The
first shortcut is called not
all assets. An asset in the
ISO 27001 is rather broadly defined as anything that has value to
the organization and the standard says you are to "identify
assets within the scope". I know of no company that has charted
all assets. I suggest you start by "just" assessing your
main business processes. Not any other type of asset and certainly
not everything with an ip-number. You may later expand the scope to
also include the services or systems that support your business
processes (called sub-systems in NIST SP800-37). You and your
colleagues probably already have a good sense of what business
processes matter most to your business. This shortcut is
basically a materiality criterion that allows you to perform fewer
risk assessments and to spend our time on the more important ones.
The second shortcut is not all threats. If you look, you'll likely find that many information security standards contain fairly comprehensive threat catalogs. Further, if you make your own threat brainstorm to list everything that could possibly go wrong, you quickly discover your threat catalogs are becoming much too long to be operational. This shortcut is to split the assets into types, and then identify which threats are relevant to different asset types. For example, not all types of assets can burn. Business processes, IT services, logical servers, etc. does not burn. It is only the more physical types, such as hardware and buildings. And even within the different physical assets one can make responsible shortcuts by only assessing the threat from the fire at a datacenter, not individually on all the equipment that also stands in the data center. The shortcut here gives fewer threat assessments.
Inheritance is the name of the third shortcut. Good practice and some standards prescribe to make both the Business Impact Assessments (BIA) and probability assessments. The latter is performed by estimating how vulnerabile your assets are to the relevant threats.
The second shortcut is not all threats. If you look, you'll likely find that many information security standards contain fairly comprehensive threat catalogs. Further, if you make your own threat brainstorm to list everything that could possibly go wrong, you quickly discover your threat catalogs are becoming much too long to be operational. This shortcut is to split the assets into types, and then identify which threats are relevant to different asset types. For example, not all types of assets can burn. Business processes, IT services, logical servers, etc. does not burn. It is only the more physical types, such as hardware and buildings. And even within the different physical assets one can make responsible shortcuts by only assessing the threat from the fire at a datacenter, not individually on all the equipment that also stands in the data center. The shortcut here gives fewer threat assessments.
Inheritance is the name of the third shortcut. Good practice and some standards prescribe to make both the Business Impact Assessments (BIA) and probability assessments. The latter is performed by estimating how vulnerabile your assets are to the relevant threats.
Here
is the problem: It's difficult to make both kinds of assessments on
an asset. Example #1: It is difficult to make vulnerability
assessment on a business process. Example #2: It's more than
difficult to make a business impact assessment on a server; few
people,if any, know which business processes a server supports
and how important those are to the business.
The solution to this challenge is to identify dependencies between your assets. In a business process, you can identify which other assets it depends on. Business Impact Assessment are then done "only" on a business process level. Business Impact values are then inherited downwards to the supporting assets.
The solution to this challenge is to identify dependencies between your assets. In a business process, you can identify which other assets it depends on. Business Impact Assessment are then done "only" on a business process level. Business Impact values are then inherited downwards to the supporting assets.
Vulnerability
assessments are made "only" on the supporting assets, e.g.
applications, virtual servers, data centers. The vulnerability
scores are inherited upwards to the business process.
This
method gives us a dependency hierarchy in which we have
BIA scores and vulnerability or probability scores on each asset,
and hence it's no problem to calculate a risk score on each asset.
This
shortcut results in fewer impact assessments and fewer
vulnerabilities assessments, and you'll benefit from
assessments that actually is possible to perform.
Fourth and last shortcut is high level assessments first. When you conduct a BIA, you will be asking about how much a security incident is expected to impact revenues, costs, image or contractual and statutory compliance. The fourth shortcut is to assess these factors collectively, not individually. The same goes for vulnerability assessments where protection for multiple threats can be assessed together. Granted, it is a shortcut, and you can probably find experts who say that this is not good enough. I still think it makes sense to begin at a high level. You'll subsequently get plenty of opportunities to refine and evaluate your assets in more details, where that makes sense. Therefore, this is also a responsible shortcut, especially if your organization has not yet made risk assessments a recurrent, regular routine.
Fourth and last shortcut is high level assessments first. When you conduct a BIA, you will be asking about how much a security incident is expected to impact revenues, costs, image or contractual and statutory compliance. The fourth shortcut is to assess these factors collectively, not individually. The same goes for vulnerability assessments where protection for multiple threats can be assessed together. Granted, it is a shortcut, and you can probably find experts who say that this is not good enough. I still think it makes sense to begin at a high level. You'll subsequently get plenty of opportunities to refine and evaluate your assets in more details, where that makes sense. Therefore, this is also a responsible shortcut, especially if your organization has not yet made risk assessments a recurrent, regular routine.
Here is a brief summary of the shortcuts:
- Not all assets
- Not all threats
- Up and downwards inheritance
- High level assessments first - refine later
Remember
that risk assessments and risk management - as all other security
efforts - is a process, not a
project. Apply this knowledge
to use the shortcuts to a great extent and run your risk
assessments gently at the first runs. You can refine later, for
example by including more assets, more threats, involving more
people (more reviews), or going into more details in your
assessments.
I'm suggesting these shortcuts will make you save time (your own time, the time of your colleagues, or even your consulting costs if you have such). The shortcuts will also get you closer to ISO 27001 compliance with less effort (I know; we're ISO 27001 certified).
I'm suggesting these shortcuts will make you save time (your own time, the time of your colleagues, or even your consulting costs if you have such). The shortcuts will also get you closer to ISO 27001 compliance with less effort (I know; we're ISO 27001 certified).
PS! For purpose of full disclosure: I am the founder and CEO in Neupart that sells IT GRC tools and consulting services in risk management and other related disciplines. You can use the four shortcuts with or without Neupart's risk management tool , SecureAware. If you look at the screens from SecureAware ( at the bottom of this link ) you get some examples of how the four shortcuts can be implemented and which questions you can ask in your risk assessments.
Do you find these shortcuts responsible and perhaps even useful? Or do you have tips for practical risk assessment that you want to share?
About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.
No comments:
Post a Comment