Security Risk Assessment Applied Risk Management July 2002.
What is Risk?
Risk is:
- Something that creates a hazard
- A cost of doing business
Risk can never be eliminated, merely reduced to an acceptable level

Risk Management
Allocation of resources based upon informed choice
To manage risk you must:
- Understand what must be protected
- Understand the hostile environment
- Understand the limits of your control
- Understand the consequences
Risk can then be quantified, prioritized, and lowered to an acceptable level

The Elements of Risk
Risk includes the following three elements:
- Asset: the entity requiring protection
- Threat: the event creating the hostile environment
- Vulnerability: a deficiency creating the hazard
(Assets may have multiple threats and vulnerabilities)
Threats exploit vulnerabilities to harm an asset

The Security Domain
The security domain defines limits to organizational control
The Security Domain:
- Is defined by physical and logical perimeter boundaries
  – Physical walls and fences
  – External router/firewall interfaces
- Includes assets that are by definition controllable
- Establishes scope of Threat Analysis

Risk Strategies
Risk may be:
- Mitigated by the deployment of countermeasures
- Transferred via insurance or assignment
- Accepted when the cost of protection exceeds harm
Strategy selection is based upon Cost Benefit Analysis

The Security Risk Assessment: Applied Risk Management
The Security Risk Assessment is:
- A method to identify and understand limits to organizational control (scope)
- A tool to identify organizational assets, threats, and vulnerabilities (threat analysis)
- A process to quantify hazards based upon probability and harm (risk prioritization)
- A means to justify risk management strategies and allocation of assets (cost benefit analysis)

Risk Assessment Process
- Define Security Domain
- Identify assets
- Identify threats
- Identify vulnerabilities
- Determine probability
- Determine harm
- Calculate risk
Risk may now be managed

Assets
That which is of value to the organization
Tangible Assets
- Buildings
- Employees
- Data processing equipment
Intangible Assets
- Intellectual property
- Goodwill

Threats
Realistic events with potential harm
Natural Threats
- Acts of God
Accidental Threats
- Worker illness
- Equipment failure
Intentional Threats
- Asset theft
- Asset tampering

Vulnerabilities
The chinks in the armor
Vulnerabilities may be found in:
- Location
- Skills
- Continuity planning
- Access controls
- Network monitoring

Probability
Frequency with which a threat will exploit a vulnerability, independent of harm
The probability of each asset/threat/vulnerability combination should be quantified

Probability   Definition                 Scale
Negligible    Unlikely to occur          0
Very Low      2-3 times every 5 years    1
Low           <= once per year           2
Medium        <= once every 6 months     3
High          <= once per month          4
Very High     >= once per month          5
Extreme       >= once per day            6

Harm
Impact if a threat exploits a vulnerability, independent of probability
The harm of each asset/threat/vulnerability combination should be quantified

Harm           Definition                                                                                   Scale
Insignificant  No impact                                                                                    0
Minor          No extra effort required to repair                                                           1
Significant    Tangible harm / extra effort required to repair                                              2
Damaging       Significant expenditure of resources required; damage to reputation and confidence           3
Serious        Extended outage and/or loss of connectivity; compromise of large amounts of data or service  4
Grave          Permanent shutdown; complete compromise                                                      5

Risk = Probability X Harm
Quantification based on both frequency and impact
The risk of each asset/threat/vulnerability combination should be calculated

Scale   Definition
0       NIL
1-3     Low
4-7     Medium
8-14    High
15-19   Critical
20-30   Extreme

Example Matrix

Asset                    Threat                 Vulnerability                   Prob  Harm  Risk     Control
Data Center              Flood                  Proximity to river              0     5     NIL      Not in 100 year flood plain
System Administrator     Absence                Lack of cross training          4     2     HIGH     No funding. Risk accepted
Web Server               Disk crash             Insufficient backup             2     3     MEDIUM   Daily data backup. Spare hardware onsite
Research work            Theft                  Communication channel security  1     4     MEDIUM   Data Protection Standard requires encryption for external communications
Organization Reputation  Server unavailability  External internet interfaces    5     4     EXTREME  DDoS filters enabled on all external interfaces
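The probability and harm scales, the Risk = Probability X Harm banding and the example matrix above, worked through in Python as an added example that is not part of the original deck. The Entry record, the input validation and the harm tie-break in prioritized() are this example's own choices, not anything the slides specify.

```python
from typing import NamedTuple

# Scales transcribed from the slides: probability 0-6, harm 0-5.
PROBABILITY = {"Negligible": 0, "Very Low": 1, "Low": 2, "Medium": 3,
               "High": 4, "Very High": 5, "Extreme": 6}
HARM = {"Insignificant": 0, "Minor": 1, "Significant": 2,
        "Damaging": 3, "Serious": 4, "Grave": 5}
# Risk bands from the Risk = Probability X Harm slide: (inclusive upper bound, label).
RISK_BANDS = [(0, "NIL"), (3, "LOW"), (7, "MEDIUM"), (14, "HIGH"),
              (19, "CRITICAL"), (30, "EXTREME")]

class Entry(NamedTuple):  # one asset/threat/vulnerability combination (this example's own record type)
    asset: str
    threat: str
    vulnerability: str
    prob: int
    harm: int
    control: str

def risk_score(prob: int, harm: int) -> int:
    """Risk = Probability X Harm; rejects values outside the slide scales."""
    if prob not in PROBABILITY.values() or harm not in HARM.values():
        raise ValueError(f"out-of-scale inputs: prob={prob}, harm={harm}")
    return prob * harm

def risk_label(score: int) -> str:
    """Map a 0-30 score onto the NIL..EXTREME bands."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} exceeds the 30-point scale")

def prioritized(register):
    """Highest risk first; ties broken by harm (a tie-break assumed here, not given on the slides)."""
    return sorted(register, key=lambda e: (risk_score(e.prob, e.harm), e.harm), reverse=True)

# The example matrix from the slides, re-entered as data (controls abbreviated).
EXAMPLE_MATRIX = [
    Entry("Data Center", "Flood", "Proximity to river", 0, 5, "Not in 100 year flood plain"),
    Entry("System Administrator", "Absence", "Lack of cross training", 4, 2, "No funding. Risk accepted"),
    Entry("Web Server", "Disk crash", "Insufficient backup", 2, 3, "Daily data backup. Spare hardware onsite"),
    Entry("Research work", "Theft", "Communication channel security", 1, 4, "Encryption required for external communications"),
    Entry("Organization Reputation", "Server unavailability", "External internet interfaces", 5, 4, "DDoS filters on all external interfaces"),
]

for e in prioritized(EXAMPLE_MATRIX):  # the prioritized register the slides say risk management starts from
    score = risk_score(e.prob, e.harm)
    print(f"{score:2d} {risk_label(score):8s} {e.asset}: {e.threat} via {e.vulnerability} -> {e.control}")
```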

Benefits
The Security Risk Assessment will:
- Clarify the limits of control
- Quantify the threat environment
- Prioritize and justify business decisions
- Document due diligence