1 Session 3: Security Risk Management Eduardo Rivadeneira IT Pro Microsoft Mexico

2 Agenda. Day 1: Technet Mexico communities; Mexico community training; Essentials of Security, Part 1. Day 2: Essentials of Security, Part 2; Security Risk Management, Part 1. Day 3: Security Risk Management, Part 2; Questions and Answers.

3 Points of interest: IT Pro Mexico user group; Gaia; Security Risk Management.

4 Walk-through Scenario 1: Facilitating Risk Discussions Facilitating a risk discussion meeting for Woodgrove Bank


11 Defining Impact Statements Impact data includes the following information:

12 Walk-through Scenario 2: Defining Impact Statements Defining an impact statement for Woodgrove Bank

13 Scenario 2: Defining an Impact Statement for Woodgrove Bank

Asset Name | Asset Class | DiD Level | Threat Description | Vulnerability Description | ER (H,M,L) | IR (H,M,L)
Consumer financial investment data | HBI | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of a managed LAN client via outdated security configurations | H | H
Consumer financial investment data | HBI | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of a managed remote client via outdated security configurations | H | H
Consumer financial investment data | HBI | Data | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials by trusted employee abuse, via non-technical attacks | L | M

14 Understanding Risk Prioritization. Process flow: start risk prioritization; conduct summary-level risk prioritization; review with stakeholders; conduct detailed-level risk prioritization; end of risk prioritization.

15 Conducting Summary-Level Risk Prioritization. The summary-level prioritization process includes the following: determine impact level; estimate summary-level probability; complete the summary-level risk list; review with stakeholders.
Summary-level probability scale:
High: likely; one or more impacts expected within one year.
Medium: probable; impact expected within two to three years.
Low: not probable; impact not expected to occur within three years.

16 Walk-through Scenario 3: Conducting Summary-Level Risk Prioritization. Conducting a summary-level risk prioritization for Woodgrove Bank.


21 Conducting Detailed-Level Risk Prioritization. The following four tasks outline the process to build a detailed-level list of risks: 1. Determine impact and exposure; 2. Identify current controls; 3. Determine probability of impact; 4. Determine detailed risk level. Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).

22 Walk-through Scenario 4: Conducting Detailed-Level Risk Prioritization. Conducting a detailed-level risk prioritization for Woodgrove Bank.


27 Quantifying Risk. The following tasks, in order, outline the process to determine the quantitative value: 1. Assign a monetary value to each asset class; 2. Input the asset value for each risk; 3. Produce the single loss expectancy (SLE); 4. Determine the annual rate of occurrence (ARO); 5. Determine the annual loss expectancy (ALE).

28 Walk-through Scenario 5: Quantifying Risk Quantifying risk for Woodgrove Bank

29 Scenario 5: Quantifying Risk for Woodgrove Bank

Task 1: Assign monetary values to asset classes, using the 5% materiality guideline for valuing assets.
Net income: $200 million annually.
HBI asset class: $10 million (200 * 5%).
MBI asset class: $5 million (based on past spending).
LBI asset class: $1 million (based on past spending).

Task 2: Identify the asset value.
Consumer financial data = HBI asset class; HBI = $10 million; asset value = $10 million.

Task 3: Produce the single loss expectancy (SLE). Estimated risk value = asset class value * exposure factor % = SLE.
Exposure rating -> exposure factor: 5 = 100%; 4 = 80%; 3 = 60%; 2 = 40%; 1 = 20%.
Asset class value: HBI = $M; MBI = $M / 2; LBI = $M / 4 (where $M is the high business impact value).
Both the LAN host risk and the remote host risk carry exposure rating 4 (80%) against a $10 million asset class value, so SLE = $8 million for each.

Task 4: Determine the annual rate of occurrence (ARO).
Qualitative rating | Description | ARO range | Description examples
High | Likely | >= 1 | Impact once or more per year
Medium | Probable | 0.33 to 0.99 | At least once every 1-3 years
Low | Not probable | < 0.33 | Less than once every 3 years
LAN host ARO: leveraging the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus the estimated ARO is 0.5.
Remote host ARO: leveraging the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus the estimated ARO is 1.

Task 5: Determine the annual loss expectancy (ALE = SLE * ARO).
Risk Description | Asset Class Value | Exposure Rating | Exposure Value | SLE | ARO | ALE
LAN host risk ($ in millions) | $10 | 4 | 80% | $8 | 0.5 | $4
Remote host risk ($ in millions) | $10 | 4 | 80% | $8 | 1 | $8
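The five tasks of Scenario 5 carried through in code, as an added example that is not part of the original presentation or of the Microsoft Security Risk Management Guide's own tooling. The exposure-factor table, the ARO ranges and the Woodgrove figures are the ones on the slide; the function names, the M/2 and M/4 defaults for MBI and LBI, and the check that a numeric ARO agrees with the qualitative probability assigned during prioritization are this example's own.

```python
"""Quantitative risk calculation (SLE, ARO, ALE) following Scenario 5."""
from dataclasses import dataclass

# Exposure rating -> exposure factor, as in the slide's lookup table.
EXPOSURE_FACTOR = {5: 1.00, 4: 0.80, 3: 0.60, 2: 0.40, 1: 0.20}

# Qualitative probability -> (min, max) ARO, as in the slide's ARO range table.
# None means unbounded above; "Low" is anything below 0.33.
ARO_RANGE = {"High": (1.0, None), "Medium": (0.33, 0.99), "Low": (0.0, 0.33)}


def asset_class_values(net_income, materiality=0.05, mbi=None, lbi=None):
    """Task 1. HBI is the materiality share of net income; MBI and LBI follow
    the slide's $M/2 and $M/4 rule unless past spending supplies a value
    (the override parameters are this example's assumption)."""
    hbi = net_income * materiality
    return {
        "HBI": hbi,
        "MBI": hbi / 2 if mbi is None else mbi,
        "LBI": hbi / 4 if lbi is None else lbi,
    }


def single_loss_expectancy(asset_value, exposure_rating):
    """Task 3. SLE = asset class value * exposure factor."""
    return asset_value * EXPOSURE_FACTOR[exposure_rating]


def aro_consistent(qualitative_rating, aro):
    """Task 4 sanity check (assumed here): the numeric ARO must fall inside the
    range implied by the qualitative probability from the earlier prioritization."""
    lo, hi = ARO_RANGE[qualitative_rating]
    if qualitative_rating == "Low":
        return aro < hi
    return aro >= lo and (hi is None or aro <= hi)


def annual_loss_expectancy(sle, aro):
    """Task 5. ALE = SLE * ARO."""
    return sle * aro


@dataclass
class Risk:
    description: str
    asset_class: str        # HBI / MBI / LBI
    exposure_rating: int    # 1..5
    probability: str        # High / Medium / Low from summary-level prioritization
    aro: float              # annual rate of occurrence estimated by the team


def quantify(risks, class_values):
    """Run tasks 2-5 for each risk and return one row per risk (all $ in millions)."""
    rows = []
    for r in risks:
        if not aro_consistent(r.probability, r.aro):
            raise ValueError(f"{r.description}: ARO {r.aro} contradicts {r.probability} probability")
        value = class_values[r.asset_class]                       # Task 2
        sle = single_loss_expectancy(value, r.exposure_rating)    # Task 3
        rows.append({
            "risk": r.description,
            "asset_value": value,
            "exposure_factor": EXPOSURE_FACTOR[r.exposure_rating],
            "sle": sle,
            "aro": r.aro,                                         # Task 4
            "ale": annual_loss_expectancy(sle, r.aro),            # Task 5
        })
    return rows


# Woodgrove Bank figures from the slide, in $ millions. MBI and LBI are passed
# in rather than derived because the slide bases them on past spending.
WOODGROVE_CLASS_VALUES = asset_class_values(net_income=200, mbi=5, lbi=1)
WOODGROVE_RISKS = [
    Risk("LAN host risk", "HBI", 4, "Medium", 0.5),
    Risk("Remote host risk", "HBI", 4, "High", 1.0),
]

if __name__ == "__main__":
    for row in quantify(WOODGROVE_RISKS, WOODGROVE_CLASS_VALUES):
        print(f"{row['risk']:<18} value ${row['asset_value']:.0f}M  SLE ${row['sle']:.1f}M  "
              f"ARO {row['aro']}  ALE ${row['ale']:.1f}M")
```

Running it reproduces the slide's table: both risks have SLE $8M, and the ALEs are $4M (LAN host, ARO 0.5) and $8M (remote host, ARO 1). The consistency check catches the common mistake of keeping an ARO of 1 on a risk that the qualitative pass rated Low, which would silently inflate the ALE by a factor of three or more.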

30 Assessing Risk: Best Practices Analyze risks during the data gathering process Conduct research to build credibility for estimating probability Communicate risk in business terms Reconcile new risks with previous risks

31 Conducting Decision Support Security Risk Management Concepts Identifying Security Risk Management Prerequisites Assessing Risk Conducting Decision Support Implementing Controls and Measuring Program Effectiveness

32 Overview of the Decision Support Phase (phase 2 of four: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness). Steps: 1. Define functional requirements; 2. Identify control solutions; 3. Review solution against requirements; 4. Estimate degree of risk reduction; 5. Estimate cost of each solution; 6. Select the risk mitigation strategy.

33 Identifying Output for the Decision Support Phase. Key elements to gather include: decision on how to handle each risk; functional requirements; potential control solutions; risk reduction of each control solution; estimated cost of each control solution; list of control solutions to be implemented.

34 Considering the Decision Support Options Options for handling risk: Accepting the current risk Implementing controls to reduce risk

35 Overview of the Identifying and Comparing Controls Process. Participants: security steering committee, mitigation owner, security risk management team. Activities: identify potential control solutions; determine types of costs; estimate level of risk reduction; produce the final list of control solutions.

36 Step 1: Define Functional Requirements. (Slides 36 through 41 repeat the six-step process diagram with the current step highlighted. Participants: security risk management team, mitigation owner, security steering committee. Steps: 1 Define functional requirements; 2 Identify control solutions; 3 Review solutions against requirements; 4 Estimate degree of risk reduction; 5 Estimate cost of each solution; 6 Select the risk mitigation strategy.)

37 Step 2: Identify Control Solutions.

38 Step 3: Review Solutions Against Requirements.

39 Step 4: Estimate Degree of Risk Reduction.

40 Step 5: Estimate Cost of Each Solution.

41 Step 6: Select the Risk Mitigation Strategy.

42 Conducting Decision Support: Best Practices Consider assigning a security technologist to each identified risk Set reasonable expectations Build team consensus Focus on the amount of risk after the mitigation solution
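Steps 3 through 6 of the decision support phase applied to the remote host risk quantified earlier ($8M ALE), as an added example that is not from the presentation or the Security Risk Management Guide. The control names, their risk-reduction percentages, their annual costs and the functional requirement labels are constructed for illustration, and the rule used to rank them (ALE removed per year minus annual cost) is this example's assumption; the slide itself only says to estimate reduction and cost and then select.

```python
"""Rank candidate controls for one risk: filter by functional requirements,
estimate residual ALE and net annual benefit, and order the survivors."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    risk_reduction: float                   # fraction of the ALE removed (step 4 estimate)
    annual_cost: float                      # annualized acquisition + operating cost (step 5)
    satisfies: frozenset = field(default_factory=frozenset)  # functional requirements met


def residual_ale(ale, control):
    """Risk remaining after the control; the best practices say to focus here."""
    return ale * (1.0 - control.risk_reduction)


def net_annual_benefit(ale, control):
    """ALE removed per year minus the control's annual cost (assumed ranking rule)."""
    return (ale - residual_ale(ale, control)) - control.annual_cost


def evaluate_controls(ale, requirements, controls):
    """Step 3: drop any control missing a functional requirement.
    Steps 4-5: residual ALE and net benefit per surviving control.
    Step 6: rank by net benefit. A control whose annual cost exceeds the ALE it
    removes is flagged, since accepting the current risk may then be the better
    of the two options the slides list."""
    ranked = []
    for c in controls:
        if requirements - c.satisfies:      # unmet functional requirement
            continue
        benefit = net_annual_benefit(ale, c)
        ranked.append({
            "control": c.name,
            "residual_ale": residual_ale(ale, c),
            "net_benefit": benefit,
            "costs_more_than_it_saves": benefit < 0,
        })
    ranked.sort(key=lambda r: r["net_benefit"], reverse=True)
    return ranked


# Constructed sample, $ in millions. The ALE is the remote host risk from
# Scenario 5; the controls, percentages and costs are hypothetical.
REMOTE_HOST_ALE = 8.0
REQUIREMENTS = frozenset({"enforce-current-config", "auditable"})
CANDIDATES = [
    Control("Patch/config compliance for remote clients", 0.75, 1.5,
            frozenset({"enforce-current-config", "auditable"})),
    Control("Managed VPN with client health checks", 0.90, 5.0,
            frozenset({"enforce-current-config", "auditable"})),
    Control("Awareness training only", 0.20, 0.4,
            frozenset({"auditable"})),          # misses a requirement: dropped at step 3
    Control("Full remote device replacement", 0.95, 9.0,
            frozenset({"enforce-current-config", "auditable"})),  # costs more than it saves
]

if __name__ == "__main__":
    for row in evaluate_controls(REMOTE_HOST_ALE, REQUIREMENTS, CANDIDATES):
        print(f"{row['control']:<45} residual ALE ${row['residual_ale']:.2f}M  "
              f"net benefit ${row['net_benefit']:.2f}M  "
              f"{'(exceeds risk removed)' if row['costs_more_than_it_saves'] else ''}")
```

With these inputs the compliance control ranks first (residual ALE $2M, net benefit $4.5M), the VPN second, and device replacement is flagged because its $9M annual cost exceeds the $7.6M of ALE it removes; the training-only option never reaches the ranking because it fails a functional requirement.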

43 Implementing Controls and Measuring Program Effectiveness Security Risk Management Concepts Identifying Security Risk Management Prerequisites Assessing Risk Conducting Decision Support Implementing Controls and Measuring Program Effectiveness

44 Implementing Controls (phase 3 of four: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness). Seek a holistic approach; organize by defense-in-depth.

45 Organizing the Control Solutions Critical success determinants to organizing control solutions include: Communication Team scheduling Resource requirements

46 Organizing by Defense-in-Depth Network Host Application Data Physical

47 Measuring Program Effectiveness (phase 4 of four: 1 Assessing Risk, 2 Conducting Decision Support, 3 Implementing Controls, 4 Measuring Program Effectiveness). Develop a scorecard; measure control effectiveness.

48 Developing Your Organization's Security Risk Scorecard. A simple security risk scorecard organized by the defense-in-depth layers might look like this (risk levels H, M, L; FY05 Q3 and Q4 not yet filled in):

Layer | FY05 Q1 | FY05 Q2 | FY05 Q3 | FY05 Q4
Physical | H | M | | 
Network | M | M | | 
Host | M | M | | 
Application | M | H | | 
Data | L | L | | 

49 Measuring Control Effectiveness Methods to measure the effectiveness of implemented controls include: Direct testing Submitting periodic compliance reports Evaluating widespread security incidents

50 Session Summary
One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two.
Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks.
The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process.
The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model.
Determining your organization's maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy.

51 Next Steps
Find additional security training events:
Sign up for security communications: default.mspx
Order the Security Guidance Kit: default.mspx
Get additional security tools and content:

52 Questions and Answers
