Digital information is the heart of today’s organisations. It’s growing exponentially, and its effective use and management is directly linked to the continued success of the modern enterprise. However, digital technologies and global interconnection have introduced a significant number of new risks and greatly amplified existing ones. There are now many significant, high-profile examples of information risks being realised, and their impacts continue to grow. Organisations simply must improve their management of information risk.
But doing so is a challenge. With the explosion of digital information, it’s not possible for organisations to protect all their information and associated systems to the same level. In addition, threats aren’t monolithic; they vary immensely in origin, intent, strength, and a multitude of other factors. While much has been written on this subject, there are few methodologies that provide an end-to-end approach to presenting a business-focused view of information risk.
That is, until now.
Information Risk Assessment Methodology
At the Information Security Forum, we recently introduced our Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, where many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 methodology can help businesses of all sizes: each of its six phases details the steps and key activities required to achieve the phase objectives, and identifies the key information risk factors and outputs of that phase.
The six IRAM2 phases are:
- Scoping
- Business Impact Assessment
- Threat Profiling
- Vulnerability Assessment
- Risk Evaluation
- Risk Treatment
Let’s take a quick look at each phase.
Scoping
Scoping helps the practitioner to develop a comprehensive understanding of the area to be assessed. This involves understanding the business and technology components that comprise an organisational area and how they interrelate, as well as any other influencing characteristics of the organisation.
The practitioner may find defining an effective scope for a risk assessment to be particularly challenging. This is typically due to the complexities in modern organisations, which make it difficult to fully document or effectively map technology services to discrete business processes. While this difficulty can be mitigated by ensuring appropriate stakeholders are engaged, it is also recommended that you confine the scope to manageable areas for assessment. This may make it necessary to conduct multiple smaller assessments and then aggregate the results.
At the conclusion of the Scoping phase, you will have defined the scope of the environment being assessed, recorded the details and agreed it with key stakeholders.
Business Impact Assessment
Once an environmental profile has been completed and the scope of the assessment has been agreed, the next phase is to identify information assets in the environment and assess the business impact. The foundation for conducting a business impact assessment (BIA) in the context of information risk is the concept of information assets. IRAM2 provides guidance for identifying and assessing different business impact categories. Risk practitioners use this phase to determine the potential business impact should information assets or systems be compromised.
At the conclusion of the BIA phase, you will have gained a solid understanding of the information assets in the environment being assessed, and their business impact ratings. The practitioner will have documented and agreed the completed BIA with key stakeholders.
Threat Profiling
Once the BIA has been completed, the next phase of the assessment is to identify and prioritise the relevant threats to the environment being assessed, and to determine how they could manifest to cause harm to that environment. The first step in threat profiling involves determining which threats are relevant to the environment being assessed, thereby enabling the practitioner to populate a threat landscape.
Once the threat landscape for the environment being assessed has been populated and agreed, each threat it contains should be profiled. The goal of profiling the threats is to assess the relevant threat attributes for each threat, and then use the results to develop an understanding of two key risk factors:
- Likelihood of Initiation (LoI): the likelihood that a particular threat will initiate one or more threat events against the environment being assessed
- Threat Strength (TS): how effectively a particular threat can initiate and/or execute threat events against the environment being assessed
At the conclusion of the Threat Profiling phase, you will have gained a solid understanding of the threats to the environment being assessed, their related threat events, and how they could affect the various information assets in the environment. The practitioner will have recorded and agreed with key stakeholders the prioritised threat landscape, in-scope threat events, and impacted information assets/components.
Vulnerability Assessment
IRAM2 provides guidance for performing an assessment of vulnerabilities that influence the likelihood of a threat event being successful. Risk practitioners use this phase to examine the key factor that affects vulnerability levels: the strength of controls (i.e. their design and operational effectiveness).
At the conclusion of the Vulnerability Assessment phase, you will have gained a solid understanding of the degree to which the information assets within the environment being assessed are vulnerable to each in-scope threat event. The practitioner will have recorded and agreed the results of control assessment and related control strength ratings with key stakeholders.
Risk Evaluation
Once the Scoping, BIA, Threat Profiling and Vulnerability Assessment phases have been completed, the risk assessment can progress to the Risk Evaluation phase.
IRAM2 provides pragmatic guidance to help evaluate risks following the business impact assessment, threat profiling and vulnerability assessment stages. Risk practitioners use this phase to map the likelihood of successful threat events to the most appropriate business impact scenario and to link this into an organisation’s wider enterprise risk framework.
At the conclusion of the Risk Evaluation phase, you will have derived the residual risk rating for all risks in the environment being assessed, and agreed the prioritised residual risk profile.
Risk Treatment
After all risks have been evaluated and a residual risk rating has been determined for each risk, the next phase guides the practitioner through determining a risk treatment approach for each identified risk. Risk treatment typically involves one or more of four options, which are:
- Mitigate: Improving existing controls, or implementing new controls, to reduce the identified risk.
- Avoid: Avoiding one or all actions that lead to the risk.
- Transfer: Changing the impacted party (in whole or in part) for a risk event from the organisation in question, to another willing party.
- Accept: Taking no further action in relation to the risk, and accepting the likelihood of the assessed impact occurring. This should only occur when a risk is within the organisation’s risk appetite.
At the conclusion of the Risk Treatment phase, the IRAM2 process is effectively complete. You will have developed and guided the implementation of a risk treatment plan for every risk in the prioritised residual risk profile. The practitioner should ensure that the final prioritised residual risk profile is recorded in the appropriate risk repositories and managed on an ongoing basis as part of the organisation’s broader enterprise risk management process.
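The risk factors named across the phases above (LoI and TS from threat profiling, control strength from the vulnerability assessment, business impact ratings from the BIA, the residual risk rating and the four treatment options) fit together as one calculation. The following Python is an added illustration and not IRAM2's own rating tables or any ISF code; the three-point scales, the combination rules and the sample threat events are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed 3-point scale for every factor; IRAM2's real rating tables are not on the
# page, so the combination rules below are assumptions made for this illustration.
LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}
@dataclass
class ThreatEvent:
    name: str
    loi: int               # Likelihood of Initiation (threat profiling)
    threat_strength: int   # Threat Strength (threat profiling)
    control_strength: int  # strength of controls (vulnerability assessment)
    impact: int            # business impact rating of the affected asset (BIA)

def likelihood_of_success(ev: ThreatEvent) -> int:
    """Assumed rule: once initiated, an event rates High if the threat outmatches its controls,
    Medium if matched, Low if weaker; success can never be likelier than initiation."""
    if ev.threat_strength > ev.control_strength:
        given_initiation = HIGH
    elif ev.threat_strength == ev.control_strength:
        given_initiation = MEDIUM
    else:
        given_initiation = LOW
    return min(ev.loi, given_initiation)

def residual_risk(ev: ThreatEvent) -> int:
    """Assumed 3x3 matrix: likelihood x impact products 1-2 Low, 3-4 Medium, 6-9 High."""
    product = likelihood_of_success(ev) * ev.impact
    return LOW if product <= 2 else MEDIUM if product <= 4 else HIGH

def treatment_options(residual: int, appetite: int) -> list[str]:
    """Accept is only open within risk appetite; otherwise the other three options remain."""
    return ["Accept"] if residual <= appetite else ["Mitigate", "Transfer", "Avoid"]

def risk_profile(events: list[ThreatEvent], appetite: int) -> list[tuple[str, str, list[str]]]:
    """Prioritised residual risk profile: highest residual risk (then impact) first."""
    ranked = sorted(events, key=lambda e: (residual_risk(e), e.impact), reverse=True)
    return [(e.name, LABEL[residual_risk(e)], treatment_options(residual_risk(e), appetite))
            for e in ranked]

# Constructed sample threat events for a hypothetical finance environment.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing against finance staff", loi=HIGH, threat_strength=MEDIUM, control_strength=LOW, impact=HIGH),
    ThreatEvent("Loss of backup media", loi=LOW, threat_strength=MEDIUM, control_strength=MEDIUM, impact=HIGH),
    ThreatEvent("Public website defacement", loi=MEDIUM, threat_strength=LOW, control_strength=HIGH, impact=LOW),
]

if __name__ == "__main__":
    for name, rating, options in risk_profile(SAMPLE_EVENTS, appetite=MEDIUM):
        print(f"{rating:<6} {name}: {', '.join(options)}")
```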
Identify, Analyse and Treat Risk
Threats, threat events, vulnerabilities and potential impacts are not necessarily static. This results in the need for the practitioner and key stakeholders to review risks on a regular basis, as well as when any contributing factor in the organisation or environment significantly changes.
As information risks and cyber security threats increase, organisations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organisation is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyse and treat information risk throughout the organisation.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
This article is brought to you by Enex TestLab, content directors for CSO Australia.