topic Risk Assessment in Tech Talk

Risk Assessment

tanveer — Mon, 10 Feb 2020 08:13:22 GMT

Hi,

i have recently tasked to perform risk assessment of our organization data centre, pls help me how and where to start the process.

Thanks

Re: Risk Assessment

Steve-Wilme — Mon, 10 Feb 2020 09:23:05 GMT

There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start. It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.

It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.

Re: Risk Assessment

tanveer — Mon, 10 Feb 2020 09:34:15 GMT

@Steve-Wilme wrote:
There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start. It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.

It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.

i am in process of building risk register below are the fields. pls suggest is it oK to start with.

risk id	risk description	risk owner	risk cause	likehood	impact	impact type	Inherit risk rating	Residual Risk	recommended mitigation	treatement owner	treatment date
R1	data ceter may go down and availablity can be impacted	DGIT	High surge from Grid	Moderate	VERY HIGH	financial			SURGE ARRESTOR SHOULD BE INSTALLED	MANAGER NEWORK
R2	Authorize staff is unable to manage card access, change authorization levels or verify card holder identity and they can not use any web-based applications. Access control doors and video cameras may lose their connection to the system during a server failure.	DGIT	Access Control Server Failure	LOW	High				cluster software installed on multiple server

Re: Risk Assessment

Steve-Wilme — Mon, 10 Feb 2020 10:40:25 GMT

Fields you'll probably need to capture, but not all will be populated for all risks, given some result from human agency and some for natural causes

Unique Id - unique id for the risk

Data Identified - when was the risk first identified

Threat Source - the source of a threat may be different from the specific actor involved e.g. organised crime

Threat Actor - the actor who causes a threat may be different from the source e.g. malware author hired to target particular firm by organised crime

Threat Description - a description of what the threat is e.g. theft of mobile assets

Inherent Likelihood - description of probability

Inherent Impact Description - stakes that what of impacts

Inherent Impact - states the aggregate cost if the risk is realised

Generic treatment option - avoid, transfer/share, reduce or accept

Current controls - the controls that are currently in place that affect likelihood or impact. Also record the type of control i.e. deter, prevent, detect, response, recovery

Cost of current controls - capture the costs associated with operating the controls

Current Likelihood - in recognition that there will be controls in place

Current Impact - in recognition that there will be controls in place

Target Likelihood - this will relate to if the current level is still above risk appetite

Target Impact - in recognition that there will be controls in place

Treatment plan - actions required to get to target level

Risk Owner - who if the organisation at senior level owns the risk.

Risk Manager - who is implementing the current treatment plan

You may also want to consider how the risks can be structured to avoid duplicates/overlaps.

Re: Risk Assessment

tanveer — Mon, 10 Feb 2020 10:44:14 GMT

Thanks

Re: Risk Assessment

CraginS — Mon, 10 Feb 2020 12:59:38 GMT

@tanveer wrote:
Hi,
i have recently tasked to perform risk assessment of our organization data centre, pls help me how and where to start the process.
Thanks

Tanveer,

Please tells what research you have done on the topic of risk assessment, particularly what resources (books, standards, journals, etc.) you have identified as possible guides. With that information, the members here will be able to give you pros and cons on different frameworks and processes you might be able to use. One framework already identified for you is ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements but there are others that may also be helpful. I suggest you investigate is NIST Special Publication (SP) 800-30 Rev. 1
Guide for Conducting Risk Assessments, and SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. SP 800-30 and 800-37, like all NIST publications, are free.

You will have to invest some money for some of the resources, and time in studying them. Although a few ISO/IEC standards are free, many are not.

Good luck!

Craig

Re: Risk Assessment

csjohnng — Mon, 10 Feb 2020 15:49:09 GMT

@tanveer

Like the other said, there are frameworks to build. like NIST 800-37 RMF, or you can use COBIT 5.

Starting from asset identification, identify key business process, threat modelling and estimating the likelihood and impact, then building risk scenarios and finally those risk scenarios will go to the risk register.

COBIT 5 is from ISACA but if you google COBIT 5 risk scenarios and COBIT 5 risk register, there are many samples on the internet

Re: Risk Assessment

tanveer — Mon, 10 Feb 2020 16:57:38 GMT

should i start to identify asset or identify risk i.e asset based risk assessment or risk based risk assessment,

view the fields which i mentioned in above reply.

Re: Risk Assessment

Caute_cautim — Mon, 10 Feb 2020 18:16:14 GMT

@tanveer The normal process is to actually identify the assets, categorise it - remembering many assets can actually be either tangible i,e. physical or intangible i.e. they can be information or data. Plus see if you can also identify whether the particular assets have an owner or someone who is responsible for them too. It would also be useful to put down where they are located and any other general observations such are they protected physically and by what etc.

This all helps you build up a picture of what, where, how information about the assets themselves.

Regards

Caute_cautim

Re: Risk Assessment

CraginS — Mon, 10 Feb 2020 18:57:18 GMT

@tanveer wrote:
should i start to identify asset or identify risk i.e asset based risk assessment or risk based risk assessment,
view the fields which i mentioned in above reply.

Tanveer,

I fear you are asking for more hand-holding and detailed instruction in the arena of risk management and risk assessment than is appropriate or possible for even wise old (and highly opinionated) folks on this forum .I suggest it is time for you to go read (at least skim for overall familiarity) ISO/IEC 27001, NIST SP 800-30,ISACA COBIT, and the Center for Internet Security (CIS) Top 20 Controls, then come back here when you have specific question based on your knowledge of those important references.

Knowledge of all of those resources is very important grounding for every CISSP, no matter which domain(s) we operate in.

Based on the nature of your own organization, you will have to decide, with internal consultation, which framework to follow and how deep to pursue the assessment details. You can go for two page quick and dirty or large team big book, or anywhere in between.

Good luck!

Craig

p.s. I see your CISSP badge here on the forum is brand new (2/10/2020). I realize that could be the date you joined the forum, but if that is recently earned, congratulations!

Re: Risk Assessment

JoshuaGabriel — Mon, 10 Feb 2020 22:28:41 GMT

The first step is your risk assessment is the asset inventory. Discuss with business owners, services managers to have a first high level view of the assets and proceed further with a business impact analysis of the assets. Once you have this high level view, you can move further to a detailed assessment.

Re: Risk Assessment

csjohnng — Tue, 11 Feb 2020 01:26:30 GMT

@tanveer

Like I am preparing for CRISC Exam domain 1... or answering the MC..

First thing first is to identify asset which support your enterprise's critical business.

if there is no asset, there is no vulnerability and threat and you won't have any risk.

And then you can have a risk based approach on the risk assesment.

Re: Risk Assessment

JoshuaGabriel — Tue, 11 Feb 2020 01:31:59 GMT

Assets are not limited to tangible ones. There are also intangible assets to be taken into account. Your organization cannot have "no assets".

Re: Risk Assessment

AppDefects — Tue, 11 Feb 2020 04:11:45 GMT

A risk assessment of an entire data center. You are going to have a busy year my friend! There are so many parts to consider from physical security of the perimeter all the way down to the application themselves. Where do you plan to start? It is a huge undertaking and understanding the business drivers and the "environmental risks' (e.g., natural hazards, and geo-political) is key to cataloging the right risks against your assets. I see lots of sound advice to align to ISO/IEC 27001 and that is good if you are thinking of eventually certifying the location - that helps win business. The ISO/IEC standard "clauses" will also give you requirements that you can audit to when building out your register.

Re: Risk Assessment

Steve-Wilme — Tue, 11 Feb 2020 09:41:18 GMT

If aiming to certify the organisation or part of its hosting operation it makes sense to adopt an outside in approach to the risk assessment. And by that I mean after clarifying the organisation of security; the senior sponsorship etc, to start with the physical and environmental risks. You can be assessing those and ensuring that there are controls in place without identifying individual systems and owners. Similarly with the personnel security risks/controls. There will be whole categories of risks that are not system specific, so don't get lost down that particular rabbit hole.