Scribd Logo
Hochladen

Willkommen bei Scribd!

  • ISO 27005 Presentation Slide

    Hochgeladen von

    Son Tran Hong Nam
    858 Ansichten25 Seiten
    ISO 27005 Presentation Slide

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    ISO 27005 Presentation Slide

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    858 Ansichten25 Seiten

    ISO 27005 Presentation Slide

    Hochgeladen von

    Son Tran Hong Nam
    ISO 27005 Presentation Slide

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 25

    RiskAssessmentasperISO27005

    PresentedbyDharshanShanthamurthy,
    RiskAssessmentEvangelist
    WWW.SMARTRA.COM

    SMARTRA.COMisapatentpendingproductofSISAInformationSecurityPvt.Ltd.
    What is Risk Assessment?
    WhatisRiskAssessment?
    NISTSP80030
    RiskAssessmentistheanalysisofthreatsinconjunctionwith
    vulnerabilitiesandexistingcontrols.
    l biliti d i ti t l
    OCTAVE
    ARiskAssessmentwillprovideinformationneededtomake
    riskmanagementdecisionsregardingthedegreeofsecurity
    remediation.
    remediation
    ISO27005
    RiskAssessment=Identification,Estimationand
    Risk Assessment Identification Estimation and
    Evaluation
    WhyRiskAssessment?
    RegulatoryCompliance
    Compliance RiskAssessmentRequirement
    St d d
    Standard
    PCIDSS Formal andstructuredriskassessmentbasedonmethodologieslikeISO27005,
    Requirement NISTSP80030,OCTAVE,etc.
    12 1 2
    12.1.2
    HIPAASection Conductanaccurateandthoroughassessmentofthepotentialrisksand
    164.308(a)(1) vulnerabilitiestotheconfidentiality,integrity,andavailabilityofelectronic
    protected health information held by the covered entity
    protectedhealthinformationheldbythecoveredentity.
    FISMA3544 Periodictestingandevaluationoftheeffectivenessofinformationsecurity
    policies,procedures,andpractices,tobeperformed atleastannually.

    ISO27001Clause Riskassessmentsshouldidentifyrisksagainstriskacceptancecriteriaand
    4.1 organizationalobjectives.Riskassessmentsshouldalsobeperformed
    periodicallytoaddresschangesinthesecurityrequirementsandintherisk
    situation.
    GLBA, SOX,FISMA,DataProtectionAct,ITActAmendment2008,PrivacyAct,HITRUST
    WhyRiskAssessment?
    y
    BusinessRationale
    Function Explanation
    Returnon StructuredRAMethodologyfollowsasystematicandpredefined
    Investment approach,minimizesthescopeofhumanerror,andemphasizes
    process driven rather than human driven activities
    processdriven,ratherthanhumandrivenactivities.

    BudgetAllocation Assistsincontrolscostplanningandjustification

    Controls Costandeffortoptimizationbyoptimizingcontrolsselectionand
    implementation

    Efficient Resourceoptimizationbyappropriatedelegationofactionsrelatedto
    utilization of
    utilizationof controls implementation
    controlsimplementation.
    resources
    What is IS
    IS-RA?
    RA?
    Risk assessment is the cornerstone of any information
    security program, and it is the fastest way to gain a
    complete understanding of an organization's security
    profile its strengths and weaknesses,
    weaknesses its vulnerabilities
    and exposures.

    IF YOU CANT MEASURE IT

    YOU
    YOU CANT MANAGE IT!
    Reality Check
    RealityCheck
    ISRA aneedmorethanawant
    Each organization has their own ISRA
    EachorganizationhastheirownISRA
    ISRAlearningcurve
    Cumbersome 1000assets,20worksheets
    Two months efforts
    Twomonthsefforts
    Complicatedreport
    Exercise
    ThreatScenarios
    ThreatProfilestobefilled.
    Threat Profiles to be filled.
    RiskAssessmentreferencepoints
    OCTAVE
    NISTSP80030
    ISO27005
    COSO
    RiskIT
    ISO31000
    AS/NZS4360
    FRAP
    FTA
    MEHARI
    ISO 27005 Introduction
    ISO27005Introduction
    ISO27005isanInformationSecurityRiskManagementguideline.
    ISO 27005 i I f ti S it Ri k M t id li

    LaysemphasisontheISMSconceptofISO27001:2005.

    DraftedandpublishedbytheInternationalOrganizationfor
    Standardization (ISO) and the International Electrotechnical
    Standardization(ISO)andtheInternationalElectrotechnical
    Commission(IEC)

    Provides
    ProvidesaRAguidelineanddoesnotrecommendanyRA
    a RA guideline and does not recommend any RA
    methodologies.

    Applicabletoorganizationsofalltypes.
    f
    ISO 27005 Workflow
    ISO27005Workflow
    Advocatesaniterativeapproach
    pp
    toriskassessment

    Aims
    Aimsatbalancingtimeand
    at balancing time and
    effortwithcontrolsefficiencyin
    mitigatinghighrisks

    ProposesthePlanDoCheckAct
    cycle.

    Source:ISO27005Standard
    ISO 27005 Risk Assessment
    ISO27005RiskAssessment
    IInformationSecurityRiskAssessment=RiskAnalysis+
    f i S i Ri k A Ri k A l i
    RiskEvaluation
    Risk Analysis:
    RiskAnalysis:
    RiskAnalysis=RiskIdentification+RiskEstimation

    1.RiskIdentification
    Risk characterized in terms of organizational conditions
    Riskcharacterizedintermsoforganizationalconditions

    IdentificationofAssets:Assetswithinthedefinedscope
    IdentificationofThreats:BasedonIncidentReviewing,Asset
    Owners,AssetUsers,Externalthreats,etc.
    ISO 27005 Risk Assessment Contd.
    ISO27005RiskAssessmentContd.
    Identification
    IdentificationofExistingControls:Alsocheckifthecontrolsareworking
    of Existing Controls: Also check if the controls are working
    correctly.
    IdentificationofVulnerabilities:Vulnerabilitiesareshortlistedin
    organizationalprocesses,IT,personnel,etc.
    IdentificationofConsequences:TheimpactoflossofCIAofassets.

    2.RiskEstimation

    Specifiesthemeasureofrisk.

    QualitativeEstimation
    Qualitative Estimation
    QuantitativeEstimation

    Risk Evaluation:
    RiskEvaluation:
    ComparesandprioritizesRiskLevelbasedonRiskEvaluationCriteriaandRisk
    AcceptanceCriteria.
    ISO27005RAWorkflow

    Step1 Step2 Step3 Step4


    General
    General RiskAnalysis:
    Risk Analysis:
    Descriptionof RiskAnalysis:
    Risk RiskEvaluation
    ISRA RiskEstimation
    Identification
    Step1
    General
    RiskAnalysis:Risk
    Risk Analysis: Risk RiskAnalysis:Risk
    Risk Analysis Risk
    Descriptionof Identification Estimation
    RiskEvaluation

    ISRA

    1. GeneralDescriptionofISRA

    Identify,Describe
    d f b Assessedrisks
    d ik
    BasicCriteria
    (quantitativelyor prioritizedaccordingto
    ScopeandBoundaries
    qualitatively)and RiskEvaluation
    OrganizationforISRM
    g
    P i iti Ri k
    PrioritizeRisks C it i
    Criteria.
    Step2
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis Risk
    ofISRA Ri k
    Risk Estimation
    RiskEvaluation
    Identification

    2.RiskAnalysis:RiskIdentification
    IdentificationofAssets

    SScopeandBoundaries
    d d i
    ListofAssets.
    Assetowners
    Assetsaredefined Listofassociated
    AssetLocation
    businessprocesses.
    p
    A t f ti
    Assetfunction
    Step2
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis Risk
    ofISRA Ri k
    Risk Estimation
    RiskEvaluation
    Identification

    2.RiskAnalysis:RiskIdentification
    IdentificationofThreats

    ThreatInformation
    Threat Information
    from Threats
    ReviewofIncidents Threatsaredefined Threatsource
    AssetOwners Threattype
    yp
    AssetUsers,etc.
    Step2
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis Risk
    ofISRA Ri k
    Risk Estimation
    RiskEvaluation
    Identification

    2.RiskAnalysis:RiskIdentification
    IdentificationofExistingControls

    Existing
    Existingand
    and
    Documentationof plannedcontrols
    Existingandplanned
    controls Implementation
    controlsaredefined
    RTP status
    Usagestatus
    Step2
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis Risk
    ofISRA Ri k
    Risk Estimation
    RiskEvaluation
    Identification

    2.RiskAnalysis:RiskIdentification
    IdentificationofVulnerabilities

    Vulnerabilities
    Vulnerabilitiesrelated
    related
    IdentifiedAssets
    d ifi d
    toassets,threats,
    IdentifiedThreats Vulnerabilitiesare
    controls.
    IdentifiedExisting identified
    Vulnerabilitiesnot
    C t l
    Controls
    relatedtoanythreat.
    Step2
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis Risk
    ofISRA Ri k
    Risk Estimation
    RiskEvaluation
    Identification

    2.RiskAnalysis:RiskIdentification
    IdentificationofConsequences

    Incident
    Incidentscenarios
    scenarios
    Assetsandbusiness
    db i
    withtheir
    processes Theimpactoftheloss
    consequencesrelated
    Threatsand ofCIAisidentified
    toassetsand
    vulnerabilities
    l biliti
    businessprocesses
    Step3
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis: Risk
    ofISRA Identification Ri k
    Risk RiskEvaluation
    Estimation

    3.RiskAnalysis:RiskEstimation
    RiskEstimationMethodologies

    ((a)) QualitativeEstimation:High,Medium,Low
    Q lit ti E ti ti Hi h M di L
    ((b)) QuantitativeEstimation:$,hours,etc.
    Step3
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis: Risk
    ofISRA Identification Ri k
    Risk RiskEvaluation
    Estimation

    3.RiskAnalysis:RiskEstimation
    Assessmentofconsequences

    Assets
    Assetsandbusiness
    and business Assessedconsequences
    Assessed consequences
    Thebusinessimpact
    h b
    processes ofanincidentscenario
    frominformation
    Threatsand expressedintermsof
    securityincidentsis
    vulnerabilities p
    assetsandimpact
    assessed.
    d
    Incidentscenarios criteria.
    Step3
    RiskAnalysis:
    General Description
    GeneralDescription RiskAnalysis:Risk
    Risk Analysis: Risk
    ofISRA Identification Ri k
    Risk RiskEvaluation
    Estimation

    3.RiskAnalysis:RiskEstimation
    LevelofRiskEstimation

    Incidentscenarios
    withtheir Levelofriskis
    l f k
    consequences estimatedforall Listofriskswithvalue
    Theirlikelihood relevantincident levelsassigned.
    (quantitativeor scenarios
    i
    qualitative).
    Step4

    GeneralDescription
    General Description RiskAnalysis:Risk
    Risk Analysis: Risk RiskAnalysis:Risk
    Risk Analysis: Risk Risk
    Risk
    ofISRA Identification Estimation
    Evaluation

    4.RiskAnalysis:RiskEstimation
    LevelofRiskEstimation

    Risksprioritized
    Risks prioritized
    Levelofriskis
    l f k
    Riskswithvaluelevels accordingtorisk
    comparedagainstrisk
    assignedandrisk evaluationcriteriain
    evaluationcriteriaand
    evaluationcriteria. relationtotheincident
    riskacceptancecriteria
    ik t it i
    scenarios.
    Summary
    KeepitSimpleandSystematic
    Comprehensive
    Risksensitivecultureintheorganization.
    Drivesecurityfromariskmanagement
    p p
    perspective,ratheronlyacompliance
    , y p
    perspective.
    HelpRAtohelpyou
    H l RA t h l
    Questions?

    Be a Risk Assessment Evangelist!


    BeaRiskAssessmentEvangelist!
    ISRAForumonLinkedin
    SMART RA Forum on Linkedin
    SMARTRAForumonLinkedin

    DharshanShanthamurthy,
    Email:dharshan.shanthamurthy@sisa.in
    y
    Phone:+919945122551

    Das könnte Ihnen auch gefallen