Monday, June 20, 2016

Security and Risk Management - Some basic terms

  1.  Risk is the probability of threat agent exploiting vulnerability.
  2. Threat is the danger of threat agent exploiting vulnerability.
  3.  Data Classification is a way of putting information under named categories (mostly by Data Owner) based on it's worth and loss involved if wiped off/ leaked out / edited by unauthorized person. Ultimately based on category were information is lying, Data Custodian may choose different controls and spend more or less to keep the data safe and destroy safely when no longer needed.
  4.  AV (Asset Value) is the $ worth of entity under risk of exposure to threat under quantitative risk analysis.
  5.  EF (Exposure Factor) is percentage loss of asset value a single exposure may do.
  6.  SLE (Single Loss Expectancy) defines how much money an organization may probably loose when exposure happens once. Under quantitative risk analysis, Asset value is multiplied by Exposure Factor to get SLE. Say, I have laptop (asset) worth $200 (asset value) and if my son (threat agent) finds laptop kept on the table (not closing it and locking is vulnerability) and he throws water on it (threat), based on previous experience, I know it costs $100 to change damaged parts. So EF (Exposure Factor) is 100/200 (= 0.5). So next time I don't use cupboard (Physical control) to lock laptop, there is a risk of my son (threat agent) to throw water on it (exploit vulnerability). And SLE will be $200 (AV) * 0.5 (EF) = $100 (SLE), the single repair cost. EF is uncertainty here, next time threat agent may have more water in his glass.
  7.  ARO (Annualized Rate of Occurrence) defines probable yearly frequency of exposure. Under quantitative risk analysis, this is multiplied by SLE (single loss expectancy) to get ALE (annual loss expectancy). Say, if ARO is 5, it means exposure may happen five times in a year, if ARO is 0.5, it means threat agent may be successful once in two years.
  8.  Policy is version controlled and dated set of principles and concise & unambiguous statements formulated to ensure compliance with industry standards, to define behavior and activities of subjects or just to inform the subjects, thereby playing the role of an enabler to achieve business objectives. It should clearly define consequences of noncompliance with policy documented.
  9.  SLA (Service Level Agreements); as discussed under CobiT > Deliver & Support > Define service levels; is a ‘formal’ / ‘legal and formal’ agreement between customer and vendor where various essential properties of service are defined including ways to measure & report deviation and corresponding ownership is agreed upon. Customer and vendor could be two departments of same organization too. Based upon what type of service is being formally documented, SLA could include mandatory level of availability, response time to issues based on category, reporting planned downtime, who is responsible for what and who takes up ‘unforeseen things not documented here’ and so on.
  10.  CobiT (Control Objectives for Information and Related Technology) is business-focused, process-oriented, controls-based and measurement-driven IT (Information Technology) Governance framework developed and promoted by ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute) for IT management targeting needs of internal/external stakeholders across the enterprise.

Conducting Risk Assessment

Conducting Risk Assessment
Risk Assessment is part of Risk Management Process. The purpose of Risk Assessment is to identify threats, internal and external vulnerabilities, potential loss and probability of loss, the end result being determination of risk. Under Risk Assessment, risk is determined based on adverse effects due to the event and likelihood of occurrence. Risk Assessment is employed at organization level, mission/business process level, and information system level.
NIST Special Publication 800-30 Revision 1 suggests Risk Assessment as an ongoing activity throughout the system development life cycle and closely interacting with components of Risk Management. Risk Assessment Process (under Risk Management Process) includes preparation, conducting assessment, communicate results and maintain the assessment. Maintaining the assessment and communication may trigger steps to conduct assessment repeatedly. The second step of Risk Assessment – conducting assessment may be further understood going through activities involved in this step:
Identify Threat Sources
Threat Sources are identified at every level - organization level, mission/business process level, and information system level. And they are identified based on taxonomy – adversarial (adversary capability, intent and targeting / non adversarial), accidental, structural and environmental.
Identify Threat Events
The purpose of this activity is to identify potential threat events, relevance of the events, and the threat sources that could initiate the events.
Identify Vulnerabilities and Predisposing Conditions
The purpose of this activity is to identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts. As in case of identification of threat sources, these are also identified and categorized based on different levels & taxonomies and tagged for severity – quantitative/ qualitative.
Determine Likelihood of Occurrence
In this activity, based on threat source, vulnerability and implemented safeguards, likelihood of occurrence is formulated and determined. Without diligent efforts in previous activities and proper knowledge and documentation of safeguards/ controls in place, this activity may give false results.
Determine Magnitude of Impact
Purpose of this step is to determine impact based on first three activities and maximum worth of affected entity in terms of value of loss / unavailability.
Determine Risk
Purpose of this step is to determine risk based on impact and likelihood determined previously. 

Can a risk mitigation create value to an organization based on the COBIT framework?
Risk is not something tangible, but can be minimized with help of CobiT framework. Risk minimization makes sure, risk doesn't exceed risk appetite of the organization, thereby helping organization to survive and grow, based on CobiT framework. With help of CobiT, risk may be tied to business strategy, thereby helping make better informed decisions within risk tolerance by risk mitigation. Further, even though CobiT may not help much define risk analysis methods, but it helps establish a link b/w risk scenario and appropriate response via enablers(controls), also how to manage risk ( Risk function and Risk Management).


United States. Joint Task Force Transformation Initiative, & National Institute of Standards Technology. (2012). Guide for conducting risk assessments (Revision 1.. ed., NIST special publication ; 800-30). Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-30r1