ISMS Manual

Course Book Ver 2.
1
ISMS Implementation
Objective
To understand
– The concepts of assets, threats and Vulnerabilities
– Components of Risk Assessment
– Their inter-relationship
– The Risk assessment and management Process
Risk Assessment and Management – Risk assessment Methodologies
To Carry out Risk assessment
Ver2.2 Module: Risk Assessment and Management 2
Risk Assessment related terms Assets
Asset An asset is something to which an organization

Threat assigns value to, examples include :
Vulnerability – Information assets
Risk – Software assets
Risk Analysis – Physical assets
Risk Evaluation – Services
Risk Assessment
Acceptable Risk Must be those relevant to the scope of the
Risk Management Information Security Management System
Security Control
Asset require protection
Residual Risk
Ver2.2 Module: Risk Assessment and Management 3 Ver2.2 Module: Risk Assessment and Management 4
However Value of an asset

Each organization has its own asset valuation scale (e.g. ‘high’,
‘medium’, ‘low’ etc.)
The values express the potential impact and damage to the
business from a loss of
An organization must determine which assets may – Confidentiality
materially affect delivery of product/ service by their – Integrity
– Availability
absence or degradation; or damage the organization
Values associated with breach of legislation
through loss of confidentiality or integrity or
Dependent on
availability. – Financial loss
– Loss of sales/market share
– Service unavailability & disruption to operations
– Loss of Processing capability & productivity
– Damage to image and reputation
© STQC IT Services, Department of Information Technology 6-1

Ministry of Communications and Information Technology
Course Book Ver 2.1
ISMS Implementation
Vulnerabilities Threats
Vulnerabilities are weaknesses

associated with an organization’s Threats are anything that could cause
assets, damage / harm / loss to assets
These weaknesses may be Threats can be accidental or deliberate
exploited by threats causing loss /
damage / harm to the assets Assets are subject to many kinds of threats
which exploit vulnerabilities associated with
A vulnerability in itself does not
them.
cause harm until exploited
Threats & Vulnerabilities: Threats & Vulnerabilities:

Human Resources Security Physical Security
Vulnerability Threat
Vulnerability Threat
Unsupervised work by Theft Unprotected storage Theft
outsider
Unstable power grid Power fluctuation
Insufficient security training Operational support staff
error Lack of physical protection of Theft
building
Poorly documented Operational support staff
Susceptibility to voltage Power fluctuation
software error
fluctuation
Lack of monitoring Use of facilities in
Susceptibility to temperature Temperature extremes
mechanism unauthorized way
variation
Lack of policies for correct Use of facilities in Location in flood susceptible Flooding
use of Internet / e-mail unauthorized way area
Security Risk
A security risk is the potential that a given threat will exploit

vulnerabilities to cause loss/damage to asset
It is a function of the impact of the undesirable event and
the probability of the event occurring
RISK MANAGEMENT PROCESS
?

Course Book Ver 2.1
ISMS Implementation
Risk Assessment Components and

Security Controls
their Relationship
Measures to Prevent, Detect or Reduce the Risk
Effective security generally requires combinations of
exploit
the following : Threats Vulnerabilities
detection Correction Protect against increase increase expose
deterrence recovery Security reduce Security

Assets
Controls Risks
Prevention monitoring
Limitation awareness Met by indicate increase have
Security Asset Values

Requirements & Impacts
What is Risk Assessment
Assessment of threats to, impacts on and

vulnerabilities of assets and the likelihood of their
occurrence
Carrying out Risk Assessment It produces an estimate of the risk to an asset at a given
point in time.
Implementation issue
The Purpose of Risk Assessment ISO27001: 2005 Clause 4.2.1. Requires that
To identify the security requirements for the The organization needs to have
organization's information assets – Identify a risk assessment methodology that is suited
To review the consequences of the risks i.e. to the ISMS, and the identified business information
impact to the business security, legal and regulatory requirements.
To make decisions on how to manage the risks – Develop criteria for accepting risks and identify the
– accept or tolerate acceptable levels of risk.
– avoid The risk assessment methodology selected shall ensure
– transfer the responsibility that risk assessments produce comparable and
– reduce or control reproducible results.

Course Book Ver 2.1
ISMS Implementation
Risk Assessment and management Process Risk Assessment and management Process
contd…
Risk
Riskassessment
assessment Risk
Riskassessment
assessmentactivities
activities
&& management
management Risk
Risk Risk
Riskassessment
assessmentactivities
activities
tasks
tasks assessment
assessment &&
Asset Identify management
Asset Identifyand
andlist
listall
allassets,
assets,define
defineaavalue
valuescale
scaleand
andfor
foreach
each management
identification tasks
identificationand
and asset
assetassign
assignvalues
valuesfrom
from this
thisscale
scale tasks
valuation
valuation Risk
RiskCalculation
Calculation Calculate
Calculatethetherisk
riskas
asaafunction
functionofofthe
theassets,
assets,threats
threats
Threat Identify and
andvulnerabilities
vulnerabilitiesusing
usingsuitable
suitablemethod
Threat Identifyall
all threats
threatsassociated
associatedwith
withthe
thelist
listofofassets
assetsandand method
assessment assign Identification
Identification&& Identify
Identifythe
thesuitable
suitablerisk
risktreatment
treatmentaction
actionfor
foreach
eachofofthe
assessment assignaavalue
valueto tothem
them according
accordingtototheir
theirlikelihood
likelihoodof of the
occurrence Evaluation
Evaluationof identified
identifiedrisks
risksfrom
from the
thedifferent
differentavailable
availablerisk
risktreatment
occurrenceand andseverity
severity Risk
of treatment
Vulnerability
Vulnerability Identify
Identifyall
all vulnerabilities
vulnerabilitiesassociated
associatedwith
withthethelist
listof
ofassets
assets RiskTreatment
Treatment options
options
Options
Options
assessment
assessment and
andassign
assignaavalue
valuetotothem
them according
accordingto tohow
howeasily
easilythey
they
might Selection
Selectionofof Select
Selectsuitable
suitablesecurity
securitycontrols
controlstotoreduce
reducethetherisks
risksto
to
mightbebeexploited
exploitedby bythe
thethreats
threats Security
SecurityControls
Controls acceptable
acceptablelevel
level
&&Risk
Risk
Reduction
Reduction&&
Acceptance
Acceptance
Asset Identification Asset Valuation
The organization shall demonstrate that it has identified The organization shall need to demonstrate that it
the information assets covered by the scope as defined has established the value(s) of the information
by the organization. assets.
The value(s) shall be measured in terms of impact on
This shall include the method for ensuring that the the organization.
assets defined are appropriate to the proposed Consider business impacts in terms of
information security management system and that they – Financial loss
are complete. – Loss of sales/market share
– Service unavailability & disruption to operations
– Processing capability & productivity loss
– Damage to image and reputation
Example :Asset Valuation Example :Asset Valuation
Confidentiality(C)
Confidentiality(C) Integrity(I)
Integrity(I)
Asset
Asset Class
Class Description
Description Asset
Asset Class
Class Description
Description
Value
Value Value
Value
11 Publicly
Publicly Non-sensitive
Non-sensitive, ,available
availableto
tothe
thepublic
public 11 Very
Verylow
low Business
Businessimpact
impactisisnegligible
negligible
available
available integrity
integrity
22 Low
Low Business
Businessimpact
impactisisminor
minor
22 For
Forinternal
internaluse
use Non-sensitive
Non-sensitiveinformation
informationrestricted
restrictedto
tointernal
internal
only use integrity
integrity
only useonly
only
33 Medium
Medium Business
Businessimpact
impactisissignificant
significant
33 Restricted
Restricteduse
use Varying
Varyingrestriction
restrictionwithin
withinthe
theorganization
organization integrity
integrity
only
only
44 High
High Business
Businessimpact
impactisismajor
major
44 In-Confidence
In-Confidence Available
Availableon
onaaneed-to-know
need-to-knowbasis
basis integrity
integrity
55 Very
Veryhigh
high Business
Businessimpact
impactcould
couldlead
leadto
toserious
seriousor
or
integrity
integrity total
totalfailure
failureof
ofbusiness
businessapplication
application
55 Strictest-In-
Strictest-In- Available
Availableon
onaastrict
strictneed-to-know
need-to-knowbasis
basis
Confidence
Confidence

Course Book Ver 2.1
ISMS Implementation
Example :Asset Valuation Example :Asset Valuation

Asset
Asset CC II AA
Availability
Availability(A)
(A) Publicly
Publicly Very
Verylow
low==11 High
High==44 High
High==44
Asset
Asset Class Description
Value
Class Description available
availableWeb
Web
Value
11 Very
Verylow
low Availability
Availabilityisisrequired
requiredfor
foratatleast
least25%
25%of
ofevery
everyworking
working
site
site
availability
availability day
dayoffice
officehours
hours Human
Human Very
VeryHigh
High==55 Very
VeryHigh
High==55 Medium
Medium==33
22 Low
Low Availability
requiredfor
foratatleast
least50%
50%of
ofevery
everyworking
working resources
resources
availability day
dayoffice
officehours
availability hours database
database
33 Medium Availability
requiredfor
forevery
everyworking
workingday
dayoffice
Medium
availability hours
office Finance
FinanceGroup
Group Very
VeryHigh
High==55 Very
VeryHigh
High==55 Medium
Medium==33
availability hours
LAN/Server
LAN/Server
44 High
High Availability
requiredeveryday
everydayatatleast
least95%
95%of
ofthe
thetime
time
availability
availability
55 Very Internal
Internal Medium
Medium==44 High
High==44 Medium
Medium==33
VeryHigh
High Availability
requiredeveryday
everydayatatleast
least99.9%
99.9%of
ofthe
the
availability
availability time
time company-wide
company-wide
Email
EmailServer
Server
Example: Asset Inventory Threat Assessment

For each asset
Value
Value – Identify the threats
– Identify the relevance of the threat
Asset
AssetID
ID Asset
AssetType
Type Owner
Owner&&Location
Location CC II AA
• Does it matter, is it important or of significance?
OS1
OS1 Network
NetworkOS
OS System
SystemAdministrator
Administrator 11 33 33 • Are there vulnerabilities?
– Identify the Threat frequency
OS2
OS2 PC
PCOS
OS System
SystemAdministrator
Administrator 11 44 33
• how often a threat occurs, according to statistics etc.
S1
S1 Mail
MailServer
Server System
SystemAdministrator
Administrator 33 33 33 • For deliberate threats: motivation, attractiveness,
capabilities necessary, resources available
DB1 HR
HRData
DataBase HRD
HRDManager 33 44 22
DB1 Base Manager • For accidental threats: geographical factors, factors that
PC1 PC Individual
could influence human errors and equipment malfunction
PC1 PC IndividualUsers
Users 11 11 11
Compile a list of relevant threats for each asset, their
values and related vulnerabilities
Example :Threat Valuation Vulnerability Assessment

Identifying vulnerabilities of the asset
– What are security problems of this asset?
Score Rating – Are controls missing for the asset?
– Are flaws in the current protection mechanisms?
1 Low probability
Identifying vulnerabilities in the environment
2 Mid Probability – How secure is the physical environment?
3 High Probablity – Is the personnel well trained, aware of security and
compliant with the controls
– what about connections, networks etc.

Course Book Ver 2.1
ISMS Implementation
Vulnerability Valuation
Risk Assessment
Assess the level of weakness
Risk is function of Asset value, Threat value and
– How likely is it that a vulnerability will be exploited
Vulnerability value
– How good are the security controls in place
Assign values for vulnerabilities R=ƒ (A,T,V)
R= Risk Value (RC/RI/RA) T= Threat Value (TC/TI/TA)
A= Asset value (AC/AI/RA) V= Vulnerability value (VC/VI/VA)
Example :
Score Rating Organization is free to chose the function ‘ƒ’ as
1 Very Secure
long as the out put of Risk Assessment is relevant
2 Security is present but needs to improve
Sometimes threats and vulnerabilities are commonly called as
3 Security is clearly inadequate at present and needs to improve strongly
Security concern and assessed as single entity S(SC/SI/SA)
Levels of Acceptable Risk Risk management

The process of identifying, controlling and
It is not possible to achieve total security minimizing or eliminating security risks (that may
There will always be some Residual risk affect information systems) for affordable cost.
RM includes RA and Risk Treatment.
What level of residual risk is acceptable to be
organization?
Consequence
Transfer Avoid
Accept Reduce
Probability
Some Risk Assessment Methods
Matrix with predefined values

Ranking of threats by
measures of risk
RISK ASSESSMENT METHODOLOGIES STQC method

Course Book Ver 2.1
ISMS Implementation
Matrix with Predefined Values Risk Matrix
Evaluate the information assets in a pre-defined qualitative THREAT LOW MEDIUM HIGH
scale from its quantitative / qualitative value
VULNERABILITY L M H L M H L M H
Evaluate the level of threat in a pre-defined qualitative scale
from its likelihood of occurrence, for each asset VL 1 2 3 2 3 4 3 4 5
ASSET VALUE
Evaluate the level of vulnerability in a pre-defined qualitative L 2 3 4 3 4 5 4 5 6
scale from the ease of exploitation by the threats to cause
adverse impact, for each asset M 3 4 5 4 5 6 5 6 7
Find out risk as a function of the corresponding value of assets, H 4 5 6 5 6 7 6 7 8
threats & vulnerabilities, from the risk matrix with predefined
values VH 5 6 7 6 7 8 7 8 9
Example : Risk Calculation Table Risk Prioritization

No Asset ID Asset Name Ratings Threat Description Threat Vulnerability Risk
Value Value
C I A Description Value THREAT LOW MEDIUM HIGH
XX/YY/ZZZZ/AAAA
VULNERABILITY L M H L M H L M H
VL 1 2 3 2 3 4 3 4 5
ASSET VALUE
L 2 3 4 3 4 5 4 5 6
M 3 4 5 4 5 6 5 6 7
H 4 5 6 5 6 7 6 7 8
VH 5 6 7 6 7 8 7 8 9
Ranking of Threats by Measures of Risk Ranking of Threats by Measures of Risk:

Example
• Evaluate the impact (asset value) on a predefined Threat descriptor Impact (asset) Likelihood of Measure Threat
(a) value threat occurrence of risk ranking
scale, e.g., 1 through 5 of each threatened asset. (b) (c) (d) (e)
• Evaluate the likelihood of threat occurrence on a Threat A 5 2 10 2

predefined scale, e.g., 1 through 5 of each threat Threat B 2 4 8 3
• Calculate the measure of risk by multiplying (b x Threat C 3 5 15 1
c)
Threat D 1 3 3 5
• Rank the threat in order of their exposure
Threat E 4 1 4 4
Threat F 2 4 8 3

Course Book Ver 2.1
ISMS Implementation
STQC method for detailed RA STQC method for detailed RA

Identify and evaluate the asset (or group) for confidentiality (C), integrity
Risk calculation:
(I) and availability (A) separately .
Identify Security Concerns (Threat or Vulnerability) for each high valued Generically for each asset/group of assets the following risks shall be
estimated:
asset. – Accidental loss of Confidentiality (RAC)
The values of the Security Concerns (SCs) shall be assigned based on the – Deliberate loss of Confidentiality (RDC)
– Accidental loss of Integrity (RAI)
likelihood of the particular vulnerability to be exposed by one or many
– Deliberate loss of Integrity (RDI)
threats and considering the existing security controls, in a 4-point scale(0- – Accidental loss of Availability (RAA)
3) by taking the following into consideration: – Deliberate loss of Availability (RDA)
– Significance/ relevance of the concerns
The Risk Value (RV) from a particular Security Concern for each group of
– For deliberate threats, consider the motivation, perceived capability and resource asset is evaluated as below:
availability to carry them out Risk Value (RV) = Asset Value (AV) + 2 X Security Concern (SC)
– For accidental threats, consider the geographical environmental, personnel factors
– Existing and planned security controls. The outcome of this exercise is documented in RiskCal.xls
Risk Assessment Output :Risk Grading Commercial Off the Shelf Tools
7 8 9 10 11
3
The organization may use a commercial-off-the-shelf
concern
Value of Security
5 6 7 8 9 (COTS) risk assessment tool or any other appropriate

2
method provided that it :
3 4 5 6 7
1
1 2 3 4 5
will determine the vulnerabilities, threats and
0
probabilities of threats to the defined assets,
1 2 3 4 5 Is repeatable and sustainable and
will provide the organization with a usable measure of
Asset value (C/A/I)
Decision: risk.
If Risk value ≥ 9 : Immediate action to be taken
If 9 >Risk value ≥ 7 :Some action to be taken Examples of Risk Assessment Tools :COBRA, CRAMM, BSI-RA Tools etc.
If Risk value < 7 : Accept the risk
Managing the risks : Options for the Risk Risk Reduction Possibilities
Treatment
Reduce the Risk by applying appropriate Controls Reduce the vulnerabilities
Risk avoidance – Reduce/eliminate the weaknesses
– Not performing the activity Reduce the likelihood of occurrence
– Moving assets away from an area of risk
– Reduce/eliminate the cause
– Deferring a decision until more information is obtained
– Minimize the probability by preventive measures
Risk transfer
– By contracting-out Reduce the consequences of impact
– Take out an insurance – Taking steps to prevent, minimize or contain impact
Risk Acceptance
– Do nothing and accept the risk as it is
– Situation is unavoidable
– Risk is tolerable
Ignoring the risk
– Where their impact is judged to be minimal

Course Book Ver 2.1
ISMS Implementation
Degree of Assurance Residual Risk
ISO 27001 clause 4.2.1c states “Determine criteria for No control can ever offer ABSOLUTE assurance, there
accepting the risks and identify the acceptable levels of will always be a residual risk.
risk.”
Management, having defined the degree(s) of
assurance required from the ISMS must accept these
residual risks and be accountable if subsequently a
security breach occurs, and it was not through a
breakdown in the authorized ISMS.
ISO 27001 Clause 4.2.1 h & i) states “Obtain

management approval of the proposed residual risks
and authorization to implement and operate the ISMS”.
Selection of Control Objectives and Implementing the Controls

Controls
A plan of implementation should be developed
Review the risks and identify control options
containing
– Priorities (input from risk assessment)
The selection of controls should be made to bring – Implementing schedule
down the risk to acceptable level – The budget needed
– Responsibilities
The selection of controls should be cost effective
– Necessary training activities
It should be checked that all identified controls

are really implemented
This is done through development of

Risk Treatment Plans
Example :Risk Treatment Plan Template

Baseline Controls are
Common sense best practices, e.g.
New Control measures Estimated Estimated HOD – Information security policy document (3.1.1)
Identification Related Risk Activity Major/Minor Time Cost Approved – Controls against malicious software (8.3.1)
Number Change Responsibility – Information back-up (8.4.1)
Mandatory legal requirements, e.g.
– Data protection (12.1.4)
Satisfying contractual obligations, e.g.
– External facilities management (8.1.6)
– Outsourcing contracts (4.3.1)
«

Course Book Ver 2.1
ISMS Implementation
Summary
Risk Assessment is one of the most important task in

evaluating the security requirements of the
organization
The Organization need to evolve a suitable Risk
Assessment strategy and define the Acceptable Risk
Levels.
Risk assessment should cover all the assets covered
in the scope
Example :Information Assets Example : Software Assets
Databases and data files Application Software

System documentation System Software
User manual Development tools
Training material Utilities
Operational/ Support procedures
Continuity Plans
Fallback arrangements
Archived Information
« «
Example : Physical Assets Example : Services
Computer equipment (Processors, monitors, laptops, Modems) Computing and Communication Services
Communication equipment ( Routers, PABXs, fax machines) General Utilities e.g. Heating, lighting, Power, air conditioning.
Magnetic Media (tapes and Disks)
Other technical equipment( Power supplies, Airconditioning
units), Furniture, accomodation
« «


ISMS Manual

Uploaded by

Copyright:

Available Formats

ISMS Manual

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISMS Manual

Uploaded by

Copyright:

Available Formats

What are some examples of information assets discussed in the document?

What are some examples of information assets discussed in the document?

What are some examples of physical assets discussed in the document?

What are some examples of physical assets discussed in the document?

Course Book Ver 2.

Ver2.2 Module: Risk Assessment and Management 2

Risk Assessment related terms Assets

 Asset  An asset is something to which an organization

However Value of an asset

© STQC IT Services, Department of Information Technology 6-1

Vulnerabilities are weaknesses

Threats & Vulnerabilities: Threats & Vulnerabilities:

 A security risk is the potential that a given threat will exploit

RISK MANAGEMENT PROCESS

© STQC IT Services, Department of Information Technology 6-2

Risk Assessment Components and

detection Correction Protect against increase increase expose

deterrence recovery Security reduce Security

Security Asset Values

What is Risk Assessment

 Assessment of threats to, impacts on and

Ver2.2 Module: Risk Assessment and Management 16

© STQC IT Services, Department of Information Technology 6-3

Asset Identification Asset Valuation

Example :Asset Valuation Example :Asset Valuation

© STQC IT Services, Department of Information Technology 6-4

Example :Asset Valuation Example :Asset Valuation

Example: Asset Inventory Threat Assessment

Example :Threat Valuation Vulnerability Assessment

© STQC IT Services, Department of Information Technology 6-5

Levels of Acceptable Risk Risk management

Some Risk Assessment Methods

 Matrix with predefined values

© STQC IT Services, Department of Information Technology 6-6

Matrix with Predefined Values Risk Matrix

Example : Risk Calculation Table Risk Prioritization

Ranking of Threats by Measures of Risk Ranking of Threats by Measures of Risk:

• Evaluate the likelihood of threat occurrence on a Threat A 5 2 10 2

© STQC IT Services, Department of Information Technology 6-7

STQC method for detailed RA STQC method for detailed RA

5 6 7 8 9 (COTS) risk assessment tool or any other appropriate

© STQC IT Services, Department of Information Technology 6-8

Degree of Assurance Residual Risk

ISO 27001 Clause 4.2.1 h & i) states “Obtain

Selection of Control Objectives and Implementing the Controls

 It should be checked that all identified controls

This is done through development of

Example :Risk Treatment Plan Template

© STQC IT Services, Department of Information Technology 6-9

 Risk Assessment is one of the most important task in

Ver2.2 Module: Risk Assessment and Management 55

Example :Information Assets Example : Software Assets

 Databases and data files  Application Software

Example : Physical Assets Example : Services

© STQC IT Services, Department of Information Technology 6-10

You might also like

Asset An asset is something to which an organization

A security risk is the potential that a given threat will exploit

Assessment of threats to, impacts on and

Matrix with predefined values

It should be checked that all identified controls

Risk Assessment is one of the most important task in

Databases and data files Application Software