Information security and information risk management. Information Security Risk Management Standards


“Nothing surprises people more than common sense and going according to plan.”

Ralph Emerson, American writer

Once risk treatment decisions have been made, actions to implement those decisions must be identified and planned. Each activity should be clearly defined and broken down into as many activities as necessary to clearly assign responsibilities, assess resource allocation requirements, set milestones and control points, define criteria for achieving goals, and monitor progress.

Management decisions on risk treatment are documented in the form of a “Risk Treatment Plan”. This document is a derivative of the “Register of Information Risks”, which defines for each group of threats and vulnerabilities a list of risk treatment measures that make it possible to reduce the maximum level of risk for a given threat group to the level of residual risk acceptable to the organization. The risk treatment plan also determines the implementation timeline, allocated resources and responsible executors.

The planning process should include identifying key owners of assets and business processes, consulting with them on the allocation of time, financial and other resources to implement the risk treatment plan, and obtaining approval of the appropriate level of management for the use of resources.

___________________________________

The development and implementation of a risk treatment plan includes the following measures:

  • determining the sequence of measures to implement the decisions taken on risk treatment;
  • detailing and prioritizing risk treatment activities;
  • distribution of responsibility between performers;
  • allocation of necessary resources;
  • defining milestones and control points;
  • defining criteria for achieving goals;
  • progress monitoring.

______________________________________

The implementation of risk treatment measures must be properly prioritized. The time at which each action can be taken depends on its absolute priority relative to other actions, the availability of resources (including financial and human resources), and the activities that must be completed before the process can be started. The risk treatment plan must be coordinated with other business plans. Any dependencies between these plans must be identified.

Risk treatment measures can be prioritized as follows:

1. All countermeasures are divided into groups according to the level of risk they are intended to reduce. The highest priority is given to countermeasures that reduce the greatest risks.

2. In each group, first place is given to those measures that are faster and easier to implement and that give the fastest effect.

3. The priority of countermeasures that provide the greatest return on investment (ROI) is increased.

4. Primary countermeasures, on which the success of other countermeasures depends, are given higher priority.

5. All other considerations that may affect the implementation of countermeasures are taken into account, including relationships with other plans, availability of certain resources, political, economic and other considerations.

The output of this process is a prioritized list of risk treatment measures, on the basis of which more detailed planning, allocation of resources and implementation of risk management decisions are carried out.
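The prioritization steps above can be made deterministic. The following Python is an added example, not code from the article: steps 1 to 3 become a sort key (highest risk level first, then least effort, then highest ROI), step 4 is honoured by letting a prerequisite inherit the highest risk level of anything that depends on it and by never scheduling a measure before its prerequisites, and step 5 (political, resource and other considerations) is left to the planner. Every countermeasure name, effort figure and ROI value below is constructed sample data.

```python
# Added example: countermeasure prioritization as a dependency-aware ordering.
# Not part of the original article; all names and figures are constructed.
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    risk_level: int         # level of the risk this measure reduces (higher = larger risk), step 1
    effort_days: int        # implementation effort; lower = faster and easier, step 2
    roi: float              # estimated return on investment, step 3
    depends_on: tuple = ()  # names of measures that must be in place first, step 4


def effective_levels(measures):
    """Step 4: a primary measure inherits the highest risk level of anything that
    (transitively) depends on it, so a prerequisite is never scheduled late."""
    level = {m.name: m.risk_level for m in measures}
    changed = True
    while changed:                      # propagate until no level rises any more
        changed = False
        for m in measures:
            for dep in m.depends_on:
                if level[m.name] > level[dep]:
                    level[dep] = level[m.name]
                    changed = True
    return level


def prioritize(measures):
    """Return countermeasure names in implementation order: highest effective risk
    level first, then least effort, then highest ROI, never placing a measure
    before the measures it depends on. Raises ValueError on unknown or circular
    dependencies."""
    by_name = {m.name: m for m in measures}
    for m in measures:
        for dep in m.depends_on:
            if dep not in by_name:
                raise ValueError(f"{m.name} depends on unknown measure {dep}")
    level = effective_levels(measures)

    def key(name):
        m = by_name[name]
        return (-level[name], m.effort_days, -m.roi, name)   # steps 1, 2, 3

    # Kahn's algorithm driven by a priority heap: among the measures whose
    # prerequisites are already scheduled, always take the one with the best key.
    indegree = {m.name: len(m.depends_on) for m in measures}
    dependents = {m.name: [] for m in measures}
    for m in measures:
        for dep in m.depends_on:
            dependents[dep].append(m.name)
    ready = [(key(n), n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for nxt in dependents[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, (key(nxt), nxt))
    if len(order) != len(measures):
        raise ValueError("circular dependency among countermeasures")
    return order


# Constructed sample input for a risk treatment plan (not real data).
SAMPLE_MEASURES = (
    Countermeasure("patch_vpn", risk_level=5, effort_days=2, roi=3.0),
    Countermeasure("mfa_rollout", risk_level=5, effort_days=10, roi=4.0,
                   depends_on=("identity_inventory",)),
    Countermeasure("identity_inventory", risk_level=2, effort_days=5, roi=1.0),
    Countermeasure("log_centralisation", risk_level=3, effort_days=8, roi=2.0),
    Countermeasure("siem_rules", risk_level=4, effort_days=4, roi=2.5,
                   depends_on=("log_centralisation",)),
    Countermeasure("awareness_training", risk_level=3, effort_days=3, roi=1.5),
)


def example_order():
    return prioritize(SAMPLE_MEASURES)


if __name__ == "__main__":
    for position, name in enumerate(example_order(), start=1):
        print(position, name)
```

Note how the low-risk `identity_inventory` is scheduled second: on its own it reduces only a level-2 risk, but the level-5 `mfa_rollout` depends on it, so step 4 lifts it ahead of every level-4 and level-3 measure.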

Coordination of all steps to implement the risk treatment plan (including acquisition, implementation and testing of security mechanisms, concluding insurance and outsourcing agreements, etc.) is carried out by the information security manager or a risk manager, who must verify that the activities are carried out in accordance with the plan, with appropriate quality and within the allocated financial, time and human resources. When countermeasures are introduced into an information system, testing must be carried out to confirm the reliability and performance of the implemented security mechanisms and to measure the effectiveness of their operation.


In January 2018, the Global Risks Report 2018 was presented at the World Economic Forum in Davos. It follows from the report that the significance of information security risks is increasing because of the growing number of attacks being carried out and because of their destructive potential.

Some of the most common information security risk management techniques in the world are CRAMM, COBIT for Risk, FRAP, Octave and Microsoft. Along with certain advantages, they also have their limitations. In particular, the listed foreign methods can be effectively used by commercial companies, while government organizations, when assessing and managing information security risks, must be guided by the provisions of the regulations of the FSTEC of Russia. For example, for automated production control systems and technological processes at critical facilities, one should be guided by the order of the FSTEC of Russia dated March 14, 2014 No. 31. At the same time, this document could also be used by federal executive authorities as additional material.

Information security risks in modern society

Recently, the number of attacks on organizations has doubled. Attacks that cause extraordinary damage are becoming commonplace. Financial losses from attacks are increasing, and some of the largest losses are associated with ransomware attacks. A striking example is the WannaCry and NotPetya ransomware attacks, which affected more than 300 thousand computers in 150 countries and led to financial losses of more than $300 million.

Another trend is the growing number of attacks on critical infrastructure and strategic industrial facilities, which attackers can use to disable systems that sustain human life and to cause global man-made disasters.

Thus, information security risks are among the three most likely risks (together with the risks of natural disasters and extreme weather conditions) and among the six most critical risks in terms of possible damage (together with the risks of the use of weapons of mass destruction, natural disasters, weather anomalies and lack of drinking water). Therefore, information security risk management is one of the priority areas for the development of organizations around the world and is absolutely necessary for their continued functioning.

Goals and approaches to information security risk management

The goal of any organization is to achieve certain indicators that characterize the results of its activities. For example, for commercial companies this is making a profit, increasing capitalization, market share or turnover, and for government organizations it is providing public services to the population and solving management problems. In any case, regardless of the purpose of the organization's activities, the implementation of information security risks may prevent the achievement of this goal. At the same time, each organization assesses risks and the possibility of investing in their reduction in its own way.

Thus, the goal of information security risk management is to maintain them at a level acceptable to the organization. To solve this problem, organizations create comprehensive information security systems (ISS).

When creating such systems, the question arises of choosing security tools that ensure the reduction of information security risks identified during the analysis without excessive costs for the implementation and support of these tools. Analysis of information security risks allows us to determine the necessary and sufficient set of information security means, as well as organizational measures aimed at reducing information security risks, and to develop an organization’s ISS architecture that is most effective for its specific activities and aimed at reducing precisely its information security risks.

All risks, including information security risks, are characterized by two parameters: potential damage to the organization and the likelihood of implementation. Using a combination of these two characteristics for risk analysis allows you to compare risks with different levels of damage and probability, bringing them to a common expression that is understandable for decision-makers regarding risk minimization in the organization. At the same time, the risk management process consists of the following logical stages, the composition and content of which depends on the methodology used for risk assessment and management:

  1. Determining the level of risk acceptable to the organization (risk appetite) - a criterion used when deciding whether to accept or treat a risk. Based on this criterion, it is determined which risks identified in the future will be unconditionally accepted and excluded from further consideration, and which will be subjected to further analysis and included in the risk response plan.
  2. Identification, analysis and assessment of risks. To make a decision regarding risks, they must be clearly identified and assessed in terms of the damage from the risk and the likelihood of its realization. Damage assessment determines the degree of impact of the risk on the organization's IT assets and the business processes they support. Probability assessment analyzes the likelihood of the risk occurring. The assessment of these parameters can be based on the identification and analysis of vulnerabilities inherent in the IT assets that may be affected by the risk, and of threats that can be realized through the exploitation of these vulnerabilities. Depending on the risk assessment methodology used, the attacker model, information about the organization's business processes and other factors associated with the realization of the risk, such as the political, economic, market or social situation in the organization's operating environment, can also be used as input data. When assessing risks, a qualitative, quantitative or mixed approach can be used. The advantage of the qualitative approach is its simplicity and the low time and labor cost of conducting the assessment; its limitations are insufficient visibility and the difficulty of using its results to justify economically and assess the feasibility of investments in risk response measures. The advantage of the quantitative approach is the accuracy of the assessment, the clarity of its results and the ability to compare the value of the risk, expressed in money, with the investment required to respond to it; its disadvantages are complexity, high labor intensity and long duration.
  3. Risk ranking. To determine priority in responding to risks and subsequently develop a response plan, all risks must be ranked. When ranking risks, depending on the methodology used, criteria for determining criticality may be applied, such as damage from risk implementation, probability of implementation, IT assets and business processes affected by the risk, public response and reputational damage from the realization of risk, etc.
  4. Making decisions on risks and developing a risk response plan. To determine the set of risk response measures, it is necessary to analyze the identified and assessed risks in order to make one of the following decisions regarding each of them:
    • Risk avoidance;
    • Taking risks;
    • Transfer of risk;
    • Risk reduction.
    The decision made for each risk should be recorded in the risk response plan. Depending on the methodology used, the plan may also contain the following information needed to respond to risks:
    • Responsible for response;
    • Description of response measures;
    • Assessing the required investment in response measures;
    • Timing for implementation of these measures.
  5. Implementation of measures to respond to risks. To implement risk response measures, responsible persons organize the implementation of the actions described in the risk response plan within the required time frame.
  6. Evaluating the effectiveness of implemented measures. To achieve confidence that the measures applied in accordance with the response plan are effective and the level of risks is acceptable to the organization, the effectiveness of each implemented risk response measure is assessed, as well as the organization's risks are regularly identified, analyzed and assessed.
Let's consider the most well-known information security risk management methods: CRAMM, COBIT for Risk, FRAP, Octave, Microsoft.

Overview of the CRAMM technique

CRAMM (CCTA Risk Analysis and Management Method), developed by the UK Security Service in 1985, is based on the BS7799 series of information security management standards (now revised as ISO 27000) and describes an approach to qualitative risk assessment. The transition to a scale of qualitative values is made with the help of special tables that define the correspondence between qualitative and quantitative indicators. Risk assessment is based on an analysis of the value of an IT asset to the business, its vulnerabilities, the threats to it and the likelihood of their realization.

The risk management process using the CRAMM method consists of the following stages:

  1. Initiation. At this stage, a series of interviews is conducted with persons interested in the information security risk analysis process, including those responsible for the operation, administration, security and use of IT assets for which the risk analysis is performed. As a result, a formalized description of the area for further research, its boundaries is given, and the composition of the persons involved in the risk analysis is determined.
  2. Identification and Valuation of Assets. A list of IT assets used by the organization in the previously defined area of study is determined. According to the CRAMM methodology, IT assets can be one of the following types:
    • Data;
    • Software;
    • Physical assets.
    For each asset, its criticality for the organization’s activities will be determined and, together with representatives of departments that use the IT asset to solve applied problems, the consequences for the organization’s activities from a violation of its confidentiality, integrity and availability will be assessed.
  3. Threat and Vulnerability Assessment. In addition to assessing the criticality of IT assets, an important part of the CRAMM methodology is assessing the likelihood of threats and vulnerabilities of IT assets. The CRAMM methodology contains tables describing the correspondence between IT asset vulnerabilities and the threats that can affect IT assets through these vulnerabilities. There are also tables describing the damage to IT assets if these threats materialize. This stage is performed only for the most critical IT assets, for which implementing the basic set of information security measures is not enough. Current vulnerabilities and threats are identified by interviewing the persons responsible for the administration and operation of the IT assets. For the other IT assets, the CRAMM methodology contains a set of required basic information security measures.
  4. Risk Calculation. Risk is calculated using the formula Risk = P(realization) × Damage, where the probability of realization is itself calculated as P(realization) = P(threat) × P(vulnerability). At the risk calculation stage, for each IT asset the requirements for its set of information security measures are determined on a scale from “1” to “7”, where “1” corresponds to the minimum required set of information security measures and “7” to the maximum.
  5. Risk Management. Based on the results of the risk calculation, the CRAMM methodology determines the required set of information security measures. For this purpose a special catalog of about 4 thousand measures is used. The set of measures recommended by the CRAMM methodology is compared with the measures the organization has already taken. As a result, areas requiring additional protective measures and areas with excessive protective measures are identified. This information is used to formulate an action plan for changing the composition of the protection measures used in the organization, so as to bring the level of risk to the required level.
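
The CRAMM risk calculation above, together with the risk appetite decision from the general process (accept a risk at or below the acceptable level, otherwise treat it) and the residual-risk check that a risk treatment plan has to make, can be shown as a small risk register. The following Python is an added example, not CRAMM's tooling or code from the article. CRAMM maps risk onto its 1–7 scale with its own tables, which the article does not reproduce; the example assumes a linear bucketing relative to the largest risk in the register instead, and all asset names, probabilities, damage figures and controls are constructed sample data.

```python
# Added example: CRAMM-style risk register with risk appetite and residual-risk check.
# Not from the original article; the 1..7 mapping is an assumption and all data is constructed.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    p_threat: float   # probability that the threat occurs (0..1)
    p_vuln: float     # probability the vulnerability is exploited given the threat (0..1)
    damage: float     # damage if the risk is realized, in money units


def realization_probability(p_threat: float, p_vuln: float) -> float:
    """P(realization) = P(threat) * P(vulnerability), with range checks on the inputs."""
    for p in (p_threat, p_vuln):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return p_threat * p_vuln


def risk_value(entry: RiskEntry) -> float:
    """Risk = P(realization) * Damage."""
    return realization_probability(entry.p_threat, entry.p_vuln) * entry.damage


def requirement_level(risk: float, max_risk: float) -> int:
    """Map a risk onto the 1..7 scale of required security measures.
    Assumption: linear buckets relative to the largest risk (CRAMM uses tables)."""
    if max_risk <= 0 or risk <= 0:
        return 1
    level = 1 + math.ceil(6 * risk / max_risk)
    return max(1, min(7, level))


def assess(register, risk_appetite):
    """Compute risk, requirement level and the accept/treat decision for each entry."""
    values = {(e.asset, e.threat): risk_value(e) for e in register}
    max_risk = max(values.values(), default=0.0)
    assessment = {}
    for key, r in values.items():
        assessment[key] = {
            "risk": r,
            "level": requirement_level(r, max_risk),
            # risk appetite: risks at or below it are accepted and excluded from treatment
            "decision": "accept" if r <= risk_appetite else "treat",
        }
    return assessment


def residual_risk(entry: RiskEntry, p_vuln_after: float) -> float:
    """Risk remaining once a control has lowered the vulnerability probability."""
    if not 0.0 <= p_vuln_after <= entry.p_vuln:
        raise ValueError("a control must not raise the vulnerability probability")
    return realization_probability(entry.p_threat, p_vuln_after) * entry.damage


def treatment_plan(register, risk_appetite, controls):
    """Build risk treatment plan rows. `controls` maps (asset, threat) to
    (control name, P(vulnerability) once the control is in place)."""
    assessment = assess(register, risk_appetite)
    plan = []
    for e in register:
        key = (e.asset, e.threat)
        row = {"asset": e.asset, "threat": e.threat, **assessment[key]}
        if row["decision"] == "accept":
            row["status"] = "accepted"
        elif key not in controls:
            row["status"] = "treat: no control planned"   # gap the plan must close
        else:
            name, p_after = controls[key]
            row["control"] = name
            row["residual"] = residual_risk(e, p_after)
            # the control only does its job if residual risk is within appetite
            row["status"] = ("acceptable" if row["residual"] <= risk_appetite
                             else "residual above appetite")
        plan.append(row)
    return plan


# Constructed sample register, appetite and planned controls (not real figures).
SAMPLE_REGISTER = (
    RiskEntry("customer_db", "ransomware", 0.6, 0.5, 400_000),
    RiskEntry("hr_portal", "credential_stuffing", 0.8, 0.25, 50_000),
    RiskEntry("marketing_site", "defacement", 0.5, 0.4, 5_000),
    RiskEntry("backup_server", "insider_deletion", 0.1, 0.2, 300_000),
)
RISK_APPETITE = 8_000.0
PLANNED_CONTROLS = {
    ("customer_db", "ransomware"): ("offline backups + EDR", 0.1),
    ("hr_portal", "credential_stuffing"): ("MFA on the portal", 0.05),
}


def example_plan():
    return treatment_plan(SAMPLE_REGISTER, RISK_APPETITE, PLANNED_CONTROLS)


if __name__ == "__main__":
    for row in example_plan():
        print(row)
```

In the sample data the ransomware control cuts the customer database risk from 120 000 to 24 000, which is still above the 8 000 appetite, so the plan flags it rather than closing it: the residual level, not the existence of a control, is what decides whether treatment is complete.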
From the point of view of practical application, the following advantages of the CRAMM technique can be highlighted:
  • A method that has been tested many times and has accumulated significant experience and professional competencies; the results of using CRAMM are recognized by international institutions;
  • The presence of a clear, formalized description of the methodology minimizes the possibility of errors occurring when implementing risk analysis and management processes;
  • The presence of automation tools for risk analysis allows you to minimize labor costs and the time required to carry out risk analysis and management activities;
  • Catalogs of threats, vulnerabilities, consequences, and information security measures simplify the requirements for the special knowledge and competence of those directly involved in risk analysis and management activities.
However, the CRAMM technique has the following disadvantages:
  • High complexity and labor intensity of collecting initial data, requiring significant resources from within the organization or from outside;
  • Large expenditures of resources and time to implement processes for analyzing and managing information security risks;
  • The involvement of a large number of stakeholders requires significant costs for organizing collaboration, communications within the project team and coordination of results;
  • The inability to evaluate risks in monetary terms makes it difficult to use the results of information security risk assessments in the feasibility study of investments necessary for the implementation of information security tools and methods.
CRAMM is widely used in both government and commercial organizations around the world, being the de facto standard for information security risk management in the UK. The methodology can be successfully applied in large organizations focused on international interaction and compliance with international management standards, carrying out the initial implementation of information security risk management processes to cover the entire organization at once. However, organizations must be able to devote significant resources and time to applying CRAMM.

Overview of the COBIT for Risk methodology

The COBIT for Risk methodology was developed by ISACA (Information Systems Audit and Control Association) in 2013 and is based on best risk management practices (COSO ERM, ISO 31000, ISO/IEC 27xxx, etc.). The methodology examines information security risks in relation to the risks of the organization's core activities, and describes approaches to the implementation of the information security risk management function in the organization and to the processes of qualitative analysis of information security risks and their management.

When implementing the risk management function and process in an organization, the methodology identifies the following components that affect both information security risks and the process of managing them:

  • Principles, policies and procedures of the organization;
  • Processes;
  • Organizational structure;
  • Corporate culture, ethics and rules of conduct;
  • Information;
  • IT services, IT infrastructure and applications;
  • People, their experience and competencies.

In terms of organizing the information security risk management function, the methodology defines and describes the requirements for the following components:

  • The necessary process;
  • Information flows;
  • Organizational structure;
  • People and competencies.

The main element of analysis and management of information security risks in accordance with the methodology is the risk scenario. Each scenario is “a description of an event that, if it occurs, could result in an uncertain (positive or negative) impact on the achievement of the organization's objectives.” The methodology contains more than 100 risk scenarios covering the following impact categories:

  • Creation and maintenance of IT project portfolios;
  • Program/project life cycle management;
  • Investments in IT;
  • IT staff expertise and skills;
  • Personnel operations;
  • Information;
  • Architecture;
  • IT infrastructure;
  • Software;
  • Ineffective use of IT;
  • Selection and management of IT suppliers;
  • Regulatory compliance;
  • Geopolitics;
  • Theft of infrastructure elements;
  • Malicious software;
  • Logical attacks;
  • Man-made (technogenic) impacts;
  • Environment;
  • Natural phenomena;
  • Innovation.

For each risk scenario, the methodology determines the degree to which it belongs to each type of risk:

  • Strategic risks – risks associated with missed opportunities to use IT to develop and improve the efficiency of the organization's core activities;
  • Project risks – risks associated with the influence of IT on the creation of new processes or the development of existing processes of the organization;
  • Risks of IT management and IT service delivery – risks associated with ensuring the availability, stability and delivery of IT services to users at the required level of quality, problems with which can damage the core activities of the organization.

Each risk scenario contains the following information:

  • Threat source type – internal/external;
  • Type of threat – malicious action, natural phenomenon, error, etc.;
  • Description of the event – access to information, destruction, modification, disclosure of information, theft, etc.;
  • Types of assets (components) of the organization affected by the event – people, processes, IT infrastructure, etc.;
  • Event time.

If a risk scenario occurs, the organization suffers damage. Thus, when analyzing information security risks in accordance with the COBIT for Risk methodology, the risk scenarios relevant to the organization are identified, and risk mitigation measures are aimed at reducing the likelihood of these scenarios occurring. For each identified risk, its compliance with the organization's risk appetite is analyzed, followed by one of the following decisions:

  • Risk avoidance;
  • Taking the risk;
  • Transfer of the risk;
  • Risk reduction.

Further risk management is carried out by analyzing the residual level of risk and deciding whether additional risk reduction measures are needed. The methodology contains recommendations for implementing risk mitigation measures for each type of organizational component.

From the point of view of practical application, the following advantages of the COBIT for Risk methodology can be highlighted:

  • Connection to the common COBIT library and the ability to use approaches and “IT controls” (risk mitigations) from related areas, so that information security risks and mitigations are considered in relation to the impact of risks on the organization's business processes;
  • A repeatedly tested method in which significant experience and professional competencies have been accumulated, and whose results are recognized by international institutions;
  • The presence of a clear, formalized description of the methodology minimizes errors in the implementation of risk analysis and management processes;
  • Catalogs of risk scenarios and “IT controls” simplify the requirements for the special knowledge and competence of those directly involved in risk analysis and management activities;
  • The ability to use the methodology when conducting audits reduces the labor cost and time required to interpret the results of external and internal audits.

At the same time, the COBIT for Risk methodology has the following disadvantages and limitations:

  • The high complexity and labor intensity of collecting initial data requires significant resources, either from within the organization or from outside;
  • The involvement of a large number of stakeholders requires significant costs for organizing collaboration, allocating the time of the persons involved for communication within the project team, and agreeing the results with all stakeholders;
  • The inability to assess risks in monetary terms makes it difficult to use the results of an information security risk assessment when justifying the investments required to implement information security tools and methods.

This method is used in both government and commercial organizations around the world. It is most suitable for large technology organizations, or organizations whose core activities depend heavily on information technology, that already use (or plan to use) COBIT standards and methodologies for managing information technology and have the necessary resources and competencies. In that case, information security risk management processes can be effectively integrated with general IT management, achieving a synergistic effect that optimizes the cost of implementing the processes for analyzing and managing information security risks.

One of the most important tasks of managing an organization's information security and its ISS is risk management: coordinated activities to manage the organization's risk. In the context of information security risks, only negative consequences (losses) are considered.

In terms of achieving the organization's business goals, risk management is the process of creating and dynamically developing an economically feasible information security system and an effective information security management system. Therefore, risk management is one of the main tasks and responsibilities of the organization’s management.

Risk management uses its own conceptual framework, which is now standardized and set out in GOST R ISO/IEC 13335-1-2006 and GOST R ISO/IEC 27001-2006. The standard ISO/IEC 27005:2008 “Information technology. Methods and means of ensuring security. Information security risk management” provides conceptual guidance on information security risk management and supports the general concepts and the ISMS model defined in GOST R ISO/IEC 27001-2006. It is based on the British standard BS 7799-3:2006 and overlaps in part with the American standard NIST SP 800-30:2002, which also provides risk management guidance for information technology systems; it is intended to help ensure adequate information security for an organization and its ISS on the basis of a risk management approach. A draft of the Russian national standard GOST R ISO/IEC 27005-2008, harmonized with ISO/IEC 27005:2008, has been prepared.

These standards define risk as the potential for harm to an organization as a result of some threat exploiting the vulnerabilities of an asset or group of assets. Information security risk - the possibility that this threat will exploit the vulnerabilities of an information asset (group of assets) and thereby harm the organization. It is measured by a combination of the probability of an undesirable event and its consequences (possible damage).

Information security risk management covers several processes, the most important of which are risk assessment, which comprises risk analysis and risk evaluation, and risk treatment, the selection and implementation of measures to modify the risk on the basis of the assessment results. Information security risk management is an iterative process that requires monitoring and periodic review.

Depending on the scope, object and goals of risk management, various approaches to managing and assessing information security risk can be used - high-level and detailed risk assessment. The approach may also be different for each iteration.

Risk analysis (identification and measurement) can be carried out at varying levels of detail depending on the criticality of the assets, the prevalence of known vulnerabilities and previous incidents affecting the organization. The form of analysis must be consistent with the selected risk assessment criteria. The measurement methodology may be qualitative or quantitative, or a combination of both, depending on the circumstances. In practice, qualitative assessment is often used first to obtain an overview of the level of risk and to identify key risk values. Later, it may be necessary to carry out a more specific or quantitative analysis of the underlying risk values, since qualitative analysis is usually less complex and less expensive to perform than quantitative analysis.

When choosing an approach to risk management and assessment, three groups of main criteria are taken into account: risk assessment criteria, impact criteria and risk acceptance criteria. These must be developed and defined.

Criteria for assessing an organization's information security risks should be developed taking into account the following:

  • strategic value of processing business information;
  • the criticality of the affected information assets;
  • legal and regulatory requirements and contractual obligations;
  • operational and business importance of information availability, confidentiality and integrity;
  • the expectations and perceptions of the parties involved, as well as negative consequences for “intangible capital” and reputation.

In addition, risk assessment criteria can be used to determine priorities for risk treatment.

Impact criteria are identified with criteria for possible loss of confidentiality, integrity and availability of assets and reflect an adverse change in the level of business goals achieved.

Impact criteria should be developed and determined based on the extent of harm or cost to the organization caused by an information security event, taking into account the following:

  • the classification level of the affected information asset;
  • information security violations (for example, loss of confidentiality, integrity and availability);
  • degraded operations (internal or of third parties);
  • loss of business value and financial value;
  • violation of plans and deadlines;
  • damage to reputation;
  • violation of legal, regulatory or contractual requirements.

The risk acceptance criteria correspond to the “criteria for risk acceptance and identification of an acceptable level of risk” defined in GOST R ISO/IEC 27001-2006. They must be developed and defined. Risk acceptance criteria often depend on the policies, intentions, goals of the organization and the interests of the parties involved.

The organization must define its own scales for risk acceptance levels. The following should be considered during design:

  • risk acceptance criteria may include several thresholds, with a desired target level of risk, on condition that, in certain circumstances, senior management will accept risks above the specified level;
  • risk acceptance criteria can be expressed as the ratio of the quantified benefit (or other business benefit) to the quantified risk;
  • different risk acceptance criteria may apply to different risk classes; for example, risks of non-compliance with directives and laws cannot be accepted, while acceptance of a high level of risk may be permitted if it is specified in a contractual requirement;
  • risk acceptance criteria may include requirements for future additional processing; for example, a risk may be accepted if there is approval of and commitment to action that will reduce it to an acceptable level within a certain period of time.

Risk acceptance criteria may vary depending on how long the risk is expected to exist, for example the risk may be associated with a temporary or short-term activity. Risk acceptance criteria should be set taking into account business criteria; legal and regulatory aspects; operations; technology; finance; social and humanitarian factors.

According to ISO/IEC 27005:2008, information security risk management covers the following processes: context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review.

As can be seen from Fig. 3.5, the information security risk management process can be iterative for activities such as risk assessment and/or risk treatment. An iterative approach to conducting a risk assessment can increase the depth and detail of the assessment with each iteration. An iterative approach provides a good balance between the time and effort spent identifying controls while still providing confidence that high-level risks are being addressed appropriately.

Fig. 3.5.

In the ISMS and its four-phase PDCA model, establishing the context, assessing the risk, developing a risk treatment plan and accepting the risk are all part of the "plan" phase. In the "do" phase, the actions and the controls required to reduce the risk to an acceptable level are implemented in accordance with the risk treatment plan. In the "check" phase, managers identify the need to review risk treatment in the light of incidents and changes in circumstances. The "act" phase is where any necessary work is carried out, including re-initiating the information security risk management process.

Table 3.3 shows the types of activities (processes) related to risk management that are significant for the four phases of the ISMS process based on the PDCA model.

Table 3.3

Relationship between the phases of the ISMS process and the processes and subprocesses of information security risk management

Establishing the context for information security risk management involves establishing the basic criteria (risk assessment, impact or risk acceptance), defining the scope and boundaries, and establishing an appropriate organizational structure for the implementation of risk management.

Context is first established when a high-level risk assessment is carried out. High-level assessment allows for prioritization and chronology of actions. If it provides sufficient information to effectively determine the actions required to reduce the risk to an acceptable level, then the task is completed and risk treatment follows. If the information is insufficient, another iteration of the risk assessment is carried out using a revised context (e.g. risk assessment, risk acceptance or impact criteria), possibly on limited parts of the full scope (see Figure 3.5, risk decision point No. 1).

One of the most important aspects of the implementation of information security policy is the analysis of threats, assessment of their reliability and the severity of the likely consequences. In reality, risk appears where there is a probability of a threat occurring, and the magnitude of the risk is directly proportional to the magnitude of this probability (Fig. 4.11).

The essence of risk management is to assess the size of risks, develop mitigation measures and create a mechanism to ensure that residual risks do not exceed acceptable limits. Thus, risk management involves two activities: risk assessment and the selection of effective and cost-effective protective and regulatory mechanisms. The risk management process can be divided into the following stages [Galatenko V. A., 2006]:

  • identification of the assets and resource values in need of protection;
  • selection of analyzed objects and the degree of detail of their consideration;
  • analysis of threats and their consequences, identification of weaknesses in protection;
  • classification of risks, selection of risk assessment methodology and assessment;
  • selection, implementation and testing of protective measures;
  • residual risk assessment.

Fig. 4.11. Uncertainty as the basis for risk formation

The information security policy includes the development of a strategy for managing risks of different classes.

A short list of the most common threats was given above (see clause 17.2). It is advisable to identify not only the threats themselves, but also the sources of their occurrence; this helps to assess the risk correctly and to select appropriate neutralization measures. For example, an illegal login to a system may result from password guessing or from an unauthorized user or piece of equipment connecting to the network.

It is obvious that to counter each method of illegal entry, its own security mechanisms are needed. After identifying a threat, it is necessary to assess the likelihood of its implementation and the extent of potential damage.

When assessing the severity of the damage, it is necessary to keep in mind not only the immediate costs of replacing equipment or restoring information, but also more distant ones, in particular, undermining the company’s reputation, weakening its position in the market, etc.

After identifying and analyzing threats and their possible consequences, there are several approaches to management: risk assessment, risk reduction, risk avoidance, changing the nature of risk, risk acceptance, development of corrective measures (Fig. 4.12).

Fig. 4.12. Risk Management Framework

When identifying assets and information resources (the values that need to be protected), it is necessary to consider not only the components of the information system, but also the supporting infrastructure, personnel and intangible assets, including the company's current rating and reputation. At the same time, one of the main results of the asset identification process is a detailed picture of the organization's information structure and of how it can be used.


The selection of the objects to be analyzed and the degree of detail of their consideration is the next step in risk assessment. For a small organization, it is acceptable to consider the entire information infrastructure; a large organization should focus on the most important (critical) services. If there are many important services, those whose risks are obviously high or unknown are selected. If the organization's information infrastructure is based on a local network, then the hardware objects should include computers, peripheral devices, external interfaces, cabling and active network equipment.

Software objects should include operating systems (network, server and client), application software, tools, network management programs and individual subsystems. It is important to record in which network nodes the software is stored, where and how it is used. The third type of information objects is data that is stored, processed and transmitted over the network. Data should be classified by type and degree of confidentiality, where it is stored and processed, and how to access it should be identified. All this is important for assessing the risks and consequences of information security breaches.

Risk assessment is carried out on the basis of accumulated initial data and an assessment of the degree of certainty of threats. It is quite acceptable to use such a simple method as multiplying the probability of a threat occurring by the amount of expected damage. If we use a three-point scale for probability and damage, then there will be six possible products: 1, 2, 3, 4, 6 and 9. The first two results can be classified as low risk, the third and fourth - as medium, and the last two - as high. This scale can be used to assess the acceptability of risks.

If any risks are found to be unacceptably high, additional protective measures must be implemented. Several security mechanisms that are effective and inexpensive can be used to eliminate or reduce the weakness that makes a dangerous threat real. For example, if there is a high probability of illegal login, you can introduce long passwords, use a password generation program, or purchase an integrated smart card-based authentication system. If there is a possibility of intentional damage to servers, which can have serious consequences, you can limit the physical access of personnel to server rooms and strengthen their security.

Risk assessment technology must combine formal metrics with the formation of real quantitative indicators for the assessment. With their help, two questions must be answered: are the existing risks acceptable, and if not, which protective measures are cost-effective to use.

Fig. 4.13. Risk Assessment and Mitigation Framework

Risk reduction methodology. Many risks can be significantly reduced by using simple and inexpensive countermeasures. For example, competent (regulated) access control reduces the risk of unauthorized intrusion. Some classes of risks can be avoided: moving the organization's Web server outside the local network avoids the risk of unauthorized access to the local network from Web clients. Some risks cannot be reduced to a small value, but after implementing a standard set of countermeasures they can be accepted, with constant monitoring of the residual risk (Figure 4.13).

The assessment of the cost of protective measures should take into account not only the direct costs of purchasing equipment and/or software, but also the costs of introducing new products, training and retraining of personnel. This cost can be expressed on some scale and then compared with the difference between the calculated risk and the acceptable risk. If, according to this indicator, the remedy turns out to be economically profitable, it can be accepted for further consideration.

Fig. 4.14. Iterative risk management process

Control of residual risks is necessarily included in the current control of the information security system. When the planned measures have been taken, it is necessary to check their effectiveness - to ensure that the residual risks have become acceptable. In the event of a systematic increase in residual risks, it is necessary to analyze the mistakes made and immediately take corrective measures.
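An added example (not from the textbook) that implements the scoring scheme above in Python: risk is probability times damage on a three-point scale, the six possible products are classed as low, medium or high, and a greedy treatment step applies the countermeasure whose risk reduction best exceeds its cost (cost expressed on the same scale, as the text suggests) until the residual risk is within the acceptable level or nothing left is worth its cost. The asset, threat and countermeasure names and all numeric values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Products of two 1..3 scores and the qualitative class the text assigns them:
# 1, 2 -> low; 3, 4 -> medium; 6, 9 -> high.
LEVELS = {1: "low", 2: "low", 3: "medium", 4: "medium", 6: "high", 9: "high"}
# Highest product that still lies inside each acceptable level.
LEVEL_CEILING = {"low": 2, "medium": 4, "high": 9}


def risk_score(probability: int, damage: int) -> int:
    """Risk = probability x damage, both on a three-point scale (1..3)."""
    if not (1 <= probability <= 3 and 1 <= damage <= 3):
        raise ValueError("probability and damage must be in 1..3")
    return probability * damage


def risk_level(score: int) -> str:
    """Map a product of two three-point scores to low / medium / high."""
    return LEVELS[score]


@dataclass
class Countermeasure:
    name: str
    cost: int                       # cost on the same 1..9 scale as the risk (assumption)
    probability_reduction: int = 0  # points by which it lowers the threat probability
    damage_reduction: int = 0       # points by which it lowers the expected damage


@dataclass
class Risk:
    asset: str
    threat: str
    probability: int
    damage: int
    applied: List[Countermeasure] = field(default_factory=list)

    def residual(self, extra: Tuple[Countermeasure, ...] = ()) -> int:
        """Residual score with the applied (and optionally extra) measures.
        Neither factor can drop below 1, so a risk never disappears entirely."""
        measures = list(self.applied) + list(extra)
        p = max(1, self.probability - sum(m.probability_reduction for m in measures))
        d = max(1, self.damage - sum(m.damage_reduction for m in measures))
        return risk_score(p, d)


def treat(risk: Risk, candidates: List[Countermeasure],
          acceptable: str = "medium") -> Tuple[str, List[str]]:
    """Greedy treatment: repeatedly apply the measure with the best net benefit
    (risk reduction minus cost) until the residual risk is within the acceptable
    level or no remaining measure pays for itself. Returns the residual level
    and the names of the measures applied."""
    ceiling = LEVEL_CEILING[acceptable]
    remaining = list(candidates)
    while risk.residual() > ceiling and remaining:
        before = risk.residual()
        best = max(remaining,
                   key=lambda m: (before - risk.residual((m,))) - m.cost)
        if before - risk.residual((best,)) < best.cost:
            break  # nothing left is economically justified; monitor the residual risk
        risk.applied.append(best)
        remaining.remove(best)
    return risk_level(risk.residual()), [m.name for m in risk.applied]


if __name__ == "__main__":
    # Constructed scenario: illegal login to a file server, both factors at 3 -> score 9 (high).
    login = Risk("file server", "illegal login", probability=3, damage=3)
    options = [
        Countermeasure("long passwords", cost=1, probability_reduction=1),
        Countermeasure("smart-card authentication", cost=3, probability_reduction=2),
    ]
    print(treat(login, options, acceptable="medium"))
```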

Risk management is a multi-stage iterative process (Figure 4.14).

Almost all of its stages are interconnected, and upon completion of almost any of them, the need to return to the previous one may become apparent. Thus, when identifying assets, an understanding may arise that the selected boundaries of analysis should be expanded and the degree of detail increased. Primary analysis is especially difficult when multiple returns to the beginning are inevitable. Risk management is a typical optimization problem; the fundamental difficulty lies in its competent formulation at the level of top management, the combination of optimal methods and description of initial data (Fig. 4.15).

Fig. 4.15. Formation of IT risk management activities

The Risk Assessment and Risk Management methodologies have become an integral part of activities in the field of Business Continuity and Information Security. The IS implementation program and sets of policies are based on a set of systemic actions and practical steps (Fig. 4.16-Fig. 4.19).

Fig. 4.16. Set of systemic actions and practical steps (1)

Fig. 4.17. Set of systemic actions and practical steps (2)

Fig. 4.18. Set of systemic actions and practical steps (3)

Fig. 4.19. Set of systemic actions and practical steps (4)

More than a dozen different international standards and specifications have been prepared and are actively used that regulate information risk management procedures in detail: ISO 15408:1999 ("Common Criteria for Information Technology Security Evaluation"), ISO 17799:2002 ("Code of Practice for Information Security Management"), NIST 800-30, SAS 78/94, COBIT.

The RA Software Tool methodology and toolkit is based on the requirements of the international standards ISO 17799 and ISO 13335 (parts 3 and 4), as well as on the requirements of the British Standards Institution (BSI) guidelines PD 3002 ("Guide to risk assessment and management"), PD 3003 ("Assessing a company's audit readiness in accordance with BS 7799") and PD 3005 ("Security Selection Guide").

In practice, such risk management techniques allow you to:

  • create models of the company’s information assets from a security point of view;
  • classify and evaluate asset values;
  • compile lists of the most significant security threats and vulnerabilities;
  • rank security threats and vulnerabilities;
  • assess and manage risks;
  • develop corrective measures;
  • justify risk control means and measures;
  • evaluate the effectiveness/cost of various protection options;
  • formalize and automate risk assessment and management procedures.

Risk management includes a number of important stages, which are necessarily included in the planned work to ensure information security (Fig. 4.20).

The use of appropriate software can reduce the effort of conducting risk analysis and selecting countermeasures. Currently, more than a dozen software products have been developed for analyzing and managing risks at a baseline level of security. An example of a fairly simple tool is the BSS software package (Baseline Security Survey, UK).

Higher-class software products include CRAMM (Insight Consulting Limited, UK), RiskWatch, COBRA (Consultative Objective and Bi-Functional Risk Analysis) and Buddy System. The most popular of them is CRAMM (Complex Risk Analysis and Management Method), which implements a method of risk analysis and control. A significant advantage of the method is the ability to conduct a detailed study in a short time with full documentation of the results.

Fig. 4.20. Stages of risk management

Methods like CRAMM are based on an integrated approach to risk assessment, combining quantitative and qualitative analysis methods. The method is universal and suitable for both large and small organizations, in both the government and commercial sectors.

The strengths of the CRAMM method include the following:

  • CRAMM is a well-structured and widely tested risk analysis method that provides realistic practical results;
  • CRAMM software tools can be used at all stages of an IS security audit;
  • at the core of the software product is a fairly large knowledge base on countermeasures in the field of information security, based on the recommendations of the BS 7799 standard;
  • the flexibility and versatility of the CRAMM method allow it to be used for auditing information systems of any level of complexity and purpose;
  • CRAMM can be used as a tool to develop an organization's business continuity plan and information security policies;
  • CRAMM can be used as a means of documenting IS security mechanisms.

For commercial organizations there is a commercial profile of security standards (Commercial Profile), for government organizations - government (Government Profile). The government version of the profile also allows you to audit for compliance with the requirements of the American standard TCSEC ("Orange Book").

When implementing an information security management system (ISMS) in an organization, the risk management system is usually one of the main stumbling blocks. Discussions about information security risk management are akin to the UFO problem: on the one hand, no one around seems to have seen one and the event itself seems unlikely; on the other hand, there is a lot of evidence, hundreds of books have been written, there are even corresponding scientific disciplines and associations of pundits engaged in this research and, as usual, the intelligence services have special secret knowledge in this area.

Alexander Astakhov, CISA, 2006

Introduction

There is no consensus among information security specialists on risk management issues. Some reject quantitative methods of risk assessment, some reject qualitative methods, some deny the feasibility and the very possibility of risk assessment altogether, and some accuse the organization's management of insufficient awareness of the importance of security issues or complain about the difficulty of obtaining an objective valuation of certain assets, such as the organization's reputation. Others, seeing no way to justify security spending, propose treating it as a kind of hygienic procedure and spending on it as much as they can spare, or as much as is left in the budget.

Whatever opinions exist on information security risk management and however we treat these risks, one thing is clear: this issue contains the essence of the multifaceted activities of information security specialists, directly connecting them with the business and giving them reasonable meaning and expediency. This article outlines one possible approach to risk management and answers the question of why different organizations view and manage information security risks differently.

Core and supporting assets

When we talk about business risks, we mean the possibility of suffering certain damage with a certain probability. This can be either direct material damage or indirect damage, expressed, for example, in lost profits, up to exit from the business, because if the risk is not managed, then the business can be lost.

Essentially, an organization has and uses several main categories of resources to achieve the results of its activities (its business goals); hereinafter we will use the concept of an asset directly related to the business. An asset is anything that has value for an organization and generates its income (in other words, something that creates a positive financial flow or saves money).

There are material, financial, human and information assets. Modern international standards also define another category of assets: processes. A process is an aggregated asset that operates all other company assets to achieve business goals. The company's image and reputation are also considered among its most important assets. These key assets of any organization are nothing more than a special type of information asset, since the image and reputation of a company are nothing more than the content of the open and widely disseminated information about it. Information security deals with image issues insofar as security problems in the organization, as well as leakage of confidential information, have an extremely negative impact on the image.

Business results are influenced by various external and internal factors classified as risk. This influence is expressed in a negative impact on one or simultaneously several groups of assets of the organization. For example, a server failure affects the availability of information and applications stored on it, and its repair distracts human resources, creating a shortage of them in a certain area of ​​work and causing disorganization of business processes, while the temporary unavailability of client services can negatively affect the company's image.

By definition, all types of assets are important to an organization. However, every organization has core vital assets and supporting assets. It is very easy to determine which assets are the core ones, because these are the assets around which the organization's business is built. Thus, the business of an organization can be based on the ownership and use of tangible assets (for example, land, real estate, equipment, minerals); it can be built on the management of financial assets (credit activities, insurance, investing); it can be based on the competence and authority of specific specialists (consulting, audit, training, high-tech and knowledge-intensive industries); or it can revolve around information assets (software development, information products, e-commerce, business on the Internet). Risks to core assets are fraught with loss of the business and irreparable losses for the organization; therefore the attention of business owners is focused primarily on these risks, and the organization's management deals with them personally. Risks to supporting assets typically result in recoverable damage and are not a major priority in the organization's management system. Typically, such risks are managed by specially appointed people, or they are transferred to a third party, for example an outsourcer or an insurance company. For an organization, this is more a matter of management efficiency than of survival.

Existing approaches to risk management

Since information security risks are not the main risks for every organization, three main approaches to managing them are practiced, differing in depth and level of formalism.

For non-critical systems, where information assets are supporting and the level of informatization is not high, which is typical for most modern Russian companies, there is minimal need for risk assessment. In such organizations it makes sense to talk about a certain baseline level of information security, determined by existing regulations and standards, best practices, experience, and how things are done in most other organizations. However, the existing standards, while describing a certain basic set of requirements and security mechanisms, always stipulate the need to assess the risks and the economic feasibility of using particular control mechanisms, in order to select from the general set of requirements and mechanisms those that are applicable in a particular organization.

For critical systems, where information assets are not the core ones but the level of informatization of business processes is very high and information risks can significantly affect the main business processes, risk assessment must be applied; in this case, however, it is advisable to limit oneself to informal qualitative approaches, paying special attention to the most critical systems.

When an organization’s business is built around information assets and information security risks are the main ones, a formal approach and quantitative methods must be used to assess these risks.

In many companies, several types of assets can be vital at the same time, for example when the business is diversified or when the company creates information products and both human and information resources are vital. In this case, the rational approach is to conduct a high-level risk assessment to determine which systems are highly exposed to risk and which are critical to business operations, followed by a detailed risk assessment of the identified systems. For all other non-critical systems, it is advisable to limit oneself to the baseline approach, making risk management decisions based on existing experience, expert opinions and best practice.

Levels of maturity

The choice of approach to risk assessment in an organization is influenced not only by the nature of its business and the level of informatization of its business processes, but also by its level of maturity. Information security risk management is a business task initiated by the management of an organization according to its degree of awareness of information security problems; its purpose is to protect the business from real, existing information security threats. By degree of awareness, several maturity levels of organizations can be traced, which to a certain extent correlate with the maturity levels defined in COBIT and other standards:

  1. At the entry level there is no awareness as such; the organization takes fragmented measures to ensure information security, initiated and implemented by IT specialists on their own responsibility.
  2. At the second level, the organization defines responsibility for information security, and attempts are made to use integrated solutions with centralized management and to implement individual information security management processes.
  3. The third level is characterized by the application of the process approach to information security management described in the standards. The information security management system becomes so important for the organization that it is considered a necessary component of the organization's management system. However, a full-fledged information security management system does not yet exist, because the basic element of such a system, the risk management processes, is missing.
  4. Organizations with the highest degree of awareness of information security problems are characterized by a formalized approach to information security risk management, with documented processes of planning, implementation, monitoring and improvement.

Risk management process model

In March this year, a new British standard, BS 7799 Part 3 (Information security management systems - Information security risk management practice), was adopted. ISO expects this document to be approved as an International Standard by the end of 2007. BS 7799-3 defines risk assessment and management processes as an integral element of an organization's management system, using the same process model as other management standards, which includes four process groups: plan, do, check, act (PDCA), reflecting the standard cycle of any management process. While ISO 27001 describes the overall end-to-end security management cycle, BS 7799-3 extends it to information security risk management processes.

In the information security risk management system, at the Planning stage, the policy and methodology for risk management are determined, and a risk assessment is performed, which includes an inventory of assets, compilation of threat and vulnerability profiles, assessment of the effectiveness of countermeasures and potential damage, and determination of the acceptable level of residual risks.

At the Implementation stage, risks are processed and control mechanisms are introduced to minimize them. The organization's management makes one of four decisions for each identified risk: ignore, avoid, transfer to an external party, or minimize. After this, a risk treatment plan is developed and implemented.

At the Verification stage, the functioning of control mechanisms is monitored, changes in risk factors (assets, threats, vulnerabilities) are monitored, audits are conducted and various control procedures are performed.

At the Action stage, based on the results of continuous monitoring and ongoing audits, the necessary corrective actions are carried out, which may include, in particular, a reassessment of the magnitude of risks, adjustments to the risk management policy and methodology, as well as the risk treatment plan.

Risk factors

The essence of any risk management approach is to analyze risk factors and make adequate decisions to treat risks. Risk factors are the main parameters that we use when assessing risks. There are only seven such parameters:

  • Asset
  • Damage (Loss)
  • Threat
  • Vulnerability
  • Control mechanism
  • Average annual loss (ALE)
  • Return on Investment (ROI)

How these parameters are analyzed and assessed is determined by the risk assessment methodology used in the organization. At the same time, the general approach and pattern of reasoning are approximately the same, no matter what methodology is used. The risk assessment process includes two phases. In the first phase, which is defined in the standards as risk analysis, it is necessary to answer the following questions:

  • What is the company's main asset?
  • What is the real value of this asset?
  • What threats exist to this asset?
  • What are the consequences of these threats and the damage to the business?
  • How likely are these threats?
  • How vulnerable is the business to these threats?
  • What is the expected average annual loss?

In the second phase, which is defined by the standards as risk assessment, it is necessary to answer the question: What level of risk (the amount of average annual losses) is acceptable for the organization and, based on this, what risks exceed this level.

Thus, based on the results of the risk assessment, we obtain a description of the risks exceeding the acceptable level and an assessment of the magnitude of these risks, which is determined by the size of the average annual losses. Next, you need to make a decision on risk treatment, i.e. answer the following questions:

  • Which risk treatment option do we choose?
  • If a decision is made to minimize risk, what control mechanisms should be used?
  • How effective are these controls and what return on investment will they provide?

The output of this process is a risk treatment plan that determines how risks are treated, the cost of countermeasures, as well as the timing and responsibility for implementing countermeasures.
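An added example, not from Astakhov's article, that works the seven risk factors above through in Python: ALE is computed as asset value times loss fraction per incident times annual rate of occurrence times vulnerability (the standard single-loss-expectancy times annual-rate formulation, which the article names but does not spell out), ROI of a control as (ALE reduction minus annual cost) divided by annual cost, and the treatment decision follows the accept / minimize / escalate logic of the text. All asset names, controls and monetary values are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: the first five of the seven factors."""
    asset: str
    asset_value: float     # value of the asset to the business, in money
    threat: str
    loss_fraction: float   # damage: share of the asset value lost per incident (0..1)
    annual_rate: float     # threat likelihood: expected incidents per year
    vulnerability: float   # probability an incident succeeds against current defences (0..1)

    def ale(self) -> float:
        """Average annual loss: single loss expectancy x annual rate x vulnerability.
        Standard ALE formulation (assumption; the article gives no formula)."""
        return self.asset_value * self.loss_fraction * self.annual_rate * self.vulnerability


@dataclass(frozen=True)
class Control:
    """A control mechanism: what it costs per year and the vulnerability left once it is in place."""
    name: str
    annual_cost: float
    residual_vulnerability: float


def ale_with(risk: Risk, control: Control) -> float:
    """ALE after the control is applied; only the vulnerability factor changes."""
    return replace(risk, vulnerability=control.residual_vulnerability).ale()


def roi(risk: Risk, control: Control) -> float:
    """Return on investment = (ALE reduction - annual cost) / annual cost."""
    saving = risk.ale() - ale_with(risk, control)
    return (saving - control.annual_cost) / control.annual_cost


def decide(risk: Risk, acceptable_ale: float,
           controls: List[Control]) -> Tuple[str, Optional[str]]:
    """Second phase of the assessment plus the treatment decision.

    - ALE within the acceptable level: accept the risk as it is.
    - Otherwise minimize, using the control that brings ALE within the level
      at the highest positive ROI.
    - No such control: escalate to management for an avoid / transfer decision.
    """
    if risk.ale() <= acceptable_ale:
        return "accept", None
    viable = [c for c in controls
              if ale_with(risk, c) <= acceptable_ale and roi(risk, c) > 0]
    if not viable:
        return "escalate", None
    best = max(viable, key=lambda c: roi(risk, c))
    return "minimize", best.name


if __name__ == "__main__":
    # Constructed register entry: a customer database worth 500,000, compromise
    # destroys 40% of its value, expected twice in four years, succeeding half the time.
    db = Risk("customer database", 500_000, "database compromise",
              loss_fraction=0.4, annual_rate=0.5, vulnerability=0.5)
    controls = [
        Control("encryption and access review", annual_cost=15_000, residual_vulnerability=0.1),
        Control("24x7 monitoring service", annual_cost=60_000, residual_vulnerability=0.02),
    ]
    print(db.ale(), [(c.name, round(roi(db, c), 2)) for c in controls])
    print(decide(db, acceptable_ale=12_000, controls=controls))
```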

Deciding on Risk Treatment

Making a decision on risk treatment is the key and most critical moment in the risk management process. In order for management to make the right decision, the person responsible for risk management in the organization must provide it with relevant information. The form of presentation of such information follows the standard business communication pattern, which includes four main points:

  • Problem reporting: What is the threat to the business (source, object, method of implementation) and what is the reason for its existence?
  • Severity of the problem: How does this threaten the organization, its management and shareholders?
  • Proposed solution: What is proposed to be done to correct the situation, how much will it cost, who should do it, and what is required directly from management?
  • Alternative solutions: What other ways to solve the problem exist (there are always alternatives and management should have the opportunity to choose).

Points 1 and 2, as well as 3 and 4 may be interchanged, depending on the specific situation.

Risk management methods

There are a sufficient number of well-proven and widely used risk assessment and management methods. One such method is OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University for an organization's own internal use. It has a number of variants designed for organizations of different sizes and areas of activity. The essence of the method is that a sequence of appropriately organized internal workshops is used to assess risks. Risk assessment is carried out in three stages, preceded by a set of preparatory activities that include agreeing on the schedule of workshops, assigning roles, planning, and coordinating the actions of project team members.

At the first stage, during practical workshops, threat profiles are developed, including an inventory and assessment of the value of assets, identification of applicable legal and regulatory requirements, identification of threats and assessment of their likelihood, as well as determination of a system of organizational measures to maintain the information security regime.

At the second stage, a technical analysis of the vulnerabilities of the organization’s information systems in relation to threats whose profiles were developed at the previous stage is carried out, which includes the identification of existing vulnerabilities of the organization’s information systems and an assessment of their magnitude.

At the third stage, information security risks are assessed and processed, which includes determining the magnitude and likelihood of causing damage as a result of security threats using vulnerabilities that were identified in the previous stages, determining a protection strategy, as well as selecting options and making decisions on risk treatment. The magnitude of the risk is defined as the average annual loss of the organization as a result of the implementation of security threats.

A similar approach is used in the well-known CRAMM risk assessment method, developed at one time by order of the British government. CRAMM's primary method of risk assessment is through carefully planned interviews using detailed questionnaires. CRAMM is used in thousands of organizations around the world, thanks, among other things, to the availability of highly developed software tools that contain a knowledge base on risks and mechanisms for minimizing them, tools for collecting information, generating reports, and also implementing algorithms for calculating the magnitude of risks.

Unlike the OCTAVE method, CRAMM uses a slightly different sequence of actions and methods for determining the magnitude of risks. First, the feasibility of assessing risks in general is determined, and if the organization’s information system is not critical enough, then a standard set of control mechanisms described in international standards and contained in the CRAMM knowledge base will be applied to it.

At the first stage, the CRAMM method builds a model of information system resources that describes the relationships between information, software and technical resources, and also evaluates the value of resources based on the possible damage that an organization may suffer as a result of their compromise.

At the second stage, a risk assessment is carried out, which includes identifying and assessing the likelihood of threats, assessing the magnitude of vulnerabilities and calculating risks for each triple: resource - threat - vulnerability. CRAMM evaluates “pure” risks, regardless of the control mechanisms implemented in the system. At the risk assessment stage, it is assumed that no countermeasures are applied at all, and a set of recommended countermeasures to minimize risks is formed based on this assumption.

At the final stage, the CRAMM toolkit generates a set of countermeasures to minimize the identified risks and compares the recommended countermeasures with those already in place, after which a risk treatment plan is generated.
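The calculations the two methods are described as performing can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the OCTAVE or CRAMM projects or their tooling. It scores "pure" risk for each resource-threat-vulnerability triple with no countermeasures credited (the CRAMM convention described above), expresses the magnitude of each risk as an average annual loss (the OCTAVE convention described above), compares recommended against existing countermeasures to produce a treatment plan, and re-evaluates a risk once specific countermeasures have been chosen. All scales, effectiveness figures and sample data are constructed for illustration and are not from any standard.

```python
"""Added worked example for this page (not OCTAVE or CRAMM code).

Risk magnitude is modelled as an average annual loss:
    annual_loss = threat frequency per year * probability the attempt
                  succeeds through the vulnerability * value lost on compromise
Existing controls are deliberately NOT credited in annual_loss(), so it
yields the "pure" risk of a resource-threat-vulnerability triple.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    value: float            # assumed: loss in currency units if fully compromised


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float        # assumed: expected attempts per year


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: float         # assumed: probability (0..1) that an attempt succeeds
    countermeasures: tuple  # recommended controls for this vulnerability (constructed)


@dataclass(frozen=True)
class Triple:
    resource: Resource
    threat: Threat
    vulnerability: Vulnerability


def annual_loss(t: Triple) -> float:
    """Pure risk: no countermeasures assumed, as in the CRAMM assessment stage."""
    return t.threat.frequency * t.vulnerability.exposure * t.resource.value


def treatment_plan(triples, existing: set, acceptable: float) -> list:
    """Rank triples by pure risk; for each one above the acceptable annual
    loss, list the recommended countermeasures that are not yet in place."""
    plan = []
    for t in sorted(triples, key=annual_loss, reverse=True):
        loss = annual_loss(t)
        if loss <= acceptable:
            continue
        missing = sorted(set(t.vulnerability.countermeasures) - existing)
        plan.append({
            "resource": t.resource.name,
            "threat": t.threat.name,
            "vulnerability": t.vulnerability.name,
            "annual_loss": loss,
            "add_countermeasures": missing,
        })
    return plan


def residual_loss(t: Triple, effectiveness: dict, chosen) -> float:
    """Re-evaluate a triple after countermeasures are selected. Each chosen
    control scales the exposure by (1 - effectiveness); effects compound."""
    exposure = t.vulnerability.exposure
    for control in chosen:
        exposure *= 1.0 - effectiveness.get(control, 0.0)
    return t.threat.frequency * exposure * t.resource.value


# Constructed sample register (hypothetical assets, threats and figures).
CUSTOMER_DB = Resource("customer database", 200_000.0)
PAYROLL = Resource("payroll system", 50_000.0)
EXTERNAL = Threat("external attacker", 2.0)
INSIDER = Threat("malicious insider", 0.5)

TRIPLES = [
    Triple(CUSTOMER_DB, EXTERNAL,
           Vulnerability("unpatched web server", 0.25,
                         ("patch management", "web application firewall"))),
    Triple(CUSTOMER_DB, EXTERNAL,
           Vulnerability("weak admin passwords", 0.10, ("password policy", "MFA"))),
    Triple(PAYROLL, INSIDER,
           Vulnerability("excessive privileges", 0.20, ("least privilege review",))),
]
EXISTING_CONTROLS = {"password policy"}
ACCEPTABLE_ANNUAL_LOSS = 5_000.0
# Assumed effectiveness of each control at reducing exposure (constructed).
EFFECTIVENESS = {"patch management": 0.8, "web application firewall": 0.5, "MFA": 0.9}

if __name__ == "__main__":
    for item in treatment_plan(TRIPLES, EXISTING_CONTROLS, ACCEPTABLE_ANNUAL_LOSS):
        print(item)
    after = residual_loss(TRIPLES[0], EFFECTIVENESS,
                          ["patch management", "web application firewall"])
    print("residual annual loss for first triple:", round(after, 2))
```

With the constructed figures, the first two triples exceed the acceptable level (100 000 and 40 000 per year) and enter the plan; the payroll triple sits exactly at the threshold and is left as accepted risk. Selecting both recommended controls for the web server brings its expected annual loss down to 10 000, which is still above the threshold, so the re-evaluation step would send the analyst back to choose further treatment, the kind of roll-back to an earlier stage that a risk workflow has to support.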

Risk Management Toolkit

In the process of risk assessment, we go through a number of successive stages, periodically rolling back to previous stages, for example, re-evaluating a certain risk after choosing a specific countermeasure to minimize it. At each stage, it is necessary to have on hand questionnaires, lists of threats and vulnerabilities, registers of resources and risks, documentation, minutes of meetings, standards and guidelines. In this regard, we need some kind of programmed algorithm, database and interface to work with these various data.

To manage information security risks, you can use tools, for example, as in the CRAMM method, or RA2 (shown in the figure), but this is not mandatory. The BS 7799-3 standard says much the same. The usefulness of using the toolkit may lie in the fact that it contains a programmed algorithm for the risk assessment and risk management workflow, which simplifies the work for an inexperienced specialist.

The use of tools allows you to unify the methodology and simplify the use of results to reassess risks, even if it is performed by other specialists. Thanks to the use of tools, it is possible to streamline data storage and work with resource models, threat profiles, lists of vulnerabilities and risks.

In addition to the risk assessment and management tools themselves, the software tools may also contain additional tools for documenting the ISMS, analyzing discrepancies with standard requirements, developing a resource register, as well as other tools necessary for the implementation and operation of the ISMS.

Conclusions

The choice between qualitative and quantitative approaches to risk assessment is determined by the nature of the organization’s business and the level of its informatization, i.e. the importance of information assets to it, as well as the maturity level of the organization.

When implementing a formal approach to risk management in an organization, it is necessary to rely primarily on common sense, existing standards (e.g. BS 7799-3) and well-established methodologies (e.g. OCTAVE or CRAMM). It may be useful to use software tools for these purposes that implement the appropriate methodologies and meet the requirements of the standards to the maximum extent possible (for example, RA2).

The effectiveness of the information security risk management process is determined by the accuracy and completeness of the analysis and assessment of risk factors, as well as the effectiveness of the mechanisms used in the organization for making management decisions and monitoring their implementation.

Links

  • Astakhov A.M., “History of the BS 7799 standard”, http://www.globaltrust.ru/shop/osnov.php?idstat=61&idcatstat=12
  • Astakhov A.M., “How to build and certify an information security management system?”,