ISO 27001 is arguably the most comprehensive information security framework available today. Moreover, it is a vendor-neutral standard. However, ISO 27001 does not relate to assets or asset value and does not address the business context that is needed to prioritize security controls and their costs. This article discusses the benefits of performing an ISO 27001 based risk assessment exercise using techniques of threat modeling. An organization that follows this methodology will reap the benefits of improved data security and achieve readiness for ISO 27001 certification.
Why is threat analysis beneficial for ISO 27001?
Quantitative threat analysis using the popular PTA (Practical Threat Analysis) modeling tool provides a number of meaningful benefits for ISO 27001 risk assessments:
- Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
- Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
- Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
- Effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.
The Practical Threat Analysis calculative model is implemented in a user-friendly Windows desktop application available as a free software download at the PTA Technologies web site. You can download the Practical Threat Analysis library for ISO 27001 for free; the library is licensed under the Creative Commons Attribution License.
The importance of providing business context to ISO 27001 and making it accessible to any sized business
The ISO 27001 library we developed for PTA is a full implementation of the ISO 27001 standard and is extremely accessible to any ISO consultant or business wishing to certify to the standard.
ISO 27001 is the information security risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. The standard continues to gain a reputation for helping organizations improve their business practices and protect information assets.
ISO 27001 is increasingly popular because of compliance regulation and the growing need to reduce the operational risk of information security. The ISO organization has also recently (October 2010) taken measures to make ISO more accessible to SMEs by “providing practical advice for small and medium-sized enterprises (SMEs) on how to achieve the benefits of implementing an information security management system (ISMS) based on the International Standard ISO/IEC 27001” – see the ISO news release: ISO/IEC 27001 information security explained for small businesses.
The role of compliance
Governance and privacy compliance regulation like SOX, GLBA and PCI are fueling demand to improve information security practices. Regulatory compliance has become a trend trickling up and down the supply chain of customers and suppliers. The tall wave of customer data breach incidents over the past 3 years has poured additional fuel on the supply chain. Once the exclusive domain of large institutions, security risk assessments are now performed by many SMEs as their customers call on them to manage their data better and prove it by certifying to ISO 27001.
The need for effective risk reduction
Despite the importance of privacy and governance regulation, compliance is actually a minimum requirement for risk management, not a sufficient one.
The question is: What security controls should a firm implement after a risk assessment?
An ISO 27001 certification process can be as simple or as involved as an organization wants but there are always far more available controls than threats. As a result, organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.
However, implementing additional controls does not necessarily reduce risk.
For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.
Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.
The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.
Choosing the most cost-effective controls
Using a quantitative threat model enables a risk analyst to discuss risk in business terms and construct a financially justifiable set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of an all-or-nothing checklist implementation that may blindside you into thinking you’re secure just because you comply. Since it’s based on ISO 27001, you get the best of both worlds: a prioritized security plan and ISO 27001 certification readiness.
How ISO 27001 maps to a threat model
ISO 27001 contains 185 items in 11 sections, where each item has a reference number and describes a security policy and a corresponding security control. For example, Item 6.1.5 is a “Confidentiality agreements” security policy with the following control: “Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed”.
We needed to map the ISO 27001 data model to the PTA threat model, which is composed of threats, vulnerabilities, assets and countermeasures. Unlike PTA, the ISO 27001 model does not refer to particular threats or assets. We observed that the top-level items in each section mapped nicely to PTA vulnerabilities and that the sub-items were controls that translate directly to PTA countermeasures. For example, the ISO item 6.1 “Internal organization; information security is lacking or not well-defined” is a vulnerability mitigated by the following countermeasures:
- 6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
- 6.1.2 Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions.
- 6.1.3 All information security responsibilities shall be clearly defined.
- 6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.
- 6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.
- 6.1.6 Appropriate contacts with relevant authorities shall be maintained.
- 6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
- 6.1.8 The organization’s approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
After mapping the ISO 27001 data model to the PTA threat model, we used the “import entities from text file” function of the PTA desktop application to load an Excel worksheet of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures, and packed it as a PTA library.
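The mapping rule above (top-level item becomes a vulnerability, sub-items become the countermeasures that mitigate it) is mechanical enough to script. The following is an added example, not code from the article or from the PTA tool: it parses checklist lines in a constructed "item number, then text" layout (the wording of the items is abbreviated here and is not the standard's full text) into vulnerability and countermeasure records, normalizes references such as "06.1" to "6.1", and keeps aside any sub-item whose parent item is missing so that a gap in the worksheet shows up instead of silently dropping a control.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an exported checklist; 6.1 and its sub-items are the ones
# the article lists, 6.2 is added to show a second vulnerability.
SAMPLE_CHECKLIST = """\
6.1 Internal organization; information security is lacking or not well-defined
6.1.1 Management shall actively support security within the organization
6.1.2 Information security activities shall be coordinated
6.1.3 All information security responsibilities shall be clearly defined
6.1.5 Requirements for confidentiality or non-disclosure agreements shall be identified
6.2 External parties; risks from external party access are not controlled
6.2.1 Risks to information from business processes involving external parties shall be identified
"""

# "<number>.<number>[.<number>...]" followed by free text
ITEM_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)+)\s+(?P<text>.+?)\s*$")


@dataclass
class Vulnerability:
    ref: str
    description: str
    countermeasures: list = field(default_factory=list)


@dataclass
class Countermeasure:
    ref: str
    control: str
    mitigates: str  # reference of the parent vulnerability


def normalize_ref(num):
    """Strip leading zeros from every component, so '06.1' and '6.1' are the same item."""
    return ".".join(str(int(part)) for part in num.split("."))


def parse_checklist(text):
    """Map checklist lines to the threat-model entities the article describes:
    two-level references (6.1) become vulnerabilities, three-level references (6.1.1)
    become countermeasures attached to their parent. Returns (vulnerabilities by ref,
    orphaned countermeasures whose parent item was not in the input)."""
    vulns = {}
    orphans = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue  # blank line or heading text without an item number
        ref = normalize_ref(m.group("num"))
        body = m.group("text")
        depth = ref.count(".")
        if depth == 1:
            vulns[ref] = Vulnerability(ref, body)
        elif depth == 2:
            parent = ref.rsplit(".", 1)[0]
            cm = Countermeasure(ref, body, parent)
            if parent in vulns:
                vulns[parent].countermeasures.append(cm)
            else:
                orphans.append(cm)  # worksheet lists a control without its top-level item
        # deeper numbering is not part of the mapping and is ignored
    return vulns, orphans


if __name__ == "__main__":
    vulns, orphans = parse_checklist(SAMPLE_CHECKLIST)
    for v in vulns.values():
        print(v.ref, v.description)
        for cm in v.countermeasures:
            print("   ", cm.ref, cm.control)
    print("orphaned controls:", [cm.ref for cm in orphans])
```

Parent items must precede their sub-items, as they do in the standard's numbering; the orphan list is the check to run before importing, because an orphaned control would otherwise enter the model mitigating nothing.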
Using the PTA ISO 27001 library in a risk assessment project
The standard specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The PTA ISO 27001 library provides a systematic and quantitative approach to risk assessment and adds value with an optimized risk mitigation program. Doing a risk audit process with the PTA ISO 27001 library is faster, easier, more robust and a lot more fun than with an Excel spreadsheet.
An ISO 27001 risk assessment with PTA involves a two-stage process:
- Stage 1 is a “first cut” review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This is done by cycling through the PTA threat model, tagging top-level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.
- Stage 2 is a detailed, in-depth audit that tests existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as “Already Implemented” in PTA Professional Edition countermeasures detail screen. Controls needing work would be tagged with an action-required status (see the tagging option of the PTA tool).
Here is how you would use the ISO 27001 PTA library for a risk assessment (after installing the PTA Professional Edition freeware on your Windows PC):
- Step 0 – Fire up the program
- Step 1 – Load the ISO27001.2.thl library into your own threat model or just open the ISO27001.2.thm data model in its entirety
- Step 2 – Create assets with valuations
- Step 3 – Enter the costs of countermeasures; the PTA ISO 27001 library that we provide is agnostic, since each organization has its own estimates of how much a control policy should cost.
- Step 4 – Run the Optimized Countermeasures report. You have just built a cost-justified plan of controls compliant with ISO 27001.
- Step 5 – Refine the model. Don’t stop here; return to the model periodically and test the effectiveness of your risk mitigation program. For a practical methodology of software security assessment see our article “Make your business secure by making your software secure”.
The power of the PTA ISO 27001 library is demonstrated by a simple risk assessment with assets and threats that was built in just a few minutes, available as a free online download on the Software Associates web site.
Download the Practical Threat Analysis library for ISO 27001 here
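Steps 2 to 4 above (value the assets, cost the countermeasures, run the optimized countermeasures report) are what turns a checklist into a cost-justified plan. The following added example is not the PTA tool's code and does not reproduce its calculation; it is a small quantitative model of the same shape, written here to show what "optimized" means in practice. Risk per threat is probability times damage fraction times asset value; a countermeasure removes a fraction of a threat's risk; controls already tagged as implemented (Stage 2 above) are counted at no extra cost; and the plan is built greedily by best risk reduction per unit of cost within a budget, rejecting any control that would cost more than the risk it removes. The asset values, probabilities, costs and mitigation factors are constructed, and the item references other than 6.1.3 and 6.1.5 are assumed labels (10.5.1 and 11.7.1 are taken from the 2005 edition's Annex A numbering); the two unnumbered entries are hypothetical extra purchases, included to show controls that do not pay for themselves.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # monetary value, in whatever currency the business uses


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset it damages
    probability: float      # annual likelihood of occurrence, 0..1
    damage_fraction: float  # share of the asset value lost when it occurs


@dataclass
class Countermeasure:
    ref: str                # ISO 27001 item number for library controls, a label otherwise
    cost: float             # one-off implementation cost
    mitigates: dict         # threat name -> fraction of that threat's risk removed
    implemented: bool = False  # Stage 2 "Already Implemented" tag: in place, no extra cost


def annual_loss_expectancy(threats, assets):
    """Baseline risk per threat: probability x damage fraction x asset value."""
    return {t.name: t.probability * t.damage_fraction * assets[t.asset].value for t in threats}


def residual_risk(baseline, selected):
    """Total risk left once the selected countermeasures apply. Several mitigations of the
    same threat compound multiplicatively (an assumption made here, not PTA's own rule)."""
    risk = dict(baseline)
    for cm in selected:
        for threat, m in cm.mitigates.items():
            if threat in risk:
                risk[threat] *= 1.0 - m
    return sum(risk.values())


def optimize(assets, threats, countermeasures, budget):
    """Greedy plan: start from controls already in place, then repeatedly add the affordable
    control with the best risk reduction per unit of cost, as long as it removes more risk
    than it costs. Returns the controls in the order chosen and the residual risk."""
    baseline = annual_loss_expectancy(threats, assets)
    chosen = [cm for cm in countermeasures if cm.implemented]
    pool = [cm for cm in countermeasures if not cm.implemented]
    remaining = budget
    while pool:
        current = residual_risk(baseline, chosen)
        best, best_ratio = None, 0.0
        for cm in pool:
            if cm.cost > remaining:
                continue  # over budget
            reduction = current - residual_risk(baseline, chosen + [cm])
            if reduction > cm.cost and reduction / cm.cost > best_ratio:
                best, best_ratio = cm, reduction / cm.cost
        if best is None:
            break  # nothing left that is both affordable and worth its cost
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost
    return chosen, residual_risk(baseline, chosen)


def sample_model():
    """Constructed figures for a small business; none come from the article or the standard."""
    assets = {a.name: a for a in [Asset("customer database", 500_000), Asset("web server", 100_000)]}
    threats = [
        Threat("insider data theft", "customer database", 0.2, 0.5),  # baseline 50,000
        Threat("ransomware", "web server", 0.3, 1.0),                  # baseline 30,000
        Threat("lost laptop", "customer database", 0.1, 0.2),          # baseline 10,000
    ]
    countermeasures = [
        Countermeasure("6.1.3", 0, {"insider data theft": 0.1}, implemented=True),
        Countermeasure("6.1.5", 2_000, {"insider data theft": 0.3}),
        Countermeasure("10.5.1", 5_000, {"ransomware": 0.8}),
        Countermeasure("11.7.1", 4_000, {"lost laptop": 0.9}),
        Countermeasure("hypothetical DLP suite", 60_000, {"insider data theft": 0.6}),
        Countermeasure("hypothetical extra firewall rules", 8_000, {"ransomware": 0.2}),
    ]
    return assets, threats, countermeasures


def sample_plan(budget=50_000):
    """Run the optimization on the sample model: (refs in order, residual risk, total spend)."""
    assets, threats, cms = sample_model()
    chosen, residual = optimize(assets, threats, cms, budget)
    return [cm.ref for cm in chosen], residual, sum(cm.cost for cm in chosen)


if __name__ == "__main__":
    refs, residual, spend = sample_plan()
    print("order of implementation:", refs)
    print(f"residual annual risk: {residual:,.0f}   spend: {spend:,.0f}")
```

With a 50,000 budget the plan is 6.1.3 (already in place), then 6.1.5, 10.5.1 and 11.7.1, for a spend of 11,000 that brings the 90,000 baseline down to 38,500. The DLP suite is never affordable, and the extra firewall rules are rejected because once backups are in place the remaining ransomware risk they would remove is smaller than their cost, which is the article's point that adding controls does not by itself reduce risk. Lowering the budget to 3,000 leaves only 6.1.5, showing how the same model yields a plan consistent with a smaller budget.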