
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.


Outline
- Information Security Risk Management
  - Risk: define relevant terms; steps to manage risk
  - Recovery: factors, general steps, disaster recovery

What is risk?
- The chance that undesired events will take place
- For businesses, risks are things that can be seen as exploitable by outside or inside threats
- Examples: information leakage, denial of service, natural disaster
- Risk has uncertainty

What is risk management?
- Identification of vulnerabilities and threats to organizational resources
- Determining the countermeasures necessary to reduce risk to an acceptable level
- Methods to mitigate the uncertainty of risk

Organizational Assets
- The main asset is information
- Comprised of all components that contribute to the organizational information architecture
- Information assets all have different values, which can be approximated based on their business value
- Examples: people, data, procedures, technologies, network, etc.

Organizational Threats: Natural
- Threats that are random and related to the environment
- The consequence usually involves reduced availability of services
- Bad weather, earthquakes, ...
- Natural events can also exacerbate man-made problems (nuclear problems in Japan after the earthquake)

Organizational Threats: Man-made, Accidental
- Mistakes made by individuals (e.g. bugs in a program)
- Not targeted at a specific process or asset
- Can occur anytime and anywhere
- Consequences are unpredictable, as the threat is not targeted

Organizational Threats: Man-made, Intentional
- Attacks that deliberately target a victim/asset
- Usually perpetrated by a hacker or insider
- Usually have a calculated consequence
- Examples: unauthorized access to assets, disclosure of data, denial of service (DoS) to disable a web portal
- Think the unexpected: 9/11

Impact
- Potential harm that could be inflicted on an asset and the resulting effect on the organization
- Usually can be measured as the loss of income that would have been made in the ideal situation
- Should be determined for every individual asset, for the specific threats it faces

Steps for organizational risk management

Step 1: Risk Identification
- Must identify threats and asset vulnerabilities
- Should be done by multiple groups with varying perspectives: information owners, business experts, security experts
- Stakeholder analysis is a good tool

Step 2: Risk Assessment 1
- Determine what the asset vulnerabilities are and the likelihood that they could be exploited

Step 3: Risk Assessment 2
- Assess the threats that were identified and determine the chance that they will occur

Step 4: Impact Estimation
- Estimate the impact of each threat on each asset

Step 5: Risk Estimation
- Using the previous steps, estimate a basic level of risk, both at the level of individual assets and at the organizational level

Step 6: Security Controls
- Select/develop appropriate security controls based on a cost-benefit analysis of the risk estimate for specific assets
- Know that threats can often cascade, and each threat has a set of actions that can ameliorate the situation

Step 7: Implementing Security Controls
- Mitigate risks by implementing the security control scheme that was developed in Step 6
- Examples: multi-layer user authentication, physical access controls, training
- Examples: insurance, detailed incident handling procedures, developing a recovery plan

Step 8: Evaluation
- Evaluate the effectiveness of the implemented security control scheme
- Ensure that risk has been reduced to acceptable levels
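As an added worked example (not from the presentation), the risk-estimation and control-selection steps above applied in Python to a small constructed asset/threat register: risk is scored as likelihood times impact per asset/threat pair, rolled up per asset and organization-wide, and a candidate control is kept only when the expected loss it avoids exceeds its cost. All asset names, figures and controls are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float  # chance the threat occurs within a year (0..1)
    impact: float      # estimated loss to the organization if it does

@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # annual cost of the control
    covers: tuple      # (asset, threat) pairs the control addresses
    reduction: float   # fraction of the covered likelihood it removes

# Constructed register (hypothetical values): an information asset facing
# natural, accidental and intentional threats, plus a public web portal.
REGISTER = [
    Risk("patient_db", "flood", 0.02, 500_000),
    Risk("patient_db", "operator error", 0.30, 20_000),
    Risk("patient_db", "unauthorized access", 0.10, 300_000),
    Risk("web_portal", "denial of service", 0.40, 15_000),
]
# Candidate controls with hypothetical costs and effectiveness.
CONTROLS = [
    Control("off-site backup", 4_000, (("patient_db", "flood"),), 0.9),
    Control("multi-factor auth", 5_000, (("patient_db", "unauthorized access"),), 0.7),
    Control("DDoS scrubbing", 30_000, (("web_portal", "denial of service"),), 0.8),
]

def expected_loss(r: Risk) -> float:
    """Risk estimate for one asset/threat pair: likelihood x impact."""
    return r.likelihood * r.impact

def risk_by_asset(register) -> dict:
    """Roll the pair-level estimates up to the individual-asset level."""
    totals = {}
    for r in register:
        totals[r.asset] = totals.get(r.asset, 0.0) + expected_loss(r)
    return totals

def organizational_risk(register) -> float:
    """Organization-level risk: the sum over all assets."""
    return sum(risk_by_asset(register).values())

def net_benefit(control: Control, register) -> float:
    """Expected loss avoided by the control minus its cost."""
    avoided = sum(expected_loss(r) * control.reduction
                  for r in register if (r.asset, r.threat) in control.covers)
    return avoided - control.cost

def select_controls(controls, register) -> list:
    """Cost-benefit selection: keep controls whose net benefit is positive."""
    return [c.name for c in controls if net_benefit(c, register) > 0]
```

Note that the expensive DDoS scrubbing service is rejected because the web portal's estimated annual loss is small, while the cheap off-site backup for the low-likelihood, high-impact flood is kept.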

Recovery Factors
- Recovery is affected by many factors:
  - Importance of the asset that was compromised
  - Cost of the general recovery process
  - The cause of the asset compromise
  - The extent of the damage
  - The type of damage
  - How quickly the disruption was detected and fixed
  - Presence/lack of a contingency plan

General Steps
- Implement the contingency plan
- Assess the damage
- Determine the cause of the damage
- Repair the damage
- Document the incident
- Develop new security controls to prevent a repeat of the situation
- Evaluate the recovery response

Disaster Recovery
- Restoration of the information architecture, achieved through duplication of computing operations
- Often requires an off-site backup that is frequently updated
  - The backup should be off-site to ensure that a disaster doesn't compromise all data centers
- Most effective when a well-designed disaster recovery plan has been written and evaluated
- Save all configuration information for all devices

Disaster Recovery (continued)
- Important to write and implement procedures for activating important information systems in a safer environment
- Mission-critical assets must be prioritized
- The goal is to create an environment where operating conditions can be reestablished at a functional level
- Hot standby is one method

Importance of Risk Management
- Similar to security management; needed in order to assess and protect assets against various threats
- Understanding threats allows an organization to defend against them and prepare in case a disruption occurs
- Lack of defense/preparation can significantly impact or even destroy an organization

