UCF ID: 00703
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Analyze and quantify the risks to systems and information. [UCF Control ID 00701]
There are no supporting controls.
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 49, Pg 51; FFIEC IT Examination Handbook – Audit, August 2003, Pg 16; FFIEC IT Examination Handbook – Information Security, Pg 15, Exam Tier I Obj 3.1; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.4.4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; CobiT, Version 4.1, PO9.4; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 4.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.2(d); ISO/IEC 27002 Code of practice for information security management, 2005, § 4.2; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 9.3.3
Sarbanes Oxley Guidance
A combination of qualitative and quantitative techniques should be used when determining risk to the organization. Qualitative techniques are used when risks cannot be measured in quantitative terms. Quantitative techniques usually require more effort and rigor. [Pg 49, Pg 51, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
Banking and Finance Guidance
The organization should develop a scoring system that is understandable and objective. Risk factors used for scoring systems include the adequacy of controls; volume of transactions; the age of the system or application; physical and logical security; previous reports; and human resources (experience, turnover, technical competence). [Pg 16, FFIEC IT Examination Handbook – Audit, August 2003]
The organization should rank the level of risk associated with all information. These levels are subjective and should be based on the threat likelihood and the level of exposure to the threat. [Pg 15, Exam Tier I Obj 3.1, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
[§ 3.4.4, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]
NIST Guidance
Risk measurement should include asset valuation, consequence assessment, threat identification, safeguard analysis, vulnerability analysis, and likelihood assessment. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
The organization should develop criteria for deciding if risks can or cannot be accepted. [§ 4.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The organization should define how the effectiveness of security controls is to be measured, and state how these measurements will be used to assess the effectiveness of those controls. [§ 4.2.2(d), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
The organization should develop criteria for deciding if risks can or cannot be accepted. [§ 4.2, ISO/IEC 27002 Code of practice for information security management, 2005]
Valuation of Assets and Establishment of Dependencies Between Assets. An organization should list all assets of the IT system under review and assign values to these assets. These values represent the importance of the assets to the business of the organization. This may be expressed in terms of security concerns such as the potential adverse business impacts from the disclosure, modification, non-availability and/or destruction of information and other IT system assets. Thus asset identification and valuation, based on the business needs of an organization, is a major factor in the determination of risks.
The input for the valuation of assets should be provided by owners and users of the assets. The person(s) carrying out the risk analysis will list the assets. They should seek assistance from those involved in business planning, finance, information systems and other relevant activities in order to identify values for each of these assets. The values assigned should be related to the cost of obtaining and maintaining the asset, and to the potential adverse business impacts from loss of confidentiality, integrity, availability, accountability, authenticity and reliability. Each of the assets identified should be of value to the organization. However, there will not be a direct or easy way to establish a financial value for all of them. It is also necessary to establish the value, or extent of importance, to the organization in non-financial, i.e. qualitative, terms. Otherwise it will be difficult to identify the level of protection and the amount of resource the organization should devote to protecting the assets. An example of such a valuation scale could be a distinction between low, medium and high, or, in more detail:
negligible - low - medium - high - very high.
Regardless of which scale is used, issues to be considered in this valuation could be the possible damages resulting from:
· violation of legislation and/or regulation,
· impairment of business performance,
· loss of goodwill/negative effect on reputation,
· breach of confidentiality associated with personal information,
· endangerment of personal safety,
· adverse effects on law enforcement,
· breach of commercial confidentiality,
· breach of public order,
· financial loss,
· disruption to business activities, and
· endangerment of environmental safety.
An organization might need to think of other criteria important for its business. Also, an organization has to define its own limits for damages like 'low' or 'high'. For example, financial damage which might be disastrous for a small company might be low or even negligible for a very big company.
The method for assessment must allow not only quantitative valuation, but also qualitative valuation where quantitative valuation is impossible or illogical (for example, the potential for loss of life, or loss of business goodwill). Explanation should be given of the valuation scale used.
Dependencies of assets on other assets should also be identified, since this might influence the values of the assets. For example, the confidentiality of data should be kept throughout its processing, i.e. the security needs of a data processing program should be directly related to the value representing the confidentiality of the data processed. Also, if a business process relies on the integrity of certain data being produced by a program, the input data of this program should be of appropriate reliability. Moreover, the integrity of information will be dependent on the hardware and software used for its storage and processing. Also, the hardware will be dependent on the power supply and possibly the air conditioning. Thus information about dependencies will assist in the identification of relevant threats and particularly vulnerabilities. It will also help to ensure that the assets are given their true value (through the dependency relationships), and thereby an appropriate level of protection.
The values of assets on which other assets are dependent may be modified in the following way:
· if the value of the dependent asset (e.g. data) is lower than or equal to the value of the asset considered (e.g. software), its value remains the same, and
· if the value of the dependent asset (e.g. data) is greater, then the value of the asset considered (e.g. software) should be increased according to:
· the degree of dependency, and
· the values of the other assets.
An organization may have some assets which are available more than once, like copies of software programs or the same type of PC used in most of the offices. It is important to consider this fact when doing the asset valuation. On one hand, these copies etc. are easily overlooked, so care must be taken to identify all of them; on the other hand, they could be used to reduce availability problems.
The final output of this step is a list of assets and their values relative to disclosure (preservation of confidentiality), modification (preservation of integrity), non-availability and destruction (preservation of availability), and replacement cost. [¶ 9.3.3, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
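The valuation and dependency rules above, carried through as an added Python example (it is not text or code from ISO/IEC 13335-3 or the UCF). The five-step scale, the asset inventory, the dependency list and the degrees of dependency are all constructed; the standard prescribes no formula for "increased according to the degree of dependency and the values of the other assets", so the formula used here (raise the supporting asset by degree times the gap, rounded half up, capped at the top of the scale) is an assumption. Propagation is iterated to a fixed point so that a chain such as data, application, server, power supply is handled transitively.

```python
"""Asset valuation with dependency propagation in the manner of ISO/IEC
13335-3 para 9.3.3.  Added example; the adjustment formula, scale, assets
and dependencies are all assumptions, not content of the standard."""

from dataclasses import dataclass

SCALE = ["negligible", "low", "medium", "high", "very high"]
# Attributes match the output the step asks for: disclosure (confidentiality),
# modification (integrity), non-availability/destruction (availability).
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    values: dict                  # attribute -> index into SCALE, from owners/users
    replacement_cost: float = 0.0  # financial component, kept separate from the scale

    def __post_init__(self):
        for attr in ATTRIBUTES:
            v = self.values.get(attr)
            if not isinstance(v, int) or not 0 <= v < len(SCALE):
                raise ValueError(f"{self.name}: {attr} must be an index into SCALE, got {v!r}")


def propagate_dependencies(assets, dependencies, max_rounds=100):
    """Apply the 13335-3 rule: where a dependent asset's value exceeds the value
    of the asset it depends on, raise the latter; otherwise leave it unchanged.

    dependencies: iterable of (dependent, supporting, attribute, degree) with
    degree in (0, 1].  Iterated to a fixed point so chains propagate
    transitively; values are bounded by the scale and never decrease, so the
    loop terminates.
    """
    by_name = {a.name: a for a in assets}
    for _ in range(max_rounds):
        changed = False
        for dependent, supporting, attr, degree in dependencies:
            if not 0.0 < degree <= 1.0:
                raise ValueError(f"degree must be in (0, 1], got {degree}")
            dep_v = by_name[dependent].values[attr]
            sup = by_name[supporting]
            sup_v = sup.values[attr]
            if dep_v <= sup_v:
                continue  # rule 1: the supporting asset's value stays the same
            # rule 2 (assumed formula): scale the gap by the degree of dependency
            raised = min(len(SCALE) - 1, sup_v + int(degree * (dep_v - sup_v) + 0.5))
            if raised > sup_v:
                sup.values[attr] = raised
                changed = True
        if not changed:
            return by_name
    raise RuntimeError("dependency propagation did not converge")


def valuation_report(by_name):
    """Final output of the step: each asset with its value per attribute and its
    replacement cost, highest combined value first."""
    rows = []
    for a in by_name.values():
        rows.append({"asset": a.name,
                     **{attr: SCALE[a.values[attr]] for attr in ATTRIBUTES},
                     "replacement_cost": a.replacement_cost})
    return sorted(rows, key=lambda r: -sum(SCALE.index(r[a]) for a in ATTRIBUTES))


def sample_assets():
    """Constructed inventory, valued as owners/users might before dependencies
    are considered.  Returns fresh objects each call (propagation mutates)."""
    return [
        Asset("customer-db", {"confidentiality": 4, "integrity": 3, "availability": 3}),
        Asset("billing-app", {"confidentiality": 1, "integrity": 2, "availability": 2}, 5000),
        Asset("db-server", {"confidentiality": 0, "integrity": 1, "availability": 2}, 12000),
        Asset("power-ups", {"confidentiality": 0, "integrity": 0, "availability": 1}, 3000),
    ]


SAMPLE_DEPENDENCIES = [  # (dependent, supporting, attribute, degree), constructed
    ("customer-db", "billing-app", "confidentiality", 1.0),  # the app processes the data
    ("customer-db", "billing-app", "integrity", 1.0),
    ("billing-app", "db-server", "integrity", 1.0),          # the server stores and runs it
    ("customer-db", "db-server", "confidentiality", 1.0),
    ("billing-app", "db-server", "availability", 1.0),       # equal values: no change
    ("db-server", "power-ups", "availability", 0.5),         # partial: mains covers the rest
]


if __name__ == "__main__":
    for row in valuation_report(propagate_dependencies(sample_assets(), SAMPLE_DEPENDENCIES)):
        print(row)
```

With the constructed inventory, the billing application and the database server inherit "very high" confidentiality and "high" integrity from the customer data even though their owners rated them low, and the UPS rises from "low" to "medium" availability through the half-weight dependency; the replacement cost is reported alongside but never feeds the scale, matching the distinction between financial and qualitative value in the text.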
General Guidance
It is recommended that an organization create a quantitative risk scoring system. Scoring should be available for the impact of a threat and the likelihood of a threat occurring. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
On a regular basis, identified risks should be assessed using qualitative and quantitative methods. [PO9.4, CobiT, Version 4.1]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
