Failure mode and effects analysis: Process and system risk assessment

Information security pros are always trying to assess which systems and processes pose the greatest risk to an organization. In this tip, Gideon T. Rasmussen explains how the failure mode and effects analysis (FMEA) methodology can help quantify the significance of exposures to management as well as facilitate remediation.

What is Six Sigma?

Tom Bowers explains how Six Sigma can be used to determine a "business value."

Failure mode and effects analysis (FMEA) is widely used by corporations, manufacturing firms and the U.S. military to evaluate processes or systems (e.g. an incident-response process or a three-tiered application). It prioritizes potential failures by impact severity, probability of occurrence and likelihood of detection. FMEA risk ratings and narrative rationale can be used to quantify exposure to management and facilitate remediation. Most recently, FMEA was incorporated into Six Sigma and the Information Technology Infrastructure Library (ITIL).

FMEA overview

Under FMEA, each process step or system component is evaluated by the criteria using the table below:

Process step or system component

 

 

Potential failure mode

(How could a failure occur?)

 

 

Potential effect(s) of failure

(What are the consequences of failure?)

 

 

Severity

(How severe would the impact be on a scale of 1 to 5?)

 

 

Potential cause(s) of failure

(What would be the cause of the failure?)

 

 

Occurrence

(What is the probability of failure occurring on a scale of 1 to 5?)

 

 

Current process controls

(What controls are in place to detect or prevent failure?)

 

 

Detection

(What is the probability of failure being detected on a scale of 1 to 5?)

 

 

RPN

 

 

FMEA calculates a risk priority number (RPN) for each process step or system component using this simple technique:

Risk priority number = Severity x Occurrence x Detection

Preparation

Have a current process or system diagram available before beginning the FMEA process. The diagram must document process steps or system components with sufficient detail to support a thorough evaluation. Number each entry for easy reference.

The FMEA team should be comprised of people involved in the day-to-day operations of the process or system (e.g. the team manager and system administrators). Consider using an internal auditor or a peer team manager to act as a facilitator. At a minimum, engage an objective, independent third party. The facilitator is responsible for hosting FMEA meetings and should be actively involved in the evaluation of each process step or system component.

Execution

Begin the first meeting with an FMEA overview. Review the process diagram and enter it into an FMEA worksheet. Consider process flow, inputs, outputs and dependencies.

Conducting a system evaluation is a bit more complex. For example, to review a three-tiered architecture, the diagram should include systems and applications associated with the presentation, application and database layers. For additional scrutiny, review firewall and monitoring configurations and the system development life cycle.

Assign each team member a section of documentation to evaluate before the next meeting. Depending on process or system complexity, it may be necessary to have more than one. Carefully evaluate each process step or system component. Document control deficiencies and associated risk ratings in an FMEA worksheet.

Once the FMEA evaluation is complete, review the RPNs for each process step or system component, It will be apparent which areas pose the greatest risk exposure. The highest numbers correspond to the items with the greatest potential for risk. Corresponding narrative entries provide rationale and detail which can be used to prioritize remediation.

The second half of an FMEA worksheet documents remediation activity. Enter mitigating controls in the first two fields. Complete the Action Results section to determine if the new controls will reduce residual risk to an acceptable level.

 

Recommended Action(s)

Responsibility and Target Completion Date

Action Results

Actions Taken

SEV

OCC

DET

RPN

 

 

 

 

 

 

0

 

 

 

 

 

 

0

 

 

 

 

 

 

0

Conduct FMEA reviews at least annually. In additional to evaluation, FMEA helps ensure team members are familiar with critical processes and systems. FMEA also accomplishes process reviews and updates required by common security standards and frameworks.

Simplicity is FMEA's greatest strength. It documents risk posture using qualitative and quantitative approaches. FMEA is a great way to evaluate the risks associated with a process or a system. Consider adding it to your annual security management routines.

More on this topic

About the author:
Gideon T. Rasmussen is a Charlotte-based Information Security Vice President with a background in Fortune 50 and military organizations. His website is http://www.gideonrasmussen.com.

References:

  1. Failure Mode and Effects Analysis (Wikipedia)
  2. Failure Mode and Effects Analysis (U.S. Department of Defense)
This was first published in March 2008

Dig deeper on Enterprise Risk Management: Metrics and Assessments

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close