Information security risk management

using ISO/IEC 27005:2008

Hervé Cholez / Sébastien Pineau

Centre de Recherche Public Henri Tudor
herve.cholez@tudor.lu sebastien.pineau@tudor.lu

March, 29th 2011 TAO – Workshop on CBA Security 1

 Objectives

 ISO/IEC 27005 is a standard that propose a way to

manage information security risks, particularly in the
context of the implementation of an ISMS* (ISO/IEC
27001)

 ISO/IEC 27005 is not a method, just a guide

 For the moment... discussions in progress!

* ISMS: Information Security Management System

TAO – Workshop on CBA Security 2

 Risk?

 Risk = (Threat * Vulnerability * Impact)

 Vulnerability: intrinsic to the object or situation
 Threat: probability of occurrence of an (external) event
exploiting the vulnerability
 Impact: consequence

 Example: burglary in your house

 Vulnerability: your home keys under your carpet
 Threat: a burglar comes along...
 Impact: loss of your money, your TV, etc.

TAO – Workshop on CBA Security 3

 Information Security Risk? (1/3)

 “potential that a given threat will exploit vulnerabilities of

an asset or group of assets and thereby cause harm to
the organization”

Threat

exploits

causes
Vulnerability Impact

concerns

Asset

TAO – Workshop on CBA Security 4

 Information Security Risk? (2/3)

 Asset
 “anything that has value to the organization”
 Primary: business processes and activities, information
 Support: hardware, software, network, personal, facilities

 Threat
 “Potential cause of an unwanted incident, which may result in
harm to a system or organization”
 Source of the risk, possible attack
 3 kinds
 Accidental (unintentional human action)
 Deliberate (voluntary human action)
 Environmental (non-human action)

TAO – Workshop on CBA Security 5

 Information Security Risk? (3/3)

 Vulnerability
 “weakness of an asset (or control) that can be exploited by a
threat”

 Impact
 “adverse change to the level of business objectives achieved”
 Consequence of the risk on the system or organization
 Generally expressed in terms of:
 Confidentiality
 Integrity
 Availability

TAO – Workshop on CBA Security 6

 Impacts?

 Confidentiality
 “property that information is not made available or disclosed to
unauthorized individuals, entities or processes”
 internal disclosure, external disclosure...
 Integrity
 “property of protecting the accuracy and completeness of
assets”
 accidental modification, deliberate modification, incorrect results,
incomplete results
 Availability
 “property of being accessible and usable upon demand by an
authorized entity”
 performance degradation, short-term/long-term interruption, total
loss (destruction)

TAO – Workshop on CBA Security 7

 Information security risk
management (ISRM)?

 “The total process of identifying, controlling, and

eliminating or minimizing uncertain events that may
affect IT system resources” [ISO/IEC 13335-1]

 3 objectives
 Improve information system security
 Justify information system security budget
 Prove the credibility of the information system using the
analysis performed

TAO – Workshop on CBA Security 8

ISO/IEC 27005

Information technology – Security techniques –

Information security risk management

TAO – Workshop on CBA Security 9

 Tudor’s activities

Audit à blanc 27001

FOURNISSEURS
Guide d’implémentation Maturer/Packager
27001 + templates
Implémentation d’un
SMSI
Formation(s) 27001

Maturer/Packager
Analyse écarts 27001

WEB
Décliner en
SaaS
Outil de gestion des niveaux/Packager
risques (27005 – EBIOS)
Gestion des risques Décliner en
Formation gestion des niveaux/Packager
risques (27005)

Méthodologie + template
Définition d'une Politique
de sécurité
Maturer/Packager
Toolbox

Décliner en
Evaluation de la maturité
Méthodologie + outil de niveaux/Packager
en sécurité de
mesure
l’information

10
Process

TAO – Workshop on CBA Security 11

Process

TAO – Workshop on CBA Security 12

 Context establishment

 Basic Criteria
 The scope and boundaries
 Organization for IRSM

TAO – Workshop on CBA Security 13

 Context establishment > Basic
Criteria

 Risk evaluation criteria

 Impact criteria
 Risk acceptance criteria

 These criteria are specific to a given

organization/system, to a given study, etc.

TAO – Workshop on CBA Security 14

 Context establishment > Basic
Criteria > Risk evaluation criteria (1)

 Depends on
 The strategic value of the business information process
 The criticality of the information assets involved
 Legal and regulatory requirements, and contractual obligations
 Operational and business importance of CIA
 Stakeholders expectations and perceptions, and negative
consequences for goodwill and reputation

 Enables to prioritize risks

TAO – Workshop on CBA Security 15

 Context establishment > Basic
Criteria > Risk evaluation criteria (2)

 Examples
Financial Risk level
0 Loss < 1000€ Unimportant risk
1 1000€ < Loss < 5000€ Risk affecting the internal operation
2 5000€ < Loss < 10000€ Risk affecting customers
3 Loss > 10000€ Risk

 Goal:
 Clear differentiation between levels
 Unambiguous interpretation

TAO – Workshop on CBA Security 16

 Context establishment > Basic
Criteria > Impact criteria (1)

 Cost per security incident, considering

 Level of classification of the impacted information asset
 Breaches of information security (e.g. Loss of CIA)
 Loss of business and financial value
 Disruption of plans and deadlines
 Damage of reputation
 Breaches of legal, regulatory or contractual requirements

TAO – Workshop on CBA Security 17

 Context establishment > Basic
Criteria > Impact criteria (2)

 Example
Confidentiality Integrity Availability
0 Public No constraint No constraint
1 Restricted Change visible Unavailable 1 week/year
2 Very restricted Change reduced Unavailable 1 day/year
3 Secret Can not be altered Always available

 Goal:
 Clear differentiation between levels
 Unambiguous interpretation

TAO – Workshop on CBA Security 18

 Context establishment > Basic
Criteria > Likelihood of risk

 Threat
Explanation
1 Very unlikely, according to statistics, or the cost or level of expertise required
2 May happen from time to time
3 Very likely easier to implement, no investment or special expertise

 Vulnerability
Explanation
0 Very low: measures in place effective against the threat
1 Medium: measures insufficient or inappropriate
2 High: no effective protection measures in place
3 Very high: lack of measures, or obsolete or irrelevant

TAO – Workshop on CBA Security 19

 Context establishment > Basic
Criteria > Risk acceptance criteria
(1)

 Formula:
Risk level = max(concerned impact) * (threat +
vulnerability – 1)

Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15

TAO – Workshop on CBA Security 20

 Context establishment > Basic
Criteria > Risk acceptance criteria
(2)
 Example
 An unacceptable risk is:
 A very likely risk
 Threat = 3

 With inadequate or inappropriate measures

 Vulnerability = 1

 And whose asset value is 3

 Impact = 3

RL = 3 * (3 + 1 - 1) = 9
Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15

TAO – Workshop on CBA Security 21

 Context establishment > Basic
Criteria > The scope and boundaries

 Generally the first step (chronologically)

 Definition of:
 Activity, processes to take into account
 Objectives
 Study borders (geographically, logically, ...)
 Legal constraints
 Etc.

TAO – Workshop on CBA Security 22

 Context establishment > Basic
Criteria > Organization for ISRM

 Roles and responsibilities definition for the risk

management process

 Must be documented

TAO – Workshop on CBA Security 23

Process

TAO – Workshop on CBA Security 24

 Risk assessment

 Risk analysis
 Risk identification
 Risk estimation

 Risk evaluation

TAO – Workshop on CBA Security 25

 Risk assessment > Risk
identification > Asset identification
(1)
 Primary asset identification
 business processes and activities, information

 Support assets identification (and mapping)

 Hardware, software, networking, people, facilities
 Knowledge bases available (e.g. EBIOS method)

 For each asset

 Owner identification
 Value determination
 Qualitative, quantitative, semi quantitative

TAO – Workshop on CBA Security 26

 Risk assessment > Risk
identification > Asset identification
(2)
 For each asset, impact determination

 Based on impact criteria

 “if criteria X of asset A is not fulfil, the impact would

be...”
Confidentiality Integrity Availability
0 Public No constraint No constraint
1 Restricted Change visible Unavailable 1 week/year
2 Very restricted Change reduced Unavailable 1 day/year
3 Secret Can not be altered Always available

TAO – Workshop on CBA Security 27

 Risk assessment > Risk
identification > Threat and
vulnerabilities identification
 Knowledge bases
 Interviews, brainstorming
 Expert analysis

 Take into account controls already in place

(vulnerabilities)
 For threats, take into account:
 Deliberate
 Accidental

TAO – Workshop on CBA Security 28

 Risk assessment > Risk estimation

 Risk = (Threat * Vulnerability * Impact)

 Use of the formula

Risk level = max(concerned impact) * (threat +
vulnerability – 1)

 Value for each identified risk

TAO – Workshop on CBA Security 29

 Risk evaluation

 Comparison
 Obtained risk levels from risk assessment
 Defined risk acceptance levels

Max(I) * (T+V-1) 0 1 2 3 4 5
0 0 0 0 0 0 0
1 0 1 2 3 4 5
2 0 2 4 6 8 10
3 0 3 6 9 12 15

TAO – Workshop on CBA Security 30

Process

TAO – Workshop on CBA Security 31

 Risk treatment

 4 choices
Risk
 Risk Reduction treatment

 Risk Retention
Risk Risk Risk Risk
 Risk Avoidance Reduction Retention Avoidance Transfer

 Risk Transfer

 Can be combined

 Results on a risk treatment plan

TAO – Workshop on CBA Security 32

 Risk treatment > Risk reduction

 Controls (measures) are implemented to reduce the

risk

 It generally affects the vulnerability

 ISO/IEC 27002 proposes a set of controls

 Constraints for risk reduction exist

 Time, financial, technical, etc...

TAO – Workshop on CBA Security 33

 Risk treatment > Risk retention

 Risk is accepted
 Nothing is done to reduce it

 Generally when risk level is less than risk acceptance

value

 But can be decided when risk is greater than risk

acceptance value
 Negative ROSI
 Risk-taking

TAO – Workshop on CBA Security 34

 Risk treatment > Risk avoidance

 Risk is refused
 “business” function cancelled

 Generally if the risk is too high and that no “cost-

effective” solution is found

TAO – Workshop on CBA Security 35

 Risk treatment > Risk transfer

 Risk is transferred or shared with third party

 Outsourcing
 Insurance

 Generally for high impact risks with low occurrence

 Can create other risks or modify existing risks

 Transfer the responsibility to manage the risk but not

the liability of an impact

TAO – Workshop on CBA Security 36

Process

TAO – Workshop on CBA Security 37

 Risk acceptance

 Risks effectively treated

 Review of the risk treatment
 Validation of selected solutions
 Selection of residual risks
 Residual risks
 Accepting a number of risks that can consider itself unable to
deal, or are acceptable to the organization

TAO – Workshop on CBA Security 38

Process

TAO – Workshop on CBA Security 39

 Risk communication

 Continuous step

 Obtain and communicate with all the stakeholders

 Collect information on risks and security
 Share risk assessment results
 Present risk treatment plan
 Awareness
 Etc.

TAO – Workshop on CBA Security 40

Process

TAO – Workshop on CBA Security 41

 Risk monitoring and review

 Continuous step

 Risks are constantly changing, all risk equation

elements must be tracked!
 New assets
 New threats
 New vulnerabilities
 Incidents
 Etc.

 Minor changes vs. major changes

TAO – Workshop on CBA Security 42

Thanks for your attention!

Any questions?

jocelyn.aubert@tudor.lu

TAO – Workshop on CBA Security 43