Information Risk
Risk Assessment (RA)
Evaluation of risks is based on a combination of the impact of risk occurrence and the likelihood of occurrence. The formal risk assessment is the work product of the following processes:
Risk Identification
Credible threats are identified. In order to be credible, threats need to be realistic and there must be a known vulnerability. For each of these credible threats, the impact on assets is decided. This constitutes the Business Impact Assessment (BIA).
Risk Analysis
The probability of occurrence of each identified risk is decided. These probabilities must be determined according to agreed and consistent criteria. Likelihood can be assessed quantitatively (e.g. referring to statistical evidence about viruses), qualitatively (e.g. assuming that a weak password is a vulnerability), or semi-quantitatively. This constitutes the Likelihood Assessment (LA).
Risk Evaluation
The LA and BIA are combined to plot a risk matrix, which constitutes the overall formal Risk Assessment. As with the LA itself, the RA can be completed either qualitatively (e.g. ‘insignificant’ impact combined with ‘negligible’ likelihood could constitute the lowest level of risk) or quantitatively (e.g. in terms of potential revenue lost). It’s important that any assessment is finally presented in a format appropriate to the audience (i.e. in business terms).
Risk Management
Risk management is a cycle following the ISO 27001 ‘Plan-Do-Check-Act’ (PDCA) model:
- Context Establishment: understanding assets in the organizational model (also understanding objectives and inter-organizational relationships)
- Risk Identification: credible threats are identified and a BIA performed for each
- Risk Analysis: an LA is performed for each identified risk
- Risk Evaluation: a formal RA is completed. The RA will dictate categories of controls and prioritisation. Risks should be recorded in a comprehensive risk register including:
  - threat details
  - impact
  - likelihood
  - risk level
  - recommended strategic control
  - actions to be taken
  - action accountability and completion date
  - review date
  The risk register provides formal documentation for independent visibility and facilitates monitoring.
- Risk Treatment
Monitoring and Review, and Communication and Consultation, are parallel processes to the risk management cycle. In particular, monitoring and review produces input to context establishment.
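As an added illustration (not part of these notes), the following Python model puts the Risk Evaluation step and the risk register above into working form: it combines the LA and BIA semi-quantitatively into a risk level, records the listed register fields, prioritises entries, and flags overdue reviews as input to monitoring. The ordinal scale labels, band thresholds and register entries are constructed for the example, not taken from ISO 27001 or the notes.

```python
from dataclasses import dataclass, field
from datetime import date
# Ordinal scales, lowest to highest; labels are constructed, not from the notes or ISO 27001.
LIKELIHOOD = ["negligible", "low", "medium", "high", "almost certain"]
IMPACT = ["insignificant", "minor", "moderate", "major", "severe"]
LEVELS = ["low", "medium", "high", "critical"]

def risk_level(likelihood: str, impact: str) -> str:
    """Semi-quantitative RA: multiply the 1..5 positions from LA and BIA, then band."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if score <= 4:
        return "low"      # 'negligible' x 'insignificant' scores 1: lowest level
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "critical"

@dataclass
class RiskEntry:
    """One risk register row, carrying the fields the notes above list."""
    threat: str
    impact: str
    likelihood: str
    recommended_control: str
    actions: str
    owner: str                      # action accountability
    completion_date: date
    review_date: date
    level: str = field(init=False)  # derived from LA x BIA, never hand-typed

    def __post_init__(self):
        self.level = risk_level(self.likelihood, self.impact)

def prioritise(register: list) -> list:
    """Highest risk level first; ties broken by the earliest review date."""
    return sorted(register, key=lambda e: (-LEVELS.index(e.level), e.review_date))

def overdue_reviews(register: list, today: date) -> list:
    """Threats whose review date has passed: the monitoring-and-review hook."""
    return [e.threat for e in register if e.review_date < today]
# Constructed sample register (illustrative entries, not from the page).
SAMPLE_REGISTER = [
    RiskEntry("Ransomware delivered by phishing", "major", "high", "Mail filtering and offline backups",
              "Deploy attachment sandboxing", "IT Security Manager", date(2024, 9, 30), date(2024, 12, 1)),
    RiskEntry("Loss of unencrypted laptop", "moderate", "medium", "Full-disk encryption",
              "Enforce encryption by policy", "Desktop Lead", date(2024, 10, 15), date(2025, 6, 1)),
    RiskEntry("Datacentre power outage", "severe", "low", "UPS and generator test schedule",
              "Quarterly failover test", "Facilities Manager", date(2024, 8, 1), date(2024, 11, 15)),
]
```

Because the level is derived in `__post_init__`, re-assessing likelihood or impact and rebuilding the entry keeps the register consistent with the matrix rather than relying on a hand-maintained column.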
Valuation and Classification of Information Assets
The value of information assets depends upon:
- the function of the asset
- how long the business can maintain normal operations in the absence of the asset
- time/difficulty/cost to recover or replace the asset
- how frequently the asset changes
- losses and loss of potential earnings in the absence of the asset
All information assets should be associated with an owner. The owner should have an understanding of the value of the asset and its importance to the organization.
Information classification policies
There’s no single correct model for this, but three or four levels are generally accepted. Each level of classification requires protection appropriate to the impact of an inappropriate release. The policies should also identify procedures for handling, distributing, storing, and disposing of such assets. These policies must be supported by robust, clear, comprehensive, and available documentation.
Each asset should be categorized and protectively marked clearly and unambiguously. The classification of assets should be in accordance with valuation against an agreed impact system. In addition to the main classification values, asset classification may also have caveats defining additional levels of protection such as: ‘Intellectual Property’ (subject to non-disclosure policies), ‘Human Resources Only’ (containing personally sensitive information for release to authorised members of the HR role only).