cisspills #3.04

DOMAIN 3: Information Security Governance and Risk Management # 3.04

Upload: pierluigi-falcone

Post on 07-Jul-2015


DESCRIPTION

CISSPills are short presentations covering topics to study in order to prepare for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be just another companion for self-paced students. Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains which make up the CISSP. IN THIS ISSUE: Domain 3: Information Security Governance and Risk Management - Security Management - Risk Management - Risk Assessment - Risk Analysis - Information Risk Management Policy - Risk Assessment Methodologies - Risk Analysis Approaches - Steps of a Quantitative Risk Analysis - Control Selection - Total Risk vs Residual Risk - Risk Handling

TRANSCRIPT

Page 1: CISSPills #3.04

DOMAIN 3: Information Security Governance and Risk Management

# 3.04

Page 2: CISSPills #3.04

Table of Contents

- Security Management
- Risk Management
- Risk Assessment
- Risk Analysis
- Information Risk Management Policy
- Risk Assessment Methodologies
- Risk Analysis Approaches
- Steps of a Quantitative Risk Analysis
- Control Selection
- Total Risk vs Residual Risk
- Risk Handling

Page 3: CISSPills #3.04

Security Management

Security management includes all the activities needed both to keep a security program running and to maintain it. It aims at continuously protecting the organisation's assets and resources and incorporates processes, procedures, risk management, security controls and awareness.

Security management ensures that policies, standards and guidelines are implemented in a way that allows business to be conducted within an acceptable level of risk.

Page 4: CISSPills #3.04

Risk Management

Risk refers to the likelihood that damage can occur and the impact it can have. Risk management is the process of identifying, assessing and minimising risks to an acceptable level.

Risk can never be fully eliminated; there will always be a residual risk. Risk management focuses on coping with risks so that they are reduced to a level tolerated by the organisation.

Organisations operating in regulated environments (e.g. the financial or healthcare industries) or subject to specific laws need to take these requirements into account with regard to risk management and security governance.

Risk management is split into two steps:

- Risk Assessment
- Risk Analysis

Page 5: CISSPills #3.04

Risk Assessment

Risk assessment is a method to identify vulnerabilities and threats and then assess their possible impact, in order to determine the security controls to put in place.

Once the threats and the vulnerabilities have been identified, the ramifications deriving from their exploitation shall be investigated. Risks can have:

- Loss potential: what the company can lose if the threat agent manages to exploit a vulnerability;
- Delayed loss: a secondary consequence not directly related to the vulnerability being exploited, but equally impacting the organisation and its business (e.g. bad reputation after a breach).

Page 6: CISSPills #3.04

Risk Analysis

Risk analysis helps to prioritise risks, so that the most critical are addressed first. It also shows the amount of resources needed to protect against a specific risk.

It provides a cost/benefit analysis, which compares the cost deriving from the occurrence of a threat with the annualised cost of the safeguard to implement.

A proper analysis allows one to understand whether a countermeasure is worth implementing. Typically, in fact, it makes no sense to implement a control that costs more than the loss derived from the occurrence of the threat.

Ideally, the risk analysis team should include people coming from different departments of the organisation, in order to have a comprehensive picture of the risks within the enterprise. Alternatively, the team needs to interview people working in other departments to make sure other standpoints are captured.

Page 7: CISSPills #3.04

Information Risk Management Policy

To be successful, a risk management process needs to be supported by executive management, and needs a documented process, an information risk management (IRM) team and an IRM policy.

The information risk management policy is very important, as it is the tool that provides the IRM team with guidance on how to carry out a proper risk management activity within the organisation. For example, the policy describes:

- The objective of the IRM team;
- The acceptable level of risk for the organisation;
- The risk identification process;
- The responsibilities of the IRM team;
- The metrics used to measure the effectiveness of the controls.

Page 8: CISSPills #3.04

Risk Assessment Methodologies

There are a number of risk assessment methodologies, each of them having specific characteristics. There isn't a 'one size fits all' approach, and the choice really depends on the particular requirements of an organisation.

For example, organisations implementing a security program compliant with the ISO 27001 standard should use the ISO 27005 standard, which describes how risk management should be undertaken within an ISMS.

NIST 800-30, which focuses mainly on IT, is instead considered a U.S. federal standard and fits governmental organisations better.

Page 9: CISSPills #3.04

Risk Analysis Approaches

Risk analysis can be carried out following two different approaches:

- Quantitative analysis: this analysis assigns numeric values to the loss, to the likelihood of a threat occurring and to the extent of the damage in the event of a loss. These figures are entered into equations to determine total and residual risk;
- Qualitative analysis: this analysis doesn't use numeric values. It assigns a rating to the risk (e.g. High, Medium, Low) to convey its criticality. The team members rely on scenarios to determine the different risks and their severity, and make use of brainstorming sessions, checklists, questionnaires, storyboards, etc. to walk through the risk analysis. The analysis relies a lot on the experience, intuition and judgement of the people involved in the assessment.

Page 10: CISSPills #3.04

Steps of a Quantitative Risk Analysis

The equations most used in a quantitative risk analysis are Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE).

SLE provides a dollar amount for a single occurrence of a threat.

SLE ($$$) = Asset Value (AV) x Exposure Factor (EF)

- AV = value of the asset
- EF = the percentage of damage to the asset when the threat takes place.

ALE ($$$) = SLE x Annualized Rate of Occurrence (ARO)

- ARO = likelihood that the threat takes place over a period of one year. It can range from 0.0 (never) to 1.0 (once a year), with any value in between (e.g. once in 10 years is 1/10 = 0.1).

With the ALE a company knows how much it can spend to protect the asset against a specific threat.

Page 11: CISSPills #3.04

Control Selection

A control must be cost-effective, that is, its cost shall not exceed the value of the loss derived from the threat it is trying to address.

A cost/benefit analysis allows one to estimate whether the cost of the control outweighs its benefits. An equation typically used is:

ALE pre control implementation - ALE post control implementation - annualized cost of the control

The cost of the control needs to include all the expenses related to its purchase, implementation, maintenance, etc. For example, if the control were a firewall, the cost shouldn't take into account only its price, but also the cost of the training, the cost of the licence, the cost of the people implementing the solution and so forth.
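The SLE/ALE equations and the control cost/benefit test from the two slides above, carried through as a worked example. This is added code, not part of the CISSPills slides; the web-server figures, the firewall's effect on EF and ARO, and the cost breakdown are all constructed for illustration.

```python
# Added worked example, not taken from the CISSPills slides: the SLE / ALE
# equations and the cost/benefit test for control selection described on
# the two slides above. All figures below are constructed for illustration.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF; EF is the fraction of the asset value lost per occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a percentage between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO; ARO 0.1 means the threat is expected once in ten years."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def annualized_control_cost(purchase, useful_life_years, implementation,
                            training, annual_license, annual_maintenance):
    """Full annual cost of a control: one-off costs (purchase, implementation,
    training) spread over its useful life, plus the recurring licence and
    maintenance costs, as the Control Selection slide requires."""
    one_off = purchase + implementation + training
    return one_off / useful_life_years + annual_license + annual_maintenance


def control_value(ale_before, ale_after, annual_cost):
    """(ALE before control) - (ALE after control) - (annualized control cost).
    A positive result means the control is cost-effective."""
    return ale_before - ale_after - annual_cost


def evaluate_firewall_scenario():
    """Constructed scenario: a web server worth 100,000 facing a threat that
    destroys 40% of its value and is expected every two years (ARO 0.5)."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(100_000, 0.4), 0.5)
    # The hypothetical firewall cuts EF to 10% and ARO to once in four years.
    ale_after = annualized_loss_expectancy(single_loss_expectancy(100_000, 0.1), 0.25)
    cost = annualized_control_cost(purchase=15_000, useful_life_years=5,
                                   implementation=3_000, training=2_000,
                                   annual_license=3_000, annual_maintenance=1_000)
    value = control_value(ale_before, ale_after, cost)
    return {"ale_before": ale_before, "ale_after": ale_after,
            "annual_cost": cost, "value": value, "cost_effective": value > 0}


if __name__ == "__main__":
    for name, figure in evaluate_firewall_scenario().items():
        print(f"{name}: {figure}")
```

With the constructed figures the firewall saves 17,500 per year in expected loss for an annual cost of 8,000, so the equation returns a positive value; the same control at 25,000 per year would return a negative one and fail the test.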

Page 12: CISSPills #3.04

Total Risk vs Residual Risk

As said before, a control is not able to completely eliminate a risk. Even if a safeguard is put in place, a residual risk will still exist. The important thing is that such risk doesn't exceed the level of risk the organisation deems acceptable.

Total Risk = Threats x Vulnerability x Asset Value

Residual Risk = Threats x Vulnerability x Asset Value x Control Gap

- Control Gap = the protection that the control can't provide

An alternative way to describe the residual risk is:

Residual Risk = Total Risk - Countermeasure

The formulas above are only a conceptual representation of the relationship between the entities making up risk, and are useful to understand the items involved in total and residual risk.

Page 13: CISSPills #3.04

Risk Handling

An organisation can choose to handle a risk in one of the following ways:

- Accept: the organisation decides it can 'live' with the identified risk and no further action is taken;
- Transfer: the risk is deemed too high or too costly to be mitigated using a control, and for this reason it is transferred to another entity (e.g. an insurance company);
- Avoid: the organisation decides to eliminate the element that poses the risk, in order to consequently avoid the risk;
- Mitigate: the organisation decides to implement a control which allows the risk to be reduced to an acceptable level.

An organisation can choose one of the four options seen above depending on the context. All of them, unlike rejecting or ignoring the risk, are ways of coping with it.

Page 14: CISSPills #3.04

That's all Folks!

We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.

For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> outlook <dot> com

More resources:

Stay tuned on for the next issues;

Join ”CISSP Study Group Italia” if you are preparing your exam.

Brought to you by Pierluigi Falcone. More info about me on

Contact Details