Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall. The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline. The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria.
Copyright
This work is copyright 2008, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers
Disclaimer
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the accuracy of the users' assessment of risk factors, by the definition of information assets and by the framing of the risks being considered. For these reasons, the process is best conducted by a team of people with solid expertise and practical experience of (a) assessing and managing information security risks, and (b) the organization, its internal and external situation with respect to The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other support functions and/or information security consultants) and may be adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because the organization has little if any experience of a particular information security risk does not necessarily mean that it can be discounted. Organizations with immature security management processes
17. Refer to the Probability Chart.
18. Refer to the Detectability Chart.
19. Calculate the new RPN. Compare it with the acceptable norms and, if it is not satisfactory, repeat the same process.

Using prioritized risks

Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed and adjusted later. Following the FMEA method, the risks are assessed, RPNs are calculated and the risks are then ranked by RPN. 5% of 1000 (the maximum RPN value) is 50, so any RPN above 50 requires review and (probably) control improvements. All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted above. If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say, 15% to address lower risks. Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence according to their RPNs. The prioritized list of risks gives management a rational basis for deciding how much resource to apply to risk reduction: the cut-off point moves further down the list if more resources are allocated, and vice versa.
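As an added example (not part of the forum's spreadsheet), the prioritisation rule above in Python: the RPN from the three chart ranks, the 5%-of-1000 cut-off, the top-down ranking and the step 19 re-assessment once a control has been improved. The sample firewall failure modes and their ranks are constructed for illustration, not taken from the sample sheet.

```python
"""RPN prioritisation for a firewall FMEA, as the guidelines above describe.
RPN = Severity x Probability x Detectability, each ranked 1..10 from the
charts, so the maximum RPN is 1000 and the 'top 5%' cut-off is 50."""
from dataclasses import dataclass

MAX_RANK = 10
MAX_RPN = MAX_RANK ** 3  # 1000

@dataclass
class FailureMode:
    name: str
    severity: int       # Severity chart, 10 = catastrophic
    probability: int    # Probability chart, 10 = almost inevitable
    detectability: int  # Detectability chart, 10 = control cannot detect

    def rpn(self) -> int:
        for rank in (self.severity, self.probability, self.detectability):
            if not 1 <= rank <= MAX_RANK:
                raise ValueError(f"{self.name}: rank {rank} outside 1..{MAX_RANK}")
        return self.severity * self.probability * self.detectability

def cutoff(percent: float = 5.0) -> float:
    """Cut-off RPN for the 'N% of the maximum RPN' rule: 5% of 1000 is 50."""
    return MAX_RPN * percent / 100

def prioritise(modes, percent: float = 5.0):
    """Rank by RPN, highest first; anything above the cut-off is HIGH RISK."""
    limit = cutoff(percent)
    ranked = sorted(modes, key=lambda m: m.rpn(), reverse=True)
    return [(m.name, m.rpn(), m.rpn() > limit) for m in ranked]

def reassess(mode: FailureMode, new_detectability: int, percent: float = 5.0):
    """Step 19: new RPN after an improved detective control, and whether it
    now meets the acceptable norm (i.e. is not above the cut-off)."""
    revised = FailureMode(mode.name, mode.severity, mode.probability, new_detectability)
    return revised.rpn(), revised.rpn() <= cutoff(percent)

# Constructed sample rows for the firewall asset; ranks are illustrative, not
# the values from the forum's sample sheet.
SAMPLE = [
    FailureMode("IP spoofing - rules not appropriately configured", 7, 2, 4),
    FailureMode("DDoS attack - inability to process transactions", 10, 2, 3),
    FailureMode("Data theft - disclosure of customer database", 8, 1, 7),
    FailureMode("Encryption level mismatch (56 bit vs 128 bit)", 4, 2, 2),
]

if __name__ == "__main__":
    for name, rpn, high in prioritise(SAMPLE):
        print(f"{rpn:4d}  {'HIGH RISK' if high else 'accept'}  {name}")
```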
FMEA Sample

The sample sheet's row layout did not survive extraction; only the column headings and the individual cells are recoverable. Column headings visible: Sl.No.; Business / Service; Asset Name; Asset Number; Function; Sev; Preventive Controls; Detective Controls; Det; RPN; followed by two further pairs of Preventive Controls / Detective Controls columns. The sheet runs to Sl.No. 8.

Asset (every row): Business / Service "Protecting IT Assets"; Asset Name "Firewall"; Asset Number 5000.

Functions: To identify trusted zones by encryption; To block unauthorized requests.

Failure modes: IP Spoofing; DDOS Attack; Data Theft.

Effects: Disclosure or modification of business records; prosecution; bad PR; customer defection (cause "Procedures not followed", Sev 7, Prob 2). Inability to process electronic transactions; bad PR; customer defection (cause "Procedures not followed", preventive control "Procedures available", Sev 10, Prob 2). Disclosure of customer database; commercial and privacy issues.

Causes: Procedures not followed; Rules not appropriately configured; Encryption level (56 bit or 128 bit) mismatch; Authentication mechanism using legacy systems having improper configuration; User may not have access to the requested service.

Controls: Procedures available; Log Monitoring; Policies Defined; User Awareness; Not Required; Nil.

Other numeric cells (ranks and RPNs, row assignment lost): 64 (under the RPN heading), 56, 40, 30, 28, 20, 15, 14.
Severity

Ranking  Effect        SEVERITY of Effect
10       Catastrophic  Resource not available / Problem unknown
9        Extreme       Resource not available / Problem known and cannot be controlled
8        Very High     Resource not available / Problem known and can be controlled
7        High          Resource Available / Major violation of policies
6        Moderate      Resource Available / Major violations of process
5        Low           Resource Available / Major violations of procedures
4        Very Low      Resource Available / Minor violations of policies
3        Minor         Resource Available / Minor violations of process
2        Very Minor    Resource Available / Minor violations of procedures
1        None          No effect
Probability

PROBABILITY of Failure (ranking runs 9 8 7 6 5 4 3 2 1, highest probability first; failure rates as given on the sheet)
Very High: Failure is almost inevitable
High: Repeated failures (1 in 20; 1 in 80)
Moderate: Occasional failures (1 in 400; 1 in 2,000; 1 in 15,000)
Low: Relatively few failures (1 in 150,000)
Remote: Failure is unlikely (<1 in 1,500,000)
Detectability

Ranking  Detection             Likelihood of DETECTION (chance the control will prevent / detect the potential cause/mechanism and subsequent failure mode)
10       Absolute Uncertainty  Control cannot prevent / detect
9        Very Remote           Very remote chance
8        Remote                Remote chance
7        Very Low              Very low chance
6        Low                   Low chance
5        Moderate              Moderate chance
4        Moderately High       Moderately high chance
3        High                  High chance
2        Very High             Very high chance
1        Almost Certain        Control will prevent / detect