About ISO 27001 Risk Statement and Controls
On the ISO27000 Forum list, someone asked:
I'm looking for Risk statement for each ISO 27k control; meaning
"what is the risk of not implementing a control".
That's a very ingenious way of looking at it!
One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?
Ingenious aside, I'd be very careful with an approach like this.
Risks and controlsare not, should not, be 1:1.
Sony backs U.S. ineffective cybersecurity legislation
Image via Wikipedia
http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html
"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said."By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.
To people like us, IT Audit and InfoSec types, 'control' come in 3 forms
- preventative
- detective
- compensatory
It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
Related articles
- Sony backs U.S. cybersecurity legislation (canada.com)
- DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
- Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
- Obama to Introduce Cybersecurity Proposal (circleid.com)
- White House to unveil cybersecurity proposal (theglobeandmail.com)
- What do we need to do to reach "cybersecurity awareness"? (nakedsecurity.sophos.com)
- White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
- Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)
The FBI risk equation
It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:
risk = threat x vulnerability x consequence
rather than solely focusing on threat vectors and actors.
To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a beleive that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.
Look at it this way: what do you have control over?
Why do you think that people like auditors refer to the protective and detective mechanisms as "controls"?
Yes, if you're a 600,000 lb gorilla like Microsoft you can take down one - insignificant - botnet, but the rest of us don't have control over the threat vectors and threat actors.
What do we have control over?
Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the the "vulnerability surface" such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net, why isn't it behind the web server, which in turn is behind a firewall).
Asset to a large extent. Document them. Identify who should be using them and implement IAM.
And very import: we have control over RESPONSE.
Did the FBI equation mention response? I suppose you could say that 'awareness' is a part of a response package. Personally I think that response is a very, very important part of this equation, and its the one you have MOST control over.
And response is - or should be - totally independent of the threats
since it focuses on preserving and recovering the assets.
I think they have it very, very confused and this isn't the most productive, most effective way of going about it. But then the FBI's view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.
But lest face it, most corporations and are not in the business of policing. neither are home users.
Which is why I focus on the issue of "what you have control over".
Related articles by Zemanta
- School Spy Program Used on Students Contains Hacker-Friendly Security Hole (wired.com)
- The Top 10 Reports For Managing Vulnerabilities (lockergnome.com)
- FBI searching for 'Flavor Flav Bandit' (seattlepi.com)
- Why Security Vendors are loosing (tech.bl0x.info)
- Editorial: Flawed F.B.I. Background Checks (nytimes.com)
- FBI details surge in death threats against lawmakers (americablog.com)
