COMP3357 Managing Cyber Risk


COMP3357 Managing Cyber Risk Richard Henson University of Worcester May 2017

Week 12: Using Risk Assessment for BCP…
Objectives:
- Use theoretical principles of risk assessment to produce a risk register and risk treatment plan
- Use the risk treatment plan to create a usable Business Continuity Plan

ISO27001 & Risk Assessment
ISO 27001 is about…
- informing an organisation which incidents could occur (i.e. assess the risks)
- then finding the most appropriate ways to avoid such incidents (i.e. treat the risks)
- assessing the relative importance of each risk so the organisation can treat the most important one(s)

Summary of Information Risk Assessment (ISO27001) - 1
Risk Assessment Methodology
- define rules on how to perform the risk management
- the whole organisation should do it the same way
- qualitative or quantitative risk assessment?
- what will be the acceptable level of risk, etc.

Summary of Information Risk Assessment (ISO27001) - 2
Risk Assessment Implementation
- companies are typically aware of only 30% of their risks!
- raise awareness…
- list assets
- list threats and vulnerabilities related to those assets
- identify impact and likelihood for each combination of assets/threats/vulnerabilities
- finally calculate the level of risk

Summary of Information Risk Assessment (ISO27001) – 3a
Risk Treatment Implementation
Four ways to mitigate unacceptable risks:
- apply “Annex A” security controls to decrease risks (see article: ISO 27001 Annex A controls)
- transfer the risk to another party, e.g. an insurance company (buy an insurance policy)
- avoid: stop doing an activity that is too risky, or do the activity in a completely different fashion
- accept: if the cost of mitigation is higher than the damage itself!

Summary of Information Risk Assessment (ISO27001) – 3b
Risk Treatment Plan…
- how to decrease the risks with minimum investment?
- management demand… (!): achieve the same result with less money
- need to figure out how!?!

Summary of Information Risk Assessment (ISO27001) - 4
ISMS Risk Assessment Report
- everything done so far compiled into readable documentation
- for the auditors…
- internal, for future reference – checking!

Summary of Information Risk Assessment (ISO27001) - 5
Statement of Applicability (SoA)
- shows the security profile of the company… based on the results of the risk treatment
- lists implemented controls: why implemented, how implemented
- important for the audit (!)
- For details about the SoA, see Statement of Applicability for ISO 27001.

6 - Risk Treatment (Implementation) Plan
- Theory becomes reality!
- crucial to get management approval
- will take considerable time and effort (and money) to implement all the controls
- a journey…
  - Start: not knowing how to set up your information security
  - Finish: having a very clear picture of what you need to implement in a real company… who (is going to implement each control), when, with which budget, etc.

Gathering Risk Assessment Data
Requirements:
- figuring out all the threats to the organisation’s data
- cataloguing all hardware and software in the organisation into a Risk Register
  - although hardware may apparently be irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register!
http://www.computerworld.com/article/2723652/it-management/how-to-do-a-risk-assessment-for-iso-27001.html
http://www.computerweekly.com/tip/A-free-risk-assessment-template-for-ISO-27001-certification

1. Threats to Organisational Data
Outsiders:
- hackers
- competitors
Insiders:
- employees with bad intent
- dopey employees
- either of the above working with outsiders

2. Information Assets & Risk
- data required to keep the business functioning
- needs hardware and software to be useful! these also carry risk
- Once identified… need to be categorised into rank order according to how well (or not…) the organisation would survive without them

The Information Asset Register (ISO27001)
- List of information assets…
- List of related assets…
  - infrastructure needed to maintain each/all asset(s)
  - can be non-computer hardware (e.g. cooling/ventilation system for servers)
  - equipment to counteract the effects of natural disasters (e.g. flood defences)

System Vulnerabilities
Ways that assets can be compromised:
- unpatched applications and/or operating systems
- user accounts with poorly protected passwords
- users unaware of hacker “phishing” and other social engineering tactics

Calculating Risk to Information Assets
Simple formula:
- likelihood of loss (1-10) x impact (also 1-10)
- bigger score, bigger risk!
- Can be ranked accordingly, along with the hardware/software needed to maintain each asset

Asset Register to Risk Treatment Planning
- “Risk Treatment” as a formal stage started with ISO27001
- now an accepted part of the information risk management process
- concludes with a risk treatment plan that shows how each of the risks regarded as significant will be mitigated

To Mitigate or Accept a Risk?
- Risk Register should contain all potential risks…
- H, M, L categorisation and/or impact assessment score should indicate the main dangers
- Even L categorisations and low impact assessments still need classifying as “risk accepted”
- register should show acceptance or mitigation for each information resource

Asset Register for BCP
- Use the list of assets… (incl. information assets)
- devise a plan to protect each one, according to priority (H, M, L) for business continuity
- another column in the asset register stating how each category H asset is backed up
Protecting “H” assets:
- make sure a plan is in place to quickly replace that asset if damaged!
- make sure that plan is put to the test on a regular basis!
- no good if replacement resources are not working or compatible
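The scoring slide (likelihood 1-10 x impact 1-10), the mitigate-or-accept slide and the BCP asset-register slide above describe one procedure: score each asset/threat/vulnerability combination, rank the register, band it H/M/L, record an explicit decision for every entry (even the L ones), and derive the continuity priority per asset. The Python below is an added illustration of that procedure, not code from the lecture or the university; the asset names, scores, band cut-off values, and the sample register are constructed assumptions (the slides name the H/M/L bands but give no threshold values).

```python
"""Risk register and treatment-plan helper (added illustration, not lecture code).

Implements the slide's simple rule: risk = likelihood (1-10) x impact (1-10),
ranks the register, assigns an H/M/L band, checks that every entry carries an
accept-or-treat decision an auditor could follow, and orders assets for the BCP.
Asset names, scores and band cut-offs below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed cut-offs for the H/M/L bands (the slides give the bands, not the values).
HIGH_MIN = 50
MEDIUM_MIN = 20

# The four treatment options listed on the ISO 27001 summary slide (3a).
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1-10, per the slide
    impact: int              # 1-10, per the slide
    treatment: str = "accept"
    justification: str = ""  # why this decision was taken (needed to accept an H/M risk)

    def __post_init__(self) -> None:
        # Reject scores outside the 1-10 scale the formula assumes.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}")

    @property
    def score(self) -> int:
        # The slide's formula: bigger score, bigger risk.
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        if self.score >= HIGH_MIN:
            return "H"
        if self.score >= MEDIUM_MIN:
            return "M"
        return "L"


def rank_register(entries):
    """Highest-scoring risks first, so the most important ones are treated first."""
    return sorted(entries, key=lambda e: e.score, reverse=True)


def plan_gaps(entries):
    """Entries an auditor would query: an H or M risk left as 'accept' with no justification.

    Every entry already carries a decision (accept is the default), which is the
    slide's point that even L risks must be recorded as 'risk accepted'.
    """
    return [e for e in entries
            if e.band in ("H", "M") and e.treatment == "accept" and not e.justification]


def bcp_priority(entries):
    """Assets ordered for the continuity plan by the worst risk recorded against each."""
    worst = {}
    for e in entries:
        worst[e.asset] = max(worst.get(e.asset, 0), e.score)
    return sorted(worst, key=worst.get, reverse=True)


# Constructed sample register; none of these are real systems or measured scores.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "outsider attack", "unpatched DBMS", 7, 9,
              treatment="mitigate", justification="patch management control"),
    RiskEntry("order web server", "insider with bad intent", "shared admin password", 4, 8,
              treatment="mitigate", justification="individual accounts, MFA"),
    RiskEntry("staff laptop fleet", "phishing", "users unaware of social engineering", 8, 5),
    RiskEntry("server-room cooling", "flood", "no flood defences", 2, 7,
              treatment="transfer", justification="covered by insurance policy"),
    RiskEntry("office printer", "hardware failure", "no spare unit", 3, 2),
]

if __name__ == "__main__":
    for e in rank_register(SAMPLE_REGISTER):
        print(f"{e.band} {e.score:3d}  {e.asset:22s} {e.threat:26s} {e.treatment}")
    print("decisions to revisit:", [e.asset for e in plan_gaps(SAMPLE_REGISTER)])
    print("BCP priority:", bcp_priority(SAMPLE_REGISTER))
```

Run as a script it prints the ranked register, flags the laptop-fleet entry (an M-band risk left as a bare "accept"), and lists the assets in the order the BCP should protect them. Hardware such as the cooling plant appears in the same register as the information assets, which is the point of the "although hardware may apparently be irrelevant" bullet: it is scored and ranked alongside them.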

ISO27001 and BCP
- Information security continuity is fundamental to business continuity
  - whole section A17
- CIA (confidentiality, integrity, availability) essential to online trading
- BCP protects availability… confidentiality and integrity of information also essential

CIA (a recap…)

BCP and Business Success
- Online businesses need to aim for 24-7 trading
- Competitors will have similar targets; customers are free to choose!
- If 24-7 uptime depends on business partners… they should be subject to BCP and BCP rehearsals as well!