The Standard

Risk Management and Certification

This chapter provides details on the areas integral to the cluster “Risk Management and Certification” of the taxonomy by giving a more detailed profile for each IT Security Standard. These profiles spell out the challenges regarding information security and summarize the key security objectives. In addition, dependencies on other areas are briefly explained.

IT Security Standard: Certification and 3rd Party Assurance
Abbr.: CTP
Top-level security issues, IT components and major areas: Third party assessment and validation may provide a greater level of independence and acceptance in a wider market. Utilization of security practices from industry standards generates benefits since expertise and experience from a wider market are utilized.

Scope and Content:

  • Customers may require that assessments and validation are performed by third parties because this provides a greater level of independence and acceptance. Internal assessments and validations are still required and not to be replaced. Often customers require that they perform their own assessments and validations. A standard way this is carried out is auditing. All these activities provide assurance.
  • The IT service provider is interested in utilizing the expertise and experience covered by industry and other standards. Customers, in turn, gain more confidence if the IT service provider employs such practices. This also reduces the effort towards validation which may or may not utilize formal certification processes.

Goals and Objectives:

  • Security measures set forth in all other IT Security Standards shall correspond to industry standards instead of being drawn up in-house in order to utilize and take advantage of the vast expertise and experience available elsewhere. Hence, national and international standards are applied to security and quality standards.
  • Security is not an off-the-rack solution. On the contrary, security is connected to cyclical processes which are themselves subject to constant further development. Therefore, regular checks and inspections of the IT systems by customers and independent bodies are performed. It is ensured that all security processes and procedures, as well as the effectiveness of their implementation, are verified on a rotational basis.
  • Independent validation provides further and stronger evidence about the security level being reached and maintained. Suitable measures are to be taken to establish an appropriate level of confidence in security. An approach needs to be set up so that users’ commercial and security objectives can be met at acceptable costs for both the user organization and the supplying party.

Primary External Support:

  • None
IT Security Standard: Risk Management
Abbr.: RMP
Top-level security issues, IT components and major areas: Security and compliance can be placed at risk by different circumstances that arise. Risk management comprises the identification of risks, the analysis and categorization of risks, and determination of countermeasures to reduce the risks to an acceptable level.

Scope and Content:

  • IT service provisioning stipulates that information is created, read, changed, stored and communicated. This information is processed by applications, IT systems and components for supporting business processes. Each entity has a strong need for protection regarding security objectives. Compliance with these security objectives can be endangered by different circumstances. Information security risk management comprises the identification of risks, the analysis and categorization of risks, and determination of countermeasures to reduce the risks to an acceptable level.
  • Risk management as described here focuses on the risks in information processing. More precisely, the scope covers IT service provisioning for customers. Consequently, risk management is performed in different contexts, as described in the following bullet points:
  • Many risks are appropriately treated by the supplying party independent of customer requirements. The motive behind this is due care and the provider’s own business reliability and resilience, which includes compliance with legal requirements. The holding company may enforce these requirements and have its own standards and requirements to be met. A second motive is that the supplying party is committed or partially obliged to implement a certain standard and, for instance, to provide compliance with national or international standards, regulations and the like. Customers may rely on both motives. The difference between the two is not a vital concern, but in the latter case the obligation is more visible and apparent.
  • The IT service provider has designed its business and IT infrastructure to deliver IT services that meet customer demands. An acceptable and agreed level of risk is included in the contract. Hence, a supplying party is obliged to additionally take contractual risks into account. The challenge is twofold: First, the provider must anticipate typical applications with their environment and risk appetite (or level of required control and protection). Here, typical or suggested risk scenarios, business impact and risk threshold levels are taken into consideration by risk management. The situation is similar to that in the bullet points above. The second challenge, however, is that this must possibly be adjusted during the sales and contracting phase. In particular, the exact business impact is only known to the customer (user organization), and fixing a threshold requires a tradeoff between costs and risk.

Goals and Objectives:

  • The design of any countermeasure or security control requires an understanding of the problem and its subject as well as of its significance or priority. Therefore, it is essential to identify risks. This, in turn, requires different steps. The relevant information objects (e.g., processes, systems, and data) are identified together with their security objectives. Afterwards, threats are determined, covering scenarios for a breach of information security. Vulnerabilities are to be considered in order to understand whether such threats may materialize and should be taken into account. Finally, the impact that will occur if an object or system is threatened is identified, since a so-called vulnerability can be avoided.
  • The identification of risks shall use different sources of information, including security reports, vulnerability notification services, as well as security events and incident management.
  • Risks need to be analyzed and categorized, to be prepared for prioritized planning and selection of appropriate controls for risk treatment. Here, the identified risks are further qualified, for instance, by the estimation of the likelihood. Qualification will include a realistic estimation of the consequences; that is, the business impact needs to be rated. Moreover, a threshold for an acceptable risk level is to be defined. Comparison and a possible further analysis may provide results useful for making decisions.
  • Options for the treatment of risks are determined. These are risk reduction, risk retention, risk transfer and risk avoidance. According to the business case, these risk-treatment types are to be considered in the decision-making process. The four options of risk treatment may be combined.
  • Implementation of controls is to be initiated and monitored in order to check the status of realization. Efficiency and effectiveness shall be checked and residual risks are to be determined.
  • Risk identification, analysis and treatment shall be conducted periodically. Risk management shall consider the challenges described in the previous “scope and content” section.
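The goals above describe one pass of the risk management cycle: identify information objects, threats and vulnerabilities from several sources, estimate likelihood and business impact, compare the resulting level against an agreed threshold, pick a combination of the four treatment options, and determine the residual risk once controls are in place. The following Python risk register is an added example written for this chapter and is not code from the standard; the 1..5 rating scales, the multiplicative risk level, the threshold of 6, the category bands, the treatment decision rule and the sample risks are all constructed assumptions chosen to make the procedure concrete.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed scales and threshold for this example (not taken from the standard):
# likelihood and impact are rated 1..5, risk level = likelihood * impact, and
# ACCEPTABLE_LEVEL is the agreed threshold at or below which a risk is retained.
ACCEPTABLE_LEVEL = 6


class Treatment(Enum):
    REDUCE = "risk reduction"     # implement controls that lower likelihood or impact
    RETAIN = "risk retention"     # accept the risk as it is (within the threshold)
    TRANSFER = "risk transfer"    # shift the consequence, e.g. contractually or by insurance
    AVOID = "risk avoidance"      # stop or change the activity that creates the risk


@dataclass
class Control:
    name: str
    likelihood_delta: int = 0     # rating points the control removes from likelihood
    impact_delta: int = 0         # rating points the control removes from impact


@dataclass
class Risk:
    information_object: str       # process, system or data being protected
    objective: str                # security objective at stake (confidentiality, integrity, availability)
    threat: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe business impact)
    source: str                   # where it was identified: report, vulnerability feed, incident, ...
    controls: list = field(default_factory=list)
    transferable: bool = False    # a transfer option (e.g. a contract clause) exists

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        """Risk level remaining after the planned controls are applied."""
        lk, im = self.likelihood, self.impact
        for c in self.controls:
            lk = max(1, lk - c.likelihood_delta)
            im = max(1, im - c.impact_delta)
        return lk * im


def categorize(level: int, threshold: int = ACCEPTABLE_LEVEL) -> str:
    """Band a risk level for prioritized planning (constructed bands)."""
    if level <= threshold:
        return "acceptable"
    if level <= 2 * threshold:
        return "medium"
    return "high"


def plan_treatment(risk: Risk, threshold: int = ACCEPTABLE_LEVEL) -> list:
    """Select treatment options; as the text notes, the four options may be combined."""
    if risk.level <= threshold:
        return [Treatment.RETAIN]
    plan = [Treatment.REDUCE] if risk.controls else []
    if risk.residual_level() <= threshold:
        return plan
    # Controls alone do not reach the threshold: combine with a transfer, or avoid the activity.
    plan.append(Treatment.TRANSFER if risk.transferable else Treatment.AVOID)
    return plan


def risk_register(risks: list, threshold: int = ACCEPTABLE_LEVEL) -> list:
    """Analyzed and prioritized register, highest risk level first."""
    rows = []
    for r in sorted(risks, key=lambda r: r.level, reverse=True):
        rows.append({
            "object": r.information_object,
            "objective": r.objective,
            "source": r.source,
            "level": r.level,
            "category": categorize(r.level, threshold),
            "treatment": [t.value for t in plan_treatment(r, threshold)],
            "residual": r.residual_level(),   # after controls; transfer is not netted out here
        })
    return rows


# Constructed sample risks, each tagged with the source it was identified from.
SAMPLE_RISKS = [
    Risk("customer web portal", "availability", "volumetric DDoS", "single upstream link",
         likelihood=3, impact=4, source="security report",
         controls=[Control("upstream scrubbing service", likelihood_delta=2, impact_delta=1)]),
    Risk("hosted customer database", "confidentiality", "privileged insider data theft",
         "broad standing DBA privileges", likelihood=3, impact=5, source="incident management",
         controls=[Control("database activity monitoring", likelihood_delta=1)], transferable=True),
    Risk("backup tapes in transit", "confidentiality", "loss or theft of media",
         "unencrypted media", likelihood=2, impact=5, source="vulnerability notification service"),
    Risk("test environment", "integrity", "administrator misconfiguration", "no change approval",
         likelihood=2, impact=2, source="security report"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
```

Running the block prints the register sorted for prioritized planning: the database risk (level 15) is banded high and gets reduction combined with transfer because monitoring alone leaves it above the threshold, the portal risk (12) is reduced to a residual of 3 by the scrubbing service, the unencrypted tapes (10) have no planned control and no transfer option and so are avoided, and the test environment (4) is retained. Re-running the register with updated ratings is the periodic re-assessment the last bullet calls for.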

Primary External Support:

Type 1 Risk Management: The principles and practices described in this standard are used to perform risk management assessments and decisions with a limited scope. Examples include:

  • Vulnerabilities are identified and assessed with respect to possible business impacts; and corrective measures are planned for risk mitigation. This activity is part of the “Vulnerability Assessment and Mitigation Planning (VAM)”.

  • Risk assessment is also a mandatory component of “Change and Problem Management (CPM)”. Requested changes are analyzed and evaluated, with respect to possible business impacts, and finally approved.

  • The same applies for new services or releases being put into place. As a result, the standard “Release Management and Acceptance Testing (RMA)” is additionally mentioned here.

Type 2 Risk Management: Risk Management is also performed as an overall discipline. As a main component of an ISMS based on ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) [1], the (Information Security) Risk Management enables the IT service provider’s management to direct and control the organization with regard to risk and the customer’s corporate and legal requirements. This overall risk management particularly requires support from the following areas:

  • Risk Management uses the services and results of “Vulnerability Assessment and Mitigation Planning (VAM)” in order to be notified of changes to the risk profile, in particular of vulnerabilities which cannot be treated as desired.

  • Risk Management utilizes the services and results of “Logging, Monitoring and Security Reporting (LMR)” in order to be notified of major incidents affecting the risk profile.

  • Risk Management applies the services and results of “Incident Handling and Forensics (IHF)” in order to be notified of major findings from forensic analysis which impact the risk profile.