
An illustration of the application of Failure Modes and Effects Analysis (FMEA) techniques to the analysis of information security risks

Introduction and acknowledgement


The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to demonstrate how the FMEA method can be used to analyze information security risks. Subsequently, Bala kindly agreed to donate it to the

Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall. The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline. The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria.

Copyright
This work is copyright 2008, ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers

Disclaimer
Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by the accuracy of the users' assessment of the risk factors, by the definition of the information assets and by the framing of the risks being considered. For these reasons, the process is best conducted by a team of people with solid expertise and practical experience of (a) assessing and managing information security risks, and (b) the organization, its internal and external situation with respect to

The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other support functions and/or information security consultants) and may be adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because the organization has little if any experience of a particular information security risk does not necessarily mean that it can be discounted. Organizations with immature security management processes

Guideline to Carry out a Risk Assessment Using FMEA

Important notes: This method does not consider asset values. Risks are identified for each asset and prioritized without taking account of the asset values. The cumulative risk for each threat to an identified asset is expressed by the Risk Priority Number (RPN), the product of the Severity, Probability and Detectability rankings; each ranking runs from 1 to 10, so the RPN runs from 1 to 1000. Each asset can have more than one failure mode, and each failure mode can have more than one cause. For more clarification see the comments on the header of each cell in the FMEA sample worksheet.

How to carry out the Risk Assessment (RA) using FMEA:

1. Identify the businesses or the services rendered by the department within the scope of the RA.
2. List the assets that deliver or support each business or service identified.
3. Write down the asset number (to avoid duplication).
4. Write down the function of the asset in delivering or maintaining the identified business or service.
5. Identify the failure modes for the identified function. There can be more than one failure mode for each function.
6. Identify the effect if the identified failure mode happens, i.e. what the effect on the business or service will be.
7. Refer to the Severity chart and choose the number relevant to the effect of the failure mode.
8. Identify the cause of the failure mode. Each failure mode can have more than one cause.
9. Refer to the Probability chart and choose the number that best matches the frequency with which the cause happens.
10. List the current controls, categorized as preventive and detective controls. Write each control in a separate row.
11. Refer to the Detectability chart and choose a number reflecting the effectiveness of the controls.
12. The Risk Priority Number is now calculated for the failure mode of the respective asset function.
13. If the RPN is above the acceptable value, the risk status shows "HIGH RISK".
14. A recommendation to mitigate each HIGH RISK item has to be listed. List each recommended control in a separate row.
15. Identify who will implement each recommended control and the target date by which it will be implemented.
16. Once the recommended controls are implemented, re-score the row: if the RPN is within the acceptable value the risk status shows "LOW RISK", otherwise it shows "HIGH RISK". If it is still HIGH RISK, the process has to be repeated from step 1.
17. Refer to the Probability chart.
18. Refer to the Detectability chart.
19. The new RPN is calculated. Compare it with the acceptable norms and, if it does not satisfy them, redo the same process.

Using prioritized risks

Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed and adjusted later. Following the FMEA method, the risks are assessed, RPNs calculated and the risks ranked by RPN. 5% of 1000 (the maximum RPN value, 10 x 10 x 10) is 50, so any RPN above 50 requires review and (probably) control improvements; all risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted above. If the organization is well controlled and has relatively few HIGH RISK items, the 5% may be extended to, say, 15%, i.e. the cutoff moved further down the ranked list, so that lower risks are also addressed. Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence according to their RPNs. The prioritized list of risks gives management a rational basis for deciding how much resource to apply to risk reduction: the cutoff point moves further down the list if more resources are allocated, and vice versa. Because the RPN is the product of three ordinal rankings, two risks with the same RPN can be very different (a severity-10 effect that is reliably detected versus a minor one that nobody would notice), so look at the three component scores as well as the product when deciding what to treat first.
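The scoring and prioritization described in the guideline above, as an added Python example that is not part of the original spreadsheet. It assumes RPN = Severity x Probability x Detectability with the sample's 5% cutoff (an RPN above 50 is HIGH RISK), rounds a frequency that falls between two rows of the Probability chart to the more frequent row (this example's own choice; the chart does not say), and scores a row with no current controls as Detectability 10, which is how the Detectability chart words its rank 10. The sample rows are constructed from the sheet's firewall entries: the sheet shows Sev, Prob and RPN but not Det, so the Det values for the first two rows are chosen to reproduce its RPNs, and the third row's RPN is this example's, not the sheet's.

```python
"""RPN ranking in the style of the ISO27k FMEA sample sheet: RPN = Severity x
Probability x Detectability, each 1..10, so the maximum is 1000 and the sample's
5% cutoff makes any RPN above 50 "HIGH RISK"."""
import dataclasses
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RPN = 10 * 10 * 10
HIGH_RISK_CUTOFF = 0.05 * MAX_RPN  # 50; lowering it brings lower risks into scope

# Probability chart from the sheet as (N, ranking) for a cause rate of "1 in N".
PROBABILITY_CHART = [(2, 10), (3, 9), (8, 8), (20, 7), (80, 6),
                     (400, 5), (2_000, 4), (15_000, 3), (150_000, 2), (1_500_000, 1)]


def probability_rank(one_in: float) -> int:
    """Rank an estimated cause frequency of '1 in one_in' against the chart.
    A frequency between two rows is rounded to the more frequent row (the
    higher rank); that conservative rounding is this example's choice, the
    chart itself does not say. Over 1 in 2 is 10; 1 in 1,500,000 or rarer is 1.
    """
    if one_in <= 0:
        raise ValueError("one_in must be positive")
    rank = 10
    for n, r in PROBABILITY_CHART:
        if n <= one_in:
            rank = r
    return rank


@dataclass
class FmeaRow:
    function: str
    failure_mode: str
    effect: str
    cause: str
    severity: int       # Severity chart, 1..10
    probability: int    # Probability chart, 1..10
    detectability: int  # Detectability chart: 10 = controls cannot catch it, 1 = certain
    preventive_controls: List[str] = field(default_factory=list)
    detective_controls: List[str] = field(default_factory=list)
    recommended_controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("severity", "probability", "detectability"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be 1..10, got {getattr(self, name)!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.probability * self.detectability

    def status(self, cutoff: float = HIGH_RISK_CUTOFF) -> str:
        # "Above the acceptable value" is HIGH RISK, so an RPN of exactly 50 stays LOW.
        return "HIGH RISK" if self.rpn > cutoff else "LOW RISK"


def rank_risks(rows: List[FmeaRow]) -> List[FmeaRow]:
    """Order the register by RPN, highest first; ties keep sheet order."""
    return sorted(rows, key=lambda r: r.rpn, reverse=True)


def reassess(row: FmeaRow, *, new_probability: Optional[int] = None,
             new_detectability: Optional[int] = None,
             new_severity: Optional[int] = None) -> FmeaRow:
    """Steps 16-19: re-score after the recommended controls are implemented.
    Controls change how often a cause gets through (probability) and how
    reliably it is caught (detectability); severity is the impact of the effect
    itself and usually stays. The original row is kept so both RPNs can be reported.
    """
    changes = dict(probability=new_probability, detectability=new_detectability,
                   severity=new_severity)
    return dataclasses.replace(row, **{k: v for k, v in changes.items() if v is not None})


# Constructed rows modelled on the sheet's firewall entries. The sheet shows Sev,
# Prob and RPN but not Det, so Det is chosen here to reproduce its RPNs for the
# first two (7x2x4=56, 10x2x2=40). The third row has no current controls, which
# the Detectability chart scores as 10; its RPN of 140 is this example's, not the sheet's.
SAMPLE_ROWS = [
    FmeaRow("To block unauthorized requests", "Rules not appropriately configured",
            "Entry for external hackers", "Procedures not followed",
            severity=7, probability=2, detectability=4,
            detective_controls=["Log monitoring"],
            recommended_controls=["Increase audit frequency"]),
    FmeaRow("To block unauthorized requests", "Rules not appropriately configured",
            "DDoS attack", "Procedures not followed",
            severity=10, probability=2, detectability=2,
            preventive_controls=["Procedures available"],
            recommended_controls=["Increase audit frequency"]),
    FmeaRow("To block unauthorized requests", "Rules not appropriately configured",
            "Data theft", "Procedures not available",
            severity=7, probability=2, detectability=10,
            recommended_controls=["User awareness"]),
]
```

rank_risks gives the top-down order and the rows whose status() is HIGH RISK form the review list; reassess returns a new row rather than mutating the old one, so the before and after RPNs can both be recorded the way the sheet's RPN and New RPN columns do. The third sample row is the check worth taking back to the sheet: a row whose current controls are "Nil" should score Detectability 10 under the chart's own wording, and at 7 x 2 x 10 = 140 it is well above the cutoff even with a modest probability; the sheet's RPN of 14 for the corresponding Data Theft entry cannot be reproduced with that score.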

FMEA Sample

Department: XYZ Department


Columns of the sheet: Sl.No. | Business / Service | Asset Name | Asset Number | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls (Preventive / Detective) | Det | RPN | Recommended Controls (Preventive / Detective) | Responsibility & Target Completion Date | Action Results: Implemented Controls (Preventive / Detective), New Sev, New Occ, New Det, New RPN

Every row below is for Business / Service "Protecting IT Assets", Asset Name "Firewall", Asset Number 5000. The Det, New Sev, New Occ and New Det cells are not legible in this copy and are left blank; where only one of the Sev / Prob scores is legible it is shown as such.

Row 1
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: IP spoofing
  Business consequence: Diversion of sensitive data traffic, fraud
  Sev: 8   Cause: Procedures not followed   Prob: 2
  Current controls: Preventive: Procedures available
  RPN: 64
  Recommended controls: Increase audit frequency
  Responsibility & target date: XYZ, by end Jan 2006
  Implemented controls: Increase audit frequency
  New RPN: 30

Row 2
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: Entry for external hackers
  Business consequence: Disclosure or modification of business records; prosecution; bad PR; customer defection
  Sev: 7   Cause: Procedures not followed   Prob: 2
  Current controls: Detective: Log monitoring
  RPN: 56
  Recommended controls: Increase audit frequency
  Responsibility & target date: XYZ, by end Jan 2006
  Implemented controls: Increase audit frequency
  New RPN: 30

Row 3
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: DDoS attack
  Business consequence: Inability to process electronic transactions; bad PR; customer defection
  Sev: 10   Cause: Procedures not followed   Prob: 2
  Current controls: Preventive: Procedures available
  RPN: 40
  Recommended controls: Increase audit frequency
  Responsibility & target date: XYZ, by end Jan 2006
  Implemented controls: Increase audit frequency
  New RPN: 20

Row 4
  Function: To identify trusted zones by encryption
  Potential failure mode: User awareness
  Technical effect: CIA compromised
  Business consequence: Disclosure of customer database; commercial and privacy issues
  Sev / Prob: 6 (only one of the two scores is legible)   Cause: Procedures not followed
  Current controls: Preventive: Policies defined
  RPN: 30
  Recommended controls: Preventive: Not required; Detective: Not required
  Responsibility & target date: Business owner to formally accept risk
  New RPN: 20

Row 5
  Function: To identify trusted zones by encryption
  Potential failure mode: Authentication mechanism using legacy systems having improper configuration
  Technical effect: User may not have access to the requested service
  Business consequence: Staff unable to work; backlogs; bad PR
  Sev / Prob: 1 (only one of the two scores is legible)   Cause: Policies not fully implemented
  Current controls: Preventive: Policies defined
  RPN: 30
  Recommended controls: User awareness
  Responsibility & target date: XYZ, by end March 2006
  Implemented controls: User awareness
  New RPN: 15

Row 6
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: Entry for external hackers
  Business consequence: Disclosure or modification of business records; prosecution; bad PR; customer defection
  Sev: 7   Cause: Procedures not followed   Prob: 2
  Current controls: Preventive: Procedures available
  RPN: 28
  Recommended controls: Increase audit frequency
  Responsibility & target date: XYZ, by end Jan 2006
  Implemented controls: Increase audit frequency

Row 7
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: DDoS attack
  Business consequence: Inability to process electronic transactions; bad PR; customer defection
  Sev: 10   Cause: Procedures not followed   Prob: 2
  Current controls: Detective: Log monitoring
  RPN: 20
  Recommended controls: Increase audit frequency
  Responsibility & target date: XYZ, by end Jan 2006
  Implemented controls: Increase audit frequency

Row 8
  Function: To identify trusted zones by encryption
  Potential failure mode: Encryption level (56 bit or 128 bit) mismatch
  Technical effect: Data will be exposed as plain text
  Sev / Prob: 2 (only one of the two scores is legible)   Cause: Policies not fully implemented
  Current controls: Preventive: Policies defined
  RPN: 14
  Recommended controls: User awareness
  Responsibility & target date: XYZ, by end March 2006
  Implemented controls: User awareness

Row 9
  Function: To block unauthorized requests
  Potential failure mode: Rules not appropriately configured
  Technical effect: Data theft
  Business consequence: Commercial and privacy consequences
  Sev: 7   Cause: Procedures not available   Prob: 2
  Current controls: Nil
  RPN: 14
  Recommended controls: User awareness
  Responsibility & target date: XYZ, by end March 2006
  Implemented controls: User awareness


Severity

Ranking   Effect         SEVERITY of Effect
10        Catastrophic   Resource not available / Problem unknown
9         Extreme        Resource not available / Problem known and cannot be controlled
8         Very High      Resource not available / Problem known and can be controlled
7         High           Resource available / Major violation of policies
6         Moderate       Resource available / Major violations of process
5         Low            Resource available / Major violations of procedures
4         Very Low       Resource available / Minor violations of policies
3         Minor          Resource available / Minor violations of process
2         Very Minor     Resource available / Minor violations of procedures
1         None           No effect


Probability

PROBABILITY of Failure                     Failure probability   Ranking
Very High: Failure is almost inevitable    >1 in 2               10
                                           1 in 3                9
High: Repeated failures                    1 in 8                8
                                           1 in 20               7
Moderate: Occasional failures              1 in 80               6
                                           1 in 400              5
                                           1 in 2,000            4
Low: Relatively few failures               1 in 15,000           3
                                           1 in 150,000          2
Remote: Failure is unlikely                <1 in 1,500,000       1


Detectability

Ranking   Detection              Likelihood of DETECTION
10        Absolute Uncertainty   Control cannot prevent / detect potential cause/mechanism and subsequent failure mode
9         Very Remote            Very remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
8         Remote                 Remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
7         Very Low               Very low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
6         Low                    Low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
5         Moderate               Moderate chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
4         Moderately High        Moderately high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
3         High                   High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
2         Very High              Very high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
1         Almost Certain         Control will prevent / detect potential cause/mechanism and subsequent failure mode

