Risk Identification and Risk Assessment


Risk Identification and Risk Assessment Bikash Bhattarai

Risk Management Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Risk management involves three major undertakings: risk identification, risk assessment, and risk control.

Cont… Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces. Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk. Risk control is the application of controls to reduce the risks to an organization’s data and information systems.

Know Yourself To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it.

Know the Enemy This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.

The Roles of the Communities of Interest The IT community in the organization takes leadership. Management and users, when properly trained and kept aware of the threats the organization faces, play a part in the early detection and response process. Management must also ensure that sufficient resources (money and personnel) are allocated.

Risk Identification A risk management strategy requires that information security professionals know their organizations’ information assets—that is, identify, classify, and prioritize them.

Organizational Assets People: employees, either trusted (greater authority and accountability) or other (without special privileges); non-employees (contractors and consultants, partners, and strangers). Procedures: IT and business standard procedures, and IT and business sensitive procedures, i.e., those that could be used by a threat agent to craft an attack against the organization or that have some other content or feature that may introduce risk to the organization.

Data, Software, Hardware and Networking Components Data: in all states (stored, in transit, and being processed). Software: applications, operating systems, and security components. Hardware and networking components: routers, switches, firewalls, UTM appliances, IPS/IDS, etc.

Attributes for People, Procedures, and Data Assets People: position name/number/ID; supervisor name/number/ID; security clearance level; special skills. Procedures: description; intended purpose; software/hardware/networking elements to which it is tied; location where it is stored for reference; location where it is stored for update purposes.

Cont… Data: classification; owner/creator/manager; size of data structure; data structure used; online or offline; location; backup procedures.

Cont… Networking assets: name; IP address; MAC address; asset type; serial number; manufacturer name; manufacturer’s model or part number; software version or update revision; physical location; logical location; controlling entity.

Data Classification Example

Assessing Values for Information Assets As each information asset is identified, categorized, and classified, assign a relative value. Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example: Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue? Which information asset generates the highest profitability? Which information asset is the most expensive to replace? Which information asset is the most expensive to protect? Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

Information Asset Prioritization Critical Factor

Threat Identification Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less cumbersome, each step in the threat identification and vulnerability identification process is managed separately and then coordinated at the end.

Identify and Prioritize Threats and Threat Agents Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as a threat assessment.

Threat to Information Security

Threat Assessment Not all threats have the potential to affect every organization (does a flood threaten an office on the 12th floor?). Which threats represent the most danger to the organization’s information? How much would it cost to recover from a successful attack? Which of the threats would require the greatest expenditure to prevent?
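The asset prioritization worksheet and the threat assessment questions above both reduce to the same arithmetic: weighted factor analysis, in which each criterion carries a weight and each asset or threat a score per criterion. The following is an added example, not code from the slides; the criterion weights, the asset and threat names, and their scores are all constructed for illustration.

```python
# Added example, not from the slides: weighted factor analysis behind the asset
# prioritization worksheet and the threat assessment questions. Each criterion
# carries a weight (weights total 100) and each item a 0.0-1.0 score per
# criterion; the weighted score is the sum of weight * score.

# Asset criteria are the six questions from the slide; the weights are constructed.
ASSET_CRITERIA = {"critical_to_success": 30, "revenue": 15, "profitability": 15,
                  "cost_to_replace": 10, "cost_to_protect": 10,
                  "embarrassment_or_liability": 20}
# Threat criteria are the three threat assessment questions; weights constructed.
THREAT_CRITERIA = {"danger_to_information": 50, "cost_to_recover": 25,
                   "cost_to_prevent": 25}


def weighted_factor_rank(items, criteria):
    """Rank {name: {criterion: score}} items; return [(name, score)] highest first.
    Rejects weights that do not total 100 and items with a missing or
    out-of-range score, so a half-filled worksheet cannot silently rank low."""
    if sum(criteria.values()) != 100:
        raise ValueError("criterion weights must total 100")
    ranked = []
    for name, scores in items.items():
        missing = sorted(set(criteria) - set(scores))
        if missing:
            raise ValueError(f"{name}: no score for {missing}")
        total = 0.0
        for crit, weight in criteria.items():
            if not 0.0 <= scores[crit] <= 1.0:
                raise ValueError(f"{name}: {crit} score must be in [0, 1]")
            total += weight * scores[crit]
        ranked.append((name, round(total, 1)))
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample scores (the asset and threat names are hypothetical).
SAMPLE_ASSETS = {
    "customer_db": dict(critical_to_success=1.0, revenue=0.9, profitability=0.8,
                        cost_to_replace=0.6, cost_to_protect=0.7, embarrassment_or_liability=1.0),
    "edi_order_link": dict(critical_to_success=0.8, revenue=1.0, profitability=0.9,
                           cost_to_replace=0.4, cost_to_protect=0.5, embarrassment_or_liability=0.5),
    "hr_procedures": dict(critical_to_success=0.3, revenue=0.1, profitability=0.1,
                          cost_to_replace=0.2, cost_to_protect=0.2, embarrassment_or_liability=0.6),
}
SAMPLE_THREATS = {
    "phishing": dict(danger_to_information=0.9, cost_to_recover=0.6, cost_to_prevent=0.4),
    "flood": dict(danger_to_information=0.1, cost_to_recover=0.8, cost_to_prevent=0.7),
    "hardware_failure": dict(danger_to_information=0.6, cost_to_recover=0.5, cost_to_prevent=0.6),
}
```

Calling `weighted_factor_rank(SAMPLE_ASSETS, ASSET_CRITERIA)` puts the customer database first and the HR procedures last; the same call with `SAMPLE_THREATS` and `THREAT_CRITERIA` ranks flooding lowest for this office, matching the 12th-floor remark.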

CIO Survey Report (1000)

Vulnerability Assessment Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. At the end of the risk identification process, a list of assets and their vulnerabilities has been developed. This list serves as the starting point for the next step in the risk management process: risk assessment.

Vulnerability Assessment of DMZ Router