Risk Management: Principles of risk, Types of risk and Risk strategies by Erlan Bakiev, Ph.D.
About … Risk Management
Risk Management “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” 知己知彼,百戰不貽;不知彼而知己,一勝一負;不知彼不知己,每戰必敗。 (Sun Tzu) RISK MANAGEMENT “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu)
Know Ourselves First, we must identify, examine, and understand the information, and systems, currently in place In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we have to understand everything about the information Once we have examined these aspects, we can then look at what we are already doing to protect the information and systems from the threats KNOW OURSELVES First, we must identify, examine, and understand the information, and systems, currently in place. In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we have to understand everything about the information. Once we have examined these aspects, we can then look at what we are already doing to protect the information and systems from the threats.
Know the Enemy For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization KNOW THE ENEMY Informed of our own nature, and aware of our own weaknesses, we must then know the enemy. For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets. We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization.
What is Risk Management? Who uses Risk Management? How is Risk Management used?
What is Risk Management? Good management practice Process steps that enable improvement in decision making A logical and systematic approach Identifying opportunities Avoiding or minimising losses
What is Risk Management? Risk Management is the name given to a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process.
What is Risk Management? Risk Management is a methodology that helps managers make best use of their available resources
Who uses Risk Management? Risk Management practices are widely used in public and the private sectors, covering a wide range of activities or operations. These include: Finance and Investment Insurance Health Care Public Institutions Governments
Who uses Risk Management? Effective Risk Management is a recognised and valued skill. Educational institutions have formal study courses and award degrees in Risk Management. The Risk Management process is well established. (International RM process standards.)
Risk Management is now an integral part of business planning. Who uses Risk Management? Risk Management is now an integral part of business planning.
How is Risk Management used? There are 7 steps in the RM process The Risk Management process steps are a generic guide for any organisation, regardless of the type of business, activity or function.
Establish the context Identify the risks Analyse the risks The basic process steps are: Establish the context Identify the risks Analyse the risks Evaluate the risks Treat the risks
Communication & consultation ‘Risk’ is dynamic and subject to constant change, so the process includes continuing: Monitoring and review and Communication & consultation
Establish the context Communicate & consult The Risk Management process: Establish the context The strategic and organisational context in which risk management will take place. For example, the nature of your business, the risks inherent in your business and your priorities. Communicate & consult
Identify the risks Monitor and review Communicate & consult The Risk Management process: Identify the risks Defining types of risk, for instance, ‘Strategic’ risks to the goals and objectives of the organisation. Identifying the stakeholders, (i.e.,who is involved or affected). Past events, future developments. Monitor and review Communicate & consult
Analyse the risks Monitor and review Communicate & consult The Risk Management process: Analyse the risks How likely is the risk event to happen? (Probability and frequency?) What would be the impact, cost or consequences of that event occurring? (Economic, political, social?) Monitor and review Communicate & consult
Evaluate the risks Monitor and review Communicate & consult The Risk Management process: Evaluate the risks Rank the risks according to management priorities, by risk category and rated by likelihood and possible cost or consequence. Determine inherent levels of risk. Monitor and review Communicate & consult
The Risk Management process: Treat the risks Develop and implement a plan with specific counter-measures to address the identified risks. Consider: Priorities (Strategic and operational) Resources (human, financial and technical) Risk acceptance, (i.e., low risks)
Treat the risks Monitor and review Communicate & consult The Risk Management process: Treat the risks Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen. Record allocated responsibilities, monitoring or evaluation processes, and assumptions on residual risk. Monitor and review Communicate & consult
Monitor and review Communicate & consult The Risk Management process: Monitor and review In identifying, prioritising and treating risks, organisations make assumptions and decisions based on situations that are subject to change, (e.g., the business environment, trading patterns, or government policies). Risk Management policies and decisions must be regularly reviewed. Communicate & consult
Monitor and review Communicate & consult The Risk Management process: Monitor and review Risk Managers must monitor activities and processes to determine the accuracy of planning assumptions and the effectiveness of the measures taken to treat the risk. Methods can include data evaluation, audit, compliance measurement. Communicate & consult
Communication & consultation The Risk Management process: Establish the context Identify the risks Communication & consultation Analyse the risks Monitoring and review Evaluate the risks Treat the risks
Accountability for Risk Management It is the responsibility of each community of interest to manage risks; each community has a role to play: Information Security - best understands the threats and attacks that introduce risk into the organization Management and Users – play a part in the early detection and response process - they also insure sufficient resources are allocated Information Technology – must assist in building secure systems and operating them safely Accountability for Risk Management It is the responsibility of each of the organization’s communities of interest to manage the risks the organization encounters. Each community of interest has a role to play. Information Security - best understand the threats and attacks that introduce risk into the organization. Management and Users – play a part in the early detection and response process. They also insure sufficient resources) are allocated Information Technology – must assist in building secure systems and operating them safely. General management, IT management, and information security management are accountable for identifying and classifying risk. All three communities of interest are also responsible for: Evaluating the risk controls Determining which control options are cost effective for the organization Acquiring or installing the needed controls Overseeing that the controls remain effective in controlling risk
Accountability for Risk Management All three communities must also: Evaluate the risk controls Determine which control options are cost effective Assist in acquiring or installing needed controls Ensure that the controls remain effective Accountability for Risk Management It is the responsibility of each of the organization’s communities of interest to manage the risks the organization encounters. Each community of interest has a role to play. Information Security - best understand the threats and attacks that introduce risk into the organization. Management and Users – play a part in the early detection and response process. They also insure sufficient resources) are allocated Information Technology – must assist in building secure systems and operating them safely. General management, IT management, and information security management are accountable for identifying and classifying risk. All three communities of interest are also responsible for: Evaluating the risk controls Determining which control options are cost effective for the organization Acquiring or installing the needed controls Overseeing that the controls remain effective in controlling risk
Risk Management Process Management reviews asset inventory The threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current The potential controls and mitigation strategies should be reviewed for completeness The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited Further, managers of all levels are accountable on a regular schedule for ensuring the ongoing effectiveness of every control deployed Risk management process 1) The first focus of management review is asset inventory. 2) Next the threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current, and the potential controls and mitigation strategies should be reviewed for completeness. 3) The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited. 4) Further, managers of all levels are accountable on a regular schedule for insuring the ongoing effectiveness of every control deployed.
Risk Identification A risk management strategy calls on us to “know ourselves” by identifying, classifying, and prioritizing the organization’s information assets These assets are the targets of various threats and threat agents and our goal is to protect them from these threats Next comes threat identification: Assess the circumstances and setting of each information asset Identify the vulnerabilities and begin exploring the controls that might be used to manage the risks Risk Identification A risk management strategy calls on us to “know ourselves” by identifying, classifying, and prioritizing the organization’s information assets. These assets are the targets of various threats and threat agents and our goal is to protect them from these threats. Once we have gone through the process of self-examination, we then move into threat identification. We must assess the circumstances and setting of each information asset. To begin managing the risk from the vulnerabilities, we must identify those vulnerabilities and begin exploring the controls that might be used to manage the risks. We begin the process by identifying and assessing the value of our information assets.
Asset Identification and Valuation This iterative process begins with the identification of assets, including all of the elements of an organization’s system: people, procedures, data and information, software, hardware, and networking elements Then, we classify and categorize the assets adding details as we dig deeper into the analysis Asset Identification and Valuation This iterative process begins with the identification of assets, including all of the elements of an organization’s system: people, procedures, data and information, software, hardware and networking elements. Then, we classify and categorize the assets adding details as we dig deeper into the analysis.
People, Procedures, and Data Asset Identification Unlike the tangible hardware and software elements, the human resources, documentation, and data information assets are not as readily discovered and documented These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment As these elements are identified, they should also be recorded into some reliable data handling process People, Procedures, and Data Asset Identification Unlike the tangible hardware and software elements already described, the human resources, documentation, and data information assets are not as readily discovered and documented. These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment. As these elements are identified, they should also be recorded into some reliable data handling process.
Asset Information for People Position name/number/ID – try to avoid names and stick to identifying positions, roles, or functions Supervisor Security clearance level Special skills People, Procedures, and Data Asset Identification For People: Position name/number/ID – try to stay aware from names and stick to identifying positions, roles or functions Supervisor Security clearance level Special skills
Asset Information for Procedures Description Intended purpose What elements is it tied to Where is it stored for reference Where is it stored for update purposes People, Procedures, and Data Asset Identification For Procedures: Description Intended purpose What elements is it tied to Where is it stored for reference Where is it stored for update purposes
Asset Information for Data Classification Owner/creator/manager Size of data structure Data structure used – sequential, relational Online or offline Where located Backup procedures employed People, Procedures, and Data Asset Identification For Data: Classification Owner/creator/manager Size of data structure Data structure used – sequential, relational Online or offline Where located Backup procedures employed
Hardware, Software, and Network Asset Identification What attributes of each of these information assets should be tracked? When deciding which information assets to track, consider including these asset attributes: Name IP address MAC address Element type Serial number Manufacturer name Manufacturer’s model number or part number Software version, update revision, or FCO number Physical location Logical location Controlling entity Hardware, Software, and Network Asset Identification What attributes of each of these information assets should be tracked? When deciding which information assets to track, consider including these asset attributes: Name IP address MAC address Element Type DeviceClass = S (server) DeviceOS = W2K (windows 2000) DeviceCapacity = AS (Advanced Server) Serial number Manufacturer Name Manufacturer’s Model Number or Part Number Software Version, Update Revision, or FCO number Physical Location Logical location Controlling Entity Principles of Information Security - Chapter 4
Hardware, Software, and Network Asset Identification Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components Once created, the inventory listing must be kept current, often through a tool that periodically refreshes the data Hardware, Software, and Network Asset Identification Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components. Once created and stored, the inventory listing must be kept current, often through a tool that periodically refreshes the data. Principles of Information Security - Chapter 4