First Measure Your Risk
Risk assessment is a
fundamental prerequisite of BS7799-2. The standard
does not require you to use any particular
approach, nor does it list any
"approved" methods. What, then, is a
risk assessment method, and how can you tell
whether your method will meet with the approval
of a BS7799 assessor? Moreover, how can an
assessor decide if the level of residual risk
that you are prepared to live with is acceptable
to the standard?

BS 7799's risk assessment objective
The objective of a risk assessment, in the
context of BS 7799, is to balance the safeguards
identified in the Statement
of Applicability against the risk (i.e. probability) of failing to meet your
business objectives. The most you can lose is
your exposure. In the context of a
typical commercial enterprise, your exposure
would be measured in terms of regulatory
penalties and financial loss.
- for a given exposure, the removal
of safeguards will increase the
risk of loss (i.e. make the
situation "risky"). The
addition of too many safeguards
could, on the other hand, render
the security system OTT
("over-the-top"). The
BS 7799 objective is to achieve a
proper balance of safeguards,
resulting in a well
"managed" security
system.
- given a well balanced system, any
increase in exposure will result
in a "risky" situation,
while a reduction in exposure
will render the security system
OTT.
Remember that your choice of
safeguards isn't restricted to those
listed in BS 7799 Part 1. You can import
from other standards or invent your own.
Some definitions
Some definitions are always useful. Here are two
particularly good ones:
In the absence of any safeguard:
Risk is the combination of a threat exploiting some vulnerability that could cause harm to some asset.
In ITSEC terms, the threat is a measure of attack strength.
It can be expressed in terms of parameters such
as the attacker's capability and motivation, and
how often they will try. The notion of a
defensive capability can be captured with the aid
of the following diagram. Here, the threat is
represented by the golden key. The length of the
key represents the attack strength of the threat.
The asset is represented by the money and the
defensive capabilities of the safeguards are
represented by the green ring. The thinning of
the ring in the vicinity of the threat represents
a vulnerability.
The effect of a safeguard is
to mitigate (i.e. lessen the effect of) the
threat, the vulnerability or even lessen the
value of the asset. This leads to the concept of
residual risk:
Residual risk is a combined function of (1) a threat less the effect of some threat-reducing safeguards; (2) a vulnerability less the effect of some vulnerability-reducing safeguards; and (3) an asset less the effect of some asset-value-reducing safeguards.
We can illustrate this as follows:
- (1) Reduce the threat. Example: safeguards that establish the trustworthiness of people.
- (2) Reduce the vulnerability. Example: system patches.
- (3) Reduce the asset value. Example: encryption.
In turn, we can think of risk as a cube drawn
in threat-vulnerability-asset space. The mitigation effect of a safeguard reduces the
volume of this cube, as shown opposite, and allows
us to start to reason about the measurement of
risk.
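The following Python model is an added illustration, not part of the original page or of BS 7799 itself. It puts the two ideas above into code: the risk cube whose edges are threat, vulnerability and asset value, and the earlier point that too few safeguards leave the system "risky" while too many make it "OTT". Each safeguard shortens one edge of the cube by a fraction, following the page's three example categories (trustworthiness of people, patches, encryption). The scenario numbers, the fractional effects, the tolerance figure and the OTT threshold are all constructed assumptions chosen to make the behaviour visible; the page supplies no such values.

```python
"""Toy model of the BS 7799 risk cube: risk = threat x vulnerability x asset.

Added illustration, not from the original page. All numbers below are
constructed; the safeguard effects and the tolerance thresholds are
assumptions chosen to make the "risky" / "managed" / "OTT" balance visible.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

# The three edges of the cube, matching the page's three safeguard categories.
THREAT, VULNERABILITY, ASSET = "threat", "vulnerability", "asset"


@dataclass(frozen=True)
class Safeguard:
    name: str
    dimension: str  # which edge of the cube the safeguard shortens
    effect: float   # fraction of that edge removed: 0.0 (none) .. 1.0 (total)

    def __post_init__(self) -> None:
        if self.dimension not in (THREAT, VULNERABILITY, ASSET):
            raise ValueError(f"unknown dimension {self.dimension!r}")
        if not 0.0 <= self.effect <= 1.0:
            raise ValueError("effect must be a fraction between 0 and 1")


def inherent_risk(threat: float, vulnerability: float, asset: float) -> float:
    """Volume of the cube with no safeguards in place (the page's first definition)."""
    return threat * vulnerability * asset


def residual_risk(threat: float, vulnerability: float, asset: float,
                  safeguards: Iterable[Safeguard]) -> float:
    """Volume after each safeguard shortens its own edge of the cube.

    Models the page's second definition: threat, vulnerability and asset
    value are each lessened by the safeguards acting on them. Several
    safeguards on the same edge compound multiplicatively (an assumption
    of this model, not something the page states).
    """
    edges = {THREAT: threat, VULNERABILITY: vulnerability, ASSET: asset}
    for s in safeguards:
        edges[s.dimension] *= (1.0 - s.effect)
    return edges[THREAT] * edges[VULNERABILITY] * edges[ASSET]


def classify(residual: float, tolerance: float, ott_fraction: float = 0.1) -> str:
    """Place a residual risk on the page's risky / managed / OTT scale.

    `tolerance` is the residual risk the business is prepared to live with.
    Above it the system is "risky"; below `ott_fraction` of it, more
    safeguards are in place than the exposure justifies ("OTT"). Both
    thresholds are assumptions made for this illustration.
    """
    if residual > tolerance:
        return "risky"
    if residual < tolerance * ott_fraction:
        return "OTT"
    return "managed"


# Constructed scenario: a fairly capable threat, a half-open weakness, and an
# exposure of 100 (regulatory penalties plus financial loss, arbitrary units).
SCENARIO = dict(threat=0.8, vulnerability=0.5, asset=100.0)
TOLERANCE = 5.0  # constructed: the residual risk the business accepts

# One safeguard per edge, following the page's three examples.
BALANCED = [
    Safeguard("personnel vetting", THREAT, 0.25),  # trustworthiness of people
    Safeguard("system patching", VULNERABILITY, 0.6),
    Safeguard("encryption at rest", ASSET, 0.9),   # lessens the asset's value to an attacker
]


def assess(safeguards: Iterable[Safeguard]) -> Tuple[float, str]:
    """Residual risk and its classification for the constructed scenario."""
    r = residual_risk(**SCENARIO, safeguards=list(safeguards))
    return r, classify(r, TOLERANCE)


if __name__ == "__main__":
    print("inherent risk:", inherent_risk(**SCENARIO))
    print("balanced set:", assess(BALANCED))      # within tolerance: managed
    print("no safeguards:", assess([]))           # first bullet: removal makes it risky
    extra = BALANCED + [Safeguard("air gap", THREAT, 0.8)]
    print("one safeguard too many:", assess(extra))  # well below tolerance: OTT
    # Second bullet: the same balanced set against a larger exposure is risky again.
    bigger = dict(SCENARIO, asset=1000.0)
    print("bigger exposure:", classify(residual_risk(**bigger, safeguards=BALANCED), TOLERANCE))
```

Running the block walks through the two bullets from the balance section: stripping safeguards from the balanced set pushes the residual above tolerance, piling on an extra one drops it into OTT territory, and a tenfold rise in exposure makes the previously balanced set risky without any safeguard changing. The point for an assessor is that "acceptable" is a relation between residual risk and exposure, not a fixed list of controls.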

Further guidance
Have a look at PD3002, a
Guide to BS 7799 Risk Assessment and Risk
Management. It hails from ISO SC27 Working Group
1's work on an appetising five-volume set of risk
management guidance from an IT perspective.