Mar 16 2021

Risk management in the digital world: How different is it?

Category: Risk Assessment,Security Risk AssessmentDISC @ 3:33 pm
Risk management in the digital world: How different is it?

Prioritizing and communicating risk

Last year, the number of active phishing websites increased 350% from January to March alone. Now that employees are connecting to the office from their own remote networks and not through their office’s secure network, the chance of a security breach is higher than ever. While risk managers know this already, securing company data is essential to customer trust and longevity. To prioritize risk during remote work, risk managers need to involve executives and keep them updated and educated on potential problems and solutions. Prioritizing risk now will pay dividends in the long run.

Executive teams need to buy in — simply relegating all risk-related work to risk managers isn’t enough in the end. Investing time and money to form a risk-aware culture will better educate all employees on how to avoid common scams and prepare for larger-scale problems. Without prioritization and investment in risk, companies may not make it through the next major disruption and risk major security breaches.

A risk-aware culture can’t be created overnight. Risk managers and executives must first identify the risks and find out where the company stands, aligning risk culture with the existing company culture. Then, they can implement new risk management strategies that may require drastic changes, such as new software, revised policies and educational tutorials on risk. IT teams need to be on top of their game for virtual risks, educating employees and preparing them to ask the right questions. With phishing on the rise and data at a very vulnerable point, employees must be able to assess risk on their own.

Risk management in the digital world: How different is it?

Build a Security Culture

Tags: Risk management in the digital world

Feb 25 2021

Proven Use Cases to Start Quantitative Cyber Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:05 am
Proven Use Cases to Start Quantitative Cyber Risk Management

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management –  but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…

…a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms.  And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Proven Use Cases to Start Quantitative Cyber Risk Management

Tags: Quantitative Cyber Risk Management

Feb 24 2021

Nmap Cheat Sheet

Category: Cheat Sheet,Network security,Risk AssessmentDISC @ 9:52 am

Nmap Cheat Sheet – Infographic by SANS Institute

Tags: Nmap, Nmap network scanning

Aug 18 2020

Advice for senior management on their responsibilities towards information risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 5:55 pm

IAAC Directors’ Guides

Source:Succinct advice for senior management on their responsibilities towards information risk, courtesy of the IAAC.




Oct 14 2019

The best practice guide for an effective infoSec function

Category: cyber security,Information Security,ISO 27k,NIST CSF,Risk AssessmentDISC @ 10:48 am

Building ISMS

The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

 

Practice Guide

Open a PDF file The best practice guide for an effective infoSec function.

How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
httpv://www.youtube.com/watch?v=pDra0cy5WZI

Beginners ultimate guide to ISO 27001 Information Security Management Systems
httpv://www.youtube.com/watch?v=LytISQyhQVE

Conducting a cybersecurity risk assessment


Subscribe to DISC InfoSec blog by Email




Tags: isms

Oct 06 2019

A CISO’s Guide to Bolstering Cybersecurity Posture

Category: Information Privacy,Risk Assessment,Security Risk AssessmentDISC @ 8:24 pm

iso27032

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Risk Management Framework for Information Systems

How to choose the right cybersecurity framework

Improve Cybersecurity posture by using ISO/IEC 27032
httpv://www.youtube.com/watch?v=NX5RMGOcyBM

Cybersecurity Summit 2018: David Petraeus and Lisa Monaco on America’s cybersecurity posture
httpv://www.youtube.com/watch?v=C8WGPZwlfj8

CSET Cyber Security Evaluation Tool – ICS/OT
httpv://www.youtube.com/watch?v=KzuraQXDqMY


Subscribe to DISC InfoSec blog by Email




Tags: cybersecurity posture, security risk management

Jul 21 2019

When It Come Down To It, Cybersecurity Is All About Understanding Risk

Category: Risk Assessment,Security Risk AssessmentDISC @ 12:11 am

Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.

Source: When It Come Down To It, Cybersecurity Is All About Understanding Risk

An Overview of Risk Assessment According to
ISO 27001 and ISO 27005





Enter your email address:

Delivered by FeedBurner




Mar 17 2019

Risk Management Framework for Information Systems

Category: Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 9:32 pm

Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy
NIST 800-37r2












Subscribe to DISC InfoSec blog by Email




Tags: Risk Management Framework

Mar 07 2019

How to choose the right cybersecurity framework

Category: Policies & Controls,Risk Assessment,Security Compliance,Security Risk AssessmentDISC @ 10:05 am

Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here’s how to start making sense of security frameworks.

Source: How to choose the right cybersecurity framework





Nov 05 2017

Breach highlights the need for a cyber health check

Category: cyber security,Risk AssessmentDISC @ 8:13 pm

Cyber Health Check

 

Deloitte breach highlights the need for a cyber health check

Javier Brias

Deloitte, one of the world’s biggest accounting organizations, recently suffered a data breach that compromised confidential emails and plans of some of its blue-chip clients, according to the Guardian.

The hackers also had potential access to usernames, passwords, IP addresses, architectural designs and health information.

Deloitte has confirmed it was breached but said that only a small number of clients were affected.

This breach is even more unfortunate because Deloitte offers clients advice on how to manage risks posed by cyber attacks. Its Cyber Intelligence Centre states that it can “integrate state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security.”

The problem with a solutions-based approach

The fact that Deloitte is a global consultant with interests in cyber security proves that no one is safe from a cyber attack.

In today’s cyber security market, technology vendors tend to focus on specific solutions, such as endpoint security, next-gen firewalls with IDS/IPS, email and web filtering, data loss prevention and identity access management. The problem is that mixing and matching solutions can cause interoperability gaps to materialise.

To understand the complexities of today’s IT infrastructure, companies need to have a strategic plan that takes a global view of the technological landscape and identifies the possible vulnerability points.

How Cyber Health Check fills the gaps

Our independent, three-phase Cyber Health Check service combines on-site consultancy and audit, remote vulnerability assessments and an online staff survey to identify your current cyber risks in the three key exposure areas of people, processes and technology.

This service will provide you with a concise report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, 10 Steps to Cyber Security and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risks. The report also provides feedback on basic cyber hygiene, cyber governance framework, policies and procedures, and technical controls.

The Cyber Health Check service identifies your actual cyber risks, assesses your responses to those risks and analyses your risk exposure. The result is a best-practice action plan to mitigate those risks effectively and in line with your business objectives.

For more information, visit our Cyber Health Check page.

Contact us for more information





Tags: Cyber Health Check

Oct 25 2017

Conducting an asset-based risk assessment in ISO 27001:2013

Category: ISO 27k,Risk AssessmentDISC @ 11:14 am

Conducting an asset-based risk assessment in ISO 27001:2013 – Vigilant Software

The nature of ISO27001 is that it is heavily focused on risk-based planning. This is to ensure that the identified information risks are appropriately managed according to the threats and the nature of the threats. While asset-based risk assessments are still widely regarded as best practice, and present a robust methodology for conducting risk assessments, it is no longer a requirement under ISO 27001:2013.  ISO 27001:2013 leaves it to the organisation to choose the relevant risk assessment methodology, i.e. ISO 27005, or ISO/IEC 31010.

It is commonly believed that an asset-based information security risk assessment provides a thorough and comprehensive approach to conducting a risk assessment, and this article will look at the steps to follow when conducting this type of risk assessment.

Where do you start when you embark on an asset-based information security risk assessment?

The first step would be to produce an asset register, which can be done through a series of interviews with asset owners. The ‘asset owner’ is an individual or entity that has responsibility for controlling the production, development, maintenance, use and security of an information asset.

Note: In the new standard, ISO 27001:2013, there is a stronger emphasis on the role of the ‘risk owner’, which pushes up the responsibility for the risks to a higher level within the organisation. However, since the approach we are following is an asset-based methodology, the asset owner would be the logical point to start in order to compile an asset register.

Once the asset register has been compiled, the next step is to identify any potential threats and vulnerabilities that could pose risks to those assets. A vulnerability / weakness of an asset or control can be defined as one that can be exploited by one or more threats.

Risk assessment & impact determination

Once the threats and vulnerabilities have been identified, then an analysis of the risks should be undertaken, to establish the impact level of the risks.  The impact value needs to take into consideration how the Confidentiality, Integrity and Availability of data can be affected by each of the risks.

It should also consider the business, legal, contractual and regulatory implications of risks, including the cost of the replacement of the asset, the potential loss of income, fines and reputational damage.

ISO 27005 presents a structured, systematic and rigorous process of analysing risks, and for creating the risk treatment plan, and includes a list of known threats and vulnerabilities that can be used for establishing the risks your information assets are exposed to.

vsRisk comes with an optional, pre-populated asset library.  Organisational roles are pre-assigned to each asset group, and the corresponding potential threats / risks are pre-applied to each asset. vsRisk also pre-assigns the relevant controls from Annex A to each threat. See sample below. View options to purchase vsRisk now.

Sample risk assessment

vsRisk™ provides key benefits for anyone undertaking an asset-based risk assessment.

By providing a simple framework and process to follow, vsRisk minimises the manual hassle and complexity of carrying out an information security risk assessment, saving the risk assessor time and resources. In addition, once the assessment has been completed, the risk assessments can be repeated easily in a standard format year after year.  The tool generates a set of 6 reports that can be exported and edited,  presented to management and audit teams, and includes pre-populated databases of threats and vulnerabilities as well as 7 different control sets that can be applied to treat the risks.





Tags: Risk Assessment

Jul 25 2017

Fundamentals of Information Risk Management Auditing

Category: Risk AssessmentDISC @ 1:49 pm

New information and IT risks seem to be everywhere, so it is essential that organizations address these risks in the context of enterprise risk management (ERM).
ERM is a practice that has become increasingly popular. It’s important that an organization’s information risk management specialist or auditor understands this practice because much of their work will need to be in the context of ERM.
Kick-start your career in information risk management with introductory guidance.

Fundamentals of Information Risk Management Auditing

Provides insight and guidance into information risk management and ERM, ideal for those considering a career in information risk management, for non-specialist auditors, and for managers.
This book will give you an introduction to:
Risk and risk management
Information security and management risks
Concepts of application controls

Gain an insight into the risks and controls/mitigations that you might encounter when performing or managing an audit of information risk.
Buy Now >>>

 

Author Podcast: Fundamentals of Information Risk Management Auditing, with Christopher Wright

In the podcast Christopher discusses Lean, Agile, the EU General Data Protection Regulation (GDPR), and ERM.
Listen now >>






Jun 29 2016

5 Must Read Books to Jumpstart Your Career in Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:30 am

FAIR Institute blog by Isaiah McGowan

Read Books to Jumpstart Your Career in Risk Management

What are the must have resources for people new to operational and cyber risk? This list outlines what books I would recommend to new analyst or manager.

They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.

hubbard_failure_of_risk_management_cover.jpg#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)

In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.

fair-book-cover.jpg#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)
In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.

With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.

This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.

Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.

Superforecasting_cover.jpg#3 – Superforecasting: The Art and Science of Prediction (Phillip Tetlock & Dan Gardner)

We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.

If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.

Tetlock_expert_judgement_cover.jpg#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Phillip Tetlock)

Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.

Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.

Thinking_fast_and_slow_cover.jpg#5 – Thinking, Fast and Slow (Daniel Kahneman)

Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.

There it is…

This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?

 





Tags: information security risk program, risk assessment program, risk management process, Security Risk Assessment

Nov 18 2014

Independent Risk Assessment

Category: ISO 27k,Risk AssessmentDISC @ 9:42 am

RA toolkit

The essential suite for undertaking an independent risk assessment compliant with ISO/IEC 27001; supporting ISO/IEC 27002 and conforming to ISO/IEC 27005, whilst providing guidance to multiple internal Asset Owners.

Risk assessment is the core competence of information security management. This toolkit provides essential information, guidance & tools YOU NEED to undertake an effective ISO 27001 risk assessment.

The No 2 Risk Assessment Toolkit has the added benefit of supplying five soft cover versions of Risk Assessment for Asset Owners: A Pocket Guide. This enables you to provide a copy of the pocket guide to each member of staff involved in the ISO 27001 implementation, so that they can understand the risk assessment process.

 

What’s included?

Information Security Risk Management for ISO 27001/ISO 17799 (eBook): provides comprehensive guidance on risk management, in line with the requirements of ISO 27001. It is essential reading for anyone undertaking an ISO 27001 risk assessment.

The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management.

This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

 

vsRisk™- the Cybersecurity Risk Assessment Tool : vsRisk is a unique software tool designed to guide your organisation through the process of carrying out an information security risk assessment that will meet the requirements of ISO 27001:2005.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

 

The Cybersecurity Risk Assessment Tool which:

  • Automates and delivers an ISO/IEC 27001-compliant risk assessment.
  • Assesses confidentiality, integrity &; availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001.
  • Supports / conforms / complies to ISO/IEC 27001, ISO/IEC 27002, BS7799-3:2006,ISO/IEC TR 13335-3:1998, NIST SP 800-30 and the UK’s Risk Assessment Standard.
  • One year of support get all software updates and unlimited telephone and email support for a year.

vsRisk™ – the Cybersecurity Risk Assessment Tool comes in two forms – Standalone or Network-enabled (single user licence). vsRisk Network-enabled (single user licence) has exactly the same functionality as the vsRisk Standalone version – but can be installed on a network.

 

Risk Assessment for Asset Owners: A Pocket Guide (eBook):
This Pocket Guide to the ISO27001 risk assessment is designed to assist asset owners and others who are working within an ISO27001/ISO27002 (ISO17799) framework to deliver a qualitative risk assessment.

The contents of this toolkit provide clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives.

Benefits of a risk assessment

  • Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
  • Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses.
  • Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day.
  • Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

 

Related articles




Oct 18 2013

10 Steps To Assess Cyber Security Risk

Category: cyber security,Risk AssessmentDISC @ 9:00 pm

cyber attack ... Economic Pearl Harbor Will S...

October is National Cyber Security Awareness Month and it is an opportunity to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has to play a role in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, the public.

National Cyber Security Awareness Month

A cyber security risk assessment is necessary to identify the gaps in your organisation’s critical risk areas and determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources where there is no need for it.

Even if you have implemented an ISO 27001 Information Security Management System, you may want to check if your cyber security hygiene is up to standard with the industry guidelines. 

Cyber Security ToolKit  | Cyber Security Standards | Cyber Security Books

Cyber security risk assessment:

Use an in house qualified staff or an experienced consultant(s), who will work with your team to examine each of the ten risk areas (described below) in sufficient detail to identify strengths and weaknesses of your current security posture. All this information can be consolidated and immediately usable action remediation plan that will help you close the gap between what you are actually doing and recognized good practice. It will enable you to ensure that your cyber risk management at least matches minimum industry guidelines.

The ten risk areas that will be examined are:

Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?

Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?

Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?

Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?

Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?

Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyze network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?

Do you have a technical vulnerability patching program in place and is it up-to-date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorized devices and do you have a defined baseline build for all devices?

Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?

Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?

Do you have an incident response and disaster recovery plan? Is it tested for readily identifiable compromise scenarios? Do you have an incident forensic capability and do you know how to report cyber incidents?

Related articles




Jun 25 2013

Risk management – ISO 27005 could be the cure

Category: ISO 27k,Risk AssessmentDISC @ 9:30 am

English: ISMS activities and their relationshi...

English: ISMS activities and their relationship with Risk Management (Photo credit: Wikipedia)


 
 
 
 
 
 
 
 
 
 
 
 
 
 

By Catherine Thornley @ ITG

Risk management in information security management and how ISO/IEC 27005 can help you tackle it effectively.

Risk is arguably one of the most commonly used words in business, but what does it actually mean?

There are many English dictionary definitions, many centered around “a situation involving exposure to danger” and whilst some people talk about up-side or positive risk, it is generally accepted that in business, the risk is all about the chance that something will go wrong, and how badly.

But of course there is uncertainty in everything we do; and therefore risk. Sometimes there is uncertainty about whether something good will happen, but that just means that there is also a chance that it won’t; which is bad.

Risk and corporate governance

The big thing about risk in business today is corporate governance. People responsible for running companies are simply not allowed, when something goes wrong, to say “we didn’t think of that”, or “it never happened before”. Those are two quite common responses both when something has gone wrong and also when it hasn’t; when senior managers are asked to do something about risk management.

For many, when they do finally look at risk, thinking switches immediately from chance to result. The likely impact of a risk dominates thinking where previously it was the probability of a threat materialising that was the dominant factor.

Many organisations assess risk intuitively; that is to say they simply decide whether an activity, or situation, is very risky, not very risky, or somewhere in between.

This intuitive approach can be applied to information security risk – but it can be very difficult to evaluate risk effectively in this area. The challenge is two-fold; understanding what information security actually is and knowing how to assess and respond to the related risks in a logical way, that will stand scrutiny should the worst happen.

Information security managers, and those doing the job as part of a broader role, often need some help in identifying the most effective way to manage this specific set of risks, which is where ISO 27005 can help.

How ISO 27005 can help

Where ISO 27001 presents a broad blueprint for dealing with information security, ISO 27005 takes it much further and delivers the detail of information security risk assessment, in a way that the results integrate easily into an ISO 27001 compliant information security management system (ISMS).

ISO 27005 provides a detailed and valuable insight into effective information security risk management. And since ISO 27001 calls for a risk based approach, there cannot be a better basis for it!

 5 reasons why vsRisk v1.6 is the definitive risk assessment tool

Related articles




Apr 18 2012

Risk Assessment control selection and cost savings

Category: Risk Assessment,Security Risk AssessmentDISC @ 10:13 am

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.

Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.

On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.

Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system




Sep 05 2011

Risk Assessment Critical for the Security of Information Assets

Category: ISO 27k,Risk AssessmentDISC @ 10:05 pm

Information Security Risk Management for ISO27001 / ISO27002

Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives.

September 01, 2011 /24-7PressRelease/ — Today, there is hardly any organisation that doesn’t recognise the critical role that information technology plays in supporting its business objectives. As a result, IT security has come to the forefront and the ISO 27001 information security standard has been embraced by numerous organisations worldwide as a best practice approach for implementing Information Security Management System (ISMS).

Risk assessment plays an important role in managing ISO 27001 controls. This is the part with which many project managers struggle when implementing an ISMS. Information security management decisions are entirely driven by specific decisions made as an outcome of a risk assessment in relation to identified risks and specific information assets. Therefore it is imperative that a thorough risk assessment is being undertaken and no risk is left unexplored. Risk assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures.

IT Governance Ltd, the global leader in information security products and services, has developed a risk assessment tool, vsRisk, that automates and accelerates the risk assessment process. It enables project managers to monitor the day-to-day execution and management of the controls as well as generating reports for audit purposes.

Uniquely, vsRisk (www.itgovernance.co.uk/products/744) can assess the confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by the ISO 27001 standard. The tool can serve as a day-to-day operational tool, showing at a glance where an organisation stands in its progress towards ISO 27001 compliance. A free trial version can be requested here www.itgovernance.co.uk/iso27001-risk-assessment.aspx

Alan Calder, CEO of IT Governance, comments, “vsRisk reduces the time and cost of undertaking an ISO 27001-compliant risk assessment. It simplifies each step of an ISO 27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. ”

vsRisk (www.itgovernance.co.uk/products/744) offers an in-built audit trail, comparative history, comprehensive reporting and gap analysis that radically reduces the manual record keeping traditionally associated with risk assessments. The tool minimises the need for specialist knowledge and significantly undercuts the cost of generalist risk management tools, thus, making ISO27001 compliance achievable for a far wider range of organisations and professionals.

As well as supporting ISO/IEC 27001:2005 and ISO/IEC 27002, vsRisk v1.5 complies with BS7799-3:2006, ISO/IEC 27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

vsRisk is produced by Vigilant Software, the specialist software subsidiary of IT Governance and can be purchased online from www.itgovernance.co.uk/products/744.




May 04 2010

IT risk assessment frameworks: real-world experience

Category: Risk AssessmentDISC @ 5:17 pm

By Bob Violino, CSO

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it’s a huge challenge.

Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Factor Analysis of Information Risk (FAIR)

the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)

Threat Agent Risk Assessment (TARA), a recent creation

OCTAVE
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning.

OCTAVE defines assets as including people, hardware, software, information and systems. There are three models, including the original, which CERT says forms the basis for the OCTAVE body of knowledge and is aimed at organizations with 300 or more employees; OCTAVE-S, similar to the original but aimed at companies with limited security and risk-management resources; and OCTAVE-Allegro, a streamlined approach to information security assessment and assurance.

The framework is founded on the OCTAVE criteria—a standardized approach to a risk-driven and practice-based information security evaluation. These criteria establish the fundamental principles and attributes of risk management.

Also see How SCAP Brought Sanity to Vulnerability Management

The OCTAVE methods have several key characteristics. One is that they’re self-directed: Small teams of personnel across business units and IT work together to address the security needs of the organization. Another is that they’re designed to be flexible. Each method can be customized to address an organization’s particular risk environment, security needs and level of skill. A third is that OCTAVE aims to move organizations toward an operational risk-based view of security and addresses technology in a business context.

Among the strengths of OCTAVE is that it’s thorough and well documented, says Brooke Paul, managing director at Capital Informatics and former CSO at American Financial Group. “The people who put it together are very knowledgeable,” says Paul, who has evaluated the framework for clients. “It’s been around a while and is very well-defined and freely available.”

Because the methodology is self-directed and easily modified, it can be used as the foundation risk-assessment component or process for other risk methodologies, says Ron Woerner, security systems analyst at HDR, an architectural and engineering firm. Woerner says he’s used a hybrid of OCTAVE, FAIR and other methodologies.

“The original OCTAVE method uses a small analysis team encompassing members of IT and the business. This promotes collaboration on any found risks and provides business leaders [with] visibility into those risks,” Woerner says. “To be successful, the risk assessment-and-management process must have collaboration.”

In addition, OCTAVE “looks at all aspects of information security risk from physical, technical and people viewpoints,” Woerner says. “If you take the time to learn the process, it can help you and your organization to better understand its assets, threats, vulnerabilities and risks. You can then make better decisions on how to handle those risks.”

Experts say one of the drawbacks of OCTAVE is its complexity. “When it shipped, we spent hours trying to understand what it was that this package was going to do for us,” says Adam Rice, global CSO and vice president of managed security services at Tata Communications, a provider of communications services.

“There was a lot of time taken up just trying to understand what the approach was, because it wasn’t very clear to me,” Rice says. “Anything that takes a lot of time detracts from its use.”

Paul adds that a downside to OCTAVE is that it doesn’t allow organizations to mathematically model risk. “It’s a qualitative methodology, like most others available today,” he says.

Next at page 2:FAIR, Page 3:NIST RMF and Page 4: TARA methodology
1 2 3 4 »

Information Security Risk Analysis, Tom Peltier




Tags: FAIR, NIST RMF, OCTAVE, Risk Assessment, TARA

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Related articles by Zemanta




Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

« Previous PageNext Page »