Presentation is loading. Please wait.

Presentation is loading. Please wait.

RISK MANAGEMENT An Overview: NIPC Model

Published byLionel Barrett Modified over 5 years ago

Similar presentations

Presentation on theme: "RISK MANAGEMENT An Overview: NIPC Model"— Presentation transcript:

1 RISK MANAGEMENT An Overview: NIPC Model
IT Security Workshop for Higher Education April 2, 2004

2 Movement from Risk Avoidance to Risk Management
Risk Avoidance Model Focus on preventing loss or damage without reference to the degree of risk Risk Management Systematic and analytical process by which an organization identifies, reduces, and controls its potential risks and losses 9/22/2018 4-2-04, SB

3 What are some drivers? IT is intertwined and interdependent with critical institutional business processes Regulatory Imperatives State and federal (GLB, FERPA, HIPAA, SOX, ECPA, CFAA, USA Patriot Act, Teach Act, etc) Pace of Technological Change Centuries, decades (automobiles), now continuous Increasing sophistication of attack methods and attackers Enabling the integration and managing the risks of introducing emerging technologies 9/22/2018 4-2-04, SB

4 What is risk? Risk is a function of: Risk is the potential for an
Assets, threats, and vulnerabilities Risk is the potential for an unwanted event to occur The higher the probability and the greater the consequences, the greater the risk Stakeholder Influence - Balance stakeholder influence, expectations, and participation - IT management, HR management, VP Finance / Budget Priorities, Academic Priorities, Functional Management 9/22/2018 4-2-04, SB

5 Risk Management Approaches
Due Diligence Process Probabilistic Risk Assessment Expert-facilitated Risk Assessment Scenario-based Risk Assessment Game Theory Approaches Systems Analysis High-level Business Impact Analysis / Protection Posture Assessments Stakeholder Influence - Balance stakeholder influence, expectations, and participation - IT management, HR management, VP Finance / Budget Priorities, Academic Priorities, Functional Management 9/22/2018 4-2-04, SB

6 Risk Analysis Terms Threat Vulnerability Asset
Capability and intention of an adversary to take actions that are detrimental to an organization Vulnerability Any weakness in a control or a countermeasure that can be exploited by an adversary Asset Anything of value such as people, information, hardware, software, facilities, reputation, activities, and operations 9/22/2018 4-2-04, SB

7 Reassessing Risk and Risk Management Decisions
High-Threat, High-Consequence Almost continuous assessment with weekly updates to top management Medium-Threat, Medium-Consequence 3 to 9-month reassessment with quarterly updates to top management Low-Threat, Medium Consequence Annual reassessment and annual updates to top management 9/22/2018 4-2-04, SB

8 Some Common Errors in Risk Management
Too much trust in existing systems and protection Downplaying insider and B2B threats Lack of attention to business risks Underestimating interdependencies and complexities Misinterpretation of statistical data Underestimating the impact of incremental changes Adopting a reactive approach to risk mgmt 9/22/2018 4-2-04, SB

9 A Five Step Risk Assessment Model - NIPC
Asset assessment Threat assessment Vulnerability assessment Risk assessment Risk = Consequence X (Threat X Vulnerability) Countermeasures or controls identification 9/22/2018 4-2-04, SB

10 Risk Assessment - OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation Eight Processes Organizational and Technological Views 9/22/2018 4-2-04, SB

11 Risk Assessment Threat Examples
Key personnel Injury, death File Servers DOS attack Student data Unauthorized insider access Production facility Natural disaster 9/22/2018 4-2-04, SB

12 Risk Assessment Vulnerability Examples
Key personnel No access controls File Servers Ineffective patch management Student data Unchecked 3rd party Production facility Weak physical access controls 9/22/2018 4-2-04, SB

13 What are some benefits? Cost Justification
Enhanced Productivity Self Analysis: Organizational Integration Targeted Security Increased Security Awareness Baseline Security and Policy Consistency Communication 9/22/2018 4-2-04, SB

14 References / Contact Information “Risk Management: An Essential Guide to Protecting Critical Assets”, NIPC, 11/2002 9/22/2018 4-2-04, SB

Download ppt "RISK MANAGEMENT An Overview: NIPC Model"

Similar presentations

OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response.

GSA Office of Emergency Response and Recovery Risk Based Continuity Planning Darren J. Blue, Director, Policy and Plans, Office of Emergency Response.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.

Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Randy Marchany VA Tech Computing Center

Randy Marchany VA Tech Computing Center
The Information Systems Audit Process

The Information Systems Audit Process
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.
University of Nevada, Reno Data-Driven Organization Governance 1 Governing a data-driven organization (4/24/2014)  Define governance within organizations.

University of Nevada, Reno Data-Driven Organization Governance 1 Governing a data-driven organization (4/24/2014)  Define governance within organizations.
Operations Security (OPSEC) 301-371-1050. Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.

Operations Security (OPSEC) Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.
PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

Similar presentations

Ads by Google