Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.

Published byPercival Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or."— Presentation transcript:

1 Risk Assessment and Management

2 Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or transmit organisational information enabling management to make well-informed risk management decisions to justify the expenditure (within the IT budget) assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

3 Risk Assessment and Management What is Risk?

4 Risk is the degree to which any of the vulnerabilities can be exploited by the threats to result in loss or damage to the asset. This is called impact Examples:  Direct loss of money (cash or credit)  Breach of legislation  Loss of goodwill/reputation  Reduction of share value  Endangering staff or confidence  Loss of business opportunity  Reduction in operational efficiency/performance  Interruption of business activity

5 Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence

6 Risk and its Value Risk is a mathematical function of threats, vulnerabilities, their probability and the impact While the threats increase with more exposure of data/systems, vulnerabilities go up with complexity of the problem The value of the assets, if exploited determine the impact Thus, risk value is a product of the value of threat, value of vulnerability, probability value and the asset value

7 This is a method by which- Risks to your organisation are identified Cost of these risks are calculated. Costs of mitigating those risks are calculated A cost benefit analysis is performed Risk Assessment

8 This helps the management- To make informed decisions relating to the security of IT assets To ensure that the relevant controls are in place Depending on the size of the organisation, part of these controls will include extra-resourcing, i.e. a dedicated Information security officer. In a medium to large organisation, there should be a security officer to continue the design and deployment of the security programme. Risk Assessment

9 The first process in the risk management methodology. Made to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. Helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. Analyses the threats to an IT system, given the likely vulnerabilities and the controls in place Helps to determine the likelihood of a future adverse event

10 Risk Assessment The magnitude of harm that could be caused by a threat's exercise of vulnerability is known as Impact In the impact analysis, the merits and demerits of quantitative and qualitative assessments are considered We may adopt a qualitative assessment as it prioritises the risks and identifies areas for immediate improvement in addressing the vulnerabilities

11 Risk Management

12 Encompasses three processes Risk assessment Risk mitigation Risk evaluation & assessment. Risk management is the process that allows IT managers to balance the operational and economic costs of security to achieve gains in mission capability by protecting the IT systems and data that support their organisational mission.

13 Risk Management A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities Effective risk management must be totally integrated into the SDLC

14 Risk Management Process If effective, this becomes an important component of a successful IT security programme The process should not be treated primarily as a technical function carried out by the IT experts It should be treated as an essential management function Risk management is the process of identifying & assessing the risk and taking steps to reduce it to an acceptable level

15 Overall Risk Management Process Risk Increase Vulnerabilities Indicate Asset Values Threats Controls Reduce Increas e Security Needs Assets Impact on Organization Project against Exploit Expose Have Met by

16 Impact Assessment

17 The impact assessment may be made as- High: Exercise of the vulnerability may result in the highly costly loss of major tangible assets or resources significantly violate, harm, or impede an organisation's mission, reputation, or interest result in human death or serious injury

18 The impact assessment may be made as- Medium- Exercise of the vulnerability may result in the costly loss of tangible assets or resources violate, harm, or impede an organisation's mission, reputation, or interest result in human injury

19 The impact assessment may be made as- Low- Exercise of the vulnerability may result in the loss of some tangible assets or resources noticeably affect an organisation's mission, reputation, or interest.

20 Risk Determination

21 The final determination of mission risk is derived by- multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact using a matrix-table which shows how the overall risk ratings might be determined  based on inputs from the threat likelihood and threat impact categories. It is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low).

22 Risk-level Matrix Threat Likelihood Impact Low (10)Medium (50) High (100) High (1.0)Low 10 x 1.0=10 Medium 50 x 1.0=50 High 100 x1.0=100 Medium (0.5) Low 10 x 0.5=5 Medium 50 x 0.5=25 High 100 x 0.5=50 Low (0.1)Low 10 x 0.1=1 Low 50 x 0.1=5 Low 100 x 0.1=10

23 Using the matrix- the risk level can be identified as High, Medium or Low This in turn is a function of the likelihood and Impact This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability is exercised. This also presents actions that senior management- the mission owners, must take for each risk level

24 From the matrix, the risk is considered- High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. Low: If an observation is described as low risk, the system's DM must determine whether corrective actions are still required or decide to accept the risk.

Download ppt "Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or."

Similar presentations

Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
Risk Management Introduction Risk Management Fundamentals

Risk Management Introduction Risk Management Fundamentals
RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.

RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.
Progress on Risk Assessment......continued Ms. Albana Gjinopulli, MPA Mr. Stanislav Buchkov.

Progress on Risk Assessment......continued Ms. Albana Gjinopulli, MPA Mr. Stanislav Buchkov.
G L O B A L S E R V I C E / I N D U S T R Y A U D I T / T A X / A D V I S O R Y / L I N E O F B U S I N E S S SAS 112 Presentation California State University.

G L O B A L S E R V I C E / I N D U S T R Y A U D I T / T A X / A D V I S O R Y / L I N E O F B U S I N E S S SAS 112 Presentation California State University.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.

Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
PII Breach Management and Risk Assessment

PII Breach Management and Risk Assessment
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
Operational Risk Management

Operational Risk Management
Protection Against Occupational Exposure

Protection Against Occupational Exposure
Donna Read, CRM Florida Gulf Coast ARMA Chapter February 2011.

Donna Read, CRM Florida Gulf Coast ARMA Chapter February 2011.
Irish League of Credit Unions, 2012 W E L O O K A T T H I N G S D I F F E R E N T L Y Risk Management for Credit Unions September 2013 Risk Management.

Irish League of Credit Unions, 2012 W E L O O K A T T H I N G S D I F F E R E N T L Y Risk Management for Credit Unions September 2013 Risk Management.

Similar presentations

Ads by Google