An Introduction To
Information, Network and Internet Security


Risk assessment methodology based on AS/NZS 4360

The methodology described here follows AS/NZS 4360.

For asset definition and valuation a technique known as Business Attributes Profiling is used, in which the real physical and logical assets are conceptualised as a set of standardised, normalised attributes, each of which is then defined in the specific terms of the business context. Each attribute is associated with a performance measurement method so that the required performance level for that attribute can be specified, and the performance target is set according to the risk appetite of the organisation: how much do you need that attribute to hit its target, and how high does the target need to be? These Business Attributes therefore become key risk indicators: they serve as the assets against which the risk assessment is made, against which controls are designed, and against which a cost/benefit analysis is performed to support risk treatment decisions.

Each of the five steps below is linked into an ongoing communication and consultation process and into a continuous monitoring and review process (see the diagram above). The latter makes the assessment iterative rather than a 'one-shot' exercise. The intention is to review only what has changed, but this presupposes that a process for managing and tracking those changes is already in place.

There is also a feedback loop from Step 5 to Step 1 whereby results of the 'Risk Treatment' phase are fed back into the 'Establish Context' phase as part of the continuous iterative process (see the diagram above).

AS/NZS 4360 Step 1: Establish context

This means understanding what, from a business perspective, is at risk. It has two main phases, each of which covers several aspects:

Descriptive phase

·         What are the business objectives?

·         What are the measurable success criteria for these objectives (covering all aspects of success)?

·         How can measurements of risk (qualitative or quantitative) be made?

·         Make a clear distinction between measuring the 'likelihood' of a risk event and the 'impact' of its occurrence;

·         Take into account stakeholders' concerns and objectives.

Creative phase

·         Split the entire enterprise into components: 'key elements';

·         Focus thinking on these key elements;

·         Stimulate creative thought through workshops and brainstorming sessions;

·         Speak specific risk-oriented language.

AS/NZS 4360 Step 2: Identify risks

·         What can happen? How can it happen?

·         Cover both threats and vulnerabilities;

·         Checklists may be used but you should avoid preconditioning expectations;

·         Checklists can help to verify the completeness of the identification process;

·         The recommended approach is a structured brainstorming workshop;

·         A secondary approach is to use questionnaires, surveys or interviews by skilled consultants;

·         You should include a creative assessment of the future - what might happen?

AS/NZS 4360 Step 3: Analyse risks

·         Assign to each risk a significance rating using simple 'impact' versus 'likelihood' scales;

·         Where risks are complex, custom-modelling techniques should be used;

·         The outcome is an initial view of the significance of each risk but it is recognised that at first pass ratings can be either too high or too low.

AS/NZS 4360 Step 4: Evaluate risks

·         Apply a screening process to ensure the system does not become bogged down with too many risk items;

·         Prioritise the risks relative to the complete set taking into account known priorities and the supporting business requirements.

AS/NZS 4360 Step 5: Treat risks

·         What will you do about each risk, both in terms of preventive measures and contingency arrangements?

·         Calculate and sign off the residual risk remaining after the risk treatment plan has been applied; by signing off, the business formally accepts this level of residual risk.
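As an added worked example (not from the page and not part of AS/NZS 4360 itself), the following Python runs Steps 3 to 5 over a constructed four-item risk register: a simple 5x5 impact-versus-likelihood rating (Step 3), screening against the risk appetite and ranking (Step 4), then treatments, a cost/benefit figure and the residual risks that still need business sign-off (Step 5). The scales, the appetite value of 6, the rule that any catastrophic-impact risk survives screening, the risk entries and the treatment costs are all assumptions chosen for illustration; the standard leaves scales and thresholds to the organisation.

```python
"""AS/NZS 4360 Steps 3 to 5 over a small constructed risk register.

Added example: the 5x5 ordinal scales, the risk appetite, the
'retain any catastrophic impact' screening rule, the risk records and the
treatments are illustrative assumptions, not taken from AS/NZS 4360 or from
the page; the standard leaves the choice of scales and thresholds to the
organisation.
"""
from dataclasses import dataclass, replace

# Step 1 (context): ordinal scales, 1 = lowest, 5 = highest.  Assumed values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Risk appetite: the highest significance the business accepts untreated.  Assumed.
RISK_APPETITE = 6


@dataclass(frozen=True)
class Risk:
    ident: str
    attribute: str    # the Business Attribute (asset) this risk threatens
    description: str
    likelihood: str
    impact: str

    @property
    def significance(self) -> int:
        """Step 3: simple impact x likelihood rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Treatment:
    risk_id: str
    control: str
    likelihood: str   # expected rating once the control is in place
    impact: str
    cost: int         # relative cost units; assumed, used for cost/benefit


def analyse(register):
    """Step 3: first-pass significance per risk."""
    return {r.ident: r.significance for r in register}


def evaluate(register, appetite=RISK_APPETITE, retain_max_impact=True):
    """Step 4: screen out risks within appetite, then rank the rest.

    retain_max_impact keeps any risk with the top impact rating even when a
    low likelihood pushes the product below appetite (a product of two
    ordinal scores hides this case).  Ranking tie-breaks on impact, then id.
    """
    max_impact = max(IMPACT.values())
    retained = [
        r for r in register
        if r.significance > appetite or (retain_max_impact and IMPACT[r.impact] == max_impact)
    ]
    return sorted(retained, key=lambda r: (-r.significance, -IMPACT[r.impact], r.ident))


def treat(register, treatments):
    """Step 5: apply treatments; returns (original, residual, treatment-or-None)."""
    by_id = {t.risk_id: t for t in treatments}
    out = []
    for r in register:
        t = by_id.get(r.ident)
        residual = replace(r, likelihood=t.likelihood, impact=t.impact) if t else r
        out.append((r, residual, t))
    return out


def benefit_per_cost(register, treatments):
    """Cost/benefit input for treatment decisions: significance reduction per cost unit."""
    return {
        t.risk_id: (orig.significance - res.significance) / t.cost
        for orig, res, t in treat(register, treatments) if t is not None
    }


def needs_sign_off(register, treatments, appetite=RISK_APPETITE):
    """Residual risks still above appetite: the business must formally accept
    them (sign-off) or send them back to Step 1 for further treatment."""
    return [res for _, res, _ in treat(register, treatments) if res.significance > appetite]


# Constructed register and treatment plan (not real findings).
REGISTER = [
    Risk("R1", "Customer data confidentiality", "Database credentials committed to source repository", "possible", "major"),
    Risk("R2", "Order service availability", "Single database node fails during peak trading", "likely", "moderate"),
    Risk("R3", "Web site integrity", "Defacement through an unpatched CMS plugin", "unlikely", "minor"),
    Risk("R4", "Payment integrity", "Tampered payment-gateway callback accepted", "rare", "catastrophic"),
]
TREATMENTS = [
    Treatment("R1", "Secret scanning in CI and credential rotation", "rare", "major", cost=2),
    Treatment("R2", "Read replica with a manual failover runbook", "possible", "moderate", cost=3),
]

if __name__ == "__main__":
    print("Step 3:", analyse(REGISTER))
    print("Step 4:", [(r.ident, r.significance) for r in evaluate(REGISTER)])
    print("Step 5 benefit/cost:", benefit_per_cost(REGISTER, TREATMENTS))
    print("Needs sign-off:", [(r.ident, r.significance) for r in needs_sign_off(REGISTER, TREATMENTS)])
```

Running the module prints each step's output. Two caveats the code makes visible: the product of two ordinal scores is itself only ordinal, so R4 (rare but catastrophic) would be screened out by the score alone, which is why the override rule exists and why first-pass ratings can come out too low; and R2 still exceeds appetite after its treatment, so it either gets formal acceptance or is fed back into Step 1 with a stronger control. Calibrate the scales and appetite from your own Step 1 context; the numbers here carry no meaning outside this example.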



The Security Practitioner

An Introduction to Information Security