Risk Frameworks
Octave Method
Designed for large organizations (300+ employees) Builds on the 3 Phases adding 8 processes
ISO/IEC JTC 1 Information Technology
ISO/IEC Information and Communication Technology (ICT) JTC 1 - Joint Technical Committee Sub Committees (SC) - SC 27 IT Security techniques Working Groups (WG) ISMS - Information security management systems
Loss Event Frequency (LEF)
Loss Event Frequency (LEF) Threat Event Frequency (TEF) Contact Frequency (CF) Probability of Action (PA) Vulnerability (Vuln) Threat Capability (TCap) Resistance Strength (RS)
Loss Magnitude (LM)
Loss Magnitude (LM) Primary Loss Secondary Loss Secondary Loss Event Frequency (SLEF) Secondary Loss Magnitude (SLM)
Key Differences: OCTAVE vs. Other Approaches
Octave: Organization evaluation Focus on security practices Strategic issues Self direction OTHERS: System evaluation Focus on technology Tactical issues Expert led
Risk Evaluation Domain
Risk Evaluation Essentials: Risk scenarios Business impact descriptions
Risk IT Three Domains
Risk Governance Domain Risk Evaluation Domain Risk Response Domain
Risk Governance Domain
Risk Governance Essentials: Responsibility and accountability for risk Risk appetite and tolerance Awareness and communication Risk culture
Project Risk
"A project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one of the project's objectives" Threat risk has a negative impact on the project's objective(s). Opportunity risk has a positive impact on the project's objective(s) such as allowing the project to finish early, with less cost, and with more scope (functionality) than originally planned.
Project Risk Management
"Project risk management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring and control on a project; most of these processes are updated throughout the project. "
Project Risk Management Objective
"The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the project."
ISO/IEC 27005
...
IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including: Late project delivery Not achieving enough value from IT Compliance Misalignment Obsolete or inflexible IT architecture IT service delivery problems
Risk Response Domain
Risk Response Essentials: Key risk indicators (KRIs) Risk response definition and prioritization
ERM Brings Risks Together
Compliance risk External risk Governance risk Information Technology risk Strategic risk
Prepare for Risk Management
1.1 Develop stakeholder sponsorship - Meet with key stakeholders and decision makers to foster their active, visible, and continuous support of risk management and gather their requirements. 1.2 Develop risk management plan - Create the plan for conducting risk management based on requirements and constraints (e.g., schedule, funding, logistics, and contractual restrictions). 1.3 Tailor methods and tools - Adapt the risk management methods and tools (e.g., procedures, criteria, worksheets, automated support tools, databases) for the specific application of risk management (e.g., program, organization, technology). 1.4 Train personnel - Ensure that all of the people who will participate in risk management are able to effectively perform their assigned roles and responsibilities.
Risk Management Frameworks
1.Enterprise Risk Management (ERM) 2.ISO/IEC 27005 3.ISO/IEC 31000 4.Risk Management Framework (SEI - Carnegie Mellon University) 5.Octave (SEI - Carnegie Mellon University) 6.Risk management Framework - RMF (NIST) 7.Facilitated Risk Analysis Process (FRAP) 8.Factor Analysis of Information Risk - FAIR (Open Group) 9.Risk IT (ISACA) 10.PMBoK (PMI) 11.TARA (Threat Agent Risk Assessment) 12.CORAS
Perform Risk Management Activities
2.1 assess risk - transform the concerns people have into distinct, tangible risks that are explicitly documented and analyzed. 2.2 plan for controlling risk - determine an approach for addressing each risk; produce a plan for implementing the approach. 2.3 control risk - deal with each risk by implementing its defined control plan and tracking the plan to completion.
Organizational Levels
Considers activities at all levels of the organization: Enterprise-level Division or subsidiary Business unit processes
2.1 assess risk
2.1.1 Identify risk - A concern is transformed into a distinct, tangible risk that can be described and measured. 2.1.2 Analyze risk - The risk is evaluated in relation to predefined criteria to determine its probability, impact, and risk exposure. 2.1.3 Develop risk profile - A snapshot or summary of all risks relevant to the specific application of risk management (e.g., program, organization, or technology) is developed and documented. The risk profile should be shared with all relevant stakeholders as appropriate.
2.2 plan for controlling risk
2.2.1 Determine mitigation approach - The strategy for addressing a risk is based on the current measures for the risk (i.e., probability, impact, and risk exposure). Decision-making criteria (e.g., for prioritizing risks during mitigation or deciding when to escalate risks within a program or organization) may also be used to help determine the appropriate strategy for addressing a risk. Common mitigation approaches include accept—If a risk occurs, its consequences will be tolerated; no proactive action to address the risk will be taken. When a risk is accepted, the rationale for doing so is documented. transfer—A risk is shifted to another party (e.g., through insurance or outsourcing). avoid—Activities are restructured to eliminate the possibility of a risk occurring. control—Actions are implemented in an attempt to reduce or contain a risk. Mitigation approaches should be shared with all relevant stakeholders as appropriate. 2.2.2 Develop mitigation plan - A mitigation plan is defined and documented. Mitigation plans should be shared with all relevant stakeholders as appropriate.
2.1.3 Develop risk profile
2.3.1 Implement mitigation plan - The mitigation plan (or the contingency plan) is executed as intended. 2.3.2 Track mitigation plan - The measures for tracking the action plan's execution are collected and analyzed as specified in the mitigation plan. Tracking data should be shared with all relevant stakeholders as appropriate. 2.3.3 Make tracking decision - A decision about whether to take corrective action(s) related to a risk or it's mitigation plan is made. Tracking decisions should be shared with all relevant stakeholders as appropriate.
The ERM Framework
3 Dimensions: Organizational Levels (Side) Objectives (Top) Components (Front)
Sustain and Improve Risk Management
3.1 Manage risk management assets and work products - Place designated assets (e.g., methods, tools) and work products (e.g., risk profile, mitigation plans) of the risk management practice under appropriate levels of control. 3.2 Evaluate effectiveness of risk management practice - Analyze risk management results and effectiveness measures (as specified in the risk management plan) to identify and document lessons learned regarding the strengths and weaknesses of the risk management practice (e.g., risk management plan, methods, tools, resources, training). 3.3 Implement improvements to risk management practice - Make identified changes to the risk management practice (e.g., changes to the risk management plan, methods, tools, resources, training) based on lessons learned.
Risk Assessment
Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: - Likelihood - Impact Is used to assess risks and is normally also used to measure the related objectives. Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis.
Attributes
Analysis team and augmenting analysis team skills Catalog of practices Generic threat profile Catalog of vulnerabilities Defined evaluation activities Documented evaluation results Evaluation scope and next steps Focus on risk and focused activities Organizational and technological issues Business and information technology participation Senior management participation and collaborative approach
Process
Analyzing one system, application, or segment of business operation at a time Convening a team of individuals that includes Business managers who are familiar with business information needs Technical staff who have a detailed understanding of potential system vulnerabilities and related controls Facilitated Multiple Brainstorming Sessions
Assess Security
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Evaluate strengths and weaknesses (deficiencies) Are controls adequate Are controls excessive Test Controls Vulnerability Scans Penetration Tests
Authorize Information Systems
Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. Decisions are risk based Certification of systems Roll-out - Change Control - Change Management
Octave in the organization
By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets. All aspects of risk (assets, threats, vulnerabilities, and organizational impact) are factored into decision making, enabling an organization to match a practice-based protection strategy to its security risks.
6 Step Risk Management Framework
Categorize Information Systems Select Security Controls Implement Security Assess Security Authorize Information Systems Monitor Security Controls
Categorize Information Systems
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis Requires context knowledge Asset Inventory Security Classifications Data Classifications Define Boundaries (isolate components)
Event Identification
Differentiates risks and opportunities. Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile.
Monitoring
Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities. Separate evaluations. A combination of the two.
Enterprise Risk Management (ERM)
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Internal Environment
Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity's risk culture. Considers all other aspects of how the organization's actions may affect its risk culture.
Factor Analysis of Information Risk FAIR (Open Group)
FAIR (Factor Analysis of Information Risk) is a framework for understanding, analyzing and measuring information risk. FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization's security profile.
FIPS - Standards
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.
FAIR - Overview
Focus: Pure Risk Complete risk taxonomy is comprised of two main branches: Loss Event Frequency (LEF) Taken over a time period Includes probability of a loss Loss Magnitude (LM)
RISK IT (ISACA)
ISACA - Founded 1969 4 Computer Professional Certifications (CISA, CISM, CGEIT, CRISC) 115K+ Members worldwide residing in 180+ countries 200+ Chapters located in 80 countries Sponsors international conferences and education Publishes original research Develops international IS audit and control standards
ISO 31000:2009 - Users
ISO 31000:2009 is intended to be used by a wide range of stakeholders including: those responsible for implementing risk management within their organization those who need to ensure that an organization manages risk those who need to manage risk for the organization as a whole or within a specific area or activity those needing to evaluate an organization's practices in managing risk developers of standards, guides, procedures, and codes of practice that in whole or in part set out how risk is to be managed within the specific context of these documents.
ISO/IEC 31000
ISO/IEC: ISO/TMB/TC 262 Risk management WG2 - Core risk management standards ISO/IEC Guide 73 - 2009 (1st Edition) - Risk management - Vocabulary ISO/IEC 31000 - 2009 (1st Edition) - Risk management - Principles and Guidelines ISO/IEC 31010 - 2009 (1st Edition) Risk management - Risk assessment techniques
Risk Response
Identifies and evaluates possible responses to risk. Evaluates options in relation to entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses.
Implement Security
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Components
Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring
Objective Setting
Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitor Security Controls
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. Snapshot/Continuous, Static/Dynamic, Reactive/Proactive Active/Passive Not just collect data, analyze and evaluate it (Metrics) Feedback for better controls Exceptions to Incident Response
NIST RMF
NIST RMF (National Institute of Standards and Technology's Risk Management Framework) outlines a series of activities related to managing organizational risk. The activities include: Categorizing information systems and the information within those systems based on impact. Implementing security controls in the systems. Assessing the security controls using appropriate methods and procedures Authorizing information systems operation based on a determination of the risk to organizational operations and assets Monitoring and assessing selected security controls in information systems on a continuous basis
Risk Management Framework RMF (NIST)
National Institute of Standards and Technology SP - Special Publication Series Federal Government Guidelines (May be used for Public) Free Stuff - Already paid using Tax Dollars FISMA - Federal Information Security Management Act
Octave (SEI - Carnegie Mellon University)
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning. OCTAVE defines assets as including people, hardware, software, information and systems. There are three models, including the original, which CERT says forms the basis for the OCTAVE body of knowledge and is aimed at organizations with 300 or more employees; OCTAVE-S, similar to the original but aimed at companies with limited security and risk-management resources; and OCTAVE-Allegro, a streamlined approach to information security assessment and assurance.
Analysis teams
OCTAVE is an asset-driven evaluation approach. Identify information-related assets (e.g., information and systems) that are important to the organization Focus risk analysis activities on those assets judged to be most critical to the organization Consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats Evaluate risks in an operational context - how they are used to conduct an organization's business and how those assets are at risk due to security threats Create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization's critical assets
Octave Approach
OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. It is a flexible evaluation that can be tailored for most organizations When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together The OCTAVE approach is driven by two aspects: operational risk and security practices. Technology is examined only in relation to security practices, enabling an organization to refine the view of its current security practices.
Alignment of ISMS and Information Security Risk Management Process
PLAN: Establishing context Risk assessment Developing risk treatment plan Risk acceptance DO:Implementation of risk treatment plan CHECK:Continual monitoring and reviewing of risks ACT:Maintain and improve the Information Security Risk. Management Process
PMBoK (PMI)
PMI - Project Management Institute Project Management Institute is the world's leading not-for-profit professional membership association for the project, program and portfolio management profession. Founded in 1969 Education, Research and Certifications (PMP, RMP, ACP, SP, PgMP) Publishes Standards, Practices, and Frameworks Best known, for PMP is Project Management Body of Knowledge (PMBoK) which is currently in 5th Edition Risk Management as part of PMP, but also RMP
Phases of Risk Evaluation
Phase 1: Build Asset-Based Threat Profiles Phase 2: Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans
Risk management framework
Phase 1: Prepare for Risk Management Phase 2: Perform Risk Management Activities Activity 2.1: Assess Risk Activity 2.2: Plan for Risk Mitigation Activity 2.3: Mitigate Risk Phase 3: Sustain and Improve Risk Management
Catalog of Practices (Operational)
Physical Security (OP1) Physical Security Plans and Procedures (OP1.1) Physical Access Control (OP1.2) Monitoring and Auditing Physical Security (OP1.3) Information Technology Security (OP2) System and Network Management (OP2.1) System Administration Tools (OP2.2) Monitoring and Auditing IT Security (OP2.3) Authentication and Authorization (OP2.4) Vulnerability Management (OP2.5) Encryption (OP2.6) Security Architecture and Design (OP2.7) Staff Security (OP3) Incident Management (OP3.1) General Staff Practices (OP3.2)
Control Activities
Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.
The risk assessment methodology
Prepare for Risk Assessment Conduct Risk Assessment Identify Threat Sources and Events Identify Vulnerabilities and Predisposing Conditions Determine Likelihood of Occurrence Determine Magnitude of Impact Determine Risk Communicate Results Maintain Assessment
Phase 1: Build Asset-Based Threat Profiles
Process 1: Identify Senior Management Knowledge Process 2: Identify Operational Area Knowledge Process 3: Identify Staff Knowledge Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify Key Components Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
Process 7: Conduct Risk Analysis Process 8: Develop Protection Strategy
ISO Guide 73:2009 - Scope
Provides a basic vocabulary of the definitions of generic terms related to risk management Aims to encourage a mutual and consistent understanding, a coherent approach to the description of activities relating to the management of risk, and use of risk management terminology in processes and frameworks dealing with the management of risk.
System development Life Cycle (SDLC)
Provides gate points for security interventions Bolt-on vs. Baked-in At each gate, risk should be evaluated and security controls added Architects get involved here Involvement at each step along the way
ISO/IEC 31010:2009 Risk Management - Risk Assessment Techniques
Risk assessment attempts to answer the following fundamental questions: What can happen and why (by risk identification)? What is the likelihood of their future occurrence? What are the consequences? Are there any factors that reduce the likelihood of the risk or that mitigate the consequence of the risk?
Risk Management Framework (SEI - Carnegie Mellon University)
SEI - Software Engineering Institute Carnegie Mellon University August 2010 TECHNICAL REPORT CMU/SEI-2010-TR-017 ESC-TR-2010-017
Catalog of Practices (Strategic)
Security Awareness and Training (SP1) Security Strategy (SP2) Security Management (SP3) Security Policies and Regulations (SP4) Collaborative Security Management (SP5) Contingency Planning/Disaster Recovery (SP6)
Select Security Controls
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. Control Framework RMF Typically uses SP800-53 Control Hierarchy (common, special, hybrid) Defense in Depth
Principles
Self direction Adaptable measures Defined process Foundation for a continuous process Forward-looking view Focus on the critical few Integrated Management Open communication Global perspective Teamwork
SP - Guidelines & Recommendations
Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA and Agency Privacy Management) state that for other than national security programs and systems, federal agencies must follow certain specific NIST Special Publications.
Risk Analysis using FAIR
Stage 1: [Risk Identification] Identify scenario components Identify the asset at risk Identify the threat community Stage 2: [Risk Estimation] Evaluate Loss Event Frequency (LEF) Estimate probable Threat Event Frequency (TEF) Estimate Threat Capability (TCap) Estimate Control Strength (CS) Derive Vulnerability (Vuln) Derive Loss Event Frequency (LEF) Stage 3: [Risk Evaluation] Evaluate Probable Loss Magnitude (PLM) Estimate worst-case loss Estimate Probable Loss Magnitude (PLM) Stage 4: Derive and articulate risk
Where IT Risk Fits In
Standards and frameworks are available, but are either too: Generic enterprise risk management- oriented IT security-oriented No comprehensive IT- related risk framework available—until now
Facilitated Risk Analysis Process (FRAP)
Start with 5 Key Definitions: Risk - is a potential event that will have a negative impact on the business objectives or mission of the enterprise. Control - is a measure taken to avoid, detect, reduce or recover from a risk to protect the business process or mission of the enterprise. Integrity - information is as intended, without unauthorized or undesirable modification or corruption. Confidentiality - information has not undergone unauthorized or undesirable disclosure. Availability - applications, systems, or information resources are accessible when necessary.
Objectives
Strategic Operations Reporting Compliance
Threat Agent Risk Assessment TARA
TARA (Threat Agent Risk Assessment), is a new risk-assessment framework that helps companies manage risk by distilling the immense number of possible information security attacks into a digest of only those exposures that are most likely to occur. The thinking is that it would be prohibitively expensive and impractical to defend every possible vulnerability. By using a predictive framework to prioritize areas of concern, organizations can proactively target the most critical exposures and apply resources efficiently to achieve maximum results.
Roles and Responsibilities
The Board of Directors is responsible for overseeing management's design and operation of ERM. Management is responsible for the design of an entity's enterprise risk management framework. Risk officers work with managers in establishing and maintaining effective risk management. Internal auditors contribute to the ongoing effectiveness of the enterprise risk management
FAIR
The Open FAIR Body of Knowledge consists of two Open Group standards: Open Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk - Factor Analysis of Information Risk (FAIR). Open Risk Analysis (O-RA), (C13G, October 2013) describes process aspects associated with performing effective risk analysis.
FAIR - Factor Analysis of Information Risk
The Open FAIR Body of Knowledge provides a taxonomy and method for risk analysis, that enables understanding, analyzing, and measuring information risk. It allows organizations to: Speak in one language concerning their risk Consistently study and apply risk analysis principles to any object or asset View organizational risk in total Challenge and defend risk decisions
Addresses Questions
What assets require protection? What level of protection is needed? How might an asset be compromised? What is the impact if protection fails?
Components of Risk
a risk can be thought of as a cause-and-effect pair, where the threat is the cause and the resulting consequence is the effect. In this context, a threat is defined as a circumstance with the potential to produce loss, while a consequence is defined as the loss that will occur when a threat is realized
Analysis Team - Before
identify the organization's information security risks. analyze the risks to determine priorities. plan for improvement by developing a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to the organization's critical assets
Analysis (or other) Team - After
plan: how to implement the protection strategy and risk mitigation plans by developing detailed action plans (This activity can include a detailed cost-benefit analysis among strategies and actions, and it results in detailed implementation plans.) implement: the detailed action plans monitor: the action plans for schedule and for effectiveness (This activity includes monitoring risks for any changes.) control: variations in plan execution by taking appropriate corrective actions [plan-do-check-act]