Amethyst Information Risk Framework
The Amethyst Information Risk Framework® (AIRF), is an information risk management methodology designed to fully conform to ISO/IEC 27005:2011. It has been designed and developed by the Amethyst Risk Management Ltd team of GCHQ (NCSC) certified practitioners.
The AIRF methodology captures many years of practical information security risk management experience in the public and private sectors; which have produced a risk assessment methodology that is ideally suited to the management of information and cyber security risks.
Some of the key characteristics of the method are:
It is knowledge based. It involves capture and re-use of the information and cyber security advice that our leading practitioners have been providing across industry
It is narrative based. Customer risk reports are written in plain English and any cyber-security jargon is de-mystified
It is evidence based. It uses known facts, including extensive data published in the current 2015 edition of the Information Security Breaches Survey to back-up our current assessments of cyber-risks and threats (http://www.pwc.co.uk/audit-assurance/publications/2015-information-security-breaches-survey.jhtml)
It demonstrates the business case for control selection; balancing costs and benefits
It is extensive and flexible. It uses a set of either industry standard or project specific risk models to align controls to risks
The baseline risk and control set is derived from the Critical Security Controls framework (V5.0), published by the US Council of CyberSecurity, as referenced by the website of the UK Centre for Protection of the National Infrastructure (CPNI) (http://www.cpni.gov.uk/advice/cyber/critical-controls/). This framework incorporates the top 23 known forms of cyber-attack, and the 20 most critical and scalable cyber-security controls that need to be applied to manage the risks associated with those forms of attack
It supports per application calibration of risk, thus implementing the best practice approach to information risk management (proportional-appropriate-cost effective) by providing a flexible scale on which to measure risks, information asset values, threat, vulnerability and likelihood, all of which can be tuned to local risk appetites.
Figure 1 – AIRF Editor
Within the AIRF methodology, risks are modelled and assessed according to their four component properties (asset impact, likelihood, threat and vulnerability) in four dimensions. The overall risk level is derived as a combination of those factors.
Figure 2 illustrates this by showing each component on the left hand, as a vector (force-arrow) super-imposed upon a tesseract projection, which is the simplest 4D construct, the 4D equivalent of a cube. Computation of risk uses the classic Euclidian geometric formula to compute the information security risk level, the magnitude of that vector (shown on the right hand side), is the square root of the sum of the squares of the components.
To facilitate this, each risk component is mapped to a scale comprising five levels which can be presented as both a numeric value between one and five and also a qualitative indicator scale (e.g. very low, low, medium, high or very high). Each deployment of the method includes calibration and alignment of the component levels onto real-world, measurable criteria.
Once all four components have been determined, the risk can be computed and is then rescaled to:
A one to five value comparable to the component values
A more granular score between one and20, used for ranking and prioritisation purposes (the higher the score, the higher it appears on any prioritised risk list)
A qualitative scale (very low, low, medium, high or very high), on “heat maps” this may also have equivalent colour coding (e.g. dark green, green, yellow, amber, red).
Figure 2 – Modelling Information Security Risks in 4-Dimensions
Assessing the risks is only the first part of the process: those risks are then managed by application of effective controls including appropriate levels of assurance. The overall AIRF information risk management process is illustrated in Figure 3.
Figure 3 – The AIRF Information Risk Management Process
The AIRF method predicates a sound footing for information security management that should exist is across the entire enterprise. This means that an Information Security Management System (ISMS) should exist. The ISMS should comply with ISO/IEC 27001:2013, and its scope of should encompass the entire information-processing environment for the project or system under consideration and defined by an appropriate Statement of Applicability (SOA). A process of gap analysis and assurance must also be applied that includes external audit to the standard, preferably based upon formalised and ongoing certification. IT Health Checks (ITHC) and Remedial Action Plans (RAP) are also incorporated in the AIRF process.
In addition, and following on from the risk assessment process, AIRF identifies further scalable information risk management controls that are applied to manage specific risks to the project or system under consideration, as follows:
Project or system specific risk and control knowledge bases are derived from the current edition of the master “root” knowledge bases. These knowledge bases are tailored to the project or system, and individual risk assessments are undertaken, including evaluation of: asset values; threats; vulnerabilities; likelihood; and resultant risk scores and levels. This generates a prioritised risk list for informing control option selections
According to the identified levels of risk, the applicable control options are applied. Given that the environment is within the scope of the ISMS, credit is provided that certain control baselines are effective at managing a certain degree of risk (medium or below, in this case). The controls are tailored and used to update the ISMS
A further gap analysis is undertaken, with explicit reference to cyber-security controls to be applied, and these are then fed through to the RAP.
This is not a one-off exercise; it is conducted in accordance with the continuous ‘Plan>Do>Check>Act’ cycle and is therefore subject to continuous review and improvement.
AIRF output is typically presented in an Information Risk Management Plan (IRMP).
For further information contact firstname.lastname@example.org