IT risk management - Wikipedia


(Figure: Risk management elements)

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e. the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization.

IT risk management can be considered a component of a wider enterprise risk management system.[1]

The establishment, maintenance and continuous update of an information security management system (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.[2]

Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.[3]

According to the Risk IT framework,[1] IT risk encompasses not only the negative impact of operations and service delivery, which can destroy or reduce the value of the organization, but also benefit-enabling risk, i.e. the risk of missing opportunities to use technology to enable or enhance the business, and IT project delivery risk, such as overspending or late delivery with adverse business impact.

Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.
Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood × Impact).[4]

The measure of an IT risk can be determined as a product of threat, vulnerability and asset values:[5]

Risk = Threat × Vulnerability × Asset

A more recent risk management framework for IT risk is the TIK framework:[6]

Risk = ((Vulnerability × Threat) / Countermeasure) × Asset value at risk

The factors in these formulas are usually scored on ordinal scales, so the products rank risks relative to one another rather than measuring an expected loss; the quantitative estimation described under Risk estimation (single loss expectancy and annualized loss expectancy) is needed for absolute figures.

The process of risk management is an ongoing, iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. The choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

Definitions

The Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT governance, provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."[7]
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.[8]

The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real-world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.[8]

(Figure: Relationships between IT security entities)

Risk management in the IT world is quite a complex, multifaceted activity, with many relations to other complex activities. The figure shows the relationships between the different related terms.

The American National Information Assurance Training and Education Center defines risk management in the IT field as:[9]

The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.

An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:
a Risk assessment, as derived from an evaluation of threats and vulnerabilities.
Management decision.
Control implementation.
Effectiveness review.
The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.

The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

Risk management as part of enterprise risk management

Some organizations have, and many others should have, a comprehensive enterprise risk management (ERM) system in place. The four objective categories addressed, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), are:
Strategy - high-level goals, aligned with and supporting the organization's mission
Operations - effective and efficient use of resources
Financial Reporting - reliability of operational and financial reporting
Compliance - compliance with applicable laws and regulations

According to the Risk IT framework by ISACA,[10] IT risk is transversal to all four categories. IT risk should be managed within the framework of enterprise risk management: the risk appetite and risk sensitivity of the whole enterprise should guide the IT risk management process. ERM should provide the context and business objectives to IT risk management.

Risk management methodology

(Figure: ENISA: The Risk Management Process, according to ISO Standard 13335)

Whilst a methodology does not describe specific methods, it does specify several processes (constituting a generic framework) that need to be followed. These processes may be broken down into sub-processes, they may be combined, or their sequence may change. A risk management exercise must carry out these processes in one form or another. The following table compares the processes foreseen by three leading standards.[3] The ISACA Risk IT framework is more recent. The Risk IT Practitioner Guide[11] compares Risk IT and ISO 27005.

The term methodology means an organized set of principles and rules that drive action in a particular field of knowledge.[3]

The overall comparison is illustrated in the following table.
Risk management constituent processes

| ISO/IEC 27005:2008 | BS 7799-3:2006 | NIST SP 800-39 | Risk IT |
|---|---|---|---|
| Context establishment | Organizational context | Frame | RG and RE domains, more precisely: RG1.2 Propose IT risk tolerance; RG2.1 Establish and maintain accountability for IT risk management; RG2.3 Adapt IT risk practices to enterprise risk practices; RG2.4 Provide adequate resources for IT risk management; RE2.1 Define IT risk analysis scope |
| Risk assessment | Risk assessment | Assess | The RE2 process includes: RE2.1 Define IT risk analysis scope; RE2.2 Estimate IT risk; RE2.3 Identify risk response options; RE2.4 Perform a peer review of IT risk analysis. In general, the elements described in the ISO 27005 process are all included in Risk IT; however, some are structured and named differently |
| Risk treatment | Risk treatment and management decision making | Respond | RE2.3 Identify risk response options; RR2.3 Respond to discovered risk exposure and opportunity |
| Risk acceptance | | | RG3.4 Accept IT risk |
| Risk communication | Ongoing risk management activities | | RG1.5 Promote IT risk-aware culture; RG1.6 Encourage effective communication of IT risk; RE3.6 Develop IT risk indicators |
| Risk monitoring and review | | Monitor | RG2 Integrate with ERM; RE2.4 Perform a peer review of IT risk analysis; RG2.5 Provide independent assurance over IT risk management |

Due to the probabilistic nature of risk and the need for cost benefit analysis, IT risks are managed following a process that, according to NIST SP 800-30, can be divided into the following steps:[8]
risk assessment,
risk mitigation, and
evaluation and assessment.

Effective risk management must be totally integrated into the Systems Development Life Cycle.[8]

Information risk analysis conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies.[12]

Context establishment

This step is the first step in the ISO/IEC 27005 framework. Most of the elementary activities are foreseen as the first sub-process of risk assessment according to NIST SP 800-30.
This step implies the acquisition of all relevant information about the organization and the determination of the basic criteria, purpose, scope and boundaries of risk management activities, and of the organization in charge of risk management activities. The purpose is usually compliance with legal requirements and providing evidence of due diligence supporting an ISMS that can be certified. The scope can be an incident reporting plan or a business continuity plan. Another area of application can be the certification of a product.

Criteria include the risk evaluation, risk acceptance and impact evaluation criteria. These are conditioned by:[13]
legal and regulatory requirements
the strategic value for the business of information processes
stakeholder expectations
negative consequences for the reputation of the organization

In establishing the scope and boundaries, the organization should be studied: its mission, its values, its structure, its strategy, its locations and its cultural environment. The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as a guide for the next steps.

Organization for security management

The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS.[14] The main roles inside this organization are:[8]
Senior Management
Chief information officer (CIO)
System and Information owners, such as the Chief Data Officer (CDO) or Chief Privacy Officer (CPO)
the business and functional managers
the Information System Security Officer (ISSO) or Chief information security officer (CISO)
IT Security Practitioners
Security Awareness Trainers

Risk assessment

(Figure: ENISA: Risk assessment inside risk management)

Risk management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measures and the enforced security policy. By contrast, risk assessment is executed at discrete time points (e.g. once a year, on demand, etc.) and, until the next assessment is performed, provides a temporary view of assessed risks while parameterizing the entire risk management process.
This view of the relationship of risk management to risk assessment is depicted in the figure, as adopted from OCTAVE.[2]

Risk assessment is often conducted in more than one iteration, the first being a high-level assessment to identify high risks, while the other iterations detail the analysis of the major risks and other risks.

According to the National Information Assurance Training and Education Center, risk assessment in the IT field is:[9]

A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications.

The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.

An identification of a specific ADP facility's assets, the threats to these assets, and the ADP facility's vulnerability to those threats.

An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.

A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between cost/benefit of the safeguard and sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis (i.e., risk analysis) of a large scale computer installation. Risk assessment methodologies may vary from qualitative or quantitative approaches to any combination of these two approaches.
ISO 27005 framework

Risk assessment receives as input the output of the previous step, context establishment; the output is the list of assessed risks prioritized according to the risk evaluation criteria. The process can be divided into the following steps:[13]
Risk analysis, further divided into:
  Risk identification
  Risk estimation
Risk evaluation

The following table compares these ISO 27005 processes with the Risk IT framework processes:[11]

Risk assessment constituent processes

| ISO 27005 | Risk IT |
|---|---|
| Risk analysis | RE2 Analyse risk comprises more than what is described by the ISO 27005 process step. RE2 has as its objective developing useful information to support risk decisions that take into account the business relevance of risk factors. RE1 Collect data serves as input to the analysis of risk (e.g., identifying risk factors, collecting data on the external environment). |
| Risk identification | This process is included in RE2.2 Estimate IT risk. The identification of risk comprises the following elements: risk scenarios; risk factors |
| Risk estimation | RE2.2 Estimate IT risk |
| Risk evaluation | RE2.2 Estimate IT risk |

The ISO/IEC 27002:2005 Code of practice for information security management recommends that the following be examined during a risk assessment:
security policy,
organization of information security,
asset management,
human resources security,
physical and environmental security,
communications and operations management,
access control,
information systems acquisition, development and maintenance (see Systems Development Life Cycle),
information security incident management,
business continuity management, and
regulatory compliance.
Risk identification

(Figure: OWASP: relationship between threat agent and business impact)

Risk identification states what could cause a potential loss; the following are to be identified:[13]
assets, primary (i.e. business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)
threats
existing and planned security measures
vulnerabilities
consequences
related business processes

The output of the sub-process is made up of:
a list of assets and related business processes to be risk managed, with the associated list of threats and existing and planned security measures
a list of vulnerabilities unrelated to any identified threats
a list of incident scenarios with their consequences.

Risk estimation

There are two methods of risk assessment in the information security field, quantitative and qualitative.[15]

Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application). For each risk scenario, taking into consideration the different risk factors, a single loss expectancy (SLE) is determined. Then, considering the probability of occurrence on a given period basis, for example the annual rate of occurrence (ARO), the annualized loss expectancy (ALE) is determined as the product of ARO and SLE.[5] It is important to point out that the asset values to be considered are those of all involved assets, not only the value of the directly affected resource. For example, if you consider the risk scenario of a laptop theft threat, you should consider the value of the data (a related asset) contained in the computer and the reputation and liability of the company (other assets) deriving from the loss of availability and confidentiality of the data that could be involved.
It is easy to understand that intangible assets (data, reputation, liability) can be worth much more than the physical resources at risk (the laptop hardware in the example).[16] Intangible asset value can be huge, but is not easy to evaluate: this can be a consideration against a purely quantitative approach.[17]

Qualitative risk assessment (a three- to five-step scale, from Very High to Low) is performed when the organization requires a risk assessment to be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment do not have the sophisticated mathematical, financial, and risk assessment expertise required.[15] Qualitative risk assessment can be performed in a shorter period of time and with less data. Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Qualitative risk assessments are descriptive rather than measurable. Usually a qualitative classification is done first, followed by a quantitative evaluation of the highest risks to be compared with the costs of security measures.

Risk estimation has as input the output of risk analysis and can be split into the following steps:
assessment of the consequences through the valuation of assets
assessment of the likelihood of the incident (through threat and vulnerability valuation)
assignment of values to the likelihood and consequence of the risks

The output is the list of risks with value levels assigned. It can be documented in a risk register.
Risks arising from security threats and adversary attacks may be particularly difficult to estimate. This difficulty is made worse because, at least for any IT system connected to the Internet, any adversary with intent and capability may attack, since physical closeness or access is not necessary. Some initial models have been proposed for this problem.[18]

During risk estimation there are generally three values for a given asset, one for the loss of each of the CIA properties: confidentiality, integrity, availability.[19]

Risk evaluation

The risk evaluation process receives as input the output of the risk analysis process. It compares each risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.

NIST SP 800-30 framework

(Figure: Risk assessment according to NIST SP 800-30, Figure 3-1)

To determine the likelihood of a future adverse event, threats to an IT system must be analysed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment methodology encompasses nine primary steps:[8]
Step 1 System Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation

Risk mitigation

Risk mitigation, the second process of risk management according to SP 800-30 and the third according to ISO 27005, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission.
ISO 27005 framework

The risk treatment process aims at selecting security measures to:
reduce
retain
avoid
transfer
the risk, and at producing a risk treatment plan, which is the output of the process, with the residual risks subject to the acceptance of management.

There are lists from which appropriate security measures can be selected,[14] but it is up to the individual organization to choose the most appropriate ones according to its business strategy, the constraints of its environment and its circumstances. The choice should be rational and documented. The importance of accepting a risk that is too costly to reduce is very high, and led to risk acceptance being considered a separate process.[13]

Risk transfer applies where the risk has a very high impact but it is not easy to reduce the likelihood significantly by means of security controls: the insurance premium should be compared against the mitigation costs, possibly evaluating a mixed strategy to partially treat the risk. Another option is to outsource the risk to somebody better placed to manage it.[20]

Risk avoidance describes any action where the ways of conducting business are changed to avoid any risk occurrence. For example, the choice of not storing sensitive information about customers can be an avoidance of the risk that customer data is stolen.

The residual risks, i.e. the risks remaining after risk treatment decisions have been taken, should be estimated to ensure that sufficient protection is achieved. If the residual risk is unacceptable, the risk treatment process should be iterated.
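The following is an added worked example, not code from the article or from any of the cited frameworks, that carries the risk estimation, risk evaluation and risk treatment steps described above through one small risk register: a qualitative screen on the page's Very High to Low scale, then SLE and ALE computed over all involved assets (the article's laptop-theft example, valued as hardware plus data plus reputation and liability), a comparison against a risk acceptance criterion, a cost-benefit check of each candidate control, and a reduce / retain / transfer / avoid decision with the residual risk that management would have to accept. All asset values, rates, control effects, the acceptance threshold and the insurance premium are constructed figures, and the model in which a control scales ARO or SLE by a fixed factor is an assumption made for illustration.

```python
"""Added example: an ISO 27005-style estimation, evaluation and treatment pass over
a constructed risk register. Nothing here is taken from the article's sources."""
from dataclasses import dataclass

# Qualitative scale used by the article ("three to five steps, from Very High to Low").
LEVELS = ["Low", "Medium", "High", "Very High"]


@dataclass
class Asset:
    name: str
    value: float  # monetary value (constructed)


@dataclass
class Control:
    """Candidate safeguard; factors scale ARO or SLE, 1.0 = no effect (assumed model)."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0


@dataclass
class Scenario:
    name: str
    assets: list            # every involved asset, not only the one directly hit
    exposure_factor: float  # share of the involved value lost in one incident, 0..1
    aro: float              # annual rate of occurrence, untreated
    likelihood: str         # qualitative levels, e.g. from interviews
    impact: str

    def sle(self, control=None):
        """Single loss expectancy over all involved assets, after an optional control."""
        factor = control.impact_factor if control else 1.0
        return sum(a.value for a in self.assets) * self.exposure_factor * factor

    def ale(self, control=None):
        """Annualized loss expectancy = ARO x SLE, as defined in the article."""
        factor = control.likelihood_factor if control else 1.0
        return self.aro * factor * self.sle(control)


def qualitative_level(likelihood, impact):
    """Screening step: ordinal likelihood x impact (1..16) binned back onto LEVELS."""
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    return "Very High" if score >= 12 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def safeguard_value(scenario, control):
    """Cost-benefit of a control: ALE before, minus ALE after, minus its annual cost."""
    return scenario.ale() - scenario.ale(control) - control.annual_cost


def treat(scenario, controls, acceptable_ale, insurance_premium=None):
    """Risk treatment decision: retain, reduce, transfer or avoid, with residual risk."""
    if scenario.ale() <= acceptable_ale:
        return {"option": "retain", "residual_ale": scenario.ale(), "control": None}
    # Reduce: controls that bring residual risk under the criterion and save more than they cost.
    viable = [c for c in controls
              if scenario.ale(c) <= acceptable_ale and safeguard_value(scenario, c) > 0]
    if viable:
        best = max(viable, key=lambda c: safeguard_value(scenario, c))
        return {"option": "reduce", "residual_ale": scenario.ale(best), "control": best.name}
    # Transfer: high impact that controls cannot make acceptable; only if the premium beats the ALE.
    if insurance_premium is not None and insurance_premium < scenario.ale():
        return {"option": "transfer", "residual_ale": insurance_premium, "control": "insurance"}
    # Avoid: change the way of doing business so the scenario cannot occur.
    return {"option": "avoid", "residual_ale": 0.0, "control": None}


def prioritise(scenarios):
    """Risk evaluation output: the register ordered by qualitative level, then by ALE."""
    return sorted(scenarios, reverse=True,
                  key=lambda s: (LEVELS.index(qualitative_level(s.likelihood, s.impact)), s.ale()))


# Constructed register: the article's laptop-theft example plus two contrasting scenarios.
LAPTOP_THEFT = Scenario("Laptop theft",
                        [Asset("laptop hardware", 1_500), Asset("customer data on disk", 50_000),
                         Asset("reputation and liability", 100_000)],
                        exposure_factor=1.0, aro=0.5, likelihood="High", impact="High")
RANSOMWARE = Scenario("Ransomware on legacy order system", [Asset("order processing", 500_000)],
                      exposure_factor=0.8, aro=0.3, likelihood="Medium", impact="Very High")
FLOOD = Scenario("Flooding at hosting site", [Asset("service availability", 400_000)],
                 exposure_factor=0.5, aro=0.02, likelihood="Low", impact="High")
CONTROLS = {
    "Laptop theft": [Control("Full-disk encryption", 4_000, impact_factor=0.02),
                     Control("Cable locks and awareness", 2_000, likelihood_factor=0.6)],
    "Ransomware on legacy order system": [Control("Offline backups", 10_000, impact_factor=0.3)],
    "Flooding at hosting site": [],
}
ACCEPTABLE_ALE = 5_000.0  # risk acceptance criterion fixed during context establishment (constructed)


def run_register():
    """Estimate, evaluate and treat every scenario; returns {scenario name: decision}."""
    plan = {}
    for s in prioritise([LAPTOP_THEFT, RANSOMWARE, FLOOD]):
        premium = 30_000.0 if s is RANSOMWARE else None  # only one insurer quote, constructed
        plan[s.name] = treat(s, CONTROLS[s.name], ACCEPTABLE_ALE, premium)
    return plan


if __name__ == "__main__":
    for name, d in run_register().items():
        print(f"{name:36} {d['option']:9} residual ALE {d['residual_ale']:>9,.0f}  {d['control'] or ''}")
```

With these figures the laptop scenario has an ALE of 75,750 against a 5,000 criterion; cable locks cut the likelihood but leave 45,450, while full-disk encryption removes almost all of the data and reputation loss for 4,000 a year and leaves 1,515, so it is selected and that residual is what management accepts. The ransomware scenario cannot be brought under the criterion by backups alone, so the premium is compared with the expected loss and the risk is transferred; with no insurer quote the same scenario falls through to avoidance. The flood scenario is already below the criterion and is retained. Any change to an asset value, rate or control cost reruns the whole decision, which is the iteration the text calls for when residual risk is unacceptable.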
NIST SP 800-30 framework

(Figure: Risk mitigation methodology flowchart from NIST SP 800-30, Figure 4-2)
(Figure: Risk mitigation action points according to NIST SP 800-30, Figure 4-1)

Risk mitigation is a systematic methodology used by senior management to reduce mission risk.[8] Risk mitigation can be achieved through any of the following risk mitigation options:
Risk Assumption. To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgement. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities: this is the advice given in NIST SP 800-30.[8]

Risk communication

Main article: Risk management § Risk communication

Risk communication is a horizontal process that interacts bidirectionally with all other processes of risk management. Its purpose is to establish a common understanding of all aspects of risk among all the organization's stakeholders. Establishing a common understanding is important, since it influences the decisions to be taken. The Risk Reduction Overview method[21] is specifically designed for this process. It presents a comprehensible overview of the coherence of risks, measures and residual risks to achieve this common understanding.
Risk monitoring and review

Risk management is an ongoing, never-ending process. Within this process, implemented security measures are regularly monitored and reviewed to ensure that they work as planned and that changes in the environment have not rendered them ineffective. Business requirements, vulnerabilities and threats can change over time.

Regular audits should be scheduled and should be conducted by an independent party, i.e. somebody not under the control of whoever is responsible for the implementation or daily management of the ISMS.

IT evaluation and assessment

Security controls should be validated. Technical controls are possibly complex systems that have to be tested and verified. The hardest part to validate is people's knowledge of procedural controls and the effectiveness of the actual application of the security procedures in daily business.[8]

Vulnerability assessment, both internal and external, and penetration testing are instruments for verifying the status of security controls. An information technology security audit is an organizational and procedural control with the aim of evaluating security.

The IT systems of most organizations are evolving quite rapidly. Risk management should cope with these changes through change authorization after risk re-evaluation of the affected systems and processes, and should periodically review the risks and mitigation actions.[5]

Monitoring system events according to a security monitoring strategy, an incident response plan, and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained. It is important to monitor new vulnerabilities, apply procedural and technical security controls like regularly updating software, and evaluate other kinds of controls to deal with zero-day attacks.

The willingness of the people involved to benchmark against best practice and to follow the seminars of professional associations in the sector are factors that help keep an organization's IT risk management practice state of the art.
Integrating risk management into the system development life cycle

Effective risk management must be totally integrated into the SDLC. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. The risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.[8]

Table 2-1 Integration of Risk Management into the SDLC[8]

| SDLC Phases | Phase Characteristics | Support from Risk Management Activities |
|---|---|---|
| Phase 1: Initiation | The need for an IT system is expressed and the purpose and scope of the IT system is documented | Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy) |
| Phase 2: Development or Acquisition | The IT system is designed, purchased, programmed, developed, or otherwise constructed | The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development |
| Phase 3: Implementation | The system security features should be configured, enabled, tested, and verified | The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation |
| Phase 4: Operation or Maintenance | The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures | Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces) |
| Phase 5: Disposal | This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software | Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner |

NIST SP 800-64[22] is devoted to this topic. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through:[22]
Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
Awareness of potential engineering challenges caused by mandatory security controls;
Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
Facilitation of informed executive decision making through comprehensive risk management in a timely manner.

This guide[22] focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC. The document integrates the security steps into the linear, sequential (a.k.a. waterfall) SDLC. The five-step SDLC cited in the document is an example of one method of development and is not intended to mandate this methodology. Lastly, SP 800-64 provides insight into IT projects and initiatives that are not as clearly defined as SDLC-based developments, such as service-oriented architectures, cross-organization projects, and IT facility developments.
Security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas.[23]
Security requirements for information systems
Correct processing in applications
Cryptographic controls
Security of system files
Security in development and support processes
Technical vulnerability management

Information systems security begins with incorporating security into the requirements process for any new application or system enhancement. Security should be designed into the system from the beginning. Security requirements are presented to the vendor during the requirements phase of a product purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product.

Correct processing in applications is essential in order to prevent errors and to mitigate loss, unauthorized modification or misuse of information. Effective coding techniques include validating input and output data, protecting message integrity with message authentication codes or digital signatures (encryption on its own conceals a message but does not detect its modification), checking for processing errors, and creating activity logs.

Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk encryption is one way to protect data at rest. Data in transit can be protected from alteration and unauthorized viewing using TLS, with server certificates issued through a certificate authority that has implemented a public key infrastructure.

System files used by applications must be protected in order to ensure the integrity and stability of the application. Using source code repositories with version control, extensive testing, production back-off plans, and appropriate access to program code are some effective measures that can be used to protect an application's files.

Security in development and support processes is an essential part of a comprehensive quality assurance and production control process, and would usually involve training and continuous oversight by the most experienced staff.
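As an added example, not taken from the article or from ISO/IEC 27002, the following code applies the "correct processing in applications" and "cryptographic controls" points above to a single inbound message: the receiver first verifies an HMAC-SHA256 integrity tag in constant time, only then parses and validates the input against a strict schema (exact field set, strict types so that a JSON boolean is not accepted as an integer, bounded values), rejects replays of an already processed identifier, and writes an activity log line for every accepted or rejected message. The message format (a JSON payload plus a hex tag), the order schema, the shared key and the sample orders are all assumptions constructed for this illustration; in production the key would come from a key management system, as the paragraph on key management requires.

```python
"""Added example: integrity-checked, validated and logged message processing.
The envelope format, schema and key are constructed for illustration only."""
import hashlib
import hmac
import json
import logging

log = logging.getLogger("app.activity")
ALLOWED = {"order_id": str, "amount_cents": int, "currency": str}  # assumed message schema
CURRENCIES = {"EUR", "USD"}


def make_envelope(key: bytes, order: dict) -> dict:
    """Sender side: canonical JSON payload plus an HMAC-SHA256 tag over it (assumed wire format)."""
    payload = json.dumps(order, sort_keys=True, separators=(",", ":"))
    return {"payload": payload,
            "tag": hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()}


def validate(order) -> dict:
    """Input validation: exact field set, strict types (bool is not int), bounded values."""
    if not isinstance(order, dict) or set(order) != set(ALLOWED):
        raise ValueError("unexpected or missing fields")
    for name, typ in ALLOWED.items():
        if type(order[name]) is not typ:
            raise ValueError(f"{name}: wrong type")
    if not (order["order_id"].isalnum() and len(order["order_id"]) <= 32):
        raise ValueError("order_id: bad format")
    if not 0 < order["amount_cents"] <= 1_000_000:
        raise ValueError("amount_cents: out of range")
    if order["currency"] not in CURRENCIES:
        raise ValueError("currency: unsupported")
    return order


def process(key: bytes, envelope: dict, seen: set) -> dict:
    """Receiver side: integrity check before parsing, then validation, replay check and audit log."""
    payload = str(envelope.get("payload", ""))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading tag bytes matched through timing.
    if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
        log.warning("rejected message: integrity tag mismatch")
        return {"status": "rejected", "reason": "bad tag"}
    try:
        order = validate(json.loads(payload))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        log.warning("rejected message: %s", exc)
        return {"status": "rejected", "reason": str(exc)}
    if order["order_id"] in seen:
        log.warning("rejected message: replay of %s", order["order_id"])
        return {"status": "rejected", "reason": "replay"}
    seen.add(order["order_id"])
    log.info("accepted order %s amount=%d %s",
             order["order_id"], order["amount_cents"], order["currency"])
    return {"status": "accepted", "order_id": order["order_id"]}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(name)s %(levelname)s %(message)s")
    key = b"constructed-demo-key-rotate-me"  # constructed; use a managed key in practice
    seen = set()
    good = make_envelope(key, {"order_id": "A1001", "amount_cents": 4999, "currency": "EUR"})
    print(process(key, good, seen))                                   # accepted
    print(process(key, good, seen))                                   # rejected: replay
    tampered = dict(good, payload=good["payload"].replace("4999", "1"))
    print(process(key, tampered, seen))                               # rejected: bad tag
```

The order of the checks matters: the tag is verified before the payload is parsed, so malformed or oversized input from a party that does not hold the key never reaches the JSON parser or the validator, and the log records the reason for every rejection so that the activity log can feed the monitoring described under Risk monitoring and review.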
Applications need to be monitored and patched for technical vulnerabilities. Procedures for applying patches should include evaluating the patches to determine their appropriateness, and whether or not they can be successfully removed in case of a negative impact.

Critique of risk management as a methodology

Risk management as a scientific methodology has been criticized as being shallow.[3] Major IT risk management programmes for large organizations, such as those mandated by the US Federal Information Security Management Act, have been criticized. By avoiding the complexity that accompanies a formal probabilistic model of risks and uncertainty, risk management looks more like a process that attempts to guess rather than formally predict the future on the basis of statistical evidence. It is highly subjective in assessing the value of assets, the likelihood of threat occurrence and the significance of the impact. However, a better way to deal with the subject has not emerged.[3]

Risk management methods

It is quite hard to list most of the methods that at least partially support the IT risk management process. Efforts in this direction were made by:
NIST, Description of Automated Risk Management Packages That NIST/NCSC Risk Management Research Laboratory Has Examined, updated 1991
ENISA[24] in 2006; a list of methods and tools is available online with a comparison engine.[25] Among them the most widely used are:[3]
CRAMM, developed by the British government, is compliant with ISO/IEC 17799, the Gramm–Leach–Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA)
EBIOS, developed by the French government, is compliant with major security standards: ISO/IEC 27001, ISO/IEC 13335, ISO/IEC 15408, ISO/IEC 17799 and ISO/IEC 21287
Standard of Good Practice, developed by the Information Security Forum (ISF)
Mehari, developed by Clusif (Club de la Sécurité de l'Information Français)[26]
TIK IT Risk Framework, developed by the IT Risk Institute[27]
Octave, developed by Carnegie Mellon University, SEI (Software Engineering Institute). The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach defines a risk-based strategic assessment and planning technique for security.
IT-Grundschutz (IT Baseline Protection Manual), developed by the Federal Office for Information Security (BSI) (Germany); IT-Grundschutz provides a method for an organization to establish an Information Security Management System (ISMS). It comprises both generic IT security recommendations for establishing an applicable IT security process and detailed technical recommendations to achieve the necessary IT security level for a specific domain.

An ENISA report[2] classified the different methods regarding completeness, free availability and tool support; the result is that:
EBIOS, the ISF methods and IT-Grundschutz cover all the aspects in depth (risk identification, risk analysis, risk evaluation, risk assessment, risk treatment, risk acceptance, risk communication),
EBIOS and IT-Grundschutz are the only ones freely available, and
only EBIOS has an open source tool to support it.

The Factor Analysis of Information Risk (FAIR) main document, "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006,[17] points out that most of the methods above lack a rigorous definition of risk and its factors. FAIR is not another methodology to deal with risk management, but it complements existing methodologies.[28] FAIR has had good acceptance, mainly by The Open Group and ISACA.

ISACA developed a methodology, called Risk IT, to address various kinds of IT related risks, chiefly security related risks. It is integrated with COBIT, a general framework to manage IT.
Risk IT has a broader concept of IT risk than other methodologies: it encompasses not only the negative impact on operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit/value enabling risk associated with missing opportunities to use technology to enable or enhance business, and the IT project management aspects like overspending or late delivery with adverse business impact.[1]

The "Build Security In" initiative of the Homeland Security Department of the United States cites FAIR.[29] Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development. It therefore chiefly addresses secure coding.

In 2016, Threat Sketch launched an abbreviated cyber security risk assessment specifically for small organizations.[30][31] The methodology uses real options to forecast and prioritize a fixed list of high-level threats.

In the US, data and privacy legislation continue to evolve to focus on "reasonable security" for sensitive information risk management. The goal is to ensure organizations establish their duty of care when it comes to managing data. Businesses are responsible for understanding their risk posture and for preventing foreseeable harm with reasonable safeguards based on their specific working environment.

Standards

Main article: IT risk § Standards organizations and standards

There are a number of standards about IT risk and IT risk management. For a description see the main article.
Laws

Main article: IT risk § IT Risk Laws and Regulations

See also

Access control, Asset (computing), Asset management, Assessment, Attack (computing), Availability, Benchmark, Best practice, Business continuity, Business continuity plan, Business process, Chief information officer, Chief information security officer, COBIT, Common Vulnerabilities and Exposures (CVE), Communications, Computer insecurity, Computer security, Confidentiality, COSO, Countermeasure (computer), CRAMM, Common Vulnerability Scoring System (CVSS), Decision theory, EBIOS, ENISA, Enterprise risk management, Environmental security, Evaluation, Exploit (computer security), Factor Analysis of Information Risk, FISMA, Full disclosure (computer security), Gramm–Leach–Bliley Act, Health Insurance Portability and Accountability Act, Homeland Security Department, Human resources, Incident management, Information security, Information Security Forum, Information security management, Information technology, Information technology security audit, Insurance, Integrity, ISACA, ISO, ISO/IEC 15408, ISO/IEC 17799, ISO/IEC 27000-series, ISO/IEC 27001, ISO/IEC 27005, IT-Grundschutz, IT risk, Mehari, Methodology, National Information Assurance Training and Education Center, National Security, NIST, Organization, OWASP, Patch (computing), Penetration test, Physical security, Privacy, Regulatory compliance, Risk, Risk analysis (engineering), Risk appetite, Risk assessment, Risk factor (computing), Risk management, Risk IT, Risk register, Secure coding, Security control, Security policy, Security risk, Security service (telecommunication), Stakeholder (corporate), Systems Development Life Cycle, The Open Group, Threat, Vulnerability, Vulnerability assessment, Vulnerability management, w3af, zero-day attack

References

1. "ISACA THE RISK IT FRAMEWORK (registration required)" (PDF).
2. ENISA, Risk management, Risk assessment inventory, page 46.
3. Katsicas, Sokratis K. (2009). Chapter 35. In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 605. ISBN 978-0-12-374354-1.
4. "Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007).
5. Caballero, Albert (2009). Chapter 14. In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 232. ISBN 978-0-12-374354-1.
6. [citation needed]
7. ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85. ISBN 978-1-933284-15-6.
8. Feringa, Alexis; Goguen, Alice; Stoneburner, Gary (1 July 2002). "Risk Management Guide for Information Technology Systems". doi:10.6028/NIST.SP.800-30, via csrc.nist.gov.
9. "Glossary of Terms". www.niatec.iri.isu.edu.
10. The Risk IT Framework by ISACA, ISBN 978-1-60420-111-6.
11. The Risk IT Practitioner Guide, Appendix 3, ISACA, ISBN 978-1-60420-116-1 (registration required).
12. Standard of Good Practice by Information Security Forum (ISF), Section SM3.4 Information risk analysis methodologies.
13. ISO/IEC, "Information technology -- Security techniques -- Information security risk management", ISO/IEC FIDIS 27005:2008.
14. ISO/IEC 27001.
15. Official (ISC)2 Guide to the CISSP CBK. Risk Management. Auerbach Publications. 2007. p. 1065.
16. "CNN article about a class action settlement for a Veterans Affairs stolen laptop".
17. "An Introduction to Factor Analysis of Information Risk" (FAIR), Risk Management Insight LLC, November 2006. Archived 2014-11-18 at the Wayback Machine.
18. Spring, J.; Kern, S.; Summers, A. (2015-05-01). "Global adversarial capability modeling". 2015 APWG Symposium on Electronic Crime Research (eCrime): 1–21. doi:10.1109/ECRIME.2015.7120797. ISBN 978-1-4799-8909-6. S2CID 24580989.
19. British Standard Institute, "ISMSs - Part 3: Guidelines for information security risk management", BS 7799-3:2006.
20. Costas Lambrinoudakis, Stefanos Gritzalis, Petros Hatzopoulos, Athanasios N. Yannacopoulos, Sokratis Katsikas, "A formal model for pricing information systems insurance contracts", Computer Standards & Interfaces, Volume 27, Issue 5, June 2005, Pages 521-532. doi:10.1016/j.csi.2005.01.010.
21. "Risk Reduction Overview". rro.sourceforge.net.
22. Gulick, Jessica; Fahlsing, Jim; Rossman, Hart; Scholl, Matthew; Stine, Kevin; Kissel, Richard (16 October 2008). "Security Considerations in the System Development Life Cycle". doi:10.6028/NIST.SP.800-64r2, via csrc.nist.gov.
23. "Wiki Content Now Available at Spaces". wiki.internet2.edu.
24. "Inventory of Risk Management / Risk Assessment Methods". www.enisa.europa.eu.
25. "Inventory of Risk Management / Risk Assessment Methods and Tools". www.enisa.europa.eu.
26. "Archived copy". Archived from the original on 2010-10-26. Retrieved 2010-12-14.
27. http://itriskinstitute.com/
28. Technical Standard Risk Taxonomy, ISBN 1-931624-77-1, Document Number C081, published by The Open Group, January 2009.
29. "Build Security In - US-CERT". www.us-cert.gov.
30. "Threat Sketch: A Start-up Grows Up in the Innovation Quarter". Innovation Quarter Hub. 2016-10-05. Retrieved 2016-11-15.
31. "Triad Entrepreneurs Share Business Ideas on Startup Weekend". TWC News. Retrieved 2016-11-15.

External links

- Internet2 Information Security Guide: Effective Practices and Solutions for Higher Education
- Risk Management - Principles and Inventories for Risk Management / Risk Assessment methods and tools. Publication date: Jun 01, 2006. Conducted by the Technical Department of ENISA, Section Risk Management.
- Clusif, Club de la Sécurité de l'Information Français
- NIST SP 800-30, Risk Management Guide
- NIST SP 800-39 (DRAFT), Managing Risk from Information Systems: An Organizational Perspective
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- FISMApedia, a collection of documents and discussions focused on USA Federal IT security
- Anderson, K. "Intelligence-Based Threat Assessments for Information Networks and Infrastructures: A White Paper", 2005.
- Danny Lieberman, "Using a Practical Threat Modeling Quantitative Approach for data security", 2009

Retrieved from "https://en.wikipedia.org/w/index.php?title=IT_risk_management&oldid=1075183962"

Categories: IT risk management, Data security, Information technology management, Security, Security compliance