Introduction and acknowledgement

Contents

The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.

The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.

The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria.

Copyright

Disclaimer

An illustration of the application of Failure Modes and Effects Analysis (FMEA) techniques to the analysis of information security risks

The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to demonstrate how the FMEA method can be used to analyze information security risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and reformatting, it is essentially unchanged. We are very grateful for Bala's input.

This work is copyright © 2008, ISO27k implementers' forum, some rights reserved.  It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.  You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers’ Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.

Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the accuracy of the users' assessment of risk factors, on the definition of information assets and on the framing of risks being considered. For these reasons, the process is best conducted by a team of people with solid expertise and practical experience of (a) assessing and managing information security risks, and (b) the organization, its internal and external situation with respect to information security. Don't expect to get definitive answers from anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly. Some very experienced practitioners in this field claim that all risk analysis is basically bunkum, and we have some sympathy with that viewpoint.

The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other support functions and/or information security consultants) and may be adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because the organization has little if any experience of a particular informaiton security risk does not necessarily mean that it can be discounted. Organizations with immature security management processes and systems may have significant ongoing security incidents that are not even recognized, due to inadequate incident detection and reporting processes.

Important notes:

How to carry out the Risk Assessment (RA) using FMEA:

1

2

3

4

5

6

7

8

9

10

11

12

14

15

16

17

18

19

Using prioritized risks

Guideline to Carry out a Risk Assessment Using FMEAImportant notes:

This method does not consider asset values. Rrisks are identified for each asset and prioritized without taking account of the asset values.

The Cumulative risk for the identified asset for each threat is ascertained by the Risk Priority Number (RPN)

Each asset can have more than one failure mode and for each failure mode there can be more than one cause.

For more clarification see the comments on the header in each cell of the FMEA sample worksheet

How to carry out the Risk Assessment (RA) using FMEA:

Identify the businesses or the services rendered by the department under the scope of RA

Compute the assets that deliver or support the business or service identified

Write down the asset number (to avoid duplication)

Write down the function of the asset in delivering or maintain the identified business or service

Now identify the failure modes for the identified function. Please note that there could be more than one failure mode for each function

Now identify the effect, if the identified failure mode happens. That if the identified failure mode happens what will be the effect on the business or service.

Now refer the severity chart and choose the number relevant to the effect of the failure mode

Now identfiy the cause for the failure mode. Please note that each failure mode can have more than one cause.

Now refer to the probability chart and choose the number that is more relevant to the frequency of the cause happening.

Now list down the current controls. Kindly categorize the controls as preventive and detective controls. Write each control in separate rows.

Now refer to the detectability chart and choose a number relevant to the effectiveness of the controls.

You can now see the Risk Priority Number calculated for a failure mode of the respective asset function.

Now identify who will implement the recommended control and by what target date the recommended control would be implemented.

Refer the Probability Chart

Refer the Detectability Chart

New RPN is calculated. Compare it with the acceptable norms and if not satisfying then redo the same process.

Using prioritized risks

Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed/adjusted later.

Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked by RPN.

5% of 1000 (the maximum RPN value) is 50. So any RPN above 50 requires review and (probably) control improvements.

All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted above.

If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say 15% to address lower risks.

Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence according to the RPNs.

Now if the RPN is not under the acceptable value then the risk status shows "HIGH RISK", recommendation to mitigate each of these HIGH RISK has to be listed down. Kinldy list each control in separate rows.

Now if the RPN is under the acceptable value then the risk status shows "LOW RISK". Else it displays as HIGH RISK. If it is HIGH RISK then the process has to be repeated from step 1.

The prioritized list of risks provides management with a rational basis for determining how much resource to apply to risk reduction: the cutoff point should go further down the list if more resources are allocated, and vice versa.

FMEA Sample

Page 4

Department: XYZ Department

Sl.No. Business / Service Asset Name Asset Number Function

Current Controls

8 Firewall 5000 IP Spoofing 8 2

4 Firewall 5000 7 2

9 Firewall 5000 DDOS Attack 10 2

7 Firewall 5000 User awareness 5 6

5 Firewall 5000 6 1

Potential Failure Mode(s)

Potential Technical Effect(s) of Failure

Potential Business Consequence(s) of

Failure

Sev

Potential Cause(s)/ Mechanism(s) of

Failure

Prob

Preventive Controls

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Diversion of sensitive data traffic, fraud

Procedures not followed

Procedures available

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Entry for External Hackers

Disclosure or modification of

business records;

prosecution; bad PR; customer

defection

Procedures not followed

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Inability to process

electronic transactions; bad

PR; customer defection

Procedures not followed

Procedures available

Protecting IT Assets

To identify trusted zones by encryption

CIA Compromised

Disclosure of customer database;

commercial and privacy issues

Procedures not followed

Policies Defined

Protecting IT Assets

To identify trusted zones by encryption

Authentication mechanism using legacy

systems having improper

configuration

User may not have access to the requested

service

Staff unable to work; backlogs;

bad PR

Policies not fully implemented

Policies Defined

FMEA Sample

Page 5

Sl.No. Business / Service Asset Name Asset Number Function

Current Controls

Potential Failure Mode(s)

Potential Technical Effect(s) of Failure

Potential Business Consequence(s) of

Failure

Sev

Potential Cause(s)/ Mechanism(s) of

Failure

Prob

3 Firewall 5000 7 2

6 Firewall 5000 DDOS Attack 10 2

2 Firewall 5000 7 2

1 Firewall 5000 Data Theft 7 2 Nil

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Entry for External Hackers

Disclosure or modification of

business records;

prosecution; bad PR; customer

defection

Procedures not followed

Procedures available

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Inability to process

electronic transactions; bad

PR; customer defection

Procedures not followed

Protecting IT Assets

To identify trusted zones by encryption

Encryption level (56 bit or 128 bit) mismatch

Data will be exposed as

plain text

Disclosure of customer database;

commercial and privacy issues

Policies not fully implemented

Policies Defined

Protecting IT Assets

To block unauthorized

requests

Rules not appropriately configured

Commercial and privacy

consequences

Procedures not available

FMEA Sample

Page 6

Current Controls

Action Results

Implemented Controls

New

Sev

Ne

w O

cc

New

De

t

Detective Controls Detective Controls

4 64 5 3 2

4 56 5 3 2

2 40 2 5 2

1 30 Not Required Not Required 5 2 2

5 30 User Awareness User Awareness 1 5 3

Det

RPN

Recommended Controls

Responsibility & Target Completion

Date

Detective Controls

Preventive Controls

Preventive Controls

Increase audit frequency

XYZ by end Jan 2006

Increase audit frequency

Log Monitoring

Increase audit frequency

XYZ by end Jan 2006

Increase audit frequency

Increase audit frequency

XYZ by end Jan 2006

Increase audit frequency

Business owner to formally accept risk

XYZ by end March 2006

FMEA Sample

Page 7

Current Controls

Action Results

Implemented Controls

New

Sev

Ne

w O

cc

New

De

t

Det

RPN

Recommended Controls

Responsibility & Target Completion

Date

2 28 1 4 2

1 20 1 4 2

1 14 User Awareness User Awareness 2 2 2

1 14 User Awareness User Awareness 2 2 1

Increase audit frequency

XYZ by end Jan 2006

Increase audit frequency

Log Monitoring

Increase audit frequency

XYZ by end Jan 2006

Increase audit frequency

XYZ by end March 2006

XYZ by end March 2006

FMEA Sample

Page 8

New

RP

N

30

30

20

20

15

FMEA Sample

Page 9

New

RP

N

8

8

8

4

Severity

Page 10

Effect SEVERITY of Effect RankingCatastrophic Resource not available / Problem unknown 10

Extreme 9

Very High 8

High Resource Available / Major violation of policies 7

Moderate Resource Available / Major violations of process 6

Low Resource Available / Major violations of procedures 5

Very Low Resource Available / Minor violations of policies 4

Minor Resource Available / Minor violations of process 3

Very Minor Resource Available / Minor violations of procedures 2

None No effect 1

Resource not available / Problem known and cannot be controlled

Resource not available / Problem known and can be controlled

Probability

Page 11

PROBABILITY of Failure Failure Prob Ranking

Very High: Failure is almost inevitable>1 in 2 10

1 in 3 9

High: Repeated failures1 in 8 8

1 in 20 7

Moderate: Occasional failures

1 in 80 6

1 in 400 5

1 in 2,000 4

Low: Relatively few failures1 in 15,000 3

1 in 150,000 2

Remote: Failure is unlikely <1 in 1,500,000 1

Detectability

Page 12

Detection Likelihood of DETECTION Ranking

10

Very Remote 9

Remote 8

Very Low 7

Low 6

Moderate 5

Moderately High 4

High 3

Very High 2

Almost Certain 1

Absolute Uncertainty

Control cannot prevent / detect potential cause/mechanism and subsequent failure mode

Very remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Very low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Moderate chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Moderately High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Very high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode

Control will prevent / detect potential cause/mechanism and subsequent failure mode