Analysis of international documents on information security risk management. Part 2

In the previous part, we described the general concept of risk management and covered the risk management methods described in the NIST SP 800 series. In this part we continue the review of international documents on information security risk management, this time the ISO/IEC 27005 and IEC 31010 standards. Let's get started!


The previously reviewed special publications NIST SP 800-39, NIST SP 800-37 and NIST SP 800-30 offer a coherent, systematic approach to risk assessment and treatment, while NIST SP 800-53, NIST SP 800-53A and NIST SP 800-137 offer specific measures for minimizing information security risks. However, it should be borne in mind that these documents are essentially advisory in nature and are not standards (unlike, for example, the NIST FIPS documents), and also that they were originally developed for companies and organizations in the United States. This imposes certain restrictions on their use: for example, an organization cannot obtain international certification for implementing the provisions of these documents, and applying the entire set of related NIST frameworks can be overly laborious and impractical. Companies therefore often choose the certification path according to the requirements of the International Organization for Standardization (ISO), obtaining, for example, the internationally recognized status of "ISO 27001 Certified". The ISO 27000 series of standards includes documents on information security and risk management. Let us consider the main document of this series on IS risk management: the ISO/IEC 27005:2018 standard.

ISO/IEC 27005:2018

The ISO/IEC 27005:2018 standard "Information technology - Security techniques - Information security risk management" is the third revision: the first version of the standard was published in 2005, and the second in 2011. The document introduces several risk-specific terms. A control is a measure that modifies risk. The concept of context includes the external context, meaning the external environment of the company (for example, the political, economic and cultural environment, as well as relationships with external stakeholders), and the internal context, meaning the internal environment of the company (internal processes, policies, standards, systems, goals and culture of the organization, relationships with internal stakeholders, as well as contractual obligations).

Risk is the effect of uncertainty on objectives, where uncertainty means a state of lack of information about an event, its consequences or the likelihood of its occurrence. The level of risk is the magnitude of a risk, expressed as the product of the consequences of significant events and the probability of their occurrence. Residual risk is the risk remaining after the risk treatment procedure. Risk assessment is the overall process of risk identification (i.e. finding, recognizing and describing a risk), risk analysis (i.e. understanding the nature of a risk and determining its level) and risk evaluation (i.e. comparing the results of risk analysis with the risk criteria to determine whether its magnitude is acceptable). Risk treatment is a process of modifying risk that may include:

  • risk avoidance, by deciding not to start or continue the activity that gives rise to the risk;
  • acceptance or increase of risk in order to pursue business goals;
  • removal of the risk source;
  • changing the likelihood of the risk occurring;
  • changing the expected consequences of the risk being realized;
  • risk sharing (transfer);
  • risk retention.

The IS risk management process from the point of view of the authors of the ISO / IEC 27005: 2018 standard should be characterized by the following features:

  1. . , ( -).
  2. .
  3. .
  4. , .
  5. .
  6. .
  7. .
  8. .

The risk management process itself consists of the following steps (sub-processes), which follow the PDCA (Plan - Do - Check - Act) approach adopted in ISO 27001:

  1. Definition of the context.
  2. Risk assessment.
  3. Development of a risk treatment plan.
  4. Risk acceptance.
  5. Implementation of the developed risk treatment plan.
  6. Continuous monitoring and review of risks.
  7. Support and improvement of the IS risk management process.

Further we will consider each of these steps in more detail.

1. Definition of the context


When determining the context, the input data is all information about the company that is relevant to risk management. As part of this process, an approach to risk management is selected, which should include risk evaluation criteria, impact criteria and risk acceptance criteria. In addition, the resources necessary for carrying out this process should be evaluated and allocated.

Risk evaluation criteria should be developed for assessing IS risks in the company and should take into account the value of information assets, the requirements for their confidentiality, integrity and availability, the role of information in business processes, legal requirements and contractual obligations, the expectations of stakeholders, and possible negative consequences for the company's goodwill and reputation.

The impact criteria should take into account the level of damage, or the company's cost of recovering from a realized information security risk, considering the level of importance of the IT asset, the information security violation (i.e. loss of the asset's confidentiality, integrity or availability), forced business process downtime, economic losses, disruption of plans and deadlines, damage to reputation, and violation of legal requirements and contractual obligations.

Risk acceptance criteria can be expressed as the ratio of expected business benefit to expected risk. At the same time, different criteria can be applied to different classes of risk: for example, risks of non-compliance with the law may not be accepted in principle, while high financial risks may be accepted if they are part of contractual obligations. In addition, the forecast period over which the risk stays relevant (long-term and short-term risks) should be taken into account. Risk acceptance criteria must be developed with the desired (target) level of risk in mind, allowing top management to accept risks above this level in certain circumstances, and also allowing risks to be accepted on condition that they are treated within an agreed time period.

In addition to the above criteria, as part of the context determination process, the boundaries and scope of the IS risk management process should be taken into account: business goals, business processes, plans and policies of the company, the structure and functions of the organization, applicable legislative and other requirements, information assets, expectations of stakeholders, interaction with counterparties. You can consider the risk management process within a specific IT system, infrastructure, business process, or within a specific part of the entire company.

2. Risk assessment


As part of the risk assessment process, the company must assess the value of information assets, identify current threats and vulnerabilities, obtain information on the existing controls and their effectiveness, and determine the potential consequences of the risks. As a result of risk assessment, the company should obtain a quantitative or qualitative estimate of each risk, as well as a prioritization of these risks that takes into account the risk evaluation criteria and the goals of the company. The risk assessment process itself consists of risk identification, risk analysis and risk evaluation.

2.1. Risk identification


The purpose of identifying risks is to determine what can happen and lead to potential damage, and to gain an understanding of how, where and why this damage can occur. In this case, one should take into account the risks, regardless of whether the source of these risks is under the control of the organization or not. As part of this process, the following should be carried out:

  1. identification (inventory) of assets, resulting in a list of IT assets and business processes;
  2. identification of threats, taking into account deliberate and accidental threats as well as external and internal threat sources; information about possible threats can be obtained both from internal sources in the organization (legal, HR, IT, etc.) and from external ones (insurance companies, external consultants, statistical information, etc.);
  3. ;
  4. , ; , , -, , , ;
  5. , , -.

2.2. Risk analysis


Risk analysis can be carried out at different depths, depending on the criticality of the assets and the number of known vulnerabilities, and also taking into account previous incidents. The risk analysis methodology can be either qualitative or quantitative: as a rule, a qualitative analysis is used first to single out high-priority risks, and then a quantitative analysis, which is more time-consuming but gives more accurate results, is applied to the risks so identified.

In qualitative analysis, specialists use a descriptive scale (for example, low, medium, high) to rate the potential consequences of certain events and the likelihood of these consequences.

Quantitative analysis methods operate on numerical values, taking into account historical data on incidents that have already occurred. It should be borne in mind that in the absence of reliable, verifiable facts, a quantitative risk assessment can only give the illusion of accuracy.

When the risk analysis itself is conducted, the potential consequences of IS incidents are assessed first: their level of negative impact on the company is assessed taking into account the consequences of violations of the confidentiality, integrity and availability of information assets. The existing assets are inventoried and audited in order to classify them by criticality, and the potential negative impact on the business of information security violations affecting these assets is also assessed (preferably in monetary terms). Asset valuation is carried out as part of a Business Impact Analysis and can be calculated from the cost of replacing or restoring the asset or information, as well as from the consequences of its loss or compromise: financial, legal and reputational aspects are considered. It should also be borne in mind that a threat can affect one or several interrelated assets, or affect an asset only partially.

Next, the probability of each incident, i.e. of each potential threat scenario, is assessed. It is necessary to take into account the frequency of the threat and the ease of exploiting the vulnerabilities, guided by statistical information about similar threats, as well as data on the motivation and capabilities of deliberate threat sources (building an attacker model), the attractiveness of the assets to attackers, existing vulnerabilities and the controls applied; when considering unintentional threats, the location, weather conditions, equipment features, human error, etc. should be taken into account. Depending on the required accuracy of the assessment, assets can be grouped or split according to the attack scenarios applicable to them.

Finally, the risk level is determined for every scenario in the developed list of attack scenarios. The magnitude of the expected risk is the product of the probability of the incident scenario and its consequences.

2.3. Risk evaluation


As part of the risk evaluation process, the risk levels obtained at the previous stage are compared with the risk evaluation criteria and risk acceptance criteria defined at the context determination stage. When making decisions, the consequences of threats being realized, the likelihood of negative consequences, and the degree of confidence in the correctness of the risk identification and analysis should be taken into account. The properties of IS assets must also be considered (for example, if loss of confidentiality is not relevant for the organization, then all risks violating this property can be discarded), as well as the importance of the business processes served by a particular asset (for example, risks that affect an insignificant business process may be classed as low priority).

3. IS risk treatment


By the start of this sub-process, we already have a list of risks prioritized according to the risk evaluation criteria, together with the incident scenarios that may lead to these risks being realized. As a result of the risk treatment stage, we must select controls designed to modify, retain, avoid or share (transfer) the risks, deal with the residual risks, and form a risk treatment plan.

The risk treatment options listed (modification, retention, avoidance or transfer) should be selected depending on the results of the risk assessment process, the estimated cost of implementing the controls and the expected benefit of each option; they can also be combined (for example, modifying the likelihood of a risk and transferring the residual risk). Preference should be given to easy-to-implement, low-budget measures that nevertheless give a large risk-reduction effect and cover a greater number of threats; where costly solutions are needed, their use should be economically justified. In general, one should strive to minimize negative consequences, and also take into account rare but destructive risks.

As a result, the responsible persons should formulate a risk treatment plan that clearly defines the priority and time frame within which the treatment of each risk is to be implemented. Priorities can be set based on the results of risk ranking and cost-benefit analysis. If any controls have already been implemented in the organization, it is reasonable to analyze their relevance and cost of ownership, taking into account the relationship between these controls and the threats they were applied against.

Once the risk treatment plan has been drawn up, the residual risks should be determined. This may require updating or repeating the risk assessment, taking into account the expected effect of the proposed risk treatment methods.

Next, we consider in more detail the possible options for processing risks.

3.1. Risk modification


Risk modification means managing a risk by applying or changing controls so that the residual risk is assessed as acceptable. When the risk modification option is chosen, justified and relevant controls are selected that meet the requirements defined at the risk assessment and risk treatment stages. A variety of constraints should be taken into account, such as the cost of ownership of the controls (including implementation, administration and impact on the infrastructure), time and financial limits, the need for staff to operate these controls, and the requirements for integration with current and new security measures. The cost of these constraints must also be compared with the value of the asset being protected. Controls may perform the following functions: correction, elimination, prevention, minimization of negative impact, deterrence of potential violators, detection, recovery, monitoring, and employee awareness.

The result of the “Risk Modification” step should be a list of possible protection measures with their cost, proposed benefits and implementation priority.

3.2. Risk retention


Risk retention means that, based on the results of risk evaluation, it was decided that no further treatment is required, i.e. the estimated level of expected risk meets the risk acceptance criteria. Note that this option is fundamentally different from the bad practice of ignoring risk, in which an already identified and assessed risk is not treated in any way and no formal acceptance decision is made, leaving the risk in a "suspended" state.

3.3. Risk avoidance


When choosing this option, a decision is made not to conduct a certain activity or to change the conditions of its conduct so as to avoid the risk associated with this activity. This decision can be made in case of high risks or if the cost of implementing protective measures exceeds the expected benefits. For example, a company may refuse to provide users with certain online services related to personal data, based on the results of an analysis of the possible risks of leakage of such information and the cost of implementing adequate protection measures.

3.4. Risk transfer


Risk can be transferred to the organization that can manage it most effectively. Thus, on the basis of a risk assessment, a decision is made to transfer certain risks to another party, for example, by insuring cyber risks (a service that is gaining popularity in Russia, but whose market is still several times smaller than, for example, in the USA) or by transferring responsibility for monitoring and responding to IS incidents to an MSSP (Managed Security Service Provider) or MDR (Managed Detection and Response) provider, i.e. a commercial SOC. When choosing the risk transfer option, it should be noted that the transfer itself can be a risk, and also that responsibility for managing the risk can be transferred to another company, but accountability for the negative consequences of a possible incident cannot.

4. Risk Acceptance


The input data for this stage are the risk treatment plans developed at the previous step and the assessment of residual risks. Risk treatment plans should describe how the assessed risks will be treated so as to meet the risk acceptance criteria. Responsible persons analyze and approve the proposed risk treatment plans and the resulting residual risks, and record all the conditions under which this approval is given. In a simplified model, a straightforward comparison of the residual risk with a previously defined acceptable level is made. However, it should be borne in mind that in some cases it may be necessary to revise risk acceptance criteria that do not take new circumstances or conditions into account. In such cases, those responsible may be forced to accept such risks, recording the rationale and a comment on the decision to depart from the risk acceptance criteria in that particular case.

As a result, a list of accepted risks is formed with a justification for those that do not meet the previously defined criteria for accepting risks.
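As an added example that is not part of the article or of the standard, the following Python sketch ties sections 2.2 to 4 together: a qualitative likelihood x consequence risk level, evaluation against per-class acceptance criteria set at the context stage, the four treatment options with the resulting residual risk, and flagging of residual risks that still exceed their criterion and therefore need a documented acceptance decision. The risk classes, criterion values and the sample register are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):           # three-point descriptive scale used in qualitative analysis
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    name: str
    risk_class: str             # "legal", "financial" or "operational" (constructed classes)
    likelihood: Level           # probability of the incident scenario
    consequence: Level          # negative impact (C/I/A violation, downtime, fines, ...)
    treatment: str = "retain"   # "modify", "retain", "avoid" or "transfer"
    residual_likelihood: Optional[Level] = None    # expected effect of the chosen treatment
    residual_consequence: Optional[Level] = None
    justification: str = ""     # required when a risk above its criterion is retained


# Acceptance criteria fixed at the context-definition stage (constructed values):
# legal non-compliance is never accepted; financial risks tolerate more than operational ones.
ACCEPTANCE_CRITERIA = {"legal": 0, "financial": 4, "operational": 3}


def risk_level(likelihood: Level, consequence: Level) -> int:
    """Level of risk = product of consequence and probability (1..9)."""
    return int(likelihood) * int(consequence)


def is_acceptable(risk: Risk, level: int) -> bool:
    """Risk evaluation: compare a level with the acceptance criterion of the risk's class."""
    return level <= ACCEPTANCE_CRITERIA[risk.risk_class]


def residual_level(risk: Risk) -> int:
    """Residual risk: avoidance removes it, retention leaves it unchanged,
    modification/transfer use the expected post-treatment likelihood and consequence."""
    if risk.treatment == "avoid":
        return 0
    if risk.treatment == "retain":
        return risk_level(risk.likelihood, risk.consequence)
    return risk_level(risk.residual_likelihood or risk.likelihood,
                      risk.residual_consequence or risk.consequence)


def build_treatment_plan(risks):
    """Rank risks by level (highest first); record treatment, residual level and
    whether the residual is accepted or needs a documented exception."""
    plan = []
    for r in sorted(risks, key=lambda x: risk_level(x.likelihood, x.consequence), reverse=True):
        level, residual = risk_level(r.likelihood, r.consequence), residual_level(r)
        accepted = is_acceptable(r, residual)
        plan.append({"name": r.name, "class": r.risk_class, "level": level,
                     "acceptable_as_is": is_acceptable(r, level), "treatment": r.treatment,
                     "residual": residual, "accepted": accepted,
                     # a residual above the criterion may be kept only with a recorded rationale
                     "exception_justified": (not accepted) and bool(r.justification)})
    return plan


# Constructed sample register (not from the article or the standard).
SAMPLE_RISKS = [
    Risk("Ransomware on the file server", "operational", Level.HIGH, Level.HIGH,
         "modify", residual_likelihood=Level.LOW),
    Risk("Personal-data leak via a new online service", "legal", Level.MEDIUM, Level.HIGH, "avoid"),
    Risk("Business interruption from DDoS", "financial", Level.HIGH, Level.MEDIUM,
         "transfer", residual_consequence=Level.LOW),
    Risk("Contractual penalty for an SLA breach", "financial", Level.MEDIUM, Level.HIGH,
         "retain", justification="penalty is part of the signed contract; accepted by the CRO"),
    Risk("Loss of a non-critical test server", "operational", Level.LOW, Level.MEDIUM),
]
```

Running `build_treatment_plan(SAMPLE_RISKS)` lists the ransomware risk first (level 9) and marks the retained SLA risk as exceeding its criterion but justified, which is exactly the "accepted with rationale" entry the standard expects at the end of the acceptance step.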

5. Implementation of the developed risk treatment plan. IS risk communication


At this stage, the developed risk treatment plan is put into practice: in accordance with the decisions made, protection tools and equipment are purchased and configured, cyber insurance and incident response contracts are concluded, and legal work is carried out with contractors. In parallel, management and stakeholders are informed about the identified IS risks and the measures taken to address them, in order to achieve a common understanding of the activities under way. Information security risk communication plans are developed for coordinated activity in both normal and emergency situations (for example, in the event of a major information security incident).

6. Continuous risk monitoring and review


It should be borne in mind that risks can quietly change over time: assets and their value change, new threats and vulnerabilities appear, the probability of threats and the level of their negative impact changes. Therefore, it is necessary to continuously monitor ongoing changes, including with the involvement of external counterparties specializing in the analysis of current IS threats. It is required to conduct a regular review of both IS risks and the methods used to treat them for the relevance and adequacy of a potentially changing situation. Particular attention should be paid to this process at the time of significant changes in the company's work and ongoing business processes (for example, during mergers / acquisitions, the launch of new services, changes in the ownership structure of the company, etc.).

7. Support and improvement of the IS risk management process


Just as risks are continuously monitored, the risk management process itself should be constantly maintained and improved so that the context, the assessment and the treatment plan remain relevant to the current situation and circumstances. All changes and improvements need to be agreed with the interested parties. The risk evaluation and acceptance criteria, the valuation of assets, the available resources, competitor activity, and changes in legislation and contractual obligations should correspond to the current business processes and current goals of the company. Where necessary, the current approach, methodology and tools of IS risk management should be changed or improved.

IEC 31010:2019

We now briefly review the IEC 31010:2019 standard "Risk management - Risk assessment techniques".

This standard is part of a series of business risk management standards that are not specifically tied to IS risks. The parent standard is ISO 31000:2018, "Risk management - Guidelines", which describes the framework, the principles and the risk management process itself. The risk management process described in that document is similar to the one discussed above: the context, boundaries and criteria are determined, a risk assessment is carried out (consisting of identification, analysis and evaluation), then the risk is treated, followed by communication, reporting, monitoring and review.

The IEC 31010:2019 standard is noteworthy in that it describes more than 40 different risk assessment techniques; for each it gives an explanation and its applicability to each risk assessment sub-process (risk identification, identification of risk sources and causes, analysis of controls, analysis of consequences, likelihoods, relationships and interactions, measuring and evaluating the level of risk, selection of controls, reporting), and for some techniques practical examples of use are also given. In addition, the Russian national version of this standard, GOST R ISO/IEC 31010-2011 "Risk management. Risk assessment methods", is referenced by Regulation 607-P of the Central Bank of the Russian Federation "On requirements for the procedure for ensuring uninterrupted operation of the payment system, indicators of uninterrupted operation of the payment system and methods of risk analysis in the payment system, including risk profiles".
