
Risk Management according to ISO 27005

This tutorial walks through an ISO 27005 based risk assessment in verinice. The main steps are:

  1. Create a new scope
  2. Create a new asset
  3. Create a new process
  4. Create a new vulnerability
  5. Create a new threat
  6. Create a new scenario
  7. Connect scenario and asset
  8. Running the risk calculation
  9. Check risk values
  10. Create a second scenario (shortcut)
  11. Fine tuning the risk analysis
  12. Create a risk assessment report
  13. Risk Treatment
  14. Apply controls

Create a new scope

  1. Create a new scope by clicking the "Add New Organization" icon in the ISM view. It looks like an empty sheet with a yellow star in the top right corner.
  2. Double-click on the scope. Change its name to "My Organization". Set the "Risk Acceptance" levels to "3" for confidentiality, integrity and availability. Save your changes by clicking "File -> Save" or by pressing Ctrl+S.
  3. Scroll down and read through the definitions of the business impact, threat and vulnerability levels. Later you will have to change these to fit your actual organization.

Create a new asset

  1. Expand the scope object. Right-click on the "Asset" category.
  2. Choose "Add New Asset...". Enter "Mail server" as title and change the type of the asset to "Physical". Save by pressing Ctrl+S.

Create a new process

  1. Right-click on "Processes". Choose "Add Process...". Enter "Marketing" as title and set the "Business Impact" to "Confidentiality: Public", "Integrity: Normal", "Availability: High". Save by pressing Ctrl+S.
  2. Link your asset to the process. One way to do this is in the editor view: expand the "Relations to:" section and choose "Asset".
  3. Click "Add...". Select your asset and click "OK". The caption now shows "depends on", meaning that the process "Marketing" depends on a functioning "Mail server" to work. Assets inherit the business impact of the processes that depend on them, so this link is what later gives the mail server its impact values.

Create a new vulnerability

  1. Right-click on the "Vulnerability" category in the ISM view. Choose "Add Vulnerability...".
  2. Enter "Remote exploit" as title and set the "Vulnerability Level" to "1: Low". Save by pressing Ctrl+S.

Create a new threat

  1. Right-click on the "Threats" category. Choose "Add Threat...".
  2. Enter "External attacker" as title and set the "Likelihood" level to "4: Daily". Save by pressing Ctrl+S.

Create a new scenario

  1. So far you have created separate objects; you have not yet connected them to represent an actual risk scenario.
  2. Let's do that now: connect the threat you have just created with the vulnerability to create a new scenario. Use your mouse to drag the threat and drop it onto the vulnerability in the ISM view.
  3. verinice now asks whether you want to create a new scenario; click "Yes". The new object should appear under the "Scenarios" group. If it doesn't, press Ctrl+F5 to refresh the view.

Connect scenario and asset

  1. Now we have to connect the scenario with the mail server to state that this is something that could go wrong with it.
  2. Either drag-and-drop the scenario onto the asset, or open the mail server and use the "Relations to" drop-down to connect it with your scenario.

Running the risk calculation

  1. This is important: threat levels and risk values are only updated when you click the "Run risk analysis" button. The button is available on the upper button bar for faster access. Click it now, and again whenever you have changed objects, relations or controls.

Check risk values

  1. Double-click on the asset; it will have inherited the business impact from the "Marketing" process.
  2. In the "Relations to" list, you will now see numbers next to the scenario.
  3. This means that the scenario adds to the total risk for this asset.
  4. Risk is calculated separately for confidentiality, integrity and availability (CIA), so compare each of the three values with the corresponding risk acceptance level you set on the scope.

Create a second scenario (shortcut)

  1. You do not have to create an actual threat / vulnerability object for each scenario you want to track in verinice. You can also just right-click on "Scenarios" and choose "Add scenario".
  2. You can enter the threat and likelihood values for this scenario right here. In this case, disable the checkbox "Deduce from threat and vuln." to prevent your settings from being overwritten by the next risk calculation.
  3. If you buy verinice.PRO, you get an extensive catalog of common scenarios based on the threats and vulnerabilities contained in the annex of ISO 27005.

Fine tuning the risk analysis

  1. By default, a scenario is assumed to affect all three impact categories: confidentiality, integrity and availability.
  2. You can fine-tune this by disabling some of the checkboxes in the scenario editor, e.g. a flood affects availability but probably not confidentiality.

Create a risk assessment report

  1. Click on "File -> Generate report...". Select the "ISM: Risk Management Results" report.
  2. Choose your scope as the top level element. Select "PDF" as output type and select a directory and a filename to save the report to.
  3. Click "OK". You can open the generated report with any PDF viewer.

Risk Treatment

  1. Now we have to do something about the identified risks. Create a new control by right-clicking on "Controls" and choosing "Add Control...".
  2. Enter "Patch Management" as title and set "Implemented" to "Yes".
  3. Scroll down to "Control Strength" and "Probability of scenario". Choose "Reduces 1 level" there. Save by pressing Ctrl+S.

Apply controls

  1. Create a relation between the control and the scenario.
  2. Controls can be applied to a scenario or to single assets.
  3. The control thereby reduces the risk either for individual assets or for all assets affected by the scenario.
  4. If you double-click on the scenario in the list, you will see all relations from the scenario's side.
  5. For instance, the link to the control should read "likelihood reduced by" "Patch Management".
  6. The control is displayed with a green checkmark to show that it is already implemented.
  7. Run the risk analysis again (see "Running the risk calculation" above); the risk values on the asset are not recalculated until you do.
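As an added illustration (not code from verinice or from this tutorial), the following Python model replays the objects and relations built in the steps above: a process with a per-CIA business impact, an asset the process depends on, a threat and a vulnerability combined into a scenario, a shortcut scenario with manually entered probability that affects only availability, and a "Patch Management" control that reduces the scenario probability by one level. The numeric scales (Public = 0, Normal = 1, High = 2), the additive probability and risk arithmetic, maximum-over-processes inheritance and maximum-over-scenarios aggregation are assumptions made for this example; they are not verinice's documented calculation, and the real tool's scales and formulas should be read from the level definitions on the scope object.

```python
"""Model of the risk graph built in this tutorial (added illustration, not verinice code)."""
from __future__ import annotations
from dataclasses import dataclass, field

CIA = ("confidentiality", "integrity", "availability")

@dataclass
class Process:
    name: str
    impact: dict[str, int]  # business impact per CIA category (assumed: Public=0, Normal=1, High=2)

@dataclass
class Threat:
    name: str
    likelihood: int  # tutorial: "4: Daily"

@dataclass
class Vulnerability:
    name: str
    level: int  # tutorial: "1: Low"

@dataclass
class Control:
    name: str
    implemented: bool
    probability_reduction: int = 0  # "Probability of scenario: Reduces N level(s)"
    impact_reduction: int = 0       # "Control Strength: Reduces N level(s)"

@dataclass
class Scenario:
    name: str
    threat: Threat | None = None
    vulnerability: Vulnerability | None = None
    deduce: bool = True          # "Deduce from threat and vuln." checkbox
    manual_probability: int = 0  # used when deduce is False (the shortcut scenario)
    affects: set[str] = field(default_factory=lambda: set(CIA))  # fine-tuning checkboxes
    controls: list[Control] = field(default_factory=list)

    def base_probability(self) -> int:
        if not self.deduce:
            return self.manual_probability
        if self.threat is None or self.vulnerability is None:
            raise ValueError(f"{self.name}: deducing needs both a threat and a vulnerability")
        return self.threat.likelihood + self.vulnerability.level  # assumption: additive

    def probability(self) -> int:
        # Only implemented controls count; each lowers the probability by its declared levels.
        cut = sum(c.probability_reduction for c in self.controls if c.implemented)
        return max(0, self.base_probability() - cut)

    def impact_reduction(self) -> int:
        return sum(c.impact_reduction for c in self.controls if c.implemented)

@dataclass
class Asset:
    name: str
    used_by: list[Process] = field(default_factory=list)  # processes that "depend on" this asset
    scenarios: list[Scenario] = field(default_factory=list)

    def inherited_impact(self) -> dict[str, int]:
        # Assumption: an asset inherits the highest impact of every process depending on it.
        return {c: max((p.impact[c] for p in self.used_by), default=0) for c in CIA}

    def risk(self) -> dict[str, int]:
        # Risk is kept separately per category; a scenario contributes only to the categories
        # it affects. Assumption: risk = reduced impact + probability, and the asset's value
        # per category is the highest contribution of any linked scenario.
        impact, risk = self.inherited_impact(), {c: 0 for c in CIA}
        for s in self.scenarios:
            for c in s.affects:
                risk[c] = max(risk[c], max(0, impact[c] - s.impact_reduction()) + s.probability())
        return risk

def exceeds_acceptance(risk: dict[str, int], acceptance: dict[str, int]) -> dict[str, bool]:
    """Compare per-category risk with the scope's "Risk Acceptance" levels."""
    return {c: risk[c] > acceptance[c] for c in CIA}

def tutorial_walkthrough() -> dict[str, dict[str, int]]:
    """Replay the tutorial's objects and return the risk values at each stage."""
    marketing = Process("Marketing", {"confidentiality": 0, "integrity": 1, "availability": 2})
    mail = Asset("Mail server", used_by=[marketing])
    attack = Scenario("Remote exploit by external attacker",
                      Threat("External attacker", likelihood=4),
                      Vulnerability("Remote exploit", level=1))
    mail.scenarios.append(attack)
    before = mail.risk()
    # Risk treatment: an implemented control that lowers the probability by one level.
    attack.controls.append(Control("Patch Management", True, probability_reduction=1))
    after = mail.risk()
    # Fine tuning: a shortcut scenario with no threat/vulnerability objects, availability only.
    flood = Scenario("Flood", deduce=False, manual_probability=1, affects={"availability"})
    archive = Asset("Archive server", used_by=[marketing], scenarios=[flood])
    return {"before_control": before, "after_control": after, "flood_only": archive.risk()}
```

Calling `tutorial_walkthrough()` and passing each stage through `exceeds_acceptance(..., {c: 3 for c in CIA})` shows the point of the report and treatment steps: in this model the single "Reduces 1 level" control lowers every value by one but still leaves all three categories above the acceptance level of 3, while the availability-only flood scenario leaves confidentiality and integrity untouched. A control whose "Implemented" field is not "Yes" contributes nothing, and a scenario left on "Deduce from threat and vuln." without both objects is reported as an error instead of silently scoring zero.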