Information security risk assessment using the Facilitated Risk Analysis Process

Author: Evgeniy Baklushin, Senior Analyst, UCSB

Good afternoon! We continue our series of reviews of information security (hereinafter referred to as IS) risk assessment methodologies, and today’s issue is devoted to the Facilitated Risk Analysis Process (hereinafter referred to as FRAP).

Why FRAP?

The FRAP methodology is focused on a qualitative assessment of information security risks in terms of their impact on the achievement of the organization’s business goals, rather than on compliance with some catalog of security controls or audit requirements. At the same time, the technique has several advantages over quantitative risk assessment, such as:

  • The documentation has a practical use; it is not a useless ream of paper.

  • The assessment takes into account not only the experience and skills of the information security department specialists, but also the experience of business process owners.

  • Additionally, experience gained from national information security incident response centers, professional associations and specialized literature can be taken into account.

Risk Analysis

Analysis and assessment of IS risks according to FRAP consists of several stages. Let’s take a look at them.

Stage 1 – FRAP group

Duration: 1 day.

It all starts with the definition of a FRAP group, which includes business managers, a project manager (hereinafter – PM) and a facilitator (responsible for communication).

The FRAP group sets the project goal and identifies all participants in the information security risk assessment for the relevant session, which may include:

  • business process owners;

  • users of information (automated) systems;

  • system and network administrators;

  • software developers;

  • representatives of the information security department and the security service;

  • external auditors;

  • lawyers;

  • and others.

The final composition can be determined in the first part of the session. The main thing is to involve all stakeholders and consider all possible scenarios that can disrupt the business processes (goals) of the organization.

Stage 2 – FRAP session

Duration – 1 day.

First of all, the FRAP team introduces itself to all participants in the session, and also announces the names, titles and roles of all those present (process owner, project manager, secretary, session members, and others).

The second important point at the beginning of the session is the announcement of the agenda and the approval of basic definitions, such as:

IMPORTANT! From the FRAP point of view, IS risks are considered in terms of both the IS management processes and the systems that automate the organization’s core business processes.

  • measures and means of control and management – measures and means taken and used to prevent, detect, mitigate (reduce) or accept risk as part of ensuring the protection of business processes;

  • integrity – the information is appropriate for its intended purpose, without unauthorized or unwanted changes or distortions;

  • confidentiality – the information has not been subjected to unauthorized or unwanted disclosure;

  • availability – applications, systems or information resources should be available when needed.

The PM then initiates a brainstorming session with some examples of information security risks:

  • Third parties gain access to confidential information.

  • Data can be corrupted by an incomplete transaction.

  • There are no IS assurance control processes.

IMPORTANT! Team members should bring not only hard skills but also soft skills to the discussion, i.e. be interested in the process, listen to and trust each other, get involved and use their imagination.

Let the BRAINSTORM begin!

For 3-5 minutes, group members write down risks on sticky notes or pieces of paper based on what they are concerned about and what they consider important. Then the process goes according to the following algorithm:

1. The facilitator collects all the stickers and announces a small coffee break.

2. Duplicate risks are then removed from the pile, and new ones are added if someone has come up with more ideas over a cup of coffee.

3. Next comes risk prioritization. This is done by identifying the possible vulnerabilities that are causing the risks, as well as the possible impact of the risks on the organization’s business objectives. Usually, there are 3 levels of vulnerabilities:

  • High: There is a serious weakness in the system or day-to-day operations that has the potential to have a serious or significant impact on the business, and controls need to be clearly improved.

  • Medium: There is some weakness with the potential for severe business impact; measures are already partially in place but need to be improved.

  • Low: the system works correctly and does not require additional measures and controls.

The degree of impact on the organization’s business goals is determined as follows:

  • High: May lead to bankruptcy or seriously damage the organization’s development prospects.

  • Medium: Will cause significant damage at great expense, but the organization is likely to survive in the end…

  • Low: Can be easily managed in the normal activities of the organization.

Then the PM summarizes everything in a common risk prioritization table. An example of such a table is shown below (rows are the vulnerability level, columns are the degree of business impact):

                       Degree of business impact
Vulnerability level    High      Medium    Low
High                   A         B         C
Medium                 B         B         C
Low                    C         C         D

At this point, the team members prioritize the risks by assigning each of the identified risks the corresponding letter values:

  • A – Corrective action must be taken and controls implemented.

  • B – Corrective action is required and controls are recommended to be implemented.

  • C – periodic monitoring is required.

  • D – No action required.

There are several ways to carry out the prioritization:

  • The facilitator brings up each identified risk for discussion in turn, at the end of which the team reaches a consensus and records its priority.

  • The facilitator discusses 2-3 risks with the team to make sure the team has the right understanding of the prioritization process. After that, each team member independently prioritizes risks. At the end, the average priority is taken.

  • Team members are given small colored stickers to place on the risks they believe require the implementation of controls. The more stickers, the higher the risk priority.

4. This completes the brainstorming. Let’s go drink coffee!

Stage 3 – measures and controls

Duration – 3-5 days.

The FRAP team analyzes the results of the session and generates a list of measures and controls for the identified risks. The facilitator then reconvenes the session participants to discuss treating the risks with these measures and controls.

IMPORTANT! Do not forget about the business goals; sometimes it is more profitable to accept a risk than to reduce it by implementing control and management measures.

Under the guidance of the PM, the facilitator asks the session members to determine which of the measures and controls on the checklist will help mitigate each risk. The discussion moves from A-priority risks down to D.

After the controls have been identified and the session members interviewed, the FRAP team generates a cross-reference sheet, which shows which controls help mitigate the greatest number of high-priority (A) risks.

It is also worth consulting the owners of the identified risks once more: having seen the cost of implementing the measures and controls, do they still consider them necessary, or can the risk be accepted?

And now the finale! The FRAP team produces a final report that identifies the risks and their priorities, the measures and controls together with their cost-effectiveness, and who will be responsible for implementing them.
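To make the two arithmetic parts of Stage 2 and Stage 3 concrete, here is a small worked example of the prioritization matrix and the cross-reference sheet. This is an added illustration, not code from the article or from any FRAP tool: the matrix values are taken from the table above, while the risks, controls, their mapping and the tie-breaking rule for averaged votes are constructed assumptions. It also implements the second prioritization option described earlier (each member rates independently and the average is taken), which the article describes in words only.

```python
"""FRAP prioritization matrix and cross-reference sheet (added worked example)."""
import math
from dataclasses import dataclass, field

# Priority matrix from the article: rows = vulnerability level, columns = business impact.
PRIORITY_MATRIX = {
    "High":   {"High": "A", "Medium": "B", "Low": "C"},
    "Medium": {"High": "B", "Medium": "B", "Low": "C"},
    "Low":    {"High": "C", "Medium": "C", "Low": "D"},
}

# Letters in decreasing severity; index 0 is the most severe.
PRIORITY_ORDER = "ABCD"


def prioritize(vulnerability: str, impact: str) -> str:
    """Look up the letter priority for one risk. Raises KeyError on an unknown level."""
    return PRIORITY_MATRIX[vulnerability][impact]


def average_priority(votes):
    """Option 2 from the session: every member rates a risk independently and the
    average is taken. Letters map to 0..3; a tie (e.g. halfway between B and C) is
    resolved toward the more severe letter. That tie rule is a constructed convention;
    the article does not specify one."""
    indices = [PRIORITY_ORDER.index(v) for v in votes]
    mean = sum(indices) / len(indices)
    return PRIORITY_ORDER[math.ceil(mean - 0.5)]


@dataclass
class Risk:
    risk_id: str
    description: str
    vulnerability: str   # High / Medium / Low
    impact: str          # High / Medium / Low
    priority: str = field(init=False)

    def __post_init__(self):
        self.priority = prioritize(self.vulnerability, self.impact)


# Constructed sample session output; the first three follow the article's brainstorm
# examples, the rest are hypothetical.
RISKS = [
    Risk("R1", "Third parties gain access to confidential information", "High", "High"),
    Risk("R2", "Data corrupted by an incomplete transaction", "Medium", "High"),
    Risk("R3", "No IS assurance control processes", "High", "Medium"),
    Risk("R4", "Backup media stored without encryption", "Medium", "Low"),
    Risk("R5", "Shared administrator account on the file server", "High", "High"),
]

# Constructed mapping: control -> risks the session members said it helps mitigate.
CONTROLS = {
    "C1 Role-based access control": ["R1", "R5"],
    "C2 Transaction journaling and rollback": ["R2"],
    "C3 IS management process with regular review": ["R3", "R1", "R5"],
    "C4 Encryption of backup media": ["R4"],
}


def risks_by_priority(risks):
    """Group risk ids by letter in A..D order, the order the facilitator walks them."""
    groups = {letter: [] for letter in PRIORITY_ORDER}
    for risk in risks:
        groups[risk.priority].append(risk.risk_id)
    return groups


def cross_reference(risks, controls):
    """Cross-reference sheet: rank controls by the number of A-priority risks they
    cover, then by total risks covered, then by name. Returns (control, a_count, total)."""
    priority_of = {risk.risk_id: risk.priority for risk in risks}
    rows = []
    for control, covered in controls.items():
        a_count = sum(1 for rid in covered if priority_of.get(rid) == "A")
        rows.append((control, a_count, len(covered)))
    rows.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return rows


if __name__ == "__main__":
    for letter, ids in risks_by_priority(RISKS).items():
        print(f"{letter}: {', '.join(ids) or '-'}")
    print("\nControl                                        A-risks  total")
    for control, a_count, total in cross_reference(RISKS, CONTROLS):
        print(f"{control:<45}  {a_count:>7}  {total:>5}")
```

With the constructed input, R1 and R5 land in A, R2 and R3 in B, R4 in C, and the sheet ranks C3 first (two A-risks, three in total) ahead of C1 (two A-risks, two in total); the two controls that cover no A-risk go to the bottom. The cost column the article mentions for the final report would slot in as a further tie-breaker in the sort key.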

Conclusion

Having considered the FRAP methodology, its approach to analyzing information security risks and the results it produces, let’s summarize its strengths and weaknesses.

Pros:

  • Business orientation. Throughout the process, risks are identified and assessed in terms of their impact on the achievement of the organization’s business objectives.

  • Speed. In about a week of active work we get practically applicable results and a reporting document, rather than spending several months of the year on it.

  • Involvement. The maximum number of employees whose activities and business goals depend directly on the outcome of the risk assessment are brought into the session.

Minuses:

  • Facilitator. With any methodology, the process of risk assessment is not easy, but in FRAP it is clearly necessary to have a strong facilitator who will be able to coordinate the work of a large team and who can correctly convey all key details to its members.

  • The number of group members. It often happens that the owner of a business process does not know all of its subtleties and sub-processes, and therefore may not be aware of some (non-obvious) risks, so additional members have to be brought into the group. If this situation repeats itself, the declared advantages of the technique begin to fade away.
