ISO 27005 Risk Assessment

Risk Assessment as per ISO 27005 Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist WWW.SMARTRA.COM SMARTRA.COM is a patent pending product of SISA Information Security Pvt. Ltd.

Uploaded by smart-assessment, posted on 21-Nov-2014


DESCRIPTION

What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.

TRANSCRIPT

Page 1: ISO 27005 Risk Assessment

Risk Assessment as per ISO 27005

Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART-RA.COM

SMART-RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.

Page 2: ISO 27005 Risk Assessment

What is Risk Assessment?

• NIST SP 800-30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.

• OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.

• ISO 27005: Risk Assessment = Identification, Estimation and Evaluation

Page 3: ISO 27005 Risk Assessment

Why Risk Assessment? Regulatory Compliance

(Standard: Risk Assessment Requirement)

PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800-30, OCTAVE, etc.

HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.

ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.

Also: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST, etc.

Page 4: ISO 27005 Risk Assessment

Why Risk Assessment? Business Rationale

(Function: Explanation)

Return on Investment: A structured RA methodology follows a systematic and pre-defined approach, minimizes the scope of human error, and emphasizes process-driven rather than human-driven activities.

Budget Allocation: Assists in controls cost planning and justification.

Controls: Cost and effort optimization by optimizing controls selection and implementation.

Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.

Page 5: ISO 27005 Risk Assessment

What is IS-RA?

Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile: its strengths and weaknesses, its vulnerabilities and exposures.

"IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE IT!"

Page 6: ISO 27005 Risk Assessment

Reality Check

• ISRA: a need more than a want

• Each organization has their own ISRA

• ISRA learning curve

• Cumbersome: 1000 assets, 20 worksheets

• Two months of effort

• Complicated report

Page 7: ISO 27005 Risk Assessment

Exercise

• Threat Scenarios

• Threat Profiles to be filled.

Page 8: ISO 27005 Risk Assessment

Risk Assessment reference points

• OCTAVE

• NIST SP 800‐30

• ISO 27005

• COSO

• Risk IT

• ISO 31000

• AS/NZS 4360

• FRAP

• FTA

• MEHARI

Page 9: ISO 27005 Risk Assessment

ISO 27005 Introduction

• ISO 27005 is an Information Security Risk Management guideline.

• Lays emphasis on the ISMS concept of ISO 27001:2005.

• Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

• Provides a RA guideline and does not recommend any RA methodologies.

• Applicable to organizations of all types.

Page 10: ISO 27005 Risk Assessment

ISO 27005 Workflow

• Advocates an iterative approach to risk assessment

• Aims at balancing time and effort with controls efficiency in mitigating high risks

• Proposes the Plan-Do-Check-Act cycle.

Source: ISO 27005 Standard

Page 11: ISO 27005 Risk Assessment

ISO 27005 Risk Assessment

Information Security Risk Assessment = Risk Analysis + Risk Evaluation

Risk Analysis:

Risk Analysis = Risk Identification + Risk Estimation

1. Risk Identification

Risk characterized in terms of organizational conditions

• Identification of Assets: Assets within the defined scope

• Identification of Threats: Based on incident reviewing, asset owners, asset users, external threats, etc.

Page 12: ISO 27005 Risk Assessment

ISO 27005 Risk Assessment Contd.

• Identification of Existing Controls: Also check if the controls are working correctly.

• Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.

• Identification of Consequences: The impact of loss of CIA of assets.

2. Risk Estimation

– Specifies the measure of risk.

• Qualitative Estimation

• Quantitative Estimation

Risk Evaluation:

• Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.

Page 13: ISO 27005 Risk Assessment

ISO 27005 RA Workflow

Step 1: General Description of ISRA

Step 2: Risk Analysis: Risk Identification

Step 3: Risk Analysis: Risk Estimation

Step 4: Risk Evaluation

Page 14: ISO 27005 Risk Assessment

Step 1 of 4

1. General Description of ISRA

Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.

Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.

Output: Assessed risks prioritized according to Risk Evaluation Criteria.

Page 15: ISO 27005 Risk Assessment

Step 2 of 4

2. Risk Analysis: Risk Identification (Identification of Assets)

Input: Scope and Boundaries; asset owners; asset location; asset function.

Action: Assets are defined.

Output: List of assets; list of associated business processes.

Page 16: ISO 27005 Risk Assessment

Step 2 of 4

2. Risk Analysis: Risk Identification (Identification of Threats)

Input: Threat information from review of incidents, asset owners, asset users, etc.

Action: Threats are defined.

Output: Threats; threat source; threat type.

Page 17: ISO 27005 Risk Assessment

Step 2 of 4

2. Risk Analysis: Risk Identification (Identification of Existing Controls)

Input: Documentation of controls; RTP (risk treatment plan).

Action: Existing and planned controls are defined.

Output: Existing and planned controls; implementation status; usage status.

Page 18: ISO 27005 Risk Assessment

Step 2 of 4

2. Risk Analysis: Risk Identification (Identification of Vulnerabilities)

Input: Identified assets; identified threats; identified existing controls.

Action: Vulnerabilities are identified.

Output: Vulnerabilities related to assets, threats and controls; vulnerabilities not related to any threat.

Page 19: ISO 27005 Risk Assessment

Step 2 of 4

2. Risk Analysis: Risk Identification (Identification of Consequences)

Input: Incident scenarios; assets and business processes; threats and vulnerabilities.

Action: The impact of the loss of CIA is identified.

Output: Incident scenarios with their consequences related to assets and business processes.

Page 20: ISO 27005 Risk Assessment

Step 3 of 4

3. Risk Analysis: Risk Estimation (Risk Estimation Methodologies)

(a) Qualitative Estimation: High, Medium, Low

(b) Quantitative Estimation: $, hours, etc.

Page 21: ISO 27005 Risk Assessment

Step 3 of 4

3. Risk Analysis: Risk Estimation (Assessment of Consequences)

Input: Assets and business processes; threats and vulnerabilities; incident scenarios.

Action: The business impact from information security incidents is assessed.

Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.

Page 22: ISO 27005 Risk Assessment

Step 3 of 4

3. Risk Analysis: Risk Estimation (Level of Risk Estimation)

Input: Incident scenarios with their consequences; their likelihood (quantitative or qualitative).

Action: Level of risk is estimated for all relevant incident scenarios.

Output: List of risks with value levels assigned.

Page 23: ISO 27005 Risk Assessment

Step 4 of 4

4. Risk Evaluation

Input: Risks with value levels assigned and risk evaluation criteria.

Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.

Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
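As an added illustration (not code from the presentation or from SMART-RA), the Step 2 to Step 4 flow above in Python: identified incident scenarios are estimated on an assumed 1-3 qualitative scale (impact x likelihood), compared against an assumed acceptance threshold, and prioritized highest first. The ALE formula used for the quantitative variant and the sample scenarios are assumptions, not content of the slides.

```python
# Added example, not from the presentation: a small model of the ISO 27005
# Step 2-4 flow (identify scenarios -> estimate level of risk -> evaluate and
# prioritize). The 1-3 scale, the acceptance threshold and the sample scenarios
# are constructed for illustration; ALE (SLE x ARO) is one common quantitative
# method, assumed here, not prescribed by the standard.
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}   # assumed qualitative scale

@dataclass(frozen=True)
class IncidentScenario:
    """Output of Risk Identification: asset, threat, vulnerability, controls, consequence."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: tuple   # controls already in place (checked to be working)
    impact: str                # consequence of loss of C/I/A: Low, Medium or High
    likelihood: str            # qualitative likelihood: Low, Medium or High

def qualitative_level(s: IncidentScenario) -> int:
    """Risk Estimation (qualitative): level of risk = impact x likelihood, range 1..9."""
    return SCALE[s.impact] * SCALE[s.likelihood]

def quantitative_level(single_loss_usd: float, annual_rate: float) -> float:
    """Risk Estimation (quantitative): annualized loss expectancy in $ (SLE x ARO)."""
    return single_loss_usd * annual_rate

def evaluate(scenarios, acceptance_threshold: int = 3):
    """Risk Evaluation: compare each level against the acceptance criterion
    (levels above the threshold need treatment) and prioritize, highest first."""
    ranked = sorted(scenarios, key=qualitative_level, reverse=True)
    return [(qualitative_level(s), s.asset, s.threat, qualitative_level(s) > acceptance_threshold)
            for s in ranked]

# Constructed sample scenarios (not real assessment data).
SCENARIOS = [
    IncidentScenario("Customer DB", "SQL injection", "unvalidated input",
                     ("WAF",), "High", "Medium"),
    IncidentScenario("HR laptop", "theft", "no disk encryption",
                     (), "Medium", "Low"),
    IncidentScenario("Payment gateway", "DDoS", "single upstream link",
                     ("rate limiting", "CDN"), "High", "High"),
]

if __name__ == "__main__":
    for level, asset, threat, treat in evaluate(SCENARIOS):
        print(f"{level}  {asset:<16} {threat:<14} treat={treat}")
```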

Page 24: ISO 27005 Risk Assessment

Summary

• Keep it Simple and Systematic

• Comprehensive

• Risk sensitive culture in the organization.

• Drive security from a risk management perspective, rather than only a compliance perspective.

• Help RA to help you…

Page 25: ISO 27005 Risk Assessment

Questions?

Be a Risk Assessment Evangelist!

IS-RA Forum on LinkedIn

SMART-RA Forum on LinkedIn

Dharshan Shanthamurthy, E-mail: [email protected]

Phone: +91-99451 22551