Recently I was asked if I could provide a few pointers to help in developing a risk assessment process for an organization. I thought I would share my response. First, I would like to draw your attention to the mind map image over to the left of this text. The mind map represents a basic risk management methodology and is provided by Wikiversity. If you are unfamiliar with Wikiversity, it is an interesting project which is “devoted to learning resources and learning projects for all levels, types, and styles of education from pre-school to university, including professional training and informal learning.” It is a very interesting project and I applaud their efforts.

Basic Terminology

A good starting point in developing a risk assessment process is NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The document provides the following definition:

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Frequently, risk is defined as a function of the likelihood that a given threat-source exercises a particular potential vulnerability. What should also be included is the resulting impact of that adverse event on the organization.

NIST SP 800-30 contains information on risk assessment and management. Recently, NIST released NIST SP 800-39, “DRAFT Managing Risk from Information Systems: An Organizational Perspective,” which contains a reference to NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” NIST SP 800-30 Revision 1, when it is released, will be the document for risk assessment, while NIST SP 800-39 is for risk management.

Michael Smith, the Guerilla CISO, had a posting “An Open Letter to NIST About SP 800-30“. Michael writes “The best thing that you have given us is not the risk management framework, it was SP 800-30, ‘Risk Management Guide for Information Systems’. It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.” I’ll leave it to the reader to view the rest of the post. The point is, NIST SP 800-30 currently is the best document to start with when talking about risk assessment.

The nine primary steps in the risk assessment methodology:

  1. System Characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation
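The following is an added example, not part of the original post and not NIST's own code, showing how steps 5 through 9 of the methodology can be carried through on a small risk register. It uses the likelihood/impact matrix from NIST SP 800-30 (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk = likelihood × impact, graded High above 50, Medium above 10 up to 50, Low from 1 to 10). The systems, threat-sources, vulnerabilities and controls in the register are constructed sample data, and the function names are my own.

```python
"""Likelihood x impact risk determination in the style of NIST SP 800-30.

Added example; the register contents below are constructed sample data.
"""
from dataclasses import dataclass

# Rating scales from the SP 800-30 risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    """One row of the risk register, one field per methodology step 1-6, 8."""
    system: str                    # step 1: system characterization
    threat_source: str             # step 2: threat identification
    vulnerability: str             # step 3: vulnerability identification
    existing_controls: str         # step 4: control analysis
    likelihood: str                # step 5: High / Medium / Low
    impact: str                    # step 6: High / Medium / Low
    recommended_control: str = ""  # step 8: control recommendations


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk determination. Rejects ratings outside the scale so a
    typo in the register cannot silently become a zero-risk entry."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Grade a numeric score on the SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(register: list[RiskItem]) -> list[tuple[RiskItem, float, str]]:
    """Score every item and order the register highest risk first, which is
    the order in which control recommendations should be worked."""
    scored = [(item, risk_score(item.likelihood, item.impact)) for item in register]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(item, score, risk_level(score)) for item, score in scored]


def results_document(register: list[RiskItem]) -> list[str]:
    """Step 9: results documentation as plain text lines, one per finding."""
    lines = ["Level  Score  System / Threat-source / Vulnerability -> Recommendation"]
    for item, score, level in assess(register):
        lines.append(
            f"{level:<6} {score:>5.0f}  {item.system} / {item.threat_source} / "
            f"{item.vulnerability} -> {item.recommended_control or '(none yet)'}"
        )
    return lines


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Payroll server", "External attacker", "Unpatched web application",
             "Perimeter firewall only", "High", "High", "Apply vendor patches; add WAF"),
    RiskItem("Payroll server", "Insider", "Shared administrator account",
             "Quarterly log review", "Medium", "High", "Individual accounts; MFA"),
    RiskItem("Public website", "Automated scanner", "Verbose error pages",
             "None", "High", "Low", "Generic error handler"),
    RiskItem("Backup tapes", "Theft in transit", "Unencrypted offsite tapes",
             "Locked courier case", "Low", "High", "Encrypt backups"),
]

if __name__ == "__main__":
    print("\n".join(results_document(SAMPLE_REGISTER)))
```

Note that two rows (High likelihood with Low impact, and Low likelihood with High impact) both score 10 and grade Low; the matrix deliberately flattens those, which is why the text stresses including impact rather than ranking on likelihood alone.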

Now that risk assessment is defined, along with which NIST document contains what, let us talk about risk management. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The risk management process is meant to protect an organization and its ability to perform its mission. It is not just a technical function carried out by the IT experts to protect IT assets. It is an essential management function of the organization.

Framework

A while back, I did a post “Intense Simplicities” which discussed the risk-based protection model versus the policy-based compliance model. Several frameworks were discussed and a “Security Mappings” page was developed. Examine the frameworks discussed in the previous post and notice that the primary steps in risk assessment can basically be mapped back into the frameworks. Before developing a risk assessment methodology, consider its place in the whole risk management methodology and the framework of the organization. This allows you to utilize what has already been developed.

IT Governance Institute® (ITGI™) is also developing the IT Risk Management Framework. To quote from Urs Fischer’s article, “The framework aims to fill the gap between generic risk management frameworks such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO)’s Enterprise Risk Management (ERM) and Australia/New Zealand AS/NZ 4360, and detailed (mostly security-related) IT risk management frameworks. Indeed, the goal of this framework is to allow organisations to understand and manage all IT-related risks (beyond security) and to address all aspects (beyond operational management of IT) when managing risk.”

Information Sources

ISACA has made available a great deal of information that can be used in developing a risk assessment process. The following documents are a bit older, but open to the world.

If you become a member of ISACA, you can access more recent documents involving risk assessment and management. These include:

  • A Comprehensive Method for Assessment of Operational Risk in E-banking by George Tanampasidis, CISA, PMP
  • Risk Management Standards: The Bigger Picture by David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA
  • Automating Security Policy and Procedures With Workflow: How to Improve the Effectiveness of Risk Management Solutions by Michael Godfrey
  • New Framework for Enterprise Risk Management in IT by Urs Fischer, CISA, CIA, CPA Swiss

CERT just recently produced a podcast, “Security Risk Assessment Using OCTAVE® Allegro.” OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services. The authors of the RiskAnalys.is blog are big advocates of the Factor Analysis of Information Risk (FAIR) Framework. FAIR is meant to provide a framework for understanding, analyzing, and measuring information risk.

Update: Alex Hutton provided some important clarification on FAIR. Alex points out, “FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a ‘scan/prioritize/fix/repeat/’ Deming cycle at its core.” Alex also provides a great pointer to ENISA’s website, which includes a comparison of 18 different Risk Assessment Methodologies. Alex writes, “They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.”

The ISO 27001 Security site has compiled a very nice listing with brief outlines of information security risk analysis methods, standards, and tools. IsecT Ltd., home of the NoticeBored security awareness service, voluntarily maintains the site as a “not-for-profit labour-of-love activity.” They have done a great job of keeping the site up-to-date. The site also makes available a free ISO27k toolkit. The toolkit consists of “a collection of papers contributed by members of the ISO27k Implementers’ Forum, either individually or through collaborative working groups organized on the Forum.” Three documents of particular interest are “Information security risk analysis spreadsheet,” “FMEA risk analysis spreadsheet,” and “Information security risk register.”

I tend to like information sources that are available to the public at no cost. Alex pointed out that Microsoft has put out The Security Risk Management Guide. Microsoft describes the guide as helping explain “how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.”

After mentioning Microsoft, I feel compelled to point out an open source project. The Security Officers Management and Analysis Project (SOMAP) is a project with the goal to “develop and maintain Open Source Information Security Risk Management tools and utilities.” SOMAP operates on the belief that “Information Security is not a competitive issue and only freely available and cooperatively developed risk management utilities and tools can potentially lead to a better security management and to further development of the whole risk management field.” They have created the “Risk Management Handbook,” “Risk Assessment Guide,” “Security Officers Best Friend (SOBF Tool),” and “Open Risk Model Repository (ORIMOR).” See their site for additional details.

Blogs

A few blog sites where information can be obtained, and questions posted, are:

Recent Blog Posts

Below are a few recent blog postings that may be of interest. The posts were pulled from Google Reader with accompanying blurbs of text.

  • Risktical Ramblings: Risk and CVSS … I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessments efforts. In my opinion, there are some really useful “metric vectors” that provide a simple yet powerful way to analyze a vulnerability.. …
  • The Security Catalyst: Refreshing, Reloading, Refueling … My goal in writing the book was simple: present enough information to create a shift in thinking. Beyond that, a keynote, executive seminar and guided system has been developed, tested and refined to further expand on the information in the book, bring it to life and drive results. Part of our journey will be working with organizations (small and large) to implement the tenets outlined in Into the Breach to improve revenue, complete a successful risk assessment, build an awareness program that works or influence a positive change in how people, information and risk are managed …
  • (ISC)2 Blog: Proving the Value of Qualitative Risk Assessments … Qualitative risk assessments are a cornerstone security management tool. This type of assessment process is characterized by estimates of asset values, threats, vulnerabilities, and costs from anticipated exposures. Risk management frameworks are a way for managers to determine where to allocate resources when risk is at an unacceptable level ….
  • RiskAnalys.is: Relentless Reflection – What it Means in Risk Management … Picking up from yesterday, Today I’d like to talk about: HANSEI – WHAT IS “RELENTLESS REFLECTION?” – And why we’re talking about it in the context of Risk Analysis. Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk man …
  • bsi: Navigating the Security Practice Landscape … RA risk assessment (5) SA system and services acquisition (11) SC system and communications protection (23) SI system and information integrity (SI) Mappings to Other Standards Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 paragraphs. Appendix H Standards and Guidance Mappings provide …
  • RiskAnalys.is: UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU AND ME! …a Good Risk Assessment Methodology” – written by yours truly and Jack. It’s a very high-level document, and serves two purposes: For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document). …

Build Security In (bsi) is maintained for DHS. It contains documents that are continuously being updated. The “Risk Management” area provides a framework for identifying, tracking, and managing software risks.

Only a Starting Point

Overcoming Bias, a great thought provoking blog, recently posted, “Say It Loud.” The author, Eliezer Yudkowsky, quotes Will Strunk: “If you don’t know how to pronounce a word, say it loud! If you don’t know how to pronounce a word, say it loud!” Eliezer goes on to say, “This comical piece of advice struck me as sound at the time, and I still respect it. Why compound ignorance with inaudibility? Why run and hide?” This corresponds with one of my favorite graphics created by the Creating Passionate Users blog:

Eliezer makes a very valid point. To those who “sounds clueless, but isn’t,” you need to speak up. Otherwise, you are helping the “sounds smart, but isn’t” promote their cluelessness throughout the organization.

With that in mind, let me state this loudly: the above sources will provide a very useful starting point in developing a risk assessment process. NIST SP 800-30 is the best place to start. Also check out NIST SP 800-39. The IT Governance Institute has been talking about the IT Risk Management Framework for a while now. It should be great when it comes out, but the last I heard there was no release date set. CERT OCTAVE is freely available, so that makes it a good resource. I am less familiar with FAIR, though it looks very interesting. I tend to use COBIT when dealing with business processes as a checklist of controls to have in place. Members of ISACA should look in the journal’s archive area. The last issue was focused on risk and contained a couple of articles that would be helpful. The articles that are open to the public are somewhat dated. The blog sites will be helpful once you start narrowing in and know what you are interested in doing. In the end, this post is meant only as a starting point. It is not a complete list; not even close. While there may be a great deal more work to do, your journey has begun. Good luck.

2 Responses to “Risk Assessment: A Starting Point”

  1. Alex says:

    Articulate and well thought out. One thing I might add, if I may, is that FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a “scan/prioritize/fix/repeat/” Deming cycle at its core.

    Another resource you or your readers may be interested in is ENISA’s document that compares 18 different Risk Assessment Methodologies. They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.

Trackbacks/Pingbacks

  1. [...] O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths”): Six Risk Management [...]
