Basic Terminology

A good starting point in developing a risk assessment process is NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The document provides the following definition:

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Frequently risk will be defined as a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability. What should also be included is the resulting impact of that adverse event on the organization.

NIST SP 800-30 contains information on risk assessment and management. Recently, NIST released NIST SP 800-39, “DRAFT Managing Risk from Information Systems: An Organizational Perspective,” which contains a references to NIST SP 800-30 Revision 1, “Guide for Conducting Risk Assessments.” NIST SP 800-30 Revision 1, when it is released, will be the document for risk assessment while NIST SP 800-39 is for risk management.

Michael Smith, the Guerilla CISO, had a posting “An Open Letter to NIST About SP 800-30“. Michael writes “The best thing that you have given us is not the risk management framework, it was SP 800-30, ‘Risk Management Guide for Information Systems’. It’s small, to-the-point, and scalable from a single server to an entire IT enterprise.” I’ll leave it to the reader to view the rest of the post. The point is, NIST SP 800-30 currently is the best document to start with when talking about risk assessment.

The nine primary steps in the risk assessment methodology:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Now that risk assessment is defined along with which NIST documents contains what, let us talk about risk management. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The risk management process is meant to protect an organization and its ability to perform its mission. It is not just just a technical function carried out by the IT experts to protect IT assets. It is an essential management function of the organization.

Framework

Awhile back, I did a post “Intense Simplicities” which discussed the risk-based protection model verses the policy based compliance model. Several frameworks were discussed and a “Security Mappings” page was developed. Examine the frameworks discussed in the previous post and notice that basically the primary steps in risk assessment can be mapped back into the frameworks. Before developing a risk assessment methodology, consider its place in the whole risk management methodology and the framework of the organization. This allows you to utilize what has already been developed.

IT Governance Institute® (ITGI™) is also developing the IT Risk Management Framework. To quote from Urs Fischer article, “The framework aims to fill the gap between generic risk management frameworks such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO)’s Enterprise Risk Management (ERM) and Australia/New Zealand AS/NZ 4360, and detailed (mostly security-related) IT risk management frameworks. Indeed, the goal of this framework is to allow organisations to understand and manage all IT-related risks (beyond security) and to address all aspects (beyond operational management of IT) when managing risk.

Information Sources

ISACA has made available a great deal of information that can be used in developing a risk assessment process. The following documents are bit older, but open to the world.

• Framing Your Choices: Weighing Three Risk Management Frameworks by Linda L. Briggs

– offers the conclusion that newer frameworks such as AS/NZS 4360 or M_o_R offer a solid route to first understanding and then controlling business risk.

• Risk Assessment Tools: A Primer – the article looks at risk assessment tools, in order to creates a framework of understanding and provides insight into the world of automated risk analysis.
• Risk Without Remorse – the article makes the argument that “by implementing COBIT risk management, the CIO should expect better portfolio management decisions and improved risk-reward communications intra- and interdepartmentwide, as well as a better ROA.”
• Risk and Control Self-Assessment (RCSA) – the article makes the argument that risk and control self-assessment (RCSA) is “a great asset in several phases of the audit process, starting with the risk assessment and development of the annual audit plan or individual audit plans of the area being reviewed.”
• IS Auditing Procedure: P1 IS Risk Assessment Measurement
• IS Auditing Guideline: G13 Use of Risk Assessment in Audit Planning
• Standard for IS Auditing: S11 Use of Risk Assessment in Audit Planing

If you become a member of ISACA, you can access more recent documents involving risk assessment and management. These include:

• A Comprehensive Method for Assessment of Operational Risk in E-banking by George Tanampasidis, CISA, PMP
• Risk Management Standards: The Bigger Picture by David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA
• Automating Security Policy and Procedures With Workflow: How to Improve the Effectiveness of Risk Management Solutions by Michael Godfrey
• New Framework for Enterprise Risk Management in IT by Urs Fischer, CISA, CIA, CPA Swiss

CERT just recently produced a podcast, “Security Risk Assessment Using OCTAVE® Allegro.” OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services. The authors of the blog site, the RiskAnalys.is, are big advocates of the Factor Analysis of Information Risk (FAIR) Framework. FAIR is meant to provide a framework for understanding, analyzing, and measuring information risk.

Update:Alex Hutton provided some important clarification on FAIR. Alex points out, “FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a ’scan/prioritize/fix/repeat/’ Deming cycle at it’s core.” Alex also provides a great pointer to the ENISA’s website which includes a comparison of the 18 different Risk Assessment Methodologies. Alex writes, “They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.”

The ISO 27001 Security site has compiled a very nice listing with brief outlines of information security risk analysis methods, standards, and tools. IsecT Ltd., home of the NoticeBored security awareness service, voluntarily maintains the site as a “not-for-profit labour-of-love activity.” They have done a great job of keeping the site up-to-date. The site also makes available a free ISO27k toolkit. The toolkit consists of “a collection of papers contributed by members of the ISO27k Implementers’ Forum, either individually or through collaborative working groups organized on the Forum.” Three documents of particular interest are “Information security risk analysis spreadsheet,” “FMEA risk analysis spreadsheet“, and “Information security risk register.”

I tend to like information sources that are available to the public at no cost. Alex pointed out that Microsoft has put out the The Security Risk Management Guide. Microsoft describes the guide as helping explain “how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners.”

After mentioning Microsoft, I feel compelled to point out an open source project. The Security Officers Management and Analysis Project (SOMAP) is a project with the goal to “develop and maintain Open Source Information Security Risk Management tools and utilities.” SOMAP operates on the belief that “Information Security is not a competitive issue and only freely available and cooperatively developed risk management utilities and tools can potentially lead to a better security management and to further development of the whole risk management field.” They have created the “Risk Management Handbook,” “Risk Assessment Guide,” “Security Officers Best Friend (SOBF Tool),” and “Open Risk Model Repository (ORIMOR).” See their site for additional details.

Blogs

A few blog sites where information can be obtained, and questions posted, are:

• Not Bad For a Cubicle: Risk Management made interesting.
• Risktical Ramblings: Assessing, Articulating & Quantifying Information Security Risk by Chris Hayes.
• Security and Risk Management Strategies Blog: Burton Group.
• RealTime IT Compliance: This is Rebecca Herold’s site who specializes in risk assessment, gap analysis, policy content development, awareness training, strategy development and implementation. The few times I have talked with her, she has been real friendly and helpful.

Recent Blog Posts

Below are a few recent blog postings that maybe of interest. The posts were pulled from Google Reader with accompanying blurbs of text.

• Risktical Ramblings: Risk and CVSS … I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessments efforts. In my opinion, there are some really useful “metric vectors” that provide a simple yet powerful way to analyze a vulnerability.. …
• The Security Catalyst: Refreshing, Reloading, Refueling … My goal in writing the book was simple: present enough information to create a shift in thinking. Beyond that, a keynote, executive seminar and guided system has been developed, tested and refined to further expand on the information in the book, bring it to life and drive results. Part of our journey will be working with organizations (small and large) to implement the tenets outlined in Into the Breach to improve revenue, complete a successful risk assessment, build an awareness program that works or influence a positive change in how people, information and risk are managed …
• (ISC)2 Blog: Proving the Value of Qualitative Risk Assessments … Qualitative risk assessments are a cornerstone security management tool. This type of assessment process is characterized by estimates of asset values, threats, vulnerabilities, and costs from anticipated exposures. Risk management frameworks are a way for managers to determine where to allocate resources when risk is at an unacceptable level ….
• RiskAnalys.is: Relentless Reflection – What it Means in Risk Management … Picking up from yesterday, Today I’d like to talk about: HANSEI – WHAT IS “RELENTLESS REFLECTION?” – And why we’re talking about it in the context of Risk Analysis. Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk man …
• bsi: Navigating the Security Practice Landscape … RA risk assessment (5) SA system and services acquisition (11) SC system and communications protection (23) SI system and information integrity (SI) Mappings to Other Standards Appendix G Security Control Mappings provides a detailed mapping of 800-53 controls to ISO 17799 paragraphs. Appendix H Standards and Guidance Mappings provide …
• RiskAnalys.is: UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU AND ME! …a Good Risk Assessment Methodology” – written by yours truly and Jack. It’s a very high-level document, and serves two purposes: For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document). …

Build Security In (bsi) is maintained for DHS. It contains documents that are continuously being updated. The “Risk Management” area provides a framework for identifying, tracking, and managing software risks.

Only a Starting Point

Overcoming Bias, a great thought provoking blog, recently posted, “Say It Loud.” The author, Eliezer Yudkowsky, quotes Will Strunk: “If you don’t know how to pronounce a word, say it loud! If you don’t know how to pronounce a word, say it loud!” Eliezer goes on to say, “This comical piece of advice struck me as sound at the time, and I still respect it. Why compound ignorance with inaudibility? Why run and hide?” This corresponds with one of my favorite graphics created by the Creating Passionate Users blog:

Eliezer makes a very valid point. To those who “sounds clueless, but isn’t,” you need to speak up. Otherwise, you are helping the “sounds smart, but isn’t” promote their cluelessness throughout the organization.

With that in mind, let me state this loudly: the above sources will provide a very useful starting point in developing a risk assessment process. NIST SP 800-30 is the best place to start. Also check out NIST SP 800-39. The IT Governance Institute has been talking about the IT Risk Management Framework for awhile now. It should be great when it comes out, but the last I heard there was no release date set. CERT OCTAVE is freely available, so that makes it a good resource. I am less familiar with FAIR, though it looks very interesting. I tend to use COBIT when dealing with business processes as a checklist of controls to have in place. Members of ISACA should look in the journal’s archive area. The last issue was focused on risk and contained a couple of articles that would be helpful. The articles that are open to the public are somewhat dated. The blog sites will be helpful once you start narrowing in and know what you are interested in doing. In the end, this post is meant only as a starting point. It is not a complete list; not even close. While there may be a great deal more work to do, your journey has begun. Good luck.

Dave Oliver did a fantastic job discussing mind maps with his post, “Managing your Mind. Mindmaps, a handy tool for the Enterprise Architect.” I am tempted to stop writing, leaving the reader to simply read Dave’s post. I just have a few additional links and comments to provide.

There are many software packages to help with mind maps. Dave recommends Mindjet Mindmanager Pro 7, one of the most popular commercial products. If you want to evaluate the software, there is a free 21 day trial option. Want to try something else? There are plenty of other packages. The folks over at Mind-mapping.org have done an amazing job of maintaining a list of the various mind mapping software. The commercial products are too numerous to include, but if you are looking to experiment with mind mapping, the open source packages might provide a good cost effective starting point. Mind-mapping.org has provided a nice map of open source solutions.

Eric Hebert, has done a post “99 Mind Mapping Resources, Tools, and Tips.” While I won’t list all 99 links, here are the categories covered:

• Free Software
• Resources
• Professional Training
• In the News
• Examples of Mind maps
• Books
• E-Books
• Articles On the Web
• PDF Articles
• Blogs
• People
• Videos
• Noteworthy Paid Software

Dave and Eric posts provide a fairly complete list of available information for learning all about mind maps. Now to add a little connective intelligence. Jerry Manas, author of “Napoleon on Project Management: Timeless Lessons in Planning, Execution, and Leadership” and “Managing the Gray Areas,” president of project management consulting firm The Marengo Group, co-founder of the popular leadership blog site PMThink!, and a two-time Mindjet webinar presenter has a few very useful posting concerning mind mapping:

• Finding Clarity: Using MindManager® Pro 7 to Manage the Gray Areas.
• 101 Project Management Uses for Mind Mapping Software
• Mindmap Productivity Tips
• Think Clear: Mind Map to Innovate …
• Event Map: Mind Map Technique
• Enable Creativity to Generate Ideas …

The Controlling Chaos podcast, hosted by Dina Henry Scott, PMP and Sr. Project Manager at VSP, has two podcasts that have interesting information on mind mapping tools: MindManager Pro 7 with Michael Deutch and Mapping Your Way to Project Success!.

Using mind mapping techniques to help in the area of security, Rudolph Araujo, Senior Principal Consultant at Foundstone, did a posting “MindMapper vs. MindManager.” Rudolph writes:

I was using mind mapping for everything from building threat models and doing code reviews to working out my articles and presentations. I even convinced Foundstone to purchase a bunch of licenses of MindMapper as a lot of other people at Foundstone had become fans as well.

Over at the Security Catalyst, Michael Santarcangelo has been working with mind mapping. Michael writes about the Security Catalyst work with mind mapping to develop a map of the advancement of security. The work is discussed in his posts “What do you think the future of how we practice security looks like?,” “Mind mapping the future of how we practice security“, and “Advancing the Future of Security; a mind-map experiment.” Michael explains his interest in mind mapping when he writes:

I am a visually driven person. I think in non-linear ways, and have a 4′x8′ whiteboard in my office that I use several times a day. Mind mapping, therefore, is a natural fit for me. As a speaker, I’m generally impressed by those who also mind map. If you are also visual, you may find mind mapping works for you, too. In my quest for personal improvement, I have come to enjoy reading the thoughts of Grigor at Behind the Glasses. He’s covered mind mapping a bit, and recently covered the beta of MindMeister – an online, collaborative mind mapping tool.

The resulting map is available on MindMeister or in PDF format. Don C. Weber, Information Assurance Director at Ultimate Solutions, Inc. and a member of the Security Catalyst community, was inspired to use mind mapping to help him develop a security plan based on the ISO 17799:2005 standard. Don discusses his use of both the open source FreeMind and the commercial MindManager software. He also discusses the steps he went through to map ISO 17799:2005 in his posting “Mindmapping ISO17799:2005.”

Mind mapping is not going to help you lose weight, be sexier to members of the opposite sex, add hair to your head, and/or cure you of all that might ail you. Software, at its best, can only help you perform your job better. It does not provide a solution in and by itself. Mind mapping provides a technique which enables you to explore, capture and structure what’s going on in your mind. For some, mind maps will be of no help. There are countless other methods to do the same thing. It is up to you to experiment and find the solution that work best for you. The important thing is to realize that when the old way of doing business no longer works well, you need to stop doing things the way they have always been done. The known is comfortable, but it fails to advance you anywhere. Challenge yourself. Learn to do things differently. You will be glad that you did, and you just might become a little more sexier. When you step off the beaten path, anything is possible.