bcs-ismp-bk-en-GB March 30, 2010 - 08:51 44
Information Security Management Principles
Calculating the overall risk
When we wish to assess the degree of risk for an information asset, we must
take all the above factors into account. We must identify as many threats or
hazards as possible, and for each one try to estimate the potential impact of
the threat or hazard occurring. Finally, we must identify any vulnerabilities
associated with the asset which will lead us to an assessment of the likelihood
or probability that the threat might be carried out.
The first stage of this is called a business impact analysis (BIA) in which we
decide what the impact on one or more business assets would be for each
threat. Once we have completed that, we assess the likelihood or probability
that vulnerabilities might be exploited, allowing the threats to be realised.
From these two, we can draw a risk matrix which plots impact against
likelihood, and gives us a formal risk assessment. This will be discussed in
greater detail in the next section of this chapter.
Ms Jackson, the chairperson, has been reminded that all GANT’s information
is held on a single computer system which was recently compromised by a
teenage hacker. GANT has no backup of the information and no suitable
paper documentation from which to easily recreate their records.
She has realised that all GANT’s information is highly vulnerable and has
asked you to assess the consequences of loss or failure of this computer.
Activity 2.1
Looking at the records and information held by GANT, perform a business impact analysis based on the loss of their main computer system.
Some possible threats to consider are loss of:
membership details;
Natterjack toad breeding ground details;
financial records.
Solution pointers for the activities can be found at the end of the chapter.
RISK MANAGEMENT
LEARNING OUTCOMES
Following study in this area candidates should be able to understand the
overall process of risk management, and the appropriate use of controls to
enable them to manage risk in a cost-effective and appropriate manner for
their organisation.
Information Risk
Risk management process
Risk management consists of four distinct areas: identification of the threats;
impact analysis and risk assessment; treatment of the risks; ongoing monitoring
of the results. Risk assessments may take place at a number of levels,
for example across a corporation, a business system or process or a physical
location. While these are somewhat different types of risk assessment, the
way in which they are conducted and the way in which the results will be
used are essentially the same.
This process can be represented as shown in Figure 2.1.
Figure 2.1 The risk management life cycle
Identification
One way of beginning a risk management exercise is to identify the threats.
This should be carried out in conjunction with the understanding of any
known vulnerabilities. For example if the assessment is looking at the threat
of possible hacking attacks on a web server, operating system and web server
software vulnerabilities should be considered.
Sometimes this will result in the identification of more than one
threat while, at other times, it will become clear that a number of
different vulnerabilities will all be covered by a single threat.
Once each threat has been identified (often more will appear
during the process of the work), each one should be considered
in the light of its impact on the asset concerned. In the web server
example, the threat of a hacker gaining control of the server could
potentially result in loss of service (perhaps the failure of an
e-commerce facility), loss of customer data, defacement of the web
pages and so on, all of which would have a high impact on the
company’s profitability.
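The risk matrix described earlier in the chapter (impact plotted against likelihood) and the threat identification step above can be worked through in a few lines of code. The following is an added example, not code from the book or from BCS: it takes a constructed set of threats based on the web server and single-computer scenarios in the text, scores each as impact multiplied by likelihood, lays them out on a matrix, ranks them into a register for the treatment step, and shows how a control that lowers likelihood or impact changes the residual risk. The five-point scales, the level thresholds and every rating in the sample data are assumptions chosen for illustration; the book does not prescribe them.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Five-point ordinal scales. The labels are an assumption for this example;
# an organisation would define its own scales as part of its methodology.
IMPACT_SCALE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
LIKELIHOOD_SCALE = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}


@dataclass(frozen=True)
class Risk:
    """One line of the risk register: a threat to an asset via a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    impact: int      # 1..5, from the business impact analysis
    likelihood: int  # 1..5, from assessing how exploitable the vulnerability is

    def __post_init__(self) -> None:
        if self.impact not in IMPACT_SCALE or self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError("impact and likelihood must be integers in the range 1..5")

    @property
    def score(self) -> int:
        # Impact x likelihood: the usual way to read a cell of the risk matrix.
        return self.impact * self.likelihood


def risk_level(score: int) -> str:
    """Map a score to a level. The thresholds are an assumption for this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group threats by (impact, likelihood) cell so they can be plotted on the matrix."""
    grid: Dict[Tuple[int, int], List[str]] = {
        (i, l): [] for i in IMPACT_SCALE for l in LIKELIHOOD_SCALE
    }
    for r in risks:
        grid[(r.impact, r.likelihood)].append(r.threat)
    return grid


def render_matrix(risks: List[Risk]) -> str:
    """Text rendering: rows are impact (severe at the top), columns are likelihood."""
    grid = risk_matrix(risks)
    lines = ["Impact \\ Likelihood | " + " | ".join(str(l) for l in LIKELIHOOD_SCALE)]
    for i in sorted(IMPACT_SCALE, reverse=True):
        cells = [str(len(grid[(i, l)])) for l in LIKELIHOOD_SCALE]
        lines.append(f"{i} {IMPACT_SCALE[i]:<11}        | " + " | ".join(cells))
    return "\n".join(lines)


def risk_register(risks: List[Risk]) -> List[Risk]:
    """Highest risk first; ties broken by impact so severe outcomes are treated first."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def treat(risk: Risk, new_impact: Optional[int] = None,
          new_likelihood: Optional[int] = None) -> Risk:
    """Residual risk after a control: e.g. backups lower impact, patching lowers likelihood."""
    return replace(
        risk,
        impact=risk.impact if new_impact is None else new_impact,
        likelihood=risk.likelihood if new_likelihood is None else new_likelihood,
    )


# Constructed sample data drawn from the scenarios in the text; all ratings are assumptions.
SAMPLE_RISKS = [
    Risk("Web server", "Attacker gains control of the server: e-commerce service lost",
         "Unpatched web server software", impact=5, likelihood=4),
    Risk("Web server", "Attacker gains control of the server: customer data disclosed",
         "Unpatched operating system", impact=5, likelihood=4),
    Risk("Web server", "Web pages defaced",
         "Weak administrative password", impact=3, likelihood=3),
    Risk("Membership records", "Single computer fails and records cannot be recreated",
         "No backup copy exists", impact=4, likelihood=3),
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS))
    for r in risk_register(SAMPLE_RISKS):
        print(f"{r.score:>2} {risk_level(r.score):<6} {r.asset}: {r.threat}")
    residual = treat(SAMPLE_RISKS[3], new_impact=1)  # nightly backups, records recoverable
    print("After backups:", residual.score, risk_level(residual.score))
```

Two of the sample rows share one threat (an attacker taking control of the server) but record different consequences, which is the situation the text describes where a single threat produces several impacts; keeping them as separate register lines lets each consequence be treated on its own.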
An alternative approach might be to start with a list of the assets
that need to be protected and then to determine the threats to