Risk Management: The Open Group Guide (eBook)

Preface 6
Acknowledgements 7
References 8
Introduction 16
Part 1 The Open Group Technical Standard 18
Risk Taxonomy 18
Chapter 1 Introduction to risk taxonomy 19
1.1 Scope 19
1.2 Purpose/objective 20
1.3 Context 20
1.4 The risk language gap 20
1.5 Using FAIR with other risk assessment frameworks 22
1.5.1 The ability of a FAIR-based approach to complement other standards 22
1.5.2 An example: using FAIR with OCTAVE 22
1.5.3 Conclusion 23
Chapter 2 Business case for a risk taxonomy 24
2.1 What makes this the standard of choice? 26
2.2 Who should use this Technical Standard? 27
2.3 Related dependencies 28
Chapter 3 Risk management model 29
3.1 Risk assessment approach 29
3.2 Why is a tightly-defined taxonomy critical? 29
Chapter 4 Functional aspects 30
4.1 What is defined? 30
4.2 What is in/out of scope and why? 30
4.3 How should it be used? 30
Chapter 5 Technical aspects 31
5.1 Risk taxonomy overview 31
5.2 Component definitions 32
5.2.1 Risk 32
5.2.2 Loss Event Frequency (LEF) 32
5.2.3 Threat Event Frequency (TEF) 33
5.2.4 Contact 33
5.2.5 Action 34
5.2.6 Vulnerability 34
5.2.7 Threat Capability 36
5.2.8 Control Strength (CS) 36
5.2.9 Probable Loss Magnitude (PLM) 37
5.2.10 Forms of loss 38
5.2.11 Loss factors 39
5.2.12 Primary loss factors 40
5.2.13 Secondary loss factors 43
Chapter 6 Example application 48
6.1 The scenario 48
6.2 The analysis: FAIR basic risk assessment methodology 48
6.2.1 Stage 1: Identify scenario components 49
6.2.2 Stage 2: Evaluate Loss Event Frequency (LEF) 50
6.2.3 Stage 3: Evaluate Probable Loss Magnitude (PLM) 53
6.2.4 Stage 4: Derive and articulate risk 58
6.3 Further information 59
Appendix A Risk taxonomy considerations 60
A.1 Complexity of the model 60
A.2 Availability of data 61
A.3 Iterative risk analyses 61
A.4 Perspective 62
Part 2 The Open Group Technical Guide 64
Requirements for riskassessment methodologies 64
Chapter 1 Introduction to requirements for risk assessment methodologies 65
1.1 Business case for risk assessment methodologies 65
1.2 Scope 66
1.3 Using this Technical Guide 66
1.4 Definition of terms 66
1.5 Key operating assumptions 67
Chapter 2 What makes a good risk assessment methodology? 68
2.1 Key component: taxonomy 68
2.2 Key risk assessment traits 68
2.2.1 Probabilistic 68
2.2.2 Accurate 69
2.2.3 Consistent (repeatable) 70
2.2.4 Defensible 70
2.2.5 Logical 70
2.2.6 Risk-focused 71
2.2.7 Concise and meaningful 71
2.2.8 Feasible 71
2.2.9 Actionable 72
2.2.10 Prioritized 72
2.2.11 Important note 72
Chapter 3 Risk assessment methodology considerations 73
3.1 Use of qualitative versus quantitative scales 73
3.1.1 When is using numbers not quantitative? 74
3.2 Measurement scales 74
3.2.1 Nominal scale 74
3.2.2 Ordinal scale 74
3.2.3 Interval scale 74
3.2.4 Ratio scale 75
3.2.5 Important note 75
3.3 How frequent is ‘likely’? 75
3.4 Risk and the data owners 76
Chapter 4 Assessment elements 77
4.1 Identifying risk issues 77
4.1.1 Interviews and questionnaires 77
4.1.2 Testing 78
4.1.3 Sampling 79
4.1.4 Types of sampling 79
4.2 Evaluating the severity/significance of risk issues 79
4.3 Identifying the root cause of risk issues 80
4.4 Identifying cost-effective solution options 80
4.5 Communicating the results to management 81
4.5.1 What to communicate 81
4.5.2 How to communicate 81
Part 3 The Open Group Technical Guide 84
FAIR–ISO/IEC 27005 Cookbook 84
Chapter 1 Introduction to the FAIR–ISO/IEC 27005 Cookbook 85
1.1 Purpose 85
1.2 Scope 85
1.3 Intended audience 85
1.4 Operating assumptions 86
1.5 Using this Cookbook 86
Chapter 2 How to manage risk 87
2.1 Information Security Management System (ISMS) overview 87
2.2 How FAIR plugs into the ISMS 89
2.3 Major differences in approach 93
2.4 Recommended approach 95
2.5 Points to consider 95
2.5.1 Concerns about the complexity of the model 95
2.5.2 Availability of data to support statistical analysis 96
2.5.3 The iterative nature of risk analyses 96
Chapter 3 What information is necessary for risk analysis? 97
3.1 Introduction to the landscape of risk 97
3.2 Asset landscape 97
3.2.1 ISO definition and goal 98
3.2.2 Major differences in asset landscape treatment 99
3.3 Threat landscape 99
3.3.1 ISO definition and goal 99
3.3.2 Major differences in threat landscape treatment 99
3.3.3 Structure of classification 99
3.3.4 Consideration of threat actions 100
3.3.5 The development of metrics for the threat landscape 100
3.4 Controls landscape 101
3.4.1 ISO definition and goal 101
3.4.2 Major differences in controls landscape treatment 101
3.4.3 Development of metrics for the controls landscape 101
3.5 Loss (impact) landscape 102
3.5.1 ISO definition and goal 102
3.5.2 Major differences in loss (impact) landscape treatment 102
3.5.3 Structure of classification 102
3.5.4 Development of metrics for the loss (impact) landscape 103
3.5.5 Probability of indirect operational impacts 103
3.6 Vulnerability landscape 104
3.6.1 ISO definition and goal 104
3.6.2 Major differences in vulnerability landscape treatment 104
3.6.3 Consideration for the vulnerability landscape 104
3.6.4 Development of metrics for the vulnerability landscape 105
Chapter 4 How to use FAIR in your ISMS 106
4.1 Recipe for ISO/IEC 27005 risk management with FAIR 107
4.2 Define the context for information security risk management 110
4.2.1 General considerations 110
4.2.2 Risk acceptance criteria 111
4.3 Calculate risk 112
4.3.1 Stage 1 112
4.3.2 Stage 2 113
4.3.3 Stage 3 116
4.3.4 Stage 4 117
4.4 Determine the appropriate information risk treatment plan 118
4.5 Develop an information security risk communication plan 119
4.6 Describe the information security risk monitoring and review plan 120
Appendix A Risk Management Program Worksheet 121
A.1 Define the context for information security risk managementGeneral considerations 121
A.2 Calculate risk 122
A.3 Determine the appropriate information risk treatment plan 125
A.4 Develop an Information Security Risk Communication Plan 126
A.5 Describe the Information Security Risk Monitoring and Review Plan 127
Glossary 128
Index 132