Information Systems Risk Assessment Framework (ISRAF) (Addendum to NIST SP 800-39 information systems risk management and revision of NIST SP 800-30)
Prepared by S. Periyakaruppan (PK)
Need for an Addendum/Revision?
• Ensure a converged and integrated process
• Address the challenges in the traditional approach
• Adaptive and modular working model of information systems risk assessment
• Improve the organization's risk-based decisions
• Bring value addition to the business
Why should it get transformed?
• To make risk management an integral part of business management, project management and IT life cycle management.
• To facilitate a practical approach to addressing risk.
• To evolve a business-aligned approach.
• To tailor down the model from a domain-agnostic approach.
Does it need a Model/Framework?
• Evolve a descriptive process and systematic thinking
• Emerging business demand and process convergence
• Enhance communication among functional entities
• Invoke a result-oriented approach
• Predict results in the systematic model
Assessing risk – What & Why
• To identify the potential opportunity for a probable consequence of an adverse impact due to a weakness in the information systems.
• To support business with risk-based decisions.
• To identify external and internal threat exposures to an organization from a nation or another organization, and vice versa.
• To monitor the ongoing risk exposure of the organization.
• To observe the effectiveness of the information security program.
• To assist with metrics for information security program management.
Assessing risks – When
• During architecture development (organization, process and information system)
• During functional and business systems integration
• During all phases of the SDLC (systems acquisition and development life cycle)
• During acquisition of a new security or business/function solution
• During modification of mission-critical/business-critical systems
• During third-party vendor/product acquisition
• During decommissioning of systems/functions/groups of the organization
Risk Framing Model
• Determine the uncertainty of the risk and the associated risk constraints.
• Define the risk tolerance, priorities and tradeoffs.
• Determine the set of risk factors, the assessment scale and the associated algorithm for combining factors.
• Assist in precise risk communication and sketch out the boundaries of information system authorization.
• Enhance risk decisions with appropriate information.
• Incorporate de-duplication in the hierarchical risk management model.
• Determine the context of the entire risk assessment process/assessment/approach.
The Model/Framework
The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
(Diagram: Frame (CONTEXT) at the centre, surrounded by the Assess, Respond and Monitor functions, applied across three tiers.)
• Tier 1: Organizational
• Tier 2: Business/Functional Group
• Tier 3: Information Systems
The Focus: Assess, Respond, Monitor. Risk assessment is a key element of risk management.
Risk Assessment Process in a Modular Approach
• Preparation checklist
• Activity checklist
• Protocol to maintain appropriate results of risk assessments
• Method of communicating risk results across the organization
Strategy/Approach
Frame the risk
• Freeze the scope (organization risk frame)
• Context of the business/function to an information system
Freeze the method
• Determine the risk assessment methodology
• Determine the analysis approach
Define the risk model
• Define the risk factors and their relationships within the risk model
• Define the assessment and analysis approach for the framed risk model
Risk – Key Concepts
• Risk aggregate: consolidation of individual Tier 1/Tier 2/Tier 3 risks into cumulative risks to identify relationships among risks at various levels.
• Threat shifting: the dynamic variation in a threat source in response to the perceived countermeasures.
• Residual risk: the tolerable risk that remains after mitigation has reduced the level of adverse impact to the organization to the extent possible.
• Adversarial risk: risk that has an adverse effect due to adversarial threats.
• Adversarial threats: threats that have the intrinsic characteristic of direct adverse impact. Example: business operation interruption.
• Non-adversarial threats: threats that have no direct or immediate threat impact. Examples: exposure of system errors, competitive intelligence gathering.
Risk – Key Factors
• Threat event: a possible adverse impact through a potential circumstance/event to an organization from a nation or another organization, and vice versa.
• Threat source: the intent and the method of exploitation or attack vector.
• Likelihood: the probability of a threat becoming reality.
• Vulnerability: a flaw in an information system that can lead to a potential threat.
• Adverse impact: the negative consequences/damage leading to potential impact on the business/organization/nation as a result of an exercised vulnerability.
• Predisposing condition: the existing and known lack of controls/inadequate countermeasures in the available solution.
• Risk: a measure/unit of the extent to which an entity is threatened by a potential circumstance.
Assessing Risk – High Level Process
• Step 1: Prepare
• Step 2: Conduct
• Step 3: Communicate
• Step 4: Maintain
Prepare for Assessment – Risk Assessment Preparation
Identify the purpose
• Initial assessment? Re-assessment? Risk baseline determination?
Identify the scope
• The tiers (Org, BFP, IS) addressed
• Result validity period
• Decision-supporting assessment
• Factors influencing re-assessment
• Authorization boundary
• Regulatory requirements/constraints
Identify the assumptions and constraints
• Risk tolerance and priorities/tradeoffs
• Threat sources/events
• Vulnerabilities and predisposing conditions
• Uncertainty and analytical approach
• Likelihood of impacts
Identify the source of inputs
• Policy
• Process
• Procedure
• Reports
• External agencies
Identify the risk model (assessment and analysis approach)
• Defined risk factors
• Defined risk response
• Qualitative analysis
• Quantitative analysis
• Semi-quantitative analysis
Conducting Assessment
Step 1: Identify threat sources and events
• Intent, target, capability
• Capability of adversaries
• Range of effects
Step 2: Identify vulnerabilities and predisposing conditions
• Effect of existing controls
• Intentional/accidental flaw/weakness in system/process
Step 3: Determine likelihood of occurrence
• Depends on the degree of Step 1 and the effect of Step 2
Step 4: Determine magnitude of impact
• Result of the BIA
• Depends on effective BCP/DR
• MTTR/MTBF
• RTO/RPO
Step 5: Determine risk
• Risk is the combination of Step 3 and Step 4
Method of Risk Analysis
Threat oriented
• Identify threat sources and events
• Develop threat scenarios and models
• Identify vulnerabilities in the context of threats
Vulnerability oriented
• Identify predisposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities
Asset/Impact oriented
• Identify mission/business-critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact
Method of Risk Assessments
Qualitative
• Objective-oriented assessment
• Using non-numerical values to define risk factors
• Likelihood and impact with a definite value based on individual expertise
Quantitative
• Subjective-oriented approach
• Using numerical values to define risk factors
• Likelihood and impact with a definite number based on the history of events
Semi-quantitative
• Contextual analysis and result-oriented approach
• Using bin values (numerical ranges) with unique meaning and context
• Likelihood and impact derived from a range of numerical values with a degree of unique context
Sample Assessment Scale
(Table: sample Qualitative, Quantitative and Semi-Quantitative scales)
Caution: The assessment scales and their descriptive meanings vary from organization to organization, and within an organization, at the organization's discretion according to its culture, policies and guidelines.
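The semi-quantitative approach described above (bin values with unique meaning, with Step 3 likelihood and Step 4 impact combined into a Step 5 risk level), as a worked example in Python. This is added illustration code, not part of the original deck; the 0-100 bin boundaries and the likelihood/impact matrix are constructed assumptions in the style of NIST SP 800-30 Appendix I, and per the caution above an organization would substitute its own.

```python
from dataclasses import dataclass

# Semi-quantitative bins: each 0-100 range carries exactly one qualitative meaning.
# Constructed assumption in the style of NIST SP 800-30 Appendix I; an organization
# substitutes its own bins (see the caution on the sample assessment scale).
BINS = [  # (low, high, level)
    (0, 4, "Very Low"),
    (5, 20, "Low"),
    (21, 79, "Moderate"),
    (80, 95, "High"),
    (96, 100, "Very High"),
]
LEVELS = [level for _, _, level in BINS]

# Step 5: risk as the combination of likelihood (row) and impact (column).
# Constructed matrix; the organization's risk frame defines the real one.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def to_bin(score: int) -> str:
    """Map a 0-100 semi-quantitative score to the bin that gives it meaning."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range 0-100: {score}")
    for low, high, level in BINS:
        if low <= score <= high:
            return level
    raise AssertionError("BINS must cover 0-100 without gaps")

def risk_level(likelihood: int, impact: int) -> str:
    """Combine the Step 3 likelihood score and Step 4 impact score into a risk level."""
    return RISK_MATRIX[to_bin(likelihood)][LEVELS.index(to_bin(impact))]

@dataclass
class ThreatEvent:
    name: str
    likelihood: int  # Step 3 score, 0-100
    impact: int      # Step 4 score, 0-100 (e.g. from the BIA / RTO analysis)

def assess(events):
    """Rank threat events by risk level, highest first, for communicating results."""
    ranked = [(e.name, risk_level(e.likelihood, e.impact)) for e in events]
    return sorted(ranked, key=lambda r: LEVELS.index(r[1]), reverse=True)
```

Feed `assess()` a list of `ThreatEvent` records scored in Steps 3 and 4; the ranked output is the prioritized risk list the Communicate step presents to stakeholders.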
Communicate Result
Determine the appropriate method of communication
• Format defined by the organization
• Executive briefings
• Presenting illustrative risk figures
• Risk assessment dashboards
• Outline the organization's prioritized risks
Communicate to the designated organizational stakeholders
• Identify the appropriate authority
• Ensure the right information reaches the right person at the right time
• Present contextual information in accordance with the risk strategy
Furnish evidence complying with organizational policies and guidelines
• Capture appropriate analysis data supporting the result
• Include applicable supporting documents to convey the degree of the results
• Identify and document the source of internal and external information
Maintain Risk Posture
Identify key risk factors
• Monitor the key risk factors
• Document the variations
• Re-define the key risk factors
Define the frequency of revisit
• Track the risk response as required
• Initiate the assessment when needed
• Communicate the results to organizational entities
Reconfirm the scope and assumptions
• Get the concurrence of appropriate authorities on scope and assumptions
• Document the plan of action with respect to the risk response
Applications of Risk Assessment
Organization (Tier 1)
• Information risk strategy decisions
• Contribute to EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions
• Help with risk response: avoid/accept/mitigate/transfer
• Investment decisions: ROSI (Return on Security Investment)/VAR (Value at Risk)/ALE (Annual Loss Expectancy)
Functional/business (Tier 2)
• Support EA (Enterprise Architecture) integration into SA
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements
Information Systems (Tier 3)
• Contribute to IS systems design decisions
• Support vendor/product decisions
• Support ongoing system operations authorizations
Risk Assessment in the RMF Life Cycle
1. Categorize: the initial risk assessment at Tier 1 supports strategic-level security categorization.
2. Select: categorization decides the security baseline, which in turn assists in appropriate selection.
3. Implement: supports selective implementation based on identified vulnerabilities and predisposing conditions.
4. Assess: supports actual implementation risk reports in Tier 3 to reveal and assess the risk posture.
5. Authorize: furnishes risk-based decisions to the authority in all tiers.
6. Monitor: supports continuous improvement of risk management through Tier 3 assessments.
Organizational Cultural Effects on Risk Assessment
• Risk models differ based on priorities and tradeoffs with respect to the predisposing conditions of the organizational culture.
• Whether risk factors are determined and valued as constant values or through a qualitative approach depends on organizational culture.
• The choice of risk assessment approach and analysis approach depends on organizational culture.
• The assessment and analysis approach may vary within an organization across different tiers.