© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_5

5. Risk Management Approach

Abhishek Chopra (1) and Mukund Chaudhary (2)
(1) Faridabad, Haryana, India
(2) Noida, India
 

“If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.”

—Gary Cohn

The previous chapter discussed how to conduct a risk assessment exercise and give a risk assessment report presentation. This chapter discusses the approach to be followed for managing the risks identified during the risk assessment exercise. This chapter will also focus on identifying assets and applying security controls.

Defining and Finalizing the Risk Assessment Framework

When you initiate the risk assessment, it is important to identify the framework that will be followed to manage risk. The framework gives the teams a guideline for conducting risk analysis on the assets that fall within the defined scope.

There are three main drivers for performing a risk assessment:
  • The organization faces security risks specific to it that would lead to significant losses if they materialized.

  • The organization must comply with legal, statutory, and contractual requirements.

  • The organization must define objectives that support its business operations.

It is also important to understand the benefits of conducting the risk assessment:
  • Asset identification and its related vulnerabilities and security controls

  • Decision making to rectify the risk

  • Justification for the budget spent on security implementation

  • Help in improving awareness about information security

Figure 5-1 shows a high-level diagram for the risk framework.
Figure 5-1

A high-level risk framework

Risk Components

The risk assessment process consists of the following components:
  • Assets

  • Threats

  • Vulnerabilities

  • Impact

  • Probability of occurrence

  • Consequences

    Note Many companies leave assets with an asset value of 5 or less out of the detailed risk assessment, because the impact on the business would be minimal or negligible. (Asset value is the sum of the confidentiality, integrity, and availability ratings, defined in the "Asset Value" section later in this chapter.) Whatever threshold you choose, record it in your risk assessment methodology so that the exclusion is deliberate and can be reviewed.

What Are Threats?

ISO/IEC 27000 defines a threat as a potential cause of an unwanted incident that may result in harm to a system or organization. In the ISO 27001 context, the term therefore focuses on identifying and analyzing scenarios that are unexpected or unwanted and that would cause harm if they occurred. Risk assessment is built on threat identification: for each plausible threat scenario, you perform risk analysis, evaluation, and treatment.

A threat may be caused by intentional or unintentional acts. There are also acts of nature, such as floods, fires, and earthquakes, which you cannot control.

There are different types of threats, and each threat could lead to unique problems. Some examples are:
  • Asset may malfunction or be damaged

  • Asset may be corrupted or modified

  • Asset may be stolen or lost

  • Asset may be disclosed to unauthorized people

  • Any other interruption of services

What Are Vulnerabilities?

A “vulnerability” is a weakness in an asset or system that makes it susceptible to threats.

For example, if you are vulnerable to a specific type of allergy, it’s because your immune system reacts to that particular allergen. To avoid this issue, you can either take steps to make your body strong or avoid certain actions to prevent interacting with this allergen.

When you come across a condition, or set of conditions, that recurs in your business operations and that a threat could exploit against an asset, record it as a vulnerability and either remove the condition or avoid it.

Note

It is important to identify vulnerabilities as early as possible. Beyond analyzing the conditions under which an asset is used, collect and analyze other inputs, such as vulnerability scan reports, penetration test results, audit findings, and incident records, which give a much better picture of where the weaknesses are.

What Is a Security Risk?

How do you define a security risk? When you get input by analyzing a threat to an asset and determine the associated vulnerabilities, you will arrive at a conclusion. If the identified threat has the potential to exploit any vulnerabilities and negatively impact an asset or group of assets, that constitutes a security risk. This means directly or indirectly there will be a negative impact on your organization.

You also need to evaluate the security risk level in order to identify which security risk:
  • May have the biggest impact

  • Needs to be addressed first

  • Can be put under a watch list and addressed later

To determine the risk value, you combine the asset value (covered in the "Asset Value" section of this chapter), the assessed likelihood of the risk, and its impact.

The formula is as follows:
  • Risk Value = Asset Value * Likelihood * Impact

Table 5-1 shows the risk likelihood levels, their ratings, and descriptions.

Table 5-1. Risk Likelihood Level and Rating

Likelihood Level | Rating | Description
Rare | 1 | Very low probability of occurrence (might occur once every 3-4 years or less often); would cause a negligible impact
Moderate | 2 | Might occur every two years; has a noticeable impact, i.e., some financial or data loss may occur
Likely | 3 | Might occur at least once a year; has a significant impact, i.e., financial loss, data loss, or injury to people and damage to other assets
Almost Certain | 4 | Might occur more than once a year; has a very high impact, i.e., financial loss, data loss, or injury to people and damage to other assets

The second half of each description speaks to impact. Treat it only as a sketch of what events at that frequency tend to look like; score impact separately with Table 5-2, so that the likelihood and impact factors in the risk formula do not count the same thing twice.

Table 5-2 shows the risk impact ratings and their descriptions.

Table 5-2. Risk Impact Ratings

Impact Scale | Rating | Description
Minor | 1 | Service or business downtime of less than a few hours (for IT infrastructure and other operational facilities)
Moderate | 2 | Service or business downtime of more than a few hours, up to one calendar day
Major | 3 | Service or business downtime of more than a day that affects delivery of services, so that the office/site is not operational (for hours or days); or the IT infrastructure is down, or the office/site cannot be reached, because of public strikes, floods, earthquakes, etc.
Catastrophic | 4 | Service or business downtime caused by severe damage to the office/site and the IT infrastructure; major financial loss leading to operations being shut down

What Is a Risk Ranking?

The rank assigned to each risk is called its risk ranking. Risks fall into one of four ranks, depending on the calculated risk value, and each rank maps to a priority level.

Table 5-3 shows the risk rankings, with a description and the actions that can be taken to treat risks in each band. The bands cover 1 to 144 because the largest possible risk value is 9 (asset value) x 4 (likelihood) x 4 (impact).

Table 5-3. Risk Rankings

Risk Value | Risk Rank | Description | Risk Priority
1 - 36 | Low | A security control already exists; the chance of exploiting the vulnerability is low; requires monitoring | P4
37 - 72 | Medium | There are chances to exploit the vulnerability; probability of occurrence is medium; may damage only non-critical applications/services and associated assets; no major impact, but proactive risk monitoring is required | P3
73 - 108 | High | High chances to exploit the vulnerability; probability of occurrence is high; may impact critical business applications or services, resulting in service degradation; high impact on business operations, and risk monitoring is required on a regular/frequent basis | P2
109 - 144 | Very High | Very high chances to exploit the vulnerability; probability of occurrence is very high; adverse impact on critical business applications/services, resulting in major downtime; very high impact on business operations, and risk monitoring is required on a regular/frequent basis | P1

Risk Prioritization

Table 5-4 shows the action to take for each risk priority. The idea is to prioritize the risks and allocate treatment resources accordingly.

Table 5-4. Risk Prioritization

Risk Priority | Action
P1 | Risk is a showstopper or blocker; plan for immediate action; the actions taken must bring the risk down to an acceptable level
P2 | Take the actions described in Table 5-3
P3 | Take the actions described in Table 5-3
P4 | No treatment action required; continue monitoring as described in Table 5-3

After ranking each risk, the goal is to bring its priority down to P4. That is not always possible, as some situations are outside your control. In those cases, document why the risk cannot be reduced further, present the justification to management, and obtain their formal approval for accepting the residual risk; this avoids confusion later and leaves a record of who accepted what.

Risk Owner Identification

It is the responsibility of each department head to take ownership of their departmental risks. Then they can assign further risk ownership to their team members. Once all the risk owners have been identified, they can start analyzing the risks and evaluate them based on the risk acceptance criteria defined in their organization.

Risk Treatment

Risk owners and teams need to analyze which risks are acceptable and which risks require immediate attention. Risk decisions fall into one of the following:
  • Risk acceptance

  • Risk mitigation

  • Risk avoidance

  • Risk transfer

Risk Acceptance

To decide whether to accept a risk, consider the following implementation constraints, any of which may be the reason a control cannot be put in place:
  • Budget/financial: Financial constraints may force management to reject the budget, so the security control cannot be implemented.

  • Environmental: Environmental factors such as space availability at the office/site, climate conditions, and the surrounding natural and geographical conditions can all affect the decision.

  • Organizational: Some measures are not feasible to implement because of organizational constraints.

  • Technological: Some technology is not feasible to implement, as it is incompatible with the current hardware and software setup.

  • Cultural: Implemented security controls can be ineffective if staff or clients/stakeholders do not accept them because of cultural norms or taboos.

  • Time-based: It takes time to implement any control, so sometimes you need to wait for the budget or for the right opportunity to act.

  • Not applicable: Sometimes the organization judges that its business operation is not big enough, or that it does not process highly sensitive data, and therefore chooses not to implement the control.

  • Personnel: The resources or staff needed are currently unavailable, so the security control cannot be planned.

  • Legal: Sometimes legal constraints stand in the way of implementing the controls.

Note

There may be other reasons for not implementing the controls, other than those listed here. It depends on your business and industry requirements.

Risk Mitigation

Mitigation in simple terms involves the planned and executed actions you take to reduce the impact of any risk.

In ISO 27001, risk reduction happens when you select controls for the assessed risks. The controls are drawn from Annex A of ISO/IEC 27001 (with implementation guidance in ISO/IEC 27002) or from any other source, as long as the final selection is compared against Annex A to confirm that nothing necessary has been omitted. Criteria to consider when choosing a control:
  • Threat reduction, to reduce the probability of a threat from occurring.

  • Vulnerability reduction, to reduce or remove a vulnerability.

  • Impact reduction, to reduce the impact of a security breach to an acceptable level.

  • Detection of unwanted event, to determine whether a threat is easily detectable or identifiable.

  • Recovery from unwanted event, to recover from the event, thereby reducing the impact.

The control is selected based on the assurance provided by treating the risk and the acceptable (residual) risk after implementing that control. The Information Security team should review and approve the selected controls.

As part of implementing security controls to treat risks, risk owners can take the following actions:
  • Acquire the required systems

  • Develop or modify policies

  • Develop procedures and practices

Risk Avoidance

Risk avoidance eliminates the risk by eliminating the exposure, usually by changing the process or the way it is executed, or by not performing the activity at all. For example, an organization may use local vendors instead of foreign ones where the foreign vendors carry much higher risk.

Tip

Risk owners must review risks that fall under the category of risk avoidance with the Information Security/compliance team and any relevant stakeholders.

Risk Transfer

Risk transfer (called risk sharing in ISO/IEC 27005) shares the consequences of a risk with a third party on contractual terms. It can be an effective strategy, but the organization remains accountable for the risk: insurance and outsourcing contracts share the cost of an incident, they do not move the information or the obligation to protect it.

Note

All contractual terms must be clearly identified in the agreement before proceeding with a third party.

For example, you can insure business-critical assets by purchasing an insurance policy. Thus, if an event occurs, the insurance policy will help manage costs, such as repairs, lost expenses, legal expenses, etc.

Another example is outsourcing business processes to a third party because the skills or experience are not available in-house. The risk can be reduced, because the third party takes responsibility for running the outsourced process, but only to the extent the contract actually requires it: the agreement should spell out the security obligations, reporting, and right to audit, and the residual risk still belongs in your register.

Caution

Be sure to review risk transfer cases with the Information Security team and to get approval from management before making a final decision.

What Is Acceptable Risk?

What is acceptable risk? In other words, how much risk can an organization live with?

The risk that remains after the selected security controls are implemented is the residual risk. Acceptable risk is residual risk that is at or below the level the organization has decided it can tolerate, as set out in its risk acceptance criteria. Table 5-5 shows how residual risk at each rank is treated.

Table 5-5. Acceptable Risk

Residual Risk Rank | Description
Very High/High/Medium | Requires additional controls to bring the risk to an acceptable level; it should be accepted only if management approves it
Low | Risk is at an acceptable level

Note

When the risk score is higher than the acceptable level, the controls must be analyzed again and re-implemented.

Risk Monitoring and Review

Risk monitoring and review is a continuous process. Once you implement the security measures and controls, you must monitor and track the progress of all risks on a regular basis to ensure you’re getting the desired result. Risk owners from their respective departments are also responsible for monitoring and reviewing risks and reporting to management on a monthly basis (or as needed).

Identifying Assets

Before you start learning how to identify information assets based on the ISO 27001 implementation, it is important to understand what is meant by assets.

An asset can be anything that has value to the organization. This can be tangible or intangible value. For example, machines, people, software, patents, reputation, etc. Assets include all those items that contribute to the establishment of information that an organization requires to conduct their daily business operations.

From an information security point of view, an asset can be any device, data, or component of an environment (development, testing, production) that supports the organization's information processing. In general terms, it is anything in your organization that helps or supports day-to-day activities: laptops, desktops, hardware (servers, switches, and routers), software (business and support applications and tools), and confidential information (trade secrets, financial data).

Table 5-6 shows the asset categories that your asset register should cover.

Table 5-6. Asset Register Categorization

Asset | Category
Information assets | Data files (including image files), product information, manuals, policies, and procedures
Paper assets | HR records, contracts, invoices, and other written papers
Software assets | System software, application software, and the development tools and utilities that are required
Hardware/physical assets | Computer and communications equipment, magnetic media, environmental equipment, furniture, facilities, accommodations, etc.
Service assets | Communication services, air conditioning, lighting, UPS, generators, service providers, etc.
People assets | Employees, contractors, visitors, guests, etc.

Asset Value

Each asset is assigned a value, called the asset value. In simple terms, this helps you decide the importance of the asset to your business and its operations. The asset value helps you identify and determine the appropriate protection for the assets. You can also use asset values to identify and describe the consequences that might occur if an unexpected event occurred.

In Table 5-7, the criticality rating is defined at three levels, separately for the confidentiality, integrity, and availability of an asset. These numbers represent how critical an asset is to the business.

Table 5-7. Criticality Ratings

Rating | Confidentiality (C) | Integrity (I) | Availability (A)
1 | Public | Low | Not important
2 | Internal | Medium | Important
3 | Confidential | High | Very important

Using these ratings, you calculate the net asset value of an asset, which is the sum of its confidentiality, integrity, and availability values:
  • Net Asset Value = Confidentiality + Integrity + Availability

Because each element is rated 1 to 3, the net asset value ranges from 3 to 9. For example, say you are calculating the asset value for HR data with confidentiality = 2, integrity = 3, and availability = 1. The net asset value is 2 + 3 + 1 = 6, so the asset value of the HR data is 6.

Asset Classification

An asset can be grouped into different categories based on similarities and characteristics. The process of grouping similar assets is called asset classification.

For example, servers, routers, switches, and LAN cables can be grouped as IT assets. Desktops, VDI devices, and IP phones can be added into the IT asset group, or you are free to make a new sub-category for these assets.

Note

Asset classification varies from organization to organization and the industry to industry. The grouping of assets depends on the asset owners.

Figure 5-2 shows data classifications, which will help you protect information access.
Figure 5-2

Data classification

Asset Labeling

Once the information asset classification is done, the assets must be labeled properly, and you need to decide how your team will do it. Labeling is a small step toward better security: organizations handle large numbers of information assets every day, so the chances of an asset being misplaced, lost, or stolen are significant, and a consistent label is what lets you notice and trace it. Asset tagging also cuts administrative expense.

There is no one good way to do asset labeling. You can use unique asset identification numbers or codes or indicate details about the specific location or group, or use any other relevant asset category. These labels can be QR codes, bar codes, or RFIDs. These codes can be easily scanned to provide additional information about the asset, which makes it easier to monitor and track the assets.

Any asset that you think is crucial to your business needs to be labeled. Each asset should have a different identifier, such as a serial number or an asset identification number (AIN). See Figure 5-3 as an example.

Note

There is no specific format for tagging assets. They should be tagged based on your defined organizational procedure. Some companies prefer not to mention the company name when tagging the assets, for security purposes.

Some best practices for labeling assets include:
  • By item ID: Some assets are tagged by ID or location. For example, if your company is in New Delhi and you are tagging a laptop from the software team, you can code it as follows. ND stands for New Delhi. For laptops, assign a sequential code, L001 to L00N, based on the number of laptops you have. Then include a department ID, say S01 for the software department. The final code would be ND/L001/S01 or ND-L001-S01.

    Tip This labeling practice is best suited if your employees tend to travel with their tools or machines or you have multiple departments in your organization.

  • Adding a color code: In some cases, item ID tagging is not enough. For example, companies with several software teams working on different projects have different hardware configuration needs per project. In such cases, adding a color code to the asset helps: laptops with a high configuration can be tagged blue, a middle configuration green, and a basic configuration amber. Similarly, color tags can distinguish LAN cables carrying voice, general browsing traffic, and leased lines.

  • Customized tagging: The need for tagging depends on the categories of assets that you want to tag. Hence, customized tagging is also important. For example, you want to label the information using barcodes that may contain different data as per your business needs. This could include manufacturer name, manufacture year, serial number, or other tracking numbers.

    Note Barcodes and QR codes are very popular these days. Based on the report published in an EZOfficeInventory whitepaper, use of asset tags can reduce administrative errors by up to 41.4%.

    Source: https://www.ezofficeinventory.com/

Figure 5-3

Asset labeling

Some of the benefits of asset labeling include:
  • Stock availability

  • Tracking

  • Better monitoring

Asset Register

An asset register is a list of assets owned by the organization. The main benefit of having an asset register is that it gives you a list of assets along with their owners. Every department needs to create an asset register.

To create the register, you need to identify the assets used in the business's operations and daily activities, which can be tedious. Table 5-8 lists example assets by category and sub-group to make identification easier.

Table 5-8. Assets in Different Sub-Groups and Categories

Hardware/physical assets: computers; servers; switches/routers/hubs; access points; access card readers; firewalls; communication equipment; data storage; cabinets; safes; server racks

Software: anti-virus software; business applications; network management system software; development tools; operating systems; utilities

Services: outsourced operations; outsourced services; outsourced telephone operations; security services; IT services

People: employees; customers; subscribers; contracts

Information: databases and data files/soft copies; system documentation/manuals; user manuals; training materials; operational or support procedures; backups; AMC (annual maintenance contract) documents

Paper: contracts; HR records; invoices

Asset Disposal

Asset disposal is the act of retiring unwanted equipment or assets in a safe manner. Large volumes of data are transferred to and stored on computer systems, and that information must stay protected even while it is being removed. If the information is not properly removed before an asset is disposed of, it can be recovered and read by unauthorized people.

Hence, organizations need a written policy covering the disposal of information assets. Key points to cover in the asset disposal policy:
  • Media sanitization procedures: All electronic media must be sanitized before it leaves the custody of its current owner. The method depends on the type of media and on what happens to it next. Note that deleting files or formatting a drive does not remove the data; it only removes the references to it, and the contents can be recovered with ordinary tools. Before a drive is passed from one department to another, it must be overwritten, cryptographically erased, or sanitized with the drive's built-in secure-erase command, and the result verified (NIST SP 800-88 is the usual reference for choosing a method per media type).

  • Destruction of electronic media: Physically damaging the medium so that it cannot be read by any device normally used to read electronic information (computers, hard drives, pen drives, and so on).

  • Repairing hard drives under warranty: Where a drive under warranty has failed and the manufacturer requires the failed drive to be returned, an appropriate agreement covering the data on the drive must be in place between the manufacturer and the organization before it is shipped (the chapter calls this a Business Associate Agreement, which is the HIPAA term; use whatever data-protection agreement applies in your jurisdiction). If the manufacturer will not sign, the old drive must be destroyed instead; some vendors offer a keep-your-drive warranty option that avoids the problem entirely.

  • Disposal of damaged media: First attempt to overwrite the drive or other media. If it cannot be overwritten (for example, it no longer responds), disassemble it and mechanically destroy it so that it is unusable.

  • External party: Many companies will collect and destroy your media. Make sure the provider you select signs a non-disclosure agreement (NDA), follows it, and gives you a certificate of destruction for each item.

Media disposal is essential, and it is not hard work if you follow these steps.
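The "verify after overwrite" step in the media sanitization bullet is the part most often skipped. The following Python is an added example, not code from the book, showing the workflow on a single file: overwrite (random passes, then a final zero pass), flush to the device, read back to verify, and only then delete. The sample file contents are constructed. The caveat matters: file-level overwriting is only meaningful where the filesystem writes in place; on SSDs, journaling or copy-on-write filesystems, and storage with snapshots, the old blocks can survive, so whole-device sanitization has to use the drive's own secure-erase or crypto-erase command, or physical destruction. The example demonstrates the procedure and the verification check, not a tool for sanitizing drives.

```python
"""Overwrite-and-verify sanitization of one file: the procedure the disposal
policy describes, with the read-back verification step made explicit."""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite the file in place: random data for all but the last pass, zeros last.
    Returns the number of bytes overwritten in each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if p < passes - 1 else bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before starting the next
    return size


def verify_zeroed(path: str) -> bool:
    """Read the file back and confirm every byte is zero (the verification step)."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize_file(path: str, passes: int = 2) -> dict:
    """Overwrite, verify, and only then unlink; refuse to delete if verification fails."""
    written = overwrite_file(path, passes)
    verified = verify_zeroed(path)
    if verified:
        os.remove(path)
    return {"bytes": written, "verified": verified, "exists_after": os.path.exists(path)}


def demo_sanitize() -> dict:
    """Constructed sample: a temp file holding made-up HR data, sanitized in place."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"employee_id,name,salary\n1001,A. Example,50000\n" * 2000)
    return sanitize_file(path)


if __name__ == "__main__":
    print(demo_sanitize())
```

The function refuses to delete the file when verification fails, which is the behaviour you want from a sanitization step: a file that still holds data and has been deleted is harder to find than one that is still there, flagged as not sanitized.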

Tip

An organization can use a cross-cut shredder to destroy printed information. It is a secure and cost-effective way to dispose of paper.

Asset Register Examples

This section explains how to track and maintain asset information in your department, with examples. The following sections discuss some examples of departments.

Human Resources Department

In any organization, human resources is the first department that communicates the company’s information security controls and ensures that everybody follows them.

Figure 5-4 shows the sample HR assets. There could be more, depending on the organization. For example, this register should include any software application/tool used by HR to perform HR operations.

The two important columns in the table to note are Category and Asset Value. The Category column determines whether the information is in the form of paper or soft copy. Assets like laptops or desktops are common in each department, so they fall under the Hardware/Physical category. People are also assets, so team members fall under the People category. Some documents are for information purposes only, so they can be placed in the Information category.
Figure 5-4

HR asset register

The second most important thing in this table is the Asset Value. The Asset Value column in Figure 5-4 shows numbers, which are calculated by taking the sum of the values of Confidentiality, Integrity, and Availability. If the sum value is more than 5, it becomes important and you must implement controls. Note the Justification for Asset Value column. It is good to provide reasons in your own words so that nobody questions the given asset’s value.

Note

For each department, the asset value will be different. The importance of an asset may vary from department to department because they process and store different information.

The Asset, Category, and Asset Value columns must be filled in for each department involved in the ISO 27001 implementation journey. Some of the assets could be similar, but the data processed or stored by them could be different and their purposes could differ too.

IT Helpdesk Department

Whatever you call the IT support department, their functions and activities will basically be the same. This department typically covers about 30-40% of the ISO 27001 security controls implementation. The IT helpdesk department usually takes care of the following assets:
  • Laptops/desktops allotment and maintenance

  • Software licenses and installation

  • Network services management

  • Antivirus protection

  • Email configuration/email server management and backup

  • Printer configuration and maintenance

Based on this asset list, the IT asset register can be prepared similar to the HR asset register shown in Figure 5-4.

IT Infrastructure Department

Whatever you call the IT infrastructure department, their functions and activities will basically be the same. This department typically covers about 20-30% of the ISO 27001 security controls implementation.

The IT infrastructure department usually takes care of the following assets:
  • Server management
    • Installation

    • Maintenance

    • Data backup

  • Software licenses and installation

Based on this asset list, you can create an asset register for the IT infrastructure department.

The next section looks at the other important operations, services, and departments.

Software Development Department

In any organization, the software development division is crucial, as throughout the software development lifecycle, they handle the information related to their client’s product and software development. Hence, the business analyst, architecture, developer, and tester teams are all involved.

The software division takes care of the following assets:
  • Requirement documents

  • Architecture/design documents

  • Software code

  • Test documents

Similarly, based on this asset list, you can prepare the asset register for the software development team.

From the asset register examples, you should now understand how to identify the assets of any department. Remember the most important thing, which is to ask what information does that department process and store. This will make asset identification a lot easier.

By using the examples in this chapter, you should be able to identify the critical assets in any organization, whether it is in IT/software, IT/call center, manufacturing, or any other industry.

Managing Risks

In the previous chapter, you performed an initial risk assessment. Each department's risk owner answered key questions about the information assets to establish the current, existing controls already in place for the risks identified. Figure 5-5 shows what it takes to record this information in the risk assessment tracker.

Figure 5-5 shows the risk assessment tracker’s columns. Let’s look at the columns covered in more detail:
  • Department: Enter the name of the department for which the tracker is being filled, such as HR.

  • Asset: The name of the asset being tracked, such as laptop.

  • Category: The category of the asset. The laptop category, for example, is Hardware-Physical.

  • Asset value: The value of the asset, as explained earlier in the chapter. The laptop’s asset value, for example, is 9, which is more than 5.

  • Threat: The threat related to this asset, as explained earlier in the chapter.

  • Vulnerability: Any vulnerability related to this asset, as explained earlier in the chapter.

  • Risk: The risk description, which explains what the risk is.

  • Likelihood: A rating on a scale of 1 to 4 that communicates the chances of this risk occurring. 1 is least likely and 4 is most likely. (This assumes no security controls have been implemented.)

  • Impact: The impact of this risk if it were to occur. You need to rate it on a scale of 1 to 4. 1 is the least impact and 4 is the highest impact. (This assumes no security controls have been implemented.)

  • Risk value: Calculated by multiplying the Asset Value∗Likelihood Rating∗Impact Rating. (This assumes no security controls have been implemented.)

  • Risk rank: The risk rank will be populated based on the risk value range. Hence, you add a formula to your assessment tracker for the risk rank column.

  • Risk priority: The priority of the risk as explained earlier in this chapter. You put a formula in your assessment tracker for the risk priority column.

  • Risk owner: List the owner of the risk, which is who will handle the risk mitigation process. Note in Figure 5-5 that the risk mentioned is the HR department, but the risk owner is the IT manager. This is because security control implementation comes under the IT helpdesk department. Hence, you need to identify the right risk owner.

  • Existing controls: Any security controls that are already implemented for this risk. If none are implemented, enter “there are no existing controls” rather than leaving the cell blank, so that a blank cannot be mistaken for an unassessed risk.

    Note In the table in Figure 5-5, all the information is filled out on the basis that no security controls have been implemented.

../images/475350_1_En_5_Chapter/475350_1_En_5_Fig5_HTML.jpg
Figure 5-5

The first 14 columns of the risk assessment tracker

Once you move past the Existing Controls column, you re-enter the Likelihood and Impact ratings and recalculate the Risk Value and Risk Rank, this time taking the existing controls into account (see Figure 5-6). The first set of values is the inherent risk, assessed as if no controls existed; this second set is the residual risk that remains with the controls that are actually in place. Comparing the two tells you whether the existing controls are enough to manage the risk at present or whether you need to identify and implement additional security controls.

Note that Figure 5-6 shows the same risk as Figure 5-5. If the residual risk rank is Low, you don’t have to identify a new control. If it is Medium or High, you must identify and recommend new controls.
../images/475350_1_En_5_Chapter/475350_1_En_5_Fig6_HTML.jpg
Figure 5-6

An extended column of the risk assessment tracker

These steps form a common method for managing risks that can be applied across departments and organizations. Every risk should be managed and tracked in the risk assessment tracker. The format of the tracker may differ slightly between organizations, but its basic structure is essentially the same.
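The tracker logic described above (inherent risk value and rank from Figure 5-5, residual risk value and rank with existing controls from Figure 5-6, and the decision on whether new controls are needed) can be scripted so that a CSV export of the tracker is assessed consistently and out-of-scale ratings are rejected. The following Python is an added example, not the book’s own spreadsheet: the 1 to 4 likelihood and impact scales and the Risk Value = Asset Value × Likelihood × Impact formula come from the text, while the 1 to 10 asset value scale, the Low/Medium/High cut-offs, and the sample rows are assumptions made for this example.

```python
"""Risk assessment tracker arithmetic: inherent risk, residual risk with
existing controls, and the treatment decision that follows.

Added example, not the book's own tracker. Likelihood (1-4), impact (1-4)
and the Risk Value formula are from the text; the asset value scale, the
rank bands and the sample rows are assumptions made for this example.
"""
import csv
import io

# Rating scales. Likelihood and impact are the book's 1-4 scales; the asset
# value scale is assumed to be 1-10 (the text only says the laptop scores 9).
LIKELIHOOD_SCALE = range(1, 5)
IMPACT_SCALE = range(1, 5)
ASSET_VALUE_SCALE = range(1, 11)

# Risk rank bands over the risk value (maximum 10 * 4 * 4 = 160). The text
# says the rank is derived from a value range but does not give the ranges,
# so these cut-offs are an assumption: <= 40 Low, 41-80 Medium, above 80 High.
RANK_BANDS = ((40, "Low"), (80, "Medium"), (160, "High"))


def _check(name, value, scale):
    """Reject ratings outside the agreed scale so a typo in the tracker
    (e.g. likelihood 5) cannot silently inflate or deflate a risk value."""
    if value not in scale:
        raise ValueError(f"{name}={value} outside {scale.start}-{scale.stop - 1}")
    return value


def risk_value(asset_value, likelihood, impact):
    """Risk Value = Asset Value * Likelihood * Impact (the book's formula)."""
    return (_check("asset_value", asset_value, ASSET_VALUE_SCALE)
            * _check("likelihood", likelihood, LIKELIHOOD_SCALE)
            * _check("impact", impact, IMPACT_SCALE))


def risk_rank(value):
    """Map a risk value onto Low/Medium/High using RANK_BANDS."""
    for upper, rank in RANK_BANDS:
        if value <= upper:
            return rank
    raise ValueError(f"risk value {value} above the maximum of 160")


def needs_new_control(residual_rank):
    """Low residual rank: existing controls suffice. Medium or High: new
    controls must be identified and recommended (mitigation method Address)."""
    return residual_rank in ("Medium", "High")


def assess_row(row):
    """Compute the inherent (no controls) and residual (existing controls)
    risk value and rank for one tracker row, plus the treatment decision."""
    av = int(row["asset_value"])
    inherent = risk_value(av, int(row["likelihood"]), int(row["impact"]))
    residual = risk_value(av, int(row["residual_likelihood"]),
                          int(row["residual_impact"]))
    residual_rank = risk_rank(residual)
    out = dict(row)
    out.update(
        inherent_value=inherent,
        inherent_rank=risk_rank(inherent),
        residual_value=residual,
        residual_rank=residual_rank,
        mitigation="Address" if needs_new_control(residual_rank) else "No new control",
    )
    return out


def process_tracker(csv_text):
    """Assess every row of a tracker exported as CSV and return the results."""
    return [assess_row(r) for r in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample tracker. The first row mirrors the book's HR laptop
# example (asset value 9, residual rank Medium); the threats, vulnerabilities,
# controls and ratings are assumed. The second row shows a risk whose existing
# controls bring the residual rank down to Low.
SAMPLE_TRACKER = """\
department,asset,category,asset_value,threat,vulnerability,likelihood,impact,risk_owner,existing_controls,residual_likelihood,residual_impact
HR,Laptop,Hardware-Physical,9,Theft of laptop,No disk encryption,3,4,IT Manager,Asset register and cable locks,2,3
HR,Payroll file share,Information,6,Unauthorised access,Weak folder permissions,3,3,IT Manager,Group-based ACLs reviewed quarterly,1,3
"""

if __name__ == "__main__":
    for r in process_tracker(SAMPLE_TRACKER):
        print(f"{r['asset']:<20} inherent {r['inherent_value']:>3} {r['inherent_rank']:<6} "
              f"residual {r['residual_value']:>3} {r['residual_rank']:<6} -> {r['mitigation']}")
```

With the assumed bands, the laptop row scores 108 (High) before controls and 54 (Medium) with the existing controls, so new controls must be recommended; the file share drops from 54 (Medium) to 18 (Low), so its existing controls are judged sufficient. Adjust RANK_BANDS to the ranges your organization has defined before using the script on a real tracker.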

Note

Organizations that are new to information security and have fewer existing controls in place might need to identify more security controls than organizations that are more aware or mature.

Identifying Security Controls

Along with managing risks, you need to start identifying the appropriate security controls. Which controls you choose should be driven by the risk value and risk rank, so that the controls mitigate the risks and minimize the impact of the threats identified during the risk assessment exercise.

Remember that the controls must be meaningful: their purpose is to protect information from being stolen, destroyed, or modified. If an identified control is not reducing the risk, change the strategy and select a different control.

This section shows an example of how identified security controls are recorded.

Figure 5-7 continues the same risk shown in Figures 5-5 and 5-6. Because the residual risk rank is Medium, the controls listed in the figure must be implemented, and the recommended mitigation method becomes Address, meaning that the controls are to be implemented to address this risk. The proposed mitigation plan is implemented at the departmental or organizational level. You can also add target dates for the mitigation plan to this kind of tracker and track them there.
../images/475350_1_En_5_Chapter/475350_1_En_5_Fig7_HTML.jpg
Figure 5-7

Security controls are identified and recommendations are listed

Revisiting the Statement of Applicability (SoA)

You may wonder why you need to revisit the SoA, since you already did so in an earlier exercise. Recall from an earlier chapter that you might have to revisit the SoA: as the implementation proceeds, you may find areas or scenarios that were skipped. In those cases, you need to modify the SoA document, which clarifies the scope for both the implementation and the certification audit.

Thus, at this stage, it’s smart to analyze the SoA again and determine whether any changes are required or not.

Summary

This chapter covered the risk management approach, including the following topics:
  • Risk framework: This is important from the perspective of setting a clear path to manage risks. Once the path is set, it becomes easier to move forward.

  • Asset management: You learned how to identify assets, about the different types of assets, and how to maintain and dispose of them. By understanding assets, you can manage the asset lifecycle more easily.

  • Manage risks and identify controls: You learned how to manage risks and identify suitable controls during implementation. This is an important practical step, as it helps you check whether the implementation is on track.

  • Revisit the Statement of Applicability (SoA): You learned about the need for revisiting the SoA.
