Information Security Risk Management (ISRM)
What is Information Security Risk Management (ISRM)?
Information Security Risk Management (ISRM) is the ongoing process of discovering, correcting, and preventing security problems. Risk assessment is an integral part of an organization’s risk management process, designed to provide appropriate levels of security for its information systems and data.
IT enterprise security risk management allows the organization to assess, identify, and modify its overall security posture. It also enables security, operations, organizational management, and other personnel to collaborate and view the entire organization from an attacker’s perspective.
Comprehensive security risk management can also be used to determine the value of the various types of data generated and stored across the organization. Without valuing various types of data, it is nearly impossible to prioritize and allocate technology resources where they are needed most. To accurately assess risk, management must identify the data that is most valuable to the organization, the storage mechanisms of said data, and their associated vulnerabilities.
The two components of ISRM are:
- Risk assessment — The process of combining the information you have gathered about assets and controls to define a risk
- Risk treatment — The actions taken to remediate, mitigate, avoid, accept, transfer, or otherwise manage the risks
Creating an Effective Security Risk Management Program
Defeating cybercriminals and halting internal threats is a challenging process. Bringing data integrity and availability into your enterprise risk management is essential to your employees, customers, and shareholders. Create your risk management process and take strategic steps to make data security a fundamental part of conducting business. In summary, best practices include:
- Implement technology solutions to detect and eradicate threats before data is compromised.
- Establish a security office with accountability.
- Ensure compliance with security policies.
- Make data analysis a collaborative effort between IT and business stakeholders.
- Ensure alerts and reporting are meaningful and effectively routed.
- Conduct a complete IT security assessment and manage enterprise risk to identify vulnerabilities.
- Develop a comprehensive approach to information security.
Information Security Risk Management (ISRM) Approach
To manage risks effectively, organizations should evaluate the likelihood of events that can pose risks to the IT environment and the potential impact of each risk. Here are three criteria for determining whether your organization’s ISRM strategy is effective at improving your security posture:
- It ensures that unacceptable risks are being identified and addressed properly.
- It ensures that money and effort aren’t being wasted on risks that are not significant.
- It gives senior management visibility into the organizational risk profile and risk treatment priorities to support their ability to make strategic decisions.
Stages of Information Security Risk Management (ISRM)
- Identify assets: What data, systems, or other assets would be considered your organization’s “crown jewels”? For example, which assets would have the most significant impact on your organization if their confidentiality, integrity, or availability were compromised? It’s not hard to see why the confidentiality of data like social security numbers and intellectual property is important. But what about integrity? For example, if a business falls under Sarbanes-Oxley (SOX) regulatory requirements, a minor integrity problem in financial reporting data could incur an enormous cost. Or, if an organization is an online music streaming service and the availability of music files is compromised, it could lose subscribers.
- Identify vulnerabilities: What system-level or software vulnerabilities are putting the confidentiality, integrity, and availability of the assets at risk? What weaknesses or deficiencies in organizational processes could result in information being compromised?
- Identify threats: What are some of the potential causes of assets or information becoming compromised? For example, is your organization’s data center located in a region where environmental threats, like tornadoes and floods, are more prevalent? Are industry peers actively targeted and hacked by a known crime syndicate, hacktivist group, or government-sponsored entity? Threat modeling is an important activity that helps add context by tying risks to known threats and the different ways those threats can cause risks to become realized via exploiting vulnerabilities.
- Identify controls: What do you already have in place to protect the identified assets? A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you’ve identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination. A compensating control is a “safety net” control that indirectly addresses a risk. Continuing the example above, a compensating control may be a quarterly access review process. During this review, the application user list is cross-referenced with the company’s user directory and termination lists to find users with unwarranted access, and that unauthorized access is then reactively removed when it’s found.
- Assessment: This is the process of combining the information you’ve gathered about assets, vulnerabilities, and controls to define risk. There are many frameworks and approaches for this. Still, you’ll probably use some variation of this equation:
Risk = (threat × vulnerability (exploit likelihood × exploit impact) × asset value) − security controls
Note: this is a very simplified formula analogy. Calculating probabilistic risks is not nearly this straightforward, much to everyone’s dismay.
- Treatment: Once a risk has been assessed and analyzed, an organization will need to select treatment options:
  - Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
    - Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.
  - Mitigation: Lessening the likelihood and/or impact of the risk but not fixing it entirely.
    - Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
  - Transference: Transferring the risk to another entity so your organization can recover the costs incurred if the risk is realized.
    - Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited. (Note: this should be used to supplement risk remediation and mitigation, not replace them altogether.)
  - Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk cost more than the losses that would be incurred if the risk were realized.
    - Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.
  - Risk avoidance: Removing all exposure to an identified risk.
    - Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS vendor. These servers process and store both sensitive and non-sensitive data. To avoid the risk of compromised sensitive data, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate the non-sensitive data to other servers.
- Communication: Regardless of how risk is treated, the decision needs to be communicated within the organization. Stakeholders must understand the costs of treating or not treating risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the organization to ensure the right people are engaged at the right times in the process.
- Rinse and Repeat: This is an ongoing process. If you chose a treatment plan that requires implementing a control, that control needs to be continuously monitored. You’re likely inserting this control into a system that is changing over time. Ports being opened, code being changed, and any number of other factors could cause your control to break down in the months or years following its initial implementation.
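The quarterly access review described under “Identify controls” is easy to state and easy to get subtly wrong in practice, so here is an added example of it in working code. This is not code from the original article; the application export, directory and termination list are constructed sample data, and their record layouts (a list of usernames, a username-to-status map, a username-to-date map) are assumptions. The example cross-references the three sources, flags terminated, inactive and unknown accounts, and also measures how long a terminated user kept access, which is the number that shows why a quarterly review is only a safety net behind automated deprovisioning.

```python
"""Quarterly access review as a compensating control (added example).

Cross-references an application's exported user list with the company
directory and HR termination list, and reports accounts whose access is
no longer warranted. All input below is constructed sample data and the
record layouts are assumptions, not a real product's export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed sample input: raw export from the application. Exports are
# often inconsistent in case and contain duplicates, so names are
# normalised before being compared with the directory.
APP_USERS = ["Alice", "bob", "carol", "DAVE", "svc_backup", "bob"]

# Constructed sample input: username -> status in the HR-fed directory.
DIRECTORY = {"alice": "active", "bob": "active", "carol": "leave", "dave": "terminated"}

# Constructed sample input: username -> effective termination date from HR.
TERMINATIONS = {"dave": date(2024, 2, 14)}

# Constructed review date (end of the quarter being reviewed).
REVIEW_DATE = date(2024, 3, 31)


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                      # "terminated", "inactive" or "unknown"
    detail: str
    days_exposed: Optional[int] = None  # terminated users: days access outlived employment


def normalise(users: Iterable[str]) -> List[str]:
    """Lower-case, trim and de-duplicate an application user export."""
    return sorted({u.strip().lower() for u in users if u.strip()})


def review_access(app_users: Iterable[str], directory: Dict[str, str],
                  terminations: Dict[str, date], review_date: date) -> List[Finding]:
    """Return one Finding per account that should not have access on review_date.

    Precedence: an effective HR termination wins over any directory status,
    since termination is the authoritative signal that access must go.
    Accounts absent from the directory (typically service accounts) are
    reported as unknown so an owner can be assigned or the account removed.
    """
    findings: List[Finding] = []
    for user in normalise(app_users):
        term = terminations.get(user)
        if term is not None and term <= review_date:
            findings.append(Finding(user, "terminated",
                                    f"terminated on {term.isoformat()}",
                                    (review_date - term).days))
        elif user not in directory:
            findings.append(Finding(user, "unknown", "no matching directory entry"))
        elif directory[user] != "active":
            findings.append(Finding(user, "inactive",
                                    f"directory status is {directory[user]!r}"))
    return findings


def revocation_list(findings: Iterable[Finding]) -> List[str]:
    """Usernames whose access must be removed immediately after the review."""
    return [f.username for f in findings if f.reason == "terminated"]


def worst_exposure(findings: Iterable[Finding]) -> int:
    """Longest window, in days, that a terminated user kept access (0 if none)."""
    return max((f.days_exposed or 0 for f in findings), default=0)


if __name__ == "__main__":
    results = review_access(APP_USERS, DIRECTORY, TERMINATIONS, REVIEW_DATE)
    for f in results:
        print(f"{f.username:12} {f.reason:10} {f.detail}")
    print("revoke now:", revocation_list(results))
    print("worst exposure (days):", worst_exposure(results))
```

Running the review on the sample data flags “dave” as terminated with 46 days of exposure, “carol” as inactive, and “svc_backup” as unknown; “alice” and “bob” pass. The exposure figure is the point of the compensating control discussion: a quarterly review bounds the window at roughly 90 days, while the primary control (automatic removal on termination) closes it to near zero, so the review supplements that control rather than replacing it.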