• Basic principles of information security risk management. Management of risks. Full Coverage Safety Model

    One of the most important aspects of implementing an information security policy is the analysis of threats, the assessment of their likelihood and of the severity of their probable consequences. In reality, risk appears wherever there is a possibility of a threat, and the magnitude of the risk is directly proportional to the magnitude of this probability (Fig. 4.11).

    The essence of risk management activities is to assess their size, develop mitigation measures and create a mechanism to control that residual risks do not go beyond acceptable limits. Thus, risk management includes two types of activities: risk assessment and the selection of effective and cost-effective protective and regulatory mechanisms. The risk management process can be divided into the following stages [Galatenko V.A., 2006]:

    • identification of assets and resource values in need of protection;
    • the choice of analyzed objects and the degree of detail of their consideration;
    • analysis of threats and their consequences, identification of weaknesses in protection;
    • risk classification, choice of risk assessment methodology and assessment;
    • selection, implementation and verification of safeguards;
    • residual risk assessment.

    Fig. 4.11. Uncertainty as the basis for risk formation

    The information security policy includes the development of a risk management strategy for different classes of risks.

    A brief list of the most common threats has been provided above (see 17.2). It is advisable to identify not only the threats themselves, but also the sources of their occurrence; this will help to correctly assess the risk and choose appropriate neutralization measures. For example, the threat of illegal logon may arise from password guessing or from connecting an unauthorized user or device to the network.

    Obviously, each method of illegal entry needs its own security mechanisms to counteract. After identifying the threat, it is necessary to assess the likelihood of its implementation and the amount of potential damage.

    When assessing the severity of the damage, it is necessary to keep in mind not only the immediate costs of replacing equipment or restoring information, but also more distant ones, in particular, undermining the company's reputation, weakening its position in the market, etc.

    After the identification and analysis of threats, their possible consequences, there are several approaches to management: risk assessment, risk reduction, risk avoidance, change in the nature of risk, risk acceptance, development of corrective measures (Fig. 4.12).

    Fig. 4.12. Risk Management Scheme

    When identifying assets and information resources, that is, the values that need to be protected, it is necessary to consider not only the components of the information system, but also the supporting infrastructure, personnel, and intangible assets, including the company's current rating and reputation. One of the main outcomes of the asset identification process is a detailed picture of the organization's information structure and of how it is used.


    The choice of the objects to analyze and the degree of detail of their consideration is the next step in risk assessment. For a small organization it is permissible to consider the entire information infrastructure; for a large one, one should focus on the most important (critical) services. If there are many important services, those whose risks are obviously large or unknown are selected. If the organization's information infrastructure is a local network, then the hardware objects should include computers, peripheral devices, external interfaces, cabling and active network equipment.

    Software objects include operating systems (network, server and client), application software, tools, network management programs and individual subsystems. It is important to record on which network nodes the software is stored, and where and how it is used. The third type of information object is data that is stored, processed and transmitted over the network. It is necessary to classify data by type and degree of confidentiality, identify where it is stored and processed, and the ways it can be accessed. All of this is important for assessing the risks and consequences of information security violations.

    Risk assessment is based on the accumulated initial data and assessment of the degree of certainty of threats. It is perfectly acceptable to apply such a simple method as multiplying the probability of a threat being carried out by the amount of the estimated damage. If we use a three-point scale for probability and damage, then there will be six possible products: 1, 2, 3, 4, 6 and 9. The first two results can be attributed to low risk, the third and fourth to medium, and the last two to high. This scale can be used to assess the acceptability of risks.

    If any risks are found to be unacceptably high, additional protective measures must be implemented. To eliminate or reduce the weakness that made a dangerous threat real, several security mechanisms can be applied that are effective and low cost. For example, if illegal login is highly likely, you can require long passwords, use a password generator program, or purchase an integrated smart card authentication system. If there is a possibility of intentional damage to servers, which threatens serious consequences, you can restrict the physical access of personnel to the server rooms and strengthen their security.

    Risk assessment technology should combine formal metrics and the formation of real quantitative indicators for assessment. With their help, it is necessary to answer two questions: are the existing risks acceptable, and if not, what protective measures are cost-effective to use.

    Fig. 4.13. Risk assessment and mitigation scheme

    Risk reduction methodology. Many risks can be substantially reduced by using simple and inexpensive countermeasures. For example, competent (regulated) access control reduces the risk of unauthorized intrusion. Some classes of risks can be avoided - moving the organization's Web server outside the local network avoids the risk of unauthorized access to the local network by Web clients. Some risks cannot be reduced to a small value, but after the implementation of a standard set of countermeasures, they can be accepted, constantly monitoring the residual value of the risk (Fig. 4.13).

    The assessment of the cost of protective measures should take into account not only the direct costs of purchasing equipment and/or software, but also the costs of introducing innovations, training and retraining of personnel. This cost can be expressed on some scale and then compared with the difference between the calculated and acceptable risk. If, according to this indicator, the means of protection is cost-effective, it can be accepted for further consideration.

    Fig. 4.14. Iterative Risk Management Process

    Control of residual risks is a mandatory part of the ongoing control of the information security system. When the planned measures have been taken, it is necessary to check their effectiveness, that is, to make sure that the residual risks have become acceptable. In case of a systematic increase in residual risks, it is necessary to analyze the mistakes made and take corrective measures immediately.
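    The textbook's own scales (3-point probability and damage, six possible products, low/medium/high bands, safeguards compared against the gap between calculated and acceptable risk, then a residual-risk check) carried through on a small risk register. This is an added example, not code from the textbook; the register entries, safeguard costs and the acceptable-risk threshold are constructed sample values, and expressing safeguard cost on the same abstract scale as risk is an assumption.

```python
"""Risk register on the textbook's two 3-point scales (added example, not from the text).

probability (1..3) * damage (1..3) gives the six possible products 1, 2, 3, 4, 6, 9;
1-2 are low, 3-4 medium, 6-9 high.  The safeguards, costs and the acceptable-risk
threshold are constructed sample values; cost is expressed on the same abstract
scale as risk so that it can be compared with (calculated risk - acceptable risk).
"""
from dataclasses import dataclass, field


def risk_level(probability: int, damage: int) -> int:
    """Risk as the product of the two 3-point ratings."""
    if not (1 <= probability <= 3 and 1 <= damage <= 3):
        raise ValueError("probability and damage must be rated 1, 2 or 3")
    return probability * damage


def risk_class(level: int) -> str:
    """Map a product to the low / medium / high bands given in the text."""
    if level in (1, 2):
        return "low"
    if level in (3, 4):
        return "medium"
    if level in (6, 9):
        return "high"
    raise ValueError(f"{level} is not a product of two 1..3 ratings")


@dataclass
class Safeguard:
    name: str
    cost: int              # purchase + rollout + training, on the risk scale (assumed)
    new_probability: int   # probability rating once the safeguard is in place
    new_damage: int        # damage rating once the safeguard is in place

    def residual(self) -> int:
        return risk_level(self.new_probability, self.new_damage)


@dataclass
class Risk:
    threat: str
    source: str            # where the threat originates, which the text advises recording
    probability: int
    damage: int
    safeguards: list = field(default_factory=list)

    def level(self) -> int:
        return risk_level(self.probability, self.damage)


ACCEPTABLE = 4   # highest risk level accepted without extra measures (assumed policy value)


def assess(register, acceptable=ACCEPTABLE):
    """For each risk: (initial class, chosen safeguard or None, residual class, accepted?).

    A safeguard counts as cost-effective when its cost does not exceed the excess of
    the calculated risk over the acceptable one.  Among cost-effective safeguards that
    bring the residual risk within the acceptable level, the cheapest is chosen.
    Risks that stay above the threshold are flagged (accepted=False) for corrective
    measures, i.e. a return to the analysis stage.
    """
    result = {}
    for risk in register:
        level = risk.level()
        if level <= acceptable:
            result[risk.threat] = (risk_class(level), None, risk_class(level), True)
            continue
        gap = level - acceptable
        candidates = [sg for sg in risk.safeguards
                      if sg.cost <= gap and sg.residual() <= acceptable]
        chosen = min(candidates, key=lambda sg: (sg.cost, sg.residual()), default=None)
        residual = chosen.residual() if chosen else level
        result[risk.threat] = (risk_class(level), chosen.name if chosen else None,
                               risk_class(residual), residual <= acceptable)
    return result


# Constructed sample register, built around the threat examples mentioned in the text.
SAMPLE_REGISTER = [
    Risk("Illegal login", "password guessing over the network", probability=3, damage=2,
         safeguards=[Safeguard("Require long passwords", cost=1, new_probability=2, new_damage=2),
                     Safeguard("Smart-card authentication", cost=3, new_probability=1, new_damage=2)]),
    Risk("Intentional damage to servers", "personnel with physical access", 2, 3,
         [Safeguard("Restrict physical access to server rooms", 2, 1, 3)]),
    Risk("Workstation hardware failure", "ageing equipment", 2, 1),
    Risk("Leak of customer data", "insufficient access control", 3, 3,
         [Safeguard("Monitor outbound data flows", 4, 2, 3)]),
]

if __name__ == "__main__":
    for threat, row in assess(SAMPLE_REGISTER).items():
        print(f"{threat:32} initial={row[0]:6} safeguard={row[1]} "
              f"residual={row[2]:6} accepted={row[3]}")
```

    The last register entry stays high because its only safeguard, although affordable, leaves the residual risk above the threshold; that is the case the text sends back to the analysis stage.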

    Risk management is a multi-stage iterative process (Figure 4.14).

    Almost all of its stages are interconnected, and upon completion of almost any of them it may be necessary to return to a previous one. Thus, when identifying assets, it may become clear that the selected boundaries of the analysis should be expanded and the degree of detail increased. The first analysis is especially difficult, since repeated returns to the beginning are inevitable. Risk management is a typical optimization task; the fundamental difficulty lies in formulating it competently at the top management level, combining the optimal methods and describing the initial data (Fig. 4.15).

    Fig. 4.15. Shaping IT risk management activities

    Methodologies "Risk Assessment" (Risk Assessment) and "Risk Management" (Risk Management) have become an integral part of activities in the field of business continuity (Business Continuity) and information security (Information Security). The IS implementation program and policy sets are based on a set of system actions and practical steps (Fig. 4.16-Fig. 4.19).

    Fig. 4.16. Sets of systemic actions and practical steps (1)

    Fig. 4.17. Sets of systemic actions and practical steps (2)

    Fig. 4.18. Sets of systemic actions and practical steps (3)

    Fig. 4.19. Sets of systemic actions and practical steps (4)

    More than a dozen different international standards and specifications have been prepared and are actively used, which regulate in detail the procedures for managing information risks: ISO 15408:1999 ("Common Criteria for Information Technology Security Evaluation"), ISO 17799:2002 ("Code of Practice for Information Security Management"), NIST 800-30, SAS 78/94, COBIT.

    The RA Software Tool methodology and tool are based on the requirements of the international standards ISO 17999 and ISO 13335 (parts 3 and 4), as well as the requirements of the British National Standards Institute (BSI) - PD 3002 ("Guidelines for Assessing and Managing Risks"), PD 3003 ("Assessment of a company's readiness for audit in accordance with BS 7799"), PD 3005 ("Guidelines for choosing a security system").

    In practice, such risk management techniques allow:

    • create models of information assets of the company in terms of security;
    • classify and value assets;
    • compile lists of the most significant security threats and vulnerabilities;
    • rank security threats and vulnerabilities;
    • assess and work out risks;
    • develop corrective measures;
    • justify the means and measures of risk control;
    • evaluate the effectiveness/cost of various protection options;
    • formalize and automate risk assessment and management procedures.

    Risk development includes a number of important stages, which are a mandatory part of the planned work to ensure information security (Fig. 4.20).

    The use of appropriate software tools can reduce the complexity of risk analysis and selection of countermeasures. Currently, more than a dozen software products have been developed for analyzing and managing risks of a basic level of security. An example of a fairly simple tool is the BSS (Baseline Security Survey, UK) software package.

    Higher-class software products: CRAMM (Insight Consulting Limited, UK), Risk Watch, COBRA (Consultative Objective and Bi-Functional Risk Analysis), Buddy System. The most popular of them is CRAMM (Complex Risk Analysis and Management Method), which implements the method of risk analysis and control. An essential advantage of the method is the possibility of conducting a detailed study in a short time with full documentation of the results.

    Fig. 4.20. Stages of risk development

    Methods like CRAMM are based on an integrated approach to risk assessment that combines quantitative and qualitative methods of analysis. The method is universal and is suitable for both large and small organizations, both government and commercial sectors.

    The strengths of the CRAMM method include the following:

    • CRAMM is a well-structured and widely tested risk analysis method with real practical results;
    • CRAMM software tools can be used at all stages of an IS security audit;
    • the software product is based on a fairly large knowledge base on countermeasures in the field of information security, based on the recommendations of the BS 7799 standard;
    • the flexibility and versatility of the CRAMM method allow it to be used to audit an IS of any level of complexity and purpose;
    • CRAMM can be used as a tool to develop an organization's business continuity plan and information security policies;
    • CRAMM can be used as a means of documenting IS security mechanisms.

    For commercial organizations, there is a commercial profile of security standards (Commercial Profile), for government organizations - government (Government Profile). The government version of the profile also allows you to audit for compliance with the requirements of the American standard TCSEC ("Orange Book").

    How to properly assess information security risks - our recipe

    The task of assessing information security risks today is perceived by the expert community ambiguously, and there are several reasons for this. First, there is no gold standard or accepted approach. Numerous standards and methodologies, although similar in general terms, differ significantly in details. The application of one method or another depends on the area and object of assessment. But choosing the right method can become a problem if the participants in the assessment process have different ideas about it and about its results.

    Secondly, information security risk assessment is a purely expert task. Analysis of risk factors (such as damage, threat, vulnerability, etc.) carried out by different experts often gives different results. Insufficient reproducibility of the evaluation results raises the question of the reliability and usefulness of the data obtained. Human nature is such that abstract estimates, especially those relating to probabilistic units of measurement, are perceived by people in different ways. Existing applied theories designed to take into account the measure of subjective perception of a person (for example, prospect theory) complicate the already complicated risk analysis methodology and do not contribute to its popularization.

    Thirdly, the risk assessment procedure itself in its classical sense, with the decomposition and inventory of assets, is a very laborious task. Attempting to perform manual analysis using common office tools (such as spreadsheets) inevitably drowns in a sea of information. Specialized software tools designed to simplify individual stages of risk analysis facilitate modeling to some extent, but do not at all simplify the collection and systematization of data.

    Finally, the very definition of risk in the context of the problem of information security has not yet been settled. Just look at the changes in terminology in ISO Guide 73:2009 compared to the 2002 version. Whereas earlier risk was defined as the potential for damage due to exploitation of a vulnerability by a threat, now it is the effect of deviation from expected outcomes. Similar conceptual changes have taken place in the new edition of ISO/IEC 27001:2013.

    For these and a number of other reasons, information security risk assessments are treated with caution at best and with great distrust at worst. This discredits the very idea of risk management, which leads to the sabotage of this process by management and, as a result, to the numerous incidents that fill the annual analytical reports.

    Given the above, from which side is it better to approach the task of assessing information security risks?

    A fresh look

    Information security today is increasingly focused on business goals and is built into business processes. Similar metamorphoses are taking place with risk assessment - it acquires the necessary business context. What criteria should a modern IS risk assessment methodology meet? Obviously, it should be simple and universal enough so that the results of its application are credible and useful to all participants in the process. Let us single out a number of principles on which such a technique should be based:

    1. avoid excessive detail;
    2. rely on the opinion of the business;
    3. use examples;
    4. consider external sources of information.

    The essence of the proposed methodology is best demonstrated by a practical example. Consider the task of assessing information security risks in a trading and manufacturing company. Where does it usually start? From the definition of the boundaries of the assessment. If the risk assessment is being carried out for the first time, the boundaries should include the main business processes that generate revenue, as well as the processes that serve them.

    If business processes are not documented, a general idea of them can be obtained by examining the organizational structure and the regulations on departments that contain a description of their goals and objectives.

    Having determined the boundaries of the assessment, let's move on to the identification of assets. In accordance with the foregoing, we will consider the main business processes as aggregated assets, postponing the inventory of information resources to the next stages (rule 1). This is because the methodology involves a gradual transition from the general to the particular, and at this level detailed information is simply not needed.

    Risk factors

    We will assume that we have decided on the composition of the assets being valued. Next, you need to identify the threats and vulnerabilities associated with them. However, this approach is applicable only when performing a detailed risk analysis, where the objects of the information asset environment are the object of assessment. The new version of ISO/IEC 27001:2013 has shifted the focus of risk assessment from traditional IT assets to information and its processing. Since at the current level of detail we are considering the aggregated business processes of the company, it is sufficient to identify only the high-level risk factors inherent in them.

    A risk factor is a specific characteristic of an object, technology or process that is a source of problems in the future. At the same time, we can talk about the presence of risk as such only if the problems have a negative impact on the performance of the company. A logical chain is built:

    Thus, the task of identifying risk factors is reduced to identifying unsuccessful properties and characteristics of processes that determine the likely risk scenarios that have a negative impact on the business. To simplify its solution, we will use the information security business model developed by the ISACA association (see Fig. 1):

    Fig. 1. Information security business model

    The nodes of the model represent the fundamental driving forces of any organization: strategy, processes, people and technology, and its edges represent the functional links between them. It is mainly in these edges that the main risk factors are concentrated. As is easy to see, the risks are associated not only with information technology.

    How to identify risk factors based on the above model? It is necessary to involve business in this (rule 2). Business units are usually well aware of the problems they face in their work. The experience of colleagues in the industry is often recalled. You can get this information by asking the right questions. Personnel-related issues should be directed to Human Resources, technology issues to Automation (IT), and business process issues to the appropriate business units.

    In the task of identifying risk factors, it is more convenient to start from problems. Having identified a problem, it is necessary to determine its cause. As a result, a new risk factor may be identified. The main difficulty here is not to get bogged down in particulars. For example, if an incident occurred as a result of an employee's unlawful actions, the risk factor will not be that the employee violated the provision of some regulation, but that the action itself was possible. A risk factor is always a prerequisite for a problem to arise.

    In order for the staff to better understand what exactly they are being asked, it is advisable to accompany the questions with examples (rule 3). The following are examples of several high-level risk factors that may be common to many business processes:

    Staff:

    • Insufficient qualifications (Human Factors edge in Fig. 1)
    • Shortage of employees (Emergence edge)
    • Low motivation (Culture edge)

    Processes:

    • Frequent change of external requirements (Governing edge)
    • Underdeveloped process automation (Enabling & Support edge)
    • Combination of roles by performers (Emergence edge)

    Technologies:

    • Legacy software (Enabling & Support edge)
    • Poor user accountability (Human Factors edge)
    • Heterogeneous IT landscape (Architecture edge)

    An important advantage of the proposed assessment method is the possibility of cross-analysis, in which two different departments consider the same problem from different angles. Given this circumstance, it is very useful to ask interviewees questions such as: "What do you think about the problems identified by your colleagues?". This is a great way to get additional estimates, as well as to adjust existing ones. To refine the result, several rounds of such an assessment can be carried out.

    Impact on business

    As follows from the definition of risk, it is characterized by the degree of impact on the business performance of the organization. A convenient tool for determining the nature of the impact of risk scenarios on the business is the Balanced Scorecard system. Without going into details, we note that the Balanced Scorecard identifies 4 business perspectives for any company, related in a hierarchical way (see Fig. 2).

    Fig. 2. Four Business Perspectives of the Balanced Scorecard

    In relation to the methodology under consideration, a risk can be considered significant if it negatively affects at least one of the following three business perspectives: finance, customers and/or processes (see Fig. 3).

    Fig. 3. Key business indicators

    For example, the risk factor "Low user accountability" could result in a "Customer Information Leakage" scenario. In turn, this will affect the "number of customers" business metric.

    If a company has developed business metrics, this greatly simplifies the situation. Whenever it is possible to track the impact of a particular risk scenario on one or more business indicators, the corresponding risk factor can be considered significant, and the results of its assessment should be recorded in the questionnaires. The higher up the hierarchy of business metrics the impact of a scenario is, the greater the potential impact on the business.

    The task of analyzing these consequences is an expert one, so it should be solved with the involvement of specialized business units (rule 2). For additional control of the estimates obtained, it is useful to use external sources of information containing statistical data on the magnitude of losses as a result of incidents (rule 4), for example, the annual Cost of Data Breach Study report.

    Probability score

    At the final stage of the analysis, for each identified risk factor whose impact on the business could be determined, it is necessary to assess the likelihood of the scenarios associated with it. What does this assessment depend on? To a large extent, on the sufficiency of the protective measures implemented in the company.

    There is a small caveat here. It is logical to assume that since the problem has been identified, it is still relevant. In that case the implemented measures are most likely not enough to eliminate the prerequisites for its occurrence. The sufficiency of countermeasures is determined by the results of evaluating the effectiveness of their application, for example, using a system of metrics.

    For evaluation, you can use a simple 3-level scale, where:

    3 - implemented countermeasures are generally sufficient;

    2 - countermeasures are implemented insufficiently;

    1 - no countermeasures.

    As reference books describing countermeasures, you can use specialized standards and guidelines, such as CobiT 5, ISO/IEC 27002, etc. Each countermeasure should be associated with a specific risk factor.

    It is important to remember that we analyze the risks associated not only with the use of IT, but also with the organization of internal information processes in the company. Therefore, countermeasures should be considered more broadly. It is not for nothing that the new version of ISO/IEC 27001:2013 contains a clause that when choosing countermeasures, it is necessary to use any external sources (rule 4), and not just Annex A, which is present in the standard for reference purposes.

    The magnitude of the risk

    A simple table can be used to determine the final risk value (see Table 1).

    Tab. 1. Risk assessment matrix

    In the event that a risk factor affects several business perspectives, such as "Customers" and "Finance", their indicators are summed. The dimension of the scale, as well as the acceptable levels of IS risk, can be determined in any convenient way. In the above example, risks with levels 2 and 3 are considered high.

    At this point, the first stage of the risk assessment can be considered completed. The final value of the risk associated with the assessed business process is determined as the sum of the composite values for all identified factors. The owner of the risk can be considered the person responsible in the company for the assessed object.

    The resulting figure does not tell us how much money the organization is at risk of losing. Instead, it indicates the area of concentration of risks and the nature of their impact on business performance. This information is necessary in order to further focus on the most important details.
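    The steps of this first-stage assessment (risk factors tied to edges of the ISACA model, impact indicators summed over the affected finance/customers/processes perspectives, the 3/2/1 countermeasure-sufficiency scale, levels 2 and 3 counted as high, and the process total as the sum over factors) as a small script, together with the risk-concentration view by edge and node that decides where to drill down next. This is an added example, not the article's code or tool. Table 1 is not reproduced on this page, so the lookup matrix and the banding of impact sums are assumed stand-ins, and all factor data is constructed.

```python
"""Factor-based IS risk assessment following the article's steps (added example).

From the text: sufficiency scale 3/2/1; indicators of several affected business
perspectives are summed; levels 2 and 3 are high; the process total is the sum
over its factors.  ASSUMED: the impact-sum banding and the matrix standing in
for Table 1, which is not reproduced here.  All factor data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

PERSPECTIVES = ("finance", "customers", "processes")   # the three the article counts

# Edges of the ISACA business model for information security and the nodes they join.
EDGE_NODES = {
    "Governing": ("strategy", "processes"),
    "Culture": ("strategy", "people"),
    "Architecture": ("strategy", "technology"),
    "Enabling & Support": ("processes", "technology"),
    "Emergence": ("people", "processes"),
    "Human Factors": ("people", "technology"),
}

SUFFICIENCY = {3: "countermeasures generally sufficient",
               2: "countermeasures implemented insufficiently",
               1: "no countermeasures"}

# ASSUMED stand-in for Table 1: impact band (rows) x sufficiency (columns) -> risk level.
ASSUMED_MATRIX = {
    1: {3: 0, 2: 1, 1: 1},
    2: {3: 1, 2: 2, 1: 2},
    3: {3: 1, 2: 2, 1: 3},
}
HIGH_LEVELS = {2, 3}   # stated in the text


@dataclass
class RiskFactor:
    name: str
    edge: str          # edge of the model where the factor sits
    scenario: str      # risk scenario the factor can lead to
    impact: dict       # perspective -> indicator value (1..3, assumed scale)
    sufficiency: int   # 3, 2 or 1

    def impact_sum(self) -> int:
        """Indicators of all affected perspectives are summed, as the article says."""
        if not self.impact:
            raise ValueError(f"{self.name}: a significant factor affects >= 1 perspective")
        unknown = set(self.impact) - set(PERSPECTIVES)
        if unknown:
            raise ValueError(f"{self.name}: unknown perspectives {unknown}")
        return sum(self.impact.values())

    def level(self) -> int:
        if self.sufficiency not in SUFFICIENCY:
            raise ValueError(f"{self.name}: sufficiency must be 3, 2 or 1")
        band = min(3, (self.impact_sum() + 2) // 2)   # ASSUMED: 1 -> 1, 2-3 -> 2, 4+ -> 3
        return ASSUMED_MATRIX[band][self.sufficiency]


@dataclass
class BusinessProcess:
    name: str
    owner: str         # the person responsible for the assessed object owns its risk
    factors: list


def assess_process(proc):
    """Level per factor, the process total (sum over factors) and the high factors."""
    levels = {f.name: f.level() for f in proc.factors}
    high = [f.name for f in proc.factors if levels[f.name] in HIGH_LEVELS]
    return {"process": proc.name, "owner": proc.owner, "factors": levels,
            "total": sum(levels.values()), "high": high}


def concentration(proc):
    """Risk concentration by edge and by node: the node with the most risk is the
    one to drill down into at the next level of detail."""
    by_edge, by_node = defaultdict(int), defaultdict(int)
    for f in proc.factors:
        lvl = f.level()
        by_edge[f.edge] += lvl
        for node in EDGE_NODES[f.edge]:
            by_node[node] += lvl
    return dict(by_edge), dict(by_node)


# Constructed sample: one aggregated process of a trading and manufacturing company.
ORDER_FULFILMENT = BusinessProcess("Order fulfilment", "Head of Sales", [
    RiskFactor("Low user accountability", "Human Factors", "Customer information leakage",
               {"customers": 2, "finance": 1}, sufficiency=2),
    RiskFactor("Legacy software", "Enabling & Support", "Order processing outage",
               {"processes": 2, "customers": 1}, sufficiency=1),
    RiskFactor("Frequent change of external requirements", "Governing",
               "Non-compliant shipping documents", {"processes": 1}, sufficiency=3),
    RiskFactor("Shortage of employees", "Emergence", "Delayed order handling",
               {"customers": 1, "processes": 1}, sufficiency=3),
])

if __name__ == "__main__":
    print(assess_process(ORDER_FULFILMENT))
    edges, nodes = concentration(ORDER_FULFILMENT)
    print("by edge:", edges, "by node:", nodes, "drill down:", max(nodes, key=nodes.get))
```

    With the constructed data the technology node carries the most risk, which is exactly the situation the detailed-assessment section below uses to motivate increasing the level of detail of that node.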

    Detailed assessment

    The main advantage of this technique is that it allows you to perform information security risk analysis with the desired level of detail. If necessary, you can “fall through” into the elements of the information security model (Fig. 1) and consider them in more detail. For example, by identifying the highest concentration of risk in IT-related edges, you can increase the level of detail of the Technology node. If earlier a separate business process acted as an object of risk assessment, now the focus will shift to a specific information system and the processes of its use. In order to provide the required level of detail, an inventory of information resources may be required.

    All of this applies to other assessment areas as well. When you change the detail of the People node, the objects of evaluation can become personnel roles or even individual employees. For the Process node, these could be specific work policies and procedures.

    Changing the level of detail will automatically change not only the risk factors, but also the applicable countermeasures. Both will become more specific to the object of evaluation. However, the general approach to performing a risk assessment will not change. For each factor identified, it will be necessary to evaluate:

    • the degree of risk impact on business prospects;
    • sufficiency of countermeasures.

    Russian Syndrome

    The release of the ISO/IEC 27001:2013 standard has put many Russian companies in a difficult position. On the one hand, they have already developed a certain approach to the assessment of information security risks, based on the classification of information assets and the assessment of threats and vulnerabilities. National regulators have managed to issue a number of regulations supporting this approach, for example, the standard of the Bank of Russia and FSTEC orders. On the other hand, the task of risk assessment is long overdue for change, and now it is necessary to modify the established order to meet both the old and the new requirements. Yes, today it is still possible to get certified according to the GOST R ISO/IEC 27001:2006 standard, which is identical to the previous version of ISO/IEC 27001, but not for long.

    The risk analysis methodology discussed above addresses this issue. By controlling the level of detail in the assessment, you can consider assets and risks at any scale, from business processes to individual information flows. This approach is also convenient because it allows you to cover all high-level risks without missing anything. At the same time, the company will significantly reduce labor costs for further analysis and will not waste time on a detailed assessment of insignificant risks.

    It should be noted that the more detailed the assessment area is, the greater the responsibility lies with the experts and the greater the competence required, because when the depth of analysis changes, not only risk factors change, but also the landscape of applicable countermeasures.

    Despite all attempts at simplification, information security risk analysis is still time-consuming and complex. The leader of this process has a special responsibility. Many things will depend on how competently he builds an approach and copes with the task - from budget allocation for information security to business sustainability.

    When implementing an information security management system (ISMS) in an organization, one of the main stumbling blocks is usually the risk management system. Reasoning about information security risk management is akin to the UFO problem. On the one hand, no one around seems to have seen it and the event itself seems unlikely; on the other hand, there is a lot of evidence, hundreds of books have been written, there are even relevant scientific disciplines and associations of pundits involved in this research and, as usual, the special services possess some special secret knowledge in this area.

    Alexander Astakhov, CISA, 2006

    Introduction

    There is no unanimity among information security specialists on risk management issues. Some reject quantitative methods of risk assessment, some reject qualitative ones, some deny the feasibility and the very possibility of risk assessment altogether, and some accuse the organization's management of insufficient awareness of the importance of security issues or complain about the difficulties of obtaining an objective assessment of the value of certain assets, such as the reputation of the organization. Others, seeing no way to justify the cost of security, suggest treating it as a kind of hygienic procedure and spending on it as much money as one does not mind parting with, or as much as is left in the budget.

    Whatever opinions exist on the issue of information security risk management, and no matter how we relate to these risks, one thing is clear: this issue is the essence of the multifaceted activity of information security specialists, directly connecting it with the business and giving it reasonable meaning and expediency. This article outlines one possible approach to risk management and answers the question of why different organizations treat and manage information security risks differently.

    Main and auxiliary assets

    Speaking of business risks, we mean the possibility of incurring certain damage with a certain probability. This can be both direct material damage and indirect damage, expressed, for example, in lost profits, up to exit from the business, because if the risk is not managed, then the business can be lost.

    Actually, the essence of the issue lies in the fact that the organization has and uses several main categories of resources to achieve the results of its activities (its business goals); we will use the notion of an asset directly related to the business. An asset is anything that is of value to an organization and generates its income (in other words, it is something that creates a positive cash flow, or saves money).

    There are material, financial, human and information assets. Modern international standards also define another category of assets: processes. A process is an aggregated asset that operates on all other company assets to achieve business goals. The image and reputation of the company are also considered among its most important assets. These key assets of any organization are nothing more than a special kind of information asset, since the image and reputation of a company are nothing more than the content of open and widely disseminated information about it. Information security deals with image issues insofar as organizational security problems, as well as leaks of confidential information, have an extremely negative impact on the image.

    Business results are affected by various external and internal factors related to the risk category. This influence is expressed in the negative impact on one or several groups of the organization's assets at the same time. For example, a server failure affects the availability of information and applications stored on it, and its repair diverts human resources, creating their shortage in a certain area of ​​work and causing disruption of business processes, while temporary unavailability of client services can negatively affect the company's image.

    By definition, all types of assets are important to an organization. However, every organization has core, vital assets and supporting assets. Determining which assets are the core ones is very simple, since these are the assets around which the organization's business is built. Thus, an organization's business can be based on the ownership and use of tangible assets (for example, land, real estate, equipment, minerals); it can be built on the management of financial assets (credit activities, insurance, investment); it can be based on the competence and authority of specific specialists (consulting, audit, training, high-tech and knowledge-intensive industries); or it can revolve around information assets (software development, information products, e-commerce, business on the Internet). Risks to core assets are fraught with loss of the business and irreparable losses for the organization, so the attention of business owners is focused primarily on these risks and the organization's management deals with them personally. Risks to supporting assets usually result in recoverable damage and are not a top priority in the organization's management system. Usually these risks are managed by specially appointed people, or they are transferred to a third party such as an outsourcer or an insurance company. For the organization this is more a matter of management effectiveness than of survival.

    Existing approaches to risk management

    Since information security risks are far from being the main ones for all organizations, three main approaches to managing these risks are practiced, differing in depth and level of formalism.

    For non-critical systems, when information assets are auxiliary, and the level of informatization is not high, which is typical for most modern Russian companies, there is a minimal need for risk assessment. In such organizations, we should talk about some basic level of information security, determined by existing regulations and standards, best practices, experience, as well as how it is done in most other organizations. However, existing standards, describing a certain basic set of security requirements and mechanisms, always stipulate the need to assess the risks and economic feasibility of applying certain control mechanisms in order to select from the general set of requirements and mechanisms those that are applicable in a particular organization.

    For critical systems in which information assets are not the main ones, but the level of informatization of business processes is very high and information risks can significantly affect the main business processes, it is necessary to apply risk assessment, however, in this case it is advisable to confine ourselves to informal qualitative approaches to solving this problem, paying special attention to the most critical systems.

    When an organization's business is built around information assets and information security risks are the main ones, it is necessary to apply a formal approach and quantitative methods to assess these risks.

    In many companies, several types of assets can be vital at the same time, for example when the business is diversified or when the company creates information products, so that both people and information resources are vital. In this case, the prudent approach is to conduct a high-level risk assessment to determine which systems are exposed to high risk and which are critical to business operations, followed by a detailed risk assessment for the identified systems. For all other non-critical systems, it is advisable to limit yourself to the basic approach, making risk management decisions on the basis of existing experience, expert opinions and best practice.

    Maturity levels

    The choice of approach to risk assessment in an organization, in addition to the nature of its business and the level of informatization of its business processes, is also influenced by its level of maturity. Information security risk management is a business task initiated by the organization's management on the basis of its awareness of information security problems, and its purpose is to protect the business from real information security threats. According to the degree of awareness, several maturity levels of organizations can be distinguished, which to a certain extent correlate with the maturity levels defined in COBIT and other standards:

    1. At the entry level there is no awareness as such; the organization takes fragmentary measures to ensure information security, initiated and implemented by IT specialists on their own responsibility.
    2. At the second level, the organization defines responsibility for information security, attempts are made to use integrated solutions with centralized management and implement separate information security management processes.
    3. The third level is characterized by the application of a process approach to information security management, described in the standards. The information security management system becomes so significant for the organization that it is considered as a necessary component of the organization's management system. However, a full-fledged information security management system does not yet exist, because there is no basic element of this system – risk management processes.
    4. Organizations with the highest degree of awareness of information security problems are characterized by the use of a formalized approach to information security risk management, which is distinguished by the presence of documented planning, implementation, monitoring and improvement processes.

    Process model of risk management

    In March of this year, the new British standard BS 7799 Part 3, Information Security Management Systems - Information Security Risk Management Practices, was adopted. ISO is expected to adopt this document as an international standard by the end of 2007. BS 7799-3 defines risk assessment and management processes as an integral element of an organization's management system, using the same process model as other management standards, which includes four process groups: plan, implement, check, act (PDCA), reflecting the standard cycle of any management process. While ISO 27001 describes the overall security management continuum, BS 7799-3 contains its projection onto information security risk management processes.

    In the information security risk management system, at the Planning stage, the risk management policy and methodology are determined, and a risk assessment is performed, including an inventory of assets, profiling threats and vulnerabilities, assessing the effectiveness of countermeasures and potential damage, and determining the acceptable level of residual risks.

    During the Implementation phase, risks are treated and controls are put in place to mitigate them. The management of the organization makes one of four decisions for each identified risk: ignore, avoid, transfer to an external party, or minimize. After that, a risk treatment plan is developed and implemented.

    During the Audit stage, the functioning of control mechanisms is monitored, changes in risk factors (assets, threats, vulnerabilities) are controlled, audits are conducted and various control procedures are performed.

    At the Actions stage, based on the results of continuous monitoring and ongoing audits, the necessary corrective actions are taken, which may include, in particular, reassessment of the magnitude of risks, adjustment of the risk management policy and methodology, as well as the risk treatment plan.

    Risk factors

    The essence of any approach to risk management lies in the analysis of risk factors and making adequate decisions on risk treatment. Risk factors are the main parameters that we use when assessing risks. There are only seven options:

    • Asset
    • Damage
    • Threat
    • Vulnerability
    • Control mechanism (Control)
    • Average annual loss (ALE)
    • Return on investment (ROI)

    How these parameters are analyzed and evaluated is determined by the organization's risk assessment methodology. At the same time, the general approach and reasoning scheme are approximately the same, no matter what methodology is used. The risk assessment process (assessment) includes two phases. In the first phase, which is defined in the standards as risk analysis (analysis), it is necessary to answer the following questions:

    • What is the main asset of the company?
    • What is the real value of this asset?
    • What are the threats to this asset?
    • What are the consequences of these threats and the damage to the business?
    • How likely are these threats?
    • How vulnerable is the business to these threats?
    • What is the expected average annual loss?

    In the second phase, which is defined by the standards as risk assessment (evaluation), it is necessary to answer the question: What level of risk (size of average annual losses) is acceptable for the organization and, based on this, what risks exceed this level.

    Thus, based on the results of the risk assessment, we obtain a description of the risks that exceed the permissible level, and an estimate of the magnitude of these risks, which is determined by the size of the average annual losses. Next, a decision must be made on the treatment of risks, i.e. answer the following questions:

    • Which risk treatment option do we choose?
    • If a decision is made to minimize the risk, what control mechanisms should be used?
    • How effective are these controls and what return on investment will they provide?

    The output of this process is a risk treatment plan that defines how the risks are treated, the cost of the countermeasures, and the timing and responsibility for implementing the countermeasures.

    Making a risk treatment decision

    Making a risk treatment decision is the key and most critical moment in the risk management process. In order for management to make the right decision, the person responsible for risk management in the organization must provide them with relevant information. The form of presentation of such information is determined by the standard business communication algorithm, which includes four main points:

    • Issue message: What is the business threat (source, target, implementation) and why does it exist?
    • Severity of the problem: How does this threaten the organization, its management and shareholders?
    • Suggested solution: What is proposed to be done to correct the situation, how much will it cost, who should do it, and what is required directly from management?
    • Alternative solutions: What other ways to solve the problem exist (there are always alternatives and management should have a choice).

    Items 1 and 2, as well as 3 and 4 can be interchanged, depending on the specific situation.

    Risk Management Methods

    There are a sufficient number of well-established and fairly widely used methods for assessing and managing risks. One such method is OCTAVE, developed at Carnegie Mellon University for internal use within an organization. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) has a number of variants designed for organizations of different sizes and fields of activity. The essence of the method is that risk assessment is carried out through a sequence of appropriately organized internal seminars (workshops). Risk assessment is carried out in three stages, preceded by a set of preparatory activities, including agreeing on the schedule of seminars, assigning roles, planning, and coordinating the actions of project team members.

    At the first stage, in the course of practical seminars, the development of threat profiles is carried out, which includes an inventory and assessment of the value of assets, identification of applicable legal requirements and regulatory framework, identification of threats and assessment of their likelihood, as well as the definition of a system of organizational measures to maintain the IS regime.

    At the second stage, a technical analysis of the vulnerabilities of the organization's information systems against threats, whose profiles were developed at the previous stage, is carried out, which includes the identification of the existing vulnerabilities of the organization's information systems and an assessment of their magnitude.

    At the third stage, information security risks are assessed and processed, which includes determining the magnitude and probability of damage as a result of the implementation of security threats using vulnerabilities that were identified in the previous stages, determining the protection strategy, as well as choosing options and making decisions on risk treatment. The risk value is defined as the average value of the organization's annual losses as a result of the implementation of security threats.

    A similar approach is used in the well-known CRAMM risk assessment method, developed in its time on behalf of the British government. In CRAMM, the main way to assess risk is through carefully planned interviews using detailed questionnaires. CRAMM is used in thousands of organizations around the world, thanks, among other things, to a highly developed software toolkit containing a knowledge base on risks and mechanisms for minimizing them, tools for collecting information and generating reports, and implementations of the algorithms for calculating the magnitude of risks.

    Unlike the OCTAVE method, CRAMM uses a slightly different sequence of actions and methods for determining the magnitude of risks. First, the feasibility of risk assessment in general is determined, and if the organization's information system is not critical enough, then a standard set of control mechanisms described in international standards and contained in the CRAMM knowledge base will be applied to it.

    At the first stage, in the CRAMM method, an information system resource model is built that describes the relationship between information, software and technical resources, and the value of resources is estimated based on the possible damage that the organization may suffer as a result of their compromise.

    At the second stage, a risk assessment is performed, which includes the identification and assessment of the likelihood of threats, the assessment of the magnitude of vulnerabilities and the calculation of risks for each triple: resource - threat - vulnerability. CRAMM evaluates "pure" risks, regardless of the control mechanisms implemented in the system. At the risk assessment stage, it is assumed that no countermeasures are applied at all and a set of recommended countermeasures to minimize risks is formed based on this assumption.

    At the final stage, the CRAMM toolkit generates a set of countermeasures to minimize the identified risks and compares the recommended and existing countermeasures, after which a risk treatment plan is formed.

    Risk management tools

    In the process of risk assessment, we go through a series of successive stages, periodically rolling back to previous stages, for example, reassessing a certain risk after choosing a specific countermeasure to minimize it. Questionnaires, lists of threats and vulnerabilities, registers of resources and risks, documentation, minutes of meetings, standards and guidelines should be at hand at each stage. In this regard, some programmed algorithm, database and interface are needed to work with these diverse data.

    To manage information security risks, you can use software tools, for example those of the CRAMM method or RA2 (shown in the figure), but this is not mandatory; BS 7799-3 says much the same. The usefulness of a toolkit lies in the fact that it contains a pre-programmed risk assessment and management workflow, which simplifies the work of an inexperienced specialist.

    Using the toolkit allows you to unify the methodology and simplify the use of the results for risk reassessment, even if it is performed by other specialists. Through the use of tools, it is possible to streamline data storage and work with the resource model, threat profiles, lists of vulnerabilities and risks.

    In addition to the actual risk assessment and management tools, the software toolkit may also contain additional tools for documenting the ISMS, analyzing discrepancies with the requirements of the standards, developing a resource register, and other tools necessary for implementing and operating the ISMS.

    Conclusions

    The choice of qualitative or quantitative approaches to risk assessment is determined by the nature of the organization's business and its level of informatization, i.e. the importance of information assets for it, as well as the level of maturity of the organization.

    When implementing a formal approach to risk management in an organization, it is necessary to rely primarily on common sense, existing standards (for example, BS 7799-3) and well-established methodologies (for example, OCTAVE or CRAMM). It may be useful to use for this purpose a software tool that implements the appropriate methodologies and meets the requirements of the standards to the maximum extent possible (for example, RA2).

    The effectiveness of the information security risk management process is determined by the accuracy and completeness of the analysis and assessment of risk factors, as well as the effectiveness of the mechanisms used in the organization for making management decisions and monitoring their implementation.


    Annotation: The lecture provides a detailed definition of information security, discusses aspects of risk management. A security model with full overlap is described.

    Introduction

    The purpose of this course is to study modern methods for analyzing and managing risks associated with information security (IS). Since the risk management process may involve introducing specific protective means and mechanisms, the practical part of the course focuses on risk management in systems based on operating systems (OS) of the Microsoft Windows family.

    We will call an IS risk the potential for incurring losses due to a violation of the security of an information system (IS). The concept of risk is often confused with the concept of threat.

    An IS threat is a potential incident, intentional or not, that could have an undesirable effect on a computer system and on the information stored and processed in it.

    An information system vulnerability is an unfortunate property of the system that makes the occurrence of a threat possible. A vulnerability may be insufficient protection, errors in the system, or the presence of hidden entry points (backdoors) left by the system's developers during debugging and configuration.

    Risk is distinguished from a threat by the presence of a quantitative assessment of possible losses and (possibly) an assessment of the probability of the threat being realized.

    But let's figure out why it is necessary to investigate the risks in the field of information security and what this can give when developing an information security system for IS. For any project that requires financial costs for its implementation, it is highly desirable to determine already at the initial stage what we will consider as a sign of completion of the work and how we will evaluate the results of the project. For tasks related to ensuring information security, this is more than relevant.

    In practice, two approaches to substantiating the design of the security subsystem are most widely used.

    The first of them is based on checking the compliance of the information system's security level with the requirements of one of the standards in the field of information security. This can be a security class in accordance with the requirements of the governing documents of the State Technical Commission of the Russian Federation (now the FSTEC of Russia), a protection profile developed in accordance with the ISO 15408 standard, or some other set of requirements. The criterion for achieving the security goal is then the fulfillment of the given set of requirements. The efficiency criterion is the minimum total cost of implementing the given functional requirements, where c_i is the cost of the i-th means of protection.

    The main disadvantage of this approach is that in the case when the required level of security is not strictly specified (for example, through legal requirements), it is rather difficult to determine the "most effective" level of IS security.

    The second approach to building an information security system is related to risk assessment and management. Initially, it originated from the principle of "reasonable sufficiency" applied to the sphere of information security. This principle can be described by the following set of statements:

    • it is impossible to create an absolutely insurmountable defense;
    • it is necessary to strike a balance between the costs of protection and the effect obtained, including the economic effect, which consists in reducing losses from security breaches;
    • the cost of protection means should not exceed the cost of the protected information (or other resources - hardware, software);
    • the intruder's costs of gaining unauthorized access (UA) to information must exceed the benefit he will obtain from such access.

    But back to the risks. In this case, considering the IS in its initial state, we estimate the amount of expected losses from information security incidents (as a rule, over a certain period of time, for example a year). After that, an assessment is made of how the proposed security tools and measures reduce the risk, and how much they cost. If we imagine an ideal situation, the idea of the approach is shown in the graph below (Fig. 1.1).

    As protection costs rise, the amount of expected losses falls. If both functions have the form shown in the figure, then it is possible to determine the minimum of the function "Expected total costs", which is what we need.

    Unfortunately, in practice, it is not possible to determine the exact relationship between costs and the level of security, therefore, the analytical method for determining the minimum costs in the presented form is not applicable.

    In order to proceed to risk description issues, we introduce one more definition. A resource, or asset, is a named IS element that has (material) value and is subject to protection.

    Then the risk can be identified by the following set of parameters:

    • the threat, the possible realization of which caused this risk;
    • the resource against which this threat can be realized (a resource can be informational, hardware, software, etc.);
    • a vulnerability through which a given threat against a given resource can be realized.

    It is also important to determine how we know that an unwanted event has occurred. Therefore, in the process of describing risks, events are usually also indicated - "triggers", which are identifiers of risks that have occurred or are expected in the near future (for example, an increase in the response time of a web server may indicate that one of the varieties of denial of service attacks is being carried out against it).

    Based on the above, in the risk assessment process, it is necessary to estimate the cost of damage and the frequency of occurrence of undesirable events and the likelihood that such an event will cause damage to the resource.

    The amount of damage from the realization of a threat to a resource depends on:

    1. the cost of the resource that is at risk;
    2. the degree of destructiveness of the impact on the resource, expressed as a coefficient of destructiveness, which as a rule lies in the range from 0 to 1.

    Thus, we obtain an estimate that can be represented as a product:

    (Resource cost)*(Coefficient of destructiveness).

    Next, it is necessary to estimate the frequency of occurrence of the considered undesirable event (for some fixed period) and the probability successful implementation threats. As a result, the cost of risk can be calculated using the formula:

    (Frequency)*(Probability)*(Resource Cost)*(Destructive Coefficient).

    Approximately such a formula is used in many risk analysis techniques, some of which will be discussed further. The expected damage is compared with the costs of measures and remedies, after which a decision is made regarding this risk. It can be:

    • reduced (for example, due to the introduction of means and mechanisms of protection that reduce the likelihood of a threat or the coefficient of destructiveness);
    • eliminated (by refusing to use the resource exposed to the threat);
    • transferred (for example, insured, so that in the event of the threat being realized the losses are borne by the insurance company rather than by the owner of the information system);
    • accepted.
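    The product formula above and the reduce/eliminate/transfer/accept decision, carried through in code as an added example (not from the lecture); it also covers the average annual loss (ALE) and return on investment (ROI) factors listed in the "Risk factors" section. The web-server figures, the countermeasure and the acceptable loss level are constructed for illustration.

```python
"""Risk value and treatment decision following the lecture's product formula:
    risk = frequency * probability * resource_cost * destructiveness.

Added example, not from the lecture. The web-server figures, the acceptable
loss level and the countermeasure parameters are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    resource: str
    threat: str
    vulnerability: str
    frequency: float        # occurrences of the undesirable event per year
    probability: float      # probability an occurrence damages the resource, 0..1
    resource_cost: float    # value of the resource, in money units
    destructiveness: float  # coefficient of destructiveness, 0..1

    def __post_init__(self) -> None:
        for name in ("probability", "destructiveness"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must lie in [0, 1]")
        if self.frequency < 0 or self.resource_cost < 0:
            raise ValueError("frequency and resource_cost must be non-negative")

    def expected_annual_loss(self) -> float:
        """Average annual loss (ALE): the lecture's four-factor product."""
        return self.frequency * self.probability * self.resource_cost * self.destructiveness


@dataclass(frozen=True)
class Countermeasure:
    """A control that scales down the probability and/or the destructiveness."""
    name: str
    annual_cost: float
    probability_factor: float = 1.0      # fraction of the probability that remains
    destructiveness_factor: float = 1.0  # fraction of the destructiveness that remains

    def apply(self, risk: Risk) -> Risk:
        """Residual risk after the control is in place (other factors unchanged)."""
        return replace(
            risk,
            probability=risk.probability * self.probability_factor,
            destructiveness=risk.destructiveness * self.destructiveness_factor,
        )


def return_on_investment(risk: Risk, control: Countermeasure) -> float:
    """ROI per year: (loss avoided - cost of the control) / cost of the control."""
    avoided = risk.expected_annual_loss() - control.apply(risk).expected_annual_loss()
    return (avoided - control.annual_cost) / control.annual_cost


def treatment_decision(risk: Risk, control: Countermeasure, acceptable_annual_loss: float) -> str:
    """Choose among the lecture's options.

    - accept: the risk already sits within the acceptable level;
    - reduce: the control brings it within that level and pays for itself;
    - otherwise the control is insufficient or not worth its cost, so the
      remaining options (eliminate the resource, transfer the risk) go to management."""
    if risk.expected_annual_loss() <= acceptable_annual_loss:
        return "accept"
    residual = control.apply(risk).expected_annual_loss()
    if residual <= acceptable_annual_loss and return_on_investment(risk, control) > 0:
        return "reduce"
    return "escalate: eliminate or transfer"


def sample_risk() -> Risk:
    """Constructed: a public web server, DoS threat, 4 events a year, half of
    them succeed, each costing 10 % of the server's value of 200 000."""
    return Risk("web_server", "denial of service", "no traffic filtering",
                frequency=4.0, probability=0.5, resource_cost=200_000.0, destructiveness=0.1)


def sample_control() -> Countermeasure:
    """Constructed: traffic filtering at 15 000 a year leaves 20 % of the success probability."""
    return Countermeasure("traffic filtering", annual_cost=15_000.0, probability_factor=0.2)


if __name__ == "__main__":
    r, c = sample_risk(), sample_control()
    print(f"ALE before: {r.expected_annual_loss():,.0f}")           # 40,000
    print(f"ALE after:  {c.apply(r).expected_annual_loss():,.0f}")  # 8,000
    print(f"ROI: {return_on_investment(r, c):.2f}")                 # 1.13
    print(treatment_decision(r, c, acceptable_annual_loss=10_000.0))  # reduce
```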

    Management of risks. Full Coverage Safety Model

    The ideas behind risk management go back largely to the full-overlap security model developed in the 1970s.

    The model of the security system with full overlap is built on the basis of the postulate that the security system should have at least one means to ensure security in each possible path of influence of the intruder on the IS.

    The model precisely defines each area requiring protection, evaluates the security features in terms of their effectiveness and their contribution to security in the entire computing system.


    Rice. 1.2. Bipartite "threat-object" graph.


    Rice. 1.3. Tripartite graph "threat - security tool - object".

    It is assumed that unauthorized access to each of the set of protected objects (IS resources) O entails a certain "damage value" for the owner of the information system, and that this damage can be quantified.

    Each object requiring protection is associated with a certain set of actions that an intruder can resort to in order to gain unauthorized access to it. The potential malicious actions against all objects form the set of IS threats T. Each element of the set of threats is characterized by a probability of occurrence.

    The set of "object - threat" relations forms a bipartite graph (Fig. 1.2), in which the edge (t_i, o_j) exists if and only if t_i is a means of obtaining access to the object o_j. It should be noted that the relationship between threats and objects is not one-to-one: a threat can apply to any number of objects, and an object can be vulnerable to more than one threat. The purpose of protection is to "block" each edge of this graph and erect a barrier to access along that path. Formally this is done by introducing a set M of security tools that counter the corresponding accesses; the result is a tripartite graph (Fig. 1.3) containing the edges (t_i, m_k) and (m_k, o_j). Any remaining edge of the form (t_i, o_j) defines an unprotected object. It should be noted that the same security tool can resist more than one threat and/or protect more than one object. The absence of an edge (t_i, o_j) does not guarantee complete security (although the presence of such an edge creates the potential for unauthorized access unless the probability of occurrence of t_i is zero).

    The analysis further uses the set-theoretic model of a secure system, Clements' security system model. It describes the system as a five-tuple S = (O, T, M, V, B), where O is the set of protected objects; T is the set of threats; M is the set of security tools; V is the set of vulnerabilities, a mapping of T x O onto a set of ordered pairs v_i = (t_i, o_j) representing the ways of penetrating the system; B is the set of barriers, a mapping of V x M or T x O x M onto a set of ordered triples b_i = (t_i, o_j, m_k) representing the points at which protection is required in the system.

    Thus, a full-coverage system is a system in which there is a means of protection for every possible penetration path. If in such a system …, then ….

    The full-overlap security model describes the requirements for the composition of an information system's protection subsystem. It does not, however, consider the cost of the protection means implemented or the ratio of the costs of protection to the effect obtained. In addition, determining the full set of "paths" into the system can be quite difficult in practice, and how fully this set is described determines how adequately the result reflects the real state of affairs.
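    A checker for the full-coverage model, added here as an example (not from the lecture): it takes S = (O, T, M, V, B) as defined above, lists the penetration paths (t_i, o_j) that no barrier blocks, and weights each by the threat's probability times the object's damage value, so that a zero-probability threat carries no exposure, as the remark above implies. The objects, threats, means, values and probabilities in build_sample() are constructed.

```python
"""Full-coverage (Clements) model S = (O, T, M, V, B) as a coverage checker.

Added example, not from the lecture. Sets follow the lecture's definitions:
V holds penetration paths (t, o), B holds barriers (t, o, m). Every name,
value and probability in build_sample() is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Path = Tuple[str, str]           # v_i = (t_i, o_j): an edge of the bipartite graph
Barrier = Tuple[str, str, str]   # b_i = (t_i, o_j, m_k): means m_k blocking that edge


@dataclass
class FullCoverageModel:
    objects: Dict[str, float]      # O, each with its damage value for the owner
    threats: Dict[str, float]      # T, each with its probability of occurrence
    means: Set[str]                # M
    vulnerabilities: Set[Path]     # V: subset of T x O
    barriers: Set[Barrier] = field(default_factory=set)  # B: subset of V x M

    def __post_init__(self) -> None:
        for path in self.vulnerabilities:
            self._check_path(path)
        for t, o, m in self.barriers:
            self._check_barrier(t, o, m)

    def _check_path(self, path: Path) -> None:
        t, o = path
        if t not in self.threats or o not in self.objects:
            raise ValueError(f"path {path} refers to an unknown threat or object")

    def _check_barrier(self, t: str, o: str, m: str) -> None:
        # A barrier only makes sense on an existing path and with a known means.
        if (t, o) not in self.vulnerabilities:
            raise ValueError(f"no penetration path {(t, o)} to block")
        if m not in self.means:
            raise ValueError(f"unknown security means {m!r}")

    def add_barrier(self, t: str, o: str, m: str) -> None:
        """Place means m on edge (t, o): adds (t, m) and (m, o) to the tripartite graph."""
        self._check_barrier(t, o, m)
        self.barriers.add((t, o, m))

    def unprotected_paths(self) -> Set[Path]:
        """Edges (t, o) that survive with no barrier: each one is an unprotected object."""
        blocked = {(t, o) for t, o, _ in self.barriers}
        return self.vulnerabilities - blocked

    def is_fully_covered(self) -> bool:
        """Full coverage: a means of protection exists for every path in V."""
        return not self.unprotected_paths()

    def exposure(self) -> Dict[Path, float]:
        """Expected damage per unprotected path: P(t) * value(o).

        A path whose threat has probability zero contributes nothing, matching
        the remark that such an edge gives no real potential for access."""
        return {(t, o): self.threats[t] * self.objects[o]
                for t, o in self.unprotected_paths()}

    def paths_blocked_by(self, m: str) -> Set[Path]:
        """One means may resist several threats and protect several objects."""
        return {(t, o) for t, o, mm in self.barriers if mm == m}

    def threats_against(self, o: str) -> Set[str]:
        """An object can be vulnerable to more than one threat."""
        return {t for t, oo in self.vulnerabilities if oo == o}


def build_sample() -> FullCoverageModel:
    """Constructed sample: three objects, four threats, three paths left uncovered."""
    return FullCoverageModel(
        objects={"customer_db": 500_000.0, "web_server": 100_000.0, "backups": 200_000.0},
        threats={"sqli": 0.3, "dos": 0.6, "insider_theft": 0.1, "legacy_worm": 0.0},
        means={"waf", "ddos_filter", "access_control", "patching"},
        vulnerabilities={
            ("sqli", "customer_db"), ("dos", "web_server"), ("dos", "customer_db"),
            ("insider_theft", "customer_db"), ("insider_theft", "backups"),
            ("legacy_worm", "web_server"),
        },
        barriers={
            ("sqli", "customer_db", "waf"),
            ("dos", "web_server", "ddos_filter"), ("dos", "customer_db", "ddos_filter"),
        },
    )


if __name__ == "__main__":
    model = build_sample()
    for path, damage in sorted(model.exposure().items(), key=lambda kv: -kv[1]):
        print(f"unprotected {path}: expected damage {damage:,.0f}")
    model.add_barrier("insider_theft", "customer_db", "access_control")
    model.add_barrier("insider_theft", "backups", "access_control")
    model.add_barrier("legacy_worm", "web_server", "patching")
    print("fully covered:", model.is_fully_covered())  # True
```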

    In January 2018, the Global Risks to Humanity Report 2018 was presented at the World Economic Forum in Davos. It follows from the report that the importance of information security risks is increasing both due to the increase in the number of implemented attacks, and taking into account their destructive potential.

    CRAMM, COBIT for Risk, FRAP, Octave and Microsoft are some of the most common information security risk management methodologies in the world. Along with certain advantages, they also have their limitations. In particular, the listed foreign methods can be effectively used by commercial companies, while government organizations, when assessing and managing information security risks, must be guided by the provisions of the regulations of the FSTEC of Russia. For example, for automated control systems for production and technological processes at critical facilities, one should be guided by the order of the FSTEC of Russia dated March 14, 2014 No. 31. At the same time, this document could also be used as additional material by federal executive authorities.

    Information security risks in modern society

    In recent years the number of attacks on organizations has doubled. Attacks that cause extraordinary damage are becoming commonplace. The financial cost of attacks is on the rise, with some of the biggest losses associated with ransomware attacks. A striking example is the WannaCry and NotPetya ransomware attacks, which affected more than 300,000 computers in 150 countries around the world and led to financial losses of more than $300 million.

    Another trend is an increase in the number of attacks on critical infrastructure and strategic industrial facilities, which can lead to the failure of systems that support the life support of mankind and the emergence of global man-made disasters.

    Thus, information security risks rank among the three most likely risks (alongside natural disasters and extreme weather) and among the six most critical risks in terms of possible damage (alongside the use of weapons of mass destruction, natural disasters, weather anomalies and shortages of drinking water). Information security risk management is therefore a priority area of development for organizations around the world and is essential to their continued functioning.

    Goals and approaches to information security risk management

    The goal of any organization is to achieve certain indicators that characterize the results of its activities: for commercial companies, profit, growth in capitalization, market share or turnover; for government organizations, the provision of public services to the population and the solution of administrative tasks. Whatever the organization's purpose, the realization of information security risks can interfere with achieving it. At the same time, each organization assesses risks, and the possibility of investing in their reduction, in its own way.

    Thus, the goal of information security risk management is to keep risks at a level acceptable to the organization. For this purpose, organizations create integrated information security systems (ISS).

    When creating such systems, the question arises of choosing protection tools that reduce the information security risks identified during analysis without excessive costs for implementing and supporting those tools. Information security risk analysis makes it possible to determine the necessary and sufficient set of security tools and organizational measures aimed at reducing information security risks, and to develop an ISS architecture that is most effective for the organization's specific activities and targeted at its own information security risks.

    All risks, including information security risks, are characterized by two parameters: the potential damage to the organization and the likelihood of realization. Using the combination of these two characteristics in risk analysis makes it possible to compare risks with different levels of damage and probability by reducing them to a common expression that is understandable to those who make decisions on risk minimization in the organization. The risk management process itself consists of the following logical stages, whose composition and content depend on the risk assessment and management methodology used:

    1. Determination of the risk level acceptable to the organization (risk appetite): the criterion used in deciding whether to accept a risk or treat it. Based on this criterion, it is determined which of the risks identified later will be unconditionally accepted and excluded from further consideration, and which will be analyzed further and included in the risk response plan.
    2. Identification, analysis and assessment of risks. To make a decision regarding a risk, it must be unambiguously identified and assessed in terms of the damage from its realization and the likelihood of that realization. Damage assessment measures the impact of the risk on the organization's IT assets and the business processes they support; probability assessment analyzes how likely the risk is to materialize. Both estimates can be based on identifying and analyzing the vulnerabilities inherent in the IT assets the risk may affect, and the threats that can be realized by exploiting those vulnerabilities. Depending on the methodology used, the attacker model, information about the organization's business processes and other factors relevant to the realization of the risk, such as the political, economic, market or social situation in the organization's environment, can also serve as input data. Risks can be assessed with a qualitative, a quantitative or a mixed approach. The advantage of the qualitative approach is its simplicity and the minimal time and labor it requires; its limitations are a lack of clarity and the difficulty of using the results for economic justification and for assessing the feasibility of investing in risk response measures. The advantage of the quantitative approach is the precision of the estimates, the clarity of the results and the ability to compare the value of a risk, expressed in money, with the investment required to respond to it; its disadvantages are complexity, high labor intensity and long duration.
    3. Risk ranking. To prioritize the response to risks and subsequently develop a response plan, all risks must be ranked. Depending on the methodology used, the criticality criteria applied in ranking may include the damage from realization of the risk, the likelihood of realization, the IT assets and business processes affected by the risk, public outcry and reputational damage from its realization, etc.
    4. Making a risk decision and developing a risk response plan. To determine the set of risk response measures, the identified and assessed risks are analyzed in order to make one of the following decisions regarding each of them:
      • Risk avoidance;
      • Acceptance of risk;
      • Transfer of risk;
      • Risk reduction.
      The decision made for each risk should be recorded in the risk response plan. Depending on the methodology used, this plan may also contain the following information needed to respond to risks:
      • Responsible for response;
      • Description of response measures;
      • Assessment of the investment required for the response measures;
      • The timing of the implementation of these measures.
    5. Implementation of risk response measures. To implement the response, the responsible persons organize the execution of the actions described in the risk response plan within the required time frame.
    6. Evaluation of the effectiveness of implemented measures. To ensure that the measures applied in accordance with the response plan are effective and that the level of risk is acceptable to the organization, the effectiveness of each implemented response is evaluated, and the organization's risks are regularly re-identified, analyzed and assessed.
    Let us consider the best-known information security risk management methodologies: CRAMM, COBIT for Risk, FRAP, Octave and Microsoft.

    Overview of the CRAMM methodology

    The CRAMM method (CCTA Risk Analysis and Management Method), developed in 1985 by the UK government's Central Computer and Telecommunications Agency (CCTA), is based on the information security management standards of the BS 7799 series (since superseded by the ISO/IEC 27000 series) and describes an approach to qualitative risk assessment. The transition from quantitative values to the qualitative scale is made with special tables that establish the correspondence between quantitative and qualitative indicators. Risk assessment is based on an analysis of the business value of each IT asset, its vulnerabilities, the threats to it and the likelihood of their realization.

    The CRAMM risk management process consists of the following steps:

    1. Initiation. At this stage, a series of interviews is conducted with the stakeholders of the risk analysis, including those responsible for the operation, administration, security and use of the IT assets for which the analysis is performed. The result is a formalized description of the area of study and its boundaries, and the list of persons involved in the risk analysis.
    2. Identification and Valuation of Assets. A list of the IT assets used by the organization within the previously defined area of study is compiled. According to the CRAMM methodology, IT assets can be of the following types:
      • Data;
      • Software;
      • Physical assets.
      For each asset, its criticality for the organization's activities is determined and, together with representatives of the departments that use the asset in their work, the consequences for the organization of a breach of its confidentiality, integrity and availability are assessed.
    3. Threat and Vulnerability Assessment. In addition to assessing the criticality of IT assets, an important part of the CRAMM methodology is assessing the probability of threats and the vulnerabilities of IT assets. The methodology contains tables describing the correspondence between IT asset vulnerabilities and the threats that can affect those assets through them, as well as tables describing the damage to IT assets if these threats materialize. This stage is performed only for the most critical IT assets, for which the basic set of information security measures is insufficient; the actual vulnerabilities and threats are determined by interviewing the persons responsible for administering and operating the assets. For all other IT assets, the CRAMM methodology prescribes a set of basic information security measures.
    4. Risk Calculation. The risk is calculated as Risk = P(realization) * Damage, where the probability of realization is P(realization) = P(threat) * P(vulnerability). At this stage, for each IT asset the requirements for the set of information security measures are expressed on a scale from "1" to "7", where "1" corresponds to the minimum required set of measures and "7" to the maximum.
    5. Risk Management. Based on the results of the risk calculation, the CRAMM methodology determines the required set of information security measures using a special catalog of around 4,000 measures. The set of measures recommended by the methodology is compared with the measures the organization has already implemented. As a result, areas are identified that require additional protection measures, and areas where protection measures are excessive. This information is used to draw up an action plan for changing the set of protection measures used in the organization so as to bring the risk level down to the required level.
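    The following is an added example, not code from the original text or from the CRAMM tool. It carries the generic process described above (assessment of probability and damage, ranking, comparison with the risk appetite, choice of a treatment option, check of the residual risk) and the CRAMM calculation step in working Python, so that the qualitative and quantitative views of the same risk can be compared side by side. The formulas Risk = P(realization) * Damage and P(realization) = P(threat) * P(vulnerability) are taken from the text; the probability and damage bands, their combination into a 1..7 level, the treatment rules, the sample assets and the risk appetite value are this example's own constructed assumptions, not CRAMM's published tables or real data.

```python
"""Added example: a minimal information security risk register.

Formulas from the text: Risk = P(realization) * Damage and
P(realization) = P(threat) * P(vulnerability). Everything else (the
probability and damage bands, their combination into a 1..7 level, the
treatment rules, the sample data and the risk appetite) is this example's
own assumption and is not taken from CRAMM or from any real organization.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    p_threat: float              # probability that the threat is attempted within a year (0..1)
    p_vuln: float                # probability the attempt succeeds given the vulnerability (0..1)
    damage: float                # single-loss expectancy, in currency units
    control_cost: float = 0.0    # annual cost of the candidate mitigation (0 = none proposed)
    control_effect: float = 0.0  # fraction of P(realization) the mitigation removes (0..1)

    def p_realization(self) -> float:
        # P(realization) = P(threat) * P(vulnerability)
        return self.p_threat * self.p_vuln

    def ale(self) -> float:
        # Risk = P(realization) * Damage; with annual probabilities this is the
        # annualized loss expectancy (ALE), the quantitative view of the risk.
        return self.p_realization() * self.damage

    def residual_ale(self) -> float:
        # Expected annual loss that remains after the candidate mitigation is applied.
        return self.p_realization() * (1.0 - self.control_effect) * self.damage


# Hypothetical banding tables as (upper bound, band); real methodologies publish their own.
PROB_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (float("inf"), 4)]
DAMAGE_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (float("inf"), 4)]


def _band(value: float, bands) -> int:
    for upper, band in bands:
        if value < upper:
            return band
    return bands[-1][1]


def qualitative_level(r: Risk) -> int:
    """Combine a 1..4 probability band and a 1..4 damage band into a 1..7 level.

    p + d - 1 spans exactly 1..7, so the result has the same range as the
    requirement scale described in the text; the mapping itself is an assumption.
    """
    return _band(r.p_realization(), PROB_BANDS) + _band(r.damage, DAMAGE_BANDS) - 1


def decide(r: Risk, appetite: float) -> str:
    """Choose one of the four treatment options against the risk appetite (an ALE ceiling)."""
    if r.ale() <= appetite:
        return "accept"                      # within appetite: no further treatment
    saving = r.ale() - r.residual_ale()      # expected loss avoided per year by the control
    if r.control_effect > 0 and r.residual_ale() <= appetite and r.control_cost <= saving:
        return "reduce"                      # the control pays for itself and reaches appetite
    # No cost-justified control brings the risk within appetite; what remains is to
    # move the loss to a third party (insurance, outsourcing) or to stop the activity.
    return "transfer or avoid"


def rank(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected annual loss, highest first (the ranking step)."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def risk_register(risks: List[Risk], appetite: float) -> List[Tuple[str, str, int, int, str]]:
    """Rows of (asset, threat, rounded ALE, 1..7 level, decision) in priority order."""
    return [(r.asset, r.threat, round(r.ale()), qualitative_level(r), decide(r, appetite))
            for r in rank(risks)]


# Constructed sample data: four hypothetical assets, figures in arbitrary currency units.
SAMPLE = [
    Risk("customer DB", "SQL injection via web app", 0.9, 0.3, 800_000, 40_000, 0.95),
    Risk("file server", "ransomware via phishing", 0.8, 0.5, 250_000, 30_000, 0.8),
    Risk("office printers", "firmware tampering", 0.1, 0.2, 5_000),
    Risk("SCADA HMI", "remote access abuse", 0.5, 0.6, 5_000_000, 1_200_000, 0.5),
]
APPETITE = 25_000  # assumed: the organization tolerates up to this expected annual loss per risk

if __name__ == "__main__":
    for asset, threat, ale, level, decision in risk_register(SAMPLE, APPETITE):
        print(f"{asset:16} {threat:28} ALE={ale:>9} level={level} -> {decision}")
```

    The register shows the two views diverging in a useful way: the customer database and the file server land on the same qualitative level, yet their expected annual losses differ by a factor of two, which is exactly the distinction the text says a purely qualitative approach cannot express when an investment has to be justified. The SCADA case shows the other failure mode: the only available control costs more than the loss it avoids and still leaves the residual risk above appetite, so "reduce" is not a defensible decision and the risk has to be transferred or the exposure removed.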
    From the point of view of practical application, the CRAMM methodology has the following advantages:
    • It is a repeatedly proven method, around which considerable experience and professional competence have accumulated; the results of applying CRAMM are recognized by international institutions;
    • A clear, formalized description of the methodology minimizes the possibility of errors in implementing the risk analysis and management processes;
    • The availability of risk analysis automation tools minimizes the labor and time needed for risk analysis and management activities;
    • Catalogs of threats, vulnerabilities, consequences and information security measures lower the requirements for special knowledge and competence on the part of those who directly perform the risk analysis and management activities.
    However, the CRAMM method also has the following disadvantages:
    • Collecting the initial data is complex and laborious and requires significant resources, either within the organization or from outside;
    • Implementing the information security risk analysis and management processes consumes large amounts of resources and time;
    • Involving a large number of stakeholders requires significant effort to organize joint work, communicate within the project team and coordinate the results;
    • The impossibility of expressing risks in money makes it difficult to use the risk assessment results in a feasibility study of the investments required to implement information security tools and methods.
    CRAMM is widely used by both government and commercial organizations around the world and is the de facto standard for information security risk management in the UK. The methodology can be applied successfully in large organizations focused on international cooperation and compliance with international management standards that are implementing information security risk management for the first time and want to cover the entire organization at once. Such organizations must, however, be able to allocate significant resources and time to applying CRAMM.

    Overview of the COBIT for Risk methodology

    The COBIT for Risk methodology was developed by ISACA (Information Systems Audit and Control Association) in 2013 and is based on established risk management practices (COSO ERM, ISO 31000, ISO/IEC 27xxx, etc.). The methodology considers information security risks in relation to the risks of the organization's core activities and describes approaches to establishing the information security risk management function in an organization and to the processes of qualitative analysis and management of information security risks.

      When implementing the function and process of risk management in an organization, the methodology identifies the following components that affect both information security risks and the process of managing them:
      • Principles, policies, procedures of the organization;
      • processes;
      • Organizational structure;
      • Corporate culture, ethics and rules of conduct;
      • Information;
      • IT services, IT infrastructure and applications;
      • People, their experience and competencies.

      In terms of organizing the information security risk management function, the methodology defines and describes the requirements for the following components:
      • Required process;
      • Information flows;
      • Organizational structure;
      • People and competencies.
      The main element of information security risk analysis and management in accordance with the methodology are risk scenarios. Each scenario is "a description of an event that, if it occurs, could lead to an uncertain (positive or negative) impact on the achievement of the organization's objectives." The methodology contains more than 100 risk scenarios covering the following impact categories:
      • Creation and maintenance of IT project portfolios;
      • Program / project life cycle management;
      • Investments in IT;
      • Expertise and skills of IT staff;
      • Operations with personnel;
      • Information;
      • Architecture;
      • IT infrastructure;
      • Software;
      • Inefficient use of IT;
      • Selection and management of IT providers;
      • Compliance with regulatory requirements;
      • Geopolitics;
      • Theft of infrastructure elements;
      • Malicious software;
      • Logic attacks;
      • Technogenic impact;
      • Environment;
      • Natural phenomena;
      • Innovation.
      For each risk scenario, the methodology defines the degree to which it belongs to each type of risk:
      • Strategic risks - risks associated with missed opportunities to use IT to develop and improve the efficiency of the organization's core activities;
      • Project risks - risks associated with the influence of IT on the creation or development of existing processes of the organization;
      • IT management and IT service delivery risks are risks associated with ensuring the availability, stability and provision of IT services with the required level of quality to users, problems with which can lead to damage to the organization's core business.
      Each risk scenario contains the following information:
      • Threat source type - internal/external.
      • Type of threat - malicious action, natural phenomenon, error, etc.
      • Description of the event - access to information, destruction, modification, disclosure of information, theft, etc.
      • Types of assets (components) of the organization that are affected by the event - people, processes, IT infrastructure, etc.
      • Event time.
      If a risk scenario is realized, the organization's activities suffer damage. Thus, when analyzing information security risks in accordance with the COBIT for Risk methodology, the risk scenarios relevant to the organization are identified together with the risk mitigation measures aimed at reducing the likelihood of these scenarios. Each identified risk is then checked against the organization's risk appetite, after which one of the following decisions is made:
      • Risk avoidance;
      • Acceptance of risk;
      • Transfer of risk;
      • Risk reduction.
      Further risk management is carried out by analyzing the residual risk level and deciding on the need to implement additional risk mitigation measures. The methodology contains recommendations for implementing risk mitigation measures for each type of organizational component.

      From the point of view of practical application, the following advantages of the COBIT for Risk methodology can be distinguished:
      • Connection with the common COBIT library and the ability to use approaches and "IT controls" (risk mitigation measures) from related areas, allowing you to consider information security risks and mitigation measures in relation to the impact of risks on the organization's business processes;
      • A repeatedly proven method, by which significant experience and professional competencies have been accumulated, and the results of which are recognized by international institutions;
      • The presence of a clear formalized description of the methodology allows minimizing errors in the implementation of risk analysis and management processes;
      • Catalogs of risk scenarios and "IT controls" make it possible to simplify the requirements for special knowledge and competence of the direct executors of risk analysis and management activities;
      • The ability to use the methodology when conducting audits allows you to reduce labor costs and the time required to interpret the results of external and internal audits.
      At the same time, the COBIT for Risk methodology has the following disadvantages and limitations:
      • The high complexity and laboriousness of collecting initial data requires the involvement of significant resources either within the organization or from outside;
      • The involvement of a large number of stakeholders requires significant costs for organizing joint work, allocating time for the involved persons to communicate within the project team and agree on the results with all stakeholders;
      • The lack of the possibility of assessing risks in money makes it difficult to use the results of information security risk assessment when justifying the investments necessary for the implementation of information security tools and methods.
      This method is used by both government and commercial organizations around the world. It is most suitable for large technology organizations, or organizations whose core business depends heavily on information technology, that already use (or plan to use) the COBIT standards and methodologies for IT management and have the resources and competencies to do so. In that case, information security risk management processes can be effectively integrated with the general IT management processes, and the resulting synergy optimizes the cost of implementing the analysis and management of information security risks.