Information Security Risk Management

Organizations should not expect to eliminate all risk. Instead, they should seek to identify and achieve a level of risk that the organization can accept.


What is Information Security Risk Management (ISRM)?

Information security risk management, or ISRM, is the process of managing the risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization's assets. The end goal of this process is to treat risks in accordance with an organization's overall risk tolerance. Organizations should not expect to eliminate all risk; rather, they should seek to identify and achieve an acceptable level of risk for their organization.

Stages of ISRM

Risk Identification

  • Identify assets: Which data, systems, or other assets would be considered your organization's "crown jewels"? For example, which assets would have the most significant impact on your organization if their confidentiality, integrity, or availability were compromised? It's not hard to see why the confidentiality of data like social security numbers and intellectual property is important. But what about integrity? For example, if a business is subject to Sarbanes-Oxley (SOX) regulatory requirements, a minor integrity problem in financial reporting data could result in an enormous cost. Or, if an organization is an online music streaming service and the availability of music files is compromised, then it could lose subscribers.
  • Identify vulnerabilities: What system-level or software vulnerabilities put the confidentiality, integrity, and availability of the assets at risk? What weaknesses or deficiencies in organizational processes could result in information being compromised?
  • Identify threats: What are some potential causes of assets or information being compromised? For example, is your organization's data center located in a region where environmental threats, like tornadoes and floods, are more prevalent? Are industry peers being actively targeted and attacked by a known crime syndicate, hacktivist group, or government-sponsored entity? Threat modeling is an important activity that helps add context by tying risks to known threats and the different ways those threats can cause risks to become realized by exploiting vulnerabilities.
  • Identify controls: What do you already have in place to protect the identified assets? A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you've identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination. Compensating controls are "safety net" controls that address a risk indirectly. Continuing with the same example, a compensating control could be a quarterly access review process. During this review, the application user list is cross-referenced with the company's user directory and termination lists to find users with unwarranted access, and that unauthorized access is then removed reactively when it is found.
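The quarterly access review described above is easy to leave as a spreadsheet exercise, so here is the cross-reference written out as an added example (not Rapid7's code or the page's own). It takes three inputs the text names, the application's user list, the company directory and the HR termination list, and reports accounts whose access is unwarranted. Every username, role and date below is constructed sample data; the approved service-account list and the "privileged first" ordering are assumptions added for illustration.

```python
"""Quarterly access review as a compensating control.

Added example (not Rapid7's code). Cross-references an application's user
list with the company directory and the HR termination list to find users
whose access is unwarranted. All names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample inputs (hypothetical identities) -------------------
APP_USERS = {          # application user list: username -> role in the app
    "asmith": "admin",
    "bjones": "editor",
    "cdoe": "viewer",
    "eklein": "editor",
    "ghost": "admin",        # orphan: exists in the app, nowhere in the directory
    "svc-report": "viewer",  # approved service account, not a person
}
DIRECTORY = {"asmith", "bjones", "cdoe", "eklein", "fwong"}  # active directory accounts
TERMINATED = {"cdoe": date(2024, 3, 15)}  # HR termination list: username -> last day
SERVICE_ACCOUNTS = {"svc-report"}         # non-human accounts exempt from the directory check (assumption)
PRIVILEGED_ROLES = {"admin"}              # reviewed and revoked first (assumption)


@dataclass
class Finding:
    user: str
    role: str
    reason: str


def review_access(app_users, directory, terminated, service_accounts, as_of):
    """Return Findings for accounts that should not have access as of `as_of`.

    Two ways the primary control (automatic deprovisioning) can have failed
    are caught here:
      * a terminated user is still present in the application, and
      * an account exists in the application but in neither the directory
        nor the approved service-account list (orphan account).
    Terminations dated after `as_of` are not yet due and are not flagged.
    """
    findings = []
    for user, role in app_users.items():
        last_day = terminated.get(user)
        if last_day is not None and last_day <= as_of:
            findings.append(Finding(user, role, f"terminated on {last_day.isoformat()}"))
        elif user not in directory and user not in service_accounts:
            findings.append(Finding(user, role, "not in directory (orphan account)"))
    # Privileged roles first, then alphabetical, for a stable report.
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES, f.user))
    return findings


def quarterly_review(as_of_iso="2024-06-30"):
    """Run the review against the sample data; returns the usernames to revoke."""
    as_of = date.fromisoformat(as_of_iso)
    findings = review_access(APP_USERS, DIRECTORY, TERMINATED, SERVICE_ACCOUNTS, as_of)
    for f in findings:
        print(f"REVOKE {f.user:<12} role={f.role:<7} {f.reason}")
    return [f.user for f in findings]


if __name__ == "__main__":
    quarterly_review()
```

Run as written, the review flags the orphan admin account and the terminated user; run with a review date before the termination, only the orphan is flagged, which is the point of the compensating control: it catches what the automated removal missed, on a schedule, without depending on that automation working.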

Information Security Risk Assessments

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define a risk. There are many frameworks and approaches for this, but you will probably use some variation of this equation:

Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) - security controls

Note: this is a very simplified formula analogy. Calculating probabilistic risk is nowhere near this straightforward, much to everyone's frustration.

Risk Management Strategy

Once a risk has been assessed and analyzed, an organization will need to select treatment options:

  • Remediation: Implementing a control that fully, or nearly fully, fixes the underlying risk.
    Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.
  • Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
    Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
  • Transference: Transferring the risk to another entity so that your organization can recover the costs incurred if the risk is realized.
    Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited. (Note: this should supplement risk remediation and mitigation, not replace them altogether.)
  • Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk cost more than the losses that would be incurred if the risk were realized.
    Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server, it cannot be used as an entry point to reach other critical assets, and successfully exploiting the vulnerability is very complex. You therefore decide that the time and resources needed to fix the vulnerability are not warranted.
  • Risk avoidance: Removing all exposure to an identified risk.
    Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS vendor. These servers process and store both sensitive and non-sensitive data. To avoid the risk of the sensitive data being compromised, you quickly migrate the sensitive data to newer, patchable servers. The old servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate the non-sensitive data to other servers.

Risk Communication Strategy

Regardless of how a risk is treated, the decision needs to be communicated within the organization. Stakeholders need to understand the costs of treating or not treating a risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and assigned to specific individuals and teams in the organization to ensure the right people are engaged at the right times in the process.

Rinse and Repeat

This is an ongoing process. If you chose a treatment option that requires implementing a control, that control needs to be continuously monitored. You are most likely inserting this control into a system that changes over time. Ports being opened, code being changed, and any number of other factors could cause your control to break down in the months or years following its initial implementation.

ISRM Process Ownership

There are many stakeholders in the ISRM process, and each of them has different responsibilities. Defining the various roles in this process, and the responsibilities tied to each role, is a critical step in ensuring that the process runs smoothly.

Process Owners: At a high level, an organization might have a finance team or audit team that owns its Enterprise Risk Management (ERM) program, while the information security or information assurance team owns the ISRM program, which feeds into ERM. The members of this ISRM team need to be on the ground, continually driving the process forward.

Risk Owners: Individual risks should be owned by the members of the organization whose budget ends up paying to fix the problem. In other words, the risk owner is responsible for ensuring that the risk is treated accordingly. If you approve the budget, you own the risk.

In addition to risk owners, there will be other types of stakeholders who are affected by, or involved in implementing, the selected treatment plan, such as system administrators/engineers, system users, and so on.

Here's an example: Your information security team (process owner) is driving the ISRM process forward. A risk to the availability of your company's customer relationship management (CRM) system is identified, and together with your head of IT (the CRM system owner) and the individual in IT who manages this system on a day-to-day basis (the CRM system admin), your process owner gathers the information needed to assess the risk.

Assuming your CRM software is in place to support your company's sales department, and unavailability of the data in the CRM software would ultimately affect sales, then your head of sales (i.e. the Chief Sales Officer) would most likely be the risk owner. The risk owner is responsible for deciding which of the treatment plans offered by the information security team, system administrators, system owners, and others to implement, and for accepting any remaining risk; however, your system owner and system admin will likely be involved once again when it comes time to implement the treatment plan. System users, the salespeople who use the CRM software on a daily basis, are also stakeholders in this process, because they may be affected by whichever treatment plan is chosen.

Cybersecurity risk management is an ongoing task, and its success will depend on how well risks are assessed, plans are communicated, and roles are upheld. Identifying the critical people, processes, and technology to help address the steps above will create a solid foundation for a risk management strategy and program in your organization, which can be developed further over time.
