Information Risk Assessment Process Overview
For a full breakdown of the methodology within Abriska, please refer to the Information Security Methodology. To undertake an ISO 27001:2013 compliant risk assessment within Abriska, the following phases must be completed:
Identify Information and Information Processing Facilities
- Identify information and supporting resources / information processing facilities
- Relate information to supporting resources so that, once attributes have been assigned to information, they are inherited by the linked supporting resources. How this is done is explained here
- For each information resource, assign attribute values for confidentiality, integrity and availability. This is done from the Resources screen by updating the 'Resource Attribute' (the attribute descriptions are default values but can be amended as required from Organisation > Org. Setup > Resource Attributes)
Identify and Evaluate the Threats and Vulnerabilities
- First, the entity that relates to the scope of the risk assessment needs to be created and set up in Abriska. Once it is set up, the resources should be associated with the entity.
- Once the resources are selected, a 'Default Threats' option appears. Selecting it links threats to the entity based on the resource types that have been selected as being within scope.
- The list of linked threats may include some that are not appropriate to the type of risk assessment being completed. From the list presented when selecting the ‘View Applicable Threats’ option from the entity workflow, those that are not appropriate to the scope and type of risk assessment can be deselected. To do this, select the threat and uncheck the ‘Applicable’ checkbox. Text should also be entered in the ‘Justification’ box to support the deselection.
- There are three components to a risk assessment, applied to every threat/resource combination. By default these are impact, probability and vulnerability (however, this terminology and methodology can be customised by the organisation).
- Vulnerability: threats are linked by default to controls, which are used to calculate the resulting vulnerability score.
- Impact: the consequence of each threat must be evaluated to determine how it affects confidentiality, integrity and availability. A total score of 100 must be shared between these three attributes.
- Probability: The criteria to be used in the assessment are included in Abriska, but can be changed if required. The threat probability should be assessed ignoring any controls that are in place as far as possible (the effect of controls is taken into account in the vulnerability score, so would be ‘double counted’ if taken into account at this stage).
- Finally, additional specific vulnerabilities can be added on the ‘Identify Vulnerabilities’ screen in the entity workflow. There is a library of vulnerabilities to choose from, or a new one can be added.
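As an added illustration (not Abriska's own code), the following Python sketch models two of the data rules described above: C/I/A attribute values assigned to information are inherited by the linked supporting resources, and a threat's impact score must be split across confidentiality, integrity and availability to total 100. The inheritance rule (a supporting resource takes the highest value of each attribute across the information it supports), the 1-to-5 attribute scale and the sample resources are assumptions made for this example, not taken from the product.

```python
from dataclasses import dataclass, field

ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass
class Information:
    """An information resource with C/I/A values on the organisation's scale
    (assumed here to be 1..5; the scale itself is not defined on this page)."""
    name: str
    attributes: dict


@dataclass
class SupportingResource:
    """A supporting resource / information processing facility linked to the
    information it holds; it does not carry its own C/I/A values."""
    name: str
    linked_information: list = field(default_factory=list)

    def inherited_attributes(self) -> dict:
        # Assumption: inherit the worst case (highest value) of each attribute
        # across all linked information items.
        if not self.linked_information:
            raise ValueError(f"{self.name} is not linked to any information")
        return {a: max(i.attributes[a] for i in self.linked_information)
                for a in ATTRIBUTES}


def validate_impact_split(impact: dict) -> bool:
    """A threat's impact must be shared between C, I and A and total exactly 100."""
    if set(impact) != set(ATTRIBUTES):
        return False
    if any(v < 0 for v in impact.values()):
        return False
    return sum(impact.values()) == 100


def demo() -> dict:
    # Constructed sample data: two information items on one file server.
    payroll = Information("Payroll records",
                          {"confidentiality": 5, "integrity": 4, "availability": 2})
    intranet = Information("Intranet news",
                           {"confidentiality": 1, "integrity": 2, "availability": 3})
    file_server = SupportingResource("File server", [payroll, intranet])
    return file_server.inherited_attributes()
```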
Identify and Evaluate the Controls
- Within Abriska, control maturity can be assessed for each Division that has been created within an organisation. However, by default all divisions below the top-level division inherit the maturity of controls from the top-level division unless the organisation decides otherwise.
- Control maturity inheritance or assigning to a lower level division is outlined separately in this guide.
- The first task when considering controls is to determine which controls are applicable and to identify appropriate owners for them.
- It is then necessary to assess the maturity of the applicable controls, which is done from Control Maturity Assessment > Control Maturity Overview.
- For each control, assign a maturity level by selecting the appropriate radio button on the control’s page. A description must be entered of how the control is implemented, and this description should support the assigned maturity level.
- In addition, a Recommended Improvement must also be entered. If the control maturity is acceptable at its current level, this should be reflected by selecting the current level as the recommended level with the appropriate radio button.
- The ‘Documents’ tab on the control screen provides the facility to attach any relevant documents that are referred to in the current level description, e.g. policy documents. Adding documents is explained in the Organisation Setup section of this user guide.