generic framework) that need to be followed. These processes may be broken down into sub-processes, they may be combined, or their sequence may change. A risk management exercise must carry out these processes in one form or another. The following table compares the processes foreseen by three leading standards. The ISACA Risk IT framework is more recent. The Risk IT Practitioner Guide (Appendix 3, ISACA; registration required) compares Risk IT and ISO 27005. The term methodology means an organized set of principles and rules that drive action in a particular field of knowledge. The overall comparison is illustrated in the following table.

Due to the probabilistic nature of risk and the need for cost-benefit analysis, IT risks are managed following a process that, according to NIST SP 800-30, can be divided into the following steps:
# risk assessment,
# risk mitigation, and
# evaluation and assessment.
Effective risk management must be totally integrated into the Systems Development Life Cycle. Information risk analysis conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies (Standard of Good Practice by Information Security Forum (ISF), Section SM3.4 Information risk analysis methodologies).


Context establishment

This step is the first step in the ISO/IEC 27005 framework. Most of the elementary activities are foreseen as the first sub-process of risk assessment according to NIST SP 800-30. This step implies the acquisition of all relevant information about the organization and the determination of the basic criteria, purpose, scope and boundaries of risk management activities, and of the organization in charge of those activities. The purpose is usually compliance with legal requirements and providing evidence of due diligence supporting an ISMS that can be certified. The scope can be an incident reporting plan or a business continuity plan. Another area of application can be the certification of a product. Criteria include the risk evaluation, risk acceptance and impact evaluation criteria. These are conditioned by (ISO/IEC, "Information technology -- Security techniques -- Information security risk management", ISO/IEC FIDIS 27005:2008):
* legal and regulatory requirements
* the strategic value for the business of information processes
* stakeholder expectations
* negative consequences for the reputation of the organization
Establishing the scope and boundaries, the organization should be studied: its mission, its values, its structure, its strategy, its locations and cultural environment. The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as a guide for the next steps.


Organization for security management

The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS (ISO/IEC 27001). The main roles inside this organization are:
* Senior Management
* Chief information officer (CIO)
* System and Information owners, such as the Chief Data Officer (CDO) or Chief Privacy Officer (CPO)
* the business and functional managers
* the Information System Security Officer (ISSO) or Chief information security officer (CISO)
* IT Security Practitioners
* Security Awareness Trainers


Risk assessment

Risk management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measures and the enforced security policy. Risk assessment, on the contrary, is executed at discrete time points (e.g. once a year, on demand, etc.) and, until the performance of the next assessment, provides a temporary view of assessed risks while parameterizing the entire risk management process. This view of the relationship of risk management to risk assessment is depicted in the figure as adopted from OCTAVE. Risk assessment is often conducted in more than one iteration, the first being a high-level assessment to identify high risks, while the other iterations detail the analysis of the major risks and other risks.

According to the National Information Assurance Training and Education Center, risk assessment in the IT field is:
# ''A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications.''
# ''The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.''
# ''An identification of a specific ADP facility's assets, the threats to these assets, and the ADP facility's vulnerability to those threats.''
# ''An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.''
# ''A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between cost/benefit of the safeguard and sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis (i.e., risk analysis) of a large scale computer installation. Risk assessment methodologies may vary from qualitative or quantitative approaches to any combination of these two approaches.''


ISO 27005 framework

Risk assessment receives as input the output of the previous step, Context establishment; the output is the list of assessed risks prioritized according to risk evaluation criteria. The process can be divided into the following steps:
* Risk analysis, further divided into:
** Risk identification
** Risk estimation
* Risk evaluation
The following table compares these ISO 27005 processes with Risk IT framework processes.

The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
* security policy,
* organization of information security,
* asset management,
* human resources security,
* physical and environmental security,
* communications and operations management,
* access control,
* information systems acquisition, development and maintenance (see Systems Development Life Cycle),
* information security incident management,
* business continuity management, and
* regulatory compliance.


Risk identification

Risk identification states what could cause a potential loss; the following are to be identified:
* assets, primary (i.e. business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)
* threats
* existing and planned security measures
* vulnerabilities
* consequences
* related business processes
The output of this sub-process is made up of:
* a list of assets and related business processes to be risk managed, with the associated list of threats and of existing and planned security measures
* a list of vulnerabilities unrelated to any identified threats
* a list of incident scenarios with their consequences.


Risk estimation

There are two methods of risk assessment in the information security field, quantitative and qualitative.

Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application). For each risk scenario, taking into consideration the different risk factors, a single loss expectancy (SLE) is determined. Then, considering the probability of occurrence on a given period basis, for example the annual rate of occurrence (ARO), the annualized loss expectancy (ALE) is determined as the product of ARO and SLE. It is important to point out that the values of assets to be considered are those of all involved assets, not only the value of the directly affected resource. For example, if you consider the risk scenario of a laptop theft threat, you should consider the value of the data (a related asset) contained in the computer and the reputation and liability of the company (other assets) deriving from the loss of availability and confidentiality of the data that could be involved. It is easy to understand that intangible assets (data, reputation, liability) can be worth much more than the physical resources at risk (the laptop hardware in the example). Intangible asset value can be huge, but is not easy to evaluate: this can be a consideration against a purely quantitative approach.

Qualitative risk assessment (a three- to five-step evaluation, from Very High to Low) is performed when the organization requires a risk assessment to be performed in a relatively short time or to meet a small budget, when a significant quantity of relevant data is not available, or when the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required. Qualitative risk assessment can be performed in a shorter period of time and with less data. Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Qualitative risk assessments are descriptive rather than measurable. Usually a qualitative classification is done first, followed by a quantitative evaluation of the highest risks to be compared to the costs of security measures.

Risk estimation has as input the output of risk analysis and can be split into the following steps:
* assessment of the consequences through the valuation of assets
* assessment of the likelihood of the incident (through threat and vulnerability valuation)
* assignment of values to the likelihood and consequence of the risks
The output is the list of risks with value levels assigned. It can be documented in a risk register.

Risks arising from security threats and adversary attacks may be particularly difficult to estimate. This difficulty is made worse because, at least for any IT system connected to the Internet, any adversary with intent and capability may attack, since physical closeness or access is not necessary. Some initial models have been proposed for this problem.

During risk estimation there are generally three values for a given asset, one for the loss of each of the CIA properties: Confidentiality, Integrity, Availability (British Standard Institute, "ISMSs-Part 3: Guidelines for information security risk management", BS 7799-3:2006).


Risk evaluation

The risk evaluation process receives as input the output of the risk analysis process. It compares each risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.
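The estimation steps described in the Risk estimation section (SLE summed over all involved assets, ALE = ARO × SLE, a qualitative band from Very High to Low) followed by the evaluation step above (comparing each risk level with the acceptance criterion and prioritising the list with treatment indications), worked in Python as an added example that is not part of the original article. All asset values, exposure factors, occurrence rates and banding thresholds are constructed assumptions.

```python
"""Quantitative risk estimation (SLE, ARO, ALE) and risk evaluation against an
acceptance criterion, using the laptop-theft scenario from the text.
All figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # monetary value of the asset (constructed figure)
    exposure_factor: float  # fraction of the value lost when the scenario occurs, 0..1


@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat: str
    vulnerability: str
    aro: float              # annual rate of occurrence of the incident
    assets: List[Asset]     # directly affected asset plus every related asset


def single_loss_expectancy(scenario: RiskScenario) -> float:
    """SLE: loss from one occurrence, summed over ALL involved assets,
    not only the directly affected resource (the laptop point in the text)."""
    return sum(a.value * a.exposure_factor for a in scenario.assets)


def annualized_loss_expectancy(scenario: RiskScenario) -> float:
    """ALE = ARO x SLE."""
    return scenario.aro * single_loss_expectancy(scenario)


# Qualitative banding of the ALE, from Very High to Low (thresholds assumed).
QUALITATIVE_BANDS = [(100_000.0, "Very High"), (25_000.0, "High"),
                     (5_000.0, "Medium"), (0.0, "Low")]


def qualitative_level(ale: float) -> str:
    for floor, label in QUALITATIVE_BANDS:
        if ale >= floor:
            return label
    return "Low"


def evaluate(scenarios: List[RiskScenario], acceptance_threshold: float) -> List[Dict]:
    """Risk evaluation: compare each risk level with the acceptance criterion and
    return a prioritised register (highest ALE first) with treatment indications."""
    register = []
    for s in scenarios:
        ale = annualized_loss_expectancy(s)
        register.append({
            "risk": s.name, "threat": s.threat, "vulnerability": s.vulnerability,
            "sle": single_loss_expectancy(s), "ale": ale,
            "level": qualitative_level(ale),
            "treatment": "treat" if ale > acceptance_threshold else "accept",
        })
    register.sort(key=lambda r: r["ale"], reverse=True)
    return register


def hardware_only_ale(scenario: RiskScenario) -> float:
    """ALE counting only the first (directly affected) asset, for comparison."""
    first = scenario.assets[0]
    return scenario.aro * first.value * first.exposure_factor


# Constructed scenarios. In the laptop theft case the hardware is the cheapest
# asset involved; the data and the reputation/liability dominate the loss.
LAPTOP_THEFT = RiskScenario(
    name="Laptop theft", threat="Theft of a company laptop",
    vulnerability="Unencrypted customer data stored locally", aro=0.2,
    assets=[Asset("Laptop hardware", 1_500.0, 1.0),
            Asset("Customer data on the laptop", 200_000.0, 0.25),
            Asset("Reputation and liability", 500_000.0, 0.05)])
WEB_OUTAGE = RiskScenario(
    name="Web shop outage", threat="Hardware failure of the web server",
    vulnerability="No redundant server", aro=2.0,
    assets=[Asset("Web server", 10_000.0, 0.1),
            Asset("Online sales process (annual revenue)", 300_000.0, 0.02)])
PRINTER_MISUSE = RiskScenario(
    name="Shared printer misuse", threat="Unauthorised printing",
    vulnerability="No print-release authentication", aro=0.5,
    assets=[Asset("Printer consumables", 2_000.0, 0.5)])

if __name__ == "__main__":
    print(f"Laptop theft, hardware only: ALE={hardware_only_ale(LAPTOP_THEFT):,.0f}")
    for row in evaluate([LAPTOP_THEFT, WEB_OUTAGE, PRINTER_MISUSE], 10_000.0):
        print(f"{row['risk']:<24} SLE={row['sle']:>9,.0f} ALE={row['ale']:>8,.0f} "
              f"{row['level']:<7} -> {row['treatment']}")
```

Running the block shows the laptop risk at roughly fifty times its hardware-only value once the related assets are counted, which is why it lands above the acceptance threshold.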


NIST SP 800-30 framework

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps:
* Step 1 System Characterization
* Step 2 Threat Identification
* Step 3 Vulnerability Identification
* Step 4 Control Analysis
* Step 5 Likelihood Determination
* Step 6 Impact Analysis
* Step 7 Risk Determination
* Step 8 Control Recommendations
* Step 9 Results Documentation


Risk mitigation

Risk mitigation, the second process of risk management according to SP 800-30 and the third according to ISO 27005, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and of functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission.


ISO 27005 framework

The risk treatment process aims at selecting security measures to:
* reduce
* retain
* avoid
* transfer
risk, and produces a risk treatment plan, which is the output of the process, with the residual risks subject to the acceptance of management. There are several lists from which to select appropriate security measures, but it is up to the single organization to choose the most appropriate one according to its business strategy, the constraints of the environment and the circumstances. The choice should be rational and documented. The importance of accepting a risk that is too costly to reduce is very high and has led to risk acceptance being considered a separate process.

Risk transfer applies where the risk has a very high impact but it is not easy to reduce the likelihood significantly by means of security controls: the insurance premium should be compared against the mitigation costs, possibly evaluating some mixed strategy to partially treat the risk. Another option is to outsource the risk to somebody more efficient at managing it. Risk avoidance describes any action where the ways of conducting business are changed to avoid any risk occurrence. For example, the choice of not storing sensitive information about customers can be an avoidance of the risk that customer data can be stolen.

The ''residual risks'', i.e. the risks remaining after risk treatment decisions have been taken, should be estimated to ensure that sufficient protection is achieved. If the residual risk is unacceptable, the risk treatment process should be iterated.
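The treatment options above (reduce, retain, avoid, transfer), the comparison of an insurance premium against mitigation cost including a mixed strategy, and the check that the residual risk meets the acceptance criterion, as an added Python example that is not part of the original article. The laptop-theft figures, control costs, insurance coverage and acceptance threshold are constructed assumptions, and modelling a treatment as a scaling of ARO and/or SLE is the example's own simplification.

```python
"""ISO 27005-style risk treatment: evaluate single options and mixed strategies,
compute the residual risk, and keep only plans whose residual ALE is acceptable.
All figures are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annual rate of occurrence
    sle: float  # single loss expectancy (monetary)

    @property
    def ale(self) -> float:
        return self.aro * self.sle


@dataclass(frozen=True)
class Treatment:
    """One treatment option: 'reduce' and 'transfer' scale ARO and/or SLE,
    'avoid' removes the risk entirely, 'retain' changes nothing (assumed model)."""
    option: str                 # "reduce", "transfer", "avoid" or "retain"
    name: str
    annual_cost: float          # control running cost, insurance premium or forgone value
    aro_reduction: float = 0.0  # fraction of the likelihood removed
    sle_reduction: float = 0.0  # fraction of the single loss removed (or insured)

    def apply(self, risk: Risk) -> Risk:
        if self.option == "avoid":
            return Risk(risk.name, 0.0, 0.0)
        return Risk(risk.name, risk.aro * (1 - self.aro_reduction),
                    risk.sle * (1 - self.sle_reduction))


def residual_risk(risk: Risk, plan: Sequence[Treatment]) -> Risk:
    """Residual risk after every treatment in the plan has been applied."""
    for treatment in plan:
        risk = treatment.apply(risk)
    return risk


def plan_cost(plan: Sequence[Treatment]) -> float:
    return sum(t.annual_cost for t in plan)


def select_treatment(risk: Risk, options: List[Treatment], acceptance_threshold: float,
                     max_combined: int = 2) -> Optional[Tuple[List[Treatment], Risk]]:
    """Pick the plan (a single option or a mixed strategy of up to max_combined
    options) whose residual ALE meets the acceptance criterion at the lowest total
    expected annual cost (plan cost + residual ALE). Returns None when no plan is
    acceptable, i.e. the treatment process must be iterated with new options."""
    best = None
    for size in range(1, max_combined + 1):
        for plan in combinations(options, size):
            residual = residual_risk(risk, plan)
            if residual.ale > acceptance_threshold:
                continue  # residual risk unacceptable: discard this plan
            total = plan_cost(plan) + residual.ale
            if best is None or total < best[0]:
                best = (total, plan, residual)
    return None if best is None else (list(best[1]), best[2])


# Constructed example: the laptop theft scenario from the text, with an SLE that
# already includes the data and the reputation/liability assets.
LAPTOP_THEFT = Risk("Laptop theft", aro=0.2, sle=76_500.0)
OPTIONS = [
    Treatment("retain", "Accept the risk as is", 0.0),
    Treatment("reduce", "Cable locks and awareness training", 500.0, aro_reduction=0.5),
    Treatment("reduce", "Full-disk encryption", 2_000.0, sle_reduction=0.9),
    Treatment("transfer", "Cyber insurance policy", 3_000.0, sle_reduction=0.7),
    Treatment("avoid", "No customer data on laptops", 6_000.0),
]
ACCEPTANCE_THRESHOLD = 5_000.0  # maximum acceptable ALE (assumed criterion)

if __name__ == "__main__":
    print(f"Initial ALE: {LAPTOP_THEFT.ale:,.0f}")
    result = select_treatment(LAPTOP_THEFT, OPTIONS, ACCEPTANCE_THRESHOLD)
    if result is None:
        print("No acceptable plan: iterate the treatment process")
    else:
        plan, residual = result
        print("Plan:", " + ".join(t.name for t in plan))
        print(f"Residual ALE: {residual.ale:,.0f} (cost {plan_cost(plan):,.0f}/year)")
```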


NIST SP 800-30 framework

Risk mitigation is a systematic methodology used by senior management to reduce mission risk.
Risk mitigation can be achieved through any of the following risk mitigation options:
* Risk Assumption. To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
* Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
* Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
* Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
* Research and Acknowledgement. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
* Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities: this is the suggestion contained in
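As an added illustration of the treatment options described in the ISO 27005 and SP 800-30 sections above (example code written for this page, not part of either standard), the following script evaluates retain, reduce, transfer and avoid for one risk, compares the insurance premium against the mitigation cost, and returns None when no option brings the residual risk under the acceptance threshold, i.e. when the treatment process has to be iterated. The risk, the controls and their reduction factors, the premium, the insured fraction and the amounts are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability of occurrence, 0..1
    impact: float      # loss per occurrence, in currency units

    @property
    def annual_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # residual likelihood = likelihood * factor
    impact_factor: float = 1.0      # residual impact = impact * factor


def apply_controls(risk, controls):
    """Residual risk after applying the given controls (the 'reduce' option)."""
    lik, imp = risk.likelihood, risk.impact
    for c in controls:
        lik, imp = lik * c.likelihood_factor, imp * c.impact_factor
    return Risk(risk.name, lik, imp)


def evaluate_options(risk, controls, acceptable_loss, premium, insured, avoid_cost=None):
    """Map each treatment option to (total annual cost, residual annual loss, acceptable?)."""
    options = {"retain": (risk.annual_loss, risk.annual_loss)}  # accept the risk as-is
    # reduce: add controls in order of loss avoided per unit of cost until the
    # residual drops below the threshold (the least-cost approach of SP 800-30)
    def effectiveness(c):
        return (risk.annual_loss - apply_controls(risk, [c]).annual_loss) / c.annual_cost
    chosen = []
    for c in sorted(controls, key=effectiveness, reverse=True):
        chosen.append(c)
        if apply_controls(risk, chosen).annual_loss <= acceptable_loss:
            break
    residual = apply_controls(risk, chosen).annual_loss
    options["reduce"] = (sum(c.annual_cost for c in chosen) + residual, residual)
    # transfer: the insurer covers a fraction of each loss for a premium; the
    # uncovered remainder stays with the organization as residual risk
    uncovered = risk.annual_loss * (1.0 - insured)
    options["transfer"] = (premium + uncovered, uncovered)
    if avoid_cost is not None:  # avoid: stop the activity and forgo its value
        options["avoid"] = (avoid_cost, 0.0)
    return {k: (cost, res, res <= acceptable_loss) for k, (cost, res) in options.items()}


def select_treatment(risk, controls, acceptable_loss, premium, insured, avoid_cost=None):
    """Least-cost option with an acceptable residual, or None if treatment must be iterated."""
    evaluated = evaluate_options(risk, controls, acceptable_loss, premium, insured, avoid_cost)
    feasible = {k: v for k, v in evaluated.items() if v[2]}
    if not feasible:
        return None  # no option reaches acceptance: revisit controls or the threshold
    return min(feasible, key=lambda k: feasible[k][0])


# Constructed sample values (assumptions for this example, not taken from the page)
RISK = Risk("theft of customer database", likelihood=0.2, impact=500_000)
CONTROLS = [
    Control("access monitoring", 10_000, likelihood_factor=0.5),
    Control("encryption at rest", 20_000, impact_factor=0.2),
    Control("network segmentation", 30_000, likelihood_factor=0.5),
]
```

With an acceptance threshold of 15,000, a premium of 40,000 covering 90% of losses and an avoidance cost of 120,000, reduction (monitoring plus encryption, 40,000 in total) is selected; with a threshold of 2,000 and no avoidance option available, no treatment is acceptable and the process must be iterated.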


Risk communication

Risk communication is a horizontal process that interacts bidirectionally with all other processes of risk management. Its purpose is to establish a common understanding of all aspects of risk among all of the organization's stakeholders. Establishing a common understanding is important, since it influences the decisions to be taken. The Risk Reduction Overview method is specifically designed for this process. It presents a comprehensible overview of the coherence of risks, measures and residual risks to achieve this common understanding.


Risk monitoring and review

Risk management is an ongoing, never-ending process. Within this process, implemented security measures are regularly monitored and reviewed to ensure that they work as planned and that changes in the environment have not rendered them ineffective. Business requirements, vulnerabilities and threats can change over time. Regular audits should be scheduled and should be conducted by an independent party, i.e. somebody not under the control of whoever is responsible for the implementation or daily management of the ISMS.


IT evaluation and assessment

Security controls should be validated. Technical controls are possibly complex systems that have to be tested and verified. The hardest part to validate is people's knowledge of procedural controls and the effectiveness of the real application of the security procedures in daily business.
Vulnerability assessments, both internal and external, and penetration tests are instruments for verifying the status of security controls. An information technology security audit is an organizational and procedural control with the aim of evaluating security. The IT systems of most organizations evolve quite rapidly. Risk management should cope with these changes through change authorization after risk re-evaluation of the affected systems and processes, and by periodically reviewing the risks and mitigation actions. Monitoring system events according to a security monitoring strategy, an incident response plan, and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained.
It is important to monitor new vulnerabilities, apply procedural and technical security controls such as regularly updating software, and evaluate other kinds of controls to deal with zero-day attacks. The attitude of the people involved to benchmark against best practice and to follow the seminars of professional associations in the sector are factors that assure the state of the art of an organization's IT risk management practice.


Integrating risk management into system development life cycle

Effective risk management must be totally integrated into the SDLC. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. The risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.
NIST SP 800-64 is devoted to this topic. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through:
* Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
* Awareness of potential engineering challenges caused by mandatory security controls;
* Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
* Facilitation of informed executive decision making through comprehensive risk management in a timely manner.
This guide focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC. The document integrates the security steps into the linear, sequential (a.k.a. waterfall) SDLC. The five-step SDLC cited in the document is an example of one method of development and is not intended to mandate this methodology. Lastly, SP 800-64 provides insight into IT projects and initiatives that are not as clearly defined as SDLC-based developments, such as service-oriented architectures, cross-organization projects, and IT facility developments. Security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas.
* Security requirements for information systems
* Correct processing in applications
* Cryptographic controls
* Security of system files
* Security in development and support processes
* Technical vulnerability management
Information systems security begins with incorporating security into the requirements process for any new application or system enhancement. Security should be designed into the system from the beginning. Security requirements are presented to the vendor during the requirements phase of a product purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product. Correct processing in applications is essential in order to prevent errors and to mitigate loss, unauthorized modification or misuse of information. Effective coding techniques include validating input and output data, protecting message integrity using encryption, checking for processing errors, and creating activity logs. Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk encryption is one way to protect data at rest. Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure. System files used by applications must be protected in order to ensure the integrity and stability of the application. Using source code repositories with version control, extensive testing, production back-off plans, and appropriate access to program code are some effective measures that can be used to protect an application's files.
Security in development and support processes is an essential part of a comprehensive quality assurance and production control process, and would usually involve training and continuous oversight by the most experienced staff. Applications need to be monitored and patched for technical vulnerabilities. Procedures for applying patches should include evaluating the patches to determine their appropriateness, and whether or not they can be successfully removed in case of a negative impact.


Critique of risk management as a methodology

Risk management as a scientific methodology has been criticized as being shallow. Major IT risk management programmes for large organizations, such as those mandated by the US Federal Information Security Management Act, have been criticized. By avoiding the complexity that accompanies the formal probabilistic model of risks and uncertainty, risk management looks more like a process that attempts to guess rather than formally predict the future on the basis of statistical evidence. It is highly subjective in assessing the value of assets, the likelihood of threat occurrence and the significance of the impact. However, a better way to deal with the subject has not emerged.


Risk management methods

It is quite hard to list most of the methods that at least partially support the IT risk management process. Efforts in this direction were made by:
* NIST, Description of Automated Risk Management Packages That NIST/NCSC Risk Management Research Laboratory Has Examined, updated 1991
* ENISA in 2006; a list of methods and tools is available online with a comparison engine. Among them the most widely used are:
** CRAMM (CCTA Risk Analysis and Management Method), developed by the British government, is compliant with ISO/IEC 17799, the Gramm–Leach–Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA)
** EBIOS, developed by the French government, is compliant with major security standards: ISO/IEC 27001, ISO/IEC 13335, ISO/IEC 15408, ISO/IEC 17799 and ISO/IEC 21287
** Standard of Good Practice, developed by the Information Security Forum (ISF)
** Mehari, developed by Clusif (Club de la Sécurité de l'Information Français)
** TIK IT Risk Framework, developed by the IT Risk Institute
** Octave, developed by Carnegie Mellon University, SEI (Software Engineering Institute). The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach defines a risk-based strategic assessment and planning technique for security.
** IT-Grundschutz (IT Baseline Protection Manual), developed by the Federal Office for Information Security (BSI) (Germany); IT-Grundschutz provides a method for an organization to establish an Information Security Management System (ISMS). It comprises both generic IT security recommendations for establishing an applicable IT security process and detailed technical recommendations to achieve the necessary IT security level for a specific domain.
The ENISA report classified the different methods regarding completeness, free availability and tool support; the result is that:
* EBIOS, the ISF methods and IT-Grundschutz cover all the aspects in depth (risk identification, risk analysis, risk evaluation, risk assessment, risk treatment, risk acceptance, risk communication),
* EBIOS and IT-Grundschutz are the only ones freely available, and
* only EBIOS has an open source tool to support it.
The main Factor Analysis of Information Risk (FAIR) document, "An Introduction to Factor Analysis of Information Risk (FAIR)" (Risk Management Insight LLC, November 2006), points out that most of the methods above lack a rigorous definition of risk and its factors. FAIR is not another methodology to deal with risk management, but complements existing methodologies (Technical Standard Risk Taxonomy, Document Number C081, published by The Open Group, January 2009). FAIR has had good acceptance, mainly by The Open Group and ISACA.
ISACA developed a methodology, called Risk IT, to address various kinds of IT-related risks, chiefly security-related risks. It is integrated with COBIT, a general framework to manage IT. Risk IT has a broader concept of IT risk than other methodologies: it encompasses not only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit/value enabling risk associated with missing opportunities to use technology to enable or enhance business, or the IT project management for aspects like overspending or late delivery with adverse business impact.
The "''Build Security In''" initiative of the United States Department of Homeland Security cites FAIR. The Build Security In initiative is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development, so it chiefly addresses secure coding.
In 2016, Threat Sketch launched an abbreviated cyber security risk assessment specifically for small organizations. The methodology uses real options to forecast and prioritize a fixed list of high-level threats. In the US, data and privacy legislation continues to evolve to focus on 'reasonable security' for sensitive information risk management. The goal is to ensure organizations establish their duty of care when it comes to managing data. Businesses are responsible for understanding their risk posture to prevent foreseeable harm with reasonable safeguards based on their specific working environment.


Standards

There are a number of standards about IT risk and IT risk management. For a description see the main article.


External links


* Internet2 Information Security Guide: Effective Practices and Solutions for Higher Education
* Risk Management - Principles and Inventories for Risk Management / Risk Assessment methods and tools, ENISA, publication date: Jun 01, 2006. Conducted by the Technical Department of ENISA Section Risk Management
* Clusif Club de la Sécurité de l'Information Français
* FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
* FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
* NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
* FISMApedia, a collection of documents and discussions focused on USA Federal IT security
* Anderson, K., Intelligence-Based Threat Assessments for Information Networks and Infrastructures: A White Paper, 2005
* Danny Lieberman, 2009