Thursday, May 24, 2018

Risk Assessment Methodology

Having understood Risk Management & Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is important for us to know the best approach for our organization and its needs.

The first one is NIST SP 800-30, which is considered a U.S. federal government standard.

It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification    
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

The NIST risk management methodology is mainly focused on: 
a) computer systems.
b) IT security issues. 

2. FRAP (Facilitated Risk Analysis Process)

• Qualitative methodology.
• Focuses only on the systems that really need to be assessed.
• Helps to reduce costs and time spent in risk assessment.
• Risk assessment steps are only carried out on the item(s) that need it the most.
• It is to be used to analyze one system, application, or business process at a time. 
• Data is gathered and threats to business operations are prioritized based on their criticality. 
• The risk assessment team documents the controls that need to be put in place to reduce the identified risks along with action plans for control implementation efforts.
• This methodology does not support the idea of calculating probability or likelihood.
• The criticalities of the risks are determined by the team members' understanding of business processes.
• The goal is to keep the scope of the assessment small and the assessment processes simple to allow for efficiency and cost-effectiveness.

3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 

• Based on the idea that the people working in the environments best understand what is needed and what kind of risks they are facing. 
• The individuals who make up the risk assessment team go through rounds of facilitated workshops. 
• The facilitator helps the team members understand the risk methodology and how to apply it to the vulnerabilities and threats identified within their specific business units. 
• The scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP.
• Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.

4. ISO/IEC 27005 

• Is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS).
• Deals with IT and the softer security issues (documentation, personnel security, training, etc.) 

5. Failure Modes and Effect Analysis (FMEA)

• Is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• Commonly used in product development and operational environments.
• The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. 
