NIST 800 30 revision Sep 2012

Posted on 06-May-2015

Page 1

Information Systems Risk Assessment Framework (ISRAF)

(Addendum of NIST 800-39 information systems risk management and revision of NIST SP 800-30)

Prepared by S. Periyakaruppan (PK)

Page 2

Need of Addendum/Revision?

• Ensure a converged and integrated process
• Address the challenges in the traditional approach
• Adaptive and modular working model of information systems risk assessment
• Improve the organization's risk-based decisions
• Bring value addition to the business

Page 3

Should it get transformed? Why?

• To make risk management an integral part of business and project management and of IT life cycle management
• To facilitate a practical approach to addressing risk
• To evolve a business-aligned approach
• To tailor down the model of a domain-agnostic approach

Page 4

Does it need a Model/Framework?

• Evolve a descriptive process and systematic thinking
• Emerging business demand and process convergence
• Enhance communication among functional entities
• Invoke a result-oriented approach
• Predict results in the systematic model

Page 5

Assessing risk – What & Why

• To identify the potential opportunity of a probable consequence of an adverse impact due to a weakness in the information systems
• To support the business with risk-based decisions
• To identify external and internal threat exposures to an organization from a nation or another organization, and vice versa
• To monitor the on-going risk exposure of the organization
• To observe the effectiveness of the information security program
• To assist with metrics for information security program management

Page 6: NIST 800 30 revision  Sep 2012

Assessing risks - When DURING ARCHITECTURE DEVELOPMENT –( ORG,PROCESS & INFORMATION

SYSTEM) DURING FUNCTIONAL AND BUSINESS SYSTEMS INTEGRATION. DURING ALL PHASES OF SDLC (SYSTEMS ACQUISITION AND DEVELOPMENT

LIFE CYCLE) DURING ACQUISITION OF NEW SECURITY OR BUSINESS/FUNCTION SOLUTION. DURING MODIFICATION OF MISSION CRITICAL/BUSINESS CRITICAL SYSTEMS. DURING THIRD PARTY VENDOR/PRODUCT ACQUISITION. DURING DECOMMISSIONING OF SYSTEMS/FUNCTIONS/GROUPS OF THE

ORGANIZATION

Page 7

Risk framing Model

• Determine the uncertainty of the risk and the associated risk constraints
• Define the risk tolerance, priorities and tradeoffs
• Determine the set of risk factors, the assessment scale and the associated algorithm for combining factors
• Assist in precise risk communication and sketch out the boundaries of information system authorization
• Enhance the risk decision with appropriate information
• Incorporate de-duplication in the hierarchical risk management model
• Determine the context of the entire risk assessment process/assessment/approach

Page 8

The Model/Framework

[Diagram: Frame (context) at the centre, surrounded by the Assess, Respond and Monitor functions; hierarchy of Tier 1 (Organizational), Tier 2 (Business/Functional Group) and Tier 3.]

The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.

Page 9

The Focus

[Diagram: Assess, Respond, Monitor, with Assess highlighted.]

Risk Assessment is a key element of risk management.

• Risk assessment process in a modular approach
• Preparation checklist
• Activity checklist
• Protocol to maintain appropriate results of risk assessments
• Method of communicating risk results across the organization

Page 10

Strategy/Approach

Frame the risk
• Freezing the scope (organization risk frame)
• Context of the business/function to an information system

Freeze the method
• Determine the risk assessment methodology
• Determine the analysis approach

Define the Risk Model
• Define the risk factors and their relationships within the risk model
• Define the assessment and analysis approach for a framed risk model

Page 11

Risk – Key concepts

• Risk aggregate: consolidation of individual Tier 1/Tier 2/Tier 3 risks into cumulative risks to identify relationships among risks at various levels.
• Threat shifting: the dynamic variation of a threat source in response to the perceived countermeasures.
• Residual risk: tolerable risk remaining post mitigation, to the extent possible, to reduce the level of adverse impact to the organization.
• Adversarial risk: risk that has an adverse effect caused by adversarial threats.
• Adversarial threats: a threat that has intrinsic characteristics of direct adverse impact, e.g. business operation interruption.
• Non-adversarial threats: threats that have no direct or immediate effect of a threat impact, e.g. exposure of system errors, competitive intelligence gathering.

Page 12

Risk – Key Factors

• Threat event: possible adverse impact through a potential circumstance/event to an organization from a nation or another organization, and vice versa.
• Threat source: the intent and the method of exploitation, or attack vector.
• Likelihood: the probability of a threat becoming reality.
• Vulnerability: a flaw in an information system that can lead to a potential threat.
• Adverse impact: the negative consequences/damage leading to potential impact to the business/organization/nation as the consequence of an exercised vulnerability.
• Predisposing condition: the existing and known lack of controls/inadequate countermeasures as part of the available solution.
• Risk: a measure/unit of the extent to which an entity is threatened by a potential circumstance.

Page 13

Assessing Risk – High Level Process

Step 1 Prepare → Step 2 Conduct → Step 3 Communicate → Step 4 Maintain

Page 14

Prepare for Assessment

Risk Assessment Preparation

Identify the purpose
• Initial assessment?
• Re-assessment?
• Risk baseline determination?

Identify the scope
• The tiers (Org, BFP, IS) addressed
• Result validity period
• Decision-supporting assessment
• Factors influencing re-assessment
• Authorization boundary
• Regulatory requirements/constraints

Identify the assumptions and constraints
• Risk tolerance and priorities/tradeoffs
• Threat sources/events
• Vulnerabilities and pre-disposing conditions
• Uncertainty and analytical approach
• Likelihood of impacts

Identify the source of inputs
• Policy
• Process
• Procedure
• Reports
• External agencies

Identify the Risk Model (assessment & analysis approach)
• Defined risk factors
• Defined risk response
• Qualitative analysis
• Quantitative analysis
• Semi-quantitative analysis

Page 15

Conducting Assessment

Step 1 – Identify threat sources and events
• Intent, target, capability
• Capability of adversaries
• Range of effects

Step 2 – Identify vulnerabilities and pre-disposing conditions
• Effect of existing controls
• Intentional/accidental flaw/weakness in system/process

Step 3 – Determine likelihood of occurrence
• Depends on the degree of Step 1 and the effect of Step 2

Step 4 – Determine magnitude of impact
• Result of BIA
• Depends on effective BCP/DR
• MTTR/MTBF
• RTO/RPO

Step 5 – Determine risk
• Risk: combination of Step 3 and Step 4

Page 16

Method of Risk Analysis

Threat oriented
• Identify threat source and event
• Develop threat scenario and model
• Identify vulnerabilities in the context of threats

Vulnerability oriented
• Identify pre-disposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities

Asset/Impact oriented
• Identify mission/business critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact

Page 17

Method of Risk Assessments

• Objective oriented assessment
  • Using non-numerical values to define risk factors
  • Likelihood and impact with a definite value based on individual expertise

• Subjective oriented approach
  • Using numerical values to define risk factors
  • Likelihood and impact with a definite number based on the history of events

• Contextual analysis and result oriented approach
  • Using bin values (numerical ranges) with unique meaning and context
  • Likelihood and impact derived from a range of numerical values with a degree of unique context

Page 18

Sample Assessment Scale

[Table of sample scales: Qualitative | Quantitative | Semi-qualitative]

Caution: The assessment scales and their descriptive meanings vary from organization to organization, and within an organization at its discretion, according to the organizational culture and its policies and guidelines.
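The following is an added worked example, not code from the ISRAF slides or from NIST. It carries the five conducting steps of page 15 through to a risk level, using the bin-style (semi-quantitative) scale of page 17 and the caution of page 18: likelihood and impact arrive as 0-100 values, are binned into qualitative levels, and are combined in Step 5 by a likelihood x impact lookup table. The bin boundaries and the combination table are assumptions patterned after the layout of the sample tables in NIST SP 800-30 Rev. 1 Appendix I; an organization substitutes its own. The per-tier aggregation at the end illustrates the "risk aggregate" concept of page 11 with one assumed rule (highest level in the tier). All sample threat events are constructed.

```python
"""Semi-quantitative risk scoring: constructed example, not from the ISRAF slides.

Step 3 (likelihood) and Step 4 (impact) arrive as 0-100 values; Step 5 combines
them. Bins, the combination table and the aggregation rule are assumptions.
"""
from dataclasses import dataclass

# Qualitative levels, lowest to highest (assumed five-level scale).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Semi-quantitative bins: inclusive (low, high) range on a 0-100 scale per level.
# Constructed boundaries; an organization defines its own (page 18 caution).
BINS = {
    "Very Low": (0, 4),
    "Low": (5, 20),
    "Moderate": (21, 79),
    "High": (80, 95),
    "Very High": (96, 100),
}

# Step 5 combination table: RISK_MATRIX[likelihood_level][index of impact_level].
# Constructed; patterned after the shape of a typical likelihood x impact table.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}


def to_level(value):
    """Map a 0-100 semi-quantitative value to its qualitative level (bin)."""
    if not 0 <= value <= 100:
        raise ValueError(f"semi-quantitative value out of range: {value}")
    for level, (lo, hi) in BINS.items():
        if lo <= value <= hi:
            return level
    raise AssertionError("bins do not cover 0-100")  # unreachable with BINS above


def combine(likelihood_level, impact_level):
    """Step 5: risk level as the table lookup of likelihood and impact."""
    return RISK_MATRIX[likelihood_level][LEVELS.index(impact_level)]


@dataclass
class ThreatEvent:
    tier: int          # 1 organization, 2 business/function, 3 information system
    name: str
    likelihood: int    # Step 3 result on the 0-100 scale
    impact: int        # Step 4 result on the 0-100 scale

    def risk_level(self):
        """Qualitative risk level via bins and the combination table."""
        return combine(to_level(self.likelihood), to_level(self.impact))

    def risk_score(self):
        """Quantitative form: plain product rescaled to 0-100 (assumed rule)."""
        return self.likelihood * self.impact / 100


def aggregate(events):
    """Risk aggregate (page 11): cumulative risk per tier = highest level in the tier (assumed rule)."""
    per_tier = {}
    for ev in events:
        lvl = ev.risk_level()
        cur = per_tier.get(ev.tier)
        if cur is None or LEVELS.index(lvl) > LEVELS.index(cur):
            per_tier[ev.tier] = lvl
    return per_tier


# Constructed sample risk register (hypothetical events and values).
SAMPLE = [
    ThreatEvent(3, "unpatched web server exploited", likelihood=85, impact=70),
    ThreatEvent(3, "backup tape misplaced", likelihood=10, impact=90),
    ThreatEvent(2, "key supplier outage", likelihood=50, impact=97),
    ThreatEvent(1, "regulatory fine after audit finding", likelihood=3, impact=99),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"Tier {ev.tier} {ev.name}: {ev.risk_level()} (score {ev.risk_score():.0f})")
    print(aggregate(SAMPLE))
```

Note how the same event can rank differently under the two forms: the "backup tape misplaced" event scores only 9 as a product, but the bin table still reports it as Low rather than Very Low because the impact bin is High. That divergence is exactly what the page 18 caution is about: the scale and the combination rule must be agreed and documented before results are compared across assessments or tiers.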

Page 19

Communicate Result

Determine the appropriate method of communication
• Format defined by the organization
• Executive briefings
• Presenting illustrative risk figures
• Risk assessment dashboards
• Sketch out the organizational prioritized risk

Communicate to the designated organizational stakeholders
• Identify the appropriate authority
• Ensure the right information reaches the right person at the right time
• Present contextual information in accordance with the risk strategy

Furnish evidence complying with organizational policies & guidelines
• Capture appropriate analysis data supporting the result
• Include applicable supporting documents to convey the degree of the results
• Identify and document the sources of internal and external information

Page 20

Maintain Risk Posture

Identify key risk factors
• Monitor the key risk factors
• Document the variations
• Re-define the key risk factors

Define frequency of revisit
• Track the risk response as required
• Initiate the assessment when needed
• Communicate the results to organizational entities

Reconfirm the scope and assumptions
• Get the concurrence of scope and assumptions from the appropriate authorities
• Document the plan of action with respect to the risk response

Page 21

Applications of Risk Assessment

Organization (Tier 1)
• Risk strategy decisions
• Contribute EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions
• Help risk response – avoid/accept/mitigate/transfer
• Investment decisions – ROSI (Return on Security Investment)/VAR (Value at Risk)/ALE (Annual Loss Expectancy)

Functional/business (Tier 2)
• Support EA (Enterprise Architecture) integration into SA
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements

Information systems (Tier 3)
• Contribute IS systems design decisions
• Support vendor/product decisions
• Support on-going system operations authorizations

Page 22

Risk Assessment in the RMF life cycle

1. Categorize – Initial risk assessment at Tier 1 supports strategic-level security categorization
2. Select – Categorization decides the security baseline, which in turn assists in appropriate selection
3. Implement – Supports selective implementation based on identified vulnerabilities and pre-disposing conditions
4. Assess – Support actual implementation risk reports in Tier 3 to reveal and assess the risk posture
5. Authorize – Furnish risk-based decisions to the authority in all the tiers
6. Monitor – Support continuous improvement of risk management by Tier 3 assessments

Page 23

Organizational cultural effects on Risk assessment

• Risk models differ based on priorities and tradeoffs with respect to the pre-disposing conditions of the organizational culture
• Determination of risk factors, and valuation of risk factors to constant values or by a qualitative approach, depends on the organizational culture
• Determination of the risk assessment approach and analysis approach depends on the organizational culture
• The assessment and analysis approach may vary within an organization in different tiers