INFORMATION RISK MANAGEMENT Today's Reference: Whitman & Mattord, Management of Information Security, 2nd edition, Chapters 7 & 8.


1 INFORMATION RISK MANAGEMENT Today's Reference: Whitman & Mattord, Management of Information Security, 2nd edition, Chapters 7 & 8

2 What's the problem? Management still asks: "How secure are we?" "Are our controls adequate?" "Do we comply with standards?" "Do we have the best blend of controls in place?" "How do we measure our IS security?" "What controls do I need?" "How much will controls cost?"

3 Overview What is Risk Management? Why is it important? Risk Analysis Risk Control Strategies Other Risk Management Techniques Summary

4 Risk Management Extracted from Australian Standard AS/NZS 4360:2004

5 Why is it important? Subsidiaries of large organisations have an obligation (e.g. agencies of SA Govt.). Corporate management may wish to compare these subsidiaries. Shareholders may demand a certain level of compliance with standards. Directors have a 'duty of care' responsibility. Trading partners may need you to prove your level of security (or they won't trade with you).

6 Managing Risk The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization's risk appetite

7 Residual Risk When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for.

8 Risk Tolerance Risk tolerance (also known as risk appetite) defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility

9 Risk Analysis (RA) Various methods: qualitative, quantitative, software packages (e.g. RiskPac, RiskCalc, CRAMM, SPAN, Rank-it) and structured methods such as Courtney's Method.
The quantitative approach:
Identify IS assets
Identify threats to those assets
Estimate probability of occurrence of each threat against each asset
Estimate cost of impact of one occurrence
Calculate Annual Loss Expectancy (ALE) for each asset/threat pair
Build a control profile to match the risk profile

10 Identify Assets Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking) Assets are then classified and categorized. For example: Unclassified Sensitive but unclassified Confidential Secret Top secret

11 Identify Threats Realistic threats need investigation; unimportant threats are set aside Threat assessment: Which threats present danger to assets? Which threats represent the most danger to information? How much would it cost to recover from attack? Which threat requires greatest expenditure to prevent?

12 Threat Analysis (worksheet). Columns: Threat | Impact (H, M, L) | Probability (H, M, L) | Risk Exposure (H, M, L). Threats listed:
1. Errors & omissions
2. Data network breakdowns
3. Software errors & omissions
4. Computer-based fraud
5. Accidental & natural disasters
6. Equipment failure
7. Unauthorised access
8. Deliberate destruction of equipment
9. Misuse of computing equipment
10. Theft of computers
11. Loss of key personnel
12. Theft of information
13. Logical sabotage
14. Software piracy
15. Loss of vital services
The rating columns are blank on the slide. Risk Exposure is read from a lookup matrix of Impact against Probability whose cells are Low, Medium or High.

13 The Metrics Annual Loss Expectancy (ALE) = Annualised Rate of Occurrence (ARO, the threat probability) × Single Loss Expectancy (SLE). The return on a control is the reduction in ALE that implementing it produces; the control is only worth buying if that reduction exceeds its annualised cost. Uses Courtney's scales (next slide). Caveat: the inputs are order-of-magnitude estimates, so there is a temptation to 'manufacture' the desired outcome by adjusting them.

14 Courtney's Scales for calculating Annual Loss Expectancy (ALE). Each step on both scales is a factor of ten.
Probability of occurrence of threat:
Once in 100 years
Once in 10 years
Once per year
10 times per year
100 times per year
1000 times per year
Impact of threat:
$100 million
$10 million
$1 million
$100,000
$10,000
$1,000

15 Risk exposure matrix (figure). Rows are assets: Application Software, Network, Server & OS, Database, IS People. Columns are threats: Virus Attack, Hardware Malfunction, Physical Sabotage, Input Errors. Each cell records the threat frequency, the cost of one occurrence and the resulting exposure per annum (frequency × cost). Cell values legible on the slide: 1:1 year, $1000, $1000 pa; 1:1 year, $10000, $10000 pa; 1:10 yrs, $ (cost not legible), $10000 pa; 10:1 year, $100, $1000 pa. Totals legible on the slide: Risk Exposure per threat per annum $12000, $20000, $1000, $21000; Risk Exposure per asset per annum $31000, $53000. Which cell belongs to which asset/threat pair, and the remaining totals, are not recoverable from the transcript.
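The quantitative procedure of slides 9, 13, 14 and 15 (ARO × SLE per asset/threat cell, row and column totals, then the return on a candidate control) carried through in code. This is an added example, not code from Whitman & Mattord or from the slides. The asset and threat names follow slide 15; the function names, the frequency notation parser, every figure in SAMPLE_MATRIX and the hypothetical anti-virus control (assumed to cut the virus-attack ARO by a factor of ten for $5,000 a year) are all assumptions made for illustration.

```python
"""Quantitative risk analysis: ALE = ARO x SLE over an asset/threat matrix,
with per-asset and per-threat totals and a cost-benefit check for a control.

Added example, not code from Whitman & Mattord or from the slides. Asset and
threat names follow slide 15; every frequency and dollar figure below is
constructed for illustration, not taken from the slide.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Slide 15 writes threat frequency as "occurrences : years", e.g. "1:10 yrs"
# (once a decade) or "10:1 year" (ten times a year). Assumed notation.
_FREQ_RE = re.compile(r"(\d+)\s*:\s*(\d+)\s*(?:yrs?|years?)")


def parse_frequency(text: str) -> float:
    """Convert the slide's 'N:M years' notation into an ARO (events per year)."""
    m = _FREQ_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised frequency: {text!r}")
    occurrences, years = int(m.group(1)), int(m.group(2))
    if years == 0:
        raise ValueError("years must be positive")
    return occurrences / years


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    aro: float  # annualised rate of occurrence (the slide's "threat probability")
    sle: float  # single loss expectancy: cost of one occurrence, in dollars

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy, the slide 13 metric."""
        return self.aro * self.sle


def exposures_from_matrix(matrix: dict) -> list:
    """matrix maps asset -> threat -> (frequency text, impact in dollars)."""
    return [
        Exposure(asset, threat, parse_frequency(freq), float(impact))
        for asset, threats in matrix.items()
        for threat, (freq, impact) in threats.items()
    ]


def totals(exposures):
    """Per-asset and per-threat exposure per annum (slide 15) plus the grand total."""
    per_asset = defaultdict(float)
    per_threat = defaultdict(float)
    for e in exposures:
        per_asset[e.asset] += e.ale
        per_threat[e.threat] += e.ale
    return dict(per_asset), dict(per_threat), sum(e.ale for e in exposures)


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Slide 13 calls the reduction in ALE the control's return. The spend is only
    justified when that reduction exceeds the control's annualised cost, so the
    figure to report is the net benefit (negative means the control costs more
    than the loss it prevents)."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed sample data (not the slide's figures).
SAMPLE_MATRIX = {
    "Application Software": {
        "Virus Attack": ("1:1 year", 1_000),
        "Input Errors": ("10:1 year", 100),
    },
    "Network": {
        "Virus Attack": ("1:1 year", 10_000),
        "Hardware Malfunction": ("1:1 year", 10_000),
    },
    "Database": {
        "Physical Sabotage": ("1:10 yrs", 100_000),
        "Input Errors": ("10:1 year", 1_000),
    },
}


def sample_analysis():
    """Run the matrix above and evaluate a hypothetical anti-virus control,
    assumed to cut the virus-attack ARO from 1/yr to 0.1/yr for $5,000 a year."""
    exposures = exposures_from_matrix(SAMPLE_MATRIX)
    per_asset, per_threat, grand = totals(exposures)
    virus_before = per_threat["Virus Attack"]
    virus_after = virus_before * 0.1  # same SLE, one tenth the ARO
    net = control_net_benefit(virus_before, virus_after, 5_000)
    return per_asset, per_threat, grand, net


if __name__ == "__main__":
    per_asset, per_threat, grand, net = sample_analysis()
    for name, ale in per_asset.items():
        print(f"asset  {name:22s} ${ale:>10,.0f} pa")
    for name, ale in per_threat.items():
        print(f"threat {name:22s} ${ale:>10,.0f} pa")
    print(f"total exposure ${grand:,.0f} pa; net benefit of the control ${net:,.0f} pa")
```

Because the per-threat column total is what a single threat-specific control reduces, the cost-benefit check is run against that column rather than the grand total; a control that lowers the ALE by less than it costs shows up as a negative net benefit, which is the honest answer to "how much will controls cost?" on slide 2.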

16 Benefits of RA Improves awareness by involving people Relate security mission to management objectives Identifies assets, vulnerabilities and controls Improves basis for decision Helps justify expenditure for security

17 Arguments against RA Not precise Hard to perform Gives a false sense of precision and confidence Never up to date No scientific foundation Not designed for small business Not a self-assessment method

18 Risk Control Strategies An organization must choose one of four basic strategies to control risks Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability Transference: shifting the risk to other areas or to outside entities Mitigation: reducing the impact should the vulnerability be exploited Acceptance: understanding the consequences and accepting the risk without control or mitigation

19 Avoidance Attempts to prevent exploitation of the vulnerability Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards Three common methods of risk avoidance: Application of policy Training and education Applying technology

20 Transference Control approach that attempts to shift risk to other assets, processes, or organizations. If the organization lacks security management and administration expertise, it should hire individuals or firms that provide it; the risk associated with managing complex systems is then transferred to an organization experienced in dealing with those risks. Note that what is transferred is the operational or financial consequence; the directors' duty of care (slide 5) stays with the organization.

21 Mitigation Attempts to reduce impact of vulnerability exploitation through planning and preparation Approach includes three types of plans: Incident response plan (IRP) Disaster recovery plan (DRP) Business continuity plan (BCP)

22 Acceptance Doing nothing to protect a vulnerability and accepting the outcome of its exploitation Valid only when the particular function, service, information, or asset does not justify cost of protection Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls

23 Other RM Techniques Baselining Benchmarking Best Practices Due Care Due Diligence

24 Baselining Baselining is the analysis of measures against established standards. In information security, baselining means recording the organization's current security activities and events as a reference point (the baseline) against which its future performance is compared.

25 Benchmarking Benchmarking is seeking out and studying the practices from other organizations that produce the results desired, and then measuring the differences between the way the organizations conduct business In the field of information security, two categories of benchmarks are used: Standards of due care and due diligence Best practices

26 Best Business Practices Security efforts that seek to provide a superior level of performance are referred to as best business practices Best security practices are those that are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility

27 Due Care and Due Diligence For legal reasons, an organization may be forced to adopt a certain minimum level of security When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances This is referred to as a standard of due care Due diligence is the demonstration that the organization is persistent in ensuring that the implemented standards continue to provide the required level of protection

28 What you need to know The risk analysis process The risk analysis metrics Risk control strategies The terminology used in this presentation

