
An illustration of the application of Failure Mo

(FMEA) techniques to the analysis of infor


Introduction and acknowledgement

The original version of this spreadsheet was kindly provided to the ISO27k Implementers' Forum by Bala Ramanan to dem
security risks. Subsequently, Bala kindly agreed to donate it to the ISO27k Toolkit. Apart from minor updates and reformatting

Contents
The FMEA Sample tab has the actual illustration - an analysis of possible failure modes for a firewall.
The Guidelines provide additional notes on the FMEA method, including a step-by-step process outline.

The Severity, Probability and Detectability tabs have tables demonstrating scales commonly used to rank risks by these criteria

Copyright

This work is copyright 2008, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-N
circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial produ
www.ISO27001security.com, and (c) derivative works are shared under the same terms as this.

Disclaimer

Risk analysis is more art than science. Don't be fooled by the numbers and formulae: the results are heavily influenced by th
information assets and on the framing of risks being considered. For these reasons, the process is best conducted by a team
and managing information security risks, and (b) the organization, its internal and external situation with respect to informat
impossible to guarantee that all risks have been considered and analyzed correctly. Some very experienced practitioners in
some sympathy with that viewpoint.

The results of the analysis should certainly be reviewed by management (ideally including IT auditors, Legal, HR, other s
adjusted according to their experience, so long as the expert views are taken into consideration. Remember: just because
security risk does not necessarily mean that it can be discounted. Organizations with immature security management proce
are not even recognized, due to inadequate incident detection and reporting processes.


Guideline to Carry out a Risk Assessment Usi


Important notes:
This method does not consider asset values. Risks are identified for each asset and prioritized without taking account of the
The cumulative risk for the identified asset for each threat is ascertained by the Risk Priority Number (RPN).
Each asset can have more than one failure mode, and for each failure mode there can be more than one cause.
For more clarification see the comments on the header in each cell of the FMEA Sample worksheet.
How to carry out the Risk Assessment (RA) using FMEA:
1. Identify the businesses or the services rendered by the department under the scope of RA.
2. Identify the assets that deliver or support the business or service identified.
3. Write down the asset number (to avoid duplication).
4. Write down the function of the asset in delivering or maintaining the identified business or service.
5. Now identify the failure modes for the identified function. Please note that there could be more than one failure mode for each
6. Now identify the effect if the identified failure mode happens. That is, if the identified failure mode happens, what will be the effec
7. Now refer to the severity chart and choose the number relevant to the effect of the failure mode.
8. Now identify the cause for the failure mode. Please note that each failure mode can have more than one cause.
9. Now refer to the probability chart and choose the number most relevant to the frequency of the cause happening.
10. Now list the current controls. Kindly categorize the controls as preventive and detective controls. Write each control in se
11. Now refer to the detectability chart and choose a number relevant to the effectiveness of the controls.
12. You can now see the Risk Priority Number calculated for a failure mode of the respective asset function.
14. Now if the RPN is not under the acceptable value then the risk status shows "HIGH RISK"; recommendation to mitigate each o
    down. Kindly list each control in separate rows.
15. Now identify who will implement the recommended control and by what target date the recommended control would be implem
16. Now if the RPN is under the acceptable value then the risk status shows "LOW RISK". Else it displays as HIGH RISK. If it is H
    repeated from step 1.
17. Refer to the Probability Chart.
18. Refer to the Detectability Chart.
19. The new RPN is calculated. Compare it with the acceptable norms and, if it is not satisfactory, redo the same process.

Using prioritized risks


Management may decide to target, say, the top 5% of risks initially. This is an arbitrary value that can be reviewed/adjusted lat
Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked by RPN.
5% of 1000 (the maximum RPN value) is 50. So any RPN above 50 requires review and (probably) control improvements.
All risks with RPNs above 50 are identified as "HIGH RISK". This criterion is of course based on the arbitrary 5% value noted

If the organization is well controlled with relatively few HIGH RISK items, the 5% value may be extended to, say 15% to addres

Alternatively, if there are simply too many HIGH RISK items to tackle at once, they may be addressed in top-down sequence a

The prioritized list of risks provides management with a rational basis for determining how much resource to apply to risk reduc
down the list if more resources are allocated, and vice versa.
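As an added worked example in Python (not part of the ISO27k Toolkit spreadsheet), the RPN arithmetic behind the step-by-step procedure and the prioritization rule above: rate a failure mode, derive the acceptable value from the management target percentage, rank and tag the rows, then re-rate after a recommended control. It assumes RPN is the product of the three 1-10 rankings, which is standard FMEA and matches the 1000 maximum quoted above; the sample rows and their ratings are constructed, not the worksheet's values.

```python
from dataclasses import dataclass, replace

MAX_RPN = 10 * 10 * 10  # Severity, Probability and Detectability scales each run 1..10


@dataclass(frozen=True)
class FailureMode:
    """One worksheet row: an asset's failure mode, its cause and the three rankings."""
    asset: str
    failure_mode: str
    cause: str
    sev: int   # Severity tab ranking
    prob: int  # Probability tab ranking
    det: int   # Detectability tab ranking (10 = controls cannot detect)

    def rpn(self) -> int:
        """Risk Priority Number: product of the three rankings (assumed, standard FMEA)."""
        for name, value in (("sev", self.sev), ("prob", self.prob), ("det", self.det)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")
        return self.sev * self.prob * self.det


def threshold(target_fraction: float) -> int:
    """Acceptable RPN limit from the management target, e.g. 5% of 1000 = 50."""
    return round(target_fraction * MAX_RPN)


def status(fm: FailureMode, limit: int) -> str:
    """'HIGH RISK' when the RPN is above the acceptable value, else 'LOW RISK'."""
    return "HIGH RISK" if fm.rpn() > limit else "LOW RISK"


def prioritize(rows, limit):
    """Rank rows by RPN, highest first, tagging each with its RPN and status."""
    ranked = sorted(rows, key=FailureMode.rpn, reverse=True)
    return [(fm, fm.rpn(), status(fm, limit)) for fm in ranked]


def reassess(fm: FailureMode, new_prob: int, new_det: int) -> FailureMode:
    """After a recommended control: re-rate probability and detectability, keep
    severity, and let rpn() give the New RPN to compare with the limit again."""
    return replace(fm, prob=new_prob, det=new_det)


# Constructed sample rows in the style of the FMEA Sample tab; the ratings are
# illustrative and are not the worksheet's own values.
SAMPLE = [
    FailureMode("Firewall", "Rules not appropriately configured", "Procedures not followed", 7, 2, 4),
    FailureMode("Firewall", "Rules not appropriately configured", "Procedures not followed", 10, 2, 3),
    FailureMode("Firewall", "Encryption level mismatch", "Policies not fully implemented", 5, 2, 3),
]
```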

FMEA Sample

Department: XYZ Department

[FMEA Sample worksheet: the column layout was lost in extraction; the recoverable content follows.]

Columns: Sl.No. | Business / Service | Asset Name | Asset Number | Function | Potential Failure Mode(s) | Potential Technical Effect(s) of Failure | Potential Business Consequence(s) of Failure | Sev | Potential Cause(s)/Mechanism(s) of Failure | Prob | Current Controls (Preventive Controls; Detective Controls) | Det | RPN | Recommended Controls | Responsibility & Target Completion Date | Action Results (Implemented Controls: Preventive Controls, Detective Controls; New Sev; New Occ; New Det; New RPN)

All rows: Business / Service = Protecting IT Assets; Asset Name = Firewall; Asset Number = 5000.

Function: To block unauthorized requests
  Failure mode: Rules not appropriately configured
    Technical effect: IP Spoofing. Business consequence: Diversion of sensitive data traffic, fraud. Cause: Procedures not followed. Preventive control: Procedures available.
    Technical effect: Entry for External Hackers. Business consequence: Disclosure or modification of business records; prosecution; bad PR; customer defection (Sev 7). Cause: Procedures not followed. Preventive control: Procedures available.
    Technical effect: DDOS Attack. Business consequence: Inability to process electronic transactions; bad PR; customer defection (Sev 10). Cause: Procedures not followed.
    Technical effect: Data Theft. Business consequence: Commercial and privacy consequences. Cause: Procedures not available. Current controls: Nil.

Failure mode: Authentication mechanism using legacy systems having improper configuration
    Technical effect: User may not have access to the requested service. Business consequence: Staff unable to work; backlogs; bad PR. Cause: Policies not fully implemented. Preventive control: Policies Defined.

Function: To identify trusted zones by encryption
  Failure mode: Encryption level (56 bit or 128 bit) mismatch
    Technical effect: Data will be exposed as plain text. Business consequence: Disclosure of customer database; commercial and privacy issues. Cause: Policies not fully implemented. Controls: Policies Defined; User awareness.

Detective controls appearing on the sheet: Log Monitoring; User awareness.
Rating values appearing on the sheet (row alignment not recoverable): Prob/Det 1, 2, 3; RPN 56, 64, 40, 30; New RPN 30, 28, 20, 14, 15.
Recommended Controls: Increase audit frequency; User Awareness; Not Required; Business owner to formally accept risk.
Responsibility & Target Completion Date: XYZ by end Jan 2006; XYZ by end March 2006.
Implemented Controls: Increase audit frequency; User Awareness.

Severity

Ranking  Effect        SEVERITY of Effect
10       Catastrophic  Resource not available / Problem unknown
9        Extreme       Resource not available / Problem known and cannot be controlled
8        Very High     Resource not available / Problem known and can be controlled
7        High          Resource Available / Major violation of policies
6        Moderate      Resource Available / Major violations of process
5        Low           Resource Available / Major violations of procedures
4        Very Low      Resource Available / Minor violations of policies
3        Minor         Resource Available / Minor violations of process
2        Very Minor    Resource Available / Minor violations of procedures
1        None          No effect

Probability

PROBABILITY of Failure                    Failure Prob      Ranking
Very High: Failure is almost inevitable   >1 in 2           10
                                          1 in 3            9
High: Repeated failures                   1 in 8            8
                                          1 in 20           7
Moderate: Occasional failures             1 in 80           6
                                          1 in 400          5
                                          1 in 2,000        4
Low: Relatively few failures              1 in 15,000       3
                                          1 in 150,000      2
Remote: Failure is unlikely               <1 in 1,500,000   1

Detectability

Ranking  Detection             Likelihood of DETECTION
10       Absolute Uncertainty  Control cannot prevent / detect potential cause/mechanism and subsequent failure mode
9        Very Remote           Very remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
8        Remote                Remote chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
7        Very Low              Very low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
6        Low                   Low chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
5        Moderate              Moderate chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
4        Moderately High       Moderately high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
3        High                  High chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
2        Very High             Very high chance the control will prevent / detect potential cause/mechanism and subsequent failure mode
1        Almost Certain        Control will prevent / detect potential cause/mechanism and subsequent failure mode
