Risk Management for Information Security | Set-1
Prerequisite – Threat Modelling
A risk is the intersection of assets, threats and vulnerabilities:
A+T+V = R
NIST SP 800-30 Risk Management Guide for Information Technology Practitioners defines risk as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
So the main components of Risk Assessment are:
- Impact (i.e. potential loss)
- Likelihood of occurrence (i.e. the probability that an event, a threat successfully exploiting a vulnerability, will occur)
A threat is anything that can exploit a vulnerability, accidentally or intentionally, and destroy or damage an asset. An asset can be anything: people, property or information. The asset is what we are trying to protect, and the threat is what we are trying to protect against. A vulnerability is a gap or weakness in our protection efforts.
A threat source is a method or situation that exploits a vulnerability, either intentionally or unintentionally. For example, consider malicious software such as a virus or worm that spreads itself through the system and to other computers via email, carrying the malware either as an attachment or as a link. If the sender shares this email without knowing the malicious purpose of the attachment or link, this is an unintentional threat source; otherwise it is an intentional threat source.
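The definitions above come together in a small risk register. This is an added example, not code from the article: it joins assets, threats and vulnerabilities (A+T+V = R) so that a risk is recorded only where a threat source can actually exercise a weakness, then scores each entry with the likelihood and impact ratings from NIST SP 800-30 (high/medium/low mapped to 1.0/0.5/0.1 and 100/50/10, product placed on the Low/Medium/High scale). The asset, threat and vulnerability names are constructed for illustration.

```python
from dataclasses import dataclass

# Ratings and risk scale as given in NIST SP 800-30: risk = likelihood x impact.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

def risk_level(score):
    """Place a likelihood x impact product on the NIST Low/Medium/High scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # chance that the threat source exercises the vulnerability
    impact: str      # size of the loss to the organization if it does

    def score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self):
        return risk_level(self.score())

def identify_risks(vulnerabilities, threats):
    """A + T + V = R: record a risk only where a threat source can exercise a
    vulnerability present in an asset; an unexercisable weakness yields none."""
    register = [Risk(v["asset"], t["name"], v["id"], t["likelihood"], v["impact"])
                for v in vulnerabilities for t in threats if v["id"] in t["exercises"]]
    # Ranked highest first, the order the risk evaluation step wants to see.
    return sorted(register, key=lambda r: r.score(), reverse=True)

# Constructed sample input (hypothetical, not from the article).
VULNS = [
    {"id": "unpatched-mail-gateway", "asset": "mail server", "impact": "high"},
    {"id": "no-attachment-scanning", "asset": "user workstations", "impact": "medium"},
    {"id": "legacy-printer-firmware", "asset": "print server", "impact": "low"},
]
THREATS = [
    {"name": "worm spread by email attachment", "likelihood": "high",
     "exercises": ["unpatched-mail-gateway", "no-attachment-scanning"]},
    {"name": "careless forwarding by staff", "likelihood": "low",
     "exercises": ["no-attachment-scanning"]},
]

for r in identify_risks(VULNS, THREATS):
    print(f"{r.level():6} {r.score():6.1f}  {r.asset}: {r.threat} via {r.vulnerability}")
```

The print server weakness produces no register entry because no listed threat source can exercise it, which is the intersection point of A+T+V in action.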
The complete process of handling risk can be divided into the following stages:
- Context Establishment
- Risk Assessment
  - Risk Identification
  - Risk Estimation
  - Risk Evaluation
- Risk Management/Mitigation
  - Risk Assumption
  - Risk Avoidance
  - Risk Limitation
  - Risk Planning
  - Research and Acknowledgement
  - Risk Transference
- Risk Communication
- Risk Monitoring and Review
- IT Evaluation and Assessment
1. Context Establishment –
In this step, information about the organization and the basic criteria, purpose, scope and boundaries of the risk management activities is obtained. In addition, it is important to gather details about the organization in charge of the risk management activities.
The organization's mission, values, structure, strategy, locations and cultural environment are studied to gain a deep understanding of its scope and boundaries.
The constraints (budgetary, cultural, political, technical) of the organization are collected and documented as a guide for the next steps.
The main roles inside the organization in charge of risk management activities are:
- Senior Management
- Chief information officer (CIO)
- System and Information owners
- Business and Functional Managers
- Information System Security Officer (ISSO) or Chief Information Security Officer (CISO)
- IT Security Practitioners
- Security Awareness Trainers