Author: dapan
Introduction:
It has been nearly five years since I first came into contact with risk assessment theory. At first I treated the theory as a silver bullet; then I doubted it and even abandoned it for a while; now I have come back to it and respect it as the essential tool for doing security work well. That is the whole up-and-down psychological process. This article analyzes and discusses the risk assessment method step by step, starting from the most prominent problem in risk assessment: how to get consistent, comparable, and reproducible risk assessment results.
1. Current situation of risk assessment
Risk theory has gradually become well known to most information security professionals, and risk-driven management of information security has been widely recognized and accepted. In recent years, with classified protection in China in full swing, risk assessment work has surged. Domestic information security consulting and service providers and institutions have spared no effort to promote risk assessment, and practice keeps deepening. Current risk assessment methods mainly refer to two standards: the international standard ISO 13335 (information security risk management guide) and the domestic standard GB/T 20984-2007 (information security risk assessment specification). In essence this is a qualitative risk assessment targeting information assets. The basic method is to identify and evaluate the protection objects of concern within the organization or enterprise (information systems, data, personnel, services, and so on); then, with reference to popular international and domestic standards such as ISO 27002, COBIT and the classified protection of information systems, to identify the threats these objects face and the vulnerabilities of their own that those threats can exploit; and finally to evaluate the risk to each information asset from both the likelihood and the extent of impact, yielding the information security risks faced by the enterprise. This is the method most organizations use for risk assessment. Of course, a few organizations and enterprises have begun, on the basis of asset risk assessment, to explore and develop methods similar to process risk assessment (see another blog post), supplementing and improving asset risk assessment.
2. Prominent problems of risk assessment
Risk assessment, and risk management more broadly, in the information security field borrows from the mature risk management methods of the banking industry. Banking business risk management has developed to a very mature level, and the banking industry also has abundant basic data to support the use of risk analysis methods. In the information security field, however, risk assessment is a new thing, or still a hidden one. Information security has been practiced in China for only about ten years; as an advanced ideology, risk assessment also faces the issue that, like Marxism-Leninism, it must be combined with China's actual national conditions to walk the road of socialism with Chinese characteristics. Quantitative risk assessment lacks the necessary soil: there is no foundation and no statistical data to support it, which makes quantitative risk assessment difficult. The essence of qualitative risk assessment is that it is qualitative, meaning estimation: rough and inexact. This essential defect brings endless problems to practice. One important problem is ROI: because we cannot assess, from a financial perspective, the possible losses caused by one or more risks, there is no way to compute a return on investment. Although this is a problem, in practice a large enterprise generally has a basic annual budget, IT/security is allotted a share of that budget, and that is the amount of money available. Risk treatment priority is determined by ordering risks from high to low, or by the enterprise's existing management and technical level and the difficulty of project implementation; when the money is spent, this year's risk treatment is done. This method is of very practical value and easy to operate. Companies with a large budget are not afraid to spend; enterprises with a small budget have their own solution: I have already told you which risks cannot be handled, so if something happens you cannot blame me, and if there is money next year we can proceed.
This is not the hard part. The most difficult and most prominent problem is that an enterprise does not perform a risk assessment only once, and the results of successive risk assessments are not comparable; sometimes they are even contradictory. For example, a department ranked in one position last year and in another this year, and the evaluation results do not reflect the work done between last year and this year, which improved the information security risks faced by the enterprise, or even one specific risk. A more striking example: previously an important system carried a risk of security impact from misoperation because the necessary operating procedures were absent; since then the operating procedures were standardized and the relevant operators were trained, among other control measures. By rights this risk has been given the necessary control and has been reduced, yet the evaluation result did not go down but went up. This problem can be summarized in one sentence: how to get consistent, comparable, and reproducible results from risk assessment.
3. Countermeasures
Before solving the problems of qualitative risk assessment it is necessary to define the problem clearly. Some may ask: does a risk value of 100 in the assessment results mean a very big risk? Or is a risk value of 30 in our enterprise's assessment smaller than a risk value of 100 for the same type of risk in another enterprise? The answer to both is no. The risk value of a qualitative risk assessment is only a relative value; the number itself is not meaningful, and has meaning only as a relative (high/low) value within the whole risk reference system. Security risks can be compared horizontally between enterprises only when the same risk assessment method (including the same risk calculation method and the same qualitative scale) is used, and preferably in the same industry with similar business. Within the same enterprise, risk assessment results should be comparable horizontally across departments and vertically over time within the same department. For that, the risk assessment results must also be consistent under the same risk assessment method (including the risk calculation method and the qualitative scale).
In practice, qualitative risk assessment relies mainly on the personal experience and judgment of the assessors, which is strongly subjective. So our problem becomes: under the same risk assessment method, how can we eliminate the subjective interference of the assessors as much as possible, so that the assessment results come closer to the actual risk situation (which cannot be known, but must exist)?
One way to solve this problem is structuring. Currently, whether consulting/security service companies assist enterprises with risk assessment, or enterprises perform risk and control self-assessment based on a risk assessment system they established from international and domestic standards, the general procedure is first to conduct a current-situation survey and then to evaluate the risks based on its results. It can be said that risk assessment is another, more scientific and intuitive, manifestation of the current-situation survey results. Therefore the survey results are an important input to risk assessment. Structuring the survey results means establishing a structural relationship between each risk and the risk response measures (controls) that address it. In this way, each time a risk's size is evaluated, all of the corresponding countermeasures are analyzed and evaluated. Take the following example:
In the risk assessment, the specific risk "top secret files on a server are leaked through misoperation because responsibility for the asset is unclear" should have a structured connection to the controls "asset owner relationship", "documented operating procedures" and "information security awareness, education and training". During the first risk assessment, only the owner of the enterprise's top secret file had been specified and had stated the protection requirement for the file, so the control of this risk was weak, and the risk assessment result was 16.
After the first risk assessment, we then specified standard operating procedures and conducted the necessary security and operation skills training for the personnel, so that the operators are fully familiar with the operating specifications. When this risk is evaluated again in the second risk assessment, the result is 4.
From this simple example we can see that once a structured relationship between a risk and its response measures is established, each time the risk is evaluated the scientific decomposition of risk control reduces the negative impact of subjective judgment in the evaluation process. In practice this can be refined further, for example by grading the control strength of the same control measure: in the example above, the maturity of the "documented procedure" further determines the strength and effectiveness of the control. Of course, we also need to consider the relationships among similar risks and the relationships among control measures.
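The structured risk/control relationship above, with the maturity grading suggested in this paragraph, written out as an added example (not code from the original post). The 1..4 likelihood and impact scales, the control weights and the maturity percentages are assumptions chosen so that the post's two assessments reproduce its scores of 16 and 4; the point is that the same inputs always yield the same score, so successive assessments become comparable.

```python
from dataclasses import dataclass

# Assumed qualitative scales (the post does not state its scale): likelihood
# and impact both run 1..4, risk score = residual likelihood * impact.
LIKELIHOOD_MAX = 4

# Control strength graded by maturity, in percent of the control's full effect.
MATURITY_PCT = {"absent": 0, "defined": 50, "effective": 100}

@dataclass
class Control:
    name: str
    weight_pct: int            # share of the risk's likelihood this control addresses
    maturity: str = "absent"   # key of MATURITY_PCT

@dataclass
class Risk:
    name: str
    impact: int                # 1..4
    controls: list             # all controls structurally linked to this risk

def coverage_pct(risk: Risk) -> int:
    """Aggregate every linked control, weighted by its maturity (integer math)."""
    total = sum(c.weight_pct * MATURITY_PCT[c.maturity] for c in risk.controls) // 100
    return min(total, 100)

def residual_likelihood(risk: Risk) -> int:
    # Uncontrolled likelihood is LIKELIHOOD_MAX; never drops below 1.
    return max(1, round(LIKELIHOOD_MAX * (100 - coverage_pct(risk)) / 100))

def risk_score(risk: Risk) -> int:
    return residual_likelihood(risk) * risk.impact

def make_leak_risk(owner: str, procedures: str, training: str) -> Risk:
    """The post's example risk with its three linked controls (weights assumed)."""
    return Risk("top secret file on server leaked through misoperation", impact=4, controls=[
        Control("asset owner relationship", 20, owner),
        Control("documented operating procedures", 40, procedures),
        Control("information security awareness, education and training", 40, training),
    ])

def compare(before: Risk, after: Risk) -> int:
    """Change in score between two assessments of the same risk (vertical comparison)."""
    return risk_score(after) - risk_score(before)

if __name__ == "__main__":
    first = make_leak_risk("defined", "absent", "absent")           # only the owner specified
    second = make_leak_risk("effective", "effective", "effective")  # SOP written, staff trained
    print(risk_score(first), risk_score(second), compare(first, second))  # 16 4 -12
```

A partially mature state (procedures written but no training yet) scores 8, so the grading also makes intermediate progress visible between assessments.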
4. Conclusion
The above is a useful discussion of the qualitative risk assessment method at the level of practical operation. It is derived from our practical experience and has achieved good results in specific projects. In short, we need to make the necessary additions to the standard asset risk assessment method. At the same time we must preserve the advantage of the qualitative method, which is precisely that it is simple, easy to operate, and widely applicable: while adding, we also need to subtract, to ensure consistent, comparable, and repeatable results while restoring the essential simplicity and ease of operation; only in this way can the method keep its scientific nature and vitality. This is just like "us" in the metropolis, who, to cope with intense competition at work and the pressures of living, must constantly add to ourselves (keep learning and recharging) and at the same time constantly subtract (relax, decompress, and be kind to ourselves). Wouldn't you say so?!