Certified Risk Manager
Information Security Risk Management Framework and processes based on ISO/IEC 27005
Clauses 7 to 12
Annexes are very good
DOMAIN 1
Fundamental principles and concepts of information security risk management
Deming cycle (Plan-Do-Check-Act)
Alignment of ISMS and Information Security Risk Management Process
1. Risk Management Program
1.1 Demonstrate Leadership and Commitment
Support from senior leaders
1.2 Assign Responsibility for Risk Management
Assign to roles
1.3 Define Responsibilities of Principal Stakeholders
Top Mgmt
Finance
Cost/Benefit analysis
HR
Info Sec
Identify controls to manage risk
IT Technician
Implement the technical solutions for measuring and managing day-to-day operations
Legal service
regulatory and contractual
Public relations
Internal audit
1.4 Ensure Accountability
Risk Management = core business responsibility
Identify individuals who have the accountability and authority to manage risk
1.5 Establish a Risk Management Policy
Becomes part of the culture of the organisation
Is readily available within the organisation
1.6 Implement a Risk Management Process - clause 7.4
1.7 Select a Risk Assessment Approach
Input
Scope
Action
Risks identified and assessed, quantitatively or qualitatively
Output
List of assessed risks, prioritised
1.8 Select a Risk Assessment Methodology
OCTAVE
MEHARI
NIST 800-30
CRAMM
1.9 Plan Activities for Risk Assessment
1.10 Provide the Resources - clause 7.1
2. Context Establishment
2.1 Understanding the Organisation's Context
Mission (feeds the Risk Management Objectives)
Values (feed the Risk Management Objectives)
Objectives (feed the Risk Management Objectives)
Understand Key Processes
Establish Internal and External Context
Strategies (feed the Risk Management Objectives)
SWOT (Strengths, Weaknesses, Opportunities, Threats)
PEST (Political, Economic, Social, Technological)
STEP (Social, Technological, Economic, Political; the same factors as PEST in a different order)
Ask people "what keeps you up at night?"
2.2 Identification and Analysis of Stakeholders
2.3 Determine the Objectives (of the risk management activity)
Laws and Regulations
Standards
Market
Internal Policies
2.4 Determine the Basic Criteria
Evaluation of Risk (clause 7.2.2)
strategic value of the business information process
criticality of the information assets involved
operational and business importance of confidentiality, integrity and availability
stakeholders' expectations and perceptions
Impacts (to the organisation caused by an information security event)
classification of the impacted information asset
damage to reputation
breaches of information security (confidentiality, integrity, availability)
impairment of operations (internal or third party)
Risk Acceptance (clause 7.2.4) Annex E 2.2
Quantitative or Qualitative
business criteria
operations
finance
social and humanitarian factors
technology
Acceptance Maintenance Criteria
2.5 Define the Scope and Boundaries - clause 7.3
Exclusions have to be justified and documented
Interfaces have to be taken into account
Constraints - Annex A.3
Technical
Financial
Environmental
Time
Methods
Organisational
Operation
Maintenance
HR
Administrative
Development
Managerial
DOMAIN 4:
Other information security risk assessment methods
Efficient Communication Strategy
Methodologies
OCTAVE-S
OCTAVE-Allegro
Domain 3:
Information security risk management framework and process based on
ISO/IEC 27005
Risk Identification
Information Gathering Techniques
Questionnaires
Interviews
Ask open-ended questions and clarify the responses
take notes
cover all subjects
Documentation Review
Scanning Tools
Vulnerability scanning
Pen testing
Code Review
Activities to identify
3.1 Assets
Primary Assets
Information
Business process and activities
Supporting Assets
Each asset must have an owner
assign value
Threats
ISO/IEC 27005, clause 8.2.3
See ANNEX C, ISO 27005
Examples
Accidental
Deliberate
Natural
Identify existing controls
Documentation Review
Questionnaires
Interviews
Ask open-ended questions and clarify the responses
take notes
cover all subjects
Identify Vulnerabilities
Scanning Tools
Vulnerability scanning
Pen testing
Code Review
Example
Identify Consequences/Impact
Qualitatively
Quantitatively
Examples
Real Life Example
Risk Analysis
In practice a qualitative assessment is what you will do most of the time
Monetary
Technical
Human Impact
Example presentation of impact
Risk Evaluation
Example
ISO/IEC 27005, Annex E.2.3 Example 2 — Ranking of Threats by Measures of Risk
A matrix or table such as that shown in Table E.3 can be used to relate the factors of consequences
(asset value) and likelihood of threat occurrence (taking account of vulnerability aspects). The first
step is to evaluate the consequences (asset value) on a predefined scale, e.g. 1 through 5, of each
threatened asset (column “b” in the table). The second step is to evaluate the likelihood of threat
occurrence on a predefined scale, e.g. 1 through 5, of each threat (column “c” in the table). The third
step is to calculate the measure of risk by multiplying (b × c). Finally, the threats can be ranked in order
of their associated measure of risk. Note that, in this example, 1 is taken as the lowest consequence
and the lowest likelihood of occurrence.
NOTE: PRIMARY is Patient data and Client contracts
NOTE: SUPPORTING is Laptop and File Server
Risk Assessment Using a Quantitative Method
Exposure factor (EF): expressed as a percentage, this is the proportion of the asset's value that would
be lost in one occurrence of the threat.
For example, if it is estimated that on average an attack affects three quarters of a network, the
exposure factor for that threat is 75%.
Single Loss Expectancy (SLE): the monetary loss from a single occurrence of the risk, calculated as the
asset value multiplied by the exposure factor (SLE = AV x EF).
For example, if the computer equipment is valued at $100,000 and the exposure factor is 75%, the single
loss expectancy (SLE) is $75,000.
Annual rate of occurrence (ARO): the expected number of times the risk occurs per year. A value of 0
means the event is never expected and 1 means once a year on average; a threat that is expected several
times a year has an ARO greater than 1.
For example, if a cyber attack on a specific piece of equipment is expected once in a thousand years,
the annual rate of occurrence (ARO) is 0.001. If it is expected once every five years, the ARO is 0.2.
Annual Loss Expectancy (ALE): the expected loss per year, combining the loss from a single occurrence
with how often it is expected to occur: ALE = SLE x ARO. It also gives the upper bound on what is worth
spending per year to protect the asset against that particular threat.
For example, with a single loss expectancy (SLE) of $75,000 and an annual rate of occurrence of 0.2,
the annual loss expectancy (ALE) is $15,000.
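The two ways of measuring risk described in the notes above, the Annex E.2.3 ranking (consequence x likelihood) and the quantitative SLE/ARO/ALE method, carried through on one small risk register. This is an added, constructed example, not code from ISO/IEC 27005 or from the course; the register rows, scores, asset values, control costs and the assumed effect of the control are made up for illustration (the file server row reuses the page's own $100,000 / 75% / 0.2 figures), and the function and field names are this example's own.

```python
"""Risk analysis and evaluation helpers for the two methods described above.

Added, constructed example; it is not code from ISO/IEC 27005 or from the course.
The register contents, asset values, scores, costs and control effects below are
made-up sample data. The formulas are the ones stated on the page:
  Annex E.2.3  measure of risk = consequence (column b) x likelihood (column c), then rank
  Quantitative SLE = AV x EF,  ALE = SLE x ARO
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_type: str         # "primary" or "supporting" (the asset classes used in the notes above)
    threat: str
    consequence: int        # Annex E.2.3 column "b": 1 (lowest) .. 5
    likelihood: int         # Annex E.2.3 column "c": 1 (lowest) .. 5
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO, expected occurrences per year (0 = never; may exceed 1)


def risk_measure(entry: RiskEntry) -> int:
    """Annex E.2.3 measure of risk: b x c, after checking both scores are on the 1..5 scale."""
    for name, score in (("consequence", entry.consequence), ("likelihood", entry.likelihood)):
        if not 1 <= score <= 5:
            raise ValueError(f"{name} must be on the 1..5 scale, got {score}")
    return entry.consequence * entry.likelihood


def rank_threats(register: list) -> list:
    """Rank the register from highest measure of risk to lowest (rank 1 first)."""
    ranked = sorted(register, key=risk_measure, reverse=True)
    return [(e.asset, e.threat, risk_measure(e)) for e in ranked]


def sle(entry: RiskEntry) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= entry.exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of asset value lost, 0.0 .. 1.0")
    return entry.asset_value * entry.exposure_factor


def ale(entry: RiskEntry) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    if entry.aro < 0:
        raise ValueError("ARO is a frequency per year and cannot be negative")
    return sle(entry) * entry.aro


def control_cost_benefit(entry: RiskEntry, annual_control_cost: float,
                         ef_after: Optional[float] = None,
                         aro_after: Optional[float] = None) -> dict:
    """Cost/benefit of one candidate control that lowers EF and/or ARO.

    The ALE after treatment is the residual risk in money terms; the ALE before
    treatment is the ceiling on what is worth spending per year on this threat.
    """
    treated = replace(entry,
                      exposure_factor=entry.exposure_factor if ef_after is None else ef_after,
                      aro=entry.aro if aro_after is None else aro_after)
    before, after = ale(entry), ale(treated)
    net = (before - after) - annual_control_cost
    if annual_control_cost > before:
        option = "reject control: its annual cost exceeds the ALE it addresses"
    elif net > 0:
        option = "reduce"
    else:
        option = "accept, or look for a cheaper control, transfer or avoid"
    return {"ale_before": before, "ale_after": after,
            "net_annual_benefit": net, "option": option}


# Constructed register. Asset names follow the notes above (patient data and client
# contracts as primary assets; laptop and file server as supporting assets).
REGISTER = [
    RiskEntry("Patient data", "primary", "Unauthorised disclosure", 5, 2, 500_000, 0.40, 0.10),
    RiskEntry("Client contracts", "primary", "Accidental deletion", 3, 1, 80_000, 0.25, 0.05),
    RiskEntry("Laptop", "supporting", "Theft", 3, 3, 2_000, 1.00, 0.50),
    RiskEntry("File server", "supporting", "Ransomware", 4, 3, 100_000, 0.75, 0.20),
]

if __name__ == "__main__":
    for rank, (asset, threat, measure) in enumerate(rank_threats(REGISTER), start=1):
        print(f"{rank}. {asset} / {threat}: measure of risk {measure}")
    fs = REGISTER[3]
    print(f"File server: SLE ${sle(fs):,.0f}, ALE ${ale(fs):,.0f}")
    # Assumed (constructed) effect of a backup control: ransomware ARO drops from 0.2 to 0.05
    print(control_cost_benefit(fs, annual_control_cost=5_000, aro_after=0.05))
    print(control_cost_benefit(fs, annual_control_cost=20_000, aro_after=0.05))
```

The qualitative ranking only orders threats; the quantitative figures are what let the cost/benefit step under "Risk Treatment" be argued with finance, since a control whose annualised cost exceeds the ALE it addresses cannot be justified on loss reduction alone, and a control that only narrowly fails the net-benefit test points to acceptance or to another treatment option rather than to doing nothing.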
Risk Treatment
Reduce
Implement Controls (the risk treatment plan should record:)
— the rationale for selection of the treatment options, including the expected benefits to be gained;
— those who are accountable and responsible for approving and implementing the plan;
— the proposed actions;
— the resources required, including contingencies;
— the performance measures;
— the constraints;
— the required reporting and monitoring;
— when actions are expected to be undertaken and completed.
Example
Residual risk = Inherent risk – risk reduction achieved by the treatment
Accept
Cost/Benefit Analysis output
Regular Reviews Needed
Transfer
SLAs
Contracts
Avoid
Don't implement the technology or activity that introduces the risk
Risk Acceptance
7.1 Accept the Risk Treatment Plan
Risk Owners to accept
Residual Risk
Presenting to mgmt