Mar 20 2012

Risk Management and Business Life Cycle

Category: Security Risk Assessment | DISC @ 1:29 pm

  • Risk management is a business process, and all business decisions should follow a business development life cycle
  • Risk management is a management responsibility: it must be supported by senior management, and the concept of ownership of assets must be established
  • In pre-screening of critical assets, asset sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. This risk analysis process determines which critical assets need to go through the risk assessment process
  • Organizations use risk assessment to determine what threats exist to a specific asset and the associated risk
  • The risk acceptance threshold provides the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level
  • Risk is a function of the probability that an identified threat will occur and the impact that threat will have on the asset
  • Risk assessment should include the following primary steps:
    * Critical asset sensitivity (impact analysis) level, covering business, contractual and legal impact
    * Threats identified
    * Vulnerabilities related to the threats
    * Probability of occurrence that the specific threat will exploit the given vulnerability
    * Impact of the loss if the specific threat exploits the given vulnerability
    * Risk level identified
    * Control recommendations based on risk acceptance
    * Results documentation
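As an added illustration of the steps listed above (example code, not part of the original post), the following Python register pre-screens assets by their business/legal/contractual sensitivity for confidentiality, integrity and availability, scores each threat/vulnerability pair as likelihood times impact, compares the result with a risk acceptance threshold and documents a control recommendation. The scoring values follow the qualitative matrix of NIST SP 800-30 (likelihood 1.0/0.5/0.1, impact 100/50/10; risk Low up to 10, Medium up to 50, High above 50), which also gives the rule stated in the HIPAA post further down this page that a risk is Low whenever either likelihood or impact is Low. The asset names, owners, ratings, threats and candidate controls are constructed sample data.

```python
"""Risk assessment register: added worked example, not the original post's code.

Scoring uses the qualitative likelihood x impact matrix of NIST SP 800-30:
likelihood High/Medium/Low = 1.0/0.5/0.1, impact High/Medium/Low = 100/50/10,
risk Low for scores up to 10, Medium up to 50, High above 50.
All asset, owner and threat data below is constructed sample data.
"""
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High"]          # ordered so index() compares levels
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Asset:
    name: str
    owner: str          # ownership must be established before assessment
    # {"confidentiality": {"business": "High", "legal": ..., "contractual": ...}, ...}
    values: dict = field(default_factory=dict)


@dataclass
class ThreatPair:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str     # probability the threat exploits the vulnerability
    impact: str         # loss if it does
    control: str        # candidate safeguard if the risk is not acceptable


def sensitivity(asset):
    """Pre-screening: the highest business/legal/contractual rating over C, I and A."""
    ratings = [r for prop in asset.values.values() for r in prop.values()]
    return max(ratings, key=LEVELS.index)


def risk_score(likelihood, impact):
    """Risk as a function of probability and impact; returns (score, level)."""
    score = round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)
    level = "Low" if score <= 10 else "Medium" if score <= 50 else "High"
    return score, level


def assess(assets, pairs, screen="Medium", acceptance="Low"):
    """Run the primary steps: screen assets, score each threat/vulnerability
    pair, compare with the acceptance threshold, and document the result."""
    critical = {a.name: a for a in assets
                if LEVELS.index(sensitivity(a)) >= LEVELS.index(screen)}
    results = []
    for p in pairs:
        if p.asset not in critical:
            continue    # screened out: below the sensitivity needed for full assessment
        score, level = risk_score(p.likelihood, p.impact)
        acceptable = LEVELS.index(level) <= LEVELS.index(acceptance)
        results.append({
            "asset": p.asset,
            "owner": critical[p.asset].owner,
            "sensitivity": sensitivity(critical[p.asset]),
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": score,
            "risk": level,
            "recommendation": "accept (within threshold)" if acceptable else p.control,
        })
    return results


# Constructed sample data.
ASSETS = [
    Asset("patient-db", "Head of Clinical IT", {
        "confidentiality": {"business": "High", "legal": "High", "contractual": "Medium"},
        "integrity": {"business": "High", "legal": "Medium", "contractual": "Medium"},
        "availability": {"business": "Medium", "legal": "Low", "contractual": "Medium"},
    }),
    Asset("cafeteria-menu-site", "Facilities", {
        "confidentiality": {"business": "Low", "legal": "Low", "contractual": "Low"},
        "integrity": {"business": "Low", "legal": "Low", "contractual": "Low"},
        "availability": {"business": "Low", "legal": "Low", "contractual": "Low"},
    }),
]
PAIRS = [
    ThreatPair("patient-db", "insider misuse", "privileged-access logs never reviewed",
               "Medium", "High", "quarterly review of privileged-access logs"),
    ThreatPair("patient-db", "disk failure", "backups never restore-tested",
               "Low", "High", "nightly backups with a monthly restore test"),
    ThreatPair("cafeteria-menu-site", "defacement", "unpatched CMS",
               "High", "Low", "monthly patching"),
]

if __name__ == "__main__":
    for row in assess(ASSETS, PAIRS):
        print(row)
```

Running the block prints the documented rows for the patient database only: the cafeteria site is screened out at the sensitivity step, the insider-misuse pair scores Medium and gets its control recommended, and the disk-failure pair scores Low (Low likelihood, High impact) and is accepted under the threshold.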

    How to Complete a Risk Assessment in 5 Days or Less

    Tags: Risk Assessment, Security Risk Assessment, Tom Peltier


    Dec 06 2011

    vsRisk The Ultimate Cyber Security Risk Assessment Tool

    Category: ISO 27k, Security Risk Assessment | DISC @ 11:05 am

    With over 10 years in the market and 2,500 global downloads, vsRisk™ has been helping organizations all over the world carry out successful risk assessments.
    Risk assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis – and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
    vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure.

    vsRisk – The Definitive Cyber Security Risk Assessment Tool
    The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
    • Assessing key areas such as Groups, Assets and Owners
    • Capturing your IS policy, objectives and ISMS scope
    • In-built audit trail and comparative history
    • Assessing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
    • Comprehensive reporting and gap analysis

    Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
    Watch the video now >>>

    This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
    Join the professionals and order yours today >>>

    vsRisk and Security Risk Assessment


    Jul 05 2011

    Newly released ISO/IEC 27005:2011 helps improve risk management

    Category: ISO 27k, Security Risk Assessment | DISC @ 12:55 pm

    /EINPresswire.com/ ISO 27005:2011, the newly released international information security risk management standard, is now available to the international community of business continuity and information security practitioners.

    Information security risk management is one of the core competencies of information security. This Standard is an essential companion to ISO/IEC 27001 and ISO/IEC 27002 and replaces ISO/IEC 27005:2008.

    ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The Standard is applicable to all organisations of all types and sizes which intend to manage risks that could compromise the organisation's information security.

    IT Governance Ltd, an international distribution partner for IEC and a global leader in ISO27001 information, products and services, is making ISO/IEC 27005:2011 available from all its main websites. ISO 27005:2011 ISRM, can be downloaded today from www.itgovernance.co.uk/products/1852 .

    “The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version”, comments Alan Calder, CEO of IT Governance, “First, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”

    Organisations that would like to save time and money whilst implementing the new Standard should consider applying vsRisk – an ISO27001:2005 compliant information security risk assessment tool produced by Vigilant Software, the specialist software subsidiary of IT Governance.

    vsRisk (www.itgovernance.co.uk/products/744) simplifies each step of an ISO27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. The tool makes ISO27001 compliance achievable for a far wider range of organisations and professionals by minimising the need for specialist knowledge and significantly undercutting the cost of generalist risk management tools.

    As well as supporting ISO/IEC 27001:2005 and ISO/IEC27002, vsRisk complies with BS7799-3:2006, ISO/IEC27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.

    A copy of the ISO27005:2011 standard can be downloaded immediately from www.itgovernance.co.uk/products/1852 and the vsRisk CD-ROM can be ordered from www.itgovernance.co.uk/products/744 .


    May 13 2011

    Enterprise Risk Management: From Incentives to Controls

    Category: Security Risk Assessment | DISC @ 12:03 pm

    Enterprise Risk Management: From Incentives to Controls

    Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.

    But to master the numerous aspects of enterprise risk management, you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.

    In Enterprise Risk Management: From Incentives to Controls, Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.

    Organized into four comprehensive sections, Enterprise Risk Management offers in-depth insights, practical advice, and real-world case studies that explore every aspect of this important field.

    Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in today's business environment.

    Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.

    Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.

    Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.

    Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.

    Here are the contents of the book.

    Authors: James Lam
    Publisher: John Wiley
    ISBN 10: 0471430005
    ISBN 13: 9780471430001
    Pages: 336
    Format: Hard Cover
    Published Date: 24/06/03

    “I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”

    Tags: Enterprise Risk Management, Risk Assessment, Security Risk Assessment, security risk assessment process


    Dec 26 2010

    Information Security Risk Management for ISO27001/ISO27002

    Category: ISO 27k, Security Risk Assessment | DISC @ 8:56 pm

    Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ‘ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’.

    ISMS requirements
    The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

    International best practice
    Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

    Benefits to business include:

    Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

    Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. However, having too many safeguards in place will make the information security system expensive and bureaucratic, so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

    Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

    Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO 31000.

    Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002

    About the authors

    Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.

    Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.


    Jun 08 2010

    U.S. cybersecurity policies update

    Category: Information Warfare, Security Risk Assessment | DISC @ 12:47 am


    By Greg Masters

    The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.

    The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.

    The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.

    “The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,” Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. “These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.”

    The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.

    The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.

    A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.

    Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.

    Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.

    The amendment also calls for developing policies to be used in the purchasing of technology products and services.

    A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee.

    The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.

    Tags: Diane Watson, Federal government of the United States, Federal Information Security Management Act of 2002, FISMA, Information Security, Security, Senate, United States


    May 11 2010

    OCR draft guidelines for security risk analysis

    Category: hipaa, Security Risk Assessment | DISC @ 12:42 am


    The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

    The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

    Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the achievement of business goals. Risk analysis determines whether the security controls in place are appropriate compared to the risk presented by the impact of those threats and vulnerabilities.

    The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

    Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said.

    The OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.

    OCR draft guidelines details

    Information Security Risk Analysis, Tom Peltier

    Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security


    Feb 16 2010

    Security risk assessment process and countermeasures

    Category: Security Risk Assessment | DISC @ 4:01 pm

    The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

    The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on the organization's assessment scope and business requirements.

    • Identify the business needs of the assessment and align your requirements with those business needs.
    • Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
    • Review and analyze the existing assets, threats and vulnerabilities.
    • Analyze the impacts and likelihood of threats and vulnerabilities on assets.
    • Assess physical controls over the network and security infrastructure.
    • Assess the procedural configuration review of the network and security infrastructure based on existing policies and procedures.
    • Review logical access, physical access and other authentication mechanisms.
    • Review the level of security awareness based on current policies and procedures.
    • Review the security controls in service level agreements from vendors and contractors.
    • At the end of the review, develop practical recommendations to address the identified gaps in security controls.

    To address the existing gaps in infrastructure we have to select appropriate countermeasures to address the vulnerability or thwart a threat of attack. Countermeasures use four types of techniques:

    Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at the ISP is an example of a deterrent control.
    Preventive controls reduce exposure. A firewall is an example of a preventive control.
    Corrective controls reduce the impact of successful attacks. Antivirus is an example of a corrective control.
    Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are examples of detective controls.

    Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process


    Sep 21 2009

    Due Diligence, and Security Assessments

    Category: Information Security, Security Risk Assessment | DISC @ 9:21 pm


    Fighting Computer Crime: A New Framework for Protecting Information

    Risk assessment demands due diligence, which makes business sense and derives from the organization's mission. Due care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects, and to identify the various threats that may be exploited for a possible security breach.

    Donn Parker defines due care as a “use of reasonable safeguards based on the practices of similar organizations”.

    Fred Cohen writes that “due diligence is met by virtue of compliance review.”

    Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
    (FIPS 200, Section 3, Minimum Security Requirements)



    Tags: donn parker, due care, due diligence, Fred Cohen, security controls


    Aug 18 2009

    Control selection and cost savings

    Category: Security Risk Assessment | DISC @ 3:53 pm

    [Figure: risk management process]

    Information Security Risk Analysis

    In risk management, the risk treatment process begins after completion of a comprehensive risk assessment.
    Once risks have been assessed, the risk manager uses the following techniques to manage them:

    • Avoidance (eliminate)
    • Reduction (mitigate)
    • Transfer (outsource or insure)
    • Retention (accept and budget)

    Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate controls to mitigate or avoid risk, we need to consider compensating controls to cut cost and supplemental controls to increase protection for sensitive or classified assets.

    A compensating control is a safeguard or countermeasure employed by an organization in lieu of a recommended security control from standards such as ISO 27002 or NIST 800-53. A compensating control provides protection for the information system equivalent or comparable to the original control requirement from the standard. For example, most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case the system owner can utilize compensating controls such as strengthening the audit trail and personnel security.

    With a supplemental control, on the other hand, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If the likelihood is high, or the magnitude of impact is high should a threat exploit a given vulnerability, you might want to consider a supplemental control because the overall risk is high. For example, you might want to use a defense in depth method to safeguard your crown jewels.

    Implementing and monitoring security controls can be expensive, and system owners are pressured by management to look for cost savings without any reduction in the security posture of the organization. The system owner can either inherit common controls or segment the system exposure to reduce cost and risks.
    Common controls are security controls which have been implemented by another information system and which your system can utilize. Basically, you work with another system owner who has already implemented some of the security controls that need to be implemented in your system. For example, utilize the corporate office baseline hardening configuration for Windows and Unix systems instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

    The best and cheapest method of cost reduction is to segment the information system into multiple systems, which adds different layers and levels of security to each system. Basically, you put your crown jewels behind multiple layers of security: if one control breaks, there is another control in place to monitor and protect your assets. This allows the system owner to focus on implementing higher security controls for the segment with the most sensitive or classified information instead of the entire system.
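The treatment choice described in this post, as an added Python example that is not the post's own code: given an assessed risk level and an acceptance threshold, it picks one of the four treatments (avoid, reduce, transfer, retain) and, for reduction, chooses between an inherited common control, the control recommended by the standard, a cheaper compensating control of comparable protection, and a supplemental layer for high risks, all within a budget. The control names, costs, residual-risk figures and the `Risk`/`Control` classes are assumptions constructed for the example; the scenario mirrors the post's separation-of-duties case.

```python
"""Risk treatment selection: added worked example, not the original post's code.

Applies the four treatments from the post (avoid, reduce, transfer, retain)
and, for reduction, chooses between an inherited common control, the control
recommended by the standard, a cheaper compensating control of comparable
protection, and a supplemental control for high risks.  Every control name,
cost and residual-risk figure below is a constructed assumption.
"""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]


@dataclass
class Control:
    name: str
    cost: int           # annual cost in constructed units
    residual: str       # risk level remaining once the control is in place
    kind: str           # "common" | "recommended" | "compensating" | "supplemental"


@dataclass
class Risk:
    asset: str
    level: str          # assessed risk level
    avoidable: bool     # can the activity creating the risk simply be dropped?
    transferable: bool  # is insurance or outsourcing available?


def meets(level, acceptance):
    """True when a risk level is within the acceptance threshold."""
    return LEVELS.index(level) <= LEVELS.index(acceptance)


def choose_treatment(risk, acceptance, options, budget):
    """Pick a treatment and the controls to implement for one assessed risk."""
    if meets(risk.level, acceptance):
        return {"treatment": "retain", "controls": [], "cost": 0,
                "note": "within acceptance threshold: accept and budget for it"}
    if risk.avoidable:
        return {"treatment": "avoid", "controls": [], "cost": 0,
                "note": "eliminate the activity that creates the risk"}

    # Reduce: candidates must bring residual risk within the threshold and fit
    # the budget.  Prefer an inherited common control, then the recommended
    # control, then a compensating control; cheapest first within each kind.
    rank = {"common": 0, "recommended": 1, "compensating": 2}
    candidates = sorted(
        (c for c in options
         if c.kind in rank and meets(c.residual, acceptance) and c.cost <= budget),
        key=lambda c: (rank[c.kind], c.cost))
    if candidates:
        chosen, spent = [candidates[0]], candidates[0].cost
        # High risks get an extra layer (defense in depth) when budget remains.
        if risk.level == "High":
            extras = [c for c in options
                      if c.kind == "supplemental" and spent + c.cost <= budget]
            if extras:
                extra = min(extras, key=lambda c: c.cost)
                chosen.append(extra)
                spent += extra.cost
        note = ("compensating control in lieu of the standard's recommendation"
                if chosen[0].kind == "compensating" else chosen[0].kind + " control")
        return {"treatment": "reduce", "controls": [c.name for c in chosen],
                "cost": spent, "note": note}

    if risk.transferable:
        return {"treatment": "transfer", "controls": [], "cost": 0,
                "note": "no affordable control brings the risk within threshold; insure or outsource"}
    return {"treatment": "retain", "controls": [], "cost": 0,
            "note": "no affordable reduction or transfer: record a management-approved exception"}


# Constructed scenario from the post: separation of duties is too costly for a
# small operation, so strengthened audit and personnel security compensate.
ADMIN_HOST_OPTIONS = [
    Control("separate sysadmin and system-audit roles", 40000, "Low", "recommended"),
    Control("strengthened audit trail plus personnel screening", 3000, "Low", "compensating"),
    Control("corporate baseline hardening for Windows/Unix", 500, "Medium", "common"),
    Control("network segmentation of the admin host", 1500, "Low", "supplemental"),
]
PAYROLL_OPTIONS = [
    Control("in-house payroll platform hardening", 25000, "Low", "recommended"),
]

if __name__ == "__main__":
    print(choose_treatment(Risk("admin-host", "High", False, False), "Low",
                           ADMIN_HOST_OPTIONS, 5000))
    print(choose_treatment(Risk("payroll", "Medium", False, True), "Low",
                           PAYROLL_OPTIONS, 5000))
    print(choose_treatment(Risk("intranet-wiki", "Low", False, False), "Low", [], 5000))
```

For the admin host the recommended separation of duties exceeds the budget and the inherited baseline only brings the risk down to Medium, so the compensating control is chosen and, because the risk is High, the segmentation layer is added on top; the payroll risk has no affordable reduction and is transferred; the Low wiki risk is simply retained.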



    Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management


    Aug 10 2009

    Managing Risks and NIST 800-53

    Category: Security Risk Assessment | DISC @ 5:48 pm


    FISMA Certification & Accreditation Handbook

    Organizations need to establish a security program to manage their day-to-day risks. Before selecting controls from standards such as NIST 800-53 or ISO 27002, organizations need to have a complete inventory of the assets involved in the scope. Assets involved in the scope require a comprehensive risk assessment to determine their sensitivity/criticality. The categorization of these assets determines the appropriate control from the standard to mitigate the relevant risk. In some cases supplemental controls may be required.

    Management of risks addresses the risks to the organization arising from the operation of an information system or information security management system. Risk management is an effective framework for selecting appropriate security controls for an information system and assists in selecting appropriate security controls to protect assets.

    Both ISO and NIST standards follow a similar path in control selection. NIST 800-53 has 163 high level controls and 154 medium level controls, which have around 95% mapping with ISO 27002, which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information systems, NIST encourages its use in the commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

    The management of day-to-day risks is a key element in an organization’s information security program, and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for an information system. ISO uses the PDCA (Plan, Do, Check, Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST, on the other hand, uses a similar framework for selecting and managing appropriate controls for an information system, called the risk management framework security life cycle. A copy of the NIST risk management framework security life cycle is shown below; it bears an eerie resemblance to the PDCA model.

    [Figure: NIST risk management framework security life cycle]

    Around 80% of critical infrastructure resides in the private sector, which is required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets; however, in some cases one standard might fit better in your environment than the other, or perhaps you are able to manage one standard better than the other. Both standards require the information system to be audited or reviewed by authorized organizations to achieve the appropriate certifications.


    Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management


    Mar 04 2009

    HIPAA accountability and security program

    Category: hipaa, Security Risk Assessment | DISC @ 7:34 pm

    Last year the Department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and lack of a security program. The healthcare stimulus bill says that HHS will post a breach at a healthcare organization on their website. In both cases the intent is clear: HHS wants to hold healthcare organizations accountable for security lapses.

    The World Privacy Forum (WPF) states in a recent report that medical identity theft is on the rise and that it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft is mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to a different address.

    HHS has given ample warning and time to healthcare organizations to get their house in order. The healthcare stimulus bill, which requires digitizing healthcare records, will demand an even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planning now and implement their security program before HHS comes knocking at their door.

    Risk Management Process:

    Like other compliance initiatives, HIPAA also requires organizations to build a security risk management program to manage their daily risks. The process of risk management consists of risk assessment (analyzing the risks), design/select control, implement control, test control, and maintain/monitor control. At a high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.

    [Figure: risk management process]

    A risk assessment states the security posture of an organization at a given point in time. Therefore organizations should conduct risk assessments of their assets on a regular basis. A risk assessment looks at the impact and likelihood of each threat/vulnerability pair to assess the risk: what is the likelihood of a threat exploiting a given vulnerability, and what will be the impact of the threat if the given vulnerability is exploited? If either likelihood or impact is low, the overall risk is low.

    Performing vulnerability assessments of critical assets on a monthly basis is highly recommended, to find new vulnerabilities and to make sure the hardened system configurations have not changed. Also, any change introduced to a system requires checking that the necessary system configurations are intact.

    A Five-step Roadmap to HIPAA Security Compliance

    Video: https://www.youtube.com/watch?v=3Srhrow67f8


    Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services


    Feb 25 2009

    Small business and assessment of IT risks

    Category: Security Risk AssessmentDISC @ 5:02 pm

    According to a study released by the European Network and Information Security Agency (ENISA), small-to-medium-sized enterprises (SMEs) require extra guidance in assessing the IT security risks to their assets.

    The agency also established that, in a first implementation, it is improbable that an SME can apply a risk assessment and risk management approach without external assistance, and that a simplified information security approach was extremely useful for raising security awareness on the part of the business and improving its information security management. One of the main drivers that pushed ENISA towards a simplified risk assessment and management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

    Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
    o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
    o DO: run pilots in different contexts inside EU
    o CHECK: get feedback from pilots and aggregate and analyze it
    o ACT: review and improve the simplified approach starting from the feedback
    It is expected that, through repetitions of the above life-cycle, the simplified ENISA method will reach a proper level of maturity.
    Diagram: Overview of the phases of the ENISA simplified approach
    The ENISA simplified and standardized risk assessment approach for SMEs is designed for untrained users and organizations with a small IT infrastructure. The security of SMEs is crucial for the European economy, since they represent 99% of all enterprises in the EU and around 65 million jobs, ENISA said.

    ENISA report and findings

    With an economic slowdown looming in the US economy, it makes sense to adopt a simplified, standardized life-cycle approach to managing and securing SME data. SMEs are the core engine of the US economy as well; taking a standards-based approach to data protection will not only increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is the enemy of security, and SMEs most of the time don’t have in-house expertise to tackle the organization’s information security needs. The main idea is to build a simple, flexible and cost-efficient risk assessment and risk management program for non-expert users and management with a relatively simple IT infrastructure, one which fits the needs of all SMEs. Such a program serves as an IT risk assessment tool, fulfills the needs of several regulations and serves as a great security awareness tool as well. As business needs change, the risk assessment and risk management process can be improved using the Deming PDCA model: start with a base program and improve the process to tailor it to your business needs down the road.

    Another methodology worth mentioning here as a simplified risk assessment approach for SMEs is the Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier, which can be used to identify and quantify threats to IT infrastructure. Tom also teaches a class on how to complete a risk assessment in 5 days or less using FRAAP, and his book “Information Security Risk Analysis” explains the FRAAP methodology.

    Video (Computer Security): https://www.youtube.com/watch?v=MUQzEJ82TrQ


    Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME


    Oct 07 2008

    vsRisk and security risk assessment

    Category: ISO 27k,Security Risk AssessmentDISC @ 3:18 pm

    Information Security Risk Management for ISO27001 / ISO27002

    The State of California has adopted ISO/IEC 27002 as its standard for information security and recommends that other organizations and vendors use this standard as guidance in their efforts to comply with California law.

    To achieve ongoing compliance, major organizations require tools that support standards such as ISO 27002/ISO 27001. vsRisk is an easy-to-use information security risk assessment tool which makes the risk assessment process consistent and easier, and produces the documentation required to achieve ISO 27001 certification. vsRisk also aligns with standards such as ISO 27002, ISO 27005 and NIST SP 800-30.

    vsRisk helps organizations develop an Information Security Management System (ISMS) asset inventory and capture the business, legal and contractual requirements against each asset. vsRisk is customizable to meet specific needs when introducing new risks, vulnerabilities and controls, without additional help from a consultant. vsRisk helps you focus on assets rather than on threats and vulnerabilities: business processes are treated as assets and examined for their criticality, their lack of security and the consequences of a failed process. In this regard, vsRisk is an effective and efficient tool because it identifies the most important points and key issues right away, which a threat-focused approach does not.

    Major benefits of the vsRisk tool:
    1. It is the definitive ISO 27001 risk assessment tool, compliant with all the key information security standards, which means that you can be certain that a vsRisk risk assessment will help you achieve ISO 27001 certification.
    2. It is designed to be usable: your lead risk assessor and any asset owners involved in your risk assessment will find their task made easier.
    3. Unique features include the risk assessment wizard, which standardizes the risk assessment process and guides asset owners through it.
    4. vsRisk creates a baseline from which future risk assessments can easily be made.
    5. vsRisk integrates with the ISMS documentation toolkit, for even greater usability.

    “vsRisk™- the Definitive ISO 27001: 2005-Compliant Information Security Risk Assessment Tool, which automates and delivers an ISO/IEC 27001-compliant risk assessment and can assess confidentiality, integrity and availability for each of business, legal and contractual aspects of information assets – as required by ISO 27001. Providing a comprehensive best-practice alignment, it supports ISO 27001 and 27002 (ISO/IEC 17799) disciplines, and is ISO/IEC 27005 and NIST SP 800-30 compliant. It also offers a wizard-based approach that simplifies and accelerates the risk assessment process, plus integrates and regularly updates BS7799-3 compliant threat and vulnerability databases.”

    The key to successful risk management is to protect your most important/critical assets. The importance/criticality of an asset may change over time, which is another reason to automate the security risk assessment process and recalibrate your risks against the current state of security.

    Risk Management to ISO 27001/NIST: a wizard-based risk assessment tool that simplifies compliance. To buy the vsRisk tool!

    Meet Stringent California Information Security Legislation with Comprehensive Toolkit


    Tags: asset owner, automate security risk assessment, baseline, california, isms, iso 17799, iso 27001, iso 27001 certification, iso 27002, iso 27005, nist sp 800-30, sb 1386, vsrisk

