Cabinet Office

Main navigation

Risk Assessment and Risk Management

Introduction

Without an understanding of the risks to its information assets, an organisation cannot be sure that the measures which it applies to protect those assets are either justified or effective. Risk assessment is the cornerstone of effective IA.

The model set presented here is aligned with the risk management model set out in the emerging guidelines set out in the current draft of BS7799 Part 3. The IAPC contributed to the drafting process to ensure that additional policy and guidance is provided to support this standard in the wider public sector.

Statement of Best Practice

The conduct of a risk assessment ensures that:

• Countermeasures are justified on the basis of asset valuations.
• The organisation gains an insight into their specific risk environment.
• The residual risk to information assets can be accepted (through the process of accreditation) on an informed basis. against the ‘risk appetite’ of the organisation.
• The analysis results in a knowledge base which can be used to manage the impact of changes.

The individual conducting the risk assessment should have an understanding of the business of the organisation as well as any necessary IS and security skills.

Principles of Governance

In the case of systems processing Government information the application of HMG Infosec Standard No 1 is mandatory, in order to assess the assurance level target for the system. In addition, IS2 sets out a model in which risks are identified, each is assessed for the most appropriate treatment in the context of an organisational risk management strategy, and those remaining are accepted.

For companies with List X sites and for Government Departments, the National Security Advice Centre (NSAC) requirements apply.

There may be local issues that apply, in terms of an organisation’s internal audit process; the recommended best practice is to include an assessment of these requirements into the overall risk management process.

Finally, it should be noted that in the wider context, risk management on an open and considered basis is an increasingly important part of government, as set out in the HM Treasury website [External website].

A Risk Assessment Model

The asset value is the starting point for risk assessment, since without an asset to have compromised, there can be no risk.

Identifying assets and their values must be undertaken at the business level. The concepts of asset ownership and business requirements are key factors in being able to assign values. Included in this valuation should be elements of legal and statutory requirements and the potential impact to the business of non-compliance.

Attackers and assets are linked in that the motivation for a directed attack (as opposed to an accident or Act of God) is driven by both the nature of the asset and the nature of the attacker. A threat relies upon motivation, opportunity and capability, since without all three there can be no route to an attack. Increased opportunity for attack also leads to increased likelihood of attack.

Vulnerabilities also depend on motivation, since this leads an attacker to exploit a vulnerability, upon capability, since the level of capability determines the level of vulnerability, and upon opportunity, which leads to the exploitation of a vulnerability.

The level of vulnerability, combined with the levels of threat and likelihood, combined to identify the risk.

Only when a risk is realised is there a business impact, which depends primarily upon two factors: the level of risk, and the asset value. This is quite separate from the likelihood of occurrence.

Risk Management

Once a risk has been identified, the management options are as set out below:

• Mitigate. In most cases this will be the most likely option, and involves the implementation of countermeasures to reduce the likelihood of the event, and/or the impact.
• Avoid. For high impact, high likelihood issues one option is to avoid the problem by ceasing the activity that leads to the risk.
• Transfer. Under some circumstances it may be beneficial to transfer the risk to another party better equipped to manage it.
• Accept. If the likelihood and impact are judged to be sufficiently low, or if there genuinely is no practical means of countering the problem, then one option is to accept it.
• These options are not mutually exclusive: a mixture may be used where appropriate with, for example, a risk being mitigated to some degree by countermeasures, a particular element of the remaining risk being transferred, and the final level of residual risk being accepted. The process may be iterative, adjusting and reviewing different options to achieve an acceptable level of residual risk.

Which of these ways (or which combination) an organisation decides to adopt as its risk treatment plan depends on business requirements, and circumstances.

The diagram below provides an indication of the one possible starting point for the consideration of options at different levels of impact and likelihood.

Ongoing Risk Assessment and Management

The ongoing monitoring of risk and countermeasures is vital in maintaining effectiveness. This can be achieved through management reviews, audits and risk reviews.

In the general case there will be one of four drivers for a change to the protection profile of a system:

• the emergence or discovery of a new threat;
• the emergence or discovery of a new vulnerability (through audit and/or exploitation);
• a requirement for new technology and/or a revised configuration to existing technology; or
• a change to asset valuations.

In all cases the recommended first step is to review the significance of the changes. Significant changes should prompt a review of the risk assessment, leading if necessary to a review of the implemented countermeasures. The aim should always be to ensure that the implemented countermeasures are appropriate to the risks.

Less significant changes can be addressed on a case by case basis. However, organisations must remember the aggregated changes may result in a need for re-approval, and a piecemeal approach, if continued over time, leads to a piecemeal solution that does not necessarily provide a coherent defence against the totality of identified threats.

Risk Reviews
ISO/IEC 17799 recommends the use of independent security analysts when conducting security reviews. The CESG CLAS scheme is described elsewhere in this document, and can provide public sector organisations with experienced support in cases where protectively marked material is involved. Use of CLAS consultants is recommended where:

• organisations are seeking to bring their networks into line with the Government Secure Intranet (GSi) requirements;
• organisations are addressing emerging security requirements associated with e–government;
• there is a need to safeguard the Critical National Infrastructure (CNI) in cases where protectively marked material is involved.

IT Health Checks
Regular IT Security Health Checks are recommended, to guard against ‘drift’ in the configuration of a system.

For commercial systems and for HMG systems processing less sensitive information up to and including the CONFIDENTIAL protective marking, IT Health Checks can be performed by CHECK-registered companies. The CESG CHECK scheme is described elsewhere in this document. For sensitive HMG or CNI systems, and under other agreed circumstances, the IT Security Health Check should be conducted by CESG personnel.

Risk Treatment Plan
The production and maintenance of a risk treatment plan can assist in the management of risks identified through a risk analysis, and in the monitoring of progress towards compliance. Where such a plan is produced it should provide a compilation of all non–compliances from inspections and IT Health Checks etc. and should provide a scale of priorities e.g.:

• High – fix immediately
• Medium – correct within one month
• Low – Correct within