Add to collection(s) Add to saved
  1. Business
  2. Accounting
  3. Financial Accounting

Complete information risk management solution

advertisement 
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
Jason Creasey
Certified
STREAM
Consultant
A complete Information
Risk Management
solution for ISF Members
using IRAM and STREAM
Simon Marvell
Partner
Abstract
IRAM is a business-led information risk analysis methodology used widely by ISF members. IRAM
provides tools for business impact assessment, threat and vulnerability assessment and control
selection. However, it is not an integrated web-based solution and does not provide tools for ongoing monitoring and reporting of risk status or workflow for managing the treatment of
unacceptable risks. This paper describes how IRAM can be used easily with Acuity’s STREAM GRC
software to provide a complete information risk management solution for ISF members.
Overview of IRAM
IRAM provides a three – stage approach as illustrated in Figure 1. The comprehensive Business
Impact Assessment is widely used and is ideal to provide a ‘front-end’ to STREAM, where the
summary detail can be entered and copies of the supporting BIA spreadsheets stored centrally. The
Threat and Vulnerability Assessment is useful, particularly in conjunction with the ISF Healthcheck,
both of which are compatible with STREAM. The control selection tool gives food for thought but at
present is less widely used than the other two stages.
Figure 1: Three-stage IRAM Process
Note. The two assessment tools in IRAM are based on spreadsheets, which can be co-ordinated
using the web-based Risk Analyst Workbench (RAW). For simplicity we just use the term IRAM in
this paper.
Page 1 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
The roles of IRAM and STREAM in managing Information Risk
IRAM provides a strong business driven articulation of the requirements for information security
through its business impact analysis (BIA). The BIA provides an essential understanding of the
requirements for Confidentiality, Integrity and Availability (CIA) of information which can be
informed and refined by an understanding of the likelihood of a loss event or incident occurring by
the IRAM Threat & Vulnerability Analysis.
Clearly, information with high requirements for CIA needs a high degree of protection and without
that protection there would be a significant risk (probably an expectation) of serious damage, even
more so when there is a genuine likelihood of loss or attack.
But the assumption of no protection is theoretical and the risk information of most value to business
managers is an understanding of the residual risk, taking account of the existence and performance
of controls deployed to mitigate this risk.
The IRAM Control Selection stage allows a range of controls to be considered and, where required,
helps to select additional controls to reduce the likelihood of serious incidents occurring. However,
IRAM it is not designed to quantify residual risk as part of the risk analysis or to monitor residual risk
as contributory factors change. This means that while, following an IRAM risk analysis, the business
can be confident that it has a good understanding of the requirements for information security it
may not fully understand the residual risk. Furthermore, any understanding of residual risk that it
does have will deteriorate over time if the performance of controls changes in a way that is not
visible to the risk analyst.
The following table summarises the main factors that influence residual risk and their frequency of
change:
Factor
Frequency of Change
Influence on
Residual Risk
Supported by
IRAM?
Supported
by
STREAM?
Business
Impact
Analysis
Relatively static - once
determined, the potential
business impacts from a loss of
1
CIA tend not to change much .
Variable by risk type. Can change
significantly at short notice, e.g. if
targeted by attackers
2
Weaknesses in control – variable
by control type. Can change
significantly at short notice, e.g.
zero-day vulnerabilities
Variable as BIA, Threat Likelihood
and Vulnerabilities change
A broad statement of
information security
requirements
Yes - Detailed
Yes Summary
Refines the BIA defined
requirements
Yes
Yes
Increases the
likelihood that an
attack, if mounted
would be successful
The design for
reducing residual risk
to an acceptable level
Yes
Yes
Yes, but not as a
compliance tool
Yes
Threat
Likelihood
Vulnerabilities
Control
Selection
1
The BIA can change as information goes through different phases in its lifecycle, e.g. data which is embargoed
before publication. However this can be modelled and the BIA at each lifecycle stage tends to be relatively
static.
2
Most vulnerabilities are weaknesses in control. However, organisations may also be inherently vulnerable to
an incident, e.g. if there is a single-point of failure. Inherent vulnerabilities result in higher requirements for
security whereas control vulnerabilities require improvement in control performance.
Page 2 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
Factor
Frequency of Change
Influence on
Residual Risk
Supported by
IRAM?
Supported
by
STREAM?
Control
Performance
Variable, perhaps due to staffing
levels, budget constraints,
competing priorities, people
making mistakes
Variable by incident type
Very important factor
in maintaining residual
risk at an acceptable
level
Feedback on the
performance of the
above factors allowing
refinement and
improvement
Reduces residual risk
as improvement
actions are completed
Yes
Yes
No
Yes
No
Yes
Incidents and
Near-misses
Handling of
Improvement
Actions
Variable depending on the
volume and frequency of
improvement actions
Figure 2: The contributory factors in understanding residual risk
The above table illustrates that all residual risk factors are variable (less so for BIA), sometimes to
quite an extent.
This means that to be effective and provide meaningful management information an information
risk management solution must:



Integrate all the different components of information risk
Calculate residual risk – it is impossible for a risk analyst to manually evaluate all of the
above factors, even where they have visibility of them
Update the calculation every time one of the factors changes, which could, in some cases, be
daily.
IRAM does not calculate residual risk or support the complete range of residual risk factors, as
illustrated in the table above.
However, a combination of IRAM with STREAM provides a
complete, easy to use and powerful solution for information risk management.
A complete information risk management solution for ISF Members
using IRAM and STREAM
Figure 3 overleaf illustrates the recommended combined solution, allowing ISF members to take
advantage of the powerful graphical displays and aggregation facilities available in STREAM without
losing the benefits of the ISF IRAM tool which comes as a standard part of ISF membership.
STREAM’s asset management and risk modelling, which are straightforward and easy-to use, are
important so that risk boards, committees or equivalent can view and discuss the risks to an
application before it goes live or if it changes significantly.
Although knowledge of how STREAM can be used with ISF tools will be very useful, STREAM can be
configured easily without the need for extensive support, saving time and money. Furthermore,
once it has been set up, many risk assessments can become semi-automatic.
Page 3 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
Figure 3: A combined IRAM / STREAM Risk Management Solution
Business Impact Analysis
IRAM provides a comprehensive BIA designed specifically for the needs of ISF members. Members
can use the IRAM BIA to capture BIA information and then enter the BIA Summary information to
STREAM. Since BIA data is typically fairly static an automated interface is not required and the
summary information can be entered to STREAM manually. STREAM can be configured with the
same A – E scale used by IRAM for recording impacts.
Threat and Vulnerability Assessment
Stage 2 of IRAM (Threat and Vulnerability Assessment) is not as widely used by Members as Stage 1
(BIA) and so Members may prefer to add this information directly into STREAM as it simplifies the
process and is more flexible. Since this information is variable, it will be easy to manage in STREAM
which automatically keeps a history of previous assessments and re-calculates the residual risk each
time it is updated. Members that prefer to keep their Threat and Vulnerability Assessments in IRAM
can transpose or import the data to STREAM.
STREAM can be configured with the ISF Threat list and / or other Threat lists as required and the
same A-E scale used by IRAM for recording threat likelihood.
Control Selection
As with Stage 2, Stage 3 of IRAM (Control Selection) is not as widely used by Members as Stage 1
(BIA) and so Members may prefer to add this information directly into STREAM, particularly for
Page 4 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
compliance monitoring. STREAM also has the advantage in that its Framework mappings allow
Controls to be mapped to Asset Classes and Threats. So each time an Asset is added to an Asset
Class, STREAM will automatically map all relevant Controls and Threats to the Asset.
STREAM can be configured with ISF Controls Content, such as the Standard of Good Practice (SoGP),
Security Healthcheck, Benchmark controls or any other set of control standards, such as ISO 27001,
PCI-DSS, COBIT 5 or internal policies and control standards.
If Members prefer to use IRAM for control selection they can do so and transpose or import the data
to STREAM.
Control Compliance and Performance of Key Control Indicators (KCIs)
Since control compliance and, in particular, the performance of key control indicators is such an
important factor in residual risk, and varies over time, it is recommended that this information is
recorded in STREAM. A history of control assessments is maintained and residual risk is recalculated
every time a change is made.
As indicated above, STREAM can be configured with ISF Controls content or any other set of control
standards. Multiple controls assessment schemes can be defined for different control sets, including
the ISF benchmarking scheme.
An optional Control Approvals scheme can be configured to provide independent approval of control
assessments.
Incidents and Near-misses
IRAM does not provide a facility for recording and tracking incidents and near-misses but they can
be captured in STREAM and linked to Assets, Controls and Threats. STREAM can be configured with
the ISF’s Threat / Incident types.
The impact of incidents can be recorded in STREAM (if required using the ISF’s A-E scale) and
reporting provides information on frequency and average impact of events which can be used to
refine and continually improve the risk assessment and residual risk calculation.
Action Management
IRAM provides only limited options for recording and tracking actions but they can be raised (and
easily tracked) in STREAM against controls, risks, incidents and near-misses.
As actions are completed, the status of controls and risks can be updated in STREAM and the
residual risk re-calculated.
Alerting and Workflow
As a single-user system IRAM does not support alerting and workflow. In STREAM risks, controls,
incidents, near-misses and actions can be allocated to owners who will receive an email alert. Dates
of next assessment, approval, acceptance and target completion dates for actions can be recorded
with alerts and reminders sent to users.
Workflow can be established to handle exceptions and waivers.
Page 5 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
Asset Management and Risk Modelling
A strength of STREAM is its configurable ‘asset-based’ approach to risk management. ‘Asset’ is a
term used in STREAM to denote a component of the target scope for risk management. IRAM takes
a ‘system – based’ approach to risk assessment and this can be configured in STREAM.
However, Members also have a range of preferred primary points of focus – some prefer a business
process led approach, others segment into ‘business as usual’ and ‘project’ views, while others
structure geographically and /or by technology components (critical business applications, networks,
computer installations etc.). STREAM is configurable to support all of these approaches and they can
be ‘mixed and matched’ with different risk assessment and control assessment schemes as required.
An unlimited Asset Class tree structure can be configured in STREAM allowing organisations to
configure assets down to their required level of detail. As Assets are then added to the scope of the
risk assessment, threats and controls will be automatically mapped to the Assets providing
important assurance that a consistent approach is being taken to common Assets across the
Enterprise.
STREAM’s flexibility in this area allows multiple risk types to be managed in the same database so,
for example, information risk management can be integrated with: supply chain risk management;
business continuity; privacy, and; enterprise risk management.
Residual Risk Calculation
As any contributory factor to residual risk assessment is changed, STREAM automatically recalculates residual risk and compares it against risk thresholds. Risk appetites can optionally be set
in STREAM allowing residual risk to be reported in relation to risk appetite.
STREAM automatically logs previous assessments so users can view history and trends.
For frequently changing factors, such as patch or anti-virus status, key control indicators for these
factors can be defined and the data imported automatically from third party applications (such as
scanners and anti-virus systems) allowing the residual risk status to be updated in real time.
Monitoring and Reporting
STREAM provides an extensive set of graphical dashboards and reports providing easy, on-demand,
visibility of risk and compliance status. Subject to user management permissions, users can
aggregate up for summary views or drill down for more information.
Reports draw real-time views from the database which is continually updated as factors change,
ensuring that the user can always see the current status. Historical reports also allow the user to
review progress and perform trend analysis.
Conclusion
ISF Members have long-recognised the importance of information risk management and the value of
accurate information on risk and compliance status.
IRAM is an excellent tool for risk analysis with a particularly strong BIA component which identifies
information security requirements. However, to provide important information on residual risk
Page 6 of 7
October
2013
A complete Information Risk Management solution For ISF Members using
IRAM and STREAM
status in a centralised, aggregated manner, it needs to be combined with a tool that can calculate
residual risk status and provide strong risk monitoring and reporting capabilities.
STREAM provides these capabilities and also additional features not provided with IRAM such as
Incident / Near-misses and Action Management. STREAM is configurable with ISF content and will
therefore integrate seamlessly with IRAM.
Finally, STREAM’s multi-user capability with workflow and alerting will allow Members to extend
controlled information risk management processes out from specialised, trained risk analysts to the
wider user-base, including control owners, incident owners, action owners and auditors.
Business managers can use STREAM’s dashboards and reports to see ‘at a glance’ real-time views of
their residual risk and compliance status, identifying areas of concern for investigation.
Contact Information
Jason Creasey
Director
Simon Marvell
Partner
jason.creasey@jerakano.com
simon.marvell@acuityrm.com
www.jerakano.com
www.acuityrm.com
+44 (0) 1483 838098
+44 (0) 7713 257282
+44 (0) 20 7297 2086
+44 (0) 7900 246371
Relationship between Acuity and Jerakano
STREAM Integrated Risk Manager from Acuity Risk Management
provides flexible, easy to use and cost effective automation for
managing risk and compliance to both ISF members and nonmembers alike.
www.acuityrm.com
As a Certified Consulting Partner, Jerakano can help you automate
the ISF Standard of Good Practice and other ISF deliverables such as
IRAM, Security Healthcheck, Benchmarking and Securing the Supply
Chain using – STREAM Integrated Risk Manager.
Page 7 of 7
Related documents
landform
landform
Shaina Reddinger - Mrs. Maine`s Wikispace
Shaina Reddinger - Mrs. Maine`s Wikispace
Market Research in E
Market Research in E
Surface Water Worksheet
Surface Water Worksheet
value stream mapping for business process management
value stream mapping for business process management
CLEANSING STREAM - Encouraging Hope Ministries
CLEANSING STREAM - Encouraging Hope Ministries
Deriving the formula for PV of finite income streams
Deriving the formula for PV of finite income streams
INCOG Flyer on Field Form Contents
INCOG Flyer on Field Form Contents
Stream Function
Stream Function
Download
advertisement