Application Of A Risk Assessment

1068 Words5 Pages
1 Introduction
Typically, an organisation will focus on, and allocate resources to, ICS security due to:
• The detection of a security breach
• The requirement to conform to a compliance mandate
• The outcome of a risk assessment
Developing a secure ICS architecture based on the principles introduced in Module 4 – ICS Cyber Security Architecture will not in itself be sufficient to ensure ongoing protection. As time goes by, new vulnerabilities will be discovered in various ICS components, and new risks may be introduced through changes to work practices, to the infrastructure itself, or to the environment in which the ICS operates. For this reason, it is critical to have in place a corporate risk management framework, which incorporates
…show more content…
2 A Risk Management Framework
As outlined in the International Organization for Standardization ISO/IEC 31000:2009 standard, “the success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels” .
Once committed to the creation of a risk management framework, the implementation and maintenance of the framework consists of a number of general steps, as defined in the ISO/IEC 31000:2009 standard:
1. Designing and implementing a risk management framework
2. Implementing a risk management process, which will include risk assessment
3. Monitoring and reviewing the risk management framework
4. Continually improving the framework

Figure 1: A Risk Management Framework

The design and implementation of a risk management framework should align with the business objectives of the organisation, and a commitment to the program from senior management is crucial. The alignment process can be clarified by defining the business rationale of the organisation. According to the ISA-62443-2-1 standard , developing a business rationale for the unique needs of the organisation includes:
• Identifying and prioritising the business consequences should ICS security be compromised;
• Prioritising potential threats that are deemed credible;
• Determining their business impact of the most serious consequences; and
• Estimating the cost of countermeasures.
Establishing a
Get Access