The Information Security Forum (ISF) has updated its risk assessment methodology to improve threat profiling and vulnerability assessment, among other things.
The ISF’s Information Risk Assessment Methodology version 2 (IRAM2) is a practical methodology that helps businesses to identify, analyze and treat information risk throughout the organization. In the updated version, “react and prepare” have been incorporated into the supporting information used during the threat profiling phase, including the common threat list (CTL) and the threat event catalogue (TEC).
Also, on the vulnerability front, the previous IRAM2 control library, consisting of 29 controls, has been replaced with a more comprehensive set of 167 controls based on The Standard of Good Practice for Information Security and the Security Healthcheck. The approach for determining control strength also now includes the extent of ‘relevance’ and ‘implementation’ of environmental controls. This enhanced approach is supported with the introduction of control relevance tables (CRT) to provide objectivity and repeatability.
Its supporting tool, the IRAM2 Assistant, was previously a single, Excel-based supporting tool. It has now been split into four integrated modules collectively referred to as the IRAM2 Assistants. Each module supports one or more phases of the methodology. The IRAM2 Assistants automate parts of the methodology that would otherwise require a greater amount of manual effort and offer in-depth analysis to enhance business decision making. They also deliver specific templates that can be applied for enterprise-wide information risk assessments, and use report templates to convey the key risks to stakeholders. Each IRAM2 Assistant is accompanied by a practitioner guide providing step-by-step instructions on how to use the methodology.
“Developing a robust mechanism to assess and treat information risk throughout your organization is essential,” said Steve Durbin, managing director at the ISF. “Risk assessment is all about balance, and IRAM2 allows for teams to assess risk in a realistic manner. IRAM2 focuses on simplicity and practicality, while embedding reliability and steadfastness throughout the assessment process. This enables consistent results and a depth of analysis that improves decision-making.”
IRAM2 provides organizations with the ability to tailor their threat tables to reflect their overall risk appetite. IRAM2 works by evaluating and assessing a variety of information risk factors that make up each information risk equation. Once defined at an organizational level, risk appetite can be communicated and presented differently throughout an organization. If an organization does not have a defined risk appetite, the decisions regarding the treatment of each risk will have to be made by the key stakeholders on a risk-by-risk basis. The practitioner should make the key stakeholders aware that the lack of a defined risk appetite could result in inconsistent decisions regarding the amount of risk the organization accepts.
“Managing information risk fundamentally relates to effectively balancing risk against reward,” continued Durbin. “IRAM2 empowers information risk practitioners to engage with key business, risk and technology stakeholders in an organized and enterprise-aware manner. With this foundation, they can work more effectively across the organization to assess appropriate risk profiles and provide input to the business to address – or not.”