ISO/IEC 27005 Information Security Risk Management
02-Jul-21 Annual Review

Information Security Management

Information security
The practice of protecting information by mitigating information risks. (Wikipedia)
The preservation of confidentiality, integrity and availability of information. (ISO/IEC 27000:2018)

Information security
▪ Confidentiality
▪ Integrity
▪ Availability
▪ Non-repudiation

ISMS (Information Security Management System) as per ISO/IEC 27001
Policies, procedures, plans, activities, controls, responsibilities and resources that are managed by an organization in order to protect its assets.
Risk management is the core element of an ISMS.

The ISO/IEC 27000 series of standards

Standards in the ISO/IEC 27000 family
ISO/IEC 27000 – Overview and vocabulary
ISO/IEC 27001 – Requirements for an ISMS
ISO/IEC 27002 – Guidance for information security controls
ISO/IEC 27003 – Guidance for implementing an ISMS
ISO/IEC 27005 – Guidelines for information security risk management
ISO/IEC 27007 – Guidelines for auditing an ISMS
Sector-specific standards:
ISO/IEC 27011 (for the telecommunications sector)
ISO 27799 (for the health sector)
ISO/IEC 27017 (cloud services)
… (see www.iso.org)

About ISO/IEC 27005

ISO/IEC 27005:2018
Guidelines (not requirements) for information security risk management.
Applicable to any organization (regardless of sector) that implements an ISMS.
The first edition of ISO/IEC 27005 was published in 2008, the second in 2011 and the third (current today, in 2021) in 2018.
Related standard: ISO 31000 – Guidelines for risk management.

Risk Management

Risk (generally)
The effect of uncertainty on objectives.
Risk (in the context of information security)
The possibility that threats will exploit vulnerabilities and cause harm.
Risk management
Coordinated activities to direct and control an organization with regard to risk.

Information security risk management
(process overview)

Establishing the context

Establish the context
- Understand the organization
- Define the purpose of risk management
- Define the scope and boundaries of the risk management process
- Consider the constraints

Establish the context
Understand the organization – Purpose. Business. Mission. Values.
Purpose of risk management – Why is a risk management process necessary?
Scope and boundaries – What is covered by the risk management process.
Constraints – Originating from inside or from outside the organization.

Organization for information security risk management

Organization for risk management
Assign and communicate responsibilities
▪ Clear and well understood responsibilities and authorities
▪ Integrated approach with a multi-disciplinary structure?

Risk assessment (general considerations)

Risk assessment
- Risk identification
- Risk analysis
- Risk evaluation
Risk – combination of consequences and probability

High level vs. detailed risk assessment
High level risk assessment
- Starts from consequences.
- Helps gain a global image of the organization.
- Focused on the business and operational environment.
- Simpler; may need to be complemented with a detailed assessment.
Detailed risk assessment
- Requires more time, effort and expertise.
- More suitable for high-risk information systems.
- Involves asset valuation and assessment of threats and vulnerabilities.

Identification of assets

Asset
“Anything that has value to an organization and which, therefore, requires protection.” (ISO/IEC 27005:2018)

Asset identification
Primary assets
- Business processes and activities (not all processes)
- Information (not all information)
Supporting assets
- Hardware
- Software
- Network
- Personnel
- Site (locations)
- Organization’s structure

Asset valuation

Criteria for asset valuation
▪ Initial cost of the asset
▪ Replacement/ re-creation cost
▪ Consequences in the event of an incident (impairment of business performance, financial loss, loss of customer trust, loss of competitive advantage, reputation affected, material damage, personal safety issues, etc.)

Scale for asset valuation
▪ Usually 3 to 10 levels (low, medium, high …)
▪ Define what each level represents

Dependencies
▪ If the values of the dependent assets are lower than or equal to the value of the asset considered, its value remains the same.
▪ If the values of the dependent assets are greater, then the value of the asset considered should be increased.
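The dependency rule above, as an added example that is not part of the slides: the asset names, the 1 to 5 valuation scale and the dependency graph are constructed assumptions, and raising a supporting asset to the highest value among the assets that depend on it (transitively) is one way to apply "its value should be increased".

```python
# Added example (not from the slides): propagating asset values along
# dependencies as the "Dependencies" rule on the asset valuation slide
# describes. All assets, values and dependencies below are constructed.

# Assumed valuation scale: 1 (low) .. 5 (very high).
# Primary assets (processes, information) carry a directly assigned value;
# supporting assets (hardware, network, personnel) start from a base value.
BASE_VALUE = {
    "order-processing": 5,    # primary: business process
    "customer-database": 4,   # primary: information
    "marketing-site": 2,      # primary: business process
    "db-server": 3,           # supporting: hardware
    "web-server": 2,          # supporting: hardware
    "core-switch": 1,         # supporting: network
    "dba-team": 2,            # supporting: personnel
}

# DEPENDENTS[x] lists the assets that depend on x (x supports them).
DEPENDENTS = {
    "db-server": ["order-processing", "customer-database"],
    "web-server": ["marketing-site", "order-processing"],
    "core-switch": ["db-server", "web-server"],
    "dba-team": ["db-server"],
}

def effective_value(asset, base=BASE_VALUE, dependents=DEPENDENTS):
    """Value after the dependency rule: keep the base value when no dependent
    is worth more, otherwise raise it to the highest dependent value,
    following dependency chains transitively."""
    on_path = set()

    def walk(a):
        if a in on_path:          # dependency cycle: fall back to base value
            return base[a]
        on_path.add(a)
        value = base[a]
        for d in dependents.get(a, []):
            value = max(value, walk(d))
        on_path.discard(a)
        return value

    return walk(asset)

def valuation_report(base=BASE_VALUE, dependents=DEPENDENTS):
    """Map each asset to (base value, effective value, raised?)."""
    report = {}
    for a in base:
        eff = effective_value(a, base, dependents)
        report[a] = (base[a], eff, eff > base[a])
    return report
```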
Identification of threats

Threat – the potential cause of an unwanted incident, which can result in harm to a system or to an organization. (ISO/IEC 27000:2018)

Examples of typical threats (ISO/IEC 27005)
Source: A – accidental, D – deliberate, E – environmental
Physical damage
  Destruction of equipment or media – A, D, E
  Dust, corrosion or freezing – A, D, E
  Fire – A, D, E
  Water damage – A, D, E
Natural events
  Earthquake – E
  Volcanic phenomenon – E
  Flood – E
Loss of essential services
  Loss of power supply – A, D, E
  Failure of telecommunication equipment – A, D
  Failure of utility systems (e.g., air conditioning) – A, D
Disturbance due to radiation
  Electromagnetic radiation – A, D, E
  Electromagnetic pulses – A, D, E
Compromise of information
  Theft of media or documents – D
  Data from untrustworthy sources – A, D
  Tampering with hardware – D
  Theft of equipment – D
  Remote spying – D
  Eavesdropping – D
Technical failures
  Equipment failure – A
  Equipment malfunction – A
  Software malfunction – A
Unauthorized actions
  Unauthorized use of equipment – D
  Fraudulent copying of software – D
  Use of counterfeit software – A, D
  Corruption of data – D
  Illegal processing of data – D
Compromise of functions
  Denial of actions – D
  Abuse of rights – A, D
  Error in use – A

Human threat sources
Hacker, cracker
  Motivation: Challenge, ego, rebellion, status, monetary gain
  Possible consequences: Hacking, Social engineering, System intrusion, break-ins, Unauthorized system access
Computer criminal
  Motivation: Monetary gain, unauthorized data alteration, illegal information disclosure, destruction of information
  Possible consequences: Spoofing, System intrusion, Fraudulent act (e.g. impersonation, interception)
Terrorist
  Motivation: Blackmail, destruction, exploitation, revenge, media coverage, political gain
  Possible consequences: Information warfare, Bomb, System attack (e.g. DDOS), System tampering
Industrial espionage
  Motivation: Economic advantage, economic espionage
  Possible consequences: Information theft, Social engineering, System penetration, Unauthorized system access
Insiders (e.g. poorly trained, disgruntled, malicious, negligent, dishonest or terminated employees)
  Motivation: Curiosity, ego, revenge, monetary gain, unintentional errors, omissions
  Possible consequences: Computer abuse, Blackmail, Fraud and theft, Input of falsified or corrupted data, Malicious code, Unauthorized system access, Sale of personal information, System bugs

Identification of vulnerabilities

Vulnerability – weakness of an asset or control that can be exploited by one or more threats. (ISO/IEC 27000:2018)

Identification of vulnerabilities
Examples of vulnerabilities by type, each with an example of a threat that can exploit it:
Hardware
  Unprotected storage – Theft of media or documents
  Lack of care at disposal – Theft of media or documents
  Susceptibility to voltage variations – Loss of power supply
  Sensitivity to electromagnetic radiation – Electromagnetic radiation
  Insufficient maintenance/ faulty installation of storage media – Breach of information system maintainability
Software
  No or insufficient software testing – Abuse of rights
  Lack of audit trail – Abuse of rights
  Known software issues (flaws) – Abuse of rights
  Wrong allocation of access rights – Abuse of rights
  Complicated user interface – Error in use
  Lack of identification and authentication mechanisms – Forging of rights
  Poor password management – Forging of rights
  Immature or new software – Software malfunction
  Incomplete or unclear specifications for developers – Software malfunction
  Lack of back-up copies – Tampering with software
Network
  Unprotected communication lines – Eavesdropping
  Poor joint cabling – Failure of telecommunications equipment
  Insecure network architecture – Remote spying
  Transfer of passwords in clear – Remote spying
  Unprotected public network connections – Unauthorized use of equipment
  Inadequate network management (resilience of routing) – Saturation of the information systems
Personnel
  Absence of personnel – Lack of availability
  Inadequate recruitment procedures – Errors
  Lack of security awareness – Errors, facilitating unauthorized access
  Lack of monitoring mechanisms – Illegal data processing
  Lack of policies for the acceptable use of assets – Unauthorized use of equipment. Malware.
Site
  Inadequate (or lack of) physical security – Theft, destruction
  Unstable power grid – Loss of power supply
  Location in an area susceptible to flood – Flood
Organization
  Lack of formal procedures for user registration and de-registration – Abuse of rights
  Insufficient provisions in contracts with customers and/ or third parties – Abuse of rights
  Lack of email policies – Errors in use
  Lack of information classification procedures – Errors in use

Identification of existing controls

Existing controls
The identification of existing controls is necessary in order to avoid duplication.
Existing controls should be reviewed to identify whether they are effective, sufficient and justified.

Risk analysis

Qualitative vs. Quantitative methodologies
Qualitative risk analysis
- Uses qualifying attributes for consequences and likelihood
- Easy to understand
- Subjective
(Risk matrix figure: Likelihood vs. Consequences)

Quantitative risk analysis
- Relies on numbers
- Uses historical data (e.g. incident data)
- More precise
Likelihood (incident history of the last 5 years)
  > 6 times     0.9
  4-6 times     0.6
  1-3 times     0.4
  < 1 times     0.1
Consequences (financial impact)
  More than 100.000 $       0.9
  50.000 $ – 100.000 $      0.6
  10.000 $ – 50.000 $       0.4
  < 10.000 $                0.1

Risk evaluation

Risk evaluation
- Determine the level of risk
- Compare the level of risk with the risk criteria

Description of the threat                          Likelihood (L)   Consequences (C)   Risk (LxC)   Ranking
DDOS attack                                        0.4              0.6                0.24         1
Fire in data center                                0.1              0.9                0.09         5
Ex-employee disclosing confidential information    0.4              0.4                0.16         4
Power outage                                       0.9              0.1                0.09         6
Ransomware attack                                  0.4              0.4                0.16         3
Disclosure of passwords                            0.6              0.4                0.24         2
Bomb threat                                        0.1              0.4                0.04         7

Risk acceptance
The informed decision to take a particular risk. (ISO/IEC 27000:2018)
Risk acceptance criteria
Should be defined considering the organization’s strategy, objectives, policies, requirements of stakeholders …
(The risk evaluation table above is shown again on this slide, to be compared against the acceptance criteria.)

Risk treatment

Risk treatment options
- Risk modification
- Risk retention
- Risk avoidance
- Risk sharing

Risk treatment plan
- The risks assessed
- The selected treatment option(s)
- The control(s) for each risk
- Priorities
- Timeframes
- Responsibilities

Residual risk
The risk that remains after treatment.
Risk           Likelihood (L)   Consequences (C)   Risk (LxC)   Ranking   Acceptable? (Yes/ No)
DDOS attack    0.4              0.6                0.24         1         No
Treatment: DDOS protection and mitigation service
After treatment   Likelihood (L)   Consequences (C)   Residual risk   Acceptable? (Yes/ No)
DDOS attack       0.4              0.1                0.04            Yes

Risk avoidance, modification, sharing and retention

Risk avoidance
The activity or the condition that gives rise to a particular risk is avoided.

Risk modification
Introducing, changing, replacing or removing controls, so that the residual risk can be reassessed as being acceptable.

Risk sharing
Share the risk with a third party that is able to manage it more effectively.

Risk retention
The decision to retain a risk without further action, considering the results of the evaluation.

Information security risk acceptance

Residual risks should meet the acceptance criteria.

Risk communication and consultation

Communication & consultation
The stakeholders and the decision-makers should exchange information about risk management.

Information security risk monitoring and review

Monitoring and review of risk factors
Monitoring of risks and risk factors:
- new assets included in the risk management scope;
- modification of asset values;
- new threats;
- new or increased vulnerabilities;
- information security incidents.

Major changes…
▪ Outsourcing
▪ New technologies
▪ New key people
▪ Revised legislation, etc.
… should be a reason for a review.

Risk management monitoring, review and improvement
The management review (required by ISO/IEC 27001) provides an opportunity to analyze the risk management process and to propose changes/ improvements.
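The quantitative steps on the risk analysis, risk evaluation, risk acceptance and residual risk slides above (L and C scales, L x C, ranking, acceptance check, residual risk after treatment), as an added example that is not from the slides. The scales and the register values are the slides' own; the acceptance threshold of 0.05 and the tie-break by consequence and then register order are assumptions, so the two identical 0.4 x 0.4 entries come out in register order rather than in the slide's order.

```python
# Added example (not from the slides): quantitative L x C risk evaluation,
# ranking, acceptance check and residual-risk recalculation as described on
# the risk evaluation, risk acceptance and residual risk slides.
from dataclasses import dataclass

def likelihood(incidents_last_5_years: int) -> float:
    """Likelihood score from the slide's incident-history scale."""
    n = incidents_last_5_years
    return 0.9 if n > 6 else 0.6 if n >= 4 else 0.4 if n >= 1 else 0.1

def consequence(financial_impact_usd: float) -> float:
    """Consequence score from the slide's financial-impact scale."""
    f = financial_impact_usd
    return 0.9 if f > 100_000 else 0.6 if f >= 50_000 else 0.4 if f >= 10_000 else 0.1

@dataclass
class Risk:
    threat: str
    L: float   # likelihood
    C: float   # consequences
    @property
    def level(self) -> float:
        return round(self.L * self.C, 2)   # risk = L x C

# Acceptance criterion assumed for this example (the slides define none):
# a risk level at or below this value is acceptable.
ACCEPTANCE_THRESHOLD = 0.05

def evaluate(risks):
    """Rank by level (highest first, ties by consequence, then register order)
    and flag acceptance. Returns (rank, threat, level, acceptable) tuples."""
    ordered = sorted(risks, key=lambda r: (-r.level, -r.C))
    return [(i + 1, r.threat, r.level, r.level <= ACCEPTANCE_THRESHOLD)
            for i, r in enumerate(ordered)]

def treat(risk, new_L=None, new_C=None):
    """Residual risk after a treatment that changes L and/or C."""
    return Risk(risk.threat, risk.L if new_L is None else new_L,
                risk.C if new_C is None else new_C)

# Risk register constructed from the values on the risk evaluation slide.
REGISTER = [Risk("DDOS attack", 0.4, 0.6), Risk("Fire in data center", 0.1, 0.9),
            Risk("Ex-employee disclosing confidential information", 0.4, 0.4),
            Risk("Power outage", 0.9, 0.1), Risk("Ransomware attack", 0.4, 0.4),
            Risk("Disclosure of passwords", 0.6, 0.4), Risk("Bomb threat", 0.1, 0.4)]
```

The residual-risk slide's treatment corresponds to `treat(REGISTER[0], new_C=0.1)`, which lowers the DDOS entry from 0.24 to 0.04.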
The risk management process should remain relevant and appropriate.

ISO/IEC 27005
The framework for information security risk management proposed by the International Organization for Standardization (ISO).

Thank you!