What is to measure? Can you measure security?
Introduction to the O-ISM3 Risk Assessment Method and SpreadSheet. Learn how to model the Business, Model the Information Technology, the dependencies between them, the Threat level, the Protection level, arriving at a Qualitative evaluation of the Risk, using the SpreadSheet Tool.
Every time some designs a new RA method, they face the same problems and degrees of freedom. For threats, they need a Threat Taxonomy, for controls or coutermeasures, a Countermeasure Taxonomy, for the business and the information systems, a Model of the business, and a Model of the information systems, modelled with adequate Scope and Depth. Then you need a way to measure the Threat Likelihood, and the Value of the assets. The resulting method might be correct, and if it is cost effective, it might be even be useful, resulting in savings greater than performing the analysis. In order to be useful, the method should answer questions like:
- What are we learning that we don’t know already? (Non-Banal Analysis)
- What are important threats to the organisation?
- What should I do?
- How safe am I? / How likely is that an incident will happen?
- How much will I lose this year?
- How much should I invest this year?
Unfortunately there are so many degrees of freedom that almost every professional makes up his own method. Because of this multiplicity of methods, it is exceedingly difficult to compare risk between companies, or even between different points in time in the same company.
A hidden assumption of most Risk Assessment methods is the decisions taken when modelling the IT components, and the modelling (if it is performed at all) of the business that relies on the IT infrastructure
One of the first steps for a new ISMS implementation project is finding out what would be the ISMS best suited to the company goals, that the organization can afford. As an incident is an attack, accident or error that prevents a business objective to be met, it is necessary to find out what those business objectives are. Generally speaking the goals of any company are:
- Achieving a vision and mission;
- Continuing to exist;
- Maintaining and growing revenue;
- Attract, maintain and fostering talent;
- Maintaining and growing brand and reputation;
- Complying with internal ethics and social responsibility goals;
- Complying with regulations and contracts;
The more specific we can get, the better design of the ISMS will result. It is possible to add granularity to the analysis of business objectives, using the the following list business functions:
- Governance: Definition of the organisation's goals, steering of the organisation by rules, instruction and challenge rules and instructions.
- Research. Creation of new knowledge in every area of interest to the organisation.
- Advertising. Promotion of the organisation's services and products to potential customers, suppliers and investors.
- Business Intelligence. Maintenance and delivery of knowledge.
- Human Resources. Finding, selecting and procuring, promoting and releasing personnel.
- Information Technology. Finding, filtering and procuring information and communication systems.
- Legal. Claiming legally binding obligations from third parties and fulfilling the organisation's own.
- Relationships. Creating and maintaining trust, association and familiarity with customers, suppliers, and investors.
- Administration. Management of paperwork associated with all business functions..
- Financing / Accounting. Finding, selecting and procuring financial instruments like e.g. money, bonds, etc.
- Infrastructure. Management of real estate, air conditioning, heating, water supply, energy supply, furniture, food supply, waste , recycling , physical access control, etc
- Logistics. Delivery of physical products or services.
- Maintenance. Preventing and repairing faults and the general dilapidation of infrastructure, tools, etc
- Procurement. Finding, comparing, choosing, selecting and procuring information, tools, supplies, assets and professional services.
- Production. Production of products and services.
- Sales: Sale of products or services.
A top down approach (What is the business about?) can deliver superior results than the bottom up approach (How important to the business is this particular IT system? And this one? And this one?)
O-ISM3-RA uses this simplest business model, there many other, sometimes more complicated ways to model a business.
An alternative view of Threats, with a lower level of detail, and therefore more expensive and slower, lead to taxonomies of Threats and Incidents like this:
The Open Group published a guide entitled Optimizing ISO/IEC 27001:2013 using O-ISM3 that will be of interest to organizations interested in taking ISO27001:2013 ISMS to higher maturity levels.
O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives, and spending decisions are driven by (and aligned with) business objectives. We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used in managing information security alongside ISO27001/27002.
This new guide provides specific guidance on this topic. We view this as an important resource, for the following reasons:
- O-ISM3 complements ISO27001/2 by adding the "how" dimension to information security management.
- O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics.
- O-ISM3 provides a framework for continuous improvement of information security processes Some of the specific guidance to be found in the guide include these items:
- Maps O-ISM3 and ISO27001 security objectives.
- Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs.
- Provides a critical linkage between the controls-based approach found in ISO27001, to the process-based approach found in O-ISM3.
If you have interest in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001:2013 using O-ISM3.
In this video we examine how exactly risk decreases with increasing investment, and how this correlates to maturity.