
An illustration of the application of Failure Mod

(FMEA) techniques to the analysis of inform


Introduction and acknowledgement

The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to dem
security risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and reformatting

Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.

The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.

The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria

Copyright
This work is copyright © 2008, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribu
reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commer
Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.

Disclaimer
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the
information assets and by the framing of risks being considered. For these reasons, the process is best conducted by a
assessing and managing information security risks, and (b) the organization, its internal and external situation with respect
anyone. It is impossible to guarantee that all risks have been considered and analyzed correctly. Some very experienced pr
and we have some sympathy with that viewpoint.
The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other su
adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because t
security risk does not necessarily mean that it can be discounted. Organizations with immature security management proces
are not even recognized, due to inadequate incident detection and reporting processes.

Guideline to Carry out a Risk Assessment Usi
Important notes:
This method does not consider asset values. Risks are identified for each asset and prioritized without taking account of the a
The cumulative risk for the identified asset for each threat is ascertained by the Risk Priority Number (RPN).
Each asset can have more than one failure mode and for each failure mode there can be more than one cause.
For more clarification see the comments on the header in each cell of the FMEA sample worksheet

How to carry out the Risk Assessment (RA) using FMEA:


1. Identify the businesses or the services rendered by the department under the scope of RA.
2. Compute the assets that deliver or support the business or service identified.
3. Write down the asset number (to avoid duplication).
4. Write down the function of the asset in delivering or maintaining the identified business or service.
5. Now identify the failure modes for the identified function. Please note that there could be more than one failure mode for each
6. Now identify the effect, if the identified failure mode happens. That is, if the identified failure mode happens what will be the effect
7. Now refer to the severity chart and choose the number relevant to the effect of the failure mode.
8. Now identify the cause for the failure mode. Please note that each failure mode can have more than one cause.
9. Now refer to the probability chart and choose the number that is more relevant to the frequency of the cause happening.
10. Now list down the current controls. Kindly categorize the controls as preventive and detective controls. Write each control in se
11. Now refer to the detectability chart and choose a number relevant to the effectiveness of the controls.
12. You can now see the Risk Priority Number calculated for a failure mode of the respective asset function.
13. Now if the RPN is not under the acceptable value then the risk status shows "HIGH RISK", recommendation to mitigate each o
    down. Kindly list each control in separate rows.
14. Now identify who will implement the recommended control and by what target date the recommended control would be implem
15. Now if the RPN is under the acceptable value then the risk status shows "LOW RISK". Else it displays as HIGH RISK. If it is HI
    repeated from step 1.
16. Refer to the Probability Chart.
17. Refer to the Detectability Chart.
18. New RPN is calculated. Compare it with the acceptable norms and if not satisfying then redo the same process.

Using prioritized risks


Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed/adjusted lat
Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked by RPN.
5% of 1000 (the maximum RPN value) is 50. So any RPN above 50 requires review and (probably) control improvements.
All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted
If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say 15% to addres
Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence a
The prioritized list of risks provides management with a rational basis for determining how much resource to apply to risk reduc
down the list if more resources are allocated, and vice versa.
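
The ranking and HIGH RISK / LOW RISK flagging described above, as an added example that is not part of the original spreadsheet. It assumes the standard FMEA formula RPN = Severity x Probability x Detectability (consistent with the maximum of 1000 quoted above) and treats an RPN of exactly 50 as LOW RISK; the class and function names are hypothetical.

```python
from dataclasses import dataclass

MAX_RPN = 10 * 10 * 10               # each rating is 1..10, so the maximum RPN is 1000
ACCEPTABLE_RPN = MAX_RPN * 5 // 100  # the 5% starting value from the text -> 50


@dataclass(frozen=True)
class FailureMode:
    sl_no: int
    severity: int
    probability: int
    detectability: int

    def __post_init__(self):
        # Reject ratings that fall outside the 1..10 scales of the three charts.
        for name in ("severity", "probability", "detectability"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer 1..10, got {value!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.probability * self.detectability


def risk_status(rpn, acceptable=ACCEPTABLE_RPN):
    # Assumption: only RPNs above the acceptable value are HIGH RISK.
    return "HIGH RISK" if rpn > acceptable else "LOW RISK"


def prioritize(modes, acceptable=ACCEPTABLE_RPN):
    """Return (sl_no, rpn, status) tuples, highest RPN first."""
    ranked = sorted(modes, key=lambda m: (-m.rpn, m.sl_no))
    return [(m.sl_no, m.rpn, risk_status(m.rpn, acceptable)) for m in ranked]


# Sl.No., Sev, Prob, Det copied from the FMEA Sample rows on this page.
SAMPLE = [
    FailureMode(8, 8, 2, 4), FailureMode(4, 7, 2, 4), FailureMode(9, 10, 2, 2),
    FailureMode(7, 5, 6, 1), FailureMode(5, 6, 1, 5), FailureMode(3, 7, 2, 2),
    FailureMode(6, 10, 2, 1), FailureMode(2, 7, 2, 1), FailureMode(1, 7, 2, 1),
]
# The sample's "New" ratings for the two HIGH RISK rows after the recommended
# controls; the order of the three ratings does not change the product.
REASSESSED = [FailureMode(8, 5, 3, 2), FailureMode(4, 5, 3, 2)]

if __name__ == "__main__":
    for label, rows in (("Before", SAMPLE), ("After", REASSESSED)):
        for sl_no, rpn, status in prioritize(rows):
            print(f"{label}: Sl.No. {sl_no}  RPN {rpn:3d}  {status}")
```
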
FMEA Sample

Department: XYZ Department

Sl.No. | Business / Service | Asset Name | Asset Number | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls: Preventive Controls
8 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | IP Spoofing | Diversion of sensitive data traffic, fraud | 8 | Procedures not followed | 2 | Procedures available
4 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 |
9 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 | Procedures available
7 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | User awareness | CIA Compromised | Disclosure of customer database; commercial and privacy issues | 5 | Procedures not followed | 6 | Policies Defined
5 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | Authentication mechanism using legacy systems having improper configuration | User may not have access to the requested service | Staff unable to work; backlogs; bad PR | 6 | Policies not fully implemented | 1 | Policies Defined
3 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | Entry for External Hackers | Disclosure or modification of business records; prosecution; bad PR; customer defection | 7 | Procedures not followed | 2 | Procedures available
6 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | DDOS Attack | Inability to process electronic transactions; bad PR; customer defection | 10 | Procedures not followed | 2 |
2 | Protecting IT Assets | Firewall | 5000 | To identify trusted zones by encryption | Encryption level (56 bit or 128 bit) mismatch | Data will be exposed as plain text | Disclosure of customer database; commercial and privacy issues | 7 | Policies not fully implemented | 2 | Policies Defined
1 | Protecting IT Assets | Firewall | 5000 | To block unauthorized requests | Rules not appropriately configured | Data Theft | Commercial and privacy consequences | 7 | Procedures not available | 2 | Nil

Detective controls, RPN, recommended controls and action results for the same rows:

Sl.No. | Current Controls: Detective Controls | Det | RPN | Recommended Controls (Preventive / Detective) | Responsibility & Target Completion Date | Implemented Controls (Preventive / Detective) | New Sev | New Occ | New Det | New RPN
8 | | 4 | 64 | Increase audit frequency | XYZ by end Jan 2006 | Increase audit frequency | 5 | 3 | 2 | 30
4 | Log Monitoring | 4 | 56 | Increase audit frequency | XYZ by end Jan 2006 | Increase audit frequency | 5 | 3 | 2 | 30
9 | | 2 | 40 | Increase audit frequency | XYZ by end Jan 2006 | Increase audit frequency | 2 | 5 | 2 | 20
7 | | 1 | 30 | Not Required / Not Required | Business owner to formally accept risk | | 5 | 2 | 2 | 20
5 | | 5 | 30 | User Awareness | XYZ by end March 2006 | User Awareness | 1 | 5 | 3 | 15
3 | | 2 | 28 | Increase audit frequency | XYZ by end Jan 2006 | Increase audit frequency | 1 | 4 | 2 | 8
6 | Log Monitoring | 1 | 20 | Increase audit frequency | XYZ by end Jan 2006 | Increase audit frequency | 1 | 4 | 2 | 8
2 | | 1 | 14 | User Awareness | XYZ by end March 2006 | User Awareness | 2 | 2 | 2 | 8
1 | | 1 | 14 | User Awareness | XYZ by end March 2006 | User Awareness | 2 | 2 | 1 | 4

Severity

Effect | SEVERITY of Effect | Ranking
Catastrophic | Resource not available / Problem unknown | 10
Extreme | Resource not available / Problem known and cannot be controlled | 9
Very High | Resource not available / Problem known and can be controlled | 8
High | Resource Available / Major violation of policies | 7
Moderate | Resource Available / Major violations of process | 6
Low | Resource Available / Major violations of procedures | 5
Very Low | Resource Available / Minor violations of policies | 4
Minor | Resource Available / Minor violations of process | 3
Very Minor | Resource Available / Minor violations of procedures | 2
None | No effect | 1

Probability

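PROBABILITY of Failure | Failure Prob | Ranking
Very High: Failure is almost inevitable | >1 in 2 | 10
Very High: Failure is almost inevitable | 1 in 3 | 9
High: Repeated failures | 1 in 8 | 8
High: Repeated failures | 1 in 20 | 7
Moderate: Occasional failures | 1 in 80 | 6
Moderate: Occasional failures | 1 in 400 | 5
Moderate: Occasional failures | 1 in 2,000 | 4
Low: Relatively few failures | 1 in 15,000 | 3
Low: Relatively few failures | 1 in 150,000 | 2
Remote: Failure is unlikely | <1 in 1,500,000 | 1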

Detectability

Detection | Likelihood of DETECTION | Ranking
Absolute Uncertainty | Control cannot prevent / detect potential cause/mechanism and subsequent failure mode | 10
Very Remote | Very remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 9
Remote | Remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 8
Very Low | Very low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 7
Low | Low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 6
Moderate | Moderate chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 5
Moderately High | Moderately High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 4
High | High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 3
Very High | Very high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode | 2
Almost Certain | Control will prevent / detect potential cause/mechanism and subsequent failure mode | 1
