
Upload: lexuyen

Post on 21-Aug-2018


Page 1: ISF IRAM2 Executive Summary - securityforum.org

IRAM2

MANAGING INFORMATION RISK IS A BUSINESS ESSENTIAL

As information risks and cyber security threats increase, organisations need to move away from reacting to incidents toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout your enterprise is a business essential.

The ISF solution: IRAM2, a methodology to meet today’s challenges.

IRAM2 helps information risk practitioners, as well as other risk, business and technology leaders to:

‒ Apply a simple, practical, yet rigorous approach: focus on simplicity and practicality, while embedding rigour throughout the assessment process. This enables consistent results and a depth of analysis that enhances business decision making.

‒ Focus on the business perspective: guide information risk practitioners’ analysis so that information risk is assessed from the perspective of the business. The end result is a risk profile that reflects a view of information risk in business terms.

‒ Obtain a greater coverage of risks: enable a broader and more comprehensive risk coverage, thereby reducing the chance that a significant risk will be overlooked.

‒ Focus on the most significant risks: allow key business and technology stakeholders to obtain a clear picture of where to focus resources, in order to deal with information risks that are most significant to the organisation.

‒ Speak a common language: provide a common vocabulary and framework, enabling information risk practitioners and management to form a unified view of information risk across different areas of the business and better integrate into enterprise risk management.

‒ Engage with key stakeholders: empower information risk practitioners to engage with key business, risk and technology stakeholders in an organised and enterprise-aware manner.

IRAM2 is supported by four IRAM2 Assistants, each accompanied by a practitioner guide, that help automate one or more phases of the methodology.

Summary Tool


Information Security Forum • IRAM2

IRAM2: The next generation in assessing information risk

Evaluate risk against your organisation’s risk appetite

IRAM2 provides pragmatic guidance to help evaluate risks following the business impact assessment, threat profiling and vulnerability assessment stages. Risk practitioners use this phase to map the likelihood of successful threat events to the most appropriate business impact scenario and to link this into an organisation’s wider enterprise risk framework.

Risk Evaluation (phase E)

Figure: risk evaluation heat map plotting residual likelihood against residual business impact, with each cell shaded by the number of risks it contains (key: 1-2 risks, 3-4 risks, 5-9 risks, 10+ risks).

Provide a business-centric view of risk

IRAM2 provides guidance for scoping information risk assessments across both the business and technology. Risk practitioners use this phase to provide an integrated view of risk from the business service layer down to the technology infrastructure.

Scoping (phase A)

Figure: scoping diagram showing Business process 1 and Business process 2 (input, processing, output), the applications that support them, the supporting services (asset management, change management, capacity management, incident management) and the underlying servers and database.

Assess realistic and worst-case business impact scenarios

IRAM2 provides guidance for identifying and assessing business impacts. Risk practitioners use this phase to determine the potential business impact should information assets or systems have their confidentiality, integrity or availability compromised.

Business Impact Assessment (phase B)

The IRAM2 information risk assessment methodology is set out in six phases. Each phase details the steps and key activities required to achieve the phase objectives, as well as identifying the key information risk factors and outputs.

Understand how well your environment/systems can resist threats

IRAM2 provides guidance for performing an assessment of vulnerabilities that influence the likelihood of a threat event being successful. Risk practitioners use this phase to examine the extent of relevance and implementation of key controls that will help to determine control strength.

Vulnerability Assessment (phase D)

Figure: vulnerability assessment worksheet with the columns example threat events, control reference, control name, control effectiveness and control strength.

Example threat events: unauthorised monitoring and/or modification of communications; exploit vulnerabilities in an organisation’s information systems; software malfunction (internally produced software); loss of information systems; power failure or fluctuation; flooding.

Control names shown: secure network design; event logging and monitoring; IDS/IPS; secure standardised system builds; wireless network security; security awareness; physical security; encryption (communications); security testing.

Control effectiveness as shown: CTL01 Effective; CTL03 Partially effective; CTL04 Ineffective; CTL05 Effective; CTL06 Effective; CTL07 Partially effective; CTL10 Partially effective; CTL11 Partially effective; CTL18 Ineffective. Control strength shown: Low.

Example components: Component A, Component B, Component C, Component D, Component E.

Figure: calculated versus moderated control strength.

IRAM2 control number | IRAM2 control | Calculated control strength | Moderated control strength
1 | Information... | High | High
2 | Users should... | Moderate | Low
3 | The duties of... | High | High
4 | Staff working... | Low | Low
5 | Staff working in... | Negligible | Low
6 | IT staff should... | Negligible | Negligible
7 | Business users... | High | High
8 | Business users... | Low | Low
9 | Classified information... | Moderate | High

Impact rating

Impact categories are rated on a four-point scale: Negligible, Low, Moderate, High.

Impact category: Financial
• Negligible: negligible loss in sales, orders or contracts (< 1%); negligible direct financial loss/profit reduction (< $10K)
• Low: minor loss in sales, orders or contracts (< 5%); minor direct financial loss/profit reduction (< $100K)
• Moderate: moderate loss in sales, orders or contracts (< 10%); moderate direct financial loss/profit reduction (< $500K)
• High: significant loss in sales, orders or contracts (> 10%); significant direct financial loss/profit reduction (> $500K)

Impact category: Operational
• Negligible: negligible/insignificant loss of management’s ability to effectively govern or operate the organisation
• Low: minor loss of management’s ability to effectively govern or operate the organisation (e.g. limited impairment in decision making)
• Moderate: moderate loss of management’s ability to effectively govern or operate the organisation (e.g. noticeable impairment)
• High: significant loss of management’s ability to effectively govern or operate the organisation (e.g. serious impairment)

Impact category: Legal and Regulatory Compliance
• Negligible: negligible impact on organisational operations, or relationship with regulator(s)
• Low: minor impact on organisational operations, or relationship with regulator(s)
• Moderate: moderate impact on organisational operations, and loss of confidence from key regulators
• High: significant impact on organisational operations, and serious loss of confidence from regulators

Impact category: Reputational
• Negligible: negligible/insignificant negative publicity; customer complaints within normal levels
• Low: low levels of short-term negative publicity (e.g. local media coverage); marginal increase in customer complaints
• Moderate: moderate levels of sustained negative publicity; significant increase in customer complaints
• High: significant levels of sustained negative publicity; significant increase in customer complaints

Impact category: Health and Safety
• Negligible: negligible/insignificant injury to one individual
• Low: minor injury or discomfort to one individual
• Moderate: significant injury to an individual or small group
• High: severe injury or loss of life to one or more individuals
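The following is an added worked example, not ISF code and not part of the IRAM2 report. It takes the financial thresholds from the impact rating table above, rates a scenario against them, and then builds the residual likelihood against residual business impact grid that the Risk Evaluation phase produces, flagging the risks that sit outside a risk appetite. The likelihood scale, the risk appetite representation, the rule of keeping the worse of the two financial criteria, and the sample portfolio are all assumptions made for the example; the summary only names these concepts without specifying them.

```python
"""Added worked example (not ISF code): rate financial impact with the
thresholds from the impact rating table, build the residual likelihood x
residual business impact grid of the Risk Evaluation phase, and flag risks
outside an assumed risk appetite."""
from collections import Counter
from dataclasses import dataclass

# Four-point scale used by the impact rating table on the page.
RATINGS = ["Negligible", "Low", "Moderate", "High"]

# Financial thresholds quoted on the page as (upper bound, rating); a value
# not below the last bound is High.
LOSS_USD_BANDS = [(10_000, "Negligible"), (100_000, "Low"), (500_000, "Moderate")]
SALES_PCT_BANDS = [(1.0, "Negligible"), (5.0, "Low"), (10.0, "Moderate")]

# Assumption: residual likelihood reuses the same four labels; the summary
# names the axis but does not give its scale.
LIKELIHOODS = RATINGS


def band(value, bands):
    """Return the first rating whose upper bound the value stays below."""
    for upper, rating in bands:
        if value < upper:
            return rating
    return "High"


def financial_impact(loss_usd, sales_loss_pct):
    """Rate a scenario on both financial criteria and keep the higher rating.

    Keeping the worse of the two is our assumption; the page lists both
    criteria per rating without saying how to combine them."""
    ratings = [band(loss_usd, LOSS_USD_BANDS), band(sales_loss_pct, SALES_PCT_BANDS)]
    return max(ratings, key=RATINGS.index)


@dataclass(frozen=True)
class Risk:
    name: str
    residual_likelihood: str
    residual_impact: str


def heat_map(risks):
    """Count risks per (likelihood, impact) cell, as the phase E figure does."""
    return Counter((r.residual_likelihood, r.residual_impact) for r in risks)


def key_band(count):
    """Legend band from the figure key for one cell's risk count."""
    if count >= 10:
        return "10+ risks"
    if count >= 5:
        return "5-9 risks"
    if count >= 3:
        return "3-4 risks"
    return "1-2 risks" if count else "none"


def exceeds_appetite(risk, appetite):
    """True when residual likelihood is above what the appetite tolerates for
    that impact rating (appetite = impact rating -> max tolerated likelihood,
    an assumed representation)."""
    tolerated = appetite[risk.residual_impact]
    return LIKELIHOODS.index(risk.residual_likelihood) > LIKELIHOODS.index(tolerated)


def evaluate(risks, appetite):
    """Return the heat map counts and the names of risks outside appetite."""
    grid = heat_map(risks)
    outside = [r.name for r in risks if exceeds_appetite(r, appetite)]
    return grid, outside


def render(grid):
    """Text heat map: rows are residual likelihood (High first), columns impact."""
    lines = ["likelihood \\ impact " + " ".join(f"{i:>11}" for i in RATINGS)]
    for lik in reversed(LIKELIHOODS):
        cells = [f"{key_band(grid[(lik, imp)]):>11}" for imp in RATINGS]
        lines.append(f"{lik:<19} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample portfolio: the threat events come from the page's threat
# profiling examples, the ratings are invented for illustration.
SAMPLE_RISKS = [
    Risk("Phishing leads to payment fraud", "High", financial_impact(250_000, 0.5)),
    Risk("Misconfiguration exposes customer data", "Moderate", "High"),
    Risk("Flooding takes the data centre offline", "Low", "High"),
    Risk("User error delays management reporting", "High", "Negligible"),
    Risk("Resource depletion slows the web service", "Moderate", "Low"),
    Risk("Session hacking enables account takeover", "Moderate", "High"),
]

# Assumed appetite: the maximum tolerated residual likelihood per impact rating.
APPETITE = {"Negligible": "High", "Low": "High", "Moderate": "Moderate", "High": "Low"}

if __name__ == "__main__":
    grid, outside = evaluate(SAMPLE_RISKS, APPETITE)
    print(render(grid))
    print("Outside appetite:", ", ".join(outside))
```

Running the module prints the shaded grid in the figure's legend bands and lists the three sample risks whose residual likelihood exceeds the appetite for their impact rating; those are the ones the Risk Treatment phase would take forward.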


Develop pragmatic risk treatment plans

IRAM2 provides practical guidance for treating identified information risks. Risk practitioners use this phase to explore different approaches to treating information risk (i.e. mitigation, avoidance, transference and acceptance).

Risk Treatment (phase F)

Figure: risk treatment chart showing inherent risk reduced to residual risk by initial mitigation and further mitigation, with avoidance, the risk appetite line and risk accepted marked.

Understand and model threats

IRAM2 provides guidance for performing a pragmatic assessment of the information threat landscape. Risk practitioners use this phase to identify and profile key threats across different groups by determining associated threat events.

Threat Profiling (phase C)

Figure: threat profiling diagram.

Threat groups: 1 Adversarial, 2 Accidental, 3 Environmental. Example threats shown: hacking group, individual hacker, customer, flooding, earthquake, tornado, fire (wild), volcanic eruption, tsunami.

Threat attributes:
• Capability
• Commitment
• Competence
• Culture
• Intent
• Motivation
• Origin
• Privilege
• Severity

Example threat events:
• Session hacking
• Phishing
• User error (accidental)
• Resource depletion
• Misconfiguration
• Flooding


The six IRAM2 phases:
A Scoping
B Business Impact Assessment
C Threat Profiling
D Vulnerability Assessment
E Risk Evaluation
F Risk Treatment


Figure: business impact assessment scale, marking the worst-case impact and the realistic impact.


The Information Risk Assessment Methodology 2 (IRAM2) is a simple, practical yet rigorous business essential that helps ISF Members identify, analyse and treat information risk throughout the organisation.

IRAM2 describes the following:

‒ Risk fundamentals: explains information risk and how it relates to the wider discipline of enterprise risk management.

‒ People and engagement: identifies the people, roles, skills and experience that are vital for effective information risk management and for the application of IRAM2.

‒ IRAM2 Phases: provides an overview of the methodology as well as a comprehensive description of the key steps, inputs and outputs accompanied by guidance for effective deployment.

The report also contains detailed supplementary material and further guidance to assist the information risk practitioner. For example, a common threat list, a threat event catalogue and control library are included.

IRAM2 is supported by a range of deliverables to help Members implement the methodology. These include:

‒ IRAM2 Assistants to help automate steps in the methodology

‒ IRAM2 practitioner guides to support practitioners’ use of the assistants

‒ IRAM2 implementation space on the ISF Member website, ISF Live, which contains a facilitated forum for Members to discuss related issues and solutions, along with additional resources including recorded demonstrations of the assistants.

IRAM2 is aligned with the ISF Standard of Good Practice for Information Security and the Security Healthcheck. It also incorporates research findings from Protecting the Crown Jewels: How to protect mission-critical information assets and Threat Intelligence: React and prepare.

Consultancy services from the ISF provide Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products including IRAM2.

IRAM2 is available free of charge to ISF Members and can be downloaded from www.isflive.org. Non-Members can purchase the report by contacting Steve Durbin at [email protected].

WHERE NEXT?

CONTACT

For further information contact:

Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785
[email protected]

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

©2017 Information Security Forum Limited
REFERENCE: ISF 17 07 02 | CLASSIFICATION: Public, no restrictions