Risk Identification and Risk Assessment


Presentation on theme: "Risk Identification and Risk Assessment"— Presentation transcript:

1 Risk Identification and Risk Assessment
Bikash Bhattarai

2 Risk Management Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Risk management involves three major undertakings:
- Risk identification
- Risk assessment
- Risk control

3 Cont… Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces. Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk. Risk control is the application of controls to reduce the risks to an organization’s data and information systems.

5 Know Yourself To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it.

6 Know the Enemy This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.

7 The Roles of the Communities of Interest
The IT community in the organization takes the leadership role. Management and users, when properly trained and kept aware of the threats the organization faces, play a part in the early detection and response process. Management must also ensure that sufficient resources (money and personnel) are allocated.

8 Risk Identification A risk management strategy requires that information security professionals know their organizations’ information assets—that is, identify, classify, and prioritize them.

10 Organizational Assets
People
- Employees
  - Trusted (greater authority and accountability)
  - Other (without special privileges)
- Non-employees (contractors and consultants, partners and strangers)
Procedures
- IT and business standard procedures
- IT and business sensitive procedures: those that could be used by a threat agent to craft an attack against the organization, or that have some other content or feature that may introduce risk to the organization

11 Hardware and Networking Components
Data
- In all states (storage, transmission, processing)
Software
- Applications
- Operating systems
- Security components
Hardware and Networking Components
- Routers, switches, firewalls, UTMs, IPS/IDS, etc.

12 Attributes for People, Procedures, and Data Assets
People
- Position name/number/ID
- Supervisor name/number/ID
- Security clearance level
- Special skills
Procedures
- Description
- Intended purpose
- Software/hardware/networking elements to which it is tied
- Location where it is stored for reference
- Location where it is stored for update purposes

13 Cont… Data
- Classification
- Owner/creator/manager
- Size of data structure
- Data structure used
- Online or offline
- Location
- Backup procedures

14 Cont… Networking Assets
- Name
- IP address
- MAC address
- Asset type
- Serial number
- Manufacturer name
- Manufacturer’s model or part number
- Software version or update revision
- Physical location
- Logical location
- Controlling entity

15 Data Classification Example

16 Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, assign it a relative value. Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
- Which information asset is the most critical to the success of the organization?
- Which information asset generates the most revenue?
- Which information asset generates the highest profitability?
- Which information asset is the most expensive to replace?
- Which information asset is the most expensive to protect?
- Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

18 Information Asset Prioritization
Critical Factor
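As an added example (not from the presentation), here is the relative-valuation step carried through in code: each asset is scored against the six questions of the "Assessing Values" slide, the scores are combined with weights, and the inventory is ordered most valuable first. The criteria weights, the asset records and their scores are constructed sample values that management would normally set by judgement.

```python
from dataclasses import dataclass, field

# Criteria taken from the slide's questions; the weights are an assumed
# management judgement and must sum to 1.0 so scores stay on a 0..1 scale.
CRITERIA_WEIGHTS = {
    "critical_to_success": 0.30,
    "revenue_generated": 0.15,
    "profitability": 0.10,
    "replacement_cost": 0.15,
    "protection_cost": 0.10,
    "liability_if_compromised": 0.20,
}

@dataclass
class InformationAsset:
    name: str
    owner: str            # owner/creator/manager attribute from the data-asset slide
    classification: str   # e.g. "confidential", "internal", "public"
    scores: dict = field(default_factory=dict)  # criterion -> 0..1 comparative judgement

def weighted_score(asset, weights=CRITERIA_WEIGHTS):
    """Sum of weight * score over all criteria; an unscored criterion counts as 0."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    for criterion, score in asset.scores.items():
        if criterion not in weights:
            raise ValueError(f"unknown criterion {criterion!r} on {asset.name}")
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must lie in [0, 1]")
    return round(sum(w * asset.scores.get(c, 0.0) for c, w in weights.items()), 4)

def prioritize(assets, weights=CRITERIA_WEIGHTS):
    """Return (name, weighted score) pairs, most valuable asset first."""
    scored = [(a.name, weighted_score(a, weights)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample inventory; scores are relative judgements, not measurements.
SAMPLE_ASSETS = [
    InformationAsset("customer database", "DBA team", "confidential", {
        "critical_to_success": 1.0, "revenue_generated": 0.9, "profitability": 0.8,
        "replacement_cost": 0.7, "protection_cost": 0.6, "liability_if_compromised": 1.0}),
    InformationAsset("public web site", "Marketing", "public", {
        "critical_to_success": 0.6, "revenue_generated": 0.5, "profitability": 0.4,
        "replacement_cost": 0.3, "protection_cost": 0.3, "liability_if_compromised": 0.4}),
    InformationAsset("intranet wiki", "IT", "internal", {
        "critical_to_success": 0.3, "revenue_generated": 0.1, "profitability": 0.1,
        "replacement_cost": 0.2, "protection_cost": 0.2, "liability_if_compromised": 0.3}),
]
```

Calling prioritize(SAMPLE_ASSETS) returns the customer database first (0.88), then the web site (0.45) and the wiki (0.225); changing the weights is how a different organization's priorities are expressed without re-scoring every asset.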

19 Threat Identification
Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less cumbersome, each step in the threat identification and vulnerability identification process is managed separately and then coordinated at the end.

20 Identify and Prioritize Threats and Threat Agents
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as a threat assessment.

21 Threat to Information Security

22 Threat Assessment Not all threats have the potential to affect every organization (a 12th-floor building and a flood?).
- Which threats represent the most danger to the organization’s information?
- Cost to recover
- Which of the threats would require the greatest expenditure to prevent?

23 CIO Survey Report (1000)

24 Vulnerability Assessment
Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. At the end of the risk identification process, a list of assets and their vulnerabilities has been developed. This list serves as the starting point for the next step in the risk management process: risk assessment.
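As an added example (not from the presentation), the following code performs the review described above and on the threat assessment slide: every asset is checked against every threat, threats that cannot reach an asset at all are dropped (the 12th-floor machine and the flood), and the surviving asset/threat/vulnerability triples are ordered by asset priority, giving the list that risk assessment starts from. The asset records, the threat catalogue, its applicability tests and the priority values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str   # "data", "software" or "hardware", as on the asset slides
    floor: int        # physical-location attribute from the networking-asset slide
    online: bool      # online/offline attribute from the data-asset slide
    priority: float   # relative value carried over from asset prioritization (0..1)

@dataclass(frozen=True)
class Threat:
    name: str
    applies: Callable[[Asset], bool]  # can this threat reach this asset at all?
    vulnerability: str                # the avenue a threat agent could use if it does

# Constructed threat catalogue. The applicability tests encode the slide's point
# that not every threat affects every asset (a 12th-floor machine and a flood).
THREATS = [
    Threat("flood", lambda a: a.asset_type == "hardware" and a.floor <= 1,
           "equipment sited at ground level without water detection"),
    Threat("software attack", lambda a: a.online,
           "network-reachable service running unpatched components"),
    Threat("theft", lambda a: a.asset_type == "hardware" or not a.online,
           "item kept in a shared area without physical access control"),
]

def review(assets, threats=THREATS):
    """Check every asset against every threat, keep only the pairs where the
    threat applies, and order the result by asset priority so the most valuable
    assets head the list handed to risk assessment."""
    ranked = sorted(assets, key=lambda a: a.priority, reverse=True)
    return [(a.name, t.name, t.vulnerability)
            for a in ranked for t in threats if t.applies(a)]

# Constructed sample assets
SAMPLE_ASSETS = [
    Asset("DMZ router", "hardware", floor=12, online=True, priority=0.7),
    Asset("backup tape set", "data", floor=0, online=False, priority=0.5),
    Asset("basement file server", "hardware", floor=0, online=True, priority=0.9),
]

if __name__ == "__main__":
    for asset, threat, vuln in review(SAMPLE_ASSETS):
        print(f"{asset:22} {threat:16} {vuln}")
```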

25 Vulnerability Assessment of DMZ Router