Publication:
RA Whiz - risk assessment automation for an information security management system

dc.contributor.author: Nor Aza Ramli (en_US)
dc.date.accessioned: 2024-10-08T07:41:22Z
dc.date.available: 2024-10-08T07:41:22Z
dc.date.issued: 2016
dc.description.abstract: Information is a business asset that needs to be accessed and processed for it to bring value to the business. The use of technologies in handling information introduces information security risks that are inherited from flaws and weaknesses in the implementation of these technologies. Information security risks could be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for information security management system (ISMS). It is published in a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard introduces a risk-based approach in managing information security. A risk assessment exercise for an ISMS implementation requires human expertise with comprehensive understanding and considerable knowledge in information security. Risk assessment exercise is based on three steps: identification, analysis and evaluation. There are available tools which cater for the automation of the analysis and evaluation steps. However, there is still a lack of automation in an overall information security risk area. This could be due to the fact that the analysis and evaluation phases are based on risk assessment approach whereas the identification phase requires specific knowledge in information security risks. This work aims to automate the risk identification process by studying key parameters in risk assessment and develop relationship models of these parameters. Scopes undertaken by ISMS certified organizations in Malaysia will be analyzed to determine a significant scope for this study. Key parameters for risk assessment will be identified and relationship models will be developed for these parameters. The key parameters are assets with explicit grouping and definitions, corresponding threats and vulnerabilities. Asset relationship model presents a link between three types of assets. This model demonstrates the idea of information container, primary assets and supporting assets which need to be understood by organizations to enable efficient risk assessment. Information is a primary asset with supporting assets such as infrastructure and system. Threats relationship model presents a link between the types of threats. It demonstrates how a data security threat could become a result of inherited risk from threats on infrastructure and system. Vulnerabilities relationship model presents the relationship between specific threat and common vulnerabilities. The relationship models are implemented using Protégé, an ontology editor. The risk assessment ontology becomes the knowledge base of RA Whiz, a risk assessment advisory system. RA Whiz produces results for risk assessment on a secure data centre, which is a scope identified earlier in this study. Validation of the results is sought from information security professionals with ISMS working experience to gauge the reliability of the results produced by RA Whiz. (en_US)
dc.description.callnumber: t TK 5105.59 N822R 2016 (en_US)
dc.description.degreelevel: Master
dc.description.identifier: Thesis : RA Whiz - risk assessment automation for an information security management system / by Nor Aza Ramli (en_US)
dc.description.identity: t11100345431NorAzaRamli (en_US)
dc.description.kulliyah: Kulliyyah of Information and Communication Technology (en_US)
dc.description.notes: Thesis (MCS)--International Islamic University Malaysia, 2016. (en_US)
dc.description.physicaldescription: xiv, 114 leaves : ill. ; 30cm. (en_US)
dc.description.programme: Master of Computer Science (en_US)
dc.identifier.uri: https://studentrepo.iium.edu.my/handle/123456789/9501
dc.identifier.url: https://lib.iium.edu.my/mom/services/mom/document/getFile/Nh3l7myQzAnoCmUhs50AucsIbdahlpZE20161005110926313
dc.language.iso: en (en_US)
dc.publisher: Kuala Lumpur : International Islamic University Malaysia, 2016 (en_US)
dc.rights: Copyright International Islamic University Malaysia
dc.subject.lcsh: Computer networks -- Security measures (en_US)
dc.subject.lcsh: Information technology -- Security measures (en_US)
dc.title: RA Whiz - risk assessment automation for an information security management system (en_US)
dc.type: Master Thesis (en_US)
dspace.entity.type: Publication

Files

Original bundle

Name: t11100345431NorAzaRamli_SEC_24.pdf
Size: 203.83 KB
Format: Adobe Portable Document Format
Description: 24 pages file

Name: t11100345431NorAzaRamli_SEC.pdf
Size: 8.57 MB
Format: Adobe Portable Document Format
Description: Full text secured file
