Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Analysis COEN 250.

Published byAlberta Harmon Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk Analysis COEN 250."— Presentation transcript:

1 Risk Analysis COEN 250

2 Risk Management Risk Management consists of Risk Management allows
Risk Assessment Risk Mitigation Risk Evaluation and Assessment Risk Management allows Balance operational and economic costs of protective measures

3 Risk Management and System Development Life Cycle
Phase 1 – Initiation Need for IT system is expressed, scope is documented Identified risks are for Developing system requirements Including security requirements Security strategy of operations Phase 2 – Development or Acquisition IT system is Designed, Purchased, Programmed, Developed Risks identified during this phase are used to Support security analyses of system Might lead to architecture and design trade-offs during development

4 Risk Management and System Development Life Cycle
Phase 3 – Implementation System features are configured, enabled, tested, verified Risk management supports assessment of system implementation against requirements and modeled operational environment Phase 4 – Operation or Maintenance System performs its functions Typically: modification on an ongoing basis Risk Management activities: System reauthorization / reaccreditation Periodic Triggered by changes in system Triggered by changes in operational production environment

5 Risk Management and System Development Life Cycle
Phase 5 – Disposal Disposition of Information Hardware Software Activities Moving Archiving Discarding Destroying Sanitizing Risk management: Ensure proper disposal of software and hardware Proper handling of residual data System migration conducted securely and systematically

6 Risk Management and System Development Life Cycle
Risk management is management responsibility Senior management Ensures effective application of necessary resources to develop mission capabilities Need to asses and incorporate results of risk management into decision making process Chief Information Officer (CIO) Responsible for planning, budgeting, and performance of IT Includes Information Security components Systems and Information Owners Responsible for ensuring existence of proper controls Have to approve and sign off to changes in IT system Need to understand role of risk management

7 Risk Management and System Development Life Cycle
Business and Functional Managers Have authority and responsibility to make trade-off decisions Need to be involved in risk management Information System Security Officer (ISSO) Responsible for security program, including risk management Play leading role for methodology of risk management Act as consultant to senior management IT Security Practitioners Responsible for proper implementation Must support risk management process to identify new potential risks Must implement new security controls Security Awareness Trainers Proper use of systems is instrumental in risk mitigation and IT resource protection Must understand risk management Must incorporate risk assessment into training programs

8 Risk Assessment Risk depends on
Likelihood of a given threat-source exercising a particular potential vulnerability Resulting impact of the adverse event

9 Hypothetical 2003 Example Polish hacker upset at Polish control of Multinational Division Central South Iraq His hacker group wants to attack Finds out runs Apache Runs old version of OpenSSL vulnerable to a buffer overflow attack Bejtlich: The Tao of Network Security Monitoring

10 Hypothetical 2003 Example Factor Description Assessment Rationale
Threat and his buddies 5/5 Has capability and intention Vulnerability Unpatched OpenSLL process Vuln. gives root access. No countermeasures deployed Asset Value Military spends more than $10,000 annually 4/5 Damage to Polish prestige, costs of web server Risk Loss of integrity and control of web server and site 100/125 Bejtlich: The Tao of Network Security Monitoring

11 Hypothetical 2003 Example Polish military does not know but knows about its exposure Needs to know about vulnerability Risk assessment changes dramatically once vulnerability is recognized

12 Vulnerability  Threat
February 2002 SNMP vulnerability SNMP widespread network management tool. Potentially affected most network devices. However, NO exploits were discovered.

13 Vulnerability  Threat
Windows RPC vulnerability of 2003 Dozens of exploits Blaster worm caused > $ damage

14

15 Risk Assessment Step 1: System Characterization
Collect system related information Hardware Software Connectivity Data and information Users and support System mission System and data criticality and sensitivity

16 Risk Assessment Step 2: Threat Identification
Threat Source Identification Natural events: Floods, fires, earthquakes, … Human threats: Unintentional acts Deliberate actions Consider motivations and actions Environmental threats Long-term power failure, pollution, chemicals, liquid leakage

17 Risk Assessment Step 3: Vulnerability Identification
Varies on SDLC phase Sources Previous risk assessment documents IT system audits and logs Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com) Security advisories Vendor advisories System software security analyses

18 Risk Assessment Step 3: Vulnerability Identification Security Testing
Automated vulnerability scanning tools Penetration testing Security Test and Evaluation (ST&E) Develop a test plan Test Effectiveness of security controls See NIST SP

19 Risk Assessment Step 3: Vulnerability Identification
Develop a Security Requirements Checklist Management Security Assignment of responsibilities Continuity of support Incident response capability Periodic review of security controls Personnel clearance and background investigations Risk assessment Separation of duties System authorization and reauthorization System or application security plan

20 Risk Assessment Step 3: Vulnerability Identification
Develop a Security Requirements Checklist Operational Security Control of air-borne contaminants Controls to ensure the quality of the electrical power supply Data media access and disposal External data distribution and labeling Facility protection (e.g., computer room, data center, office) Humidity control Temperature control Workstations, laptops, and stand-alone personal computers

21 Risk Assessment Step 3: Vulnerability Identification
Develop a Security Requirements Checklist Technical Security Communications (e.g., dial-in, system interconnection, routers) Cryptography Discretionary access control Identification and authentication Intrusion detection Object reuse System audit

22 Risk Assessment Step 3: Vulnerability Identification
Outcome: A list of system vulnerabilities that could be exercised by a potential threat source

23 Risk Assessment Control Analysis Control Methods Technical methods
Safeguards built into computer hardware, software, firmware Nontechnical methods Management and operational controls Security policies Operational procedures Personnel security Physical security Environmental security

24 Risk Assessment Control Categories Preventive controls
Detective controls

25 Risk Assessment Control Analysis Output:
Compare security requirements checklist to validate security (non)-compliance Output: List of current or planned controls

26 Risk Assessment Step 5: Likelihood determination Governing factors
Threat source motivation and capability Nature of vulnerability Existence and effectiveness of current controls Assign likelihood levels

27 Risk Assessment Step 6: Impact Analysis Requires
System mission System and data criticality System and data sensitivity Can typically be described in Loss of integrity Loss of availability Loss of confidentiality

28 Risk Assessment Step 6: Impact Analysis
Can be done quantitatively or qualitatively

29 Risk Assessment Step 7: Risk determination Risk Level Matrix
Composed of threat likelihood and impact Determines risk scale Risk Scale Used to determine and prioritize activities

30 Risk Assessment Control Recommendations
Reduce risks to data and system to acceptable level Base evaluation on Effectiveness Legislation and regulation Organizational policy Operational impact Safety and reliability Perform cost benefit analysis

31 Risk Assessment Step 9: Result Documentation Risk assessment report
Describes threats and vulnerabilities Measures risk Provides recommendations for control implementation

32 Risk Mitigation Prioritizing Evaluating Implementing
Appropriate risk-reducing controls

33 Risk Mitigation Options Risk Assumption Risk Avoidance Risk Limitation
To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level Risk Avoidance To avoid the risk by eliminating the risk cause and/or consequence Risk Limitation To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability Risk Planning To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls Research and Acknowledgment To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability Risk Transference To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

34 Risk Mitigation

35 Risk Mitigation Control Implementation Prioritize Actions
Evaluate Recommended Control Options Conduct Cost-Benefit Analysis Select Control Assign Responsibility Develop a Safeguard Implementation Plan Implement Selected Control(s)

Download ppt "Risk Analysis COEN 250."

Similar presentations

Software Quality Assurance Plan

Software Quality Assurance Plan
Control and Accounting Information Systems

Control and Accounting Information Systems
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Security Controls – What Works

Security Controls – What Works
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
Information Systems Security Officer

Information Systems Security Officer
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
7.2 System Development Life Cycle (SDLC)

7.2 System Development Life Cycle (SDLC)
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Similar presentations

Ads by Google