Page 1

t rin rR ep fo ot N lia er at M pl e

Sa

m

Certified ISO 27005

Risk Manager

release 1.0.0

INSTRUCTOR GUIDE

e Portfolio


ITpreneurs Nederland B.V. is affiliated to Veridion.

fo

Copyright Š 2013 ITpreneurs. All rights reserved.

rR ep

Copyright and Trademark Information for Partners/Stakeholders.

rin

Certified ISO 27005 Risk Manager, Classroom course, release 1.0.0

t

Copyright

N

ot

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

Sa

m

pl e

M

at

er

ia

l-

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO 27005 | Risk Manager | Instructor Guide

rin

t

Follow Us

rR ep

Before you start the course, please take a moment to:

“Like us” on Facebook

fo

http://www.facebook.com/ITpreneurs

“Follow us” on Twitter

N

ot

http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus

ia

l-

http://gplus.to/ITpreneurs

er

"Link with us" on Linkedin

at

http://www.linkedin.com/company/ITpreneurs

M

"Watch us" on YouTube

Sa

m

pl e

http://www.youtube.com/user/ITpreneurs

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

1


rin

t

his pl pae geM haa steb reiea nl l -efNt b loan t fk int or ent i R ona ep lly

m T

Sa


Certified ISO 27005 | Risk Manager | Instructor Guide

rin

t

Contents

rR ep

Certified ISO 27005 Risk Manager

-------------------------------------------------------------

5

Day 2

-------------------------------------------------------------

103

Exam Preparation Guide --------------------------------------

217

ot

fo

Day 1

----------------------------------------------------------------------

l-

Appendix B: Exercises List

N

Appendix A: Case Study

227 235 251

Appendix D: Release Notes ---------------------------------

263

Instructor Feedback Form -----------------------------------

265

Sa

m

pl e

M

at

er

ia

Appendix C: Correction Key for Exercises ---------------

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

3


rin

t

his pl pae geM haa steb reiea nl l -efNt b loan t fk int or ent i R ona ep lly

m T

Sa


Certified ISO 27005 | Risk Manager | Instructor Guide

Sa

m

pl e

M

at

er

ia

l-

N

ot

fo

rR ep

rin

Certified ISO 27005 Risk Manager

t

Day 1

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

5


rR ep

1

rin

t

Certified ISO 27005 | Risk Manager | Instructor Guide

fo

DAY

N

ot

Certified ISO 27005 Risk Manager

l-

Content

Sa

m

pl e

M

at

er

ia

Section 1: Course objectives and structure Section 2: Concepts and definitions of risk Section 3: Standard and regulatory framework Section 4: Implementing a risk management programme Section 5: Understanding the organization and its context Section 6: Risk identification Section 7: Risk analysis and risk evaluation Section 8: Risk assessment with a quantitative method Section 9: Risk treatment Section 10: Risk acceptance and residual risk management Section 11: Information Security Risk Communication and Consultation Section 12: Risk monitoring and review

© 2008 PECB Version 4.7 Eric Lachapelle Document number: 27005RMV4.7 Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

6


Certified ISO 27005 | Risk Manager | Instructor Guide

Main standards ‡ ISO Guide 73:2009, Risk management – Vocabulary. ‡ ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary. ‡ ISO/IEC 27001:2005, Information Security Management Systems – Requirements. ‡ ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management. ‡ ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk management. ‡ ISO 31000:2009, Risk Management – Principles and Guidelines. ‡ ISO/IEC 31010:2009, Risk management — Risk assessment techniques.

rR ep

rin

‡

t

Normative references used in this training

er

ia

l-

N

ot

fo

2. Other standard references ‡ ISO 9000:2005, Quality management systems – Fundamentals and vocabulary. ‡ ISO 9001:2008, Quality management systems – Requirements. ‡ ISO 14001:2004, Environmental management systems – Requirements with guidance for use. ‡ ISO 17024:2003, Conformity assessment — General requirements for bodies operating certification of persons. ‡ OHSAS 18001:2007, Occupational Health and Safety Management Systems — Requirements. ‡ ISO/IEC 20000-1:2011, Information Technology — Service Management. Information technology — Part 1: Service management system requirements. ‡ ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems. ‡ ISO 22000:2005, Food safety management systems — Requirements for any organization in the food chain. ‡ ISO 22301:2012, Societal security — Business continuity management systems — Requirements. ‡ ISO/IEC 27003:2010, Information technology — Security techniques — Information security management system implementation guidance. ‡ ISO 28000:2007, Specification for security management systems for the supply chain.

at

List of acronyms and abbreviations use in this training

Sa

m

pl e

M

ANSI: American National Standards Institute BS: British Standard CERT: Computer Emergency Response Team CMS: Content Management System CobiT: Control Objectives for Business and related Technology COSO: Committee of Sponsoring Organizations of the Treadway Commission CPD: Continuing Professional Development DMS: Document Management System EDM: Electronic Document Management System EMS: Environment management system FISMA: Federal Information Security Management Act GAAS: Generally Accepted Auditing Standards GLBA: Gramm-Leach-Bliley Act HIPAA: Health Insurance Portability and Accountability Act IMS2: Integrated Implementation Methodology for Management Systems and Standards ISMS: Information security management system ISO: International Standards Organization ITIL: Information Technology Infrastructure Library LA: Lead auditor Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

7


rin rR ep

Sa

m

pl e

M

at

er

ia

l-

N

ot

fo

LI: Lead Implementer NC: Non-conformity NIST: National Institute of Standards and Technology OHSAS: Occupational Health and Safety Assessment Series OECD: Organization for Economic Co-operation and Development PCI-DSS: Payment Card Industry Data Security Standard PDCA: Plan-Do-Check-Act QMS: Quality management system PECB: Professional Evaluation and Certification Board ROI: Return on Investment ROSI: Return on Security Investment SMS: Service management system SOX: Sarbanes-Oxley Act

t

Certified ISO 27005 | Risk Manager | Instructor Guide

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

8


Certified ISO 27005 | Risk Manager | Instructor Guide

Certified ISO 27005 Risk Manager

t

Section 1

rin

Course objectives and structure

rR ep

a. Meet and greet b. General information c. Training objectives d. Educational approach e. Examination and certification

fo

f. PECB

2

l-

N

ot

g. Schedule of the training

er

ia

Activity

Sa

m

pl e

M

at

Meet and greet

3

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

9


Certified ISO 27005 | Risk Manager | Instructor Guide

rin

‡ Name; ‡ Current position; ‡ Knowledge of and experience with risk management and information security standards as ISO 27001, ISO 27005, ISO 31000; ‡ Knowledge and experience with risk management; ‡ Course expectations and objectives.

t

To break the ice, participants introduce themselves stating:

rR ep

Duration of activity: 20 minutes

Use of a computer and access to the Internet

Smoking area

er

ia

l-

N

Use of mobile phones and recording devices

ot

fo

General Information

Meals

Absences

at

Timetable and breaks

4

Sa

m

pl e

M

‡ For simplification, only the masculine is used throughout this training and is not meant to offend anyone. ‡ In case of emergency, please be aware of exits. ‡ Agree on course schedule and two breaks (be on time). ‡ Set your cell phone on vibration and if you need to take a call, please do it outside the classroom. ‡ Recording devices are prohibited because they may restrict free discussions.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

10


Certified ISO 27005 | Risk Manager | Instructor Guide

Training Objectives

Understand the basic concepts of risk management related to information security

rR ep

1

rin

t

Acquiring Knowledge

Explain the goal, content and correlation between ISO 27005, ISO 31000 and ISO 27001 as well as with other standards and regulatory frameworks

3

Explain the functioning of a risk management system according to ISO 27005 and ISO 31000 to its key processes

N

ot

fo

2

5

er

ia

l-

The main objective of this training is to acquire and / or enhance the competency to participate in the implementation of a risk management programme according to ISO 27005 and ISO 31000. From an educational view, competency consists of the following 3 elements: ‡ Knowledge; ‡ Skill; ‡ Behavior (attitude).

at

It should be noted that the training focuses on the acquisition of knowledge in risk management related to information security and not on the acquisition of expertise on a particular methodology of risk management.

M

To obtain further knowledge on risk assessment methods, we recommend that you attend a practical workshop on a specific method such as OCTAVE, Mehari or EBIOS.

Sa

m

pl e

At the end of this course, participants will have obtained the competency on how to implement and manage a risk management program and not only on why or what to do.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

11


Certified ISO 27005 | Risk Manager | Instructor Guide

Training Objectives

rin

t

Development of competencies Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management programme

2

Interpret the requirements of ISO 27001 on risk management

3

Acquire the skills necessary to effectively advise organizations on the best practices in Risk Management

4

Strengthen the personal qualities necessary to act with due professional care when implementing a risk management pr programme pr

N

ot

fo

rR ep

1

6

l-

The objective of this training is to ensure that the candidate can actively participate in the planning and implementation of a framework for risk management according to ISO 27005 and ISO 31000 the day following the end of the training.

Sa

m

pl e

M

at

er

ia

This training focuses on the reality of implementing a risk management programme. The case study and lessons learned are used to simulate conditions as close as possible to reality in the field. The tools and templates provided in this training are based on those currently used by several organizations.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

12


Certified ISO 27005 | Risk Manager | Instructor Guide

Course Structure

N

ot

fo

rR ep

rin

t

Student oriented

7

ia

l-

This course is primarily based on: ‡ Trainer lead sessions, where questions are welcomed. ‡ Student involvement in various ways: exercises, case studies, role-plays, notes, comments, discussions (participant experiences).

er

Remember, this course is yours: you are the main players of its success. Students are encouraged to take additional notes.

Sa

m

pl e

M

at

Exercises are essential in the acquisition of the competencies necessary to allow an effective management of risk. Thus it is very important to do them conscientiously. In addition, these exercises are used to prepare students for the final exam.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

13


Certified ISO 27005 | Risk Manager | Instructor Guide

Examination

Fundamental principles and concepts in information security risk management

2

Information security risk management program

3

Information security risk assessment

4

Information security risk treatment

5

Information security risk communication, monitoring and improvement

N

ot

fo

rR ep

1

rin

t

Competency domains

8

l-

The objective of the certification examination is to ensure that auditor candidates have mastered the concepts and techniques related to risk management according to ISO 27005 and ISO 31000 so that they are able to participate in assignments.

er

ia

The PECB examination committee shall ensure that the development and adequacy of the exam questions is maintained based upon current professional practice. The questions are developed and maintained by a committee of risk management specialists that are all Certified ISO 27005 Risk Manager.

at

The exam only contains essay questions. The duration of the exam is 2 hours. The minimum passing score is 70%.

M

All notes and reference documents may be used during the exam excluding the use of a computer.

pl e

The exam is available in several languages. When taking the exam, please ask the trainer or check on the PECB website to know the list of available languages.

Sa

m

All five competency domains are covered by the examination. To read a detailed description of each competency domain, please visit the PECB website.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

14


Certified ISO 27005 | Risk Manager | Instructor Guide

Certified ISO 27005 Risk Manager

Pass the exam

1 2 3 4 5 6

rin

t

Prerequisites for Certification

rR ep

Adhere to the PECB Code of Ethics 2 years professional experience

1 years risk management experience 200 hours risk management activity

fo

Professional references

N

ot

Certified ISO 27005 Risk Manager 9

l-

Passing the exam is not the only pre-requisite to obtain the credential of “Certified ISO 27005 Risk Manager”. This credential will endorse both the passing the exam and the validation of the professional experience records.

ia

The set of criteria and the certification process are explained at the last day of the training.

er

A candidate with lesser experience can apply for the credential of “Certified ISO 27005 Provisional Risk Manager”.

Sa

m

pl e

M

at

Important note: Certification fees are included in the examination price. The candidate will therefore not have to pay any additional costs when applying for certification at their corresponding experience level and receive one of the other professional credentials.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

15


Certified ISO 27005 | Risk Manager | Instructor Guide

N

ot

rin

fo

rR ep

Candidates who met all the prerequisites for eceive a certificate: ication willl rreceive certification

t

Certificate

10

l-

After passing the exam, the candidate has a maximum period of three years to apply for one of the professional credentials related to the ISO 27005 certification scheme.

er

ia

When the candidate is certified, he will receive, via electronic mail, from PECB a certificate valid for three years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the requirements for the assigned credential and abiding to PECB’s Code of Ethics. To learn more about certificate maintenance and renewal procedure please visit PECB Website. At the end of the training, more details will be given.

Sa

m

pl e

M

at

An electronic version (in .PDF) course completion certificate which is valid of 21 CPD (Continuing Professional Development) credits will be issued (sent via email) to participants after the training.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

16


Certified ISO 27005 | Risk Manager | Instructor Guide

N

ot

fo

rR ep

1. Certification of personnel (Auditor and Implementer) 2. Certification of training organizations 3. Certification of trainers

rin

Professional Evaluation and Certification Board Main services:

t

What is PECB?

11

ia

l-

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security).

at

er

Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high quality recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified ISO 9001 and ISO 27001.

M

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes: Establishing the minimum requirements necessary to qualify certified professionals; Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations; Developing and maintaining reliable, valid, and current certification examinations; Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates; Establishing requirements for the periodic renewal of certification and determining compliance with those requirements; Ascertaining that certificants meet and continue to meet the PECB Code of Ethics; Representing its members, where appropriate, in matters of common interest; Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.

pl e

‡ ‡

Sa

m

‡ ‡

‡

‡ ‡ ‡

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

17


Certified ISO 27005 | Risk Manager | Instructor Guide

Customer Service

rin

t

Comments, questions and complaints

rR ep

1. Submit a complaint

Training Provider

Participant

2. Answer in writing

fo

4. Final arbitration

N

PECB

ot

3. Appeal

12

l-

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and services for our clients.

er

ia

As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.

at

To send comments, questions or complaints, please open a ticket on PECB’s website in the Contact Us section.

M

If you have suggestions for improving PECB’s training materials, we'd like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to Training Department on PECB’s website in the Contact Us section.

Sa

m

pl e

In case of dissatisfaction with the training (trainer, training room, equipment,...), the examination or the certification processes, please open a ticket under “Make a complaint” category on PECB’s website in the Contact Us section.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

18


Certified ISO 27005 | Risk Manager | Instructor Guide

N

ot

fo

rR ep

rin

t

QUESTIONS?

Sa

m

pl e

M

at

‡

ia

‡

The main objective of this training is to acquire the competencies to participate in the implementation of a risk management programme according to ISO 27005 and ISO 31000. Success of the training is based on participant involvement (experience feedback, discussions, exercises, etc.). The final exam is an open-book 2-hour exam and is focused on the understanding the concepts of risk management applied to concrete cases.

er

‡

l-

Section summary:

13

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

19


Certified ISO 27005 | Risk Manager | Instructor Guide

Certified ISO 27005 Risk Manager

t

Section 2

rin

Concepts and definitions of risk

rR ep

a. Concepts of risk b. Scientific definition of risk c. Risk and statistics d. Opportunities of risk

f. Information security risk

ia

Exercise 1

14

l-

N

h. Advantages of Risk Management

ot

g. The 11 principles of Risk Management

fo

e. The perception of risk

Sa

m

pl e

M

at

er

Myths and Realities - Risk Management

15

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

20


Certified ISO 27005 | Risk Manager | Instructor Guide

Sa

m

pl e

M

at

er

ia

l-

N

ot

fo

rR ep

rin

Certified ISO 27005 Risk Manager

t

Day 2

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

103


rR ep

2

rin

t

Certified ISO 27005 | Risk Manager | Instructor Guide

fo

DAY

N

ot

Certified ISO 27005 Risk Manager

l-

Content

Sa

m

pl e

M

at

er

ia

Section 1: Course objectives and structure Section 2: Concepts and definitions of risk Section 3: Standard and regulatory framework Section 4: Implementing a risk management programme Section 5: Understanding the organization and its context Section 6: Risk identification Section 7: Risk analysis and risk evaluation Section 8: Risk assessment with a quantitative method Section 9: Risk treatment Section 10: Risk acceptance and residual risk management Section 11: Information Security Risk Communication and Consultation Section 12: Risk monitoring and review

© 2008 PECB Version 4.7 Eric Lachapelle Document number: 27005RMV4.7

Documents provided to participants are strictly reserved for training purposes and are copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

104


Certified ISO 27005 | Risk Manager | Instructor Guide

Certified ISO 27005 Risk Manager

t

Section 6

rin

Risk identification

rR ep

a. Techniques for gathering information b. Identification of assets c. Identification of threats d. Identification of existing controls e. Identification of vulnerabilities

N

ot

fo

f. Identification of consequences

2

er

ia

l-

ISO 31000, clause 5.4.2: Risk identification The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences. The aim of this step is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. It is important to identify the risks associated with not pursuing an opportunity. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis.

M

at

Identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident. Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects. It should also consider a wide range of consequences even if the risk source or cause may not be evident. As well as identifying what might happen, it is necessary to consider possible causes and scenarios that show what consequences can occur. All significant causes and consequences should be considered.

Sa

m

pl e

The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced. Relevant and up-to-date information is important in identifying risks. This should include appropriate background information where possible. People with appropriate knowledge should be involved in identifying risks.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

105


Certified ISO 27005 | Risk Manager | Instructor Guide

3. Risk Identification

4.2 Assessment of incident likelihood

6.1 Risk treatment options 5.1 Evaluation of levels of risk based on risk evaluation criteria

7.1 Risk treatment plan acceptance

6.2 Risk treatment plan

3.4. Identification of vulnerabilities 3.5. Identification of consequences

7. Risk Acceptance

rin

6. Risk Treatment

4.1. Assessment of consequences

3.2 Identification of threats 3.3. Identification of existing controls

5. Risk Evaluation

rR ep

3.1 Identification of assets

4. Risk Analysis

7.2 Residual risk acceptance

4.3 Level of risk determination

6.3 Evaluation of residual risk

fo

2. Context Establishment

3. Risk Identification

t

1. Risk Management Programme

Risk Assessment

ot

8. Risk Communication and Consultation

N

9. Risk Monitoring and Review 9 Re ie

3

l-

In the risk identification phase, all potential risks should be listed in the form of scenarios. The result is the "Risk Catalog" commonly known as hazard list.

at

er

ia

It appears that the starting point of this approach is characterized by the identification of the information assets that can be affected in respect to their integrity, confidentiality, and availability. An asset can be a machine, software, database, process, or a document as a contract and basically anything that has value for the company. It is from this list of assets that the risk analysis should be conducted to establish a risk treatment plan that is in accordance with the ISMS policy and aligned with the business expectations of the company.

M

The threat identification step will allow the organization to determine the threats to its Information security. At this stage, the organization selects and classifies the threats it believes that are relevant within its context.

pl e

The analysis of controls that already exist within the organization should consist of assessing the full range of potential controls and allow concluding whether the recommended strategies are advantageous to the organization.

Sa

m

The identification of vulnerabilities is the phase where anomalies or errors (intrinsic to the construction or during operations) are detected that could be exploited by threats to the organization. NOTE: Vulnerabilities are construction weaknesses or errors in the design (manufacturing) of a product, a service or a system. The vulnerabilities during operations are the weaknesses or errors during the putting into service or use of the product, a service or a system. At this stage, the analysis of vulnerabilities can be limited to the risk factors and risk items. Finally, it is important to consider what the effect of the threats on potentially vulnerable assets would be, not only in terms of probability or frequency of their occurrence, but also by measuring their possible effects. These consequences, depending on the circumstances and when they occur, can be negligible or catastrophic in terms of impact on the organization. The sequence and the linking of these activities will enable the organization to better assess the risks to which it is exposed. Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

106


Certified ISO 27005 | Risk Manager | Instructor Guide

Information Gathering Techniques Sending questionnaires to a sample of people who represent the stakeholders

Interviews

Interviews with key persons at different hierarchical levels within the organization

Documentation review

Reading and analysis of relevant documentation: internal policies, procedures, previous audit reports, legal opinions, contracts, etc.

Scanning tools

Use technical tools to detect technical vulnerabilities, establish a list of assets present on a network, perform a code review, etc.

N

ot

fo

rR ep

rin

t

Questionnaire surveys

4

Sa

m

pl e

M

at

er

ia

l-

The risk management team should build a detailed knowledge of risk from the collection of information obtained from multiple stakeholders. A risk assessment carried out only with computer security experts would be just as biased as if they were excluded.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

107


Certified ISO 27005 | Risk Manager | Instructor Guide

Individual and Group Interview

rin rR ep

Individual

t

Individual interviews usually provide more accurate information and allow to have a more correct risk assessment

Interview

Group

N

ot

fo

Group interviews are more effective to establish basic criteria to reach a consensus on risk assessment, discuss treatment options, etc

5

er

ia

l-

Some people might question the value of detailed security questions to people without professional experience on matters of risks associated with information protection. Experience shows, however, that it is essential to ascertain the views of stakeholders, expert or not, on its exposure to the resources they manage. Those responsible for business processes will include a much more "business“ oriented view on risks, e.g. the public relations officer will indicate his concern about the risk of image damaging and reputation, etc.

M

at

Individual interview Individual interviews are preferred because one can concentrate on the risk assessment of a single person. In general, it is possible to obtain more detailed information (contrary to a group interview where each member gives his summarized opinion) and individual interviews prevent that a dominant member from the group influences the response of others (“sheep” effect).

Sa

m

pl e

The individual interview enables to more easily: ‡ Read the body language of the individual interviewed ‡ Identify the sensitive elements of the discussion ‡ Ensure the confidentiality of discussions with the interviewee ‡ Adjust the follow-up questions ‡ Obtain detailed information ‡ Avoid having dominant members to influence others Group interview Group interviews are more effective to establish basic criteria to reach a consensus on risk assessment, discuss treatment options, etc. between the different members of a group.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

108


Certified ISO 27005 | Risk Manager | Instructor Guide

fo

Take notes during the interview

rR ep

Ensure you cover all the subjects while controling the time

rin

Use open-ended questions and avoid close-ended or guided questions

t

Conducting an Interview

N

ot

Ask questions to clarify a response or situation 6

l-

Experience shows that the more you prepare an interview, the more productive the meeting will be. One strategy is to build a knowledge base of risks that can exist in an organization to take advantage of the experience of risk assessments done in the past.

Sa

m

pl e

M

at

er

ia

During maintenance on the collection of risks on information assets, it may be useful to translate the terms related to security as "threats" and "vulnerabilities" in a language more meaningful for unskilled stakeholders. One can, for example, use the following wording: "What are you trying to avoid? Or "What do you fear may happen to the resource?"

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

109


Certified ISO 27005 | Risk Manager | Instructor Guide

3.1. Identification of Assets

Activities

Input

‡ List of assets to be riskmanaged ‡ List of business processes related to assets and their relevance

rR ep

‡ Identification of assets included in the scope

N

ot

fo

‡ Scope and boundaries ‡ List of assets with their owners ‡ business processes ‡ Premises, etc.

Output

rin

t

ISO 27005, clause 8.2.2

7

ia

l-

The identification of assets must be performed at a level of detail that provides sufficient information for risk evaluation. However, the identification of assets should be limited to those that have the most important value to the organization. In some methodologies such as OCTAVE, it is suggested only to take into consideration between 5 and 10 primary assets.

Sa

m

pl e

M

at

er

The level of detail used in the identification of assets will affect the overall volume of information gathered during the risk evaluation. The level can be refined in further iterations of the risk assessment.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

110


Certified ISO 27005 | Risk Manager | Instructor Guide

Asset

Definition

rin

t

ISO 27000, clause 2.3 and ISO 27005, annex B

Primary Asset

rR ep

Asset category

Anything that has value to the organization

Supporting Asset

Hardware Software

Information Asset

Network

fo

Business Process

Personnel Organization's structure

N

ot

Site

8

l-

An asset is anything that has value to the organization and therefore needs to be protected. For the identification of assets, it should be kept in mind that an information system consists of much more than only hardware and software. ISO 27005 divides assets into two broad categories: Primary assets consist of business processes and information assets. These are the primary assets that have the most importance to take into account in the risk analysis and not the supporting assets like servers, for example.

‡

The supporting assets include the hardware, software, computer networks, staff, sites and organizational structures.

Sa

m

pl e

M

at

er

ia

‡

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

111


Certified ISO 27005 | Risk Manager | Instructor Guide

Creating an Inventory of Assets

Asset type Its format

rR ep

Inventory of assets

rin

t

ISO 27002, clause 7.1.1

Its location Its owner

Its user license

fo

Continuous updating and verification

Backup Information

N

ot

Its value 9

l-

The process of creating an inventory of assets is an important requirement in managing risk. The asset inventory is essential to establish an effective and appropriate protection of assets of the organization.

at

er

ia

The inventory of assets should include all the necessary information to do the risk assessment, particularly the type of property, its size, its location, its owner, the information relating to its protection and the license and its value to the organization. If the inventory of assets consists of several registers, the unnecessary duplication of information should be avoided to ensure an alignment of the content.

M

The inventory of assets may also be needed for other purposes for the organization. For example, for insurance purposes or for financial reasons (accounting).

Sa

m

pl e

The inventory should be kept updated on an ongoing basis and be subject to an annual audit (for example, when reviewing the inventory for accounting).

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

112


Certified ISO 27005 | Risk Manager | Instructor Guide

rR ep

Business processes to be considered

rin

t

Identification of Business Processes

ƒ Supporting the organization's mission and are vital to its achievement ƒ Involves the handling of confidential information

N

ot

fo

ƒ Related to a legal and/or contractual obligations

10

ia

Process: Accounting Sub-process: Manage accounts receivable, payroll, etc. Activity: Creating an invoice, monthly report writing, etc. Tasks: Checking the current address of a client, adding information into the accounting system, etc.

er

‡ ‡ ‡ ‡

l-

By establishing a mapping of business processes, the processes are split into sub-processes, activities and then finally into tasks. Some examples related to the accounting process are:

Sa

m

pl e

M

at

It should be noted that, to conduct a risk analysis in accordance with the recommendations of ISO 27005, an organization is not required to enter a granular level of detail that would include all the tasks associated with the analyzed process.

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

113


Certified ISO 27005 | Risk Manager | Instructor Guide

Main Business Processes Management of infrastructure Human Resources management Finance & accounting

Marketing

Design

Production

Sales

Distribution

Customer service

rR ep

R&D

rin

t

Example based upon the value chain of Porter

Supply

Packaging Research & Development

Transformation

Marketing

Manufacturing

Design

After sale services

fo

Export

N

ot

Quality control

11

Sa

m

pl e

M

at

er

ia

l-

As defined by ISO 9001, a process is a set of interrelated or interacting activities which transform the inputs into outputs. According to Michael Porter, one can distinguish among the processes involved in the value chain: ‡ The main processes, processes that contribute directly to the material creation and sale of products such as R & D, marketing, design, production, distribution and customer service. ‡ The supporting processes, processes to support the core business and form the infrastructure of the company such as infrastructure management, management of human resources, accounting and finance.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

114


Certified ISO 27005 | Risk Manager | Instructor Guide

ƒ Vital to the organization so that it can achieve its mission ƒ Containing information that has economic, administrative or legal value for the organization

R&D

ƒ Subject to costs for collection, acquisition or storage

fo

Customer data

rR ep

Patents

Information assets to be considered

rin

t

Identification of Information Assets

N

ot

Financial Statements

12

l-

An organization often has a wealth of information assets. They are not necessarily all to be analyzed. It should be limited to information assets that have economic, administrative or legal value for the organization.

er

ia

To facilitate analysis, the information assets should be consolidated in groups having roughly the same features and the same classification level in terms of information security. For example, one can identify the accounting data as a single asset rather than dealing with subsets: payroll data, accounts receivable, accounts payable, bank statements, etc.

Sa

m

pl e

M

at

Examples of information assets that can be frequently identified as important to the organization: ‡ Employee files ‡ Customer list ‡ Strategic Plan of the organization ‡ Network Setup ‡ Patents ‡ Accounting data

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved.

115


Certified ISO 27005 | Risk Manager | Instructor Guide

Identification of Supporting Assets

Definition

Examples

All the physical elements supporting processes.

Server, laptop, printer, disk drive, CD-ROM, etc.

Software

All the programmes contributing to the data processing.

Operating system, word processing software, accounting software, etc.

Networks

All telecommunications devices used to interconnect several physically remote computers or elements of an information system.

Router, firewall, network cable, switch, bridge, etc.

Personnel

All people involved in the information system.

Owner, user, developer, trustee, client, decision maker, etc.

Sites

Physical places where the operation take place.

Desktop, server room, staff residence, secure area, air conditioning system, etc.

Organization's structure

Organizational framework, assigned to realisation of the activities

Headquarters, division, department, project teams, subcontractors, suppliers, etc.

N

ot

fo

rR ep

Hardware

rin

Category

t

Categories

13

l-

The supporting assets are generally easier to identify because they are the most tangible assets, such as facilities, furniture and office supplies, IT equipment and software.

Sa

m

pl e

M

at

er

ia

In Appendix B.1.2. of ISO 27005, sub-categories can be found for each asset class of supporting assets, with examples.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

116


Certified ISO 27005 | Risk Manager | Instructor Guide

Primary and Supporting Assets Hardware

Software

Personnel

R&D

Patents

Server

CRM

Marketing Specialist

Sales

Customer data

Laptop

Word processing

Network Administrator

Design

Marketing Research Report

External Drive

Excel

Database Manager

Production

Financial Statements

Network

Production Simulation

Finance Director

Accounting

Source Code

Printer

Accounting

Sales Representative

rin

Information

N

ot

fo

rR ep

Process

t

Examples of links

14

l-

To have a decent risk assessment of an asset, the relationship between major assets of the organization should be analyzed.

Sa

m

pl e

M

at

er

ia

Using the previous example of the customer database, the smooth functioning and security of this asset depends on several other assets, the sales process, the server, CRM software, sales representatives, etc.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

117


Certified ISO 27005 | Risk Manager | Instructor Guide

Identification of the Asset Owners

rR ep

z The asset owner does not necessarily has property rights over the asset but he has the responsibility for its production, development, maintenance, operation and its security

rin

z An owner must be identified for each asset, to take responsibility and traceability of assets

t

ISO 27001, clause A.7.1.2

N

ot

fo

z The owner is often the person best suited to determine the value of the asset for the organization

15

l-

The management of an asset may be delegated to a custodian (guardian). Despite the fact that the trustee oversees the daily use of an asset, the owner remains responsible.

Sa

m

pl e

M

at

er

ia

In the case of shared assets (e.g., a server), it may be helpful to designate assets or groups of assets with a "special service function� . Thus, one may appoint a person responsible for shared service delivery, including operating assets providing this service. For example, the sales manager is identified as owner and manager of customer databases (the primary active). In contrast, the server hosting the database (the supporting asset) may be the responsibility of the IT manager.

Copyright Š 2013, ITpreneurs Nederland B.V. All rights reserved.

118


ISO 27005 Risk manager Course Instructor Guide  
Advertisement
Read more
Read more
Similar to
Popular now
Just for you