Risk Assessment for Asset Owners

ALAN CALDER
STEVE G WATKINS
Copyright Date: 2007
Published by: IT Governance Publishing
Pages: 46
https://www.jstor.org/stable/j.ctt5hh5xt
    Book Description:

    Risk assessment is at the heart of risk management, and the two together form the core competences of information security management. This title is a guide to the ISO27001 risk assessment, designed to assist asset owners and others who are working within an ISO27001/ISO17799 framework to deliver a qualitative risk assessment. It conforms with the guidance provided in BS7799-3:2006 and NIST SP 800-30.

    eISBN: 978-1-905356-29-4
    Subjects: Business, Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. Table of Contents
    (pp. 5-6)
  3. CHAPTER 1: INTRODUCTION
    (pp. 7-8)

    All organizations face risks¹ to information and information assets. Many organizations seek to identify and control those risks, usually as part of a structured approach to information security risk management.

    ISO/IEC27001:2005 is an international standard specification for an Information Security Management System (or ‘ISMS’). Organizations that develop an ISMS in line² with the specification of ISO27001 can receive external, third-party certification that their ISMS conforms to the standard, and such a certificate can have significant commercial, financial and compliance benefits.

    ISO/IEC17799:2005 is the international Code of Practice for information security; it provides detailed guidance to support the specification contained in...

  4. CHAPTER 2: INFORMATION SECURITY RISK MANAGEMENT
    (pp. 9-10)

    Organizations develop and implement risk management strategies in order to reduce the negative impact on the organization of risks occurring, and to provide a structured, consistent basis for making decisions around risk mitigation options. Risk management has two phases: risk assessment and risk treatment.

    Risk assessment is the process of identifying threats, and assessing the likelihood of those threats exploiting some vulnerability, and the potential impact of such an event occurring.

    Risk treatment is the process of responding to identified risks.

    Risk assessment, also known as risk analysis, is the process by which risks are identified and assessed. The assessment...

  5. CHAPTER 3: DEFINITIONS
    (pp. 11-12)

    ISO27001 has specific definitions⁶ for key terms, and these are relevant to those involved in carrying out risk assessments.

    Asset: anything that has value to the organization.

    Availability: the property of being accessible and usable upon demand by an authorized entity.

    Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes.

    Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Control is also used as a synonym for safeguard or countermeasure.

    Information processing facilities: any information processing system,...

  6. CHAPTER 4: ASSET OWNERS
    (pp. 13-14)

    According to ISO27001, every asset has an owner.⁷

    The term ‘owner’ is not meant to convey legal ownership of the asset to the individual and is defined (4.2.1 - d1, footnote 2) as the ‘individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets’. This could therefore be a system administrator or a manager who is responsible for defining how an asset or group of similar assets is used.

    The owner of the asset is the person – or part of the business – who is responsible for the appropriate...

  7. CHAPTER 5: OVERVIEW OF THE RISK ASSESSMENT PROCESS
    (pp. 15-19)

    ISO27001 says that ‘criteria against which risk will be evaluated’ must be contained within the ISMS policy (ISO 27001 clause 4.2.1 - b3). Within the context provided by the policy, the organization must identify a suitable risk assessment methodology that takes into account identified business, information security, legal and regulatory requirements (4.2.1 - c1) and must ensure that the criteria for accepting risks and for identifying the acceptable level of risks are defined (4.2.1 - c2).

    ISO27001 says that the organization’s risk assessment methodology – which should reflect the organization’s risk appetite and/or sit within the existing Enterprise Risk Management...

  8. CHAPTER 6: ASSET IDENTIFICATION
    (pp. 20-23)

    The first step in meeting the ISO27001 requirements for risk assessments is to identify all the information assets (and ‘assets’ includes information systems – which should be so defined in your information security policy) within the scope (4.2.1 - a) of the ISMS and, at the same time, to document which individual and/or department ‘owns’ the asset.

    The asset identification exercise can only take place once the scope⁹ has been finalised.

    ISO17799 identifies, in A.7.1.1, the six classes of assets that have to be considered, each of which should be referenced in your information security policy statement. They are as...

  9. CHAPTER 7: THREATS AND VULNERABILITIES
    (pp. 24-27)

    Information security threats and vulnerabilities go together.

    The difference between ‘threats’ and ‘vulnerabilities’ is not always immediately clear to people new to the subject. It is very important to differentiate clearly between these two attributes of a risk because the existence of the risk itself is dependent on the coexistence of a threat and a vulnerability.

    The simple difference is this:

      • vulnerabilities are flaws or weaknesses in an asset, whereas
      • threats can accidentally trigger or intentionally exploit a vulnerability to compromise some aspect of the asset.

    There are very many threats that have absolutely no relevance to many organizations. A...

  10. CHAPTER 8: ASSET VALUATION
    (pp. 28-32)

    The asset owner is usually also responsible for valuing the information asset.

    The successful exploitation of a vulnerability by a threat will have an impact on the asset’s availability, confidentiality or integrity. This may have consequences for the business, in terms of its actual operations, or from a compliance angle, or in relation to a contractual requirement. A single threat could exploit more than one vulnerability and each exploitation could have more than one type of impact. These impacts should all be identified. The potential business harm that might result from each of these identified impacts should then be estimated...

  11. CHAPTER 9: RISK LEVEL
    (pp. 33-34)

    The risk level is a function of impact and likelihood (probability). The final step in the risk assessment exercise is to assess the risk level for each impact.

    Three levels of risk assessment are usually adequate: low, medium and high. Where the likely impact is low and the probability is also low, then the risk level could be considered very low. Where the impact is at least high and the probability is also at least high, then the risk level might (depending on the design of the risk matrix) be either high or very high. These relationships are set out...

  12. CHAPTER 10: RISK TREATMENT AND CONTROL SELECTION
    (pp. 35-39)

    ISO27001 specifies that only once you have completed the risk assessment can you move on to the selection of controls. There are four control selection choices in what is known as ‘risk treatment’.

    The four risk treatment decisions that can be made are:

      • Accept the risk
      • Eliminate the risk by work-around or other arrangements
      • Control the risk to bring it to an acceptable level
      • Transfer it to a third party (eg, via insurance)

    The criterion that is used in making the decision is simple: either the risk is within the organization’s pre-determined, board-approved risk tolerance level, in which case it...
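    The chain described in Chapters 8 to 10 (impact per affected property, likelihood, a three-level risk matrix whose corners may stretch to ‘very low’ and ‘very high’, and a treatment decision taken against a pre-determined tolerance) can be made concrete with a small risk-register calculator. The code below is an added illustration, not the book’s own material: the exact matrix design, the tolerance threshold, the asset names, owners and ratings are all assumptions chosen to match the text, and a real ISMS would substitute its own board-approved criteria.

    ```python
    """Qualitative ISO27001-style risk assessment: register -> risk level -> treatment decision.

    Added example. The 3x3 matrix below is one possible design (the book notes that
    high impact + high likelihood may map to 'high' or 'very high' depending on the
    matrix); the register entries are constructed sample data.
    """
    from dataclasses import dataclass
    from enum import IntEnum


    class Level(IntEnum):
        """Three-level scale used for both impact and likelihood."""
        LOW = 1
        MEDIUM = 2
        HIGH = 3


    # Ordered risk scale; the extremes only appear at the matrix corners.
    RISK_SCALE = ["very low", "low", "medium", "high", "very high"]

    # Assumed matrix design: (impact, likelihood) -> risk level.
    RISK_MATRIX = {
        (Level.LOW, Level.LOW): "very low",
        (Level.LOW, Level.MEDIUM): "low",
        (Level.LOW, Level.HIGH): "medium",
        (Level.MEDIUM, Level.LOW): "low",
        (Level.MEDIUM, Level.MEDIUM): "medium",
        (Level.MEDIUM, Level.HIGH): "high",
        (Level.HIGH, Level.LOW): "medium",
        (Level.HIGH, Level.MEDIUM): "high",
        (Level.HIGH, Level.HIGH): "very high",
    }


    @dataclass(frozen=True)
    class RiskEntry:
        """One register row: a threat exploiting a vulnerability in an asset,
        rated for its impact on one of confidentiality/integrity/availability."""
        asset: str
        owner: str
        threat: str
        vulnerability: str
        affected_property: str
        impact: Level
        likelihood: Level


    def risk_level(impact: Level, likelihood: Level) -> str:
        """Risk level as a function of impact and likelihood (matrix lookup)."""
        return RISK_MATRIX[(impact, likelihood)]


    def treatment_decision(level: str, tolerance: str) -> str:
        """Within the board-approved tolerance -> accept; otherwise the owner
        must eliminate, control or transfer the risk (the book's four options)."""
        if RISK_SCALE.index(level) <= RISK_SCALE.index(tolerance):
            return "accept"
        return "treat: eliminate, control or transfer"


    def assess(register, tolerance: str):
        """Run every register entry through the matrix and the tolerance test."""
        results = []
        for e in register:
            level = risk_level(e.impact, e.likelihood)
            results.append({
                "asset": e.asset,
                "owner": e.owner,
                "property": e.affected_property,
                "risk_level": level,
                "decision": treatment_decision(level, tolerance),
            })
        return results


    def outside_tolerance(results):
        """Entries that must appear in the Risk Treatment Plan."""
        return [r for r in results if r["decision"] != "accept"]


    # Constructed sample register (hypothetical assets, owners and ratings).
    SAMPLE_REGISTER = [
        RiskEntry("customer database", "Head of Sales", "external attacker",
                  "unpatched database server", "confidentiality", Level.HIGH, Level.MEDIUM),
        # Same threat/vulnerability pair, second impact type: one exploitation
        # can have more than one kind of impact, so each gets its own row.
        RiskEntry("customer database", "Head of Sales", "external attacker",
                  "unpatched database server", "integrity", Level.HIGH, Level.MEDIUM),
        RiskEntry("backup tapes", "IT Manager", "fire",
                  "tapes stored on the same site", "availability", Level.HIGH, Level.LOW),
        RiskEntry("public brochure PDF", "Marketing Manager", "accidental deletion",
                  "no version control", "availability", Level.LOW, Level.LOW),
    ]


    if __name__ == "__main__":
        for row in assess(SAMPLE_REGISTER, tolerance="low"):
            print(row)
    ```

    With a tolerance of ‘low’, the two customer-database rows rate ‘high’ and the tape row ‘medium’, so all three need a treatment decision, while the brochure row rates ‘very low’ and is accepted; raising the tolerance to ‘medium’ moves the tape row into the accepted set, which is exactly the lever the board controls when it sets the acceptance criteria required by clause 4.2.1 - c2.
    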

  13. CHAPTER 11: STATEMENT OF APPLICABILITY AND RISK TREATMENT PLAN
    (pp. 40-43)

    The completion of the risk assessment and the risk treatment decisions must be documented. This produces two documents:

      • Statement of Applicability, and
      • Risk Treatment Plan.

    The first lists all the controls listed in Annex A of ISO27001 and documents whether or not they have been applied within the ISMS, and also identifies any additional controls that have been applied. The second maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation plan.

    As the controls are selected, the Statement of...

  14. CHAPTER 12: REVIEWING THE RISK ASSESSMENT
    (pp. 44-45)

    ISO27001 sets out the requirement: ‘review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks’ taking into account changes in the business environment, to the organization, to the risks it faces, to the incidents it experiences, to regulatory changes and in light of the effectiveness of the controls.¹⁵

    Given the rate of development of new threats, the discovery of new vulnerabilities and the development of new technology (with its own inherent vulnerabilities), the information security management system needs to be continually reviewed to ensure it remains fit for purpose and that it...

  15. ITG RESOURCES
    (pp. 46-48)