Information Systems Risk Management

Presentation on theme: "Information Systems Risk Management"— Presentation transcript:

1 Information Systems Risk Management
CMGT 442 Information Systems Risk Management Philip Robbins – November 21, 2012 (Week 2) University of Phoenix Mililani Campus

2 Objectives: Week 2 Risk Assessment (Part 1)
- Review Week 1: Concepts
- LT Activity: Week 1 & Week 2 Article Readings
- Stuxnet
- Week 2: Components of Risk
- Quiz #2
- Review Week 2: Questions
- Assignments: IDV & LT Papers
- Review Information Sharing Articles

3 Review: Information Security Services

4 Review: Information Assurance Services (IAS)
(Slide shows a checklist matrix of IAS; the check marks do not survive the transcript.) Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

5 Review: NIST SP

6 Review: NIST SP

7 Learning Team Activity
Activity: Review Week 1 & 2 'Article' Readings
- 15 minutes: Read articles
- 10 minutes: Answer article questions
- 10 minutes: Present your article to the class
Submit for credit.

8 LT Activity: Week 1 Article Readings
Barr (2011): What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems? What are the risks associated with disruption of these systems?
Ledford (2012): What special issues must be considered for corporate data which are not fully digitized? What are the risks associated with the loss of this data? What recovery procedures do you recommend for these situations?

9 LT Activity: Week 2 Article Readings
Keston (2008): How important is enterprise identity management for reducing risk throughout the enterprise? Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process.
Vosevich (2011): What software must be considered to provide adequate security management across the enterprise?

10 Future Risks: Weapons in Cyberspace: Are we at war?
Cyber Crime vs. Cyber Warfare vs. Cyber Conflict

11 Break? This is probably time for a break…

12 Review: Risk Definition
What is Risk? thus, units for measurement: Confidentiality, Integrity, Availability.
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

13 Defining Risk
Risk is conditional, NOT independent.
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

14 Defining Risk: "Risk Loss Confidence"
- Expected Value of Risk = Product of Risks
- Risk is never zero: "We can never be 100% confident for protection"
- Risk dimension (units): confidence in the loss of an ISS (C-I-A), i.e. "Risk Loss Confidence"
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

15 Risk Behavior
Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
(Diagram: Network Enclave #1, Network Enclave #2, Network Enclave #3, interconnected.)

16 Risk Behavior
RiskEV = R1 x R2 x R3 = LOW x MED x HIGH
Network Enclave #1: R1 = LOW; Network Enclave #2: R2 = MED; Network Enclave #3: R3 = HIGH

17 Risk Behavior
RiskEV = R1 x R2 x R3 = LOW x MED x HIGH = HIGH
Network Enclave #1: R1 = LOW; Network Enclave #2: R2 = MED; Network Enclave #3: R3 = HIGH

19 Risk Behavior: REV & RLC
(Chart: Expected Value and Risk Loss Confidence vs. Cumulative Risk Product.)
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

20 Total Risk
How do we quantify total risk? Average the risk to each Information Security Service (Confidentiality, Integrity, Availability).
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
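The following is an added worked example, not code from the slides or from Robbins' source material. It implements the two rules from slides 14 to 20: the ordinal rule for interconnected enclaves (LOW x MED x HIGH = HIGH, read here as weakest-link), and total risk as the average of the risk to each Information Security Service. The probabilistic form for "Risk Loss Confidence" (a loss in any connected enclave counts as a loss for the whole system, so confidence of loss is 1 - prod(1 - p_i)) is this example's own interpretation of why RLC grows with interconnection, not a formula from the slides; the per-enclave numbers are constructed.

```python
"""Added example (not from the slides): combining per-enclave risk and
averaging risk across the Information Security Services (C-I-A)."""
from math import prod

# Ordinal scale used on the slides (LOW / MED / HIGH).
LEVELS = {"LOW": 1, "MED": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}


def combine_ordinal(enclave_risks):
    """Slide rule for interconnected enclaves: LOW x MED x HIGH = HIGH.

    The 'product' of ordinal ratings is read as weakest-link: once enclaves
    are interconnected, the expected risk is that of the riskiest enclave,
    because a loss there is a loss for everything it connects to.
    """
    if not enclave_risks:
        raise ValueError("need at least one enclave")
    return NAMES[max(LEVELS[r.upper()] for r in enclave_risks)]


def interconnected_loss_confidence(loss_confidences):
    """Probabilistic reading (an assumption of this example, not a slide formula).

    If p_i is the confidence that enclave i loses an ISS and interconnection
    lets the loss propagate, the confidence that the combined system loses it
    is 1 - prod(1 - p_i). This value grows as enclaves are added, which is the
    'Risk Loss Confidence increases through interconnections' point.
    """
    for p in loss_confidences:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"loss confidence out of range: {p}")
    return 1.0 - prod(1.0 - p for p in loss_confidences)


def total_risk(per_service):
    """Slide 20: total risk is the average of the risk to each ISS.

    per_service maps 'C', 'I', 'A' to a numeric rating.
    """
    missing = {"C", "I", "A"} - set(per_service)
    if missing:
        raise ValueError(f"missing rating for: {sorted(missing)}")
    return sum(per_service[s] for s in ("C", "I", "A")) / 3


# Constructed sample: three enclaves rated as on slides 16-17, plus per-ISS
# loss confidences (made-up numbers) for the probabilistic reading.
ENCLAVES = {
    "Enclave #1": {"rating": "LOW", "loss": {"C": 0.10, "I": 0.05, "A": 0.20}},
    "Enclave #2": {"rating": "MED", "loss": {"C": 0.30, "I": 0.25, "A": 0.30}},
    "Enclave #3": {"rating": "HIGH", "loss": {"C": 0.60, "I": 0.50, "A": 0.70}},
}


def assess(enclaves=ENCLAVES):
    """Combine the enclaves both ways and return a small report dict."""
    ordinal = combine_ordinal([e["rating"] for e in enclaves.values()])
    per_service = {
        svc: interconnected_loss_confidence([e["loss"][svc] for e in enclaves.values()])
        for svc in ("C", "I", "A")
    }
    return {
        "ordinal_expected_risk": ordinal,
        "loss_confidence_by_service": per_service,
        "total_risk": total_risk(per_service),
    }


if __name__ == "__main__":
    report = assess()
    print("Expected risk (ordinal):", report["ordinal_expected_risk"])
    for svc, p in report["loss_confidence_by_service"].items():
        print(f"  {svc}: {p:.3f}")
    print(f"Total risk (mean over C-I-A): {report['total_risk']:.3f}")
```

Note that a literal product of probabilities would shrink as enclaves are added, the opposite of what the slides describe; the complement-product form is the one that rises with each interconnection, and the ordinal rule captures the same weakest-link behaviour without numbers.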

21 MAC Levels

22 Classification (e.g. SECRET & higher) (e.g. PII, FOUO) (e.g. UNCLASS)

23 Risk Component: Threats
Rapid growth of Advanced Persistent Threats (APTs). Half a million cyber-related incidents in 2012.
- Is this a problem?
- What about vulnerabilities associated with interconnections?
- How does risk management help deal with APTs?
Source: US-CERT

24 Risk Component: Threats
Threat – Exploitation Matrix (rows: exploit type; columns: vulnerability vector)

Exploit Type | Human / User                                                           | Technical / System                               | Environmental
Unintended   | Negligence, Ignorance, Lack of Training                                | System Faults; Logical, Physical                 | Natural Calamities
Exposure     | OPSEC Violations, Weak Disclosure Policy, Weak Classification Guidance | Poor Design, Design Flaws, Poor Quality          |
Intrusion    | Social Engineering, Manipulation; Lack of Training, Drills             | Malicious Software (Malware), Mis-Configurations |

Slide annotations: "Easiest Exploits", "Most Attended To".
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

25 Risk Component: Vulnerabilities
What are vulnerabilities? Any flaw or weakness that can be exploited, for example:
- Poorly communicated or implemented policy
- Improperly configured systems or controls
- Inadequately trained personnel

26 Risk Component: Controls / Safeguards
Controls are put in place to prevent exploitation of vulnerabilities.
The cost of a control should never exceed the cost of the impact (loss) that would be incurred with no control.
How do I figure out what controls I need? Is there a comprehensive checklist I can use? Yes, there is: "DoDI " Information Assurance Implementation.

27 Risk Component: Controls / Safeguards
Control checklists exist depending on your MAC level and the classification of your network enclave: "DoDI " Information Assurance Implementation checklists.

28 Risk Component: Controls / Safeguards

29 Risk Component: Controls / Safeguards

30 Residual Risk
Risks that remain after all of the response strategies have been implemented.
(Diagram labels: Threat, Vulnerability, Control, Mitigation, Residual Risk.)
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

31 Risk Component: Impact
Loss (negative consequence) for the organization:
- $ (USD)
- Reputation
- Degraded Information Security Services

32 Quantitative Risk Thresholds
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly.
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (Cism09 exhibit 2.12)

33 Semi-Quantitative Risk Matrix
Likelihood (rows): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Impact (columns): Insignificant (1), Minor (2), Major (3), Material (4), Catastrophic (5)
Cells are banded SEVERE / HIGH / MEDIUM / LOW.
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (Cism09 exhibit 2.12)

34 Risk Concept: Exploitation & Risk
By increasing severity:

Exploit       | Risk Severity
Discovery     | Low (Bad)
Denial        | Low-Medium
Exposure      | Medium
Exfiltration  | Medium-High
Deception     | High
Takeover      | Severe (Worse)

Discussion: Map each exploit to an Information Security Service.

35 Risk Responses (Severity vs. Frequency)

                 | Frequency: Low     | Frequency: High
Severity: High   | Accept / Transfer  | Avoid
Severity: Low    | Accept             |

Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (Cism09 exhibit 2.12)

36 Risk Responses
- Risk Avoidance: halt or stop the activity causing the risk
- Risk Transference: transfer the risk (e.g. buy insurance)
- Risk Mitigation: reduce the impact with controls/safeguards
- Risk Acceptance: understand the consequences and accept the risk
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (Cism09 exhibit 2.12)
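The following is an added worked example, not code from the slides or from the ISACA exhibit. It scores a small, constructed risk register on the 5x5 semi-quantitative matrix of slide 33, chooses a response from the Severity/Frequency matrix of slide 35, and applies the slide 26 rule that a control's cost must not exceed the loss it prevents. Three things are assumptions of this example rather than content from the slides: the cut points that turn a 1..25 score into the LOW / MEDIUM / HIGH / SEVERE bands, the cut points that reduce a 1..5 rating to "High" / "Low" for the response matrix, and the "Mitigate" entry for the Low-severity / High-frequency cell that the transcript does not capture.

```python
"""Added example (not from the slides): scoring a risk register on the 5x5
semi-quantitative matrix, picking a response, and checking control cost."""

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}

# Band thresholds on the 1..25 product are NOT given on the slide; these cut
# points are an assumption of this example. Replace them with the thresholds
# your organisation adopts.
BANDS = ((15, "SEVERE"), (10, "HIGH"), (5, "MEDIUM"), (0, "LOW"))


def score(likelihood, impact):
    """Likelihood (1..5) x Impact (1..5) -> 1..25, rejecting off-scale input."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {v!r}")
    return likelihood * impact


def band(s):
    """Map a 1..25 score onto the slide's LOW / MEDIUM / HIGH / SEVERE bands."""
    for floor, name in BANDS:
        if s >= floor:
            return name
    raise ValueError(f"score out of range: {s}")


def response(severity, frequency):
    """Severity x Frequency -> response, per the CISM matrix on slide 35.

    Three cells are legible on the slide; the Low-severity / High-frequency
    cell is not, so 'Mitigate' there is an assumption of this example (it is
    the response the slides pair with controls/safeguards).
    """
    table = {
        ("HIGH", "HIGH"): "Avoid",
        ("HIGH", "LOW"): "Accept / Transfer",
        ("LOW", "LOW"): "Accept",
        ("LOW", "HIGH"): "Mitigate",  # assumption, see docstring
    }
    key = (severity.upper(), frequency.upper())
    if key not in table:
        raise ValueError(f"severity/frequency must be HIGH or LOW, got {key}")
    return table[key]


def control_justified(control_cost, loss_without_control):
    """Slide 26 rule: the control's cost must not exceed the loss it prevents."""
    if control_cost < 0 or loss_without_control < 0:
        raise ValueError("costs must be non-negative")
    return control_cost <= loss_without_control


# Constructed risk register (made-up entries and dollar figures).
REGISTER = [
    {"id": "R-01", "name": "Phishing of administrators", "likelihood": "Frequent",
     "impact": "Major", "control_cost": 40_000, "loss_without_control": 250_000},
    {"id": "R-02", "name": "Data-centre flood", "likelihood": "Rare",
     "impact": "Catastrophic", "control_cost": 900_000, "loss_without_control": 600_000},
    {"id": "R-03", "name": "Stale test account", "likelihood": "Unlikely",
     "impact": "Minor", "control_cost": 500, "loss_without_control": 2_000},
]


def rank(register=REGISTER):
    """Score each entry, attach band/response/cost check, sort highest risk first."""
    rows = []
    for r in register:
        lik, imp = LIKELIHOOD[r["likelihood"]], IMPACT[r["impact"]]
        s = score(lik, imp)
        # Reducing the 1..5 scales to High/Low for the response matrix:
        # cut at Major (3) and Moderate (3). Both cut points are assumptions.
        sev = "HIGH" if imp >= 3 else "LOW"
        freq = "HIGH" if lik >= 3 else "LOW"
        rows.append({
            "id": r["id"],
            "score": s,
            "band": band(s),
            "response": response(sev, freq),
            "control_justified": control_justified(
                r["control_cost"], r["loss_without_control"]),
        })
    return sorted(rows, key=lambda x: x["score"], reverse=True)


if __name__ == "__main__":
    for row in rank():
        print(row)
```

In the constructed register the flood (R-02) scores only MEDIUM because it is Rare, yet its severity puts it in the Accept / Transfer cell, and its proposed control fails the cost check; that is exactly the case where transference (insurance) rather than a control is the defensible response, while the frequent phishing risk (R-01) lands in Avoid with a control that pays for itself.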

37 Plan of Actions & Milestones (POA&M)
Non-compliant (NC) controls / findings are listed on a POA&M.

38 Information Systems Risk Components
Let's recap: What are the components of Information Systems Risk?
- Threats & Threat Agents
- Vulnerabilities (Weakness)
- Controls (Safeguards)
- Impact
How is each component important to understanding and managing risk?

39 Risk Component Relationship
Source: Harris, S. (2010). CISSP all in one exam guide, fifth edition. McGraw-Hill, New York, NY.

40 Break? This is probably time for a break…

41 Quiz: Week 1 10-15 minutes

42 Week 2 Review Questions

43 Question #1: What is the likelihood of a threat taking advantage of a vulnerability called?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure

44 Question #1 (answer): What is the likelihood of a threat taking advantage of a vulnerability called?
Answer: A. A risk

45 Question #2: Which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Threat coupled with a breach of security.
D. Vulnerability coupled with an attack.

46 Question #2 (answer): Which of the following combinations best defines risk?
Answer: B. Threat coupled with a vulnerability.

47 Question #3: What can be defined as an event that could cause harm to information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness

48 Question #3 (answer): What can be defined as an event that could cause harm to information systems?
Answer: B. A threat

49 Question #4: What is the definition of a security exposure?
A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. Any potential danger to information or systems
D. Loss potential due to a threat

50 Question #4 (answer): What is the definition of a security exposure?
Answer: A. An instance of being exposed to losses from a threat

51 Question #5: The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a?
A. Threat
B. Exposure
C. Vulnerability
D. Risk

52 Question #5 (answer): The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a?
Answer: C. Vulnerability
