Risk Management & Information Security Management Systems

Risk Management and Risk Assessment are major components of Information Security Management (ISM). Although they are widely known, a wide range of definitions of Risk Management and Risk Assessment is found in the relevant literature [ISO13335-2], [NIST], [ENISA Regulation]. Here a consolidated view of Risk Management and Risk Assessment is presented. For the sake of this discussion, two approaches to presenting Risk Management and Risk Assessment, based mainly on OCTAVE [OCTAVE] and ISO 13335-2 [ISO13335-2], will be considered. Nevertheless, where necessary, structural elements that derive from other views of Risk Management and Risk Assessment are also used (e.g. treating Risk Management and Risk Assessment as counterparts of an Information Security Management System, or as parts of wider operational processes [WG-Deliverable 3], [Ricciuto]).

It is generally accepted by Information Security experts that Risk Assessment is part of the Risk Management process. After initialization, Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of the implemented security measures and the enforced security policy. Risk Assessment, by contrast, is executed at discrete points in time (e.g. once a year, on demand, etc.) and, until the next assessment is performed, provides a temporary view of the assessed risks and parameterizes the entire Risk Management process. This view of the relationship between Risk Management and Risk Assessment is depicted in the following figure, adopted from OCTAVE.

It is worth mentioning that in this figure both Risk Management and Risk Assessment are presented as processes, that is, as sequences of activities (see the arrows in the figure above). Various standards and good practices exist for the establishment of these processes (e.g. through structuring, adaptation, re-configuration, etc.). In practice, organizations tend to generate their own instantiations of these methods, in the form most suitable for a given organizational structure, business area or sector. In doing so, national or international standards (or a combination of them) are taken as a basis, and existing security mechanisms, policies and/or infrastructure are adapted one by one. In this way, new good practices for a particular sector are created. Some representative examples of tailored methods/good practices are:

a method based on a native national standard (e.g. [IT-Grund]);

a method based on a native international standard (e.g. [ISO13335-2]);

a method based on a de facto standard (e.g. [OCTAVE]);

a method based on a sector standard (e.g. [SIZ-DE]);

a method based on an individual basic protection profile for the IT-systems of an organization (e.g. [SIZ-PP]);

adoption of an already existing risk analysis of similar systems (e.g. based on existing Protection Profiles according to the Common Criteria [CC]).

In practice, combinations of the above examples are very common.

For the sake of the presentation within this site, the assumption is made that the Risk Management life-cycle presented in the figure (i.e. plan, implement, monitor, control, identify, assess) refers solely to risks. Similar activities that might be necessary within the Information Security Management process are considered to apply to operational aspects related to the implementation and control of security measures.

Although organizations tend to use a single method for Risk Management, multiple methods are typically used in parallel for Risk Assessment. This is because different Risk Assessment methods might be necessary, depending on the nature of the assessed system (e.g. structure, criticality, complexity, importance, etc.).

Through a series of activities, ENISA has established inventories of existing Risk Management and Risk Assessment methods and tools in Europe (also referred to as products here). Any of these products can be used for the instantiation of both the Risk Management and Risk Assessment processes mentioned in the figure above. The contents of these inventories and the inventories themselves are presented in this site.

It should be noted that a more detailed representation of Risk Management and Risk Assessment is given in ISO 13335-2 [ISO13335-2]. In general, the contents of the Risk Management and Risk Assessment processes as described here are compatible with ISO 13335. In the future, detailed examples of how to adapt the processes presented here to existing business and IT needs will be given in the form of demonstrators; the generation of such material will be part of future work at ENISA.