So, Where’s My IT-Risk (Or Threat) Library?

Introduction

We need a good information security risk and threat library. Rather than build one from scratch (and most internet searches do not yield meaningful results), we were wondering if MetricStream offers standard content for such a library.

That’s a question we’re frequently asked when we get a Customer up and running with MetricStream’s IT-Risk Management App. It’s an excellent question for sure because Customers, especially in the Governance, Risk, and Compliance space, require preloaded (and expert/industry-grade) content that can get them up and running on day one. The content ask is straightforward when it comes to in-depth content from authority documents (individual citations or sections and sub-sections), control statements, or even policy templates. Citations from an authority document wouldn’t change across Customers and control statements too are uniform especially if you leverage upon a harmonized control framework.

Information security risk content (threats, vulnerabilities, and risks) is, however, in a league of its own – perhaps in the league of extraordinary content. Prima facie, it’s pretty easy to be misled into believing that information security risks applicable for my business are exactly the same as those applicable for your business because, hey, come on, we’re both using information technology right?

In reality though that’s precisely where the differences arise. Information technology in the context of my business’ operating and technology environment are almost always completely different in the context of your business’ operating and technology environment. Here’s an example: Suppose we have two Customers, a Technology Infrastructure Provider and a Healthcare Provider. The Technology Infrastructure Provider is primarily concerned with risks around specific technologies being used (unpatched systems, insecure configurations, root or elevated access, availability and continuity, etc.), environmental factors (fire, flood, etc.) and such whereas the Healthcare Provider is primarily concerned with risks around identity and access management (patient data falling into the wrong hands), data integrity (patient data cannot be tampered with as it moves from system to system), and such.

A standard list of information security risks and threats is therefore not advised since that also allows for context bias to creep in – when we see a list our mental models are bounded by what we see on that list. As a best practice, MetricStream advises the following approach to building an information security risk and threat library:

1. Identify the business stakeholders (publishers and consumers of a business process, business service, or business application). This step gives you a great idea of what exactly you’re trying to protect and why.
2. Brainstorm possible causes (threat agents) and methods (threat factors) that can lead to business process/service/application disruption (vulnerabilities).
3. Compare the outcomes from step 2 against popular threat catalogs. MetricStream advises picking from this list:CSA’s ‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016

• NIST SP 800-30 Rev. 1 Appendix D
• If you have access to the ISO 27005 standards document one of the appendices within this document has a threat catalog.

Once you’ve identified the information security risks and threats that are actually applicable to your business’ operating and technology environment you can leverage upon MetricStream’s content import mechanisms to easily bring this library into the MetricStream IT-Risk Management App for the purpose of risk assessment, risk analysis, and risk treatment.