ISMS Scope Definition in Business Terms

Using STREAM, the user first defines the hierarchical structure of the business, for example directorates and divisions, programmes and projects, functions and teams, or any other set of hierarchical levels. (Generically within STREAM, these levels are termed ‘Enterprise’, ‘Workspace’ and ‘Register’, from the top down.)

The user can then enter business ‘assets’ into this hierarchical structure.

Assets include such entities as the organization itself, critical business processes, staff/teams, mobile/home workers, information in all of its forms, IT systems, networks, third parties, third party connections, services, portable storage devices, and a range of other types – which can be extended by an administrative user if necessary. This enables a risk model to be maintained as new technology becomes relevant.

Assets can be Register specific, Workspace specific (i.e. critical to many Registers) or Enterprise wide (i.e. shared across the business).

Automatic Risk Identification 

Once assets are defined, STREAM automatically identifies the relevant information security risks, and registers these onto a ‘drillable’ set of hierarchical dashboards which follow the organizational structure.

These hierarchical risk registers are designed to be easy for managers to navigate and understand. Once risk treatment is underway, the dashboards automatically recalculate residual risk.

New threat types can be configured into STREAM by the user, as they are identified.

Flexible Risk Analysis 

In terms of Risk Analysis, STREAM is highly configurable.

All risks can be assessed separately in terms of the traditional Confidentiality (C), Integrity (I) and Availability (A) impact types. A privileged user can also set up additional impact types, thereby extending and tailoring the risk analysis method to the needs of the organization.

STREAM enables the user to carry out a business impact and likelihood assessment for each identified risk, using a variety of automation options.

Quantitative and Qualitative Business Impact Assessment

STREAM can be configured such that the business impact is assessed Quantitatively (e.g. using a financial scale) or Qualitatively (e.g. reputational ‘soft’ impact scale), or a combination of both.

Using the configuration options provided, a privileged user can easily set up a 3x3, 5x5, 9x9 or other ‘soft’ matrix-style risk assessment method, with appropriate labels such as Very Low → Very High.

STREAM can easily be configured to support most organization or sector specific Business Impact schemes, such as the UK Government’s IS 1 Scheme (Level 0 – Level 6), and from the confidentiality/disclosure viewpoint can be easily aligned with common information marking schemes, e.g. PROTECT, RESTRICTED and CONFIDENTIAL.

Commercial organisations often prefer to use a ‘hard’ / financial business impact assessment scale, which can be defined in any applicable unit of currency. The additional advantage of a financial scale is that it supports Return on Investment calculations: individual controls can be costed, and the overall reduction in expected losses provided by those controls can be measured directly against their cost of implementation.

Business Impact Assistant

STREAM provides an optional Business Impact Assistant.
Using the BI Assistant, the user can identify the Information Asset(s) that are processed, stored or communicated within a business area. (Preparation of an Information Asset Register is a mandatory first step in any information protection initiative, and is required for ISO 27001 compliance.)

The user then assesses the potential worst case impacts for each Information Asset (in terms of confidentiality, integrity and availability). The Assistant then uses this data to automatically assess the Business Impact component of each identified risk.

Meaningful Threat Likelihood Assessment

There is similar flexibility in configuring the Likelihood/Probability component of each identified risk. Probability can be assessed in actual terms, e.g. 50% chance of the threat occurring per annum, or using a set of defined labels, e.g. Low, Medium, High, ...

In the simplest STREAM configuration, the risk-by-risk assessment can be carried out by a suitable business user or risk analyst, directly on the business dashboards / risk registers.

Threat Likelihood Assistant

STREAM also provides an optional Likelihood Assistant.
Using the Likelihood Assistant, each defined risk can be pre-configured with its Average, Above Average and Below Average likelihoods, based on available statistical data (which can then be maintained year on year).

With both the Business Impact Assistant and Threat Likelihood Assistant enabled, information security risks can be assessed (and re-assessed periodically) very quickly and easily.

Risk Metrics / Key Risk Indicators

STREAM allows a set of Key Risk Indicators (or ‘Metrics’) to be defined and then measured on an ongoing basis. Metrics are derived from the key controls which must be effective in order to mitigate the various information security risks.

Poor metrics indicate vulnerabilities, i.e. weak, ineffective or missing controls.

ISO 27001 requires an organisation to identify objective metrics for determining whether or not controls are implemented effectively. STREAM’s Metrics facility addresses this directly.

Metrics can be defined for technical, physical, procedural and personnel (soft) factors. They can be updated directly in STREAM by auditors/control owners, or optionally pulled by STREAM from a range of other sources such as technical monitoring, platform management, anti-virus and vulnerability scanning tools.

Through its Metrics facility, STREAM enables senior management to monitor risks to the business at a high level, taking into account a wide range of valuable data drawn from audits and from technical IT security activities.

Real Time Reporting against Risk Appetite

Having assessed the risks, STREAM provides extensive, graphical real-time reporting across the business hierarchy, including such views as top ten risks, residual risk summary and risk history reporting showing how the levels of residual risk have changed over time.

STREAM allows a risk appetite to be set for every part of the business structure, i.e. per team, if required. To reflect the way that modern day businesses operate, the risk appetite can be reviewed and adjusted in line with changes to the business.

In real time, therefore, the level of risk can be tracked either in absolute terms (e.g. expected losses per annum) or as a percentage of risk appetite. Comparing residual risk against defined risk acceptance criteria in this way is a core ISO 27001 requirement.

On all of its reports and dashboards, STREAM automatically aggregates all compliance and risk data up through the business model, such that suitably privileged users can view the levels of compliance and residual risk for one or more Registers, Workspaces or for the whole Enterprise.
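As an added worked example (not part of the original page and not STREAM's own code), the following Python models the quantitative method described in the sections above: a financial impact scale with likelihood as a probability per annum, costed controls measured against the expected loss they avoid, residual risk rolled up through Register, Workspace and Enterprise, and each level reported as a percentage of its own risk appetite. The data model, the multiplicative treatment of control reductions, the return-on-investment formula and every figure in the sample hierarchy are assumptions made for illustration.

```python
"""Quantitative risk register with hierarchical roll-up against risk appetite.

Added worked example, not STREAM's implementation. The data model and the
formulas below are assumptions chosen to illustrate the method; all figures
are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    """A costed control. Reductions are fractions in [0, 1] (assumed model)."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0   # 0.5 halves the annual probability
    impact_reduction: float = 0.0       # 0.9 removes 90% of the worst-case loss


@dataclass
class Risk:
    """One identified risk: worst-case impact (currency) and annual likelihood."""
    name: str
    impact: float
    likelihood: float                   # probability of occurrence per annum
    controls: List[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before controls: impact x likelihood."""
        return self.impact * self.likelihood

    def residual_ale(self) -> float:
        """Expected annual loss after all controls. Reductions compound
        multiplicatively, so stacked controls never go below zero."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            likelihood *= 1.0 - c.likelihood_reduction
            impact *= 1.0 - c.impact_reduction
        return impact * likelihood

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def rosi(self) -> Optional[float]:
        """Return on security investment: (loss avoided - cost) / cost.
        None when nothing has been costed, so there is nothing to measure."""
        cost = self.control_cost()
        if cost == 0:
            return None
        avoided = self.inherent_ale() - self.residual_ale()
        return (avoided - cost) / cost


@dataclass
class Node:
    """A level of the hierarchy (Register, Workspace or Enterprise) with its
    own appetite, expressed as acceptable residual loss per annum."""
    name: str
    appetite: float
    risks: List[Risk] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)

    def all_risks(self) -> List[Risk]:
        found = list(self.risks)
        for child in self.children:
            found.extend(child.all_risks())
        return found

    def residual_ale(self) -> float:
        """Residual risk aggregated up from every node below this one."""
        return sum(r.residual_ale() for r in self.all_risks())

    def pct_of_appetite(self) -> float:
        return 100.0 * self.residual_ale() / self.appetite

    def top_risks(self, n: int = 10) -> List[Risk]:
        return sorted(self.all_risks(), key=lambda r: r.residual_ale(), reverse=True)[:n]

    def report(self, indent: int = 0) -> None:
        flag = "OVER APPETITE" if self.residual_ale() > self.appetite else "ok"
        print(f"{'  ' * indent}{self.name}: residual {self.residual_ale():,.0f} "
              f"= {self.pct_of_appetite():.0f}% of appetite ({flag})")
        for child in self.children:
            child.report(indent + 1)


def build_example_enterprise() -> Node:
    """Constructed sample hierarchy; the figures are illustrative, not statistics."""
    payroll = Node("Payroll team", appetite=50_000, risks=[
        Risk("Laptop lost with payroll data", impact=200_000, likelihood=0.20, controls=[
            Control("Full-disk encryption", annual_cost=4_000, impact_reduction=0.9),
        ]),
        Risk("Ransomware on payroll server", impact=500_000, likelihood=0.10, controls=[
            Control("Offline backups", annual_cost=10_000, impact_reduction=0.8),
            Control("Monthly patching", annual_cost=6_000, likelihood_reduction=0.5),
        ]),
    ])
    web = Node("Web team", appetite=30_000, risks=[
        Risk("SQL injection exposes customer records", impact=300_000, likelihood=0.30),
    ])
    finance_online = Node("Finance & Online", appetite=100_000, children=[payroll, web])
    return Node("Enterprise", appetite=150_000, children=[finance_online])


if __name__ == "__main__":
    enterprise = build_example_enterprise()
    enterprise.report()
    for r in enterprise.top_risks(3):
        rosi = r.rosi()
        print(f"{r.name}: residual {r.residual_ale():,.0f}, "
              f"ROSI {'n/a' if rosi is None else f'{rosi:.1f}x'}")
```

Run stand-alone it prints the roll-up: the Web team register sits at 300% of its appetite because its one risk is untreated, the Workspace above it is at 99% and the Enterprise at 66%, which is how an untreated register can be masked at the top of the hierarchy if only the Enterprise figure is reviewed. The ROSI figures show why costing controls matters: full-disk encryption returns roughly 8x its annual cost in avoided loss, while the two ransomware controls together return about 1.8x.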

Efficient ISMS Implementation

Whether establishing an ISMS from scratch, or migrating from an existing manual ISMS, STREAM provides a superb platform for:

  • Rapid identification of your key information security risks, based on simple business asset models
  • Efficient assessment of risks, using your own preferred impact and likelihood schemes
  • Integration of Information Asset data into your risk assessment, as required by ISO 27001
  • Flexible assessment of the ISO 27001 control set, plus facility to define objective metrics for monitoring control effectiveness on an ongoing basis
  • Automatic generation of the documentation required for formal certification including: scoping information, information and other asset registers, risk assessment, risk treatment plans, control assessments, security improvement plans, and Statement of Applicability.

Most importantly, STREAM provides an ISMS framework which fully delivers all Plan-Do-Check-Act elements, and provides meaningful residual risk and compliance status reports for senior managers.

To find out more about how Acuity STREAM can help you to establish and maintain your ISMS please contact us.

Latest

  • Information Security Europe 2010

    Significant interest was expressed in the STREAM suite of products at Information Security 2010. It is clear that comprehensive risk and compliance management is becoming a key requirement for public and private organisations.

  • STREAM Seminar - Ljubljana May 2010

    Richard Mayall presented a workshop in Ljubljana, Slovenia on 20 May 2010 on 'A better way to manage all your risks'. The workshop considered how STREAM can automate assurance management systems and support standards compliance.

  • Risk appetite for information security

    Risk management best practice says that we need to manage risk in relation to risk appetite. But how do we do this for information security?

© 2010 Acuity Risk Management