Professional Documents
Culture Documents
Apeiron
Prezentacija 2
Content
Introduction
Scope of ISO/IEC 27005:2011
Structure of the Standard
Proposed method to Information Security Risk
Management
Conclusion
Introduction
1 – 24 1
25 – 49 2
50 – 74 3
75 – 99 4
100 – 125 5
Asset Categories in the Overall Risk Analysis
Databases
Data Rooms
Information systems
Authentication services
Computer network
Internet services
Workstations
Collaboration services
User assets
Human resources
Offices
Documentation
Proposed method - Vulnerabilities Identification
The threats that are identified are the ones which are the most
frequent and characteristic for areas of the Organization.
Threats are grouped in three categories:
Natural disasters
Technological threats
Human threats
Proposed method - Identification and
assessment of threats and vulnerabilities
In a matrix below, joint impact levels of threats and vulnerabilities
are given.
Levels are estimated with L (Low), Medium (M) and H (High).
In the matrix, joint impacts of threats and vulnerabilities on the
asset itself are given, depending on normalized asset value.
L M H
Vulnerability
levels
Threats L M H L M H L M H
levels
Asset 1 1 2 3 2 3 4 3 4 5
value
2 2 3 4 3 4 5 4 5 6
3 3 4 5 4 5 6 5 6 7
4 4 5 6 5 6 7 6 7 8
5 5 6 7 6 7 8 7 8 9
Measuring of security risks and incident ranking
1. Measure of an impact which given security incident has on
relating assets, i.e. a measure of an possible regulation,
financial and reputational consequences to the Organization
by losses of CIA for the given assets (ranked from 1 to 10
where 10 is the biggest impact)
2. Probability that the incident will happen (from 1 to 5 where 5
is the biggest probability)
3. A risk measure is a multiple of 1 and 2
4. Group value of threats-vulnerabilities level from the previous
table which is an average of all possible combination of
threats and vulnerabilities leading to the given incident
5. A risk is calculated as a multiple of risk measure (3) and
group value of threats-vulnerabilities level (4)
6. Risk ranking – according to highest risk value (5)
Conclusions