Friday, August 12, 2022

Principles of Information Security Module 4 Risk Management part 1

By the end of this module, you should be able to:

  1. Define risk management and describe its importance

  2. Explain the risk management framework and process model, including major components

  3. Define risk appetite and explain how it relates to residual risk

  4. Describe how risk is identified and documented

  5. Discuss how risk is assessed based on likelihood and impact

  6. Describe various options for a risk treatment and risk control strategy

  7. Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis

  8. Compare and contrast the dominant risk management methodologies

The upper management of an organization is responsible for overseeing, enabling, and supporting the structuring of IT and information security functions to defend its information assets. Part of upper management’s information security governance requirement is the establishment and support of an effective risk management (RM) program. The IT community must serve the information technology needs of the entire organization and at the same time leverage the special skills and insights of the InfoSec community in supporting the RM program. The InfoSec team must lead the way with skill, professionalism, and flexibility as it works with other communities of interest to balance the usefulness and security of information systems, as well as evaluating and controlling the risks facing the organization’s information assets.

In the early days of IT, corporations used computer systems mainly to gain a definitive advantage over the competition. Establishing a superior business model, method, or technique enabled an organization to provide a product or service that created a competitive advantage. In the modern business environment, however, all competitors have reached a certain level of technological competence and resilience. IT is now readily available to all organizations that make the investment, allowing them to react quickly to changes in the market. In this highly competitive environment, organizations cannot expect the implementation of new technologies to provide a competitive lead over others in the industry. Instead, the concept of avoidance of competitive disadvantage—working to prevent falling behind the competition—has emerged. Effective IT-enabled organizations quickly absorb relevant emerging technologies not just to gain or maintain competitive advantage, but to avoid loss of market share from an inability to maintain the highly responsive services required by their stakeholders.

To keep up with the competition, organizations must design and create safe environments in which their business processes and procedures can function. These environments must maintain confidentiality and privacy and assure the integrity of an organization’s data—objectives that are met by applying the principles of risk management. As an aspiring information security professional, you will play a key role in risk management.

This module explores a variety of risk management approaches and provides a discussion of how risk is identified and assessed. The module includes a section on selecting and implementing effective control strategies for the protection of information assets in the modern organization.

In Module 1, you learned about the C.I.A. triad. Each of the three elements in the triad is an essential part of every organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of risk management must become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information system controls and the benefits of using secured, available systems.

Chinese general Sun Tzu Wu’s quote, referenced earlier in this book, also has direct relevance to risk management:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Consider the similarities between information security and warfare. Information security managers and technicians are the defenders of information. The many threats discussed in Module 2 constantly attack the defenses surrounding information assets. Defenses are built in layers by placing safeguards behind safeguards. The defenders attempt to prevent, protect, detect, and recover from a seemingly endless series of attacks. Moreover, those defenders are legally prohibited from deploying offensive tactics, so the attackers have no need to expend resources on defense. While the defenders need to win every battle, the attackers only need to win once. To be victorious, defenders must know themselves and their enemy.

Know Yourself

You must identify, examine, and understand the current information and systems in your organization. To protect information assets, which were defined earlier in this book as information and the systems that use, store, and transmit information, you must know what those assets are, where they are, how they add value to the organization, and the vulnerabilities to which they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is in place does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.

Know the Enemy

Having identified your organization’s assets and weaknesses, you move on to Sun Tzu’s second step: Know the enemy. This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.

Risk management involves discovering and understanding answers to some key questions about the risk associated with an organization’s information assets:

  • Where and what is the risk (risk identification)?

  • How severe is the current level of risk (risk analysis)?

  • Is the current level of risk acceptable (risk evaluation)?

  • What do I need to do to bring the risk to an acceptable level (risk treatment)?

The term risk assessment is commonly used to describe the entire set of activities associated with the first three questions, while risk treatment (or risk control) describes the fourth. Here, we will examine these activities individually to ensure that the distinctions between these stages are clear. InfoSec in an organization exists primarily to manage the risk to information assets stemming from the use of information. Managing risk is a key responsibility for every manager within an organization. Well-developed risk management programs rely on formal and repeatable processes. The coverage of risk management in this text was developed based on an extensive assessment of best practices in industry and government and of international standards. The international standard most closely aligned with the findings of this assessment—ISO 31000—was selected and adapted to facilitate ease of presentation and discussion.
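As an added illustration of the four questions as distinct stages (this is not code from the textbook), the Python below walks a constructed two-entry risk register through identification, analysis, evaluation and treatment. The 1..5 likelihood and impact scales, the likelihood-times-impact score, and the appetite threshold of 8 are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str        # information asset found during risk identification
    threat: str       # what threatens it
    likelihood: int   # assumed 1 (rare) .. 5 (almost certain)
    impact: int       # assumed 1 (negligible) .. 5 (severe)

@dataclass(frozen=True)
class Control:
    name: str
    likelihood_cut: int = 0  # points of likelihood the control removes
    impact_cut: int = 0      # points of impact the control removes

def analyze(risk):
    """Risk analysis: how severe? Likelihood x impact is an assumed scoring model."""
    return risk.likelihood * risk.impact

def evaluate(score, appetite):
    """Risk evaluation: is this score within the organization's risk appetite?"""
    return score <= appetite

def treat(risk, control):
    """Risk treatment: apply one control; the returned Risk is the residual risk."""
    return replace(risk, likelihood=max(1, risk.likelihood - control.likelihood_cut),
                   impact=max(1, risk.impact - control.impact_cut))

def manage(register, controls, appetite):
    """Assess every risk, then treat those above appetite until acceptable or controls run out."""
    report = []
    for risk in register:
        inherent, residual, applied = analyze(risk), risk, []
        for control in controls.get(risk.asset, []):
            if evaluate(analyze(residual), appetite):
                break   # already acceptable: stop spending on controls
            residual = treat(residual, control)
            applied.append(control.name)
        score = analyze(residual)
        report.append((risk.asset, inherent, score, evaluate(score, appetite), applied))
    return report

# Constructed sample data; the appetite threshold of 8 is an assumption.
RISK_APPETITE = 8
REGISTER = [Risk("customer database", "SQL injection via web app", 4, 5),
            Risk("public web pages", "defacement", 3, 2)]
CONTROLS = {"customer database": [Control("parameterised queries", likelihood_cut=2),
                                  Control("field-level encryption", impact_cut=2)]}
```

Calling `manage(REGISTER, CONTROLS, RISK_APPETITE)` shows the database risk falling from an inherent score of 20 to a residual 6 after both controls, while the web-page risk is already within appetite and gets no treatment.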

Risk management is a complex operation that requires a formal methodology, much like the systems development life cycle (SDLC) discussed in Module 11. Figure 4-1 explores the entire approach to RM, which involves two key areas: the RM framework and the RM process. The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts. The RM process is the implementation of risk management, as specified in the framework. In other words, the RM framework (planning) guides the RM process (doing), which conducts the processes of risk evaluation and remediation. The RM framework assesses the RM process, which in turn assesses risk in the organization’s information assets.

The RM framework and the RM process are continuous improvement activities. That means they are ongoing, repetitive, and designed to continually assess current performance to improve future RM results. The RM framework repeatedly assesses and improves how the RM process is evaluating and reacting to risk. The framework also continuously assesses and improves how well the planning and review activities are being performed—the framework itself. As an example, in a manufacturing plant, executives oversee the measurement of product quality and manufacturing productivity (the results and the equivalent of the RM process) while also assessing the effectiveness of the management processes used to structure manufacturing (the equivalent of the RM framework).

The left side of Figure 4-1 illustrates the major activities associated with the RM framework. As you have seen with other major InfoSec initiatives, this framework is developed and reviewed by an executive team led by a champion and organized using effective project management methods. Organizations that have existing RM programs may be able to adapt their operations to the methodology shown here, with minimal impact on their current efforts. Organizations that do not have formal RM programs—or have programs that are unsuccessful, inefficient, or ineffective—need to begin the process from scratch. The RM framework consists of five key stages:

  • Executive governance and support

  • Framework design

  • Framework implementation

  • Framework monitoring and review

  • Continuous improvement

While this framework is provided as an example of how to perform risk management in the organization, it is not by any means the only way to do RM. Each organization must decide for itself what works best from the multiple options available. The model shown here is adapted to be in alignment with an ISO standard, while others are based on industry standards or proprietary models.

It would not be difficult for an organization to take the general recommendations of this RM framework and process and adapt it to fit the details of another methodology. Only those involved in the process know what’s best for their organizations.
