Back to M2.2.1 - P1 - INFORMATION SECURITY RISK IDENTIFICATION
There is a lot of information available on how to perform information security risk assessments; this implementation guidance therefore only provides an overview of the most important concepts. Entities should take into account the relevant NESA issuances and guidance on risk management when performing a risk assessment.
LEVEL OF DETAIL OF THE INFORMATION SECURITY RISK ASSESSMENT
Some entities might find it difficult or time consuming to conduct a detailed risk assessment. The choice of a suitable risk management approach should be taken when drafting the Information Security Risk Management Policy (refer to M2.1.1), and the implementation guidance there explains the considerations the entity should take into account when deciding on a suitable way of doing information security risk management. The entity should document these results and should be able to provide reasons for the decision taken.
An entity will only be considered compliant with the requirements of this Standard if it applies a suitable information security risk management policy.
ASSET IDENTIFICATION
The assets to be considered in the information security risk assessment are all information assets, which include:
A. INFORMATION: Databases, files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, etc.
B. SOFTWARE ASSETS: Application software, system software, development tools, and utilities
C. PHYSICAL ASSETS: Computer equipment, communications equipment, removable media
D. OTHER EQUIPMENT
E. SERVICES: Computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning
F. PEOPLE, and their qualifications, skills, and experience
G. INTANGIBLES, such as reputation and image of the entity
The identified assets are summarized in the Asset Inventory (refer to T1.2.1).
It might be useful to summarize assets in suitable groups (e.g. all PCs in a call center that process the same type of information), but care should be taken to only group “like with like” when doing so. It is also helpful to take account of business processes, as they often help to understand the information flow and how assets are used in the entity.
IDENTIFICATION OF THREATS
Threats do not depend much on the entity and its business; they are simply out there trying to succeed. When identifying threats, it can be helpful to use threat lists (e.g. those provided in this Standard, or in other standards such as ISO/IEC 27005), to look into incident reports (incidents are always related to threats that have been successful) and audit reports, and to keep an open mind to the latest developments, as new threats will continue to emerge. It is also important not only to look at threats from the outside, such as hackers or malware, but also to consider inside threats. A disgruntled employee with legitimately granted access rights can often do more damage than an outsider.
IDENTIFICATION OF VULNERABILITIES
The identification of vulnerabilities should be based on an assessment of the existing controls. To do so, it is recommended to conduct a gap analysis, which checks the controls in place against this Standard. The results of the gap analysis form an input to the identification of vulnerabilities as well as to the assessment of the risk likelihood (see also M2.2.2 below). Any control that has been identified as missing, not completely in place, not fully documented or not complied with identifies at least one (if not more) vulnerabilities, which might be exploited by the identified threats.
PLEASE NOTE: The identification of threats and vulnerabilities takes place for each identified asset, so this easily produces a large amount of information. To keep the amount of information manageable, it is recommended to:
- Identify threats and vulnerabilities with the existing controls in mind
- Identify only threat/vulnerability pairs where the threat will actually exploit the vulnerability
See also T7.7 on Technical Vulnerability Management.
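The following is an added worked example, not part of the Standard or of any NESA issuance, showing how the gap analysis feeds vulnerability identification and how threat/vulnerability pairs are then produced per asset while applying the two recommendations above. All asset names, control identifiers, threats and vulnerabilities are constructed sample data, not values taken from the Standard; the control status labels follow the wording in the guidance (missing, partial, undocumented, not complied with).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample data (hypothetical): identifiers and names are illustrative only.

@dataclass(frozen=True)
class Asset:
    name: str
    category: str  # one of the asset categories listed in the guidance, e.g. "INFORMATION"

@dataclass(frozen=True)
class ControlGap:
    control_id: str                 # hypothetical control reference from the gap analysis
    status: str                     # "in place" | "missing" | "partial" | "undocumented" | "not complied with"
    vulnerabilities: Tuple[str, ...]  # vulnerabilities exposed when this control is not fully effective

@dataclass(frozen=True)
class Threat:
    name: str
    origin: str                     # "outside" or "inside" (the guidance asks for both)
    exploits: FrozenSet[str]        # vulnerabilities this threat can actually exploit
    applies_to: FrozenSet[str]      # asset categories the threat is relevant to

# Only a control that is fully in place is treated as effective.
EFFECTIVE = {"in place"}

ASSETS = [
    Asset("customer database", "INFORMATION"),
    Asset("ERP application", "SOFTWARE ASSETS"),
    Asset("call-center PCs", "PHYSICAL ASSETS"),   # grouped "like with like"
]

GAPS = [
    ControlGap("CTRL-BACKUP", "in place", ("no tested backups",)),
    ControlGap("CTRL-ACCESS-REVOCATION", "partial", ("weak access revocation",)),
    ControlGap("CTRL-PATCHING", "missing", ("unpatched systems",)),
]

THREATS = [
    Threat("malware", "outside", frozenset({"unpatched systems", "no tested backups"}),
           frozenset({"SOFTWARE ASSETS", "PHYSICAL ASSETS"})),
    Threat("disgruntled employee", "inside", frozenset({"weak access revocation"}),
           frozenset({"INFORMATION", "SOFTWARE ASSETS"})),
    Threat("flood", "outside", frozenset({"no tested backups"}),
           frozenset({"PHYSICAL ASSETS"})),
]

def vulnerabilities_from_gap_analysis(gaps: List[ControlGap]) -> set:
    """Every control not fully in place yields at least one vulnerability;
    controls that are in place are the 'existing controls' kept in mind."""
    vulns = set()
    for gap in gaps:
        if gap.status not in EFFECTIVE:
            vulns.update(gap.vulnerabilities)
    return vulns

def unfiltered_pair_count(assets, threats, gaps) -> int:
    """Size of the naive asset x threat x vulnerability cross product,
    i.e. the 'lot of information' the guidance warns about."""
    all_vulns = {v for g in gaps for v in g.vulnerabilities}
    return len(assets) * len(threats) * len(all_vulns)

def identify_risk_pairs(assets, threats, gaps) -> Dict[str, List[Tuple[str, str]]]:
    """Return {asset name: [(threat, vulnerability), ...]} keeping only pairs
    where the threat applies to the asset type and actually exploits a
    vulnerability left open by the gap analysis."""
    open_vulns = vulnerabilities_from_gap_analysis(gaps)
    register: Dict[str, List[Tuple[str, str]]] = {}
    for asset in assets:
        pairs: List[Tuple[str, str]] = []
        for threat in threats:
            if asset.category not in threat.applies_to:
                continue
            for vuln in sorted(threat.exploits & open_vulns):
                pairs.append((threat.name, vuln))
        register[asset.name] = pairs
    return register

if __name__ == "__main__":
    register = identify_risk_pairs(ASSETS, THREATS, GAPS)
    print("naive candidate pairs:", unfiltered_pair_count(ASSETS, THREATS, GAPS))
    print("retained pairs:", sum(len(p) for p in register.values()))
    for asset_name, pairs in register.items():
        print(asset_name, "->", pairs)
```

With this sample data the naive cross product has 27 candidate entries, while only 4 threat/vulnerability pairs survive: the backup control is in place, so the flood threat produces no pair for the PCs, and malware is not paired with the customer database because the threat is not relevant to that asset category. Each retained pair is then a candidate entry for the risk likelihood assessment under M2.2.2.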
UAE Information Assurance Standard Chapter 05 Security Controls