1. Information Systems Risk Assessment Framework (ISRAF)
(Addendum to NIST SP 800-39 information systems risk management and revision of NIST SP 800-30)
Prepared by S. Periyakaruppan (PK)
8. The Model/Framework
[Diagram: Frame (Context) spanning Tier 1, Tier 2 and Tier 3]
The framework addresses the comprehensive risk management function in a hierarchical approach (Tier 1, Tier 2, Tier 3) and leverages a context-centric approach.
9. The Focus
[Diagram: Assess, Respond, Monitor]
Risk assessment is a key element of risk management.
• Risk assessment process in a modular approach.
• Preparation checklist.
• Activity checklist.
• Protocol to maintain appropriate results of risk assessments.
• Method of communicating risk results across the organization.
15. Conducting Assessment
Step 1: Identify threat sources and events
• Intent, target, capability
• Capability of adversaries
• Range of effects
Step 2: Identify vulnerabilities and pre-disposing conditions
• Effect of existing controls
• Intentional/accidental flaw or weakness in a system/process
Step 3: Determine likelihood of occurrence
• Depends on the degree of Step 1 and the effect of Step 2
Step 4: Determine magnitude of impact
• Result of the BIA
• Depends on effective BCP/DR, MTTR/MTBF, RTO/RPO
Step 5: Determine risk
16. Method of Risk Analysis
Threat oriented
• Identify threat source and event
• Develop threat scenario and model
• Identify vulnerabilities in context of threats
Vulnerability oriented
• Identify pre-disposing conditions
• Identify exploitable vulnerabilities
• Identify threats related to the known/open vulnerabilities
Asset/Impact oriented
• Identify mission/business critical assets
• Analyze the consequences of the adversarial threat event
• Identify vulnerabilities to the threat events/scenario of critical assets with severe adverse impact.
17. Method of Risk Assessments
Qualitative
• Objective oriented assessment
• Using non-numerical values to define risk factors
• Likelihood and impact with a definite value based on individual expertise
Quantitative
• Subjective oriented approach
• Using numerical values to define risk factors
• Likelihood and impact with a definite number based on the history of events.
Semi Quantitative
• Contextual analysis and result oriented approach
• Using bin values (numerical ranges) with a unique meaning and context.
• Likelihood and impact derived from a range of numerical values with a degree of unique context
18. Sample Assessment Scale
[Table: sample scales for Qualitative, Quantitative and Semi Quantitative assessment]
Caution: The assessment scales and their descriptive meanings vary from organization to organization, and within an organization at its discretion, according to the organizational culture and its policies and guidelines.
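Added example, not from the deck: the risk determination of Steps 3 to 5 on the assessment slide, worked in the three styles of the methods slide, together with the ALE/ROSI figures named under the applications of risk assessment. The five-level scale, its bin values and the qualitative combination rule are constructed NIST SP 800-30-style illustrations (organization-specific, as the caution above says), and the inputs in the main block are made up.

```python
"""Added example, not part of the original deck: Steps 3-5 of the assessment
process worked in the three styles of the methods slide. The scale and the
combination rules are constructed, NIST SP 800-30-style, not the deck's own."""

# Constructed semi-quantitative scale: level -> (bin range on a 0-100 score, bin value)
SCALE = {
    "Very Low": ((0, 4), 0),
    "Low": ((5, 20), 2),
    "Moderate": ((21, 79), 5),
    "High": ((80, 95), 8),
    "Very High": ((96, 100), 10),
}
LEVELS = list(SCALE)  # ordered Very Low .. Very High

def level_from_score(score: int) -> str:
    """Place a 0-100 score into the bin whose range contains it."""
    for level, ((lo, hi), _) in SCALE.items():
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} is outside the 0-100 scale")

def qualitative_risk(likelihood: str, impact: str) -> str:
    """Qualitative: non-numerical levels combined by a constructed judgement rule:
    the level midway between the two (rounded down), Very Low if either is Very Low."""
    li, ii = LEVELS.index(likelihood), LEVELS.index(impact)
    return "Very Low" if min(li, ii) == 0 else LEVELS[(li + ii) // 2]

def semi_quantitative_risk(likelihood: str, impact: str) -> tuple[int, str]:
    """Semi-quantitative: multiply bin values (max 10 x 10 = 100) and map the product
    back onto the 0-100 scale, so the number keeps a contextual meaning."""
    score = SCALE[likelihood][1] * SCALE[impact][1]
    return score, level_from_score(score)

def quantitative_risk(aro: float, sle: float) -> float:
    """Quantitative: likelihood as annual rate of occurrence (from event history),
    impact as single loss expectancy in currency; risk is ALE = ARO x SLE."""
    return aro * sle

def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment of a mitigate response:
    (ALE reduction minus control cost) relative to the control cost."""
    return (ale_before - ale_after - control_cost) / control_cost

if __name__ == "__main__":
    print(qualitative_risk("High", "Moderate"))        # Moderate
    print(semi_quantitative_risk("High", "Moderate"))  # (40, 'Moderate')
    print(quantitative_risk(aro=0.5, sle=200_000.0))   # 100000.0 (ALE per year)
    print(rosi(100_000.0, 20_000.0, 30_000.0))         # 1.666... (167% return)
```

The same likelihood/impact pair yields a level in the qualitative and semi-quantitative styles but a currency figure in the quantitative one, which is why the bin values have to be agreed in advance per organization.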
19. Communicate Result
Determine the appropriate method of communication
• Format defined by the organization.
• Executive briefings
• Presenting illustrative risk figures
• Risk assessment dashboards
• Outline the organizational prioritized risk
Communicate to the designated organizational stakeholders
• Identify the appropriate authority.
• Ensure the right information reaches the right person at the right time.
• Present contextual information in accordance with the risk strategy
Furnish evidence that complies with organizational policies and guidelines
• Capture the appropriate analysis data that support the result.
• Include applicable supporting documents to convey the degree of the results
• Identify and document the source of internal and external information.
20. Maintain Risk Posture
Identify key risk factors
• Monitor the key risk factors
• Document the variations.
• Re-define the key risk factors
• Communicate the results to organizational entities
Define the frequency of revisit
• Track the risk response as required
• Initiate the assessment when needed
• Document the plan of action with respect to the risk response.
Reconfirm the scope and assumptions
• Get the concurrence of the appropriate authorities on the scope and assumptions
21. Applications of Risk Assessment
• Information risk strategy decisions
• Contribute to EA design decisions
• IS policy/program/guidance decisions
• Common control/security standards decisions.
• Help risk response: Avoid/Accept/Mitigate/Transfer
• Investment decisions: ROSI (Return on Security Investment) / VaR (Value at Risk) / ALE (Annual Loss Expectancy)
• Support EA (Enterprise Architecture) integration into SA.
• Assist in business/function information continuity decisions
• Assist in business process resiliency requirements
• Contribute to IS systems design decisions
• Support vendor/product decisions
• Support ongoing system operations authorizations