Abstract: The invention discloses a method of assessing risk on an information asset of an organization and optimizing selection of controls for securing such information asset. The method includes identifying risk parameters and generating a Risk Scenario based on Threats and Vulnerabilities of such information asset, characterizing and measuring such risk parameters based on user inputs, evaluating Nature of Risk based on the organization's conditions and calculating Measure of Risk (MOR), and selecting optimized controls based on a Risk Treatment Plan (RTP) for managing such risk parameters. FIG.1
A METHOD OF OPTIMIZING ASSET RISK CONTROLS
FIELD OF THE INVENTION
The present invention generally relates to the field of information security. In particular, the invention relates to asset risk controls optimization scheme implemented over information security.
BACKGROUND OF THE INVENTION
Organizations are becoming increasingly dependent on inter-networked information technology systems for the implementation of their daily business processes. A direct outcome of this trend has been an increase in the number and type of security Threats and attacks on organizations' networks. The possibility that a given security Threat can exploit a weakness or absence of protection, known as Vulnerability, in an Asset, i.e. an organizational entity with a defined value, is represented by a suitably measured entity called Risk. Risk can lead to a variety of negative outcomes, both measurable, such as financial loss, and intangible, for example, loss of customer confidence, lost business opportunity, etc.
Risk assessment is the process of identifying the Threats and Vulnerabilities that exist within a defined domain, called the Scope, and measuring the impending Risk. Best security practices mandate that a Risk assessment be conducted prior to the process of treating the Risks. This process of treating Risk is called Risk Mitigation. Risk Mitigation therefore aims at selecting and implementing risk treatment solutions called Controls.
A universal guideline towards managing information security Risk is provided by a variety of international standards and directives such as the International Organization for Standardization (ISO) 27001, Health Insurance Portability and Accountability Act (HIPAA) - USA, Payment Card Industry Data Security Standards (PCI), Federal Information Security Management Act (FISMA), Information Technology Act Amendment (ITAA) 2008, Gramm Leach Bliley Act (GLBA), Data Protection Act - UK, etc.
Organizations seek to demonstrate the competence and trustworthiness of their information system networks and the data they store, process or transmit by achieving compliance with one or more of the above standards as applicable to their respective industry sectors. Security compliance provides a host of benefits to an organization such as (i) customer confidence (ii) new business avenues (iii) growth of reputation, etc.
Each of the afore-mentioned compliance standards and directives seeks to indicate that the certified organization has identified its information security risks within a given scope and has taken reasonable measures of security implementation by selecting and implementing relevant controls to mitigate or manage them. Hence, compliance with all the aforementioned standards and directives commences with the foundational process of identifying and evaluating the existing risks within the organization, i.e. Risk Assessment.
However, an increased emphasis on compliance has led to the negative outcome of a controls focused approach to information security management in organizations. A controls focused approach emphasizes implementing controls for a given set of risks, without a formal evaluation of their applicability to the organization's unique environment.
The primary drawback of this approach to compliance and risk management is that the controls are selected and implemented mainly based on the subjective judgment and knowledge of the implementer. Without a formal risk assessment process in place that identifies, evaluates and measures risks, it is not possible to effectively select and implement controls.
Associated with this primary drawback are secondary outcomes in which organizations implement controls towards compliance without
a. identifying what information asset(s) they are protecting with a given control
b. appreciating whether or not a given control is applicable to their industry sector or their organization.
c. appreciating whether or not a given control is appropriate to a particular asset.
In some cases controls are applied in excess of their actual requirement. This results in unnecessary cost, whereas in others, the controls do not meet the expected risk treatment performance.
Therefore there exists a need to provide a method to identify and implement the most relevant controls for a given combination of asset, threat, and vulnerability, which overcomes the drawbacks of a controls focused approach to compliance and risk management.
SUMMARY OF THE INVENTION
The main object of the present invention is to provide a method of identifying and implementing the most relevant controls for a given combination of asset, threat, and vulnerability.
Another object of the present invention is to provide a method of identifying and implementing an effective system for information security management and overall regulatory compliance within an organization.
Another object of the present invention is to provide a method of identifying and implementing a risk centric approach to information security management and regulatory compliance.
In order to achieve the above mentioned objects the present invention discloses a method of assessing risk on an information asset of an organization and optimizing selection of controls for securing such information asset. The method includes identifying risk parameters associated with such information transaction and generating a Risk Scenario based on Threats and Vulnerabilities of such information asset, characterizing and measuring such risk parameters based on user inputs, evaluating Nature of Risk based on the organization's conditions and calculating Measure of Risk (MOR), and selecting an optimized number of controls of appropriate nature based on a Risk Treatment Plan (RTP) for managing such risk parameters in order to mitigate risk on said information asset of the organization.
In an embodiment, the method of assessing risk on an information asset includes considering the Risk Scenario and propounding the assets, Threats, Vulnerabilities and selecting optimized controls from these.
In another embodiment, identifying risk parameters further includes identifying Geography (G), Nature of Business (NB), Compliance Standard (Cs) of the organization, Scope (S) of the information asset, Threats associated with the information asset and Vulnerabilities of the information asset.
In another embodiment, characterizing and measuring such risk parameters further includes characterizing the Scope of the information asset based on geographical region of business operation, nature of the organization's primary business function, purpose of the scoped environment, size of the workforce and domain expertise of the workforce, characterizing the information asset based on type, function, confidentiality, integrity, and availability, characterizing the threats associated with the information asset based on access channel, actor, motive, and potential outcome and measuring Likelihood of Threat (LHOT), and characterizing the vulnerabilities of the information asset based on technical vulnerabilities, process vulnerabilities and measuring Level of Vulnerability (LOV).
In another embodiment, selecting an optimized number of controls further includes profiling the Risk by formulating the Risk Treatment Plan (RTP) based on the Nature of Risk and Measure of Risk (MOR) parameters, optimizing such Risk Treatment Plan (RTP) to the organization's conditions, selecting an optimized number of controls of appropriate nature to manage such risk, and implementing such controls to the appropriate level. Further, profiling the Risk by formulating the Risk Treatment Plan (RTP) includes selecting at least one action plan from the group of treating, accepting, transferring, and avoiding the Risk.
It is to be understood that both the foregoing general description and the following detailed description of the present embodiments of the invention are intended to provide an overview or framework for understanding the nature and character of the invention as it is claimed. The accompanying drawings are included to provide a further understanding of the invention and are incorporated into and constitute a part of this specification. The drawings illustrate various embodiments of the invention and together with the description serve to explain the principles and operation of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The above-mentioned and other features and other advantages of the invention will be better understood and will become more apparent by referring to the exemplary embodiments of the invention, as illustrated in the accompanying drawings, wherein
FIG. 1 is a flow diagram illustrating a method of optimizing asset risk controls for managing information assets of an organization according to one embodiment of the present invention;
FIG. 2a schematically illustrates a method of optimization of controls selection according to one embodiment of the present invention;
FIG. 2b schematically illustrates a method of optimization of controls implementations according to one embodiment of the present invention;
FIG. 3 is a flow diagram illustrating method steps of identification of risk parameters according to one embodiment of the present invention;
FIG. 4 is a flow diagram illustrating method steps of characterization and measurement of risk parameters according to one embodiment of the present invention;
FIG. 5 is a flow diagram illustrating method steps of optimization of controls for risk management according to one embodiment of the present invention; and
FIG. 6 is a flow diagram illustrating a method of compliance to standards according to one embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
Reference will now be made to the exemplary embodiments of the invention, as illustrated in the accompanying drawings. Wherever possible, the same numerals will be used to refer to the same or like parts.
Disclosed herein is a method of optimizing asset risk controls for managing information assets of an organization according to one embodiment of the present invention. FIG. 1 is a flow diagram illustrating such a method of optimizing asset risk controls for managing information assets of an organization according to one embodiment of the present invention. The method primarily includes the following method steps:
(i) Fetching details about the nature of the business and the scope, including the technological components of scope and generating a standardized set of assets and risk scenarios pertaining to the scope (shown at step 102). Risk scenarios detail a particular threat vector that can exploit vulnerability in the asset to cause a negative impact.
(ii) Seeking user inputs to measure/quantify the dimensions of the risk scenarios. These dimensions include asset value, details about the threat such as threat likelihood, threat outcome, level of vulnerability, etc. Measure the risks applicable to the assets using a suitable risk measurement formula that takes into account the aforementioned risk parameters, namely Scope, Asset Value, Likelihood of Threat and Level of Vulnerability (shown at step 104).
(iii) Evaluating nature of risks and measure of risks (MOR) from such risk parameters (shown at step 106).
(iv) Optimizing controls for the risks in terms of the nature of the controls selected and implemented to the appropriate level (shown at step 108).
Now the method of optimization of controls is described in detail with reference to FIG. 2a and 2b. The level of control implementation is a cost determinant to the overall risk treatment exercise. Controls such as access control system, a firewall configuration and so forth require two types of financial investment, namely, the initial purchase cost, and the subsequent operational costs for their integration into the existing infrastructure, training personnel to operate them, performance monitoring, and for any maintenance issues they might encounter. Hence, there is a key need for the optimization of controls both in terms of their selection and implementation. The asset risk control optimization method seeks to meet this need.
Optimization of Controls Selection:
Risk is measured as a function of the fundamental entities, namely Scope, Asset Value, Likelihood of Threat and Level of Vulnerability (explained with reference to FIG. 2a). Depending on this characterization of the risk, the Nature of Risk is arrived upon (shown at step 202) and is considered towards selecting and proposing the most optimized controls for its mitigation (shown at step 204).
Optimization of Controls Implementation:
Optimization of the controls implementation process (shown as 208 in FIG. 2b) is achieved in the present method based on the Measure of Risk and the Nature of Risk (at step 206).
The primary objective of the asset risk control optimization method is to measure and characterize risk in terms of primary and secondary entities and use this information to identify the nature, quantity and magnitude of the most relevant controls for risk mitigation.
The primary entities are
(i) Scope
(ii) Asset Value,
(iii) Threat Probability or Likelihood of Threat
(iv) Magnitude of Vulnerability
(v) Existing Controls (if applicable)
The secondary entities are
(i) the nature of the organizational business, and characteristics of Scope
(ii) the type of the Assets
(iii) the Asset Value
(iv) the Asset Ownership
(v) the nature of the Threat,
(vi) the mode of manifestation of the Threat
(vii) the magnitude of the Threat
(viii) the magnitude of the Vulnerability
Based on this information, the present method deduces
(i) the nature of the controls that will mitigate the risk
(ii) the number of controls that are to be implemented for the risk and
(iii) the optimum level to which the control is required to be implemented
Phase I:
Identification (shown at 302):
The primary variables that contribute towards control optimization are identified in the Identification phase, which is explained with reference to FIG. 3. These variables are captured based on user responses to pre-defined questions put across to them.
Geography:
The physical geography within which the scope is contained is identified. Compliance regulations, business practices and requirements, legal regulations, etc. depend on the physical location of the scope and are typified by the Geography variable, 'G'. Geography is also used to comprehend the risk landscape of the scope. For example, regions with high seismic activity are more prone to threats from earthquakes.
Nature of Business:
The nature of the business helps in optimizing controls selection. For example, a manufacturer of spectacle lenses will have a security risk landscape that is highly different from that faced by a call centre providing offshore services to technology clients. The nature of controls selected will vary with the risk landscape, and therefore is dependent on the nature of the business.
The nature of the business is also crucial to optimizing the level of control implementation. For example, an online vendor of books might not require the level of protection required by a government organization that manufactures military equipment. Nature of business is represented by variable, NB.
Compliance Standard:
The standard with which the organization seeks to achieve compliance is a key determinant of the controls to be selected and implemented for risk treatment. The details of the compliance standard and its mandates are captured by the Compliance Standard variable, 'Cs'.
Scope:
The scope, 'S' is the finite domain within which the assets that are subject to risks are contained.
Scope may be
(i) A physical entity such as a building, a floor within a building, a room, etc.
(ii) Technological Infrastructure such as an IT data center, server farm, etc.
(iii) An abstract entity such as a business process (eg. online transfer of employee salary), business unit (eg. financial department, marketing division), etc. The method of scope identification is explained with reference to step 304.
Generation of Optimized Assets and Risk Scenario, Rscenario:
A Risk Scenario is a condition that describes the exploitation of vulnerability in an asset by a given threat and the impact that it thus generates. The method refers to the information collected from the user thus far, pertaining to the Geography, the Nature of the Business, the Compliance Standard and the nature of the Scope to generate a set of standardized assets and risk scenarios that they face (explained with reference to 306, 308, and 310 respectively).
Risk Scenarios are constituted of the Asset, Threat and the Vulnerability.
Rscenario = f (Asset, Threat, Vulnerability)
Hence, the generation of optimized Assets and Risk Scenarios is done by fetching and typifying the Assets, Threats and Vulnerabilities.
Assets:
An asset can be
(i) a virtual entity such as business information or business processes.
(ii) a physical entity. This includes
a) technological entities such as laptops, servers, network devices (firewalls, routers, switches, etc.)
b) personnel/employees/staff members who operate on the aforementioned components, namely business processes and technology
Threats:
Potential threats that could affect the assets are fetched. The mapping need not be one-to-one. One asset can have multiple threats, and one threat can map to more than one asset.
Vulnerabilities:
Weaknesses in the assets that could facilitate exploitation by a threat are fetched.
End of identification Phase:
At the end of the Identification phase, the following variables are available.
Asset Type, AT
Risk Scenario, Rscenario
Phase II:
Measurement (shown at 402):
The actual typification of the primary entities is conducted in the Measurement phase, which is explained with reference to FIG. 4. Each of the primary entities from the Identification phase is characterized in terms of its defining characteristics which constitute the secondary entities.
Scope Characterization:
Some of the factors that contribute to scope characterization are
* the geographical region of business operation, according to which various compliance laws may be applicable to the scope.
* the nature of the organization's primary business function, according to which the corresponding assets and business processes are prioritized.
* the purpose of the scoped environment, which also determines the priority levels of various assets within the scope.
* size of the workforce,
* domain expertise of the workforce
For example, while an IT data centre and an independent business unit can both be considered valid examples of scope for a risk assessment, their nature and objectives are vastly different from each other. These defining typifications of the scope are noted in this phase.
Asset Characterization:
An asset is defined as an entity contained within the scope, having a finite value to the organization. Assets are characterized primarily on the basis of type. Typical examples of asset type include hardware, software, information, people, processes, organization and site.
Another system of asset classification is based on their function. For example, sensitive information is classified as a primary asset, whereas other assets that store, process or transmit this asset are classified as supporting assets. These can include hardware, software, network devices, people, processes, etc.
Quantitative characterization of the Asset is done by assigning a numerical value to the asset that depends on the criticality of its confidentiality, integrity and availability.
Confidentiality: The condition that the information asset is revealed or accessible only to authorized entities.
Integrity: The condition that the data presented in the information asset is true, unmodified and completely free of errors or factual aberrations.
Availability: The condition that the asset is available fully and functionally to authorized entities.
To calculate the Asset Value (shown at step 404), each of the above conditions is given a rank based on its criticality for the given asset (for example, Low - 0, Medium - 1, High - 2, Very High - 3, Critical - 4). Asset Value is computed as the highest of these ranks.
Asset Value = MAX (Confidentiality, Integrity, Availability) of the Asset
For example, if Confidentiality (C) = 4, Integrity (I) = 3, Availability (A) = 2, then Asset Value = MAX (C, I, A) = MAX (4, 3, 2), i.e. Asset Value = 4
From the above conditions describing Asset Type and Asset Value, the Asset is defined in terms of two variables, AT and Av.
Asset Type, AT is a qualitative variable as follows:
AT = {Primary, Supporting}
Primary Assets are classified as Information and/or business processes, while Supporting Assets include Hardware, Software, Network, Personnel, Organization and Site.
Hence,
AT={(Information, Business Process), (Hardware, Software, Network, Personnel, Organization, Site)}
Asset Value, Av is a discrete variable as follows:
Av= {0,1,2,3,4}
Threat Characterization
A threat is an entity or event that can instigate an undesirable outcome on an asset. A list of possible threats that can impact an asset is identified. Threats thus identified are characterized in a process called Threat Profiling. The background of the threat vector is defined in terms of its access channel, actor, motive, and the potential outcomes.
For example, consider the threat 'Employee disclosure of sensitive information'. The access channel can be either via a network, or physical communication, the actor is a Human Insider, the motive is most likely to be deliberate, and the outcome is the loss of confidentiality of the sensitive information.
Quantitative characterization of the Threat is done by assigning a numerical value to the probability of its occurrence, denoted by the variable Likelihood of Threat (shown at step 406).
For example, the Likelihood of Threat (LHOT) is ranked on a scale as being High: 2, Medium: 1 or Low: 0.
Likelihood of Threat = High
i.e LHOT = 2
The Threat is characterized in terms of two variables, Threat Type, TT and Likelihood of Threat, LHOT.
Threat Type, TT is a qualitative variable as follows:
TT = f {Access, Actor, Motive, Outcome}
LHOT is a discrete variable as follows:
LHOT = {0,1,2}
Vulnerability Characterization
Vulnerability is a property of an asset that renders it susceptible to some form of exploitation by a threat. For example, the lack of password protection for the business information asset is a vulnerability that renders it prone to the threat of disclosure.
Vulnerabilities are classified in terms of nature as technical vulnerabilities or process vulnerabilities. Technical vulnerabilities are related primarily to hardware such as servers, workstations, firewalls, routers, etc. and software assets. Software technical vulnerabilities are identified by vulnerability scanning tools, while hardware technical vulnerabilities are identified by audits.
Process vulnerabilities relate to people and operational processes within organizations. For example, the password management process may comprise vulnerabilities such as lack of regular change of passwords at user workstations, or sharing of passwords amongst different users, etc. Process vulnerabilities are typically identified by audits.
Vulnerabilities are quantitatively measured by the Level of Vulnerability (shown at step 408), which is rated on a scale as being High - 2, Medium - 1 or Low - 0.
For example, Level of Vulnerability = Medium
i.e LOV = 1
The Vulnerability is characterized in terms of the discrete variable Level of Vulnerability, as follows.
LOV = {0,1,2}
The Level of Vulnerability is a function of the existing controls (CE) and varies inversely with it.
LOV = f(1/CE)
Risk Characterization
Nature of Risk = f (Asset, Threat, Vulnerability)
i.e. Nature of Risk = f {(AT, Av), (TT, LHOT), (LOV)}
Measure of Risk is a Numerical Value derived based on the numerical entities in the above relation.
Measure of Risk, MOR = f {Av, LHOT, LOV}
MOR may be calculated as per ISO 27005 using the relation depicted in Table 1. The MOR may also be calculated by other methods based on organizational standards.
Table 1: Calculation of Measure of Risk as per ISO 27005
Phase III:
Optimization (shown at 502):
The Optimization phase aims at generating an Optimized Risk Treatment Plan (RTP) (shown at 504), selecting the most relevant controls (shown at 506) for a given risk treatment activity and implementing them to the appropriate level (shown at 508). This is explained with reference to FIG. 5.
Generation of Optimized RTP
Based on the various variables identified in the Measurement phase, a series of optimized risk treatment actions is fetched and proposed to manage each risk. This process of formulating a risk treatment plan (RTP) by evaluating the nature and magnitude of the risks is called Profiling and is optimized to the organization's conditions. The Risk Treatment Plan specifies how to manage a risk depending on the Risk Magnitude, also called Measure of Risk, MOR.
There are four different ways to manage a risk in a Risk Treatment Plan.
Treat: The risk is eliminated or minimized by the selection and implementation of suitable controls. The risk scenario is analyzed in terms of its constituent components, ( Rscenario = f (Asset, Threat, Vulnerability)), and is elected for treatment under the following conditions:
Total Cost of Control < Total Cost of Impact of Risk
Accept: The measure of risk is considered insignificant enough to be tolerated as is. The risk scenario is analyzed in terms of its constituent components, (Rscenario = f (Asset, Threat, Vulnerability)), and is elected for acceptance under the following conditions:
Total Cost of Control > Total Cost of Impact of Threat. Eg. Access control system for the employee canteen.
Likelihood of Threat, LHOT is Low AND Impact of Risk is Low.
Eg. Server racks might not require stringent protection from humidity in a desert country with typically low humidity.
Impact of Risk is High AND Likelihood of Threat, LHOT is Low,
Eg. Threat of Earthquake in a region with low seismic activity.
Likelihood of Threat, LHOT is High AND Impact of Risk is Low.
Eg. Employees stealing/misplacing office supplies such as pens or staplers are not monitored by most organizations.
Transfer: The liability for the risk is transferred to another body, such as an insurance organization. The risk scenario is analyzed in terms of its constituent components, (Rscenario = f (Asset, Threat, Vulnerability)), and is elected for transfer under the following conditions:
Cost of Control is high AND Impact is High OR Measure of Risk, MOR is high.
Eg. Expensive server equipment may be insured against fire, theft, earthquakes, etc. depending on the risk appetite and risk landscape of the organization.
Avoid: The risk is avoided by not engaging in the activity that causes it. The risk scenario is analyzed in terms of its constituent components, (Rscenario = f (Asset, Threat, Vulnerability)), and is elected for avoidance under the following conditions:
Impact is High OR Measure of Risk, MOR is high AND Asset Value, Av is low.
Eg. Expensive server equipment may be insured against fire, theft, earthquakes, etc. depending on the risk appetite and risk landscape of the organization.
The control selection and its subsequent optimization process are demonstrated by the following example.
Consider the case of a bank located in San Francisco Bay Area, California, United States. The bank seeks to certify its IT data center located in the same region with Payment Card Industry Data Security Standards. The data center stores, processes and transmits customer transactions including confidential and sensitive data such as cardholder information and sensitive authentication data. The following case is drawn to illustrate the present method.
Geography, G = {(Regulatory requirements applicable to the San Francisco Bay Area - California - USA = PCI, HIPAA, GLBA, FISMA), (Threat Landscape of the San Francisco Bay Area - California - USA = Increased Likelihood of strong earthquakes)}
Nature of Business, NB = f{Banking Sector, (Bank Branching, Online Banking, Mobile Banking)}
Compliance Standard, Cs = {12 Requirements of PCI DSS v2.0}
Scope, S = f{(Physical Entity = Facility hosting the data center), (Technological Entity = Servers, Network Devices [Firewalls, Routers, Switches, Hubs], Laptops), (Abstract Entity = Organizational Division [Network Team, IT Team], Business Processes [Ecommerce Transactions, Mobile Transactions, Branch Transactions], Third Party Organizations [Call Centre, Card Personalization Organization])}
Asset
Based on the above variables, namely, G, Cs, NB, S, optimized generation of Assets by the present method occurs. Cardholder Information is an example primary asset that is identified. As derived earlier,
Asset = {AT, Av}
In the case of cardholder information, C = 4, I = 4, A = 4.
Hence,
Av = MAX(C, I, A) = 4
Hence,
Asset = {Primary, 4}
= {Cardholder Information, 4}
Risk Scenario
Based on the above variables, namely, G, Cs, NB, S, Av, an optimized risk scenario is proposed by the algorithm. The logs containing cardholder information on the database server located in the data center are accessible by the IT Infrastructure team. Cardholder information is stored un-truncated. It can be extracted from there and misused or shared with an unauthorized third party by the IT Infrastructure team members.
The Threat and Vulnerability are identified based on the Risk Scenario and subsequently typified.
Threat
The threat is, "Theft of cardholder data by IT Infrastructure team members from the database server."
The Threat Type, TT is defined accordingly.
TT = f {Access, Actor, Motive, Outcome}
TT = {(Network), (Human Insider), (Deliberate), (Loss of Confidentiality)}
The Likelihood of Threat is quantified based on TT.
LHOT = 2
Vulnerability
The vulnerability to the above risk scenario is that the cardholder number is stored in full, with no truncation.
Existing Controls are taken into account to define the Level of Vulnerability. For the purpose of illustration, the following existing control is assumed to be in place and active within the scope:
Non-Disclosure Agreement has been signed by team members, which prohibits them from accessing or misusing the cardholder information.
Accordingly, the Level of Vulnerability is defined: LOV = 1
Measure of Risk
Measure of Risk, MOR = f {Av, LHOT, LOV}
Av = 2
LHOT = 2
LOV = 1
Referring to Table 1.1,
MOR = 6
Compared to a maximum value of 8, an MOR of 6 is High.
Risk Treatment Plan
Based on the optimized generation of the Risk Treatment Plan, the four risk management options are evaluated, i.e. to treat, accept, transfer or avoid the risk.
Total Cost of Control < Total Cost of Impact of Risk. Also,
Av is high - Risk Avoidance cannot be done. Cost of Control is low - Risk Transfer cannot be done. Also, MOR is high, LHOT is high, Impact is high and Total Cost of Control < Total Cost of Impact.
Hence, Risk Acceptance cannot be done.
Hence, treating the risk is chosen as the optimized approach for this risk scenario. Controls are thus selected and implemented.
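The measurement relations and the four Risk Treatment Plan conditions above, carried through the cardholder data scenario in code. This is an added illustration, not the patent's own implementation: Table 1 is not reproduced on the page, so the MOR lookup is the ISO/IEC 27005 Annex E matrix (asset value 0-4 against threat likelihood and ease of exploitation, scored 0-8) and is an assumption; the "MOR is high", "Av is low" thresholds and the bracketing of the compound Transfer/Avoid conditions are assumptions as well, and the cost figures are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scales used in the Measurement phase
ASSET_SCALE = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3, "Critical": 4}
LEVEL_SCALE = {"Low": 0, "Medium": 1, "High": 2}  # shared by LHOT and LOV

# Assumption: the page does not reproduce Table 1, so this is the ISO/IEC 27005
# Annex E matrix: rows are Av 0..4, columns are LHOT (Low/Medium/High), each
# split by LOV (Low/Medium/High); entries run from 0 to a maximum of 8.
MOR_TABLE = [
    # LHOT:  Low        Medium     High
    # LOV:   L  M  H    L  M  H    L  M  H
    [0, 1, 2, 1, 2, 3, 2, 3, 4],  # Av = 0
    [1, 2, 3, 2, 3, 4, 3, 4, 5],  # Av = 1
    [2, 3, 4, 3, 4, 5, 4, 5, 6],  # Av = 2
    [3, 4, 5, 4, 5, 6, 5, 6, 7],  # Av = 3
    [4, 5, 6, 5, 6, 7, 6, 7, 8],  # Av = 4
]
MOR_MAX = 8
MOR_HIGH_THRESHOLD = 6  # assumption, consistent with the page calling 6 of 8 High
AV_LOW_MAX = 1          # assumption: Av of Low (0) or Medium (1) counts as "Av is low"


def asset_value(c: int, i: int, a: int) -> int:
    """Av = MAX(Confidentiality, Integrity, Availability), each ranked 0..4."""
    for rank in (c, i, a):
        if rank not in range(5):
            raise ValueError(f"CIA rank {rank} outside 0..4")
    return max(c, i, a)


def measure_of_risk(av: int, lhot: int, lov: int) -> int:
    """MOR = f(Av, LHOT, LOV), looked up in MOR_TABLE."""
    if av not in range(5) or lhot not in range(3) or lov not in range(3):
        raise ValueError("Av must be 0..4, LHOT and LOV must be 0..2")
    return MOR_TABLE[av][lhot * 3 + lov]


@dataclass
class RiskProfile:
    """Inputs the RTP conditions refer to, for one Risk Scenario."""
    av: int                  # Asset Value, 0..4
    lhot: int                # Likelihood of Threat, 0..2
    lov: int                 # Level of Vulnerability, 0..2
    impact_high: bool        # "Impact of Risk is High"
    cost_of_control: float   # Total Cost of Control
    cost_of_impact: float    # Total Cost of Impact of Risk
    control_cost_high: bool  # "Cost of Control is high" (qualitative)


def risk_treatment_plan(p: RiskProfile) -> tuple[str, str]:
    """Pick Treat / Accept / Transfer / Avoid in the order the worked example uses.

    Reading of the compound conditions (an assumption, since the page does not
    bracket them): Avoid = (Impact High OR MOR high) AND Av low;
    Transfer = Cost of Control high AND (Impact High OR MOR high).
    """
    mor = measure_of_risk(p.av, p.lhot, p.lov)
    mor_high = mor >= MOR_HIGH_THRESHOLD
    severe = p.impact_high or mor_high
    lhot_low = p.lhot == LEVEL_SCALE["Low"]
    lhot_high = p.lhot == LEVEL_SCALE["High"]

    if severe and p.av <= AV_LOW_MAX:
        return "Avoid", f"MOR {mor}/{MOR_MAX} or impact high, but Av {p.av} is low"
    if p.control_cost_high and severe:
        return "Transfer", "control is costly and the risk is severe; shift liability"
    if p.cost_of_control > p.cost_of_impact:
        return "Accept", "control would cost more than the impact it prevents"
    if lhot_low and not p.impact_high:
        return "Accept", "threat unlikely and impact low"
    if lhot_low and p.impact_high:
        return "Accept", "impact high but threat unlikely"
    if lhot_high and not p.impact_high:
        return "Accept", "threat likely but impact low"
    if p.cost_of_control < p.cost_of_impact:
        return "Treat", f"MOR {mor}/{MOR_MAX}; control cheaper than impact, select controls"
    # Assumption: equal costs give no net benefit from treating
    return "Accept", "control cost equals impact cost; no net benefit from treating"


def cardholder_scenario() -> tuple[str, str]:
    """The bank/PCI DSS scenario above: C=I=A=4, LHOT=2 (High), LOV=1 (Medium).

    Costs are constructed placeholders; only their ordering matters.
    """
    av = asset_value(4, 4, 4)  # = 4
    profile = RiskProfile(av=av, lhot=2, lov=1, impact_high=True,
                          cost_of_control=10_000.0, cost_of_impact=1_000_000.0,
                          control_cost_high=False)
    return risk_treatment_plan(profile)


if __name__ == "__main__":
    action, why = cardholder_scenario()
    print(f"Cardholder data scenario -> {action}: {why}")
```

With Av taken as 4 from the Asset section, the scenario lands at MOR 7 of 8 and resolves to Treat, exactly by the elimination order the worked example follows; swapping in a different Table 1 only requires replacing MOR_TABLE.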
Optimization of Control Selection
In the absence of optimized control selection, one would
(i) select the strongest control, i.e. encrypt the cardholder information, or
(ii) select already existing controls, or
(iii) select all the above controls.
However, an optimized approach to control selection, as deployed in the present method, aims at selecting a combination of those of the aforementioned controls that are most suited to the current scope, asset, threat and vulnerability combination, while the risk is effectively mitigated.
C = f{Nature of Risk} | G, NB, Cs, S
C = f{(AT, Av), (TT, LHOT), (LOV)} | G, NB, Cs, S = [(Information, 4), {(Network), (Human Insider), (Deliberate), (Loss of Confidentiality)}, LHOT = 2, LOV = 1] | G, NB, Cs, S
The Geography variable, G, analyzes the need for storage of the cardholder data in the logs, and recommends their non-storage in the absence of sufficient business, legal or regulatory justification for their retention.
There are two types of payment cards, namely magnetic stripe based cards, which are in use in the USA, and chip and PIN based cards, used in the UK. The risk landscape varies according to these types: risks from fraudulent card skimming are prevalent in the case of magnetic stripe cards. G analyzes the threat landscape of the San Francisco Bay Area and highlights the relevance of these skimming risks by pointing towards the United States region.
'G' also analyzes the threat landscape of the San Francisco Bay Area and recommends the implementation of earthquake proof construction for the physical facility that houses the data centre. This however, does not apply to the risk scenario currently considered.
The Compliance Standard Variable, Cs, analyzes the risk scenario in light of the 12 requirements of the PCI DSS.
1. Requirement 3 of PCI DSS 2.0 instructs that cardholder data storage should be kept to a minimum and mandates protection of stored cardholder data via mechanisms such as encryption, truncation, masking and hashing.
As per Requirement 3, cardholder data storage is minimized. This is implemented within the restrictions of the business requirement identified by the Geography variable.
Also as per Requirement 3, stored cardholder data is encrypted.
2. Requirement 7 of PCI DSS 2.0 prescribes that access to cardholder data should be restricted only to authorized personnel, systems and processes, who are bound by a business need to know condition to gain access to the data.
As per Requirement 7, the logs containing access control rights of IT Infrastructure team members are re-analyzed, and access to cardholder data is confined only to those who have a business need to know justification to access the stored and encrypted data.
From TT = {(Network), (Human Insider), (Deliberate), (Loss of Confidentiality)}, it is clear that the threat vector is manifested only by human insiders via network channels.
Considering Geography, Compliance Standard and TT, the optimized controls selected are
i. Minimized storage of cardholder data as per the business requirements identified by Geography variable.
ii. Encryption of stored cardholder data as identified by the Compliance Standard variable.
iii. Revalidated access control for IT Infrastructure team members based on a business need to know factor as identified by the Compliance Standard variable.
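Control (i), minimized storage of cardholder data, applied to the log records that the risk scenario identifies as holding un-truncated card numbers, as an added Python illustration that is not part of the patent. The log lines are constructed, the card numbers in them are standard payment-industry test numbers, and the truncation rule (keep at most the first six and last four digits, as PCI DSS permits for a masked PAN) is the one the example assumes; the Luhn check is used so that other long numeric fields, such as an order id, are left untouched.

```python
"""Log sanitizer that truncates stored cardholder numbers (added example).

Detects Luhn-valid primary account numbers (PANs) in log lines and replaces
them with a truncated form, so that full PANs are no longer retained in logs.
Log lines and PANs below are constructed test data.
"""
import re
from typing import List, Tuple

# Candidate PANs are contiguous runs of 13 to 19 digits (assumption: the
# application logs PANs without separators, as in the sample lines below).
PAN_RE = re.compile(r"\b\d{13,19}\b")

# Constructed sample log lines; 4111111111111111 and 5555555555554444 are
# well-known Visa/Mastercard test numbers, the order id is not Luhn-valid.
SAMPLE_LOG = [
    "2011-03-17 10:02:11 txn=8801 pan=4111111111111111 amount=120.00 status=OK",
    "2011-03-17 10:02:15 txn=8802 order=1234567890123456 amount=35.50 status=OK",
    "2011-03-17 10:03:40 txn=8803 pan=5555555555554444 amount=9.99 status=DECLINED",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, used to separate real PANs from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in one log line with its truncated form.

    Returns the sanitized line and the number of PANs that were truncated.
    """
    count = 0

    def repl(match: "re.Match[str]") -> str:
        nonlocal count
        candidate = match.group(0)
        if luhn_valid(candidate):
            count += 1
            return truncate_pan(candidate)
        return candidate        # not a PAN: leave the field as logged

    return PAN_RE.sub(repl, line), count


def sanitize_log(lines: List[str]) -> Tuple[List[str], int]:
    """Sanitize a batch of log lines; returns the lines and the total PANs truncated."""
    out: List[str] = []
    total = 0
    for line in lines:
        sanitized, n = sanitize_line(line)
        out.append(sanitized)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, found = sanitize_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{found} PAN(s) truncated")     # 2 PAN(s) truncated
```

The count returned by sanitize_log doubles as a simple check of the vulnerability itself: run over the existing logs before the control is applied, a non-zero count confirms that full card numbers are being retained, and a zero count after the application is changed confirms that the Revised Level of Vulnerability can be lowered.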
Optimization of Control Implementation
The Measure of Risk is a key component towards optimization of control implementation. MOR is calculated as a function of Asset Value, LHOT and LOV.
Measure of Risk = f {Av, LHOT, LOV}
The Level of Control Implementation is optimized based on
• The MOR
• The Nature of Risk
• Scope
• Earlier risk assessment reference
Encryption of cardholder information is one of the controls selected. The level of encryption, e.g. 128 bit or 256 bit encryption, is decided in the Optimization of Control Implementation phase.
The MOR in this case was calculated earlier:
MOR = 6
Compared to a maximum value of 8, an MOR of 6 is High. Hence, control implementation mechanisms should be strong enough to bring the MOR to a Medium or Low level.
Accordingly, the level of control implementation is optimized as follows:
i. Encryption of stored cardholder data using 256 bit encryption is implemented.
ii. Access to cardholder data is reviewed for every member of the IT infrastructure team and restricted as per their business need to know.
Some other examples where control implementation optimization is deployed are
i. How frequently users should change their passwords.
ii. Identifying the facilities in a building that do and do not require physical access control.
Residual Risk
Residual Risk is defined as the risk that is left behind after applying the risk treatment plan. The method defines residual risk by the variable, Revised Measure of Risk, RMOR. Additionally, the present method of optimizing the controls selection may consider and calculate RMOR.
RMOR = f(Asset Value, Revised Likelihood of Threat, Revised Level of Vulnerability)
RMOR = f {Av, RLHOT, RLOV}
Where,
RLHOT is a discrete variable as follows: RLHOT = {0,1,2}
RLOV is a discrete variable as follows: RLOV = {0,1,2}
RMOR, RLHOT and RLOV are analogous to MOR, LHOT and LOV and are derived using the same techniques. The only difference lies in their time of calculation, i.e. before/after applying controls.
End of Optimization Phase: At the end of the Optimization phase, the following variables are available.
Optimized Risk Scenario, Rscenario
Optimized Selection of Controls
Optimized Implementation of Controls
Residual Risk, RMOR
Phase IV: Compliance (shown at 602):
The outcome of the asset risk control optimization method is the managed compliance of the organization with the respective regulatory standard (explained with reference to FIG. 6). By virtue of its property of identifying and evaluating the various risks prevalent within a given scope, risk assessment constitutes the effective foundation of organizations' information security compliance programmes. The process of measuring and evaluating risks enables decision makers to manage the risks more effectively. Owing to the above, a formal risk assessment is mandated by most compliance standards such as PCI, HIPAA, FISMA, FISAP, GLB and so forth (shown at 604).
The present method contributes towards the same by optimizing the selection and implementation of controls to manage risks as per the organization's scope and risk landscape.
The method of optimizing controls selection finds its applicability in the field of risk assessment. By optimizing the selection and implementation process of controls post risk identification and evaluation, the present method leverages the benefits of cost and effort optimization towards the overall risk management process.
With the above defined scope of functionality, the method may be applicable towards risk assessments addressing the following areas. However, its applicability is not limited to only these areas.
1. Risk Assessments mandated by a compliance standard as a requisite for compliance
a. Payment Card Industry Data Security Standards (PCI DSS) Compliance
b. Health Insurance Portability and Accountability Act (HIPAA) Compliance
c. Statement on Standards for Attestation Engagements (SSAE) (previously SAS 70)
d. Sarbanes Oxley (SOX) Compliance
e. ISO 27001
f. Federal Information Security Management Act (FISMA)
g. FISAP
h. Gramm Leach Bliley Act (GLBA), etc.
2. Application Security Risk Assessments
a. Web Application security testing
b. Penetration Testing
c. Vulnerability Assessments
3. Network Security Risk Assessments
a. Network Penetration Testing
b. Vulnerability Scanning
The present method of optimizing asset risk controls effectively forms a bridge between the unique organizational conditions/circumstances and the assets that are being protected by deploying a formal risk assessment process. The present method measures and characterizes the risk in terms of organizational components, namely, Assets, Threats and Vulnerabilities. In this way, the control selection and implementation process is optimized and tailored to the unique organizational circumstances. As a result, only the relevant and appropriate controls are implemented for a given risk. The primary advantages of the present method may be found in:
(i) Only organization-specific controls are implemented
(ii) The level of control implementation is optimized to risk thereby leading to a significant saving of investment and helping organizations meet their regulatory compliance objectives more effectively and efficiently
(iii) There is a well-defined mapping between the
a. Organization's Assets
b. Organization's Threats
c. Asset's Vulnerabilities
d. Organization's unique conditions and circumstances, e.g. geographical phenomena, legal and regulatory landscape, organizational mergers, acquisitions which lead to change in scope, nature of assets, security management practices, change of ownership, etc.
e. Organization's Unique Risk Landscape (Risk = Function of (Asset, Threat, Vulnerability)) and Scope
and the most relevant and effective controls.
Further, the method of optimizing asset risk control may produce certain secondary benefits as follows:
(i) By implementing only the organization-specific controls, in-house domain expertise is utilized more effectively.
(ii) By implementing optimized controls, the compliance timeframe is compressed.
(iii) By mapping controls to their respective assets, there is a greater level of clarity in monitoring and maintaining controls when reviewing them for their effectiveness.
It is to be understood by a person of ordinary skill in the art that various modifications and variations may be made without departing from the scope and spirit of the present invention. Therefore, it is intended that the present invention covers such modifications and variations provided they come within the ambit of the appended claims and their equivalents.
We claim:
1. A method of assessing risk on an information asset of an organization and optimizing selection of controls for securing such information asset comprising:
identifying risk parameters associated with such information transaction and generating a Risk Scenario based on Threats and Vulnerabilities of such information asset;
characterizing and measuring such risk parameters based on user inputs;
evaluating Nature of Risk based on the organization's conditions and calculating Measure of Risk (MOR) therefrom; and
selecting optimized number of controls of appropriate nature based on a Risk Treatment Plan (RTP) for managing such risk parameters in order to mitigate risk on said information asset of the organization.
2. The method of assessing risk on an information asset according to claim 1, further comprising considering the Risk Scenario and propounding the assets, Threats, Vulnerabilities and selecting optimized controls therefrom.
3. The method of assessing risk on an information asset according to claim 1, wherein identifying risk parameters further comprising:
identifying Geography (G), Nature of Business (NB), Compliance Standard (Cs) of the organization, Scope (S) of the information asset, Threats associated with the information asset and Vulnerabilities of the information asset.
4. The method of assessing risk on an information asset according to claim 1, wherein characterizing and measuring such risk parameters further comprising:
characterizing the Scope of the information asset based on at least one selected from geographical region of business operation, nature of the organization's primary business function, purpose of the scoped environment, size of the workforce and domain expertise of the workforce;
characterizing the information asset based on at least one selected from type, function, confidentiality, integrity, and availability;
characterizing the threats associated with the information asset based on at least one selected from access channel, actor, motive, and potential outcome and measuring Likelihood of Threat (LHOT) therefrom; and
characterizing the vulnerabilities of the information asset based on at least one selected from technical vulnerabilities, process vulnerabilities and measuring Level of Vulnerability (LOV) therefrom.
5. The method of assessing risk on an information asset according to claim 1, wherein the selecting optimized number of controls further comprising:
profiling the Risk by formulating the Risk Treatment Plan (RTP) based on the nature and magnitude (MOR) of the risk parameters;
optimizing such Risk Treatment Plan (RTP) to organization's conditions;
selecting optimized number of controls of appropriate nature to manage such risk; and implementing such controls to appropriate level.
6. The method of assessing risk on an information asset according to claim 5, wherein the profiling the Risk by formulating the Risk Treatment Plan (RTP) further comprising selecting at least one action plan from the group of treating, accepting, transferring, and avoiding the Risk.
| # | Name | Date |
|---|---|---|
| 1 | 832-CHE-2011 CORRESPONDENCE OTHERS 17-03-2011.pdf | 2011-03-17 |
| 2 | 832-CHE-2011 FORM-3 17-03-2011.pdf | 2011-03-17 |
| 3 | 832-CHE-2011 FORM-2 17-03-2011.pdf | 2011-03-17 |
| 4 | 832-CHE-2011 FORM-1 17-03-2011.pdf | 2011-03-17 |
| 5 | 832-CHE-2011 DRAWINGS 17-03-2011.pdf | 2011-03-17 |
| 6 | 832-CHE-2011 DESCRIPTION(PROVISIONAL) 17-03-2011.pdf | 2011-03-17 |
| 7 | 832-che-2011 power of attorney 30-03-2011.pdf | 2011-03-30 |
| 8 | 832-che-2011 correspondence others 30-03-2011.pdf | 2011-03-30 |
| 9 | 832-che-2011 form-1 05-04-2011.pdf | 2011-04-05 |
| 10 | 832-che-2011 correspondence others 05-04-2011.pdf | 2011-04-05 |
| 11 | 832-CHE-2011 CLAIMS 14-03-2012.pdf | 2012-03-14 |
| 12 | 832-CHE-2011 ABSTRACT 14-03-2012.pdf | 2012-03-14 |
| 13 | 832-CHE-2011 DRAWINGS 14-03-2012.pdf | 2012-03-14 |
| 14 | 832-CHE-2011 DESCRIPTION(COMPLETE) 14-03-2012.pdf | 2012-03-14 |
| 15 | 832-CHE-2011 FORM-5 14-03-2012.pdf | 2012-03-14 |
| 16 | 832-CHE-2011 FORM-2 14-03-2012.pdf | 2012-03-14 |
| 17 | 832-CHE-2011 CORRESPONDENCE OTHERS 14-03-2012.pdf | 2012-03-14 |
| 18 | abstract832-CHE-2011.jpg | 2012-10-19 |
| 19 | 832-CHE-2011 CORRESPONDENCE OTHERS 16-01-2013.pdf | 2013-01-16 |
| 20 | 832-CHE-2011-FER.pdf | 2019-11-15 |
| 1 | search-24_15-11-2019.pdf | |