ISO 27005 Risk Assessment
DESCRIPTION
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
TRANSCRIPT
Risk Assessment as per ISO 27005
Presented by Dharshan Shanthamurthy, Risk Assessment Evangelist, WWW.SMART‐RA.COM
SMART‐RA.COM is a patent pending product of SISA Information Security Pvt. Ltd.
What is Risk Assessment?
• NIST SP 800‐30: Risk Assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
• OCTAVE: A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.
• ISO 27005: Risk Assessment = Identification, Estimation and Evaluation
Why Risk Assessment? Regulatory Compliance
Standard: Risk Assessment Requirement
PCI DSS Requirement 12.1.2: Formal and structured risk assessment based on methodologies like ISO 27005, NIST SP 800‐30, OCTAVE, etc.
HIPAA Section 164.308(a)(1): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
FISMA 3544: Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed at least annually.
ISO 27001 Clause 4.1: Risk assessments should identify risks against risk acceptance criteria and organizational objectives. Risk assessments should also be performed periodically to address changes in the security requirements and in the risk situation.
Others: GLBA, SOX, FISMA, Data Protection Act, IT Act Amendment 2008, Privacy Act, HITRUST……
Why Risk Assessment? Business Rationale
Function: Explanation
Return on Investment: A structured RA methodology follows a systematic and pre‐defined approach, minimizes the scope of human error, and emphasizes process driven, rather than human driven, activities.
Budget Allocation: Assists in controls cost planning and justification.
Controls: Cost and effort optimization by optimizing controls selection and implementation.
Efficient utilization of resources: Resource optimization by appropriate delegation of actions related to controls implementation.
What is IS-RA?
Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile: its strengths and weaknesses, its vulnerabilities and exposures.
“IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”
Reality Check
• ISRA: a need more than a want
• Each organization has their own ISRA
• ISRA learning curve
• Cumbersome: 1000 assets, 20 worksheets
• Two months' effort
• Complicated report
Exercise
• Threat Scenarios
• Threat Profiles to be filled.
Risk Assessment reference points
• OCTAVE
• NIST SP 800‐30
• ISO 27005
• COSO
• Risk IT
• ISO 31000
• AS/NZS 4360
• FRAP
• FTA
• MEHARI
ISO 27005 Introduction
• ISO 27005 is an Information Security Risk Management guideline.
• Lays emphasis on the ISMS concept of ISO 27001:2005.
• Drafted and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
• Provides a RA guideline and does not recommend any RA methodologies.
• Applicable to organizations of all types.
ISO 27005 Workflow
• Advocates an iterative approach to risk assessment
• Aims at balancing time and effort with controls efficiency in mitigating high risks
• Proposes the Plan‐Do‐Check‐Act cycle.
Source: ISO 27005 Standard
ISO 27005 Risk Assessment
Information Security Risk Assessment = Risk Analysis + Risk Evaluation
Risk Analysis:
Risk Analysis = Risk Identification + Risk Estimation
1. Risk Identification: risk characterized in terms of organizational conditions
• Identification of Assets: Assets within the defined scope.
• Identification of Threats: Based on incident reviewing, asset owners, asset users, external threats, etc.
ISO 27005 Risk Assessment Contd.
• Identification of Existing Controls: Also check if the controls are working correctly.
• Identification of Vulnerabilities: Vulnerabilities are shortlisted in organizational processes, IT, personnel, etc.
• Identification of Consequences: The impact of loss of CIA of assets.
2. Risk Estimation: specifies the measure of risk.
• Qualitative Estimation
• Quantitative Estimation
Risk Evaluation:
• Compares and prioritizes Risk Level based on Risk Evaluation Criteria and Risk Acceptance Criteria.
ISO 27005 RA Workflow
Step 1: General Description of ISRA
Step 2: Risk Analysis: Risk Identification
Step 3: Risk Analysis: Risk Estimation
Step 4: Risk Evaluation
Step 1: General Description of ISRA
Input: Basic Criteria; Scope and Boundaries; Organization for ISRM.
Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.
Output: Assessed risks prioritized according to Risk Evaluation Criteria.
Step 2 (Risk Analysis: Risk Identification): Identification of Assets
Input: Scope and Boundaries; Asset owners; Asset location; Asset function.
Action: Assets are defined.
Output: List of Assets. List of associated business processes.
Step 2 (Risk Analysis: Risk Identification): Identification of Threats
Input: Threat information from
• Review of Incidents
• Asset Owners
• Asset Users, etc.
Action: Threats are defined.
Output:
• Threats
• Threat source
• Threat type
Step 2 (Risk Analysis: Risk Identification): Identification of Existing Controls
Input:
• Documentation of controls
• RTP
Action: Existing and planned controls are defined.
Output: Existing and planned controls
• Implementation status
• Usage status
Step 2 (Risk Analysis: Risk Identification): Identification of Vulnerabilities
Input:
• Identified Assets
• Identified Threats
• Identified Existing Controls
Action: Vulnerabilities are identified.
Output:
• Vulnerabilities related to assets, threats, controls.
• Vulnerabilities not related to any threat.
Step 2 (Risk Analysis: Risk Identification): Identification of Consequences
Input:
• Assets and business processes
• Threats and vulnerabilities
Action: The impact of the loss of CIA is identified.
Output:
• Incident scenarios with their consequences related to assets and business processes.
Step 3 (Risk Analysis: Risk Estimation): Risk Estimation Methodologies
(a) Qualitative Estimation: High, Medium, Low
(b) Quantitative Estimation: $, hours, etc.
Step 3 (Risk Analysis: Risk Estimation): Assessment of Consequences
Input:
• Assets and business processes
• Threats and vulnerabilities
• Incident scenarios
Action: The business impact from information security incidents is assessed.
Output: Assessed consequences of an incident scenario expressed in terms of assets and impact criteria.
Step 3 (Risk Analysis: Risk Estimation): Level of Risk Estimation
Input:
• Incident scenarios with their consequences
• Their likelihood
Action: Level of risk is estimated for all relevant incident scenarios.
Output: List of risks with value levels assigned (quantitative or qualitative).
Step 4: Risk Evaluation
Input:
• Risks with value levels assigned and risk evaluation criteria.
Action: Level of risk is compared against risk evaluation criteria and risk acceptance criteria.
Output: Risks prioritized according to risk evaluation criteria in relation to the incident scenarios.
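The Step 3 (level of risk estimation) and Step 4 (risk evaluation) slides above, carried out in code as an added example that is not part of the presentation: a qualitative likelihood x consequence matrix gives each incident scenario a High/Medium/Low level of risk, which is then compared against an acceptance criterion and prioritized. The matrix, the acceptance level and the scenario register are constructed assumptions, not values from the standard or the deck.

```python
# Added example (not from the presentation or from ISO 27005 itself).
# Qualitative estimation and evaluation of incident scenarios.
from dataclasses import dataclass

LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Assumed estimation matrix: (likelihood, consequence) -> level of risk.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",        ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium",  ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",      ("High", "High"): "High",
}

@dataclass
class IncidentScenario:
    """One row of the register: asset, threat, vulnerability, existing control,
    assessed consequence (impact of loss of C, I or A) and likelihood."""
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    consequence: str   # "Low" / "Medium" / "High"
    likelihood: str    # "Low" / "Medium" / "High"

def estimate_level_of_risk(scenario: IncidentScenario) -> str:
    """Step 3: level of risk from likelihood and consequence via the matrix."""
    return RISK_MATRIX[(scenario.likelihood, scenario.consequence)]

def evaluate(scenarios, acceptance_level: str = "Low"):
    """Step 4: compare each level against the acceptance criterion and
    prioritize, highest level (then highest consequence) first.
    Returns (scenario, level, accepted) tuples."""
    results = [(s, estimate_level_of_risk(s),
                LEVELS[estimate_level_of_risk(s)] <= LEVELS[acceptance_level])
               for s in scenarios]
    results.sort(key=lambda r: (-LEVELS[r[1]], -LEVELS[r[0].consequence]))
    return results

# Constructed sample register (hypothetical assets and threats).
SCENARIOS = [
    IncidentScenario("Customer database", "External attacker", "Unpatched DB server", "Firewall only", "High", "Medium"),
    IncidentScenario("HR laptop", "Theft", "No disk encryption", "Asset tagging", "Medium", "Medium"),
    IncidentScenario("Intranet wiki", "Accidental deletion", "No backup verification", "Daily backups", "Low", "Low"),
]

if __name__ == "__main__":
    for s, level, accepted in evaluate(SCENARIOS):
        print(f"{level:6} {'accepted' if accepted else 'treat'}  {s.asset}: {s.threat} via {s.vulnerability}")
```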
Summary
• Keep it Simple and Systematic
• Comprehensive
• Risk sensitive culture in the organization.
• Drive security from a risk management perspective, rather than only a compliance perspective.
• Help RA to help you…
Questions?
Be a Risk Assessment Evangelist!
IS‐RA Forum on Linkedin
SMART‐RA Forum on Linkedin
Dharshan Shanthamurthy, E‐mail: [email protected]
Phone: +91‐99451 22551