Information Security Risk Management

Businesses should not expect to eliminate all risk. They should instead seek to identify and achieve a level of risk that is acceptable to the organization.


What is Information Security Risk Management (ISRM)?

Information security risk management, or ISRM, is the process of managing the risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization's assets. The end goal of this process is to treat risks in accordance with an organization's overall risk tolerance. Businesses should not expect to eliminate all risk; rather, they should seek to identify and achieve an acceptable risk level for their organization.

Stages of ISRM

Risk identification

  • Identify assets: Which data, systems, or other assets would be considered your organization's "crown jewels"? For example, which assets would have the most significant impact on your organization if their confidentiality, integrity, or availability were compromised? It's not hard to see why the confidentiality of data like social security numbers and intellectual property is important. But what about integrity? For example, if a business is subject to Sarbanes-Oxley (SOX) regulatory requirements, a small integrity issue in financial reporting data could result in enormous costs. Or, if an organization is an online music streaming service and the availability of music files is compromised, then it could lose subscribers.
  • Identify vulnerabilities: What system-level or software vulnerabilities put the confidentiality, integrity, and availability of assets at risk? What weaknesses or deficiencies in organizational processes could result in information being compromised?
  • Identify threats: What are the potential causes of assets or information becoming compromised? For example, is your organization's data center located in a region where environmental threats such as tornadoes and floods are more prevalent? Are industry peers being actively targeted and attacked by a known criminal group, hacktivist group, or state-sponsored entity? Threat modeling is an important activity that helps add context by tying risks to known threats and the different ways those threats can cause risks to become realized through the exploitation of vulnerabilities.
  • Identify controls: What measures do you already have in place to protect the identified assets? A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you've identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination. A compensating control is a "safety net" control that addresses a risk indirectly. Continuing the example above, a compensating control could be a quarterly access review process. During this review, the application user list is cross-referenced with the company's user directory and termination lists to find users with unwarranted access and then reactively remove that unauthorized access when it's found.

Information security risk assessment

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define a risk. There are many frameworks and approaches for this, but you will probably use some variation of this equation:

Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) - security controls

Note: this is a very simplified analogy of the formula. Calculating probabilistic risk is nowhere near this simple, much to everyone's chagrin.

Risk treatment strategies

Once a risk has been assessed and analyzed, an organization will need to select treatment options:

  • Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
    Example: You have identified a vulnerability on a server that stores critical assets, and you patch the vulnerability.
  • Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
    Example: You have identified a vulnerability on a server that stores critical assets, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
  • Transference: Transferring the risk to another entity so your organization can recover from the costs incurred if the risk is realized.
    Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited. (Note: this should be used to supplement risk remediation and mitigation, not to replace them altogether.)
  • Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.
    Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and successful exploitation of the vulnerability is very complex. Therefore, you decide that you do not need to spend time and resources fixing the vulnerability.
  • Risk avoidance: Removing all exposure to an identified risk.
    Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS vendor. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate the sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate the non-sensitive data to other servers.
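As an added example (not code from the original article or from Rapid7), the following Python applies the simplified risk formula above to a small constructed risk register, ranks the entries by residual risk against an assumed tolerance, and shows how the remediation and mitigation options from the list change the score. All scales, values and the tolerance are illustrative assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

@dataclass(frozen=True)
class Risk:
    name: str
    threat: float              # 0..1: how active and capable the threat source is
    exploit_likelihood: float  # 0..1: chance the vulnerability gets exploited
    exploit_impact: float      # 0..1: damage to confidentiality/integrity/availability
    asset_value: float         # 1..10: importance of the asset ("crown jewels" = 10)
    control_credit: float = 0.0  # risk reduction credited to existing controls

    def vulnerability(self) -> float:
        return self.exploit_likelihood * self.exploit_impact

    def inherent(self) -> float:
        """Risk before security controls: threat x vulnerability x asset value."""
        return self.threat * self.vulnerability() * self.asset_value

    def residual(self) -> float:
        """Risk left after subtracting control credit (floored at zero)."""
        return max(0.0, self.inherent() - self.control_credit)

def remediate(r: Risk) -> Risk:
    """Remediation: the flaw is fixed (e.g. patched), so exploit likelihood drops to zero."""
    return replace(r, exploit_likelihood=0.0)

def mitigate(r: Risk, likelihood_factor: float) -> Risk:
    """Mitigation: a firewall rule or similar lowers likelihood but leaves the flaw in place."""
    return replace(r, exploit_likelihood=r.exploit_likelihood * likelihood_factor)

def plan(register: List[Risk], tolerance: float) -> List[Tuple[str, float, str]]:
    """Rank by residual risk; entries above the tolerance need a treatment option
    (remediate / mitigate / transfer / avoid), the rest can be accepted."""
    ranked = sorted(register, key=Risk.residual, reverse=True)
    return [(r.name, round(r.residual(), 2),
             "treat" if r.residual() > tolerance else "accept") for r in ranked]

# Constructed register: every number is an illustrative assumption, not a measured value.
REGISTER = [
    Risk("terminated users keep CRM access", 0.8, 0.7, 0.9, 9, control_credit=1.5),  # quarterly access review
    Risk("unpatched service on isolated server", 0.6, 0.3, 0.2, 2),
    Risk("EOL OS storing sensitive data", 0.9, 0.8, 1.0, 10, control_credit=0.5),
]

if __name__ == "__main__":
    for row in plan(REGISTER, tolerance=1.0):
        print(row)
    eol = REGISTER[2]
    print("mitigated:", mitigate(eol, 0.25).residual(), "remediated:", remediate(eol).residual())
```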

Risk communication strategy

Regardless of how a risk is treated, the decision needs to be communicated within the organization. Stakeholders need to understand the costs of treating or not treating a risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the organization to ensure the right people are engaged at the right times in the process.

Rinse and repeat

This is an ongoing process. If you chose a treatment option that requires implementing a control, that control needs to be continuously monitored. You are likely inserting this control into a system that changes over time. Ports being opened, code being changed, and any number of other factors could cause your control to break down in the months or years following its initial implementation.

Ownership of the ISRM process

There are many stakeholders in the ISRM process, and each of them has different responsibilities. Defining the various roles in this process, and the responsibilities tied to each role, is a key step in ensuring the process runs smoothly.

Process owners: At a high level, an organization might have a finance team or audit team that owns its Enterprise Risk Management (ERM) program, while the information security or information assurance team would own the ISRM program, which feeds into the ERM. The members of this ISRM team need to be on the ground, continuously driving the process forward.

Risk owners: Individual risks should be owned by the members of an organization who end up using their budget to pay for fixing the problem. In other words, the risk owner is responsible for ensuring the risk is treated accordingly. If you approve the budget, you own the risk.

Beyond risk owners, there will also be other types of stakeholders who are affected by, or involved in implementing, the selected treatment option, such as system administrators/engineers, system users, and so on.

Here's an example: Your information security team (process owner) is driving the ISRM process forward. A risk to the availability of your company's customer relationship management (CRM) system is identified, and together with your head of IT (the CRM system owner) and the individual in IT who manages this system on a day-to-day basis (CRM system admin), your process owner gathers the information needed to assess the risk.

Assuming your CRM software is in place to support the company's sales department, unavailability of the data in the CRM software would ultimately affect sales, so the head of your sales department (i.e. the Chief Sales Officer) would likely be the risk owner. The risk owner is responsible for deciding on implementing the different treatment plans offered by the information security team, system admins, system owners, etc. and accepting any remaining risk; however, your system owner and system admin will likely be involved once again when it comes time to implement the treatment plan. System users—the salespeople who use the CRM software on a daily basis—are also stakeholders in this process, since they may be affected by any treatment option.

Cybersecurity risk management is an ongoing task, and its success will depend on how well risk assessments, communication plans, and roles are maintained. Identifying the key people, processes, and technology to help address the steps above will create a solid foundation for a risk management strategy and program in your organization, one that can be developed further over time.
