Risk Management Policy Workflow Process Steps Worksheet (2017. 11. 7.)

Page 1:

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by: Mark E.S. Bernard, CGEIT, CRISC, CISM, CISSP

CISA, ISO 27001 Lead Auditor, SABSA-F2, CNA

Page 2:

• Risk Management Policy
• Workflow
• Process Steps
• Worksheet Exercise
• Assets
• Threats
• Business Impact
• Vulnerabilities
• Control Selection
• Report
• Corrective & Preventive Action Plans
• Risk Treatment Plan

Page 3:

Version Number | Creation/Revision Date | Created/Updated by | Comments      | Review Team Members
V01r01         | May 2017               | Mark E.S. Bernard  | Initial Draft | n/a

Page 4:

Participants will leave the presentation with a practical understanding of how the Risk Management process works, including how its output is used to assign resources and prioritize corrective and preventive action plans.

Participants will learn how we identify the threats associated with vulnerabilities and how we select controls designed to mitigate or eliminate those vulnerabilities.

Page 5:

How many session participants are familiar with the Risk Management process? Have you used a Risk Management process?

Page 7:

• Threat can be defined as any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical information, assets or services. A threat can be natural, deliberate or accidental.

• Vulnerability can be defined as a quantifiable, threat-independent characteristic or attribute of any asset within a system boundary, or of the environment in which it operates, which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.

• Risk can be defined, intuitively, as the adverse effects that can result if a vulnerability is exploited or a threat is actualized. In some contexts, a risk is a measure of the likelihood of adverse effects, or the product of the likelihood and the quantified consequences.

• Controls can be defined as a minimum set of safeguards established for a system or organization.

• Assets can be defined as Hardware, Software, People, Telecommunications, Facilities, Services, and Information in any state, including digital, hardcopy, video, spoken, or electronically recorded, either stored or traversing a network.

Page 9:

Risk Management Goals

• To assess risks to Information Assets and System Resources

• To state the goals of the RM, along with the desired security level to be attained, consistent with the organization's risk appetite and Information Asset sensitivity

• To identify vulnerabilities within the infrastructure and facilitate the decision-making process by determining likelihood and impact based on motive and opportunity

• To identify the potential impacts, expressed in terms of confidentiality, integrity and availability, should a threat agent successfully exploit an identified vulnerability, affecting the Information Assets and System Resources and the business functions and applications they support, and

• To provide recommendations that will mitigate and/or eliminate risk to acceptable levels.

Page 10:

Risk Acceptance Criteria: There are three possible Risk Acceptance Criteria scenarios that management can choose from, based on the results of a Risk Assessment and the overall Risk Rating:

• Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any security incident; however, the risk of a security incident may not be a concern to management, and thus they tend to accept low risks as part of normal daily operations.

• Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the organization's Environment.

• Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of a risk.

Page 11:

How much risk are you willing to take on the job?

Page 12:

‘Risk Rating’

Page 13:

Temporary ISMS Exemption Application

There may be occasions where compliance is not possible during a particular period of time, and an exemption from compliance is the best method of identifying those occasions and following up to ensure that they are closed. During these instances it is important to identify the manager responsible for these security gaps and have them sign off. This will not only help the organization's Security Office to document gaps but also identify the responsible party who will ensure that they are closed. The following information is required for the Temporary Exemption Form to be completed:

• Exemption period - From-To
• ISMS policy, procedure or standard reference ID
• Reason for Exemption Application
• Department or division unit affected
• Information system affected
• Network location affected
• Rationale for why not granting this application:
  a) would adversely affect the accomplishment of organization's business
  b) would cause a major adverse financial impact
• Rationale explanation
• Signature of Responsible Manager and date
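The form above is only useful if incomplete applications are rejected and expired exemptions are chased. The following Python is an added example, not part of the original worksheet: it checks that an application carries every field the form requires and lists the exemptions the Security Office must follow up on. Field names follow the slide; the date handling, the `closed` flag, the overdue/active buckets and the sample records are assumptions made for this example.

```python
"""Temporary ISMS exemption register (added example, not the worksheet's own code).

Validates exemption applications against the fields the form requires and
reports which exemptions need follow-up. Dates, the ``closed`` flag, the
buckets and the sample records below are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Rationales the form allows under "why not granting this application".
RATIONALES = {
    "a": "would adversely affect the accomplishment of organization's business",
    "b": "would cause a major adverse financial impact",
}


@dataclass
class ExemptionApplication:
    exemption_from: date
    exemption_to: date
    reference_id: str              # ISMS policy, procedure or standard reference ID
    reason: str                    # Reason for Exemption Application
    department: str                # Department or division unit affected
    information_system: str        # Information system affected
    network_location: str          # Network location affected
    rationale_codes: List[str]     # subset of RATIONALES keys, e.g. ["a"]
    rationale_explanation: str
    responsible_manager: str       # a title, not a personal name (worksheet convention)
    signed_on: Optional[date] = None   # date of the responsible manager's signature
    closed: bool = False           # assumption: set once the security gap is confirmed closed


def validate(app: ExemptionApplication) -> List[str]:
    """Return the problems found; an empty list means the form is complete."""
    problems = []
    required = [
        ("reference_id", app.reference_id),
        ("reason", app.reason),
        ("department", app.department),
        ("information_system", app.information_system),
        ("network_location", app.network_location),
        ("rationale_explanation", app.rationale_explanation),
        ("responsible_manager", app.responsible_manager),
    ]
    for name, value in required:
        if not value.strip():
            problems.append(f"missing {name}")
    if app.exemption_to < app.exemption_from:
        problems.append("exemption period ends before it starts")
    if not app.rationale_codes:
        problems.append("no rationale selected")
    problems.extend(f"unknown rationale code {code!r}"
                    for code in app.rationale_codes if code not in RATIONALES)
    if app.signed_on is None:
        problems.append("responsible manager has not signed")
    return problems


def follow_up(apps, today: date):
    """Split the register into (overdue, active) exemptions.

    overdue: the period has ended but the gap is not recorded as closed, so
             the Security Office must chase the responsible manager.
    active:  the period covers today.
    """
    overdue = [a for a in apps if not a.closed and a.exemption_to < today]
    active = [a for a in apps
              if not a.closed and a.exemption_from <= today <= a.exemption_to]
    return overdue, active


def follow_up_report(apps, today_iso: str) -> dict:
    """Same as follow_up, keyed by reference ID, with today given as yyyy-mm-dd."""
    overdue, active = follow_up(apps, date.fromisoformat(today_iso))
    return {"overdue": [a.reference_id for a in overdue],
            "active": [a.reference_id for a in active]}


# Constructed sample register (illustrative records, not real applications).
SAMPLE_REGISTER = [
    ExemptionApplication(date(2017, 5, 1), date(2017, 7, 31), "ISMS-STD-PATCH-01",
                         "Vendor patch breaks a legacy ERP module", "Finance",
                         "ERP-LEGACY", "DC1 VLAN 40", ["a"],
                         "Month-end close cannot run without the module",
                         "Sector VP", signed_on=date(2017, 4, 28)),
    ExemptionApplication(date(2017, 9, 1), date(2017, 12, 31), "ISMS-POL-ACCESS-03",
                         "MFA rollout delayed for field tablets", "Operations",
                         "FIELD-TABLETS", "Mobile carrier APN", ["b"],
                         "Replacement hardware arrives in Q4",
                         "Operations Director", signed_on=date(2017, 8, 30)),
    # Incomplete application: no reference, no reason, no rationale, unsigned.
    ExemptionApplication(date(2017, 10, 1), date(2017, 10, 15), "", "", "IT",
                         "MAIL-GW", "DMZ", [], "", ""),
]

if __name__ == "__main__":
    for app in SAMPLE_REGISTER:
        print(app.reference_id or "<no reference>", validate(app) or "complete")
    print(follow_up_report(SAMPLE_REGISTER, "2017-11-07"))
```

Run against the sample register on 2017-11-07, the first and third records come back overdue (their periods have ended without a closure being recorded) and the second is still active; the third is also rejected by `validate` because it lacks a reference, a reason, a rationale and the manager's signature.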

Page 17:

• Identify Assets in Scope: in this work task we document the division name, asset owner and asset name.

• Identify Threats: in this work task we document the threat(s) to the asset(s) in scope of the risk analysis, as defined within the RA worksheet, including the threat identification, description and rating.

• Identify Business Impact: in this work step we clarify the business perspective for confidentiality, integrity and availability based on a ‘high’, ‘medium’ or ‘low’ impact to regular business processes.

• Identify Vulnerabilities: in this work task we document the vulnerabilities associated with the asset in scope for risk analysis, as defined in the RA worksheet, including the vulnerability identification, description and rating.

Page 18:

• Control Selection: in this work task we list the existing controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls are implemented incorrectly or suffer from some other deficiency that, if corrected, would eliminate the need for additional controls.

• Risk Assessment: in this work task we calculate the overall risk rating: the sum of the threat rating and the C-I-A business impact ratings, multiplied by the business impact rating, multiplied by the vulnerability rating.

• Recommendations: in this work task we identify the manager who has been assigned responsibility for facilitating the risk mitigation activity, the expected delivery date and the current status of progress in the resolution process.

• Report to Management: in this work task we identify and report to management the planned targets for risk mitigation, expressed in terms of high, medium and low impacts to confidentiality, integrity and availability. These values are rolled up into an overall revised ‘Residual Risk Rating’.

Page 19:

Assets are defined as Hardware, Software, People, Telecommunications, Facilities, Services, and Information in any state, including digital, hardcopy, video, spoken, or electronically recorded, either stored or traversing a network.

Page 20:

How much risk are you willing to take working from home?

Page 21:

Identify Assets in Scope

Generally one line item should be created for each asset. Potentially these assets can be rolled up as required to provide an overall risk assessment of specific services or facilities, etc.

• Division is defined as the line of business in custody of the asset. Choose the abbreviated code that represents your specific division.

• Owner is defined as the division leader held accountable for the assets under their care. Generally this would be a division leader’s title; please don’t include personal names.

• Asset is defined as the name used to track the asset, and should be easily recognizable. The actual name used to identify the asset should come from the asset inventory maintained within the Configuration Management Database.

Page 22:

For the purpose of this exercise the ‘Division’ will be defined as organization's and the ‘Owner’ is the highest management position within the organization's Division, the Sector VP. From the Sector VP position responsibility is delegated down to other organization's managers.

Page 23:

Within the ‘Asset’ column we begin listing the assets associated with your particular location. Assets have been grouped into 7 categories: people, information, software, hardware, telecommunications, facilities and services. Examples of assets are provided over the next 3 slides. Assets are also being recorded in the Configuration Management Database and some may be pulled from there. We have also provided a generic list of assets to help out.

Page 24:

People: Staff and managers, particularly those in key knowledge management roles such as senior/executive managers, software architects/developers/testers, systems managers, security administrators, operators, legal and regulatory compliance people…

Information: Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs and digital archives, encryption keys…

People, Information, Software, Hardware, Telecommunications, Facilities, Services

Page 25:

Software: In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ‘commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools…

Hardware: Computing and storage devices (e.g. desktops, workstations, laptops, handhelds, servers, mainframes, modems and line terminators, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices)…

People, Information, Software, Hardware, Telecommunications, Facilities, Services

Page 26:

Telecommunications: Fibre Internet Connection, DSL Internet Connection, General Packet Radio Service (GPRS), Gateway GPRS Support Node (GGSN), Fixed circuits MPLS, Wireless Devices (GPRS, Public), Cross-connect for E1 circuit.

Facilities: IT buildings, data centers, server/computer rooms, LAN/wiring closets, offices, desks/drawers/filing cabinets, media storage rooms and safes, Fire alarms/suppression/fire fighting equipment, uninterruptible power supplies (UPSs), electrical power, air conditioners/chillers/alarms, window and door alarms.

People, Information, Software, Hardware, Telecommunications, Facilities, Services

Page 27:

Services:

• Internal facing: Managed Data Centers, Wireless Carriers, Internet Service Providers, Electrical power suppliers, Equipment Suppliers (hardware, software, cabling…).

• External facing: Software as a Service, Platform as a Service, Infrastructure as a Service.

People, Information, Software, Hardware, Telecommunications, Facilities, Services

Page 28:

Threats are defined as any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive or critical information, assets or services. A threat can be natural, deliberate or accidental.

Page 29:

Within the ‘Threat’ column we begin listing threats to organization's assets. Initially we have created a generic list that was previously evaluated by the organization's Information Security Office. The list is recorded in a table within the worksheet including identification code and description in English. For example T1 Software Bugs has been listed below.

Page 30:

The ‘Threat Assessment Table’ categorizes threats by ‘Threat Class’ and ‘Threat Agent’. The ‘Threat Class’ allows organization's to further focus threats by 5 groups of potential impacts: Disclosure, Interruption, Modification, Destruction, and Removal. The ‘Threat Agent’ helps by identifying the potential sources of threats, grouped as Human Malicious, Human Non-Malicious, Non-Human, and Act of God. The purpose of the ‘Threat Assessment’ is to help organization's employees prioritize and distinguish between serious and non-serious threats to organization's Assets. Just because a Threat may exist doesn’t always mean that it’s a Risk to organization's Assets.

Page 31:

Continue to review and list as many ‘Threats’ as necessary and applicable. There could be many threats with the potential to negatively impact organization's assets.

Page 32:

In this work step we clarify the business perspective for confidentiality, integrity and availability based on a ‘high’, ‘medium’ or ‘low’ impact to regular business processes.

Page 33:

Within the ‘Business Impact’ columns we assess the impact on the information security goals of ‘Confidentiality’, ‘Integrity’ and ‘Availability’. The scale used to make the assessment is ‘N/A’ (not applicable), ‘High’, ‘Medium’ or ‘Low’. The Business Impact Rating is a summary total based on the Threat Rating and the C-I-A Impact score.

Page 34:

A business impact assessment determines whether or not the confidentiality, integrity, and availability of information is maintained within the business. After assessing the impacts to the business, the risks are then registered as High, Medium, Low or not applicable.

Page 35:

Vulnerability can be defined as a quantifiable, threat-independent characteristic or attribute of any asset within a system boundary, or of the environment in which it operates, which increases the probability of a threat event occurring and causing harm in terms of confidentiality, availability and/or integrity, or increases the severity of the effects of a threat event if it occurs.

Page 36:

Within the ‘Vulnerability’ column we begin listing Vulnerabilities to organization's assets. Initially we have created a generic list that was previously evaluated by the organization's Information Security Office. The list is recorded in a table within the worksheet including identification code and description in English. For example V163 Inadequate maintenance of software (patches, fixes, releases) has been listed below.

Page 37:

The ‘Vulnerability Assessment Table’ categorizes vulnerabilities by ‘Severity’ and ‘Exposure’. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or a set of conditions that could allow assets to be harmed by an attack. ‘Severity’ is defined in terms of the impact on the asset if the vulnerability is successfully exploited. ‘Exposure’ is defined in terms of the loss resulting from the occurrence of one or more threat events. The purpose of the ‘Vulnerability Assessment’ is to allow organization's employees to prioritize and distinguish between serious and non-serious vulnerabilities to organization's Assets.

Page 38:

Continue to review each ‘Threat’ and list as many ‘Vulnerabilities’ as are applicable. Typically there are multiple vulnerabilities associated with any single threat, as presented in the chart below.

Page 39:

In this work task we list and evaluate existing controls to determine their effectiveness and/or to identify new controls for further consideration during the preparation of remediation activities designed to lower the overall risk rating. It is possible that existing controls are implemented incorrectly or suffer from some other deficiency that, if corrected, would eliminate the need for additional controls.

Page 40:

How would you mitigate this risk?

Page 41:

Within the ‘Control Effectiveness’ columns we assess the current status of existing controls on a scale of 1 – 5.

The ‘X’/’Y’ Axis tracks the various stages of adoption as process maturity evolves, while the ‘Z’ Axis tracks the business benefits as incidents and faults decrease lowering costs.

Page 42:

The ‘Control Effectiveness’ scale of 1 – 5 is defined as follows:

1 - Fully Matured: An enterprise-wide risk and control framework based on ISO/IEC 27001 provides continuous and effective risk and control resolution. Internal control and risk management are integrated with enterprise practices, supported by automated real-time monitoring and full accountability for control monitoring, risk management and compliance enforcement. Controls are regularly assessed during internal audits and self-assessments. Root cause analysis is documented and corrective and preventive actions initiated. Employees are proactively involved in control assessments and continuous improvements.

2 - Implemented & managed: Internal control and risk management systems are effective within the organization's Environment. A formal, documented evaluation of controls occurs frequently, and some of these controls are automated and regularly reviewed. Management detects control issues and consistently follows up to address identified control weaknesses. Employees are evaluated on an annual basis against security requirements defined within their job descriptions.

Page 43:

The ‘Control Effectiveness’ scale of 1 – 5 is defined as follows:

3 - Implemented but not managed: Controls are in place and adequately documented. Operational effectiveness is evaluated on a periodic basis with an average number of issues resulting. Management is able to deal predictably with most control issues, however some control weaknesses continue to persist and the results of these impacts can be severe to regular operations. Employees are aware of their responsibilities for control.

4 - Partially Implemented: Controls are in place but are not documented. Their intuitive operation is dependent on tribal knowledge and the motivation of employees to take extra steps during the regular execution of regular tasks. Effectiveness is not adequately evaluated and Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.

5 - Non-existent: Control(s) have not been implemented and there is a high risk of multiple incidents and faults.

Page 44:

The ‘Control Effectiveness’ columns, once completed, would look like the following:

Page 45:

In this work task we identify and report to management the overall risk assessment rating for assets. We are seeking management decision to accept, reject or transfer risk. There is also the potential need to assign resources and target dates for potential corrective and preventative actions designed to remediate vulnerabilities. We require management’s commitment to identify a manager to be assigned the responsibility of facilitating the risk mitigation activity and a date of expected delivery. In the current status column we will report on progress during each ISMS Management Oversight Committee meeting.

Page 46:

Essentially, once the analysis has been completed a report can be generated that addresses threats and vulnerabilities based on the risk rating, which will also be used to rank and prioritize management decisions concerning resources and corrective and preventive action plans. The report should include the following information at a minimum:

• Overall Risk Rating: calculated
• Risk Rating with current Controls: this is defined by the assessor and explained on the following slide under ‘Risk Acceptance Criteria’.
• Recommended Action(s): this is defined by the assessor and recorded in the ‘Corrective and Preventive Action plan’ form in the following slides.
• Responsibility: this needs to be defined by management.
• Target Completion Date: this needs to be defined by management.
• Status: this is initially defined by the assessor and managed by the accountable party following initiation until complete.
• New Control Effectiveness: this is defined by the assessor.
• Residual Risk Rating %: calculated
• Risk Rating After Control Modification: calculated

Page 47:

The following RA Worksheet fields are where we begin to enter this information. Some of these columns are populated through lookups and other calculations to make it easier to complete. Some of this information will be rolled up and used in the ‘Risk Treatment Plan’, discussed in the following slides.

Page 48:

Risk Acceptance Criteria: Based on the results of a Risk Assessment and the overall Risk Rating, management can choose from three possible Risk Acceptance Criteria scenarios:

• Management can choose to accept the risk, in which case they do nothing to remediate it. They should understand that they will be held accountable for any security incident; however, the risk of a security incident may not be a concern to management, and so they tend to accept low risks as part of normal daily operations.

• Management may choose to remediate the risk, in which case management takes some sort of corrective and/or preventive action to mitigate and/or eliminate the risk from the organization's environment.

• Management may also choose to transfer the risk, in which case management has chosen to outsource the process causing the risk and/or purchase insurance to cover the potential damages caused by the realization of a risk.


Page 49

Risk Rating Key

Extreme = range 90+

A Risk Rating of 90+ indicates that an ‘Extreme’ risk exists. Based on our assessment, a highly motivated threat is present with the technical capability to exploit multiple vulnerabilities, which will result in a serious impact to Organization assets and services. Compounding the seriousness of this situation is the fact that existing controls are ineffective at preventing the known threat from exploiting the known vulnerability, and/or no controls have been implemented, resulting in the same serious ‘Extreme’ risk condition to Organization assets and services.

Critical = range 80 - 89

A Risk Rating of 80 - 89 indicates that a ‘Critical’ risk exists. Based on our assessment, a highly motivated threat is present with some technical capability to exploit a known vulnerability, which will result in a negative impact to Organization assets and services. Compounding the seriousness of this situation is the fact that existing controls are only somewhat effective and may or may not prevent a known threat from exploiting a known vulnerability, and/or no controls have been implemented, resulting in a ‘Critical’ risk condition to Organization assets and services.

High = range 60 - 79

A Risk Rating of 60 - 79 indicates that a ‘High’ risk exists. Based on our assessment, a moderately motivated threat is present with minor technical capability to exploit a known vulnerability, which will result in a negative impact to Organization assets and services. Existing controls are somewhat effective and may or may not prevent a known threat from exploiting a known vulnerability.

Medium = range 30 - 59

A Risk Rating of 30 - 59 indicates that a ‘Medium’ risk exists based on the assessment of a known threat; however, the threat maintains very little technical capability to exploit a known vulnerability. Existing controls are somewhat effective and will likely prevent the threat from exploiting any vulnerability.

Low = range 0 - 29

A Risk Rating of 0 - 29 indicates that a ‘Low’ risk exists. Based on our assessment, a threat exists but no matching vulnerabilities exist. Existing controls are effective and are likely to mitigate risk.
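As an added worked example (not part of the deck), the Risk Rating Key above and the ‘calculated’ RA Worksheet fields from the earlier slides in Python: it maps a rating onto its band, ranks constructed worksheet rows for the report, and handles the caveat that the key's integer bounds leave a fractional rating such as 79.5 between two bands. The residual-risk formula and the 0 - 100 % scale for New Control Effectiveness are assumptions, since the deck only marks those fields as ‘calculated’.

```python
from dataclasses import dataclass

# Risk Rating Key as given in the deck: (lower bound, band), highest first.
# The key uses integer bounds (80 - 89, 60 - 79, ...), so a fractional rating
# such as 79.5 is not literally covered; this code assigns a rating to the
# highest band whose lower bound it has reached (79.5 -> High, not Critical).
RISK_RATING_KEY = [(90, "Extreme"), (80, "Critical"), (60, "High"),
                   (30, "Medium"), (0, "Low")]

def risk_band(rating: float) -> str:
    """Map a numeric Risk Rating onto the key's band (Extreme = 90+)."""
    if rating < 0:
        raise ValueError(f"rating {rating} is below the key's 0 - 29 band")
    for lower, band in RISK_RATING_KEY:
        if rating >= lower:
            return band
    raise AssertionError("unreachable: the Low band starts at 0")

@dataclass
class WorksheetRow:
    """One RA Worksheet line; names follow the deck's column headings."""
    asset: str
    threat: str
    vulnerability: str
    overall_risk_rating: float        # 'calculated' upstream on the worksheet
    new_control_effectiveness: float  # assessor-defined; assumed 0 - 100 %

def residual_risk_rating(row: WorksheetRow) -> float:
    # Assumed formula (deck says only 'calculated'): share of the rating left after the control.
    return round(row.overall_risk_rating * (100 - row.new_control_effectiveness) / 100, 1)

def prioritized_report(rows):
    """Rank rows by Overall Risk Rating, highest first, with the band before
    and after the recommended control, so management can rank action plans."""
    report = []
    for row in sorted(rows, key=lambda r: r.overall_risk_rating, reverse=True):
        after = residual_risk_rating(row)
        report.append({
            "asset": row.asset, "threat": row.threat, "vulnerability": row.vulnerability,
            "overall": row.overall_risk_rating, "band": risk_band(row.overall_risk_rating),
            "residual": after, "band_after": risk_band(after),
        })
    return report

# Constructed sample rows, not data from the deck.
SAMPLE_ROWS = [
    WorksheetRow("Payroll DB", "Insider misuse", "Shared admin account", 79.5, 60),
    WorksheetRow("Web portal", "Opportunistic attacker", "Unpatched CMS", 92, 75),
    WorksheetRow("Office Wi-Fi", "Casual eavesdropper", "None identified", 12, 0),
]
```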



Page 51

The following Corrective and Preventive Action Plan Form is used to record and track the action plans that have been reviewed and authorized by management.



Page 53

How would you mitigate this risk?


Page 54

The following Risk Treatment Plan is used to roll up Corrective and Preventive Action Plans for Management monitoring until they are successfully completed.


Page 55

Our organization's customers want to know that the sensitive business information and processes they have outsourced to the organization are handled and managed to the level of standards they rely on.

ISO/IEC 27001 is a globally recognized information security standard that Customers ‘trust’ and a standard that the organization's Management is working towards.

It is up to each employee to actively participate in the ISMS process and ensure that practices like Risk Management are integrated into our daily routines.


Page 56

Can anyone tell the participants what business benefits will be achieved through the implementation of a Risk Management process?


Page 57

We would appreciate your assistance with our efforts to continuously improve; please complete our presentation evaluation. Thank you.


Page 58

For more information contact

LinkedIn; http://ca.linkedin.com/in/markesbernard