Sun Sep 14 19:45:16 PDT 2014

Risk Management: Risk management process: What risk assessment processes should be used?


Options:

Option 1: Do minimal due diligence only.
Option 2: Do probabilistic risk analysis or use covering approaches.
Option 3: Do lightweight initial and periodic reassessments.
Option 4: Do a protection posture assessment.
Option 5: Use expert facilitated analysis or an augmented protection posture assessment.
Option 6: Use scenario-based analysis.
Option 7: Use systems analysis.

Decisions:

Create your variation on the following table by filling in types of enterprise ICS facilities where they belong - assume that all items are minimal for the identified risk level and higher:
Risk management approaches (rows: threat level; columns: consequence level)

High threat
  Low consequence:    Avoid this risk OR do deceptions only here
  Medium consequence: Use expert facilitated analysis or in-depth protection posture assessments - manage attentively - maturity defined or managed
  High consequence:   Use systems analysis - manage continuously - involve top management - reassess continuously - maturity optimizing

Medium threat
  Low consequence:    Avoid or accept the added risk and use minimal due diligence approaches OR lightweight initial and periodic reassessments (annual) - consider deception - maturity initial or repeatable
  Medium consequence: Use protection posture assessments OR lightweight initial and periodic reassessments (6 months) - manage carefully - sound change control - accreditation process - manage configurations - maturity defined or higher
  High consequence:   Use scenario-based analysis - manage tightly - systematic change management - maturity managed or higher

Low threat
  Low consequence:    Use lightweight initial and periodic reassessments (annual) OR minimal due diligence approaches - vulnerability testing - simple approaches - loose controls - minimum cost and effort - limited review process - maturity initial or repeatable
  Medium consequence: Use lightweight initial and periodic reassessments (9 months) OR, if mandated, probabilistic risk analysis or covering approaches - managed configurations and changes - periodic oversight - maturity repeatable or defined
  High consequence:   Treat the threat as at least medium and reassess

Typical ICS ratings would be:

Specific ICS systems and their risk profiles (rows: threat level; columns: consequence level)

High threat
  Low consequence:    N/A
  Medium consequence: Facilities that manufacture fungibles (e.g., paper money, gold coins, etc.), integrated circuits, smart cards, computers, ICS systems for medium surety applications, and other similar sorts of items
  High consequence:   WMD manufacturing and control facilities, nuclear power plants, chemical plants with deadly chemicals in high volumes, biological weapons and infectious disease facilities, spacecraft and aerial intelligence systems manufacturing facilities, high explosives and missile systems manufacturing facilities, nuclear material reprocessing facilities, etc.

Medium threat
  Low consequence:    N/A
  Medium consequence: Most large-scale manufacturers, car makers, shipyards, etc.
  High consequence:   Drug manufacturing, chemical processing plants, fuel processing plants, real-time critical infrastructures (i.e., power and water), medical procedure systems (e.g., MRI machines, X-ray machines, etc.), military aircraft manufacturers, weapons systems manufacturers, etc.

Low threat
  Low consequence:    Part-time local automated office-like systems (e.g., envelope stuffers, copiers, light assembly lines, light-weight sorting facilities, vending machines, automatic photo-developing machines, local pharmacy pill counters, HVAC, elevators, escalators, service stations, etc.)
  Medium consequence: Packaging plants for dry goods, wood and glass processing plants, metal shops, non-medical and non-toxic testing laboratories, bottling plants, medium volume light manufacturing facilities, automated car parks, amusement parks, home appliance manufacturers, etc.
  High consequence:   N/A

Basis:

Use a minimal due diligence approach: For the low risk end of the spectrum, where most day-to-day users tend to work, due diligence approaches and vulnerability testing are adequate to the risk assessment process. Diligence with respect to not becoming a hazard is required for any system, and vulnerability testing is a good way to get a handle on easily repaired problems. These are inexpensive and reasonable things to do in most cases. Common operating environments are often used to save on costs of operation and maintenance. At this end of the risk spectrum, it is easy to accept risks. As long as there isn't any really serious consequence associated with failures in these systems, they should be optimized for life cycle cost and business efficiency.

Use probabilistic risk assessment or covering approaches: As risks increase, more demands are made on systems to assure the utility of content. For medium risk situations, many things are different. Sound change control and accreditation processes are necessary, configurations should be closely managed, and the infrastructure supporting the application should fall under closer scrutiny and management. Probabilistic risk analysis may be used for natural threats, and covering approaches are also reasonable for low threat, medium consequence situations.

Do lightweight initial and periodic reassessments: Lightweight initial and periodic assessments provide a way to achieve many of the objectives of a protection posture assessment at far lower initial cost. The notion is that, for situations that are likely to change rapidly over time, the cost and delay involved in more in-depth processes are not as good a tradeoff as a series of smaller and faster assessments. This is particularly useful in situations where a protection program is being started up or over the period of a major change. These assessments typically deal only with the as-is and future states and don't include gap analysis or transition planning. They are normally done every 3-6 months for the duration of the major changes or until the start-up program becomes mature enough for a more thorough process. If an independent audit process is used to verify the factual accuracy of assessments, low risk systems should reassess annually, and medium risk systems every 6-9 months.

Use protection posture assessments or expert facilitated analysis: Protection posture assessments and expert facilitated analysis are more suitable as the threats increase. While periodic oversight is acceptable at low threat levels, management must keep tighter reins and review at a higher rate for higher consequence systems or systems under more severe threats.

Use scenario-based analysis or systems analysis: When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary.
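As an added example (not part of the original page), the following Python encodes the "Risk management approaches" table and the Basis rules above as a checker for an ICS asset inventory: the low threat / high consequence escalation to medium threat, the 3-month cadence during major changes, the continuous reassessment at high/high, and the maturity floor each cell requires. Asset names and dates are constructed, and a month is approximated as 30 days.

```python
"""Encode the risk-assessment decision table and reassessment cadences above as
an inventory checker. Dates are ISO strings; a month is approximated as 30 days."""
from datetime import date, timedelta
MATURITY = ("initial", "repeatable", "defined", "managed", "optimizing")

# (threat, consequence) -> (approach, reassessment interval in months, minimum maturity),
# transcribed from the "Risk management approaches" table. 0 months means "reassess
# continuously"; None means the table fixes no period or no maturity floor for that cell.
CELLS = {
    ("high", "low"):      ("avoid the risk, or deceptions only", None, None),
    ("high", "medium"):   ("expert facilitated analysis or in-depth posture assessment", None, "defined"),
    ("high", "high"):     ("systems analysis", 0, "optimizing"),
    ("medium", "low"):    ("minimal due diligence or lightweight reassessment", 12, "initial"),
    ("medium", "medium"): ("protection posture assessment or lightweight reassessment", 6, "defined"),
    ("medium", "high"):   ("scenario-based analysis", None, "managed"),
    ("low", "low"):       ("lightweight reassessment or minimal due diligence", 12, "initial"),
    ("low", "medium"):    ("lightweight reassessment; probabilistic or covering if mandated", 9, "repeatable"),
}

def effective_threat(threat, consequence):
    """Table rule: low threat with high consequence is treated as at least medium threat."""
    return "medium" if (threat, consequence) == ("low", "high") else threat

def plan(threat, consequence, maturity, last_assessed, today, in_major_change=False):
    """Required approach, next reassessment date and maturity gap for one asset."""
    t = effective_threat(threat, consequence)
    approach, months, floor = CELLS[(t, consequence)]
    if in_major_change and t != "high":
        months = 3  # Basis: lightweight reassessments every 3-6 months during a major change
    next_due = None if months is None else (  # None: cadence set by management review
        date.fromisoformat(last_assessed) + timedelta(days=30 * months)).isoformat()
    return {
        "effective_threat": t,
        "approach": approach,
        "next_due": next_due,
        # 0-month cells fall due the day they are assessed, i.e. continuous reassessment
        "overdue": next_due is not None and next_due <= today,
        "maturity_gap": floor is not None and MATURITY.index(maturity) < MATURITY.index(floor),
    }

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical asset names, not real facilities).
    inventory = [
        ("bottling-line-plc", "low", "medium", "repeatable", "2013-11-01", False),
        ("water-scada", "medium", "high", "defined", "2014-03-01", False),
        ("hvac-controller", "low", "high", "initial", "2014-01-15", True),
    ]
    for name, th, co, mat, last, change in inventory:
        print(name, plan(th, co, mat, last, "2014-09-14", change))
```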

Risk management is the core process underlying reasonable and prudent decisions about information protection. In order to make prudent decisions, a risk management process must be put in place. The question is, what process?

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved