7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 1/43
March, 29th 2011 TAO – Workshop on CBA Security 1
Information security risk management
using ISO/IEC 27005:2008
Hervé Cholez / Sébastien Pineau
Centre de Recherche Public Henri Tudor
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 2/43
Objectives
ISO/IEC 27005 is a standard that propose a way tomanage information security risks, particularly in the
context of the implementation of an ISMS* (ISO/IEC
27001)
ISO/IEC 27005 is not a method, just a guide
For the moment... discussions in progress!
* ISMS: Information Security Management System
2TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 3/43
Risk?
Risk = (Threat * Vulnerability * Impact)
Vulnerability: intrinsic to the object or situation
Threat: probability of occurrence of an (external) event
exploiting the vulnerability
Impact: consequence
Example: burglary in your house
Vulnerability: your home keys under your carpet
Threat: a burglar comes along... Impact: loss of your money, your TV, etc.
3TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 4/43
Information Security Risk? (1/3)
“ potential that a given threat will exploit vulnerabilities ofan asset or group of assets and thereby cause harm to
the organization”
4TAO – Workshop on CBA Security
Threat
Vulnerability
Asset
Impact
exploits
concerns
causes
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 5/43
Information Security Risk? (2/3)
Asset “anything that has value to the organization”
Primary: business processes and activities, information
Support: hardware, software, network, personal, facilities
Threat
“Potential cause of an unwanted incident, which may result in
harm to a system or organization”
Source of the risk, possible attack 3 kinds
Accidental (unintentional human action)
Deliberate (voluntary human action)
Environmental (non-human action)
5TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 6/43
Information Security Risk? (3/3)
Vulnerability “weakness of an asset (or control) that can be exploited by a
threat ”
Impact “adverse change to the level of business objectives achieved ”
Consequence of the risk on the system or organization
Generally expressed in terms of:
Confidentiality
Integrity
Availability
6TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 7/43
Impacts?
Confidentiality “ property that information is not made available or disclosed to
unauthorized individuals, entities or processes”
internal disclosure, external disclosure...
Integrity “ property of protecting the accuracy and completeness of
assets”
accidental modification, deliberate modification, incorrect results,
incomplete results
Availability “ property of being accessible and usable upon demand by an
authorized entity ”
performance degradation, short-term/long-term interruption, total
loss (destruction)
7TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 8/43
Information security risk
management (ISRM)?
“The total process of identifying, controlling, andeliminating or minimizing uncertain events that may
affect IT system resources” [ISO/IEC 13335-1]
3 objectives Improve information system security
Justify information system security budget
Prove the credibility of the information system using the
analysis performed
8TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 9/43
ISO/IEC 27005
Information technology – Security techniques –
Information security risk management
9TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 10/43
Tudor’s activities
10
Analyse écarts 27001
Evaluation de la maturité
en sécurité del’information
Définition d'une Politique
de sécurité
Gestion des risques
Implémentation d’un
SMSIFormation(s) 27001
Guide d’implémentation27001 + templates
Audit à blanc 27001
Outil de gestion des
risques (27005 – EBIOS)
Formation gestion des
risques (27005)
Maturer/Packager
Décliner en
niveaux/Packager
Méthodologie + template
Méthodologie + outil de
mesure
Maturer/Packager
F O U R N I S S E U R S
W E B
SaaS
Décliner en
niveaux/Packager
Décliner en
niveaux/Packager
ToolboxMaturer/Packager
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 11/43
Process
11TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 12/43
Process
12TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 13/43
Context establishment
Basic Criteria
The scope and boundaries
Organization for IRSM
13TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 14/43
Context establishment > Basic
Criteria
Risk evaluation criteria
Impact criteria
Risk acceptance criteria
These criteria are specific to a given
organization/system, to a given study, etc.
14TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 15/43
Context establishment > Basic
Criteria > Risk evaluation criteria (1)
Depends on The strategic value of the business information process
The criticality of the information assets involved
Legal and regulatory requirements, and contractual obligations
Operational and business importance of CIA Stakeholders expectations and perceptions, and negative
consequences for goodwill and reputation
Enables to prioritize risks
15TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 16/43
Context establishment > Basic
Criteria > Risk evaluation criteria (2)
Examples
Goal:
Clear differentiation between levels Unambiguous interpretation
16TAO – Workshop on CBA Security
Financial Risk level
0 Loss < 1000 € Unimportant risk
1 1000 € < Loss < 5000 € Risk affecting the internal operation
2 5000 € < Loss < 10000 € Risk affecting customers
3 Loss > 10000 € Risk
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 17/43
Context establishment > Basic
Criteria > Impact criteria (1)
Cost per security incident, considering Level of classification of the impacted information asset
Breaches of information security (e.g. Loss of CIA)
Loss of business and financial value
Disruption of plans and deadlines Damage of reputation
Breaches of legal, regulatory or contractual requirements
17TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 18/43
Context establishment > Basic
Criteria > Impact criteria (2)
Example
Goal:
Clear differentiation between levels
Unambiguous interpretation
18TAO – Workshop on CBA Security
Confidentiality Integrity Availability
0 Public No constraint No constraint
1 Restricted Change visible Unavailable 1 week/year
2 Very restricted Change reduced Unavailable 1 day/year
3 Secret Can not be altered Always available
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 19/43
Context establishment > Basic
Criteria > Likelihood of risk
Threat
Vulnerability
19TAO – Workshop on CBA Security
Explanation
1 Very unlikely, according to statistics, or the cost or level of expertise required
2 May happen from time to time
3 Very likely easier to implement, no investment or special expertise
Explanation
0 Very low: measures in place effective against the threat1 Medium: measures insufficient or inappropriate
2 High: no effective protection measures in place
3 Very high: lack of measures, or obsolete or irrelevant
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 20/43
Context establishment > Basic
Criteria > Risk acceptance criteria
(1)
Formula:
Risk level = max(concerned impact) * (threat +
vulnerability – 1)
20TAO – Workshop on CBA Security
Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 21/43
Context establishment > Basic
Criteria > Risk acceptance criteria
(2)
Example An unacceptable risk is:
A very likely risk Threat = 3
With inadequate or inappropriate measures Vulnerability = 1
And whose asset value is 3 Impact = 3
RL = 3 * (3 + 1 - 1) = 9
21TAO – Workshop on CBA Security
Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 22/43
Context establishment > Basic
Criteria > The scope and boundaries
Generally the first step (chronologically)
Definition of:
Activity, processes to take into account
Objectives
Study borders (geographically, logically, ...)
Legal constraints
Etc.
22TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 23/43
Context establishment > Basic
Criteria > Organization for ISRM
Roles and responsibilities definition for the riskmanagement process
Must be documented
23TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 24/43
Process
24TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 25/43
Risk assessment
Risk analysis Risk identification
Risk estimation
Risk evaluation
25TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 26/43
Risk assessment > Risk
identification > Asset identification
(1)
Primary asset identification business processes and activities, information
Support assets identification (and mapping)
Hardware, software, networking, people, facilities Knowledge bases available (e.g. EBIOS method)
For each asset
Owner identification Value determination
Qualitative, quantitative, semi quantitative
26TAO – Workshop on CBA Security
Ri k Ri k
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 27/43
Risk assessment > Risk
identification > Asset identification
(2)
For each asset, impact determination
Based on impact criteria
“if criteria X of asset A is not fulfil, the impact would
be...”
27TAO – Workshop on CBA Security
Confidentiality Integrity Availability
0 Public No constraint No constraint1 Restricted Change visible Unavailable 1 week/year
2 Very restricted Change reduced Unavailable 1 day/year
3 Secret Can not be altered Always available
Ri k t Ri k
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 28/43
Risk assessment > Risk
identification > Threat and
vulnerabilities identification
Knowledge bases Interviews, brainstorming
Expert analysis
Take into account controls already in place
(vulnerabilities)
For threats, take into account:
Deliberate
Accidental
28TAO – Workshop on CBA Security
Ri k t Ri k ti ti
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 29/43
Risk assessment > Risk estimation
Risk = (Threat * Vulnerability * Impact)
Use of the formula
Risk level = max(concerned impact) * (threat +vulnerability – 1)
Value for each identified risk
29TAO – Workshop on CBA Security
Ri k l ti
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 30/43
Risk evaluation
Comparison Obtained risk levels from risk assessment
Defined risk acceptance levels
30TAO – Workshop on CBA Security
Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15
P
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 31/43
Process
31TAO – Workshop on CBA Security
Ri k t t t
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 32/43
Risk treatment
4 choices Risk Reduction
Risk Retention
Risk Avoidance
Risk Transfer
Can be combined
Results on a risk treatment plan
32TAO – Workshop on CBA Security
Risktreatment
RiskReduction
RiskRetention
Risk Avoidance
RiskTransfer
Ri k t t t > Ri k d ti
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 33/43
Risk treatment > Risk reduction
Controls (measures) are implemented to reduce therisk
It generally affects the vulnerability
ISO/IEC 27002 proposes a set of controls
Constraints for risk reduction exist
Time, financial, technical, etc...
33TAO – Workshop on CBA Security
Ri k t t t > Ri k t ti
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 34/43
Risk treatment > Risk retention
Risk is accepted Nothing is done to reduce it
Generally when risk level is less than risk acceptance
value
But can be decided when risk is greater than risk
acceptance value
Negative ROSI Risk-taking
34TAO – Workshop on CBA Security
Risk treatment > Risk avoidance
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 35/43
Risk treatment > Risk avoidance
Risk is refused “business” function cancelled
Generally if the risk is too high and that no “cost-
effective” solution is found
35TAO – Workshop on CBA Security
Risk treatment > Risk transfer
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 36/43
Risk treatment > Risk transfer
Risk is transferred or shared with third party Outsourcing
Insurance
Generally for high impact risks with low occurrence
Can create other risks or modify existing risks
Transfer the responsibility to manage the risk but notthe liability of an impact
36TAO – Workshop on CBA Security
Process
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 37/43
Process
37TAO – Workshop on CBA Security
Risk acceptance
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 38/43
Risk acceptance
Risks effectively treated Review of the risk treatment
Validation of selected solutions
Selection of residual risks
Residual risks Accepting a number of risks that can consider itself unable to
deal, or are acceptable to the organization
38TAO – Workshop on CBA Security
Process
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 39/43
Process
39TAO – Workshop on CBA Security
Risk communication
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 40/43
Risk communication
Continuous step
Obtain and communicate with all the stakeholders
Collect information on risks and security
Share risk assessment results Present risk treatment plan
Awareness
Etc.
40TAO – Workshop on CBA Security
Process
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 41/43
Process
41TAO – Workshop on CBA Security
Risk monitoring and review
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 42/43
Risk monitoring and review
Continuous step
Risks are constantly changing, all risk equation
elements must be tracked!
New assets New threats
New vulnerabilities
Incidents
Etc.
Minor changes vs. major changes
42TAO – Workshop on CBA Security
7/24/2019 Sec3 Risk-management Iso27005
http://slidepdf.com/reader/full/sec3-risk-management-iso27005 43/43
Thanks for your attention!
Any questions?
Top Related