
6th November 2012
Session 2: Chapter 6-12 + 14 and 15: Risk management and first half of controls


Two types of risk: speculative (opportunity) and non-speculative (hazard). The first carries the possibility of either a gain or a loss; the other has only loss associated with it. Speculative risk is associated with all kinds of business and is a necessity. Only non-speculative risk is considered in risk management.

Can we eliminate all risk? Reduce risk to an acceptable level, and then:

  • Live with residual risk - control it
  • Transfer it - insurance

Risk management can be divided in steps:

  1. Define risk methodology
  2. Conduct risk assessment
  3. Decide on risk acceptance and build a risk treatment plan. Part of this process is determining what controls to enable (or not enable) as to be documented in the SoA.

The risk handling process has to be formal: documented and approved, and it's considered the intelligence part of the ISMS: trying to predict what will happen and avoid bad situations. Anyone tasked with risk assessment must be qualified and experienced; often external help must be acquired. Risk methods can be

    No matter which method is chosen, it must be well defined, and it's a cyclic process (at least yearly) where feedback since the last session must be taken into consideration.

    When iterating through the assets, the goal is to represent the findings in some kind of table grouped by risk level, in order to prioritize the actions to be taken to reduce risk.

    The SoA (Statement of Applicability) is then written, choosing the controls that suit this organization. It's important to note that a rational explanation is necessary when choosing not to implement a particular control.
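As an added illustration of the two preceding points (not part of the lecture notes), the following script groups assessed assets into a table by risk level and checks a toy SoA for exclusions that lack a justification. The 3x3 likelihood/impact scale, the thresholds, the control identifiers (C1..C3) and all sample data are constructed assumptions, not taken from ISO 27001/27002.

```python
from collections import defaultdict

# Assumed scale: likelihood and impact each 1..3, risk score = product.
# Level thresholds are an assumption chosen for this example.
def risk_level(likelihood: int, impact: int) -> str:
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be in 1..3")
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def group_by_risk(assessments):
    """assessments: list of (asset, threat, likelihood, impact).
    Returns {level: [(asset, threat, score), ...]} with the highest
    score first inside each level, i.e. the prioritized risk table."""
    groups = defaultdict(list)
    for asset, threat, lik, imp in assessments:
        groups[risk_level(lik, imp)].append((asset, threat, lik * imp))
    for rows in groups.values():
        rows.sort(key=lambda row: row[2], reverse=True)
    return dict(groups)

def soa_missing_justification(soa):
    """soa: {control_id: (applicable, justification)}.
    Returns the ids of controls excluded without a rational explanation."""
    return sorted(cid for cid, (applicable, why) in soa.items()
                  if not applicable and not why.strip())

# Constructed sample data (placeholder control ids, not ISO clause numbers).
SAMPLE_ASSESSMENTS = [
    ("customer database", "unauthorised disclosure", 2, 3),
    ("office laptops", "theft", 3, 2),
    ("visitor Wi-Fi", "outage", 2, 1),
]
SAMPLE_SOA = {
    "C1 asset inventory": (True, ""),
    "C2 physical perimeter": (False, "fully remote organisation, no premises"),
    "C3 terms of employment": (False, ""),   # excluded, no reason given
}

if __name__ == "__main__":
    for level, rows in group_by_risk(SAMPLE_ASSESSMENTS).items():
        print(f"{level:>6}: {rows}")
    print("SoA exclusions lacking justification:",
          soa_missing_justification(SAMPLE_SOA))
```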


    Controls (countermeasures) can take different forms depending on what they are targeted against, and they can be:

    • Preventive (including directive): Things you can do before an incident happens to minimize the likelihood or impact of the incident. Could be lowering the accessibility,
    • Detective: Being able to detect that an incident has occurred, like logs and traps
    • Corrective (including recovery): Being able to recover from an incident. Typical example would be backup.

    In addition, controls can be directed at

    • People
    • Information and communication technologies
    • Physical security (like offices)

    ISO 27002 defines 11 categories containing 133 sub-clauses (controls?). In addition to following these controls, it's also necessary to document their effectiveness and use gap analysis to close the "gaps" between the wanted assurance level and the actual level.

    Some controls talked about during lecture:

    1. External parties (ch7)

      • A specific risk assessment should be made for each individual external party
      • Could be advisers, consultants, temporary staff, auditors. On site or off site, short and long term.
      • Outsourcing: Be careful with service level agreements when it comes to availability, capacity, penalties and audits (access to statistics is not obviously available without inspection). Responsibility for personal information cannot be outsourced by law.

    2. Asset management (ch8)

      • Define who is the owner of the information (responsible)
      • Create an inventory of important assets
      • Document an acceptable use policy (how to use e-mail, social media, mobile devices, ...)
      • Classification: SEC1-3, sharing versus protecting, life cycle (marking, storing/sharing, destruction)
      • Aggregation of lower classified information

    3. Human resources (ch9)

      • Pre-employment: Job descriptions and screening (certifications, verify identification, verify CV, verify criminal/financial status, ...)
      • During employment: Training (Training Need Analysis, TNA), periodic tests to keep verification up to date, Non-Disclosure Agreements, and how to handle incidents
      • Post-employment: Remove access, retain/replace knowledge, be careful with firing without hard proof of the reason, reminder of NDA.

    4. Physical resources (ch10)

      • Layered security, define secure areas. Keep backups offsite.
      • Alarms with response plans. Avoid letting areas that outsiders can see into give direct access to protected areas.
      • Reception of people
      • Reception of goods (delivery and loading areas)
      • Cabling (power, network, ..)

    5. Equipment security (ch11)

      • Theft prevention
      • Fire, flood, humidity, earthquake, lightning
      • Placement of toilets, refreshments
      • Secure disposal
      • Electromagnetic radiation / TEMPEST

    6. Communication and operation (ch12)

      • Change management: Make sure new software and patches are approved and tested before deployment. The same goes for changes to important configuration.
      • Plan the moving of equipment. What are the uptime requirements while moving?
      • Different kinds of tests (Factory Acceptance Test (FAT), System Acceptance Test (SAT))

    7. Malicious software (ch13)
      • (Skipped)
      • Importing of files

    8. Network and media handling (ch14)
      • Separate duties (like backup and system administrators)
      • Document cabling (labels)
      • Remote administration
      • Be aware of network equipment placement (relates to physical security)
      • The danger of storage media for information theft; the same goes for mobile phones

    9. Exchanges of information (ch15)
      • Format of exchange (including encryption)