ISF IRAM2 Executive Summary - securityforum.org
Post on 21-Aug-2018
MANAGING INFORMATION RISK IS A BUSINESS ESSENTIAL
As information risks and cyber security threats increase, organisations need to move away from reacting to incidents toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout your enterprise is a business essential.
The ISF solution: IRAM2, a methodology to meet today’s challenges.
IRAM2 helps information risk practitioners, as well as other risk, business and technology leaders, to:
‒ Apply a simple, practical, yet rigorous approach: focus on simplicity and practicality, while embedding rigour throughout the assessment process. This enables consistent results and a depth of analysis that enhances business decision making.
‒ Focus on the business perspective: guide information risk practitioners’ analysis so that information risk is assessed from the perspective of the business. The end result is a risk profile that reflects a view of information risk in business terms.
‒ Obtain greater coverage of risks: enable broader and more comprehensive risk coverage, thereby reducing the chance that a significant risk will be overlooked.
‒ Focus on the most significant risks: allow key business and technology stakeholders to obtain a clear picture of where to focus resources, in order to deal with the information risks that are most significant to the organisation.
‒ Speak a common language: provide a common vocabulary and framework, enabling information risk practitioners and management to form a unified view of information risk across different areas of the business and to integrate it better into enterprise risk management.
‒ Engage with key stakeholders: empower information risk practitioners to engage with key business, risk and technology stakeholders in an organised and enterprise-aware manner.
IRAM2 is supported by four IRAM2 Assistants, each accompanied by a practitioner guide, that help automate one or more phases of the methodology.
IRAM2: The next generation in assessing information risk
Phase E: Risk Evaluation
Evaluate risk against your organisation’s risk appetite
IRAM2 provides pragmatic guidance to help evaluate risks following the business impact assessment, threat profiling and vulnerability assessment stages. Risk practitioners use this phase to map the likelihood of successful threat events to the most appropriate business impact scenario and to link this into the organisation’s wider enterprise risk framework.
[Figure: heat map plotting residual likelihood against residual business impact; each cell shows the number of risks falling in it, shaded by band (key: 1-2, 3-4, 5-9 and 10+ risks).]
Phase A: Scoping
Provide a business-centric view of risk
IRAM2 provides guidance for scoping information risk assessments across both the business and the technology. Risk practitioners use this phase to provide an integrated view of risk from the business service layer down to the technology infrastructure.
[Figure: scoping diagram showing business processes (input, processing, output) supported by applications, which in turn run on servers and a database, alongside the supporting IT processes of asset management, change management, capacity management and incident management.]
Phase B: Business Impact Assessment
Assess realistic and worst-case business impact scenarios
IRAM2 provides guidance for identifying and assessing business impacts. Risk practitioners use this phase to determine the potential business impact should information assets or systems have their confidentiality, integrity or availability compromised.
The IRAM2 information risk assessment methodology is set out in six phases. Each phase details the steps and key activities required to achieve the phase objectives, as well as identifying the key information risk factors and outputs.
Phase D: Vulnerability Assessment
Understand how well your environment/systems can resist threats
IRAM2 provides guidance for performing an assessment of the vulnerabilities that influence the likelihood of a threat event being successful. Risk practitioners use this phase to examine the extent to which key controls are relevant and implemented, which in turn determines control strength.
[Figure: worked control-strength assessment.
Example threat events: unauthorised monitoring and/or modification of communications; exploitation of vulnerabilities in an organisation’s information systems; software malfunction (internally produced software); loss of information systems; power failure or fluctuation; flooding.
Example controls: secure network design; event logging and monitoring; IDS/IPS; secure standardised system builds; wireless network security; security awareness; physical security; encryption (communications); security testing.
Control effectiveness by control reference:
Control reference | Control effectiveness
CTL01 | Effective
CTL03 | Partially effective
CTL04 | Ineffective
CTL05 | Effective
CTL06 | Effective
CTL07 | Partially effective
CTL10 | Partially effective
CTL11 | Partially effective
CTL18 | Ineffective
Resulting control strength shown for the first row: Low.]
[Figure: calculated versus moderated control strength across example components (Component A to Component E).
IRAM2 control number | IRAM2 control | Calculated control strength | Moderated control strength
1 | Information... | High | High
2 | Users should... | Moderate | Low
3 | The duties of... | High | High
4 | Staff working... | Low | Low
5 | Staff working in... | Negligible | Low
6 | IT staff should... | Negligible | Negligible
7 | Business users... | High | High
8 | Business users... | Low | Low
9 | Classified information... | Moderate | High]
Impact rating (by impact category, rated Negligible, Low, Moderate or High)
Financial
• Negligible: negligible loss in sales, orders or contracts (< 1%); negligible direct financial loss/profit reduction (< $10K)
• Low: minor loss in sales, orders or contracts (< 5%); minor direct financial loss/profit reduction (< $100K)
• Moderate: moderate loss in sales, orders or contracts (< 10%); moderate direct financial loss/profit reduction (< $500K)
• High: significant loss in sales, orders or contracts (> 10%); significant direct financial loss/profit reduction (> $500K)
Operational
• Negligible: negligible/insignificant loss of management’s ability to effectively govern or operate the organisation
• Low: minor loss of management’s ability to effectively govern or operate the organisation (e.g. limited impairment in decision making)
• Moderate: moderate loss of management’s ability to effectively govern or operate the organisation (e.g. noticeable impairment)
• High: significant loss of management’s ability to effectively govern or operate the organisation (e.g. serious impairment)
Legal and Regulatory Compliance
• Negligible: negligible impact on organisational operations, or on the relationship with regulator(s)
• Low: minor impact on organisational operations, or on the relationship with regulator(s)
• Moderate: moderate impact on organisational operations, and loss of confidence from key regulators
• High: significant impact on organisational operations, and serious loss of confidence from regulators
Reputational
• Negligible: negligible/insignificant negative publicity; customer complaints within normal levels
• Low: low levels of short-term negative publicity (e.g. local media coverage); marginal increase in customer complaints
• Moderate: moderate levels of sustained negative publicity; significant increase in customer complaints
• High: significant levels of sustained negative publicity; significant increase in customer complaints
Health and Safety
• Negligible: negligible/insignificant injury to one individual
• Low: minor injury or discomfort to one individual
• Moderate: significant injury to an individual or small group
• High: severe injury or loss of life to one or more individuals
Phase F: Risk Treatment
Develop pragmatic risk treatment plans
IRAM2 provides practical guidance for treating identified information risks. Risk practitioners use this phase to explore different approaches to treating information risk (i.e. mitigation, avoidance, transference and acceptance).
[Figure: risk treatment diagram labelled Inherent risk, Initial mitigation, Further mitigation, Residual risk, Avoidance, Risk appetite and Risk accepted, showing risk reduced from its inherent to its residual level and compared against the organisation’s risk appetite.]
Phase C: Threat Profiling
Understand and model threats
IRAM2 provides guidance for performing a pragmatic assessment of the information threat landscape. Risk practitioners use this phase to identify and profile key threats across different groups by determining the associated threat events.
[Figure: threat profiling overview.
Threat groups: 1 Adversarial; 2 Accidental; 3 Environmental.
Example threats: hacking group; individual hacker; customer; flooding; earthquake; tornado; fire (wild); volcanic eruption; tsunami.
Threat attributes: capability; commitment; competence; culture; intent; motivation; origin; privilege; severity.
Example threat events: session hacking; phishing; user error (accidental); resource depletion; misconfiguration; flooding.]
The six IRAM2 phases:
A Scoping
B Business Impact Assessment
C Threat Profiling
D Vulnerability Assessment
E Risk Evaluation
F Risk Treatment
The Information Risk Assessment Methodology 2 (IRAM2) is a simple, practical yet rigorous methodology that helps ISF Members identify, analyse and treat information risk throughout the organisation.
IRAM2 describes the following:
‒ Risk fundamentals: explains information risk and how it relates to the wider discipline of enterprise risk management.
‒ People and engagement: identifies the people, roles, skills and experience that are vital for effective information risk management and for the application of IRAM2.
‒ IRAM2 Phases: provides an overview of the methodology as well as a comprehensive description of the key steps, inputs and outputs accompanied by guidance for effective deployment.
The report also contains detailed supplementary material and further guidance to assist the information risk practitioner. For example, a common threat list, a threat event catalogue and a control library are included.
IRAM2 is supported by a range of deliverables to help Members implement the methodology. These include:
‒ IRAM2 Assistants to help automate steps in the methodology
‒ IRAM2 practitioner guides to support practitioners’ use of the Assistants
‒ An IRAM2 implementation space on the ISF Member website, ISF Live, which contains a facilitated forum for Members to discuss related issues and solutions, along with additional resources including recorded demonstrations of the Assistants.
IRAM2 is aligned with the ISF Standard of Good Practice for Information Security and the Security Healthcheck. It also incorporates research findings from Protecting the Crown Jewels: How to protect mission-critical information assets and Threat Intelligence: React and prepare.
Consultancy services from the ISF provide Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products including IRAM2.
IRAM2 is available free of charge to ISF Members and can be downloaded from www.isflive.org. Non-Members can purchase the report by contacting Steve Durbin at steve.durbin@securityforum.org.
WHERE NEXT?
CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953800
steve.durbin@securityforum.org
securityforum.org
ABOUT THE ISF
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.
DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.
©2017 Information Security Forum Limited
REFERENCE: ISF 17 07 02 | CLASSIFICATION: Public, no restrictions