
Risk management.



Presentation on theme: "Risk management."— Presentation transcript:

1 Risk management

2 Risk management
Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level.

3 Risk management
- Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
- A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
- A threat is anything (man-made or an act of nature) that has the potential to cause harm.

4 The Code of practice for information security management
recommends covering the following areas during a risk assessment:
1- security policy,
2- organization of information security,
3- asset management,
4- human resources security,
5- physical and environmental security,
6- communications and operations management,
7- access control,
8- information systems acquisition, development and maintenance,
9- information security incident management,
10- business continuity management,
11- regulatory compliance.

5 The risk management process consists of:
1. Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
2. Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
3. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.

6 The types of controls in risk management
1- Administrative
2- Logical
3- Physical

7 1- Administrative
Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. Examples of administrative controls are the corporate security policy, password policy, hiring policies, and disciplinary policies.

8 2- Logical
Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Examples of logical controls: passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption.

9 3- Physical
Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.
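The six-step process from slide 5 and the three control types from slides 6 to 9, worked through in code. This is an added example, not part of the presentation: the asset values, probabilities, impacts and control costs are constructed sample figures, and the quantitative model (expected loss = asset value x probability x impact fraction, with controls cutting a threat's probability by a fixed fraction) is an assumed one that the slides leave unspecified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # the asset it endangers
    probability: float  # step 3: probability the vulnerability is exploited (assumed: per year)
    impact: float       # step 4: fraction of the asset's value lost if the threat materialises

@dataclass(frozen=True)
class Control:
    name: str
    kind: str           # administrative, logical or physical (slides 6 to 9)
    threat: str         # the threat it counters
    cost: float         # cost of operating the control (assumed: per year)
    reduction: float    # fraction by which it cuts the threat's probability

# Step 1: assets and their estimated value. Constructed sample figures, not from the slides.
ASSET_VALUES = {"customer database": 500_000.0, "server room": 200_000.0}
# Steps 2 and 3: threats paired with the probability that the matching vulnerability is exploited.
THREATS = [
    Threat("ransomware", "customer database", 0.3, 0.5),
    Threat("fire", "server room", 0.02, 1.0),
    Threat("insider misuse", "customer database", 0.1, 0.2),
]
CONTROLS = [
    Control("network IDS", "logical", "ransomware", 20_000.0, 0.6),
    Control("fire suppression", "physical", "fire", 5_000.0, 0.9),
    Control("hiring and disciplinary policy", "administrative", "insider misuse", 2_000.0, 0.5),
]

def expected_loss(asset_values, threat):
    """Step 4 in quantitative form (assumed model): asset value x probability x impact fraction."""
    return asset_values[threat.asset] * threat.probability * threat.impact

def assess(asset_values, threats, controls):
    """Steps 5 and 6: keep a control only when the loss it prevents exceeds its cost,
    then report the expected loss that remains with the chosen controls in place."""
    by_name = {t.name: t for t in threats}
    remaining = {t.name: 1.0 for t in threats}  # share of each threat's probability still present
    chosen = []
    for c in controls:
        prevented = expected_loss(asset_values, by_name[c.threat]) * c.reduction
        if prevented > c.cost:                   # proportional response: benefit must outweigh cost
            chosen.append(c.name)
            remaining[c.threat] *= 1.0 - c.reduction
    residual = sum(expected_loss(asset_values, t) * remaining[t.name] for t in threats)
    return chosen, round(residual, 2)
```

With these figures the fire suppression system is rejected because the loss it would prevent (3,600) is below its cost (5,000), which is the proportional-response check of step 5; the other two controls bring the total expected loss from 89,000 down to 39,000.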

