The Organisation’s approach to risk, which has been specifically approved and authorised by management, is contained in the risk management framework, which it applies to its overall strategic planning process. The risk management framework is designed to identify and assess risks (including information security risk) in the business plan, to identify and evaluate options for the treatment of those risks, and to select control objectives and controls that will reduce those risks to acceptable levels within the context of the business plan, operational requirements, constraints and objectives and national and international legislation and regulation. [ISO17799 4.1 and 4.2]
CIO has decided not to use an automated tool to perform risk assessments. Instead it has sought advice from the external security consultants VigiTrust to set out the initial procedures and documentation and, in conjunction and co-operation with the Digi-CAST3™ Team, has been trained on the use of this manual and on the implementation of the procedures necessary to produce a number of methodologies for performing risk assessment on a regular basis.
Risk assessment projects need to be carried out regularly and need to help CIO identify the threat landscape, the vulnerabilities and the threat level associated with each vulnerability, against each of its tangible and intangible assets.
CIO opted to work with Digi-Sign because of its knowledge of Certificate Authority [CA] and Public Key Infrastructures [PKI] and with VigiTrust because of their expertise in the field of risk assessment for particularly sensitive information and projects related to the security of sensitive assets.
CIO considered tools such as RA2 or equivalent products on the market. However, these tools require a deep understanding of the current security threat landscape and are only fully effective in the hands of security professionals.
It was therefore decided to work with security consultants who had their own methodologies backed by a proven track record of helping blue chip organizations to meet security best practice guidelines.
Some initial research was conducted by CIO as to whether an automated tool would be appropriate to perform the risk assessment tasks related to this project. It was very quickly identified that consultants would be required in order to engage with CIO and conduct risk assessments. After a full tendering process in accordance with the laws of the Kingdom of Bahrain and a lengthy and careful consideration process, Batelco and Digi-Sign were selected to provide this service to the CIO in co-operation with Digi-Sign’s ISO consultancy partner VigiTrust.
The chosen methodology is based on benchmarking the vulnerabilities and threats to each asset against a risk matrix. The matrix consists of an evaluation of the asset in terms of its importance to CIO, the assignment of a probability (likelihood) to each threat and the determination of an absolute impact for the threat. The risk is calculated as follows:
Risk (aka “Absolute risk”) = Probability of Threat * Absolute Impact of Threat
The information below details all of the elements of this risk calculation model:
Evaluation of Assets
The operation owner defines the value of each asset identified, depending on his perception of the impact on operations (or on users in general) in case of loss, theft, inaccessibility, deterioration / corruption or any other security violation. Perceived value is ranked as follows:
Unimportant (0) Damage on the asset never affects the data system
Not very important (1) Damage on the asset has very little impact on the data system. The data system keeps operating. Damage on it does not tarnish the company name.
Medium (2) Damage on the asset affects the data system. The data system keeps operating but the asset in question must be replaced. Damage thereon can affect the company name negatively to a somewhat noticeable extent.
Important (3) Damage on the asset has major impact on the data system. The data system is only half operational in that it may not be fully accessible or its integrity might have been somewhat compromised. The asset in question must be replaced. Damage thereon affects the company name adversely.
Very important (4) The asset plays a major part for the operation of the data system. Damage on the asset has a huge impact on the operability of the data system. Only parts of the data system remain useable. Damage thereon has substantial adverse impact on the company name.
Extremely important (5) The asset is essential for the operation of the data system. Damage on the asset directly influences the data system. The data system is out of operation. Damage thereof has very adverse impact on the company name.
At this stage potential vulnerabilities are listed for each asset. Vulnerabilities are the weaknesses identified for assets. Potential threats are then listed for each asset. Threats are the potential means by which vulnerabilities can be misused or exploited.
Important Note: The value as determined by the above procedure is entered in the “Critical” column of the Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.
Threat Probability Values
Negligible (0) Not likely to happen.
Very low (1) Twice or three times in a period of 5 years.
Low (2) May happen once a year or a shorter period of time.
Medium (3) May happen every six months or within a period of time between one and six months.
High (4) May happen once a month or within a period of time between 2 days to one month.
Very high (5) May happen once a day.
Extremely High (6) May happen multiple times a day.
Threat Impact Values
Unimportant (0) The threat has no impact on the asset.
Small (1) The threat has little impact on the asset. There is no need to repair or re-configure the asset.
Important (2) Although the impact of the threat is minor and is only reported by a few persons or organizations, the threat can still cause concrete damage. Corrective action involving time, effort and financial input may have to be implemented to make up for the damage and eradicate the issues.
Detrimental (3) The threat can damage the reputation of the asset and system operators. Significant spending may be necessary to repair the damage and eradicate the issues.
Serious (4) The threat inflicts substantial damage on the asset, and/or many staff members and the organization itself may be significantly impacted by the damage. Large scale restructuring may be necessary in the damaged system. Corrective action needs to be taken to eradicate the issues.
Very serious (5) The threat causes the asset to be out of operation indefinitely. It requires the system to be totally re-designed and re-structured. Corrective action needs to be taken to eradicate the issues.
The absolute risk is obtained from the values detailed above according to the formula Absolute Risk = Threat Probability Value * Threat Impact Value.
So by locating the “Threat Probability Value” (0 – 6) in the first column of the following Risk Calculation Table and then reading across that row to the column for the “Threat Impact Value” (0 – 5), the “Absolute Risk Value” can be read off.
Important Note: All three values are entered in the Risk Treatment Plan file that accompanies this document and is referenced “Digi-CAST Asset List & Risk Treatment Issue 001-071107.xls”.
Every time an asset is added to or removed from the Trust Centre, this Digi-CAST™ Manual and the “Digi-CAST Asset List & Risk Treatment” must be updated and must be signed by the Information Security Manager.
In addition, the new Issue must be circulated to all members of the Trust Centre Team and Trust Centre Management. This is the responsibility of the Information Security Manager.
Risk Calculation Table
Probability of the Threat to Happen | Unimportant (0) | Minor (1) | Important (2) | Detrimental (3) | Serious (4) | Very serious (5) |
Negligible (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) |
Very low (1) | None (0) | Low (1) | Low (2) | Low (3) | Medium (4) | Medium (5) |
Low (2) | None (0) | Low (2) | Medium (4) | Medium (6) | High (8) | High (10) |
Medium (3) | None (0) | Low (3) | Medium (6) | High (9) | High (12) | Critical (15) |
High (4) | None (0) | Medium (4) | High (8) | High (12) | Critical (16) | Very High (20) |
Very High (5) | None (0) | Medium (5) | High (10) | Critical (15) | Very High (20) | Very High (25) |
Extremely High (6) | None (0) | Medium (6) | High (12) | Critical (18) | Very High (24) | Very High (30) |
Absolute Risk Table
Absolute Risk | Risk Score | Multiplication Values |
None | 0 | 0 |
Low | 1 | 1, 2, 3 |
Medium | 2 | 4, 5, 6 |
High | 3 | 8, 9, 10, 12 |
Critical | 4 | 15, 16, 18 |
Very high | 5 | 20, 24, 25, 30 |
The Actual Risk Value is calculated using the following final formulae:
1. Absolute Risk = Probability of the Threat * Absolute Impact of the Threat
2. Absolute Risk Score = Simplified Absolute Risk Score, read from the Absolute Risk Table (Table 4)
3. Actual Risk Value = Absolute Risk Score (from step 2) * Asset Value
Identification of Targets, Controls and Counter Measures and Management of Risks
3–Step Absolute Risk Calculation
Step 1
Take into consideration the impact of an event using the “Threat Impact Values” scale above (0 - 5).
Step 2
Then consider the likelihood of it happening using the “Threat Probability Values” scale above (0 - 6).
Step 3
Then use the table, which gives you the risk for the RTP (Risk Treatment Plan); it is a basic multiplier. The value you get will appear in the “Absolute Risk Table” and this enables you to label the risk appropriately.
Example
Rack server:
The Rack could be physically damaged or it could collapse resulting in machines having to be powered off before being moved - results in disruption to services.
Probability of that happening is low (2) however impact of the issue, if it did happen, is high (4) as it would seriously disrupt services. Therefore the Absolute Risk Value is 4 x 2 = 8. The Absolute Risk (8) is then entered in the Absolute Risk column of the Digi-CAST Asset List & Risk Treatment.
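The three-step calculation and the Actual Risk Value formula above, carried through in Python as an added example (this is not the Digi-CAST manual's own tool or spreadsheet). It regenerates the Risk Calculation Table from the formula and scores the rack server example; the asset value of 4 used for the rack is an assumption, since the example above does not state one.

```python
# Added example: the Digi-CAST scoring arithmetic, built from the scales and
# tables in this manual. Not the manual's own tool.

# Threat Probability Values (0-6) and Threat Impact Values (0-5), as above.
PROBABILITY = {0: "Negligible", 1: "Very low", 2: "Low", 3: "Medium",
               4: "High", 5: "Very high", 6: "Extremely high"}
IMPACT = {0: "Unimportant", 1: "Small", 2: "Important", 3: "Detrimental",
          4: "Serious", 5: "Very serious"}

# Absolute Risk Table: (label, risk score) -> the multiplication values it covers.
ABSOLUTE_RISK_TABLE = {
    ("None", 0): (0,),
    ("Low", 1): (1, 2, 3),
    ("Medium", 2): (4, 5, 6),
    ("High", 3): (8, 9, 10, 12),
    ("Critical", 4): (15, 16, 18),
    ("Very high", 5): (20, 24, 25, 30),
}
# Reverse lookup: product of probability * impact -> (label, score).
SCORE_BY_PRODUCT = {p: key for key, prods in ABSOLUTE_RISK_TABLE.items() for p in prods}


def absolute_risk(probability: int, impact: int) -> int:
    """Steps 1-3: Absolute Risk = Threat Probability Value * Threat Impact Value."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("probability must be 0-6 and impact 0-5")
    return probability * impact


def absolute_risk_score(risk: int) -> tuple:
    """Map an Absolute Risk product onto the (label, score) of the Absolute Risk Table."""
    return SCORE_BY_PRODUCT[risk]


def actual_risk_value(probability: int, impact: int, asset_value: int) -> int:
    """Actual Risk Value = Absolute Risk Score * Asset Value (asset value 0-5)."""
    if asset_value not in range(6):
        raise ValueError("asset value must be 0-5")
    _, score = absolute_risk_score(absolute_risk(probability, impact))
    return score * asset_value


def risk_calculation_table() -> dict:
    """Regenerate the Risk Calculation Table: (probability, impact) -> (label, product)."""
    return {(p, i): (absolute_risk_score(p * i)[0], p * i) for p in PROBABILITY for i in IMPACT}


if __name__ == "__main__":
    # Worked example from the manual: rack server, probability Low (2), impact 4.
    risk = absolute_risk(2, 4)                       # 8
    label, score = absolute_risk_score(risk)         # ("High", 3)
    # Asset value 4 ("Very important") is an assumed figure, not given in the manual.
    print(f"Absolute Risk {risk} -> {label} (score {score}); "
          f"Actual Risk Value {actual_risk_value(2, 4, 4)}")
```

Every product the two scales can produce is listed in the Absolute Risk Table, so the lookup never misses; an out-of-range probability, impact or asset value is rejected before it can distort the score.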
In Summary
Low Absolute Risk Value is typically low to high impact with little probability of occurrence (or vice versa).
High Absolute Risk Value is typically high impact and high probability (unusual and rare, but may occur).
Medium Absolute Risk Value is more complicated and requires careful attention as it suggests that the impact would be medium to high and so is the probability. This is where indicating actual controls in place will ensure that a proper risk assessment has been conducted.
Consider the asset and carefully consider the likelihood of the potential threat happening. Should it happen, what impact would it have on the CIO Trust Centre? Then, using the above system, assign figures and calculate the Absolute Risk Value.
The CIO Trust Centre staff must understand the scoring mechanism, and regular training should be provided by the Information Security Manager to all the members of the Trust Centre Team. In addition, ongoing security awareness through training, the reference manual, demonstration and incident reporting, resolution and documentation is provided in order for the Trust Centre Team to keep abreast of the latest threats, so as to be able to continually assess risks and take pre-emptive action.
The Organisation’s method for risk assessment is to use the risk assessment tool in this Digi-CAST™ Manual and the procedure as set out below. This tool and methodology are suitable for the scope of the Organisation’s ISMS (Section 1), the business objectives (3.1b1 above), the security, contractual, legal and regulatory requirements (3.1b2 above) and the risk management framework that were identified earlier. The selection criteria are set out in DOC 4.2 [ISO27001 4.2.1c] and the risk assessment procedure itself is carried out as described in DOC 4.4.
This method of risk assessment is applied throughout the Organization in respect of information risks.
The Information Security Manager is responsible for carrying out risk assessments wherever they are required by the ISMS.
Procedure
Controls are implemented according to relevant associated processes and OWIs pertaining to each threat.
The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to the Trust Centre team members on request.
This procedure was approved by the Director General of IT and the President of the CIO on 08 November 2007 and is issued on a version-controlled basis under their signatures.
The Organisation has a documented approach (framework in DOC 4.3, tool in DOC 4.2 and procedure/methodology in DOC 4.4) to risk assessment.
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue