Handbook of Information Security Management:Risk Management and Business Continuity Planning



Establish Information Risk Management (IRM) Policy

A sound IRM program is founded on a well-thought-out IRM policy infrastructure that effectively addresses all elements of information security. The Generally Accepted Information Security Principles, currently being developed on an Authoritative Foundation of supporting documents and guidelines, will be helpful in executing this task.

IRM policy should begin with a high-level policy statement and supporting objectives, scope, constraints, responsibilities, and approach. This high-level policy statement should drive subordinate controls policy, from logical access control to facilities security, to contingency planning.

Finally, IRM policy should be effectively communicated and enforced to all parties. Note that this is important both for internal control and, with EDI, the Internet, and other external exposures, for secure interface with the rest of the world.

Establish and Fund an IRM Team

Much of the IRM functionality (logical access control, contingency planning, etc.) should already be in place. However, it is likely that the central task of IRM, risk assessment, has not been built into the established approach to IRM or has, at best, been given only marginal support.

At the most senior management level possible, the tasks and responsibilities of IRM should be coordinated, and IRM-related budgets cost-justified, based on a sound integration and implementation of risk assessment. At the outset, the IRM team may be drawn from existing IRM-related staffing. The person charged with responsibility for executing risk assessment tasks should be an experienced IT generalist with a sound understanding of the broad issues of information security. This person will need the incidental support of someone who can assist at key points of the risk assessment task, e.g., scribing a Modified Delphi information valuation.

In the first year of an IRM program, the lead person could be expected to devote 50 to 75% of his/her time to the process of establishing and executing the balance of the IRM tasks, the first of which follows immediately below. Funds should be allocated (1) for the above minimum staffing and (2) for acquiring, and being trained in the use of, a suitable automated risk assessment tool ($25,000 to $35,000).

Establish IRM Methodology and Tools

There are two fundamental applications of risk assessment to be addressed: (1) determining the current status of information security in the target environment(s) and ensuring that the associated risk is managed (accepted, mitigated, or transferred) according to policy, and (2) assessing risk strategically. Strategic assessment ensures that risk is effectively considered before funds are expended on a specific change in the IT environment, a change that might otherwise have been shown to be “too risky” only after the fact. It thus allows management to weigh the risks in its decision-making process.

With the availability of good automated risk assessment tools, the methodology is to a large extent determined by the approach and procedures associated with the tool of choice. A wide array of such tools is listed at the end of this chapter. Increasingly, management is looking for quantitative results that support cost/benefit analysis and budgetary planning.

Identify and Measure Risk

Once IRM policy, team, and risk assessment methodology and tool are established and acquired, the first risk assessment will be executed. This first risk assessment should be as broadly scoped as possible, so that (1) management gets a good sense of the current status of information security, and (2) management has a sound basis for establishing initial risk acceptance criteria and risk mitigation priorities.

Project sizing — This task includes the identification of background, scope, constraints, objectives, responsibilities, approach, and management support. Clear project-sizing statements are essential to a well-defined and well-executed risk assessment project. It should also be noted that a clear articulation of project constraints (what is not included in the project) is very important to the success of a risk assessment.

Threat analysis — This task includes the identification of threats that may adversely impact the target environment.

Asset identification and valuation — This task includes the identification of assets, both tangible and intangible, their replacement costs, and the further valuing of information asset availability, integrity, and confidentiality. These values may be expressed in monetary (for quantitative) or nonmonetary (for qualitative) terms. This task is analogous to a BIA in that it identifies what assets are at risk and their value.

Vulnerability analysis — This task includes the identification of vulnerabilities that could increase the frequency or impact of threat event(s) affecting the target environment.

Risk evaluation — This task includes the evaluation of all collected information regarding threats, vulnerabilities, assets, and asset values in order to measure the associated chance of loss and the expected magnitude of loss for each of an array of threats that could occur. For a quantitative risk assessment, results are usually expressed in monetary terms on an annualized basis (annualized loss expectancy, ALE) or graphically as a probabilistic “risk curve.” For a qualitative risk assessment, results are usually expressed through a matrix of qualitative metrics such as ordinal ranking (low, medium, high, or 1, 2, 3).
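The risk-evaluation task above, together with the strategic before/after assessment and the cost/benefit use of quantitative results described under “Establish IRM Methodology and Tools,” carried through on constructed data as an added example; this is not code from the Handbook or from any of the tools it lists. The SLE/ALE formulas are the standard quantitative ones the chapter's ALE figure rests on but does not spell out; the ordinal-rank thresholds, the acceptance criterion, the candidate controls, and every asset value and occurrence rate are assumptions or constructed sample input.

```python
# Added example, not code from the Handbook: turn the outputs of the preceding
# tasks (threats, valued assets, vulnerability-adjusted frequencies) into ALE
# figures, an ordinal ranking, a treatment decision against an acceptance
# criterion, and a before/after comparison for strategic assessment.
# Assumed formulas (standard quantitative risk analysis, not stated on the page):
#   SLE = asset value x exposure factor;   ALE = SLE x ARO.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # monetary value from the asset valuation task (constructed)


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset; its frequency is already adjusted for
    the vulnerabilities found in the vulnerability analysis task."""
    threat: str
    asset: Asset
    aro: float              # annualized rate of occurrence (events per year)
    exposure_factor: float  # fraction of asset value lost per event, 0..1


def single_loss_expectancy(s: Scenario) -> float:
    """Expected magnitude of loss for one occurrence of the threat."""
    return s.asset.value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """Expected annual loss: loss per event times expected events per year."""
    return single_loss_expectancy(s) * s.aro


def total_ale(scenarios) -> float:
    return sum(annualized_loss_expectancy(s) for s in scenarios)


def ordinal_rank(ale: float, medium_at: float, high_at: float) -> int:
    """Qualitative metric on the same data: 1 = low, 2 = medium, 3 = high.
    The thresholds are assumed policy values, not taken from the chapter."""
    if ale >= high_at:
        return 3
    if ale >= medium_at:
        return 2
    return 1


def treatment(ale: float, acceptance_threshold: float,
              control_cost: Optional[float] = None,
              ale_after: Optional[float] = None) -> str:
    """Decide accept / mitigate / transfer against the acceptance criterion.
    A control is cost-justified only if the ALE it removes exceeds its annual
    cost; risk above the criterion that cannot be mitigated that way is
    transferred (assumption: e.g. insured) rather than silently accepted."""
    if ale <= acceptance_threshold:
        return "accept"
    if (control_cost is not None and ale_after is not None
            and (ale - ale_after) > control_cost):
        return "mitigate"
    return "transfer"


def strategic_delta(current, proposed) -> float:
    """Change in total ALE a proposed change to the environment would bring;
    positive means the change adds risk that must be justified up front."""
    return total_ale(proposed) - total_ale(current)


# Constructed sample input; names, values and rates are illustrative only.
DB = Asset("customer database", 500_000.0)
WEB = Asset("public web server", 80_000.0)
CURRENT_ENV = [
    Scenario("ransomware on file servers", DB, aro=0.5, exposure_factor=0.6),
    Scenario("web server defacement", WEB, aro=2.0, exposure_factor=0.1),
    Scenario("flood damages data center", DB, aro=0.02, exposure_factor=1.0),
]
# Proposed change under strategic assessment: a new internet-facing API on DB.
PROPOSED_ENV = CURRENT_ENV + [
    Scenario("API credential theft", DB, aro=0.3, exposure_factor=0.3),
]
# Candidate controls: threat -> (annual cost, scenario as it would look after).
CONTROLS = {
    "ransomware on file servers":
        (20_000.0, Scenario("ransomware on file servers", DB, 0.5, 0.1)),
    "web server defacement":
        (10_000.0, Scenario("web server defacement", WEB, 0.5, 0.1)),
}
ACCEPTANCE_THRESHOLD = 12_000.0  # assumed management risk acceptance criterion


def evaluate(scenarios=CURRENT_ENV):
    """Rows sorted by ALE, highest first: the risk mitigation priority list."""
    rows = []
    for s in scenarios:
        ale = annualized_loss_expectancy(s)
        cost, after = CONTROLS.get(s.threat, (None, None))
        ale_after = annualized_loss_expectancy(after) if after is not None else None
        rows.append({
            "threat": s.threat,
            "ale": ale,
            "rank": ordinal_rank(ale, medium_at=15_000.0, high_at=100_000.0),
            "treatment": treatment(ale, ACCEPTANCE_THRESHOLD, cost, ale_after),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['threat']:<28} ALE ${r['ale']:>10,.0f}  rank {r['rank']}  {r['treatment']}")
    print(f"strategic delta of proposed change: ${strategic_delta(CURRENT_ENV, PROPOSED_ENV):,.0f}")
```

The same scenario list yields both outputs the chapter describes: the monetary ALE column for a quantitative report and the 1/2/3 ordinal column for a qualitative one, so the two styles differ in presentation, not in the collected data. The treatment column is where the acceptance criterion from the first broad assessment does its work, and `strategic_delta` is the before/after figure management would see before funding the proposed change.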





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.