A Reference Risk Register for Information Security According to ISO/IEC 27005
Gonçalo Bernardo Mateus
Thesis to obtain the Master of Science Degree in
Engenharia de Telecomunicações e Informática
Supervisor(s): Prof. José Luís Brinquete Borbinha
Examination Committee
Chairperson: Prof. Paulo Jorge Pires Ferreira
Supervisor: Prof. José Luís Brinquete Borbinha
Member of the Committee: Prof. André Ferreira Ferrão e Couto Vasconcelos
November 2016
Acknowledgments
I would like to thank Professor José Borbinha and Ricardo Vieira for the amazing support during this project. Without their help, I believe I wouldn't have finished it. I would also like to thank my friends and coworkers at Muzzley. Ultimately, I would like to dedicate the work done to my friends and family. A very special thank you to my parents, João and Anabela, to my brother Hugo and to my grandparents and uncles. I would also like to thank Elisa Simion, for the great support on these last few months.
Resumo (Portuguese Abstract)
Nowadays, one of the biggest concerns is ensuring that information is kept secure, without putting organizations' assets at risk. Risk management has become an essential activity, allowing organizations to assess risks and identify the appropriate procedures for their mitigation. Despite the existence of a consolidated body of knowledge, organizations, and risk managers in particular, still struggle to identify the most suitable information security risk management model to be used in the risk management process. The objective of this document is to analyse the information security body of knowledge in order to establish a reference information security risk management model. This proposed model will be applied to the case of a real organization, following a proposed process, ending with the development of a reference risk register, which more organizations can potentially use to record information in an information security risk management process.
Keywords: Risk, Mitigate, Management, Information, Register, Security.
Abstract
Nowadays, one of the biggest concerns is to ensure that information is kept secure, without putting organizations' assets at risk. Risk management has become an essential activity, allowing organizations to assess risks and identify procedures to mitigate them. Despite the existence of a consolidated body of knowledge, organizations, and risk managers in particular, still struggle to identify the most suitable information security risk management model to use in the risk management process. The purpose of this document is to analyse the information security body of knowledge in order to establish a reference information security risk management model. This proposed model will be applied to a real-life organization, following a proposed process, ending with the development of a reference risk register, which more organizations can potentially use to record information in an information security risk management process.
Keywords: Risk, Mitigate, Management, Information, Register, Security.
Table of Contents
Acknowledgments ... iii
Resumo ... v
Abstract ... vi
Table of Contents ... vii
List of Figures ... ix
List of Tables ... xi
List of Acronyms ... xiii
1. Introduction ... 1
1.1. Information Security ... 1
1.2. Risk Management ... 2
1.3. Research Problem and Proposed Solution ... 2
1.4. Research Methodology ... 3
1.5. Document Structure ... 4
2. Related Work ... 5
2.1. Risk Management Fundamentals ... 5
2.2. Information Security Fundamentals ... 8
2.2.1. ISO/IEC 27005 ... 9
2.2.2. COBIT ... 12
2.2.3. OCTAVE ... 12
2.2.4. NIST ... 13
2.2.5. FAIR ... 14
2.3. ISSRM ... 15
3. Problem Analysis ... 19
3.1. Analysis of ISRM References ... 19
3.2. Analysis of the Core Domain Model Concepts ... 21
3.2.1. Asset ... 21
3.2.2. Threat ... 21
3.2.3. Vulnerability ... 22
3.2.4. Control ... 22
3.2.5. Risk ... 23
3.2.6. Event ... 23
3.2.7. Consequence ... 24
3.2.8. Impact ... 24
4. Application ... 26
4.1. Domain Model Proposal ... 26
4.2. Case Study ... 27
4.3. Process Description ... 28
4.3.1. Integrate the information ... 29
4.3.2. Structure the information ... 30
4.3.3. Complement the information ... 33
5. Conclusions and Future Work ... 37
5.1. Conclusions ... 37
5.2. Lessons ... 37
5.3. Future Work ... 38
References ... 39
Appendixes ... 40
Appendix A - Translation of Portuguese terms to English ... 40
Appendix B - Sample of Case Study's consolidated risk register ... 41
Appendix C - Sample of first risk register after analysis of the Case Study's risks ... 43
Appendix D - Events extracted from Case Study's consolidated risk register ... 45
Appendix E - Controls extracted from Case Study's consolidated risk register ... 46
Appendix F - Consequences extracted from Case Study's consolidated risk register ... 47
Appendix G - Asset list from ISO/IEC 27005 ... 47
Appendix H - Threat list from ISO/IEC 27005 ... 48
Appendix I - Vulnerabilities list from ISO/IEC 27005 ... 49
Appendix J - Sample of last proposed risk register ... 50
Appendix K - Sample of final version of risk register sent by the Case Study ... 54