Introduction and acknowledgement
Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.
The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.
The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria.
Copyright
Disclaimer
An illustration of the application of Failure Modes and Effects Analysis (FMEA) techniques to the analysis of information security risks
The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to demonstrate how the FMEA method can be used to analyze information security risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and reformatting, it is essentially unchanged. We are very grateful for Bala's input.
This work is copyright © 2008, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers’ Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the accuracy of the users' assessment of risk factors, by the definition of information assets and by the framing of the risks being considered. For these reasons, the process is best conducted by a team of people with solid expertise and practical experience of (a) assessing and managing information security risks, and (b) the organization and its internal and external situation with respect to information security. Don't expect to get definitive answers from anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly. Some very experienced practitioners in this field claim that all risk analysis is basically bunkum, and we have some sympathy with that viewpoint.
The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other support functions and/or information security consultants) and may be adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because the organization has little if any experience of a particular information security risk does not necessarily mean that it can be discounted. Organizations with immature security management processes and systems may have significant ongoing security incidents that are not even recognized, due to inadequate incident detection and reporting processes.
Guideline to Carry out a Risk Assessment Using FMEA
Important notes:
This method does not consider asset values. Risks are identified for each asset and prioritized without taking account of the asset values.
The cumulative risk for the identified asset for each threat is ascertained by the Risk Priority Number (RPN).
Each asset can have more than one failure mode, and for each failure mode there can be more than one cause.
For more clarification, see the comments on the header cells of the FMEA Sample worksheet.
How to carry out the Risk Assessment (RA) using FMEA:
Identify the businesses or the services rendered by the department under the scope of the RA.
List the assets that deliver or support the business or service identified.
Write down the asset number (to avoid duplication).
Write down the function of the asset in delivering or maintaining the identified business or service.
Now identify the failure modes for the identified function. Please note that there could be more than one failure mode for each function.
Now identify the effect if the identified failure mode happens, that is, what the effect on the business or service will be if the failure mode occurs.
Now refer to the severity chart and choose the number relevant to the effect of the failure mode.
Now identify the cause of the failure mode. Please note that each failure mode can have more than one cause.
Now refer to the probability chart and choose the number most relevant to the frequency with which the cause occurs.
Now list the current controls. Kindly categorize the controls as preventive and detective controls. Write each control in a separate row.
Now refer to the detectability chart and choose a number relevant to the effectiveness of the controls.
You can now see the Risk Priority Number (RPN = Severity x Probability x Detectability, each ranked 1 to 10) calculated for a failure mode of the respective asset function.
Now identify who will implement the recommended control and by what target date the recommended control will be implemented.
Refer to the Probability Chart.
Refer to the Detectability Chart.
The new RPN is calculated. Compare it with the acceptable norms and, if it is not satisfactory, repeat the process.
Using prioritized risks
Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed/adjusted later.
Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked by RPN.
5% of 1000 (the maximum RPN value) is 50. So any RPN above 50 requires review and (probably) control improvements.
All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted above.
If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say, 15% to address lower risks.
Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence according to the RPNs.
Now if the RPN is not under the acceptable value, the risk status shows "HIGH RISK", and a recommendation to mitigate each of these HIGH RISK items has to be listed. Kindly list each control in a separate row.
Now if the RPN is under the acceptable value, the risk status shows "LOW RISK"; otherwise it displays HIGH RISK. If it is HIGH RISK, the process has to be repeated from step 1.
The prioritized list of risks provides management with a rational basis for determining how much resource to apply to risk reduction: the cutoff point should go further down the list if more resources are allocated, and vice versa.
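The RPN calculation, the ranking and the HIGH RISK / LOW RISK cutoff described in the guideline above, worked through in code. This is an added illustration and not part of the ISO27k Toolkit spreadsheet; the nine rows embedded below are transcribed from the FMEA Sample sheet (firewall, asset number 5000), while the class and function names are this example's own.

```python
"""Risk Priority Number (RPN) worked example for the FMEA-based risk assessment.

Added illustration, not part of the ISO27k Toolkit spreadsheet. The sample
rows are transcribed from the FMEA Sample sheet; all names here are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sev, Prob and Det are each ranked 1..10, so the largest possible RPN is 1000.
MAX_RPN = 10 * 10 * 10


def rpn(sev: int, prob: int, det: int) -> int:
    """RPN = Severity x Probability x Detectability, each on the 1..10 scale."""
    for name, value in (("Sev", sev), ("Prob", prob), ("Det", det)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be ranked 1..10, got {value}")
    return sev * prob * det


def high_risk_cutoff(top_fraction: float = 0.05) -> float:
    """Management's arbitrary cutoff: 5% of the maximum RPN (1000) is 50."""
    if not 0 < top_fraction <= 1:
        raise ValueError("top_fraction must be in (0, 1]")
    return top_fraction * MAX_RPN


def risk_status(rpn_value: int, cutoff: float) -> str:
    """Any RPN above the cutoff is HIGH RISK; at or under it is LOW RISK."""
    return "HIGH RISK" if rpn_value > cutoff else "LOW RISK"


@dataclass(frozen=True)
class FailureModeLine:
    sl_no: int
    failure_mode: str
    technical_effect: str
    sev: int
    prob: int
    det: int
    # Rankings expected after the recommended control is implemented
    new_sev: Optional[int] = None
    new_prob: Optional[int] = None
    new_det: Optional[int] = None

    def current_rpn(self) -> int:
        return rpn(self.sev, self.prob, self.det)

    def new_rpn(self) -> Optional[int]:
        if None in (self.new_sev, self.new_prob, self.new_det):
            return None
        return rpn(self.new_sev, self.new_prob, self.new_det)


# Transcribed from the page's FMEA Sample sheet: Sl.No., failure mode, technical
# effect, Sev, Prob, Det, then New Sev, New Occ, New Det after the recommended control.
SAMPLE_LINES: List[FailureModeLine] = [
    FailureModeLine(1, "Rules not appropriately configured", "Data Theft", 7, 2, 1, 2, 2, 1),
    FailureModeLine(2, "Encryption level (56 bit or 128 bit) mismatch",
                    "Data will be exposed as plain text", 7, 2, 1, 2, 2, 2),
    FailureModeLine(3, "Rules not appropriately configured", "Entry for External Hackers", 7, 2, 2, 1, 4, 2),
    FailureModeLine(4, "Rules not appropriately configured", "Entry for External Hackers", 7, 2, 4, 5, 3, 2),
    FailureModeLine(5, "Authentication mechanism using legacy systems having improper configuration",
                    "User may not have access to the requested service", 6, 1, 5, 1, 5, 3),
    FailureModeLine(6, "Rules not appropriately configured", "DDOS Attack", 10, 2, 1, 1, 4, 2),
    FailureModeLine(7, "User awareness", "CIA Compromised", 5, 6, 1, 5, 2, 2),
    FailureModeLine(8, "Rules not appropriately configured", "IP Spoofing", 8, 2, 4, 5, 3, 2),
    FailureModeLine(9, "Rules not appropriately configured", "DDOS Attack", 10, 2, 2, 2, 5, 2),
]


def rank_by_rpn(lines: List[FailureModeLine]) -> List[FailureModeLine]:
    """Rank by RPN, highest first; ties broken by Sl.No. so the listing is stable."""
    return sorted(lines, key=lambda line: (-line.current_rpn(), line.sl_no))


def assess(lines: List[FailureModeLine], top_fraction: float = 0.05
           ) -> List[Tuple[int, int, str, Optional[int], Optional[str]]]:
    """Return (Sl.No., RPN, status, new RPN, new status) per line, ranked by RPN."""
    cutoff = high_risk_cutoff(top_fraction)
    results = []
    for line in rank_by_rpn(lines):
        current = line.current_rpn()
        new = line.new_rpn()
        new_status = risk_status(new, cutoff) if new is not None else None
        results.append((line.sl_no, current, risk_status(current, cutoff), new, new_status))
    return results


def high_risk_sl_nos(lines: List[FailureModeLine], top_fraction: float = 0.05) -> List[int]:
    """Sl.No.s that need management review under the given cutoff, in RPN order."""
    return [sl for sl, _, status, _, _ in assess(lines, top_fraction) if status == "HIGH RISK"]


if __name__ == "__main__":
    print(f"HIGH RISK cutoff: RPN > {high_risk_cutoff():g}")
    for sl, current, status, new, new_status in assess(SAMPLE_LINES):
        print(f"Sl.No. {sl}: RPN {current:3d} {status:9s} -> new RPN {new:3d} {new_status}")
```

With the default 5% cutoff only Sl.No. 8 (RPN 64) and Sl.No. 4 (RPN 56) are HIGH RISK, and both drop to 30 after the recommended controls. Widening the cutoff to 1.5% of the maximum RPN, as the guideline suggests for a well-controlled organization, pulls seven of the nine rows into review. Note that Sl.No. 9 (DDOS attack, severity 10) sits below the 5% line only because its current controls score well on detectability; this is exactly the kind of result the disclaimer says management should review rather than accept from the numbers alone.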
FMEA Sample
Department: XYZ Department
All rows: Business / Service = Protecting IT Assets; Asset Name = Firewall; Asset Number = 5000. Rows are listed in the order of the sample sheet, which is descending RPN.

Analysis (Sev, Prob and Det are ranked 1 to 10 using the Severity, Probability and Detectability tabs; RPN = Sev x Prob x Det):

Sl.No. | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls | Det | RPN
8 | To block unauthorized requests | Rules not appropriately configured | IP Spoofing | Diversion of sensitive data traffic, fraud | 8 | Procedures not followed | 2 | Procedures available | 4 | 64
4 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 | (none listed) | 4 | 56
9 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 | Procedures available | 2 | 40
7 | To identify trusted zones by encryption | User awareness | CIA Compromised | Disclosure of customer database; commercial and privacy issues | 5 | Procedures not followed | 6 | Policies Defined | 1 | 30
5 | To identify trusted zones by encryption | Authentication mechanism using legacy systems having improper configuration | User may not have access to the requested service | Staff unable to work; backlogs; bad PR | 6 | Policies not fully implemented | 1 | Policies Defined | 5 | 30
3 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 | Procedures available | 2 | 28
6 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 | (none listed) | 1 | 20
2 | To identify trusted zones by encryption | Encryption level (56 bit or 128 bit) mismatch | Data will be exposed as plain text | Disclosure of customer database; commercial and privacy issues | 7 | Policies not fully implemented | 2 | Policies Defined | 1 | 14
1 | To block unauthorized requests | Rules not appropriately configured | Data Theft | Commercial and privacy consequences | 7 | Procedures not available | 2 | Nil | 1 | 14

Recommended controls and action results (New Sev, New Occ and New Det are the rankings expected after the recommended control; New RPN = New Sev x New Occ x New Det):

Sl.No. | RPN | Recommended Controls | Responsibility & Target Completion Date | New Sev | New Occ | New Det | New RPN
8 | 64 | Increase audit frequency | XYZ by end Jan 2006 | 5 | 3 | 2 | 30
4 | 56 | Increase audit frequency | XYZ by end Jan 2006 | 5 | 3 | 2 | 30
9 | 40 | Increase audit frequency | XYZ by end Jan 2006 | 2 | 5 | 2 | 20
7 | 30 | Not Required | Business owner to formally accept risk; XYZ by end March 2006 | 5 | 2 | 2 | 20
5 | 30 | User Awareness (preventive and detective) | (none listed) | 1 | 5 | 3 | 15
3 | 28 | Increase audit frequency | XYZ by end Jan 2006 | 1 | 4 | 2 | 8
6 | 20 | Increase audit frequency | XYZ by end Jan 2006 | 1 | 4 | 2 | 8
2 | 14 | User Awareness (preventive and detective) | XYZ by end March 2006 | 2 | 2 | 2 | 8
1 | 14 | User Awareness (preventive and detective) | XYZ by end March 2006 | 2 | 2 | 1 | 4

Log Monitoring is also listed as a recommended detective control among the firewall-rule rows (Sl.No. 8, 4, 9 and Sl.No. 3, 6).
Severity

Effect | SEVERITY of Effect | Ranking
Catastrophic | Resource not available / Problem unknown | 10
Extreme | Resource not available / Problem known and cannot be controlled | 9
Very High | Resource not available / Problem known and can be controlled | 8
High | Resource available / Major violation of policies | 7
Moderate | Resource available / Major violations of process | 6
Low | Resource available / Major violations of procedures | 5
Very Low | Resource available / Minor violations of policies | 4
Minor | Resource available / Minor violations of process | 3
Very Minor | Resource available / Minor violations of procedures | 2
None | No effect | 1
Probability

PROBABILITY of Failure | Failure Prob | Ranking
Very High: Failure is almost inevitable | >1 in 2 | 10
Very High: Failure is almost inevitable | 1 in 3 | 9
High: Repeated failures | 1 in 8 | 8
High: Repeated failures | 1 in 20 | 7
Moderate: Occasional failures | 1 in 80 | 6
Moderate: Occasional failures | 1 in 400 | 5
Moderate: Occasional failures | 1 in 2,000 | 4
Low: Relatively few failures | 1 in 15,000 | 3
Low: Relatively few failures | 1 in 150,000 | 2
Remote: Failure is unlikely | <1 in 1,500,000 | 1
Detectability

Detection | Likelihood of DETECTION | Ranking
Absolute Uncertainty | Control cannot prevent / detect potential cause/mechanism and subsequent failure mode | 10
Very Remote | Very remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 9
Remote | Remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 8
Very Low | Very low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 7
Low | Low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 6
Moderate | Moderate chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 5
Moderately High | Moderately high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 4
High | High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 3
Very High | Very high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 2
Almost Certain | Control will prevent / detect potential cause/mechanism and subsequent failure mode | 1