Answering Risk Estimation for ISO 27005
With the recent PCI Security Standards Council guidance on risk assessments (the SIG on PCI Risk Assessments), questions have arisen about alignment with ISO 27005.
Since few organizations were doing basic risk assessments, the goal for PCI here is to determine the significance of risks so you can effectively prioritize mitigation efforts. This includes presenting all risks to an asset so that asset owners can evaluate and determine appropriate risk mitigation measures, as well as reviewing existing controls and their effectiveness against the identified threats or vulnerabilities. Our analysis has shown that organizations like the flexibility and defensibility of ISO 27005, along with the fact that it is well suited to various risk estimation methodologies (including iRisk and FAIR). In the end, it is up to the organization to select its own approach to risk assessment (which is discussed below), but for most, using ISO as a base is a good starting point.
Brief ISO Risk Management Review
Here is a quick recap from some prior discussions: ISO 27001 describes a general process for the Information Security Management System (ISMS). ISO 27002 provides the taxonomy of information security controls. ISO 27002 does discuss some risk management and treatment as a domain in the ISMS. However, in moving up the chain of security program management, ISO 27005 defines the approach to managing security risk. Both SecureState’s iRisk and FAIR provide a methodology for analyzing security risk within these approaches. (On a side note, ISO 31000 provides principles and generic guidelines on enterprise risk management.)
The foundation for the risk management portion of the ISMS includes these steps:
- Define the risk assessment approach of the organization
- Identify the risks
- Analyze and evaluate the risks
- Identify and evaluate options for the treatment of risks
- Select control objectives and controls for the treatment of risks
- Obtain management approval of the proposed residual risks
Components of Analysis: Risk Identification and Estimation
ISO defines risk identification as the process to find, list and characterize elements of risk (in layman's terms: What do we have, who's coming at it, what are the holes, and what controls are in place?). Risk estimation is the process of assigning values to the probability and consequences of a risk. The reason for this blog is that ISO 27005 does not provide specifics on a methodology for determining risk level. The details around these requirements are very sparse in ISO guidance and are left to the organization to create to meet its needs. Clearly, there needs to be a balance between minimizing time and effort while still ensuring that high risks are appropriately assessed and prioritized against the risk evaluation criteria and objectives relevant to the organization. To make this more concrete, there are two methodologies for this assessment portion that you should look at as strong possibilities to meet your goals.
Using Equations for Risk Estimation
A risk equation or taxonomy provides a logical, defensible methodology to identify, analyze, and evaluate the risks within that management system. The two risk equations for assessment are iRisk and the FAIR taxonomy. iRisk and FAIR both provide a methodology for evaluating actual risks, meeting the needs of 27005. FAIR (Factor Analysis of Information Risk) is for those looking to handle more than just security risk (i.e. a complete operational taxonomy), and who really are looking at risk from a top-down, enterprise-wide perspective. It allows you to apply risk to any object or asset, and can be applied to organizational risk in total. From a bottom-up perspective, the iRisk equation is targeted at the security group only and allows you to start from where you are, with activities you are already doing. For simplicity, it purposely omits variables that can be added later once budget, or management buy-in, permits. It provides an engine that can be used in other security risk models to more simply align the risk assessment results with the way the organization currently works.
The big takeaway is there needs to be better rationale for the things you are and aren’t doing for managing your security program (inside and outside of PCI). An equation or taxonomy provides the requisite basic vocabulary, based on a fundamental description of what risk is. It then shows how to apply it to produce the objective, meaningful, and consistent results (really estimates using ISO terminology) that the business needs in order to make informed decisions on whether to accept, reduce, or transfer risk. A quantitative estimation and analysis offers a fast and efficient way of conveying information. Quantitative estimation is preferred in that it can be related directly to the information security objectives and concerns of the organization. Interestingly, we humans also have a strong inherent belief that quantitative data is more real or more rigorous.
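As an added illustration (not code from the post, from SecureState, or from the FAIR Institute) of what "assigning values to the probability and consequences of a risk" looks like once you commit to an equation, here is a small Python risk-register estimator using a generic likelihood times consequence formulation. It is not the iRisk equation and not the FAIR taxonomy (neither is reproduced in this post); the 1 to 5 ordinal scales, the risk-level bands, the treatment threshold, and the assumption that existing controls discount likelihood proportionally are all assumptions chosen for the example, and the register entries are constructed sample data.

```python
"""Generic likelihood x consequence risk estimation over a constructed register.

Assumptions (not from ISO 27005, iRisk or FAIR): 1-5 ordinal scales, a
control-effectiveness factor in [0, 1] that discounts likelihood only,
and fixed score bands for the organization's risk evaluation criteria.
"""
from dataclasses import dataclass

# Assumed ordinal scales for the two values risk estimation assigns.
LIKELIHOOD_LEVELS = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE_LEVELS = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the register: what we have, who is coming at it, the hole, and the controls."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    # Effectiveness of controls already in place against this threat/vulnerability
    # pair: 0.0 means nothing in place, 1.0 means fully mitigated (assumed scale).
    control_effectiveness: float = 0.0


def inherent_risk(r: Risk) -> int:
    """Risk before crediting existing controls: likelihood x consequence (1..25)."""
    return LIKELIHOOD_LEVELS[r.likelihood] * CONSEQUENCE_LEVELS[r.consequence]


def residual_risk(r: Risk) -> float:
    """Risk after crediting existing controls.

    Assumption: controls reduce likelihood proportionally; consequence is unchanged,
    since a control that stops the event does not shrink the loss if it still happens.
    """
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within [0, 1]")
    reduced_likelihood = LIKELIHOOD_LEVELS[r.likelihood] * (1.0 - r.control_effectiveness)
    return round(reduced_likelihood * CONSEQUENCE_LEVELS[r.consequence], 2)


def risk_level(score: float) -> str:
    """Map a score onto assumed evaluation bands (the organization sets these)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register, treat_threshold: float = 8):
    """Rank residual risks highest first and flag those at or above the treatment threshold.

    Returns (asset, threat, residual score, level, needs_treatment) tuples.
    """
    ranked = sorted(register, key=residual_risk, reverse=True)
    return [
        (r.asset, r.threat, residual_risk(r), risk_level(residual_risk(r)),
         residual_risk(r) >= treat_threshold)
        for r in ranked
    ]


def risks_by_asset(register):
    """Group every risk to each asset so the asset owner sees the complete picture."""
    grouped = {}
    for r in register:
        grouped.setdefault(r.asset, []).append(r)
    return grouped


# Constructed sample register; values are illustrative, not assessment results.
REGISTER = [
    Risk("cardholder database", "external attacker", "injection flaw in web app", "likely", "severe", 0.5),
    Risk("cardholder database", "malicious insider", "excessive DBA privileges", "possible", "severe", 0.2),
    Risk("POS terminals", "skimming device", "no tamper inspection", "possible", "major", 0.0),
    Risk("internal wiki", "commodity malware", "unpatched CMS", "likely", "minor", 0.6),
]

if __name__ == "__main__":
    for asset, risks in risks_by_asset(REGISTER).items():
        print(f"{asset}: {len(risks)} risk(s), inherent scores {[inherent_risk(r) for r in risks]}")
    for row in prioritize(REGISTER):
        print(row)
```

The point of the example is the shape of the output, not the numbers: every risk to an asset is visible to its owner, existing controls are credited explicitly rather than silently, and the ranking plus a threshold gives the defensible "why this first" rationale an assessor asks for. Swapping in iRisk or FAIR means replacing the two scoring functions while the register, grouping and prioritization stay the same.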
In Short…Will You Pass the PCI Assessment?
Again, the goal for the PCI assessor is to see that you have determined the significance of risk and you are effectively prioritizing mitigation efforts. Thus, having an equation that simplifies the explanation of how the results were arrived at improves both your credibility and the acceptance of the results. Organizations will need to be prepared in a way that they have typically never had to before. Time is always against you, so the sooner you get started the better!
If you’d like to find out more, feel free to comment or contribute at iRisk Community, or check out the Web Seminar on March 26, 12:00 EST at Business of Security (also available for download on the site if you miss it). There are also various discussions on FAIR there.