This is a continuation of the other day's post, focused on the Risk Management aspect of what we need to change in the industry. Over the past 20 years or so risk has been discussed, but very little has been detailed about it. A lot of the conversation about risk has been little more than grabbing severity ratings from tools. The purpose of a risk position, in my opinion, is to do a couple of things. The first is to prioritize issues based on a specific desire of the entity for which the review is done. In our general case we prioritize issues based on their importance to the business. As a result we categorize risks into three areas: Value, Brand and Operation. The second purpose is to translate the technical underbelly of Information Security into a language the audience understands, and the three business-oriented categories work well for that.
With my implementation of the risk methodology I needed to get a few understandings out of the way. It was important to understand why they matter and to acknowledge them for my audience. The first is the concept of qualitative vs. quantitative. I don't believe we have enough data from the industry to enable a quantitative model. In addition, the tools we use give us inherently qualitative ratings in numerical form, which we misunderstand and call quantitative. Hence the "Qualys says it's a 5" statements. The other point is that I don't think there's a problem with a qualitative assessment as long as it's done with a vetted, repeatable methodology and by qualified individuals.
Of the three categories, Value is probably the easiest to do. Value defines the impact of a security issue on the revenue stream of the business. This includes the combined infrastructure supporting the revenue-generating application, such as firewalls, switches, etc. We also need to determine what makes a "high value" risk vs. a "medium" or "low" one, and get the business unit's opinion of what revenue impact is significant vs. minor. With revenue of 6 billion, is 10 million a medium or a low impact? It's obvious that 1 billion is high.
Brand incorporates a couple of different things: anything that can affect the brand or reputation of the business. This includes anything externally facing, public or customer audits, data whose loss results in a public breach, disruption of customer-dependent applications, etc. This category depends heavily on data identification and classification. With that, as well as other factors, it's simple to start shaping the high, medium and low classifications of the impact of data.
Operational is probably the most difficult of the three and the one that adds the most business value. Operational risk is designed to identify risks to the critical operations of the business. In a software company this includes not only sales channels but also the System Development Life Cycle (SDLC), as it's the "assembly line" of the product. Secondary processes such as back-office support, HR, etc. can be placed in the medium and low categories.
With these in place, the mapping of threats to controls to assessments starts to take shape, as "Risk", by my definition, is not the possibility of an issue but the actual identification of a problem within the context of its impact. In other words, finding a vulnerability on a development system is not the same risk as finding it on an externally facing web server that generates half of our revenue. With this model we can then apply our environment to the identified issues in a business language and context.
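As an added example (my own code, not from the original post), here is a small Python model of the idea: each asset gets a High/Medium/Low tier in each of the three categories, and a finding's risk is its tool severity capped by the asset's business impact, so the same scanner rating comes out differently on a development box and on a revenue-generating web server. The revenue thresholds, the combination rule (minimum of severity and impact), the asset names, their tiers and the finding are all assumptions constructed for the example, not the author's methodology.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Qualitative rating scale shared by all three business categories."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def value_tier(revenue_at_risk: float, total_revenue: float,
               high_fraction: float = 0.10, medium_fraction: float = 0.01) -> Tier:
    """Map revenue impact to a Value tier.

    The fractions are an assumption of this example; in practice the business
    unit decides where 'significant' vs. 'minor' revenue impact lies.
    """
    fraction = revenue_at_risk / total_revenue
    if fraction >= high_fraction:
        return Tier.HIGH
    if fraction >= medium_fraction:
        return Tier.MEDIUM
    return Tier.LOW


@dataclass(frozen=True)
class Asset:
    name: str
    value: Tier       # impact on the revenue stream
    brand: Tier       # reputation, customer-facing and data-classification impact
    operation: Tier   # impact on critical operations (sales channels, SDLC, ...)

    def impact(self) -> tuple[Tier, str]:
        """Highest business impact tier and the category that drives it."""
        categories = {"Value": self.value, "Brand": self.brand, "Operation": self.operation}
        driver = max(categories, key=categories.get)  # first category with the top tier
        return categories[driver], driver


@dataclass(frozen=True)
class Finding:
    identifier: str
    tool_severity: int   # scanner rating 1..5: qualitative, despite being a number


def severity_tier(tool_severity: int) -> Tier:
    """Fold the scanner's 1..5 rating into the same three-step scale (assumed cut-offs)."""
    if tool_severity >= 4:
        return Tier.HIGH
    if tool_severity == 3:
        return Tier.MEDIUM
    return Tier.LOW


def risk_rating(finding: Finding, asset: Asset) -> Tier:
    """Assumed combination rule: a finding is no riskier than its own severity
    and no riskier than the business impact of the asset it sits on."""
    impact, _ = asset.impact()
    return Tier(min(severity_tier(finding.tool_severity), impact))


def describe(finding: Finding, asset: Asset) -> str:
    """Business-language statement of the risk, naming the driving category."""
    impact, category = asset.impact()
    rating = risk_rating(finding, asset)
    return (f"{rating.name} risk: {finding.identifier} on {asset.name} "
            f"(tool severity {finding.tool_severity}, {category} impact {impact.name})")


def prioritize(pairs: list[tuple[Finding, Asset]]) -> list[tuple[Finding, Asset]]:
    """Order (finding, asset) pairs by contextual risk, then by raw severity."""
    return sorted(pairs,
                  key=lambda fa: (risk_rating(*fa), severity_tier(fa[0].tool_severity)),
                  reverse=True)


# Constructed sample data: a development build box and the externally facing
# shop front that generates half of a 6 billion revenue. Tiers are assumed.
DEV_BOX = Asset("dev-build-01", value=Tier.LOW, brand=Tier.LOW, operation=Tier.MEDIUM)
REVENUE_WEB = Asset("shop-web-01",
                    value=value_tier(3_000_000_000, 6_000_000_000),
                    brand=Tier.HIGH, operation=Tier.MEDIUM)
SAME_VULN = Finding("VULN-0001 (constructed)", tool_severity=5)

if __name__ == "__main__":
    for finding, asset in prioritize([(SAME_VULN, DEV_BOX), (SAME_VULN, REVENUE_WEB)]):
        print(describe(finding, asset))
```

The same severity-5 finding is rated MEDIUM on the development box (capped by its Operation tier) and HIGH on the shop front (driven by its Value tier), which is the contrast the text draws; the printed line names the category that drives the rating so the audience sees the business reason, not the scanner number.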