The goal of risk management is to identify potential problems before they emerge; usually, they arise regardless. It helps IT managers balance CAPEX/OPEX costs in the organization, take protective measures, and gain greater control.
Risk management comprises three processes: risk assessment, risk mitigation, and risk evaluation. Risk management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measures and the enforced security policy. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues.
Risk = (Vulnerability × Threat) / Countermeasure
The standard risk assessment methodologies form part of a risk management and assessment process depicted below in the figure which enables an organization to effectively identify, assess, and treat risks.
The risk is the product of likelihood and impact:
Risk = Likelihood × Impact
The measure of an IT risk can be determined as a product of threat, vulnerability, and asset values:
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that a threat's exercise of a vulnerability could cause.
The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).
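The likelihood-times-impact scoring described above, as an added example that is not from the original post: a small risk register scored on the qualitative likelihood and impact scales and the risk-level thresholds of NIST SP 800-30 (2002), Table 3-6. The register entries and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scale values from NIST SP 800-30 (2002), Table 3-6
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def score(risk: Risk) -> float:
    """Risk = Likelihood * Impact on the SP 800-30 numeric scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def level(value: float) -> str:
    """Map a numeric score to the SP 800-30 risk level:
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def prioritise(register):
    """Return (score, level, risk) tuples, highest risk first,
    i.e. the order in which treatment should be planned."""
    scored = [(score(r), level(score(r)), r) for r in register]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample register (hypothetical assets, threats and weaknesses)
REGISTER = [
    Risk("payroll DB", "external attacker", "unpatched DBMS", "high", "high"),
    Risk("intranet wiki", "insider", "weak password policy", "medium", "low"),
    Risk("backup tapes", "theft", "unencrypted media", "low", "high"),
]

if __name__ == "__main__":
    for s, lvl, r in prioritise(REGISTER):
        print(f"{lvl:6} {s:6.1f}  {r.asset}: {r.threat} via {r.vulnerability}")
```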
The risk assessment method encompasses nine primary steps, which are described in the sections below. This functional model is derived from the NIST SP 800-30 framework.
System characterization:
Characterizing an IT system establishes the scope of the risk assessment effort.
This step covers the system-related information used to characterize an IT system and its operational environment, and the information-gathering techniques that can solicit information relevant to the IT system's processing environment. The method described in this document can apply to assessments of single or multiple, interrelated systems.
Information Assets of the IT system:
Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows:
For a system that is in the initiation or design phase, system information can be derived from the design or requirements document. For an IT system under development, it is necessary to define the key security rules and attributes planned for the future IT system. The system description is therefore based on the security provided by the underlying infrastructure or on future security plans for the IT system.
— — — — — — — — — — — THE END — — — — — — — — — — — —
Quote of the day:
“Don’t count your chickens before they’re hatched”
Meaning: don’t be too confident in anticipating success or good fortune before it is certain.
Thanks for reading!
Have a pleasant day!
Also published at https://medium.com/faun/risk-assessment-management-framework-and-its-structure-2914252ad6f0