Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.
Presentation transcript:

Networked Systems Survivability, CERT® Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. © 2002 Carnegie Mellon University. ® CERT, CERT Coordination Center and Carnegie Mellon are registered in the U.S. Patent and Trademark Office.

Slide 1: Information Security for Technical Staff, Module 2: Assets and Risk Management

Slide 2: Instructional Objectives
- Discuss the components of risk and the concepts of risk management
- Describe the importance of identifying and prioritizing assets
- Describe risk analysis techniques
- Identify methods of managing risks

Slide 3: Overview
- Define risk and recognize impact
- Assets, threats, vulnerabilities and safeguards
- Risk management, risk assessment and analysis

Slide 4: Risk
Risk is the possibility of suffering a loss, destruction, modification, or denial of availability of an asset.

Slide 5: Risk Impact
The nature of information and systems allows significant risks that may result in:
- Loss or compromise of critical information
- Loss or compromise of key technologies
- Loss of competitive position
- Loss of customer confidence
- Loss of trust in the organization's computers/network system
- Loss of revenue
- Loss of life or property
- Loss due to monetary fine, lawsuit, or regulatory penalty

Slide 6: Understanding Risk
Understanding risk requires:
- Identifying and prioritizing assets
- Relating threats and vulnerabilities
- Performing risk analysis
- Recognizing that risk must be managed: risk can be mitigated, but cannot be eliminated

Slide 7: Assets
- Assets and asset value
- Information assets
- Other supporting assets
- Critical assets

Slide 8: Information Assets
- Information
- Hardware
- Software
- People

Slide 9: Other Supporting Assets
- Facilities
- Utilities
- Outsourced services

Slide 10: Critical Assets
Critical assets are assets determined to have an integral relationship with the mission of the organization and its success; each individual organization will define a different set. Examples:
- Intellectual property / patents / copyrights
- Corporate financial data
- Customer sales information
- Human resource information

Slide 11: Security Requirements
Each [critical] asset has different requirements for confidentiality, integrity, and availability, which should be:
- Communicated
- Detailed
- Documented

Slide 12: Threats, Safeguards, and Vulnerabilities
- Threat: occurrence of any event that causes an undesirable impact or loss
- Safeguard: control or countermeasure employed to reduce the risk associated with a specific threat
- Vulnerability: absence or weakness of a safeguard

Slide 13: Calculating Risk Exposure
Use exposure values to:
- Prioritize the order in which risks are addressed
- Help in deciding how to manage risks
Example threats:
- A new worm attacks vulnerable systems
- Web site defacement
- Datacenter flooded by fire protection system

Slide 14: Calculating Risk (where the metric is $)
- Exposure Factor (EF): % of loss of an asset
- Single Loss Expectancy (SLE): EF x value of the asset in $
- Annualized Rate of Occurrence (ARO): a number representing the frequency of occurrence of a threat. Example: 0.0 = never, 1000 = occurs very often
- Annualized Loss Expectancy (ALE): dollar value derived from SLE x ARO

Slide 15: Simple Risk Assessment Matrix
Asset = Organization's Intranet Web Server
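The SLE/ALE arithmetic of slide 14 applied to the intranet web server of slide 15 against the three threats named on slide 13, as an added example that is not part of the original module. Every dollar value, exposure factor and rate below is constructed for illustration; the ranking shows how exposure values prioritize which risk to address first, and the last function shows how ALE supports the safeguard decision.

```python
"""Quantitative risk exposure for one asset, as slides 13-15 define it:
SLE = EF x asset value, ALE = SLE x ARO. All sample values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset's value lost in one event (0.0 to 1.0)
    annual_rate: float      # ARO: expected occurrences per year (0.0 = never)

def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = EF x value of the asset in dollars."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return ef * asset_value

def annualized_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """ALE = SLE x ARO."""
    if threat.annual_rate < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, threat.exposure_factor) * threat.annual_rate

def rank_by_exposure(asset_value: float, threats: list) -> list:
    """Order threats by ALE, highest first: the order in which the risks get addressed."""
    ranked = [(t.name, annualized_loss_expectancy(asset_value, t)) for t in threats]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

def safeguard_worthwhile(asset_value, threat, residual_ef, residual_aro, annual_cost) -> bool:
    """A safeguard is worth applying when the ALE it removes exceeds its own annual cost."""
    before = annualized_loss_expectancy(asset_value, threat)
    after = annualized_loss_expectancy(asset_value, Threat(threat.name, residual_ef, residual_aro))
    return (before - after) > annual_cost

# Constructed sample: the intranet web server of slide 15 against the three threats
# named on slide 13. The dollar figures and rates are illustrative, not from the slides.
INTRANET_WEB_SERVER_VALUE = 50_000.0
SAMPLE_THREATS = [
    Threat("new worm attacks vulnerable systems", exposure_factor=0.40, annual_rate=2.0),
    Threat("web site defacement", exposure_factor=0.10, annual_rate=1.0),
    Threat("datacenter flooded by fire protection system", exposure_factor=1.0, annual_rate=0.02),
]

if __name__ == "__main__":
    for name, ale in rank_by_exposure(INTRANET_WEB_SERVER_VALUE, SAMPLE_THREATS):
        print(f"ALE ${ale:>10,.2f}  {name}")
```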

Slide 16: Detailed Risk Assessment Matrix

Slide 17: Risk Management
Risk management is the process used to identify, analyze, and mitigate risk (comprised of threats, vulnerabilities, safeguards and assets), and to provide strategies for sustaining the security requirements of an information asset.

Slide 18: Managing Risks
- Accept: acknowledge that the risk exists, but apply no safeguard (the exposure value is within tolerance)
- Transfer: shift responsibility for the risk to a third party (ISP, MSSP, insurance, etc.)
- Mitigate: change the asset's risk exposure (apply a safeguard)
- Avoid: eliminate the asset's exposure to risk, or eliminate the asset altogether

Slide 19: Risk Transference Issues
- Outsourcing risk
- Trust dilemma
- Residual risk

Slide 20: Review Questions
1. What are the components of risk?
2. Why do we prioritize one asset over another?
3. What two properties are analyzed and calculated as part of a simple risk assessment?
4. What are a few of the items completed in a risk assessment?

Slide 21: Module Summary
- Assets and asset value must be understood
- Risk can be both qualitative and quantitative
- Risk management
- Risk can be mitigated, but never eliminated