Risk management.


Risk management

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level.

Risk management terms:
- Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
- A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
- A threat is anything (man-made or an act of nature) that has the potential to cause harm.

The Code of Practice for Information Security Management recommends examining the following areas during a risk assessment:
1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Regulatory compliance

The risk management process consists of:
1. Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
2. Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
3. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
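The six steps above can be carried through as a small quantitative calculation. The following Python script is an added example, not part of the original presentation: it values two assets, attaches a threat to each with an estimated annual probability of exploitation and an impact fraction, and then checks whether each candidate control is cost-effective (step 5 and 6). It uses the standard annualized loss expectancy model (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence), which the slides do not name explicitly; all asset values, probabilities and control costs are constructed sample figures.

```python
"""Worked risk-assessment calculation (added example, not from the slides).

Follows the six-step process: value assets, assess threats, estimate the
probability of exploitation, calculate impact, select controls proportionally,
and evaluate whether each control is cost-effective.

Model (an assumption of this example; the slides only say "quantitative analysis"):
    SLE = asset value * exposure factor          (loss per single occurrence)
    ALE = SLE * annual rate of occurrence (ARO)  (expected loss per year)
All figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # step 1: estimated value of the asset


@dataclass
class Threat:
    description: str
    asset: str              # name of the asset the threat acts on
    aro: float              # step 3: expected occurrences per year
    exposure_factor: float  # step 4: fraction of asset value lost per occurrence (0..1)


@dataclass
class Control:
    name: str
    kind: str               # administrative / logical / physical
    annual_cost: float
    mitigates: str          # threat description the control addresses
    aro_reduction: float    # fraction by which the control lowers the ARO (0..1)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    return single_loss_expectancy(asset, threat) * threat.aro


def control_benefit(asset: Asset, threat: Threat, control: Control) -> float:
    """Annual loss avoided by the control minus its annual cost.

    A positive value means the control is a proportional, cost-effective
    response (step 5); a negative value means it costs more than it saves.
    """
    before = annualized_loss_expectancy(asset, threat)
    after = before * (1.0 - control.aro_reduction)
    return before - after - control.annual_cost


def select_controls(assets, threats, controls):
    """Return (control name, net annual benefit) for every cost-effective control.

    Each control is evaluated on its own against the threat it mitigates;
    overlapping controls for the same threat are not combined.
    """
    by_name = {a.name: a for a in assets}
    chosen = []
    for control in controls:
        for threat in threats:
            if threat.description != control.mitigates:
                continue
            net = control_benefit(by_name[threat.asset], threat, control)
            if net > 0:
                chosen.append((control.name, round(net, 2)))
    return chosen


# Constructed sample inventory (steps 1 and 2).
ASSETS = [
    Asset("customer database", 500_000.0),
    Asset("office file server", 40_000.0),
]
THREATS = [
    Threat("credential theft via phishing", "customer database",
           aro=0.5, exposure_factor=0.5),
    Threat("fire in server room", "office file server",
           aro=0.02, exposure_factor=1.0),
]
CONTROLS = [
    Control("security awareness training", "administrative", 15_000.0,
            "credential theft via phishing", aro_reduction=0.5),
    Control("multi-factor authentication", "logical", 8_000.0,
            "credential theft via phishing", aro_reduction=0.75),
    Control("gas fire suppression system", "physical", 5_000.0,
            "fire in server room", aro_reduction=0.8),
]

if __name__ == "__main__":
    for name, net in select_controls(ASSETS, THREATS, CONTROLS):
        print(f"adopt {name}: net annual benefit {net:,.2f}")
```

With these sample figures the phishing threat carries an ALE of 125,000, so both the administrative and the logical control pay for themselves, while the fire suppression system costs more per year than the 800 expected annual loss it protects against and is therefore not a proportional response at that price. In practice the ARO and exposure-factor estimates are the weak point of the model; they should be revisited in step 6 once the controls have been in place for a while.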

The types of controls in risk management are:
1. Administrative
2. Logical
3. Physical

1. Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. Examples of administrative controls are the corporate security policy, password policy, hiring policies, and disciplinary policies.

2. Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Examples of logical controls are passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption.

3. Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. Examples include doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, and cable locks.