Analysis of information risk management methodologies
A description of different risk management frameworks to help inform organisations who are considering selecting one.
This is an ALPHA release and we welcome feedback to help us shape further releases. Please send any feedback to enquiries@cesg.gsi.gov.uk.
Introduction
When choosing a risk management framework and assessment methodology, an organisation should ensure it fits their purposes.
Considerations may include:
- the cost
- the scope of the project
- ensuring resources required are proportionate and sustainable
- any commercial aspects that could restrict its use
This guide summarises 6 common risk management methods and tools, and considers how they can be effectively applied. Irrespective of what method or tool is used, if it is not supported by thought or context, then effective risk management outcomes are unlikely to be realised.
Note that:
- other methods not listed here may prove a better choice, depending on the unique circumstances of your business and technology needs
- using a single methodology may not meet your requirements; this is not a finite list and you may wish to use a hybrid approach or develop your own
ISO/IEC 27005:2011 (‘Information technology - Security techniques - Information security risk management’)
URL: http://www.iso.org/iso/catalogue_detail?csnumber=56742
ISO 27005 is an international standard providing guidelines for information risk management. Although it does outline a generic risk assessment process in Chapter 8 and Annex E, it leaves the choice of that process to the business.
It is part of the ISO 27000 family of standards. There is some dependency between these documents, with concepts from one being important for understanding those in another.
ISO 27005 is likely to be used by organisations following the security requirements of ISO27001 (ISO/IEC 27001:2013 “Information technology - Security techniques - Information security management systems - Requirements”), although it can be used in other contexts.
The appendices provide guidance on using qualitative and quantitative approaches. The standard is not prescriptive about which should be used. It refers out to IEC 31010:2009 (“Risk management - Risk assessment techniques”) to inform the choice of risk assessment technique. ISO 27005 requires that a risk assessment takes into account threats, vulnerabilities, and impacts. They must be contextualised to the business, then fed into the risk evaluation process, which informs the decisions made on how to treat risks.
As a framework that is not overly prescriptive, the principles of ISO 27005 can be applied to a variety of types and sizes of organisation. Given the broad and generic nature of the guidance, specialist skilled resources will be needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards.
Information Security Forum
URL: http://www.securityforum.org/tools/isf-risk-manager/
ISF aims its products at large public and private sector organisations, and produces an annually updated Standard of Good Practice for Information Security. This standard is comprehensive and is compatible with other well-known standards. It is intended to support any risk assessment, but is particularly geared towards ISF’s own Information Risk Analysis Methodology (IRAM) and automated tool (Risk Analyst Workbench (RAW). This approach has three phases: a business impact assessment which determines the security requirements of the business, a threat and vulnerability assessment, and control selection.
The standard and its related tools, which must be purchased from ISF, make for a thorough risk management package. The price of the materials includes user guides and attendance at some ISF events.
CESG Information Standard 1/2
IS 1/2 and its supporting documents provide a suite of information risk management guidance for use, predominantly, by central government departments, the wider public sector and its suppliers. However it can also be used by any organisation to assess and manage their technical risks.
The risk assessment method includes defining the scope of assessment and the corresponding information assets and then conducting an impact, threat and vulnerability assessment of them. The risk assessment method and supporting tool is freely available from CESG’s website.
The risk treatment method includes: the production of a risk treatment plan, defining an implementation approach for the identified controls (largely based on ISO 27002), the development of an assurance plan, a residual risk assessment and gap analysis.
The steps presented in IS1/2 are complex and achieving a consistent and reasoned outcome requires a skilled practitioner.
US National Institute of Standards and Technology (NIST) SP 800-30
NIST SP 800-30 is the US government’s preferred risk assessment methodology, and is mandated for US government agencies. It features a detailed step-by-step process from the initial stages of preparing for an assessment, through conducting it, communicating the results, and maintaining the assessment. It is freely available directly from the NIST website, although since NIST SP 800-30 is aimed largely at the US public sector, finding appropriate support to implement it may be difficult outside the US and should be factored into the cost.
The guidance itself is comprehensive and clear. The methodology should be usable by organisations of all sizes in both the private and public sectors. It is designed to be consistent with the ISO standards, and flexible enough to be used with other risk management frameworks. Unsurprisingly, as a US standard, much of the supporting documentation in the NIST Risk Management Framework is heavily US-focussed, often dwelling on regulatory issues that may have little relevance to non-US users.
The risk assessment process in SP 800-30 takes inputs from a preparatory step that establishes the context, scope, assumptions, and key information sources for the process, and then uses identified threats and vulnerabilities to determine likelihood, impact and risk. The process next requires that the results are communicated and the assessment maintained, including monitoring effectiveness of controls and verifying compliance.
OCTAVE Allegro
URL: http://www.cert.org/resilience/products-services/octave/index.cfm
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology originates from Carnegie Mellon University in the USA. Older versions are still in use but the most recent version, OCTAVE Allegro, is more streamlined and is actively supported. It is primarily intended as a qualitative assessment, although may be used for simple quantitative analysis.
OCTAVE is intended to be managed in a ‘workshop’ style, with a small group of participants from the operational and IT areas of the business, not requiring extensive expertise. The resources to perform a risk assessment can be downloaded for free and are integral to the process. Therefore, this approach might suit organisations looking for a risk assessment process that can be done without investing heavily in training or consultants. If training is required, Carnegie Mellon offers e-learning for a fee.
Octave Allegro is an asset-focussed method. The first step is establishing consistent, qualitative risk measurement criteria specific to the organisation’s drivers and objectives. After assets have been profiled, threats and impacts are considered in light of real world scenarios to identify risks. These risks are then prioritised according to the risk measurement criteria and mitigations planned.
ISACA COBIT 5
URL: https://cobitonline.isaca.org/
COBIT is a comprehensive governance and enterprise IT management framework from ISACA, an international association specialising in IT governance. It is a thorough and prescriptive framework which includes risk assessment, and has become popular in the US for businesses subject to heavy regulation or auditing. The standard is available free to ISACA members or can be purchased by non-members. It will likely require a significant investment of time and skilled personnel to implement. COBIT is likely to suit organisations where legal and regulatory compliance are of utmost importance.
Organisations that seek to implement COBIT will need to choose a suitable way to assess risks that takes into account threats, impacts and vulnerabilities. COBIT is aligned with other well known standards such as ISO 27005. An organisation looking to implement COBIT will also need to take into account the specialist resources that will be necessary to implement this large framework, and ensure their chosen risk assessment method appropriately reflects their threats, vulnerabilities and impacts.