The following diagram shows the process flow for risk assessment as part of the overall ISMS framework.
1. Risk Assessment Definitions
For a given information asset, Risk is defined is a probability of a threat materializing as a result of a vulnerability compromise resulting in the undesired impact. In other words the assessment of risk includes the following key elements:
- An Asset (1)
- Applicable Threat category (2)
- Threat & Impact (3)
- Threat & Vulnerability (4)
- Threat & Probability (5)
- Overall Risk (to an asset against a specific threat)
This is illustrated in Table 1.
For the process of Risk assessment the following table has been used:
|Asset Group(I)||Threat Categories(II)||Impact (III)|
(1- Low, 2- Medium, 3 – High, 4 – Very High)
(1- Low, 2- Medium, 3 – High, 4 – Very High)
(1- Low, 2- Medium, 3 – High, 4 – Very High)
(1 – 64)
|Examples (Personnel,||(Breach of) Confidentiality (Intentional or Accidental)|
|paper, Business Applications)||(Breach of) Integrity (Intentional, Accidental)|
|(Source: Asset Master)||(Breach of) Availability (Intentional, or Accidental)|
Table 1: Risk Assessment Formula
|Asset Groups||Threat||Impact||Vulnerability||Probability||Risk Value|
|This includes all forms of assets including personnel, paper, software, hardware, internal service providers, external service providers||Any disaster event due to loss of confidentiality, integrity, and/or availability (CIA) (not exhaustive)||Measured on a 4-point scale (4-Very High, 3 – High, 2-Med, 1- Low), the impact value represents the scale of business impact to the organization in the event of security compromise||Measured on a 4-point scale (4-Very High, 3 – High, 2-Med, 1- Low), the vulnerability value represents the state of control for a given asset. Management takes action on all vulnerability greater than equal to 2.||Measured on a 4-point scale (4-Very High, 3 – High, 2-Med, 1- Low), the probability value represents the likelihood of a threat realization in the near future (next year). For all probabilities greater than equal to 3, management defines a continuity plan.||Measured on a 64-point scale (>12-High, 8-12 – Med, <8-Low), the risk value represents the state of risk for a given asset.|
Table 2: Risk Assessment Terminology explained
- (Information) Asset Groups
An Asset is defined as any business asset, which has information contents. Examples of asset (not exhaustive) are listed below:
- Business applications hosting information
- IT infrastructure items supporting information
- Office Infrastructure supporting Operation
- Office Infrastructure supporting Security operations
- Documents – electronic and Paper
- External Service providers
Each department head creates and maintains their asset masters.
1.2 Risk Assessment Formula
Risk Assessment for each asset is carried out using the following formula.
Risk = Threat X Business Impact or loss of “Value” X Vulnerability X Probability. Each component of the risk assessment also undergoes a qualitative valuation based on the judgment of the risk analyst.
Listed below is an explanation of each of these terms.
1.1.1 Threat X (Business) Impact (valuation)
Each asset undergoes three major classifications of threat analysis – Confidentiality, integrity and availability. The risk analyst defines the appropriateness of the asset and the commensurate threat applicable to the asset. Each threat so chosen also undergoes a business impact or “valuation” on a range of 1(one) to 4(four) based on the following guideline. The risk analyst takes into consideration the worst scenario for valuation purposes:
|New Business & Project opportunities||4|
|Company Risk Register||4|
|Joint Operations Agreement – JOA||3|
|Production Sharing Contracts – PSC||3|
|Sales Purchase Agreement||3|
|G & G data including Seismic data||3|
|Skills & Competency matrix of people (competitive advantage)||3|
|Oil & Gas Reserve data numbers (competitive advantage)||3|
|Oil & Gas sales report||2|
|Employee compensations & employee personal information (privacy of information)||4|
|Reservoir Data (e.g. Eclipse)||3|
Table: Confidentiality Rating
|Availability Requirement||Availability Rating|
|< 4 Hours IT infrastructure and communication services and supporting utilities (Air-conditioning, Power etc.) Active directory serversShare pointFirewall and VPN servicesAll data & voice supporting network devicesCloud Services – Microsoft office 365 suite, Email||4 = Very High Essential Infrastructure Services # XXX is more connectivity driven as they need to remain in contact with their area & regional offices to fulfill all their requirements.|
|< 8 hours Oracle e-business suits||3 = High # Access to and availability of data stored on server mapped G: drive is paramount to XXX business operations in additions to specific business applications they connect to|
|> 8 hours and within 1 day (24 hours) – Shared drive – LiveQuest – Petrel, G & G, Petrel RE – REP 5, Pansystem, – Rose, Questor – Geoframe||2 = Medium Delayed Start Service|
|All other information that does not fall in the above categories||1 = Low|
Table: Availability Rating
|Inaccuracy in content accessible to employees concerning health & safety||4|
|Inaccuracy results in financial loss to company or its employees or legal/regulatory reporting obligations||4|
|Inaccuracy in content accessible to public||3|
|Inaccuracy in content accessible to employees but not financial/health/safety in nature||3|
|No available category||2 & 1|
Table: Integrity Rating
The asset ‘impact’ rating is performed based on enterprise context.
1.3 Threat X Vulnerability
Vulnerability is by definition, an inherent weakness by which a treat can be exploited. Vulnerability is the base factor and covers absence (or existence) of controls or countermeasures. Vulnerability is rated on the following 4-point scale:
|4||Very High Vulnerability||Rate 4 where there is more than 1 vulnerability but in the opinion of the analyst, the vulnerability is easy to exploit.|
|3||High Vulnerability||Rate 3 where there is more than 1 vulnerability|
|2||Medium Vulnerability||Rate 2 where there is at least one vulnerability.|
|1||Low Vulnerability||Rate 1 where there are no identified vulnerability.|
Typical assessment (not exhaustive) made are presence of preventive, detective, maintenance and/or monitoring controls present to prevent the threat materialization. The risk owner and the risk analyst jointly agree on the valuation of asset.
1.4 Threat X Probability
Probability is the likelihood of a threat materializing for the given asset. The asset owner and the risk analyst jointly agree on the valuation of asset. Probability is rated on the following 4-point scale:
|4||Very High Probability||Rate 4 when there are more than 2 incidents in the last one year.|
|3||High Probability||Rate 3 when there has been two incidents in the past one year.|
|2||Medium Probability||Rate 2 when there has been one incident in the past one year.|
|1||Low Probability||Rate 1 when there has been no incident in the past, nor likely in the future.|
For a given asset the risk is therefore calculated by a measure of threat, business impact, vulnerability and probability.
Each element of risk assessment i.e. Impact, vulnerability and probability is provided with justification of their valuation or reference to Very High, High, Medium and Low probabilities.
2. Risk Assessment Process
The process of risk assessment for a given asset consists of three stages as explained below:
- Asset Definition
The Asset owner (typically HOD) creates and maintains an Asset master. The Asset master contains provision to captures all forms of information asset (paper, people, documents, hardware, business applications, and external service providers)
- CIA Impact Valuation
Each asset owner conducts an Impact valuation on the loss of Confidentiality, Integrity and Availability (CIA) to a given asset. While doing he/she looks at the CIA reference table to assess whether the asset correlates to the CIA criteria.
- Risk Valuation
Assets with a value of 4 as a result of either C,I and/or A, where the impact of the security violation is Very High, has mandatory requirement to be assessed for the other values of risk, namely vulnerability and probability.
Risks that cannot be treated is considered to be ‘Residual Risks’ and subject to approval by risk owner.
2.2 Risk Assessment Worksheets
- All assets which have an impact value of 4 are rated with their vulnerability and probability in a centralized record called – XXX-ISMS-RA record.
- A risk revaluation is done for those assets where a decision has been identified as closed.
3. Risk Treatment Process
- Risk treatment process has the following parameter – All weakness areas are reported in a centralized vulnerability dashboard. ISMS QA/MR discusses each area of the weakness and reports to the applicable departments for closure.
- ISMS QA/MR discusses the vulnerability or the associated risk with the risk owner.
- Decisions to close an identified vulnerability are taken by either Head of Department. When the decision for implementation cannot be made by the department, the decision is moved up the chain of command, for senior management for final decision.
- Each decision so made are ensured implementation through allocation of responsibilities, which in turn is coordinated with Head of Departments/applicable enforcer,
- Areas wherein senior management/head of department does not take decisions or the implementation totality takes a certain period of time, it is considered as residual risk. However reference to senior management decision either as closed, work in progress (WIP) or residual risk (RR) is referred in the Gap dashboard.
- An annual plan of future initiatives is made available demonstrating the senior management commitment to ensure effective implementation of existing security framework.
- Reassessment of Risk values is done for those assets wherein decisions have been taken to reduce their Risk. This is an ongoing activity and ISMS QA/MR keeps track of all such Risk areas.
4. Risk Acceptance Criteria & Residual Risk Management
All risk values are rated on the 64-point scale. All attempts are being made to reduce the value of risk to the extent possible. However the following rule applies:
Risk Acceptance criteria is vulnerability value 1. When an asset’s vulnerability value is more than 1, it means that the asset has vulnerability. A vulnerability value of 1 reflects no known vulnerability, and is therefore becomes the benchmark for risk acceptance.
- All vulnerabilities equal to 2 and above are presented to the management for reduction. Management includes department heads, and top management – depending on the areas of the risk.
- All values of risk equal to greater than 12 are presented to the management
- Upon the introduction of controls, there could be risks whose values do not come down below 12 and therefore, continue to remain on the higher side. Such values are part of the residual risk.
- Risks are classified as High – if the value of the risk is >=12, Medium – if the value is =>8 and <12, and Low <8. Except for personnel assets, the objective of all remaining assets is to bring down the vulnerability value to <=2. For personnel, a HIGH Risk is acceptable, as they may be an operational requirement.
- Residual risk are reflected against each asset group where risk assessment is performed.
4. Risk Communication
For those risks, where the vulnerability is 1, risk owners are communicated. The risk owner is required to own and accept the residual risk.
5. Supporting Worksheets/reports
- XXX – Department-wise ISMS Compliance sheet
- XXX-ISMS-Risk Assessment record (Also includes revised RA values),
- Latest Statement of Applicability – reflects references to existing controls
- Management review records includes residual risk and future plan of action.