Any typical risk management process can be broken down into three phases:
- Assessment of risk(s);
- Treatment of those risks; and
- Management/monitoring process.
These can be further broken down into the following five steps:
- Identification of risk to the assets;
- Quantify the level of each risk;
- Decide whether the risks at their current level are acceptable, based on the risk appetite of the organization, or whether they need to be treated (through retention/reduction/transfer/avoidance);
- Identify and implement controls to reduce the consequence(s)/impact of the risk (if exploited) to an acceptable level; and
- Put in place a process for monitoring these risks and identifying emergent ones.
Now, to perform a risk assessment, you require knowledge of the
- Information assets;
- their Vulnerabilities;
- their Threat profile (level of threat and probability of exploitation); and,
- Ways to mitigate the risks to these assets.
MEHARI risk management helps in the whole process by segregating the risk assessment into two activities:
- Creation of knowledge base for risk assessment
- Analysis and treatment of risk with the help of this knowledge base.
The strength of the MEHARI risk management methodology derives from the fact that, except for a few risks that are specific to an organization, most of the risks that companies face are much the same. So the MEHARI risk management knowledge base can supplement your risk management process and assist you in ensuring that all critical areas/factors of your risk management process have been addressed. However, you may develop variations to the knowledge base considering the nature/risk profile of your organization/business.
MEHARI Risk Management Process:
The CLUSIF (Club de la Sécurité de l’Information Français) provides an open-source information risk analysis and risk management toolkit to evaluate and manage the organization’s risks relating to information assets and processes. The macro-enabled, Excel-based toolkit is easy to navigate, and as you fill in the required data at each step, the necessary information is auto-populated in the next via formulas. Therefore, redundant information does not have to be entered by the user.
To start with the process, you need to start with business impact analysis via
- Identifying business domains and their objectives;
- Identification of malfunctions (what could go wrong); and
- Effect of the malfunction.
Then, we move towards the classification of assets. These are derived from the business domains and activities already highlighted above. This way, any malfunction in a business activity corresponds directly to an asset.
The next step is calculating the threat profile by assessing the organization's exposure to various types of events/disasters.
The above will help in identifying the relevant risk scenarios. Just navigate to the risk scenarios sheet, and you can filter around 800 risk scenarios based on the following:
- Threat (to the asset)
We need to determine the likelihood (probability) of the threat and the extent of the damage (impact) if vulnerabilities are exploited. Taking both into account gives the risk level / seriousness.
The knowledge base could be used to:
- Auto-complete intrinsic impact analysis once the asset classification in previous steps has been performed.
- Auto-complete the intrinsic likelihood analysis if the user decides to use the default evaluation provided by the knowledge base; otherwise, the user provides their own likelihood value (from 1 to 4, where 1 is very low exposure and 4 is high exposure).
- (optional) Provide a mechanism to reduce likelihood/impact due to risk deduction factors (as deduced by the MEHARI audit).
This part corresponds to the user's decision on whether the risk at its current level is acceptable or not. This is deduced from the risk seriousness calculated earlier. Based on this, one of the following risk treatment methods can be used:
- Acceptance of risk at current level;
- Reduction of risk either by reducing the likelihood or the impact of the risk;
- Avoidance of risk (this can be done by removing the process/business activity from which the risk emerges in the first place); and
- Transfer of the risk through insurance coverage.
Based on the risk treatment method decided for each risk scenario, action plans to mitigate the risk are devised. To facilitate this, action plans can be chosen from the knowledge base, where they are sorted by asset type and type of damage.
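The following Python script is an added illustration (not part of this article and not CLUSIF's toolkit) of the seriousness and treatment flow described above: impact comes from the asset classification, likelihood is either the knowledge-base default or a user-supplied value on the 1-4 scale, optional reduction factors from the audit lower either value, a grid turns the pair into a seriousness level, and that level is compared with the organization's risk appetite to decide whether the scenario can be accepted or must be treated. The 4x4 grid, the reduction-factor scale and the sample scenarios are constructed assumptions for the demonstration, not MEHARI's actual tables. The `apply_control` function re-evaluates a scenario after an action plan, which is the iterative step the process relies on.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed seriousness grid: SERIOUSNESS_GRID[likelihood][impact] -> 1..4.
# Its shape follows the 1-4 scales described in the text; the cell values
# are an assumption for this example, not the grid shipped with MEHARI.
SERIOUSNESS_GRID = {
    1: {1: 1, 2: 1, 3: 2, 4: 2},
    2: {1: 1, 2: 2, 3: 3, 4: 3},
    3: {1: 2, 2: 3, 3: 3, 4: 4},
    4: {1: 2, 2: 3, 3: 4, 4: 4},
}


def _check_scale(value: int, label: str) -> int:
    """Likelihood and impact are only defined on the 1-4 scale."""
    if value not in (1, 2, 3, 4):
        raise ValueError(f"{label} must be between 1 and 4, got {value}")
    return value


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset: str
    threat: str
    impact: int                          # from asset classification (1-4)
    default_likelihood: int              # knowledge-base default (1-4)
    own_likelihood: Optional[int] = None  # user override of the default, if any
    likelihood_reduction: int = 0        # assumed 0-3, from audit reduction factors
    impact_reduction: int = 0            # assumed 0-3, from audit reduction factors


def effective_likelihood(s: RiskScenario) -> int:
    """User value wins over the knowledge-base default; reductions never go below 1."""
    base = s.own_likelihood if s.own_likelihood is not None else s.default_likelihood
    _check_scale(base, "likelihood")
    return max(1, base - s.likelihood_reduction)


def effective_impact(s: RiskScenario) -> int:
    _check_scale(s.impact, "impact")
    return max(1, s.impact - s.impact_reduction)


def seriousness(s: RiskScenario) -> int:
    """Combine likelihood and impact into the scenario's seriousness (1-4)."""
    return SERIOUSNESS_GRID[effective_likelihood(s)][effective_impact(s)]


def decide(s: RiskScenario, risk_appetite: int) -> str:
    """'accept' if seriousness is within appetite, otherwise 'treat'
    (reduce, transfer or avoid is then a business decision per scenario)."""
    _check_scale(risk_appetite, "risk appetite")
    return "accept" if seriousness(s) <= risk_appetite else "treat"


def assess(scenarios: List[RiskScenario], risk_appetite: int) -> List[Tuple[str, int, str]]:
    """One row per scenario: (name, seriousness, decision), most serious first."""
    rows = [(s.name, seriousness(s), decide(s, risk_appetite)) for s in scenarios]
    return sorted(rows, key=lambda r: -r[1])


def apply_control(s: RiskScenario, likelihood_reduction: int = 0,
                  impact_reduction: int = 0) -> RiskScenario:
    """Model an action plan by adding reduction factors; the caller re-assesses."""
    return replace(
        s,
        likelihood_reduction=s.likelihood_reduction + likelihood_reduction,
        impact_reduction=s.impact_reduction + impact_reduction,
    )


# Constructed sample scenarios (names and values are illustrative only).
SAMPLE_SCENARIOS = [
    RiskScenario("S1 customer DB disclosure", "customer database", "external intrusion",
                 impact=4, default_likelihood=3),
    RiskScenario("S2 payroll service outage", "payroll application", "hardware failure",
                 impact=2, default_likelihood=2, own_likelihood=1),
    RiskScenario("S3 backup media theft", "backup tapes", "theft",
                 impact=3, default_likelihood=2, impact_reduction=1),
]

if __name__ == "__main__":
    appetite = 2
    for name, level, decision in assess(SAMPLE_SCENARIOS, appetite):
        print(f"{name:32s} seriousness={level} -> {decision}")
    # Treat S1 by reducing likelihood (e.g. a preventive control), then re-assess.
    treated = apply_control(SAMPLE_SCENARIOS[0], likelihood_reduction=2)
    print(f"after control: seriousness={seriousness(treated)} -> {decide(treated, appetite)}")
```

The point of keeping `decide` and `apply_control` separate is that the seriousness level only tells you whether treatment is needed; choosing between reduction, transfer and avoidance, and picking the action plan from the knowledge base, remains a decision for the business owner of the scenario. Re-running `assess` after each control is the periodic re-evaluation step.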
MEHARI risk management does provide a set of audit questionnaires to assess the current level of governance and security controls in place. The domains covered include physical & environmental security, network/data/application security, program/project development, management process etc.
The risk management process is an iterative one. The controls you put in place today may not be relevant tomorrow. Therefore, the risk management exercise is repeated periodically to see whether the controls implemented yesterday are still effective today and whether, due to changes in business processes, any significant emergent risk(s) remain unaddressed.