IT risk

Information technology risk, or IT risk, IT-related risk, is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Assessing the probability of likelihood of various types of event/incident with their predicted impacts or consequences should they occur is a common way to assess and measure IT risks.[1] Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the threats, vulnerabilities, exposures, and asset values.

Definitions of IT risk

ISO

IT risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.[2]

Committee on National Security Systems

The Committee on National Security Systems of United States of America defined risk in different documents:

National Information Assurance Training and Education Center defines risk in the IT field as:[5]

  1. The loss potential that exists as the result of threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces the risk.
  2. The uncertainty of loss expressed in terms of probability of such loss.
  3. The probability that a hostile entity will successfully exploit a particular telecommunications or COMSEC system for intelligence purposes; its factors are threat and vulnerability.
  4. A combination of the likelihood that a threat shall occur, the likelihood that a threat occurrence shall result in an adverse impact, and the severity of the resulting adverse impact.
  5. the probability that a particular threat will exploit a particular vulnerability of the system.

NIST

Many NIST publications define risk in IT context in different publications: FISMApedia[6] term[7] provide a list. Between them:

NIST SP 800-30[8] defines:

IT-related risk
The net mission impact considering:
  1. the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and
  2. the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
    2. Unintentional errors and omissions
    3. IT disruptions due to natural or man-made disasters
    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Risk management insight

IT risk is the probable frequency and probable magnitude of future loss.[10]

ISACA

ISACA published the Risk IT Framework in order to provides an end-to-end, comprehensive view of all risks related to the use of IT. There,[11] IT risk is defined as:

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

According to Risk IT,[11] IT risk has a broader meaning: it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact

Measuring IT risk

You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined.[10][12]

It is useful to introduce related terms, to properly measure IT risk.

Information security event
An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.[2]
Occurrence of a particular set of circumstances[13]
  • The event can be certain or uncertain.
  • The event can be a single occurrence or a series of occurrences. :(ISO/IEC Guide 73)
Information security incident
is indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security[2]
An event [G.11] that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.[14]
Impact[15]
The result of an unwanted incident [G.17].(ISO/IEC PDTR 13335-1)
Consequence[16]
Outcome of an event [G.11]
  • There can be more than one consequence from one event.
  • Consequences can range from positive to negative.
  • Consequences can be expressed qualitatively or quantitatively (ISO/IEC Guide 73)

The risk R is the product of the likelihood L of a security incident occurring times the impact I that will be incurred to the organization due to the incident, that is:[17]

R = L × I

The likelihood of a security incident occurrence is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.

The consequence of the occurrence of a security incident are a function of likely impact that the incident will have on the organization as a result of the harm the organization assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.

So R can be function of four factors:

If numerical values (money for impact and probabilities for the other factors), the risk can be expressed in monetary terms and compared to the cost of countermeasures and the residual risk after applying the security control. It is not always practical to express this values, so in the first step of risk evaluation, risk are graded dimensionless in three or five steps scales.

OWASP proposes a practical risk measurement guideline[17] based on:

Overall Risk Severity
Impact HIGH Medium High Critical
MEDIUM Low Medium High
LOW None Low Medium
  LOW MEDIUM HIGH
  Likelihood

IT risk management

Risk Management Elements
Main article: IT risk management

IT risk management can be considered a component of a wider enterprise risk management system.[18](faisal)

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.[19]

Different methodologies have been proposed to manage IT risks, each of them divided in processes and steps.[20]

The Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT Governance, provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."[21]

IT risk laws and regulations

In the following a brief description of applicable rules organized by source.[22]

United Nations

United Nations issued the following:

OECD

OECD issued the following:

European Union

The European Union issued the following, divided by topic:

Council of Europe

USA

United States issued the following, divided by topic:

Standards organizations and standards

Short description of standards

The list is chiefly based on:[22]

ISO

BSI

Information Security Forum

See also

References

  1. "Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007)
  2. 1 2 3 ISO/IEC, "Information technology -- Security techniques-Information security risk management" ISO/IEC FIDIS 27005:2008
  3. CNSS Instruction No. 4009 dated 26 April 2010
  4. National Information Assurance Certification and Accreditation Process (NIACAP) by National Security Telecommunications and Information Systems Security Committee
  5. "Glossary of Terms". Retrieved 23 May 2016.
  6. a wiki project devoted to FISMA
  7. FISMApedia Risk term
  8. 1 2 NIST SP 800-30 Risk Management Guide for Information Technology Systems
  9. FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems
  10. 1 2 FAIR: Factor Analysis for Information Risks
  11. 1 2 ISACA THE RISK IT FRAMEWORK ISBN 978-1-60420-111-6 (registration required)
  12. Technical Standard Risk Taxonomy ISBN 1-931624-77-1 Document Number: C081 Published by The Open Group, January 2009.
  13. "Glossary". Retrieved 23 May 2016.
  14. "Glossary". Retrieved 23 May 2016.
  15. "Glossary". Retrieved 23 May 2016.
  16. "Glossary". Retrieved 23 May 2016.
  17. 1 2 "OWASP Risk Rating Methodology". Retrieved 23 May 2016.
  18. ISACA THE RISK IT FRAMEWORK (registration required)
  19. Enisa Risk management, Risk assessment inventory, page 46
  20. Katsicas, Sokratis K. (2009). "35". In Vacca, John. Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 605. ISBN 978-0-12-374354-1.
  21. ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85. ISBN 1-933284-15-3. External link in |publisher= (help)
  22. 1 2 Risk Management / Risk Assessment in European regulation, international guidelines and codes of practice Conducted by the Technical Department of ENISA Section Risk Management in cooperation with: Prof. J. Dumortier and Hans Graux www.lawfort.be June 2007
This article is issued from Wikipedia - version of the 9/10/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.