Risk assessment Rolf Sture Normann CISA, CRISC, 27001 Lead implementer Secretary for information security in HE Norway, UNINETT

Post on 19-Jan-2016


Page 1

Risk assessment

Rolf Sture Normann, CISA, CRISC, 27001 Lead Implementer

Secretary for information security in HE Norway, UNINETT

Page 2

Risk assessment?

Identify which assets we have and what can happen to them that would have a negative impact on the information's:

• Confidentiality

• Integrity

• Availability

Assess the risk – combination of impact and likelihood (asset value) for each event

Evaluate and treat the risk by implementing proper controls that reduce the likelihood and/or the impact the incident will cause

Bring the risk to an accepted level

Page 3

Why do risk assessment?

Comply with regulations and laws

To keep trust between the registrant and the registered

Quality

Know which assets you have

Important part of the information security!

Page 4

We do it every day…

What is our decision based on? Not documented and structured.

Page 5

Challenges

Time- and resource-consuming

Needs special knowledge or an expensive consultant

Support from the management

Delivering services is more important than securing them?

Page 7

Important topics in white paper

As easy as possible (but not easier)

Get started, don't wait until you think you have the perfect system

Risk assessment for end users and highly technical personnel

Practical

• Planning

• Leadership

• Workshop

• Do methods really matter?

• Report

Risk treatment

Page 8

Risk process in the ISMS (diagram: a cycle of four phases with the ISMS elements placed around them)

Planned activities: scope, goal, strategy, organizing; accept criteria; requirements/guidelines; risk assessment; risk management; controls/SoA; training; assets; year plan for the CISO; courses/training; audits; ROS; security culture

Implementing documents and tasks: governance documents

Controlling activities: security audit; incidents; top 10 incidents; yearly report for management's review; status report from the CISO

Improvement: management's review; corrective decisions/actions; corrections

Page 9

Risk assessments at different levels (diagram)

The business: overall risk assessment

Process 1 … Process 4: risk assessment for business processes

System 1 … System 8: risk assessment for systems

Infrastructure

Page 10

The business

Helicopter view

What are the «built-in» risks in our sector

What kind of information do we have

Facilities

Regions

Page 11

Business processes

Assessing a specific business process

E.g. the research and development process

Different participants at different stages

Page 12

Business systems

Scope

Usage of the system

What information

End users or superusers

Technical staff/operations

Administrators

System n

User perspective

Technical perspective

Page 13

ROS workshop (ROS: risk and vulnerability analysis)

Workshop to find out which events can occur and their impact.

Not too many participants.

One person with experience in risk assessments should facilitate the workshop.

A secretary who takes notes of the events.

Try to involve people who together represent your organisation's use of the system/process.

Leaving out people who should have been involved can make «enemies».

Page 14

Workshop-planning

The scope

Who should attend

Don't create «enemies»

All types of users

Create a preparation document

Can be an eye opener (awareness)

Page 15

Workshop - the meeting

What is a risk assessment

Participants are important

Discuss the provided examples

One person should write down the incidents that come up

Try to find out when to end this part

Likelihood and impact

Risk matrix and the values

Acceptable criteria

Page 16

How often?

Should be done on a regular basis

ROS should be done after each change in the system or environment that can affect information security

Once a thorough ROS is done, it is more efficient to use the last assessment as a base; it will become less time-consuming

Page 17

Risk treatment

After the ROS is done it is crucial to treat the newly discovered risks. A risk treatment plan should be made, based on the policy for treating risk.

Methods

Reduce (Mitigate)

Accept

Transfer

Avoid

Risk should be treated until it is acceptable according to the accept criteria set by the management
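As an added illustration (not from the slides) of pages 2, 15 and 17 together: a small risk register in Python that scores each event as a cell in the matrix (likelihood × impact), checks it against management's accept criteria and records one of the four treatment options until the residual risk is acceptable. The 1–4 scales, the accept level of 6 and the example events are constructed, not the author's.

```python
# Risk register: likelihood x impact matrix, accept criteria and treatment options.
# Added example, not from the slides: the 1-4 scales and the accept level are constructed.
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}  # constructed
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "critical": 4}            # constructed
ACCEPT_LEVEL = 6  # constructed management accept criterion: score <= 6 is acceptable

@dataclass
class Event:
    asset: str                      # what can be affected
    what: str                       # what can happen to it
    likelihood: str
    impact: str
    treatment: str = ""             # reduce / accept / transfer / avoid, set by treat()
    residual: Optional[int] = None  # score after treatment, None while untreated

def risk_score(likelihood: str, impact: str) -> int:
    """The matrix cell: likelihood value times impact value."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def is_acceptable(score: int) -> bool:
    return score <= ACCEPT_LEVEL

def treat(event: Event, option: str, likelihood: Optional[str] = None,
          impact: Optional[str] = None) -> int:
    """Apply one treatment option and return the residual score.
    accept: only when the current score already meets the accept criteria.
    avoid: the activity is dropped, residual 0.  reduce/transfer: controls or e.g.
    insurance lower likelihood and/or impact; the new values must lower the score."""
    current = risk_score(event.likelihood, event.impact)
    if option == "accept":
        if not is_acceptable(current):
            raise ValueError(f"{event.asset}: {current} exceeds accept level {ACCEPT_LEVEL}")
        residual = current
    elif option == "avoid":
        residual = 0
    elif option in ("reduce", "transfer"):
        residual = risk_score(likelihood or event.likelihood, impact or event.impact)
        if residual >= current:
            raise ValueError(f"{event.asset}: treatment does not lower the risk")
    else:
        raise ValueError(f"unknown treatment option {option!r}")
    event.treatment, event.residual = option, residual
    return residual

def still_open(register: List[Event]) -> List[str]:
    """Assets untreated or still above the accept criteria: the treatment plan's to-do list."""
    return [e.asset for e in register if e.residual is None or not is_acceptable(e.residual)]
```

Re-running the register against the previous one is the "use the last assessment as a base" step from page 16: only events whose likelihood or impact changed need a new matrix cell.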

Page 18

Page 19

The risk matrix

Page 20

Likelihood scale

Page 21

Impact scale

Page 22

Workshop results

Page 23

The report

Page 24

ISMS HE sector in Norway