Risk assessment principles and guidelines


Description

Risk assessment principles and guidelines is a slide deck created and presented at the Mission Critical Workshop. The slides are part of a Business Continuity Management (BCM) presentation intended for professionals responsible for a BCM or Risk Assessment program.

Transcript of Risk assessment principles and guidelines

Page 1: Risk assessment principles and guidelines


Page 2: Risk assessment principles and guidelines


Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.

[email protected] | http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint | 16 August 2013

Page 3: Risk assessment principles and guidelines


Introduction: Abstract

Page 4: Risk assessment principles and guidelines


Introduction: Abstract

Page 5: Risk assessment principles and guidelines


Introduction: Objective

- To ensure that IT-related risks are identified, analyzed and presented in order to ensure information security for the organization.
- To identify measures or controls to be taken to mitigate the risk to an acceptable level.


Page 6: Risk assessment principles and guidelines


Page 7: Risk assessment principles and guidelines


Risk Management: Generic Approach

Page 8: Risk assessment principles and guidelines


Risk Management: Generic Process

Process diagram (reference: ISO/IEC 27005), recovered as text:

Context Establishment
  -> Risk Assessment
       Risk Analysis: Risk Identification, Risk Estimation
       Risk Evaluation
  -> Risk Decision Point 1: Assessment satisfactory? (Yes: continue; No: iterate)
  -> Risk Treatment: Reduction, Retention, Avoidance, Transfer
  -> Risk Decision Point 2: Treatment satisfactory? (Yes: continue; No: iterate)
  -> Risk Acceptance

Risk Communication and Risk Monitoring and Review run alongside every step of the process.

Page 9: Risk assessment principles and guidelines


Page 10: Risk assessment principles and guidelines


Risk Assessment: Methodology

Page 11: Risk assessment principles and guidelines


Risk Assessment: Likelihood

The goal is to identify the potential threat-sources and develop a list of system vulnerabilities that could be exploited by those threat-sources.

Likelihood scale (description, score):

Rare: Rarely happens or very unlikely to happen. Score 1.
Unlikely: Not seen within the last 5 years or unlikely to happen. Score 2.
Moderate: Seen within the last 5 years but not within the last year, or likely to happen. Score 3.
Likely: Seen within the last year or very likely to happen. Score 4.
Most likely: Happens on a regular basis or most likely to happen. Score 5.

Page 12: Risk assessment principles and guidelines


Risk Assessment: Impact Level and Scoring (Mission Critical Scenario)

The goal is to measure the level of risk and determine the adverse impact resulting from a successful exercise of a vulnerability by a threat.

Impact scale (description, score):

Insignificant: Impact that would not cause any exposure of information, any effect on national security, any injury, any unauthorized entry, any asset loss, or any system or operation disruption. Score 1.

Minor: Impact that would cause exposure of Restricted information, "undesirable effects" on national security, less than minor injury, undetected or delayed detection of unauthorized entry with no asset loss or access to sensitive materials, or no system or operation disruption. Score 2.

Major: Impact that would cause exposure of Confidential information, "damage" or be "prejudicial" to national security, or be harmful to national interest, national reputation, Government activities or to individuals, or cause embarrassment or difficulty to the administration, or give benefits to foreign powers, bringing limited financial losses to the Organization, minor injury not requiring hospitalization, undetected or delayed detection of unauthorized entry resulting in limited access to assets or sensitive materials, or no mission impairment, or minor system and operation disruption. Score 3.

Material: Impact that would cause exposure of Secret information, "serious damage" to national security, interest and reputation, give great benefits to foreign powers, bringing significant financial losses to the Organization, severe injury to human resources, loss of valuable assets resulting from undetected or unauthorized access, unacceptable mission delays, or unacceptable system and operation disruption. Score 4.

Catastrophic: Impact that would cause exposure of Top Secret information, "exceptionally grave damage" to national security, bringing physical or financial losses to the Organization, loss of life, loss of critical assets, significant impairment of mission over an extended period of time, or catastrophic or widespread loss of system services. Score 5.

Page 13: Risk assessment principles and guidelines


Risk Assessment: Risk Matrix and Impact Level

Four risk levels and the response each requires:

Low risk: No mitigation required. Action must be taken to maintain the risk level and be implemented in the long-term plan.

Medium risk: Risk mitigation may be required to maintain or reduce the risk level. An implementation plan must be developed and included in the mid-term plan.

High risk, management attention needed: Risk mitigation is required to lower the risk to an acceptable level. An implementation plan must be developed and included in the short-term plan.

Critical risk, immediate action required: Risk mitigation is required to lower the risk to an acceptable level. Action must be taken ASAP.

Page 14: Risk assessment principles and guidelines


Risk Assessment: Risk Treatment Process

Process diagram, recovered as text:

Risk Assessment Results
  -> Risk Decision Point 1: Satisfactory Assessment
  -> Risk Treatment Options: Reduction, Retention, Avoidance, Transfer
  -> Residual Risk
  -> Risk Decision Point 2: Satisfactory Treatment

Page 15: Risk assessment principles and guidelines


Risk Assessment: Risk Treatment Process (continued)

Reduce

Risk reduction involves approaches that reduce the probability of the vulnerability being triggered or reduce the impact when the vulnerability is triggered. Reducing a risk most often involves putting controls in place.

Retain

Risk retention means accepting the loss when it occurs. Risk retention is a viable strategy for small-impact risks where the cost of insuring against the risk would be greater over time than the total losses sustained. Plans should be put in place to manage the consequences of these risks if they occur, including identifying a means of financing the risk. Risks can also be retained by default, i.e. when there is a failure to identify and/or appropriately transfer or otherwise treat risks.

Avoidance

Risk avoidance means simply not performing the activity that carries the risk. Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain.

Transfer

Risk transfer means passing the risk on to another party that is willing to accept it, typically by contract, partnership and/or joint venture. Insurance is an example of risk transfer using contracts. The transfer of a risk to other parties, or physical transfer to other places, will reduce the risk for the original organization, but may not diminish the overall level of risk to society. Where risks are transferred in whole or in part, the organization transferring the risk has acquired a new risk, in that the organization to which the risk has been transferred may not manage the risk effectively.

Page 16: Risk assessment principles and guidelines


Risk Assessment: Risk Acceptance

Risk acceptance can be defined as the decision and approval by a high-authority party to accept the remaining risk after the treatment process is concluded. Once accepted, residual risks are considered risks that the high-authority party knowingly takes. The level and extent of accepted risks comprise one of the major parameters of the Risk Management process. In other words, the higher the accepted residual risk, the less work is involved in managing risks (and inversely).

Assess Treatment Options

A number of options may be considered and applied either individually or in combination. Selection of the most appropriate option involves balancing the cost of implementing each option against the benefits derived from it. In general, the cost of managing risks needs to be commensurate with the benefits obtained.

Develop Treatment Plan

Plans should document how the chosen options shall be implemented. The treatment plan should identify responsibilities, schedules, expected outcomes of treatments, budgeting, performance measures and the review process to be put in place.

Implementation Plan

The implementation treatment plan should document how the chosen options shall be implemented and be approved by management and/or the project sponsors.

Page 17: Risk assessment principles and guidelines


Risk Assessment: Risk Communication

Perceptions of risk can vary due to differences in assumptions, concepts and the needs, issues and concerns of stakeholders as they relate to risk or the issues under discussion.

Risk communication should be carried out in order to achieve the following:

- To provide assurance of the outcome of the organization's risk management.
- To collect risk information.
- To share the results from the risk assessment and present the risk treatment plan.
- To avoid or reduce both the occurrence and the consequence of information security breaches due to the lack of mutual understanding among decision makers and stakeholders.
- To support decision-making.
- To obtain new information security knowledge.
- To co-ordinate with other parties and plan responses to reduce the consequences of any incident.
- To give decision makers and stakeholders a sense of responsibility about risks.
- To improve awareness.

Page 18: Risk assessment principles and guidelines


Risk Assessment: Risk Monitoring and Review

Risks are not static. Threats, vulnerabilities, likelihood or consequences may change abruptly without any indication. Therefore constant monitoring is necessary to detect these changes.

Monitoring and review activities should continuously cover and address (but are not limited to):

- New assets that have been included in the risk management scope.
- Necessary modification of asset values, e.g. due to changed business requirements.
- New threats that could be active both outside and inside the organization and that have not been assessed.
- The possibility that new or increased vulnerabilities could allow threats to exploit these new or changed vulnerabilities.
- Identified vulnerabilities, to determine those becoming exposed to new or re-emerging threats.
- Increased impact or consequences of assessed threats, vulnerabilities and risks, in aggregation resulting in an unacceptable level of risk.
- Information security incidents.
- Legal and environmental changes.
- Impact criteria.
- Risk acceptance criteria.
- Necessary resources.

Page 19: Risk assessment principles and guidelines


Page 20: Risk assessment principles and guidelines


Risk Assessment: Risk Identification Example

Register columns: No/ID, Asset, Owner, Threat, Vulnerabilities, Current Control, Planned Control, Primary Security Concern, Likelihood, Impact, Score (Likelihood x Impact).

A1
  Asset: Central DB
  Owner: Ahmed, business function A
  Threat: Abuse of rights
  Vulnerabilities: There are 8 administrator accounts, which may allow users to log on using these accounts and knowingly or unknowingly perform damaging actions.
  Current Control: None
  Planned Control: Limit administrator accounts to 1 or 2 accounts only.
  Primary Security Concern: N (Non-repudiation)
  Likelihood: 3, Impact: 5, Score: 15

A2
  Asset: Web Portal A
  Owner: Ahmed, business function A
  Threat: Sabotage
  Vulnerabilities: Ineffective user registration, deregistration and logging functionalities.
  Current Control: Syslog
  Planned Control: None
  Primary Security Concern: I (Integrity)
  Likelihood: 1, Impact: 4, Score: 4

A3
  Asset: Router
  Owner: John, business function B
  Threat: Password cracking
  Vulnerabilities: Network device may be configured with common, default and/or weak passwords.
  Current Control: Policy and procedure
  Planned Control: None
  Primary Security Concern: C (Confidentiality)
  Likelihood: 2, Impact: 4, Score: 8

Page 21: Risk assessment principles and guidelines


Risk Assessment: Risk Treatment Options Example

Columns: No/ID, Risk (score), Treatment, Justification, Risk Owner.

A1 (risk score 15)
  Treatment: Reduce
  Justification:
  a) There are 8 administrator accounts, which may allow users to log on using these accounts and knowingly or unknowingly perform damaging actions.
  b) The logging management system is not sufficient to detect changes in the central DB.
  c) There is no database firewall implemented to monitor administrator access and activities.
  Risk Owner: Ahmed, business function A

A2 (risk score 4)
  Treatment: Avoid
  Justification:
  a) Implement NAC or a similar security control.
  b) The logging management system is not sufficient to detect changes in the central DB.
  c) There is no database firewall implemented to monitor administrator access and activities.
  Risk Owner: Ahmed, business function A

A3 (risk score 8)
  Treatment: Retain
  Justification:
  a) The current default password is not an 'easy to guess' password.
  b) The last incident was 8 years back.
  Risk Owner: John, business function B
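The scoring used in the identification and treatment examples above (Score = Likelihood x Impact on the deck's 1..5 scales), with the time-based likelihood rows applied to the "last incident was 8 years back" justification and to the monitoring-and-review case where a new incident changes a score. This is an added example, not code from the original deck; the register entries A1-A3 come from the slides, while the function and field names are my own.

```python
"""Risk register scoring with the scales from the slides:
Score = Likelihood (1..5) x Impact (1..5). Added example, not the deck's code."""
from dataclasses import dataclass

# Likelihood scale as defined on the "Likelihood" slide.
LIKELIHOOD = {
    1: "Rare: rarely happens or very unlikely to happen",
    2: "Unlikely: not seen within last 5 years or unlikely to happen",
    3: "Moderate: seen within last 5 years but not within last year",
    4: "Likely: seen within last year or very likely to happen",
    5: "Most likely: happens on a regular basis",
}
# Impact scale (mission critical scenario) from the "Impact Level" slide.
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}


def likelihood_from_last_incident(years_since_last_incident):
    """Map 'time since last incident' onto the slide's likelihood scores.
    'Rare' and 'Most likely' are judgement calls the table ties to no period."""
    if years_since_last_incident < 1:
        return 4  # seen within last year
    if years_since_last_incident <= 5:
        return 3  # seen within last 5 years but not within last year
    return 2      # not seen within last 5 years


@dataclass
class Risk:
    risk_id: str
    asset: str
    owner: str
    threat: str
    concern: str      # primary security concern: C, I, A or N (non-repudiation)
    likelihood: int
    impact: int
    treatment: str = "undecided"   # Reduce / Retain / Avoid / Transfer

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be scored 1..5")

    @property
    def score(self):
        return self.likelihood * self.impact


def build_register():
    """The three entries from the 'Risk Identification Example' slide."""
    return [
        Risk("A1", "Central DB", "Ahmed", "Abuse of rights", "N", 3, 5, "Reduce"),
        Risk("A2", "Web Portal A", "Ahmed", "Sabotage", "I", 1, 4, "Avoid"),
        Risk("A3", "Router", "John", "Password cracking", "C", 2, 4, "Retain"),
    ]


def ranked(register):
    """Highest score first, so treatment effort goes to the top entries."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def rescore(risk, years_since_last_incident):
    """Monitoring and review: re-derive likelihood from new incident data."""
    risk.likelihood = likelihood_from_last_incident(years_since_last_incident)
    return risk.score
```

With A3's "last incident 8 years back" the function reproduces the register's likelihood of 2; a fresh incident on the router would lift A3 to 16 and move it above A1, which is the kind of change the monitoring-and-review slide asks the team to catch.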

Page 22: Risk assessment principles and guidelines


Risk Assessment: Risk Treatment Plan Example

Columns: No/ID, Risk (score), Treatment, Plan, Risk Owner, Resolve By.

A1 (risk score 15)
  Treatment: Reduce
  Plan: Limit administrator accounts to 1 or 2 accounts only:
  a) Set up a test server to simulate the requirement and observe the impact on the systems.
  b) Develop a proper access control matrix.
  Risk Owner: Ahmed, business function A
  Resolve By: ASAP (30/09/2013)

A2 (risk score 4)
  Treatment: Avoid
  Plan:
  a) Replace the logging management system with a sufficient security control to detect changes in the central DB.
  b) Implement a database firewall.
  c) Implement a data integrity solution such as Tripwire.
  Risk Owner: Ahmed, business function A
  Resolve By: Long-term

A3 (risk score 8)
  Treatment: Retain
  Plan: Conduct a security audit, vulnerability assessment and hardening exercise.
  Risk Owner: John, business function B
  Resolve By: Mid-term (01/01/2014)

Page 23: Risk assessment principles and guidelines


Risk Assessment: Risk Implementation Treatment Plan Example

Columns: No/ID, Plan, Risk Owner, Resource Required, Resolve By, Expected Outcome, Cost.

A1
  Plan: Limit administrator accounts to 1 or 2 accounts only:
  a) Set up a test server to simulate the requirement and observe the impact on the systems.
  b) Develop a proper access control matrix.
  Risk Owner: Ahmed, business function A
  Resource Required: 1 x Server administrator, 1 x DB administrator, 1 x Technical Security Engineer
  Resolve By: ASAP (30/09/2013)
  Expected Outcome: Administrators are limited to 1 or 2 accounts only, and other users are allowed access only based on their roles.
  Cost: MYR 5k

A2
  Plan:
  a) Replace the logging management system with a sufficient security control to detect changes in the central DB.
  b) Implement a database firewall.
  c) Implement a data integrity solution such as Tripwire.
  Risk Owner: Ahmed, business function A
  Resource Required: 1 x Technical Security Consultant
  Resolve By: Long-term
  Expected Outcome: The system effectively monitors user registration, deregistration and logging functionalities.
  Cost: MYR 150k

A3
  Plan: Conduct a security audit, vulnerability assessment and hardening exercise.
  Risk Owner: John, business function B
  Resource Required: 1 x Technical Security Consultant, 1 x Technical Security Engineer
  Resolve By: Mid-term (01/01/2014)
  Expected Outcome: Hardened network device, all passwords are set and comply with the security policy, and password cracking attempts are logged and monitored.
  Cost: MYR 200k

Page 24: Risk assessment principles and guidelines
