CSFaaS Risk Assessment Methodology
To fulfill the NIST and ISO requirements, CSFaaS offers a comprehensive framework, ensuring a thorough and effective risk assessment process. The risk model developed by CSFaaS follows several detailed steps, which are outlined below.
Risk Model
The risk model developed by CSFaaS integrates four key orientations:
Threat-Oriented
By identifying specific threats, actors, and motivations, CSFaaS ensures a threat-oriented perspective.
Asset/Impact-Oriented
By emphasizing the business goals, critical assets, and impacts, the model adopts an asset/impact-oriented view.
Vulnerability-Oriented
The vulnerability-oriented approach is addressed by understanding weaknesses in the current context and recommending controls.
Risk Aggregation
CSFaaS also incorporates risk aggregation, combining multiple risks and their relationships, such as cause and effect, to evaluate the overall risk impact on the organisation.
This combined approach ensures a holistic risk assessment process, covering threats, impacts, vulnerabilities, and the relationships between risks effectively.
Step 1: Gathering Information
The initial phase involves gathering key information about what you want to assess. This includes:
- The project phase.
- The impact of changes, whether in a system or third party.
- Region and country details.
- Business unit involved.
- Functional domain.
- Data classification, including PII (Personally Identifiable Information) and PHI (Protected Health Information).
Step 2: Contextualise Your Information
Next, CSFaaS helps you frame the gathered information by specifying:
Context
The current context of the assessment.
As-Is Situation
The existing state of the system or asset being assessed.
To-Be Situation
The desired state following changes or improvements.
In Scope and Out of Scope
Identifying the boundaries of the assessment, including what is relevant and what falls outside the focus of the analysis.
Step 3: Defining Specifics
In this step, specific details that are essential to the assessment are defined, including:
Business Goal and Objective
The primary goals of the topic under assessment.
Business Driver for Security
Reasons driving security decisions.
Applicable Policies
Relevant organisational policies that apply to the systems or assets being assessed.
Involved Third Parties and Systems
Identifying all stakeholders and systems that have a role in the risk scenario.
Related Risks
If applicable, highlight related risks for contextualisation or aggregation.
Security Domain and Attributes
Identify the security domains impacted, the business attributes, and the risk categories; classify threats with the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege); and complete the detailed threat analyzer, covering threat actions, vectors, actors, and motivations, as well as the quantification of victims.
Step 4: Risk Assessment
Based on the gathered and contextualised information, the risk assessment is carried out:
Inherent Risk Analysis
Evaluate the inherent risks by identifying strengths, weaknesses, and opportunities based on the contextualised information, and by defining impact and likelihood.
Current Risk Analysis
Evaluate the current risks by identifying strengths, weaknesses, and opportunities based on the contextualised information, and by defining impact and likelihood.
Recommended Controls
Identify and propose controls to mitigate the identified risks.
Target Risk Analysis
Evaluate the target risks by identifying strengths, weaknesses, and opportunities based on the contextualised information, and by defining impact and likelihood.
Next Steps: Risk Registration and Remediation Follow-Up
From there, identified risks can be registered in the risk registry, and the remediation plan can be followed and monitored through the remediation process.
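As an added illustration of Step 4 and the risk registry (example code, not CSFaaS's own), the Python below models a minimal register in which each risk carries its STRIDE category and its inherent, current and target impact/likelihood pairs, checks that the three analyses and the recommended controls line up, and aggregates related risks by cause and effect. The 1..5 scales, the impact times likelihood score, the High/Medium/Low bands, the aggregation rule and the sample entries are all assumptions, not part of the methodology as stated.

```python
from dataclasses import dataclass, field


@dataclass
class Analysis:
    """One impact/likelihood pair, assumed on 1..5 scales (the page fixes no scale)."""
    impact: int
    likelihood: int

    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass
class Risk:
    risk_id: str
    stride: str                                  # STRIDE category chosen in Step 3
    inherent: Analysis                           # before any control
    current: Analysis                            # with the as-is controls
    target: Analysis                             # expected after the recommended controls
    recommended_controls: list = field(default_factory=list)
    effects: list = field(default_factory=list)  # ids of related risks this one can cause


def rating(score: int) -> str:
    """Assumed banding of a 1..25 score into three levels."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def validate(risk: Risk) -> list:
    """Consistency problems in a register entry; empty when the entry is sound."""
    problems = []
    if not risk.inherent.score() >= risk.current.score() >= risk.target.score():
        problems.append(f"{risk.risk_id}: score rises from inherent to current to target")
    if risk.target.score() < risk.current.score() and not risk.recommended_controls:
        problems.append(f"{risk.risk_id}: target below current but no controls recommended")
    return problems


def aggregate(register: dict, risk_id: str, stage: str = "current") -> int:
    """Assumed cause-and-effect rule: a cause keeps its likelihood but inherits the worst impact it can trigger."""
    seen, stack, worst = set(), [risk_id], 0
    while stack:                                 # walk effects transitively, cycle-safe
        rid = stack.pop()
        if rid not in seen:
            seen.add(rid)
            worst = max(worst, getattr(register[rid], stage).impact)
            stack.extend(register[rid].effects)
    return worst * getattr(register[risk_id], stage).likelihood


def example_register() -> dict:  # constructed sample: a spoofing risk can lead to a disclosure risk
    r1 = Risk("R1", "Spoofing", Analysis(3, 5), Analysis(3, 4), Analysis(3, 2), ["enforce MFA"], ["R2"])
    r2 = Risk("R2", "Information Disclosure", Analysis(5, 3), Analysis(5, 2), Analysis(5, 1), ["encrypt at rest"])
    return {r.risk_id: r for r in (r1, r2)}
```

On the sample, R1 rates Medium on its own (3 x 4 = 12) but High once the disclosure it can cause is aggregated in (5 x 4 = 20), which is the effect risk aggregation is meant to surface.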