Performing a risk assessment according to NIST or ISO/IEC 27005 international practices to identify and measure risk across the organisation, with the aim of mitigating those risks to reduce the surface area of exposure.
He’s the personified troublemaker of all things progressive, the mischief-maker of innovation, the gremlin of ingenuity, the firebrand of progress. Those unaware and ignorant of his sting suffer loss and setback. Though he is as old as humanity, his power to bully has trended upward in recent years, concomitant to humanity’s upward trend to build complex, integrated, global systems.
Murphy’s adage is quoted by many: “If anything can go wrong, it will.” And as the world grows increasingly complex and interconnected, Murphy’s adage is proven true, without prejudice to frontiers or national boundaries, capturing headlines throughout the years.
Environmental catastrophic events such as Chernobyl, Deepwater Horizon or Fukushima.
Financial disasters such as Enron, WorldCom, Olympus.
Data breaches such as Aadhaar, Equifax, NATO, Marriott Starwood, Cambridge Analytica, and so many more.
But how did these events occur? Is Murphy an unusually clever foe, or are there other factors that could be mitigated to avoid future blows to progress and security in a democratic society?
The answer rests in understanding and practicing risk management: in each of these cases the lack of a risk governance framework resulted in corporate governance failures. A study by the OECD found that “boards did not fully appreciate the risks that the companies were taking, if they were not engaging in reckless risk-taking themselves, and/or deficient risk management systems” (OECD, 2014, p. 10).
The OECD adds that “effective risk management is not about eliminating risk taking, which is indeed a fundamental driving force in business and entrepreneurship. At the same time, the need to strengthen risk management practices has been one of the fundamental driving forces in business and entrepreneurship” (Ibid., 13).
Introducing Risk Management
Whether they realise it or not, everyone manages risk based upon several factors, often following this workflow: identifying risk, analysing risk, evaluating risk and treating risk.
On a personal level, individuals perform risk management functions every day, making risk-based decisions against their personal risk acceptance level for a given hazard, i.e. whether or not to participate in a white-water rafting trip, and perhaps mitigating the risk by wearing a life jacket during the event.
At a corporate level, risk management follows a formal process similar to the workflow above, but one that adheres to a “best practice” accepted in the industry, such as:
NIST Risk Management Framework, SP 800-37 Rev 2
There are other risk management frameworks in operation today, such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the IT Infrastructure Library (ITIL), the Control Objectives for Information and related Technology (COBIT), the CCTA Risk Analysis and Management Methodology (CRAMM), the Facilitated Risk Analysis Process (FRAP), and Carnegie Mellon University’s Software Engineering Institute’s OCTAVE. But at Allendevaux & Company, we normally employ one of two methodologies in information security risk management: NIST or ISO/IEC 27005.
For the remainder of this guidance article, we will focus on best practices associated with ISO/IEC 27005.
ISO/IEC 27005: Apply Standardized Best Practices to Measure Risk
The International Organization for Standardization, jointly with the International Electrotechnical Commission, formed a joint committee called ISO/IEC JTC 1, which prepared guidelines for information security risk management in an organisation, especially in relation to an information security management system. The guidelines of the risk management approach help organisations follow a systematic approach to identify, measure and lower risk, lowering the chances that Murphy’s Law will adversely affect a service, system or integrated complex system.
At Allendevaux & Company, we normally conduct a risk assessment at the outset of an engagement when implementing a data protection programme. Doing this enables the enterprise to understand its exposure to untreated risks; this is also called inherent risk, representing the amount of risk that exists in the absence of controls.
Measuring Inherent Risk
When measuring risk, many think of technological systems, platforms and networks, i.e. things that are technology-based assets. But risk management practices with ISO/IEC 27005 go beyond this. A holistic approach to risk management is to evaluate the risk that may exist across these categories:
key stakeholders and personnel
workflow processes that empower practices
systems and platforms
key suppliers and partners
To ensure continuity of operations, the potential for risk to impact these four areas must be evaluated. Risk comes in many forms, including but not limited to the following:
In risk management, these potential threats are part of the threat model as seen below, which can endanger any assets, whether related to people, processes, platforms or vendors.
It’s helpful to follow the threat model starting with the tag “Assets” and read clockwise as follows:
“Assets can be endangered by threats, exploited by vulnerabilities, resulting in exposure, creating risk. Risk is mitigated by applying safeguards (controls), resulting in the protection of assets, which lowers risk.”
The threat model forms the central fabric toward understanding how assets are endangered and can be protected. The threat model also provides an excellent way of understanding key terms, such as assets, threats, vulnerabilities, exposure, risk and safeguards (controls).
There are different methodologies that can be used to measure risk. While it is beyond the scope of this article to articulate the steps, it is worthwhile to understand the two approaches that can be adopted, the qualitative and quantitative risk assessment methodology.
First, the qualitative risk assessment methodology prioritizes risk using a predefined rating scale so that risks are scored based on their probability or likelihood of occurrence, followed by the impact that would unfold should the event happen. This is the most common approach used in risk analysis.
Second, the quantitative risk assessment methodology assigns an empirical rating to a risk using a formula. For example, if an organisation wants to calculate its Annual Loss Expectancy (ALE) for a platform that was purchased for 250,000 euros and invoices 2 million euros, potentially exploitable on a bi-monthly basis, the calculation is as follows:
ALE = Annual Rate of Occurrence (ARO) x Single Loss Expectancy (SLE); or ALE = ARO x SLE
the ARO = 6 (the platform can be exploited six times per year);
the SLE = 250,000 euro;
the ALE = 6 x 250,000 = 1.5 million euro.
The risk becomes measurable, but at scale this methodology is often difficult to calculate across many assets, because asset values change as depreciation occurs, and upkeep costs also contribute to the true number. At Allendevaux & Company, we usually employ the qualitative method of assessing risk, following this process:
identify assets to protect
create an asset inventory
identify potential threats
note any vulnerability
calculate exposure factor (EF)
calculate residual risk in terms of the likelihood that a threat will be exploited (risk=threat x vulnerability)
assess the annualised rate of occurrence (ARO)
apply risk assignment and acceptance/rejection criterion
select countermeasures to apply as controls
generate residual risk values
We track these values in a matrix as seen here, resulting in impacts to the confidentiality, availability and integrity of an asset.
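The two calculations above, the quantitative ALE = ARO x SLE and the qualitative likelihood x impact matrix with inherent and residual scores, can be kept in a small risk register. The following is an added example written for this article, not a tool from Allendevaux & Company or ISO/IEC 27005; the 1 to 5 rating scales, the red/yellow/green thresholds, the SLE = asset value x EF definition and the sample register entries are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# --- Quantitative: the ALE formula quoted in the article ----------------
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF (EF = share of the asset lost per event, 0..1).
    Assumed definition; the article only lists 'calculate EF' as a step."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE."""
    return aro * sle

# --- Qualitative: assumed 1..5 scales and colour thresholds ---------------
def risk_score(likelihood: int, impact: int) -> int:
    for rating in (likelihood, impact):
        if not 1 <= rating <= 5:
            raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact

def risk_band(score: int) -> str:
    """Map a 1..25 score onto the article's colour scheme (thresholds assumed)."""
    if score >= 15:
        return "red"        # unacceptable, must be treated
    if score >= 8:
        return "yellow"     # moderate, compare against risk appetite
    return "green"          # within acceptable risk levels

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # inherent likelihood rating, 1..5
    impact: int                          # inherent impact rating, 1..5
    # each control: (name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        score = risk_score(self.likelihood, self.impact)
        return score, risk_band(score)

    def residual(self) -> tuple:
        lik = max(1, self.likelihood - sum(c[1] for c in self.controls))
        imp = max(1, self.impact - sum(c[2] for c in self.controls))
        score = risk_score(lik, imp)
        return score, risk_band(score)

# Constructed sample register (hypothetical assets and controls)
REGISTER = [
    RiskEntry("customer database", "ransomware", "unpatched file server", 4, 5,
              controls=[("patch management", 2, 0), ("offline backups", 0, 2)]),
    RiskEntry("HR laptop", "theft", "no disk encryption", 3, 4,
              controls=[("full-disk encryption", 0, 3)]),
]

def report(register=REGISTER) -> dict:
    """Inherent vs residual score and colour band per asset."""
    return {e.asset: {"inherent": e.inherent(), "residual": e.residual()}
            for e in register}
```

With EF = 1.0 the SLE equals the 250,000 euro purchase price from the article, and six occurrences a year reproduce the 1.5 million euro ALE.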
There are numerous software applications that can help streamline risk analysis calculations, whether employing the quantitative or qualitative methodology. But oftentimes, for smaller or mid-sized organisations, using a spreadsheet to create a matrix is an acceptable practice. We can provide a template to get you started if you want to perform this exercise internally within your organisation.
Understanding the inherent risk in a system is a fundamental starting point, because it indicates the current risk level given the existing set of controls (or absence of controls). We measure risks because (a) it is difficult to improve upon something that isn’t measured, and (b) it’s helpful to monitor improvement in risk over time as new controls are implemented that lower risk. Conducting periodic risk assessments is also a legal requirement under many regulations around the world.
In the inherent risk diagram, a simple color-coding schema has been applied:
Red = unacceptable risk, requiring treatment so that risk can be lowered.
Yellow = moderate risk, where the organisation will need to determine if a moderate risk level is acceptable for its risk appetite, or if the risk needs to be lowered further; and
Green = risk still exists, but the chance of occurrence (or its impact) is within acceptable risk levels for the organisation.
Applying controls in relation to data protection involves applying safeguards or countermeasures that result in the protection of an asset. Normally the protections (or practices) available to safeguard an asset span these categories:
administrative controls, such as writing, implementing and enforcing policies and procedures to be practiced by the organisation, producing repeatable, consistent outcomes that ensure continuity of operations;
technical controls to ensure restricted access is enforced, encryption of sensitive information in transit and storage, strong passwords are individually assigned, systems are hardened, ports are locked down, and so on;
physical controls, such as implementing systems and mandating procedures to secure and monitor a building, the use of alarmed doors, the employment of fire and smoke detectors, the placement of video cameras in sensitive areas, and other physical safeguards; and
legal controls, such as ensuring strong contracts with key vendors, confidentiality agreements with personnel, transborder mechanisms for cross-border jurisdictional flows, data processing agreements, etc.
When taken together, these controls aim to safeguard assets, resulting in heightening the confidentiality, availability and integrity of services. It should be noted that not all risk can be mitigated; there will always be some risk that remains.
Determining the acceptable risk appetite of an enterprise is often driven by factors such as contractual obligations, compliance with geographic regulations such as the GDPR in the EU or the CCPA in California, compliance with sectoral regulations such as HIPAA in the US or MiFID II in the UK, plus the enterprise’s appetite for risk.
The risk that remains after controls have been applied is the residual risk, which takes us to the next section.
Determining Residual Risk
Once risk has been measured and controls applied, the risk level will be lowered. The lowered value is called the residual risk, and it should be monitored and periodically reassessed to ensure the value remains acceptable to the risk tolerance level of the organisation. As seen in the diagram below, the risk “before treatment” vs the risk “after treatment” has been meaningfully improved across each category important to the organisation. Controls should continue to be added until the risk level sits within an acceptable tolerance compatible with the organisation’s risk appetite, also ensuring it meets contractual obligations and regulatory compliance requirements.
Beating Murphy: It Can Be Done
The modern version of Murphy was born at Edwards Air Force Base in 1949, named after Captain Edward A. Murphy. Assigned to work on a United States initiative called Project MX981, the goal was to understand the biological limits of deceleration that could be tolerated in a crash. During the project, a catalogue of “laws” was documented referencing things that went wrong or could go wrong in order to apply mitigations to avoid those circumstances. By using an early systematic approach, the aerospace engineer was able to mitigate risk to an acceptable tolerance level.
Today, risk management methodology has improved, and there are many good books to help practitioners perform comprehensive risk management. To perform a risk management study, be prepared to dedicate time to the task. An inexperienced individual performing a risk analysis for a company of 100 to 200 people can easily spend a few hundred hours coming up to speed and working through the exercises. But in many domains, performing a risk assessment is contractually required or a statutory obligation.
If you need help, contact us. We have certified IBITGQ risk assessors to streamline the process. They will interview key stakeholders, build an asset inventory, perform an asset valuation, identify potential threats, note vulnerabilities that may be relevant in the absence of countermeasures, measure exposure, calculate the risk factor, determine safeguards to apply as mitigations, calculate residual risk, and produce a meaningful report that shows due diligence and due care.
When you take this approach, you can beat Murphy too.
Getting Further Help
If you need guidance understanding the information above, contact the Allendevaux & Company Service Desk. You will be assigned to a certified privacy professional accredited by ISO, IBITGQ or the IAPP with experience in privacy law and compliance. You’ll also find contact information at the bottom of this page for telephone and email.