O-ISM3 Risk Assessment
By vicente-aceituno
Transcript of O-ISM3 Risk Assessment
© Inovement Spain 2013
Existing risk assessment methods: ISM-RA, AU IT SB, FAIR, MAGERIT, CRAMM, Dutch A&K, EBIOS, ISAMM, ISO27005, MARION, MEHARI, MIGRA, OCTAVE, SP 800-30, ISF, Canadian RM Guide, etc.
ISO27005 process: Establish Context; Risk Assessment, consisting of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision point "Acceptable results?" (if not, iterate); Risk Treatment; decision point "Accept risk?" (if not, iterate); Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside every step.
RA Method Design. Design dimensions of a risk assessment method: Scope; Depth; Model; Threat Taxonomy; Threat Likelihood (Threats Frequency, Likelihood); Asset Value (Impact, Assets Value, Cost); Weaknesses; Countermeasures and the Controls/Processes Taxonomy; Exposure. For each choice the question is: Correct? Useful?
Scope (What is in, What is out). Goals: organization wide.
The more choice on the side of the certificate aspirant, the less value in the certification.
The wider the scope, the higher the cost.
ISM3-RA uses the scope of whole companies.
Complexity: Likelihood × Threats × Vulnerabilities × Countermeasures × Asset Value × Exposure = N^6 (six factors, each with N possible values, give N^6 combinations).
Correct? Useful?
Anyone can create a "correct" RA method. But, is it useful?
[Chart: Utility, bars HIGH / MEDIUM / LOW on a scale of 100 to 300.]
Utility – Added Value
What are we learning that we don't know already? (Non-banal analysis)
What are the important threats to the organization?
What should I do?
How safe am I? / How likely is it that an incident will happen?
How much will I lose this year?
How much should I invest this year?
Utility Challenges
Lack of real data. Are opinions valid data?
Mixing opinions with arithmetic is a bit like mixing magic and physics.
The higher the investment, the lower the risk.
Return on investment is always positive.
Risk assessment can be difficult and expensive.
Inherent Limitations: Quantitative vs. Qualitative
Quantitative RA: Risk = Impact × Probability
[Chart: Expected Loss [$] on the vertical axis, from 0 up to the accounting value of the company, with last year's losses ($ per year) marked; Probability [% / year] on the horizontal axis, from 0 to 100, with the probability of discontinuation of the company per year marked.]
Model
No model.
Assets (mostly technical): servers, databases, networks, etc. (purely technical).
ISM3-RA uses Environments and Business Functions.
Depth (Level of Detail)
The higher the level of detail, the more complex and costly.
The depth should match the kind of decisions we want to support.
ISM3-RA uses management-level depth.
Management-level model:
Business (Components, Relationships, States) is modelled as Business Functions.
Information Technology (Components, Relationships, States) is modelled as Environments.

Business Functions
Every business function exists and has a different importance in every company.
Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics.
Environments
You can't meaningfully model a company as a set of servers, applications or "assets".
On the other hand, an environment has a visible head: someone who will be responsible for carrying out the action plan.
Example environments: Host, SSCC, Terceros (third parties), SSAA, Oficinas (offices), Usuarios Móviles (mobile users), Personal (staff).
Dependencies (ISM3-RA)
[Matrix: the business functions (Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics) against the environments (Host, SSCC, Terceros, SSAA, Oficinas, Usuarios Móviles, Personal), recording which business functions depend on which environments.]
Threats
There is no widely accepted list of threats at any level of detail.
There are no reliable estimations of the probability of threats.
Threat Taxonomy: pretty long lists.
Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc.
Against Confidentiality, against Integrity, against Availability, et al.
ISM3-RA:
1. Destruction, corruption or loss of valid information.
2. Failure to destroy expired information.
3. Improper use of authorized access.
4. Improper recording of access.
5. Unauthorized access, eavesdropping, theft and disclosure of information.
6. Underperformance, interruption of service and failure of authorized access.
7. Aging of information and outdated systems.
Threat Likelihood
Normally there is not enough data to know how likely a threat is.
The multiplicity and evolution of threats make the likelihood of threats very difficult to model.
ISM3-RA uses a qualitative scale of likelihood (from very high to very low).
Impact (Euros; High – Medium – Low; Confidentiality – Integrity – Availability; etc.)
Asset Value
Euros.
High – Medium – Low.
Magerit: availability, integrity, confidentiality, authenticity, traceability.
ISM3-RA uses "The more important Business Functions depend on Environments, the more valuable".
Controls (ISO27001, PCI DSS, NIST, ISM3, etc.)
Controls / Process Taxonomy
ISO 27002 Controls, PCI DSS Controls, Cobit Controls, Custom Made Lists, etc.
ISM3-RA uses ISM3 Processes.
Mix
Results (7, another number, "good", "better", an action plan, or a dashboard), e.g. High / Medium / Low.
[Chart (ISM3-RA): Relative Weight of Business Functions. One bar per business function (Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics); scale 0 to 120.]
[Chart (ISM3-RA): Relative Protection per Environment. One bar per environment (Internet, SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles, Personal); scale 0.0 to 0.8.]
[Chart (ISM3-RA): Relative Environment Criticality. Same environments; scale 0 to 12000.]
[Chart (ISM3-RA): Risk to Environment. Environments SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles, Personal; scale 0.0 to 1.8.]
[Chart (ISM3-RA): Risk to Technical Environment per Threat. Environments SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles; scale 0 to 8; one series per threat: (1) improper recording of access to information or systems (anon or otherwise); (2) unauthorized access, eavesdropping, theft and disclosure of information or systems, and improper use of authorized access to information or systems; (3) failure to destroy expired information or systems, and failure to stop systems at will; (4) underperformance or interruption of valid system services, and failure of authorized access; (5) aging of information and outdated systems; (6) destruction, corruption or loss of valid information or systems.]
[Chart (ISM3-RA): Relative Reliance on Environments. Environments Host, SSCC, Terceros, SSAA, Oficinas, Usuarios Móviles, Personal; scale 0 to 16000.]
[Chart (ISM3-RA): Risk per Business Function. One bar per business function, with one series per environment (Personal, Usuarios Móviles, Terceros, SSAA, Host, Oficinas, SSCC); scale 0.0 to 2.5.]
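As an added worked example (not code from Inovement or the O-ISM3 method), here is one assumed arithmetic for the roll-up that the asset-value rule and the charts above describe: environment criticality from business-function weights and the dependency matrix, risk per environment from criticality, exposure (taken as 1 minus relative protection) and the qualitative likelihood of each ISM3-RA threat, and risk rolled back per business function. The formulas, the numeric likelihood scale and all sample data are constructed assumptions; the slides give only the chart titles.

```python
# Added example (not Inovement's or the O-ISM3 method's own code): an assumed
# arithmetic reading of the ISM3-RA roll-up implied by the chart titles. The
# formulas and every number below are constructed assumptions.

# Qualitative likelihood scale from the slides, mapped to numbers (assumption).
LIKELIHOOD = {"very high": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25, "very low": 0.1}
# The seven ISM3-RA threats (abbreviated) with constructed qualitative ratings.
THREATS = {
    "destruction, corruption or loss of valid information": "medium",
    "failure to destroy expired information": "low",
    "improper use of authorized access": "high",
    "improper recording of access": "medium",
    "unauthorized access, eavesdropping, theft and disclosure": "high",
    "underperformance, interruption, failure of authorized access": "very high",
    "aging of information and outdated systems": "low",
}

# Constructed inputs: business-function weights (0-120 scale as in the chart),
# dependency of each function on each environment (0..1), and the relative
# protection of each environment (0..1). Environment names follow the slides.
WEIGHTS = {"Sales": 100, "Production": 80, "Legal": 20}
DEPENDS = {
    "Sales":      {"Host": 1.0, "Oficinas": 0.5, "Usuarios Moviles": 1.0},
    "Production": {"Host": 1.0, "Oficinas": 0.0, "Usuarios Moviles": 0.0},
    "Legal":      {"Host": 0.5, "Oficinas": 1.0, "Usuarios Moviles": 0.0},
}
PROTECTION = {"Host": 0.8, "Oficinas": 0.5, "Usuarios Moviles": 0.0}

def environment_criticality(weights, depends):
    """Asset value rule: the more important functions depend on it, the more valuable."""
    envs = next(iter(depends.values()))
    return {e: sum(weights[f] * depends[f][e] for f in weights) for e in envs}

def risk_to_environment(criticality, protection, threats):
    """Risk per environment and threat; exposure is taken as 1 - relative protection."""
    return {e: {t: crit * (1 - protection[e]) * LIKELIHOOD[rating]
                for t, rating in threats.items()}
            for e, crit in criticality.items()}

def risk_per_business_function(depends, env_risk):
    """Roll environment risk back onto the functions that rely on each environment."""
    total = {e: sum(per_threat.values()) for e, per_threat in env_risk.items()}
    return {f: sum(d * total[e] for e, d in deps.items()) for f, deps in depends.items()}

if __name__ == "__main__":
    env_risk = risk_to_environment(environment_criticality(WEIGHTS, DEPENDS), PROTECTION, THREATS)
    for f, r in sorted(risk_per_business_function(DEPENDS, env_risk).items(), key=lambda kv: -kv[1]):
        print(f"{f:12s} {r:8.1f}")  # Sales 622.0, Legal 216.0, Production 152.0
```

With these inputs the unprotected Usuarios Moviles environment carries most of the risk, and Sales, which relies on it, tops the per-function chart even though Host has the highest criticality.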
[Dashboard slides (ISM3-RA): the business functions (Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics) against the environments Internal Network, DMZ, Mobile Users, Internal Users and WiFi Networks.]
Dashboard?
Information Security that makes Business Sense
inovement.es/oism3
Web: www.inovement.es
Video Blog: youtube.com/user/vaceituno
Blog: ism3.com
Twitter: twitter.com/vaceituno
Presentations: slideshare.net/vaceituno/presentations
Articles: slideshare.net/vaceituno/documents