O-ISM3 Risk Assessment


© Inovement Spain 2013

ISM-RA

Existing RA methods: AU IT SB, FAIR, MAGERIT, CRAMM, Dutch A&K, EBIOS, ISAMM, ISO27005, MARION, MEHARI, MIGRA, OCTAVE, SP 800-30, ISF, Canadian RM Guide, etc.

ISO27005

[Diagram: the ISO27005 process. Establish Context; Risk Assessment, made up of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision point "Acceptable results?"; Risk Treatment; decision point "Accept risk?"; Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside every step.]

RA Method Design

[Diagram: the design choices of an RA method: Threat Taxonomy, Controls/Processes Taxonomy, Model, Scope, Depth, Threat Likelihood, Asset Value; the inputs they draw on: Impact, Asset Value, Cost, Threat Frequency, Likelihood, Exposure, Weaknesses, Countermeasures; and the test applied to the result: "Correct? Useful?"]

Goals: Scope (What is in, What is out)

The more choice on the side of the certificate aspirant, the less value in the certification.

The wider the scope, the higher the cost.

ISM3-RA uses the scope of whole companies.

Goals: Organization Wide

Complexity: Likelihood * Threats * Vulnerabilities * Countermeasures * Asset Value * Exposure = N^6

Correct? Useful?

Anyone can create a “correct” RA method. But, is it useful?

Utility

[Chart: Utility rated HIGH / MEDIUM / LOW on a scale of 100 to 300.]

Utility – Added Value

What are we learning that we don’t know already? (Non-Banal Analysis)

What are important threats to the organization?

What should I do?

How safe am I? / How likely is it that an incident will happen?

How much will I lose this year?

How much should I invest this year?

Utility Challenges

Lack of real data. Are opinions valid data? Mixing opinions with arithmetic is a bit like mixing magic and physics.

The higher the investment, the lower the risk. Return on investment is always positive.

Risk Assessment can be difficult and expensive.

Inherent Limitations: Quantitative, Qualitative

Quantitative RA

Risk = Impact * Probability

[Chart: Risk plotted against Impact and Probability. Impact axis: Expected Loss [$], from 0 to the accounting value of the company, with last year’s losses ($ per year) marked as a reference point. Probability axis: [% / year], from 0 to 100, with the probability of discontinuation of the company per year marked as a reference point.]

Qualitative RA

Model

No Model; Assets (Mostly Technical): Servers, Databases, Networks, etc. (Purely Technical); ISM3-RA uses Environments and Business Functions.

Depth (Level of Detail)

The higher the level of detail, the more complex and costly. The depth should match the kind of decisions we want to support. ISM3-RA uses management-level depth.

Model (Management Level)

[Diagram: Business (Components, Relationships, States) is represented as Business Functions; Environments represent the technical side.]

Business Functions

Every business function exists and has a different importance in every company.

Research; Financing / Accounting; Legal; Sales; Relationships; Production; Maintenance; Business Intelligence; Governance; IT; Advertising; Human Resources; Infrastructure; Administration; Procurement; Logistics.


Model (Management Level)

[Diagram: Information Technology (Components, Relationships, States) is represented as Environments.]

Environment

You can’t meaningfully model a company as a set of servers, applications or “assets”. On the other hand, an environment has a visible head, someone who will be responsible for carrying out the action plan.

Environments: Host, SSCC, Terceros (third parties), SSAA, Oficinas (offices), Usuarios Móviles (mobile users), Personal (staff).

Dependencies

[Diagram (ISM3-RA): dependencies between the Environments (Host, SSCC, Terceros, SSAA, Oficinas, Usuarios Móviles, Personal) and the Business Functions (Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics).]

Threats (There is no widely accepted list of threats at any level of detail. There are no reliable estimations of the probability of threats.)

Threat Taxonomy

Pretty long lists. Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc. Against Confidentiality, against Integrity, against Availability et al.

ISM3-RA:

1. Destruction, corruption or loss of valid information.
2. Failure to destroy expired information.
3. Improper use of authorized access.
4. Improper recording of access.
5. Unauthorized access, eavesdropping, theft and disclosure of information.
6. Underperformance, interruption of service & failure of authorized access.
7. Aging of information & outdated systems.

Threat Likelihood

Normally there is not enough data to know how likely a threat is. The multiplicity and evolution of threats make the likelihood of threats very difficult to model. ISM3-RA uses a qualitative scale of likelihood (from very high to very low).

Impact (Euros; High – Medium – Low; Confidentiality – Integrity – Availability; etc.)

Asset Value

Euros. High – Medium – Low. Magerit: availability, integrity, confidentiality, authenticity, traceability. ISM3-RA uses “The more important Business Functions depend on Environments, the more valuable” (an environment is as valuable as the business functions that depend on it are important).

Controls (ISO27001, PCI DSS, NIST, ISM3, etc.)

Controls / Process Taxonomy

ISO 27002 Controls; PCI DSS Controls; Cobit Controls; Custom Made Lists; etc. ISM3-RA uses ISM3 Processes.

Mix

Results (7, other number, “good”, “better”, an action plan, or a dashboard; High / Medium / Low)

ISM3-RA

[Chart: Relative Weight of Business Functions, scale 0 to 120, one bar per function: Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics.]

[Chart (ISM3-RA): Relative Protection per Environment, scale 0.0 to 0.8, one bar per environment: Internet, SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles, Personal.]

[Chart (ISM3-RA): Relative Environment Criticality, scale 0 to 12000, one bar per environment: Internet, SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles, Personal.]

[Chart (ISM3-RA): Risk to Environment, scale 0.0 to 1.8, one bar per environment: SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles, Personal.]

[Chart (ISM3-RA): Risk to Technical Environment per Threat, scale 0 to 8, one bar group per environment (SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Móviles), with one series per threat:]

Improper recording of access to information or systems (anon or otherwise)

Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems

Failure to destroy expired information or systems & Failure to stop systems at will

Underperformance OR Interruption of valid system services & Failure of authorized access

Aging of information & Outdated systems

Destruction / Corruption / Loss of valid information or systems

[Chart (ISM3-RA): Relative Reliance on Environments, scale 0 to 16000, one bar per environment (Host, SSCC, Terceros, SSAA, Oficinas, Usuarios Móviles, Personal), broken down by business function: Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics.]

[Chart (ISM3-RA): Risk per Business Function, scale 0.0 to 2.5, one bar per function (Research, Financing / Accounting, Legal, Sales, Relationships, Production, Maintenance, Business Intelligence, Governance, IT, Advertising, Human Resources, Infrastructure, Administration, Procurement, Logistics), broken down by environment: Personal, Usuarios Móviles, Terceros, SSAA, Host, Oficinas, SSCC.]

ISM3-RA

[Diagram: dependency map between Environments (Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks) and Business Functions (Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal).]

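One assumed formalization of the chain of charts above (relative weight of business functions and their dependencies give reliance on environments; reliance, protection and a qualitative threat likelihood give risk per environment and per threat; that risk is pushed back onto the business functions). This is an added example, not Inovement's or the ISM3-RA method's own calculation; the formulas, the 1..5 mapping of the qualitative likelihood scale and all the figures are constructed assumptions.

```python
# Added example, not from the O-ISM3 deck and not Inovement's own calculation: one
# assumed way to formalize the chain of ISM3-RA charts (reliance = sum of weight *
# dependency; risk = reliance * (1 - protection) * likelihood). All data is constructed.

WEIGHTS = {"Sales": 100, "Production": 80, "IT": 60, "Legal": 30}  # relative weight, 0-120
DEPENDENCY = {  # how much each business function depends on each environment, 0-1
    "Sales": {"Host": 1.0, "Oficinas": 0.5, "Usuarios Móviles": 1.0},
    "Production": {"Host": 1.0, "SSCC": 1.0},
    "IT": {"Host": 0.5, "SSCC": 1.0, "Terceros": 0.5},
    "Legal": {"Oficinas": 1.0, "Terceros": 0.5},
}
PROTECTION = {"Host": 0.8, "SSCC": 0.6, "Oficinas": 0.4, "Usuarios Móviles": 0.2, "Terceros": 0.3}

# ISM3-RA rates likelihood qualitatively; mapping the scale onto 1..5 is an assumption,
# the "opinions mixed with arithmetic" the deck warns about: read outputs as rankings.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
THREATS = {  # the seven ISM3-RA threat classes with constructed ratings
    "Destruction, corruption or loss of valid information": "medium",
    "Failure to destroy expired information": "low",
    "Improper use of authorized access": "high",
    "Improper recording of access": "medium",
    "Unauthorized access, eavesdropping, theft and disclosure": "high",
    "Underperformance, interruption of service, failure of authorized access": "very high",
    "Aging of information and outdated systems": "low",
}

def reliance(weights, dependency):
    """Relative reliance on each environment: sum over functions of weight * dependency."""
    out = {}
    for bf, envs in dependency.items():
        for env, dep in envs.items():
            out[env] = out.get(env, 0.0) + weights[bf] * dep
    return out

def risk_per_environment(weights, dependency, protection, threats):
    """Per-threat and total risk to each environment: reliance * (1 - protection) * likelihood."""
    per_threat = {env: {t: rel * (1 - protection[env]) * LIKELIHOOD[lvl] for t, lvl in threats.items()}
                  for env, rel in reliance(weights, dependency).items()}
    return per_threat, {env: sum(row.values()) for env, row in per_threat.items()}

def risk_per_business_function(dependency, env_risk):
    """Push each environment's risk back onto the functions that depend on it."""
    return {bf: sum(dep * env_risk[e] for e, dep in envs.items()) for bf, envs in dependency.items()}

def assess(weights=WEIGHTS, dependency=DEPENDENCY, protection=PROTECTION, threats=THREATS):
    """Run the whole chain and return the figures behind each ISM3-RA chart."""
    per_threat, env_risk = risk_per_environment(weights, dependency, protection, threats)
    return {"reliance": reliance(weights, dependency), "risk_per_threat": per_threat,
            "risk_per_environment": env_risk, "most_exposed_environment": max(env_risk, key=env_risk.get),
            "risk_per_business_function": risk_per_business_function(dependency, env_risk)}
```

With the sample data the mobile-user environment comes out as the most exposed even though its reliance is lower than the Host's, because its protection is the weakest; that ranking, not the absolute numbers, is what the method's charts are meant to support.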

ISM3-RA

Dashboard?

Information Security that makes Business Sense

inovement.es/oism3

Web: www.inovement.es

Video Blog: youtube.com/user/vaceituno

Blog: ism3.com

Twitter: twitter.com/vaceituno

Presentations: slideshare.net/vaceituno/presentations

Articles: slideshare.net/vaceituno/documents
