General guidelines regarding risk management used by CASES are taken from the ISO/IEC 27005 standard, part of the ISO/IEC 27000 family of standards. ISO/IEC 27001 governs the implementation of an information security management system which must include a risk management procedure. Risk management is the approach specified in ISO/IEC 27001 which forms the basis of the security policy for the organisation concerned.
The diagram below outlines the risk management process.
To produce a risk analysis, first specify the basic criteria (risk assessment, impact, acceptance of risks, availability of resources, etc.), then define the objective and the scope of the analysis. The definition of the context describes the environment and the subject of the risk management process.
The risk assessment criteria include:
For a registration service, for example, the confidentiality criterion is less important than the integrity criterion. In certain business lines, some risks must be avoided at all costs. In others, some assets must be protected at all costs. These contextual values are defined during the assessment phase. They must be applied throughout the whole risk analysis.
The basic criteria must also be determined:
Then, the organisation of the risk analysis must be defined:
The purpose of risk identification is to determine the causes of impacts and understand how, where, and why this damage can occur. This is the preparation phase for the risk estimation itself. It proceeds as follows:
As a result, it is possible to draw up a list of assets which require risk management.
Risk estimation is comprised of several phases:
It involves calculating a value, in other words an approximate level for each identified risk, using a method that guarantees repeatability, by estimating the impacts as well as the likelihood of occurrence. (For example, an approximate impact on a qualitative scale is multiplied by the likelihood of occurrence on a qualitative scale to obtain the risk estimate.)
Asset ID | Asset name | Asset type | Imp. level | Threat | Threat name | Threat level | Vulnerability | Vulnerability name | Vuln. level | Risk level | Comment |
---|---|---|---|---|---|---|---|---|---|---|---|
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V001 | No emergency plan (evacuation, possible DRP, etc.) | 2 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 2 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V003 | No fire-fighting means (extinguishers, sprinklers, gas, etc.) | 2 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V007 | Flood-prone area (river, valley, historic flooding, etc.) | 2 | 8 | |
During this stage, you will need to use the knowledge of the risk obtained from the risk analysis, and also take the entity’s contractual, legal and regulatory obligations into consideration. The estimated risks are prioritised in order of importance, based on the decisions made when defining the context of the risk analysis.
Asset ID | Asset name | Asset type | Imp. level | Threat | Threat name | Threat level | Vulnerability | Vulnerability name | Vuln. level | Risk level | Comment |
---|---|---|---|---|---|---|---|---|---|---|---|
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V001 | No emergency plan (evacuation, possible DRP, etc.) | 2 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 2 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V003 | No fire-fighting means (extinguishers, sprinklers, gas, etc.) | 2 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 4 | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V007 | Flood-prone area (river, valley, historic flooding, etc.) | 2 | 8 | |
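The estimation and evaluation steps above can be made repeatable in code. The following is an added example, not part of the CASES page or its method: it loads the register rows from the example table, computes a risk level per (asset, threat, vulnerability) triple, then ranks the entries and flags those above an acceptance threshold. The product formula (impact level x threat level x vulnerability level) is an assumption inferred from the table's values, and the threshold of 4 is an assumed organisational criterion, not one the page states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register: an asset, a threat and a vulnerability."""
    asset_id: str
    asset_name: str
    impact: int          # impact level of the asset (qualitative scale)
    threat_id: str
    threat_name: str
    threat_level: int    # likelihood that the threat materialises
    vuln_id: str
    vuln_name: str
    vuln_level: int      # how exposed the asset is to that threat

    def risk_level(self) -> int:
        # Assumption: risk = impact x threat level x vulnerability level.
        # This reproduces every "Risk level" value in the example table.
        return self.impact * self.threat_level * self.vuln_level


# Register rows transcribed from the CASES example table (constructed data).
REGISTER = [
    RiskEntry("ASB01", "Admin. premises", 2, "ME11", "Fire", 1,
              "V001", "No emergency plan", 2),
    RiskEntry("ASB01", "Admin. premises", 2, "ME11", "Fire", 1,
              "V002", "Dilapidated buildings", 1),
    RiskEntry("ASB01", "Admin. premises", 2, "ME11", "Fire", 1,
              "V003", "No fire-fighting means", 2),
    RiskEntry("ASB01", "Admin. premises", 2, "ME12", "Water damage or flood-prone area", 2,
              "V002", "Dilapidated buildings", 1),
    RiskEntry("ASB01", "Admin. premises", 2, "ME12", "Water damage or flood-prone area", 2,
              "V007", "Flood-prone area", 2),
]


def estimate(register):
    """Risk estimation: a repeatable level for every (asset, threat, vulnerability)."""
    return {(e.asset_id, e.threat_id, e.vuln_id): e.risk_level() for e in register}


def evaluate(register, acceptance_threshold):
    """Risk evaluation: prioritise entries and flag those the entity may not
    simply retain. Returns (asset, threat, vulnerability, level, needs_treatment)
    tuples ordered from highest to lowest risk; ties keep register order."""
    ranked = sorted(register, key=lambda e: e.risk_level(), reverse=True)
    return [
        (e.asset_id, e.threat_id, e.vuln_id, e.risk_level(),
         e.risk_level() > acceptance_threshold)
        for e in ranked
    ]


if __name__ == "__main__":
    for asset, threat, vuln, level, treat in evaluate(REGISTER, acceptance_threshold=4):
        flag = "TREAT" if treat else "retain"
        print(f"{asset} {threat} {vuln} risk={level} -> {flag}")
```

With the assumed threshold, only the flood-prone-area entry (risk 8) is flagged; the four entries at level 4 or below would be candidates for retention unless the context criteria say otherwise.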
This final stage suggests the measures to be put in place. For this, the security measures need to be organised depending on:
The whole system is based on the ‘Return on Security Investment’ calculation – the return obtained from implementing risk reduction solutions. These calculations are based on the previously calculated ALE (‘Annualised Loss Expectancy’) and on the calculation of the costs incurred to implement the solution.
The risk analysis method ends with the choice of treatment. The analysis must still be implemented and the methods applied. However, it does help with the implementation of an action plan.
There are four risk treatment options:
Any resulting residual risk must be approved by the management board of the entity concerned.
Asset ID | Asset name | Asset type | Imp. level | Threat | Threat name | Threat level | Vulnerability | Vulnerability name | Vuln. level | Risk level | Comment | Treatment type | ISO 27002 measure | Target risk |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V001 | No emergency plan (evacuation, possible DRP, etc.) | 2 | 4 | | | | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 2 | | | | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME11 | Fire | 1 | V003 | No fire-fighting means (extinguishers, sprinklers, gas, etc.) | 2 | 4 | | | | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V002 | Dilapidated buildings (flooring, electrics, plumbing, etc.) | 1 | 4 | | | | |
ASB01 | Admin. premises | Premises, buildings | 2 | ME12 | Water damage or flood-prone area | 2 | V007 | Flood-prone area (river, valley, historic flooding, etc.) | 2 | 8 | | T001 | x.y.z | 4 |
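To show how the ROSI figure behind the treatment choice is derived, here is an added example that is not part of the CASES page. It uses the standard definitions ALE = SLE x ARO and ROSI = (ALE before - ALE after - annual cost of the measure) / annual cost, and checks that the treated entry's residual level matches the "Target risk" column. The flood scenario figures (single loss expectancy, occurrence rates, measure cost) are constructed for illustration, and the residual-risk product formula is the same assumption as in the estimation example above.

```python
def annualised_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from one risk scenario."""
    return single_loss_expectancy * annual_rate_of_occurrence


def return_on_security_investment(ale_before: float, ale_after: float,
                                  annual_cost: float) -> float:
    """ROSI = (risk reduction - cost) / cost, with risk reduction = ALE_before - ALE_after.
    A value above 0 means the measure saves more than it costs per year."""
    if annual_cost <= 0:
        raise ValueError("the measure must have a positive annual cost")
    return (ale_before - ale_after - annual_cost) / annual_cost


def residual_risk_level(impact: int, threat_level: int, vuln_level_after: int) -> int:
    """Risk level left after a measure lowers the vulnerability level
    (assumed formula: impact x threat level x vulnerability level)."""
    return impact * threat_level * vuln_level_after


def assess_treatment(sle: float, aro_before: float, aro_after: float,
                     annual_cost: float, impact: int, threat_level: int,
                     vuln_before: int, vuln_after: int, target_risk: int):
    """Bundle the figures a management board needs before accepting a treatment."""
    ale_before = annualised_loss_expectancy(sle, aro_before)
    ale_after = annualised_loss_expectancy(sle, aro_after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": return_on_security_investment(ale_before, ale_after, annual_cost),
        "risk_before": residual_risk_level(impact, threat_level, vuln_before),
        "risk_after": residual_risk_level(impact, threat_level, vuln_after),
        "meets_target": residual_risk_level(impact, threat_level, vuln_after) <= target_risk,
    }


# Constructed scenario for the V007 row: flood damage to the admin premises,
# treated with measure T001 (assumed to lower the vulnerability level 2 -> 1).
FLOOD_TREATMENT = assess_treatment(
    sle=200_000.0,      # constructed: loss if the premises flood once
    aro_before=0.10,    # constructed: once every ten years without T001
    aro_after=0.02,     # constructed: once every fifty years with T001
    annual_cost=5_000.0,  # constructed: yearly cost of T001
    impact=2, threat_level=2, vuln_before=2, vuln_after=1,
    target_risk=4,      # "Target risk" value from the table row
)

if __name__ == "__main__":
    for key, value in FLOOD_TREATMENT.items():
        print(f"{key}: {value}")
```

Under these constructed figures the measure cuts the ALE from 20,000 to 4,000 at a cost of 5,000 per year, giving a ROSI of 2.2, and brings the V007 entry from risk level 8 down to the target of 4; that residual level is what the management board is then asked to accept.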
Risk acceptance is the approval given by the management board of choices made during the risk treatment. The management board, therefore, agrees to the treatment plan, as well as to the residual risks.
This is a continuous process that allows the exchange and sharing of information on the risks between the decision-makers and the stakeholders. The purpose of risk communication is to:
This process consists of monitoring and re-examining elements of the risk: