As we’ve said in this book, risk assessment is a core competence for information security management. We’ve also said that, without using a database risk assessment tool, it is virtually impossible to adequately manage an ISO27001-compliant information security risk assessment in any organisation that has more than a handful of staff and very few information assets. This appendix builds on the content of this book to guide the reader through the process of selecting a risk assessment tool and carrying out an ISO27001-compliant risk assessment in line with the requirements of ISO27001 4.2.1 – c to j using that tool.
In this book, we have recommended vsRisk™, and our reasons for doing so are contained in Chapter 5. This appendix complements that chapter.
If you wish to purchase a copy of vsRisk™, here is a link:
www.itgovernance.co.uk/products/744.
Here is a link for the information security risk management standard, BS7799-3:2006:
www.itgovernance.co.uk/products/162.
• vsRisk™ is loaded directly onto a workstation or the Information Security Manager’s laptop.
• Before use, vsRisk™ is configured appropriately. In the Introductory section of the tool, the name and contact details for the Lead Risk Assessor are loaded. This is the person who, in line with the requirements of ISO27001 clause 7.1, is the owner of this asset. A user name and password (selected in line with company policy) are loaded into the next screen.
• In the next section (ISMS Scope/Policy) of vsRisk™ type in the first box (Scope) a reference to the document containing the scope statement, together with the interfaces and dependencies therein defined that limit the scope of the ISMS. Type in the second box (Policy Objective) the reference to the final version of the risk management framework objectives. It is possible, once configuration is complete, to upload the full version of both these documents to the tool, although a duplicate needs to be maintained for wider access through your ISMS and so it is advised that in vsRisk™ you record references to where the latest, current version of each ISMS document can be found.
• In the next configuration section (Classification Labels), enter the classification levels that you have selected as required by clause 7.2 of the standard. Note that, in the absence of a positive input, it will default to the basic levels outlined in International IT Governance: An Executive Guide ISO27001/ISO17799, which are ‘private, restricted, confidential and public’. They can be changed later, if required.
• In the next configuration section (Management scale), input the scales that you have decided to use, both of which should be documented in your risk management framework. Both the impact valuation scale and the likelihood level scale can have between three and seven levels.
• The risk level matrix will then be produced automatically by the vsRisk™ tool, using a multi-level scale that takes account of both extent of impact and frequency of occurrence.
• In the next configuration section (Risk Acceptance Criteria), use the slider to enter the acceptable risk criteria that were defined in your risk management framework. Acceptable levels of risk are defined as those that are the same as, or below, the board-approved acceptable risk level. ‘Acceptable risk’ is defined as any risk that falls into a defined level between one and ten in the risk matrix calculated in vsRisk™. (The maximum value may be less than ten, depending on the scales you have selected for likelihood and impact.)
• Note that although the decision as to risk assessment criteria can be changed at a later date, it will possibly render invalid all the risk treatment decisions made prior to the change. You should, therefore, require any changes to the risk acceptance criteria to be formally approved before any changes are made.
• You will then be presented with a screen that enables you to confirm all the input data; confirm and you will be passed to the vsRisk™ login screen.
• The vsRisk™ training requirements are limited.
• vsRisk™ has detailed onscreen guidance. The Lead Risk Assessor is required to familiarise himself/herself with the principles of ISO27001 risk management and is then required to read the vsRisk™ overview that is provided both alongside and within the vsRisk™ help function (question mark button at top right of vsRisk™ screens).
• Users other than the Lead Risk Assessor can be guided, as appropriate, by the Lead Risk Assessor. Once the user is clear about how each vsRisk™ step should be carried out, the risk assessment itself can begin.
The help instructions within vsRisk™ should be consulted and take priority over these instructions wherever the two differ, until such time as these instructions are issued within your applicable ISMS.
• The assets that are within the scope of the ISMS, together with their owners, are identified by the asset owners and placed within asset groups. Asset owners are responsible for loading details of their assets, by asset group, into vsRisk™, either directly through the tool itself or through the vsAsset Monitor, which is a data collection module supplied with the tool.
• The organisation maintains a single inventory of information assets, which is subdivided by information asset owner into separate asset groups (which include assets grouped into systems, as explained below) within vsRisk™. Asset groups are required and are easily created in vsRisk™. Each asset is also classified as:
  • hardware (all computing and information processing equipment, including printers, fax machines, photocopiers, etc.);
  • software;
  • IP;
  • information/database (e.g. customer database, sales records, accounting ledgers);
  • service, which includes designated secure areas;
  • people (those individuals whose skills, knowledge and experience are considered essential);
  • intangibles;
  • processes; and
  • other assets.
• For each asset, the organisation identifies the business unit or business role that ‘owns’ the asset. For software, the owner is its trained system administrator. The owner is responsible for: ensuring that the asset is correctly classified within vsRisk™, using the sensitivity/classification labels that are contained there (and which are the same as those adopted by the organisation); day-to-day maintenance of the identified controls; and ensuring that access controls are defined and periodically reviewed, and that vulnerabilities are identified and patched. The details of each identified asset owner are loaded into vsRisk™.
• The organisation may group some assets together into composite information ‘systems’, in which case it identifies the assets within the system and the owner is the business unit or role responsible for the system.
• Assets are now added to vsRisk™.
• For each asset, the asset owner either enters directly into the vsRisk™ asset screen (by adding to a group, or by adding to an asset owner) and then completes the fields provided there for asset details, or uses the vsMonitor to provide asset details to the Risk Assessor, as instructed by the Information Security Manager. The business, contractual and legal/regulatory requirements are added, for each asset, using the free text boxes in the asset entry screen. Each asset also has its asset type and classification marked, using vsRisk™ drop-down lists, when the asset details are entered.
• Details about existing controls are added by selection from the Annex A list of controls.
• All new information assets are added to vsRisk™ as and when they are acquired, together with details of their requirements and values, and removed from the schedule when they are disposed of, as the standard requires.
• When new information assets are acquired, or existing assets in any way changed, those assets are added to the vsRisk™ inventory and are treated in line with the requirements below.
• The vsRisk™ Risk Assessment Wizard is used to carry out the risk identification and treatment decision stages of the risk assessment.
• The first step is to input, using the qualitative scale defined in your risk management framework, the asset value; this is the maximum potential loss to the organisation estimated for each of confidentiality, availability and integrity for each of business, legal/regulatory and contractual (unless your organisation has opted to batch these together and use only one set of values for confidentiality, integrity and availability – this will be determined by the methodology you embrace and communicated via the document describing the risk assessment methodology). Choose the ‘Assessments’ tab from the top central menu and then click on the individual asset to bring up the ‘Assessments Overview’ page. For each of the asset attributes, select the ‘Edit’ option, use the sliding scale to identify the value, provide a full text justification for the decision, and ‘Save’.
• The threats to each of the assets are identified by the asset owners, initially by consideration of the threats listed in the vsRisk™ Threat Database, and secondly, by consideration of threats that might not be in the database and which the asset owner is responsible for adding. Threats are considered for each of the three attributes of availability, confidentiality and integrity and for each of the business, legal/regulatory and contractual requirements of the asset.
• The asset owner is responsible for identifying the vulnerabilities that might be exploited by each of these threats, initially by consideration of the vulnerabilities listed in the vsRisk™ Vulnerability Database, and secondly, by consideration of vulnerabilities that might not be in the database and which the asset owner is responsible for adding.
• Where new vulnerabilities or weaknesses are identified (e.g. through the information security event reporting procedure), the Vulnerability Database is updated and, if appropriate, the risk assessment procedure set out here is repeated and any changed controls implemented.
• The impact that might result from each threat-vulnerability combination is defined, as part of the risk assessment methodology, as the value of the asset that the combination would exploit; this figure is held for each attribute within vsRisk™.
• The realistic likelihood that each of these failures might occur is assessed using the likelihood scale set out in the Risk Management Framework, and easily configured using the vsRisk™ sliding scale.
• The risk levels are then automatically calculated, for each risk, by vsRisk™ and shown in the ‘Risk Rating’ column for that asset.
• The vsRisk™ tool then uses the customised risk acceptance criteria (configured as set out above and in line with the requirements of the Risk Management Framework) to make a recommendation, for each of the assessed risks, as to risk treatment and whether the risk is acceptable (in which case vsRisk™ will indicate that no further action is required) or whether it must be controlled in line with the previously established criteria.
• Appropriate control objectives and controls are selected from those listed in the vsRisk™ Controls Database (which contains all the control objectives and controls from Annex A of ISO27001).
• If the Controls Database is inadequate in respect of controls for specific risks, then the Lead Risk Assessor will authorise the import, through the ‘Administration’ section of vsRisk™, of additional controls, which can then be selected to treat that risk.
• Once a control has been selected, the Risk Assessment Wizard will require the Assessor to estimate the extent to which the selected control will reduce impact and/or likelihood by adjusting the slide controls, and the tool will then automatically calculate the residual risk. If the residual risk is greater than the authorised risk acceptance criteria, the Risk Assessment Wizard will provide the opportunity to repeat the control selection process until the residual risk is at or below the risk appetite. Once the residual risk is at or below the risk acceptance criteria, vsRisk™ will not require further action.
• The final residual risk will then be shown in the risk assessment table for the threat-vulnerability combination. You can also print out, from the ‘Report Generator’, a report summarising residual risk, for the board to authorise, as required by the standard.
• vsRisk™ will then summarise all the existing and selected control objectives and controls for the Statement of Applicability, which can then be drawn up together with the justification for accepting/rejecting each ISO27001 control, using the Statement of Applicability (SoA) Report Generating Wizard, as required. The SoA is then authorised by the board.
• The Statement of Applicability and the Asset Risk Report can then be used to inform the organisation’s risk treatment plan.
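The configuration steps above (impact and likelihood scales of three to seven levels, an automatically derived risk matrix, a board-approved acceptance level) and the Wizard steps (asset value per attribute, likelihood, calculated risk level, control selection, residual risk, repeat until acceptable) together describe a small scoring model. The following Python is an added worked example of that model and is not vsRisk™'s code: the matrix rule (impact + likelihood − 1), the way a control reduces impact or likelihood by whole levels, the greedy control choice and the sample asset and control references are all constructed assumptions, chosen only to make the workflow concrete. It also shows why a change to the acceptance criteria must be formally approved: `revalidate` lists the risks whose accept/treat decision flips under a new threshold.

```python
"""Illustrative ISO27001-style risk scoring model (added example, not vsRisk's code).

ASSUMPTIONS: the matrix rule, the control model, the greedy selection and all
sample values below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from itertools import product

MIN_LEVELS, MAX_LEVELS = 3, 7  # the text allows scales of three to seven levels


def build_risk_matrix(impact_levels: int, likelihood_levels: int) -> dict:
    """Return {(impact, likelihood): risk_level} for 1-based scale positions.

    ASSUMPTION: risk level = impact + likelihood - 1, so a 3x3 matrix tops out
    at 5 and a 5x5 matrix at 9 (the maximum depends on the chosen scales).
    """
    for n in (impact_levels, likelihood_levels):
        if not MIN_LEVELS <= n <= MAX_LEVELS:
            raise ValueError(f"scales need {MIN_LEVELS}-{MAX_LEVELS} levels, got {n}")
    return {(i, l): i + l - 1 for i, l in
            product(range(1, impact_levels + 1), range(1, likelihood_levels + 1))}


@dataclass
class Asset:
    name: str
    value: dict  # value[attribute][requirement], e.g. value["C"]["legal"]


@dataclass
class Control:
    ref: str                   # control reference (placeholder strings below)
    impact_reduction: int      # whole levels removed from impact
    likelihood_reduction: int  # whole levels removed from likelihood


@dataclass
class Risk:
    asset: Asset
    attribute: str             # "C", "I" or "A"
    threat: str
    vulnerability: str
    likelihood: int
    controls: list = field(default_factory=list)

    def impact(self) -> int:
        # Impact = asset value for the attribute the threat-vulnerability would
        # exploit, taken as the worst case over business/legal/contractual.
        return max(self.asset.value[self.attribute].values())


def residual(matrix: dict, risk: Risk) -> int:
    """Residual risk after every selected control; levels never drop below 1."""
    imp = risk.impact() - sum(c.impact_reduction for c in risk.controls)
    lik = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    return matrix[(max(1, imp), max(1, lik))]


def treat(matrix: dict, risk: Risk, candidates: list, acceptance: int) -> tuple:
    """Select controls until residual risk is at or below the acceptance level.

    Mirrors the Wizard loop: evaluate, pick a control, re-evaluate, repeat.
    Returns (final_residual, acceptable).
    """
    if not 1 <= acceptance <= 10:
        raise ValueError("acceptance level must be between 1 and 10")

    def with_control(c: Control) -> int:  # residual if c were added
        risk.controls.append(c)
        level = residual(matrix, risk)
        risk.controls.pop()
        return level

    remaining = list(candidates)
    while residual(matrix, risk) > acceptance and remaining:
        best = min(remaining, key=with_control)  # greedy: biggest reduction first
        remaining.remove(best)
        risk.controls.append(best)
    final = residual(matrix, risk)
    return final, final <= acceptance


def revalidate(matrix: dict, risks: list, old_acceptance: int, new_acceptance: int) -> list:
    """(threat, level) for risks whose accept/treat decision flips under new criteria."""
    return [(r.threat, residual(matrix, r)) for r in risks
            if (residual(matrix, r) <= old_acceptance) != (residual(matrix, r) <= new_acceptance)]


# Constructed sample: 5-level scales, acceptance level 4, one asset, three controls.
MATRIX = build_risk_matrix(5, 5)
ACCEPT = 4
CUSTOMER_DB = Asset("customer database", value={
    "C": {"business": 4, "legal": 5, "contractual": 3},
    "I": {"business": 3, "legal": 3, "contractual": 2},
    "A": {"business": 3, "legal": 1, "contractual": 2}})
CONTROLS = [Control("access control (placeholder ref)", 0, 2),
            Control("encryption at rest (placeholder ref)", 2, 0),
            Control("backup (placeholder ref)", 0, 1)]


def demo() -> tuple:
    """Run one risk through the model; returns (inherent, residual, acceptable, control refs)."""
    risk = Risk(CUSTOMER_DB, "C", "theft of media", "unencrypted backups", likelihood=4)
    inherent = residual(MATRIX, risk)  # no controls yet: 5 + 4 - 1 = 8
    final, ok = treat(MATRIX, risk, CONTROLS, ACCEPT)
    return inherent, final, ok, [c.ref for c in risk.controls]


if __name__ == "__main__":
    print(demo())
```

With the sample values the confidentiality risk on the customer database starts at level 8, two controls bring it to level 4, and it is accepted; lowering the board-approved threshold to 3 afterwards would reopen that decision, which is exactly the effect the procedure guards against by requiring approval before criteria change.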