One of the questions that come up frequently when discussing risk equations, taxonomies and risk management in general, is how does it align with an established framework, such as ISO 27005?
To begin, SecureState has settled on our own iRisk equation as well as FAIR. FAIR (Factor Analysis of Information Risk) is for those that are looking to handle more than just security (i.e. a complete taxonomy), and really are looking at risk from a top-down, enterprise-wide operational perspective. It allows you to apply risk to any object or asset, and can be applied to organizational risk in total. From a bottom-up perspective, the iRisk equation is targeted for the security group only and allows you start from where you are with activities you are already doing. For simplicity, it purposely omits variables that can be added in later once budget, or management buy-in, permits.
The equations are complementary to other risk assessment models/frameworks, including those contained in COSO, ITIL, ISO, COBIT, etc. It provides an engine that can be used in other security risk models to more simply align the risk assessment results with the way the organization currently works. Because it comes up so often, we’ll delve a little deeper into ISO.
Brief ISO Risk Management Review
ISO 27001 describes a general process for the Information Security Management System (ISMS). ISO 27002 provides the taxonomy of information security controls. ISO 27002 does discuss some risk management and treatment as a domain in the ISMS. However, in moving up the chain of security program management, ISO 27005 defines the approach to managing security risk. Both SecureState’s iRisk and FAIR provide a methodology for analyzing security risk within these approaches. (On a side note, ISO 31000 provides principles and generic guidelines on enterprise risk management. FAIR is capable of addressing ERM as well).
The foundation for the risk management portion of the ISMS includes these steps:
- Define the risk assessment approach of the organization
- Identify the risks
- Analyze and evaluate the risks
- Identify and evaluate options for the treatment of risks
- Select control objectives and controls for the treatment of risks
- Obtain management approval of the proposed residual risks
Where Does a Risk Equation Fit In?
It’s important to reiterate that ISO 27005 does not provide specifics for identifying a methodology for determining risk level—it outlines the process for managing risk at a very high level.
A risk equation provides a logical, defensible methodology to identify, analyze, and evaluate the risks within that management system. It is also quantitative. This means it generally describes counts or amounts, ratios, or ranked values. The equation or taxonomy provides the requisite basic vocabulary, based on a fundamental description of what risk is. It then shows how to apply it to produce the objective, meaningful, and consistent results that the business needs in order to make informed decisions on whether to accept, mitigate, avoid, or transfer risk. iRisk and FAIR thus provide a methodology for evaluating actual risks, meeting the needs of 27005.
As Always, Communication is Key
Because communicating complex risk information presents a problem with any model, it is important to articulate results in ways that can be processed most easily and thus are most useful to decision-makers. A quantitative equation offers a fast and efficient way of conveying information— i.e. it takes a lot less time to read graphs than it does to read documents and have long meetings about what the point is. Interestingly, we also have a strong inherent belief that quantitative data is somehow more real or more rigorous. Thus, having an equation that simplifies the explanation of how the results were arrived at improves both your credibility and the acceptance of the results.
Whether you start from top-down management or are looking for bottom-up results, having a quantifiable approach to security risk management that aligns with a known standard such as ISO will put you in a better position than you are today.
If you’d like to find out more, feel free to comment or contribute at iRisk Community.