Information Security Management Systems (ISMS) consist of various interconnected elements. This article aims to serve as a roadmap, leveraging a detailed diagram to unpack the complex relationships between these components. Developing a solid understanding of how these elements interrelate will help you to secure the assets of your organisation more effectively.
Risk Management
Information security management follows a risk based approach.
Establish Context
Before diving into risk identification or analysis, it’s crucial to establish the context in which the organization operates. This involves understanding the internal and external factors that can affect the organization's assets. Establishing context provides a lens through which risks can be identified and evaluated.
Risk Identification
This stage involves identifying what could go wrong, how, and why. Similar to spotting the key players and strategies of an opposing team, risk identification is about recognizing the threat sources, threat events, vulnerabilities, and assets at risk. This provides a comprehensive list of risks that need to be further analyzed.
Risk Analysis
Once the risks are identified, they need to be analyzed to understand their nature, likelihood, and impact. Risk analysis provides a detailed view of each risk, helping the organization to prioritize them. This will help organisations to understand which scenarios are most likely to happen and how damaging they can be if not properly treated.
Risk Evaluation
Risk evaluation involves comparing the analyzed risks against pre-defined criteria to decide which risks need to be treated. This can be thought of as deciding which opponent's plays need the most defensive focus. The evaluation helps in allocating resources more effectively by focusing on the most critical risks.
Risk Treatment
This stage involves selecting one or more options for modifying the risks and implementing those options. Risk treatment can involve risk avoidance, risk modification, risk sharing, or risk retention. Please note that the impact of risks can not be mitigated to zero. There will always be a residual risk, unless it can be completely avoided.
Risk Monitoring
Last but not least, risks need to be continuously monitored and reviewed to assess the effectiveness of the risk management process and to identify any changes in the risk landscape. This is the equivalent of making game-time adjustments based on how well the initial strategy is working.
Threat Sources: The Starting Point
According to the National Institute of Standards and Technology (NIST), Threat Sources are defined as the origin of adverse events that could potentially harm an organization's assets and operations. These sources can be intentional or unintentional and can come from a variety of places such as nature, individuals, or organizations.
NIST categorizes Threat Sources into two main types:
Adversarial: These are intentional actions taken by individuals, groups, or organizations with the motive of causing harm or exploiting vulnerabilities. Adversarial threats include hackers, terrorists, insider threats, and even competitors.
Non-Adversarial: These are unintentional actions or natural events that could potentially harm an organization but lack a targeted intent. Examples include natural disasters like floods or earthquakes, accidental data deletion by an employee, or system failures due to a bug.
By understanding the nature and types of Threat Sources as defined by NIST, organizations can better prepare for, and mitigate, various risks that may affect them.
From Threat Sources to Threat Events
Threat Sources impose Threat Events, which are specific actions or incidents that can potentially harm your organization. For example, a hacker (Threat Source) might attempt to break into your network (Threat Event).
Vulnerabilities: The Weak Spots
Vulnerabilities are the weak spots in your system where Threat Events can sneak in. These could be outdated software, weak passwords, or even a staff member who's not trained in security protocols.
Supporting Assets
Vulnerabilities often expose Supporting Assets, which are the various components of your system that aren't core to your business but are still important. These can include:
Hardware: Servers, computers
Software: Applications, databases
Network: Internet connection, firewalls
Personnel: Employees, contractors
Sites: Physical locations like offices or data centers
Primary Assets
Primary Assets are what your business absolutely needs to function. These can be your main business processes or crucial pieces of information. Supporting Assets enable these Primary Assets to function. For example, your network (Supporting Asset) enables your online sales platform (Primary Asset).
The Chain Reaction: Security Events and Incidents
When a Threat Event exploits a vulnerability, it causes a Security Event. Not all Security Events are disastrous; some might be easily contained or harmless. However, when a Security Event has a significant negative impact, it is classified as a Security Incident. These incidents can compromise your operations and, ultimately, your Primary Assets.
Implementing Controls Through Risk Treatment
Once you've identified your Threat Sources, analyzed your vulnerabilities, and assessed your risks, the next step is to implement controls to manage these risks effectively. In the realm of information security, controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Types of Controls Based on Risk Treatment
Controls are generally determined during the Risk Treatment phase and can be categorized into three main types:
Preventive Controls: These are measures designed to prevent an unwanted or unauthorized activity from occurring. They act as the first line of defense in risk mitigation. For instance, strong user authentication can prevent unauthorized access.
Detective Controls: These controls are aimed at detecting and alerting when an unauthorized or unwanted activity occurs. They don’t prevent an action but can trigger an alert or initiate corrective measures. An example would be intrusion detection systems that notify administrators about suspicious activities.
Corrective Controls: These come into play after a threat event has occurred, aiming to minimize the impact and bring the system back to its secure state. Data backups and system recovery plans are examples of corrective controls.
In the next article we are going to explore how an effective documentation library, consisting of policies, standards, procedures and guidelines works.