By: Sourabh Kishore, Chief Consulting Officer
IT and Information Risk Management and Business Impact Analysis at Corporate and Enterprise Levels: The Opportunities for Academic Dissertations and Thesis Projects
Copyright 2010 EPROINDIA. All Rights Reserved
I hereby discuss the Information Risk Management and Business Impact Analysis framework from the perspective of the latest standard, ISO 27005:2008, which is based on the ISO 27001:2005 and ISO 27002:2008 controls. ISO 27005:2008 is the formal replacement of ISO 13335-3 and ISO 13335-4:2000; it essentially recommends a 100% metrics-based evaluation, using quantitative techniques, of all the risk assessment steps described in ISO 13335-3. The standard treats Risk Management, Configuration Management and Change Management as one integrated framework for delivering IT security in an organization. The risk management framework it recommends can be viewed as a "concentric spheres" model with the information assets at the core, as shown in the figure below. The model originated in ISO 13335-3: it represents an environment of continuously changing threats, which shifts the organization's risk baselines (the residual, acceptable risk levels) and therefore requires periodic assessment of the effectiveness of controls, so that external threats cannot exploit vulnerabilities to affect the information assets.
Figure Description: Concentric Spheres Model of Risk Management Framework (LEFT) and the Relationships Among Various Attributes of the Information
Risk Management Framework (RIGHT) (Source: ISO 27005 conceptual framework)
The relationships in risk management that arise from this environment of threats and resulting risks, as defined by the ISO 27005 framework, are presented in the figure above. A close look at the figure reveals that every parameter can be assigned a metric value that can be measured objectively within a given environment. The interrelationships of these parameters form a matrix-like structure in which the metrics of the parameters are related to, and hence constrain, each other. For example, a high asset value and a high impact combined with a low probability may lead to a lower threat value and hence a lower risk value; in spite of the high asset value and high impact, risk treatment may therefore not be urgent for that asset. A typical example is the impact of flooding on a Data Centre on the top floor of a building that is many miles from a river and whose water storage tank is located a few hundred metres from the base of the building. A threat analysis coupled with the history of flooding may give a very low probability of flooding, and the resulting risk value may fall below the residual risk threshold. Now imagine that the building authorities decide to install an overhead water tank on the roof. The probability of an impact on the asset may suddenly shoot up, pushing the risk value beyond the threshold, and the asset owner must now treat the risk urgently to bring it back below the threshold to the residual level. This is the magic of metrics-based risk assessment as defined in ISO 27005: a variation in a single metric leads to a variation in the risk value and thus changes the risk management team's perspective on the asset. The standard therefore recommends a metrics-based relationship analysis of all parameters against every information asset identified in the organization. These analytics require the risk management team to maintain various databases so that the metrics analysis can be revisited periodically; additions to the related databases may produce variations that demand a change in perspective on the identified risks. The databases required to manage this relationship model effectively are presented in the figure above.
I hereby argue that ISO 27005 is the future of Information Risk Management. Whichever organization is able to establish these relationships correctly will save a lot of time and effort in managing information risks, and will also be able to achieve employee satisfaction, because the framework ensures broad participation by employees without requiring them to be specialists in the IRM domain. This, however, is still a hypothesis and requires the efforts of academic researchers to be converted into an empirical theory. Although a number of academic research studies have been conducted in these areas, they are largely inadequate because the areas have evolved and grown many times faster than the pace of research by academicians and students. I suggest that students should undertake new topics for dissertations and theses in these areas, given that a lot remains unaddressed by the academic community in the fields of Information Security Risk Management and Business Impact Analysis and Management.
Now, let us discuss the process in detail. Information Assets are critical to the success of modern IT-enabled businesses. In the modern world, information assets are exposed to threats that have emerged as major IT security challenges. The threats to information assets result in "Risks" with a potential impact on the business, and the potential damage from an impact determines the "Criticality" of the Risk. The key to the Information and IT Security of an organization is to know the assets, to know the threats to the assets, to assess the probability and the impacts on the business, to measure the associated risks accurately, and finally to establish appropriate mitigation strategies to reduce, avoid or transfer the risks. I recommend that Information Risk Management should be an integral part of an organization's corporate governance, so that adequate executive attention to the risks and the corresponding Information and IT security controls can be secured and mitigation strategies formulated. In many countries, it is legally required to implement appropriate IT Security if the organization manages critical public systems or data.
To manage Information Risks it is mandatory to know ALL the critical information assets of the organization. Every system that creates, processes, transfers or stores information is an information asset: files and folders, databases, hard-copy storage areas, desktops, laptops, shared network resources, employees' drawers and lockers, or the employees' own memory (tacit knowledge). The primary requirement of Risk Management is an "Information Asset Register", a secured database that is updated regularly whenever assets are added, modified or deleted. Every organization can have its own definitions of the "Confidentiality", "Integrity" and "Availability" parameters of an Information Asset. These parameters should translate into metrics assigned to EVERY critical information asset identified in the Information Asset Register. The outcome is an "Asset Value" tagged against every asset entered in the Asset Register.
The next step is to assess the "Threat Value" through an in-depth analysis of the possible causes, the impact value (a function of multiple impacts such as financial or reputational impact) and the probability of an impact. Every organization can have its own parameters for calculating the Threat Value, because it depends largely on the exposure factors (legal, competitive, environmental, etc.) that the organization faces or may face in future.
The subsequent step is to assess the "Loss Event Value", a function of the possible asset-compromising events that the organization can face. Again, every organization can have its own loss event descriptions and assessment methodology; these are normally categorised under the known vulnerabilities in the organization.
The final step is to arrive at the "Risk Value", a function of the Asset Value, the Threat Value and the Loss Event Value. The Risk Value can be calculated differently in different organizations depending on how many levels of escalation are feasible within the organization. Information Assets with high Risk Values have high "Vulnerabilities", and hence appropriate controls need to be applied urgently.
Business Impact Analysis is the next step after completion of the Risk Assessment. The Risk Assessment process ensures that all the Information Assets of the organization are identified and their corresponding "Risk Values" assessed.
The scale of Risk Values can be defined according to the number of escalation levels feasible within an organization. A large organization may prefer a larger scale of Risk Values, giving more levels of escalation so that minor risks are not unnecessarily escalated to senior levels. A small organization, however, may prefer a smaller scale of Risk Values so that risks are more visible to senior/top management.
At every level of Risk, a mitigation strategy is mandatory. The mitigation strategy may include extra investment or extra precautions depending on the potential Business Impact of the risk. Some organizations may choose to accept Risks up to a certain level because the cost of mitigating the risk is higher than the business impact. For example, an organization may accept risks causing a financial impact of up to $500,000 because the cost of mitigation may exceed this value. Such decisions are possible only after a thorough "Business Impact Analysis" in round-table discussions at the top management/board level. Note that business impacts are different from the asset impacts analysed during the risk assessment: business impact analytics are applied to the entire business, not only to the information assets. These decisions are critical to ensure that an accurate investment plan can be approved, so that the organization neither over-invests in areas of low criticality nor under-invests in areas of high criticality.
The Business Impact Analysis should result in a list of Mitigation Actions to be taken. Whenever an action is completed, the Risk Value can be "Normalized" to a lower value so that the impact is within acceptable limits. Examples of mitigation actions are: addition of CCTV surveillance; better verification of visitors; restricting visitors to visitor rooms where CCTV cameras and microphones are installed; thorough analysis of surveillance data by security experts; offsite data storage; transport of backup tapes only in secured metal boxes via bonded couriers; a backup system that encrypts data before writing it to tape; addition of clustering, fail-over, etc. to single-server installations; and so on.
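The four assessment steps above (Asset Value, Threat Value, Loss Event Value, Risk Value), the escalation scale and the normalization of a Risk Value after a completed mitigation action, worked through in Python as an added example that is not part of the article. The CIA scale, the product formula, the escalation ceilings and the figures for the data-centre flooding case are all assumed for illustration and are not taken from ISO 27005.

```python
# Added example, not from the article or ISO 27005. Assumed scales: CIA metrics 1..5,
# impact and loss-event values 0..1, probability 0..1, Risk Value 0..100.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int


def asset_value(asset: Asset) -> int:
    """Asset Value: the highest CIA metric (assumed convention; a weighted sum also works)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def threat_value(impact: float, probability: float) -> float:
    """Threat Value: impact of a compromise scaled by how likely it is to occur."""
    return impact * probability


def risk_value(asset: Asset, impact: float, probability: float, loss_event: float) -> float:
    """Risk Value (0..100) as a function of Asset, Threat and Loss Event values."""
    return asset_value(asset) / 5 * threat_value(impact, probability) * loss_event * 100


# Escalation scale (assumed): Risk Values at or below ACCEPTABLE are residual and need no
# treatment; above it, the first ceiling reached decides who must treat the risk.
ACCEPTABLE = 10.0
ESCALATION = [(20.0, "asset owner"), (50.0, "IT security manager"), (100.0, "board")]


def escalation_level(risk: float) -> str:
    if risk <= ACCEPTABLE:
        return "accepted (residual)"
    for ceiling, level in ESCALATION:
        if risk <= ceiling:
            return level
    return ESCALATION[-1][1]


def normalize(risk: float, reduction: float) -> float:
    """Normalize a Risk Value once a completed mitigation action has cut exposure by `reduction`."""
    return risk * (1.0 - reduction)


def flooding_scenario() -> dict:
    """The article's data-centre flooding case: only the probability metric changes."""
    dc = Asset("data centre", confidentiality=4, integrity=4, availability=5)
    before = risk_value(dc, impact=0.9, probability=0.01, loss_event=0.8)  # far from any river
    after = risk_value(dc, impact=0.9, probability=0.30, loss_event=0.8)  # water tank on the roof
    treated = normalize(after, reduction=0.6)  # e.g. leak detection and relocating the racks
    return {"before": (before, escalation_level(before)),
            "after": (after, escalation_level(after)),
            "treated": (treated, escalation_level(treated))}
```

The same asset moves from accepted residual risk to a risk that the IT security manager must treat purely because one probability metric changed, and drops back below the threshold once the mitigation action is normalized into the register.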
Although such mitigation actions can always be taken to reduce Risk Values, a sounder approach to keeping Risk Values under control is a sound Information Security Management System (ISMS) within the organization, supported by a Disaster Recovery Strategy, Business Continuity Planning, and Service Support and Service Delivery processes.
Electronic Publishing and Research Organisation India (EPROINDIA) - formerly the ePublishing and research division of ETCO India