Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment = Risky Business

Published byKristina Lindsey Modified over 5 years ago

Similar presentations

Presentation on theme: "Risk Assessment = Risky Business"— Presentation transcript:

1 Risk Assessment = Risky Business

2 Pop Quiz: Which Presents a Greater Risk?
The correct answer is “risk to what?” Also, Eliot is a fictional character, so the lion wins by default.

3 Risk Assessment “The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.”

4 What is risk? “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”

5 … in other words Risk Likelihood Impact

6 Where to assess risk? Scope is fundamental question:
All assets or just some? Specific types of data (cardholder data, ePHI, etc.) Specific business units, processes, and workflows?

7 Threats vs Vulnerabilities
Examples of Vulnerabilities Injection Attack Broken Authentication and Session Management Cross-Site Scripting (XSS) Broken Access Control Security Misconfiguration Examples of Threats Adversarial Discovery Adversarial Lateral Movement Execution of Adversary Code Data Collection Exfiltration of Data and Information Command and Control

8 What’s your process? Spreadsheets
Tool specific to { healthcare | banking | etc. } GRC Suite Multiple tools

9 Risk Assessment Principles
Don’t Repeat Yourself We like reusable pieces Convention over Configuration All assets of type x will likely have same threats, but maybe different risk score Defaults should be built to accommodate

10 Our Risk Assessment Process
Based on Known Frameworks (PCI requirement) NIST OCTAVE Allegro Utilize Universal Data Threats and Vulnerabilities are fed by MITRE, OWASP Controls map to frameworks (NIST , CIS Top 20) Threats, Controls, and Vulnerabilities are Universal

11 SynerComm Risk Assessment App
Single Page App Universal Data Included Two phases Phase 1: SynerComm Audit Tool Phase 2: Self-hosted

12 SynerComm Risk Assessment Methodology
Step 1: Establish Ranking Criteria Step 2: Determine Risk Assessment Scope Step 3: Identify Relevant Threats, Vulnerabilities, and Controls Step 4: Determine Initial Impact and Initial Risk Scores Step 5: Evaluate Control Effectiveness Step 6: Perform System and Zone Risk Assessment Step 7: Report on Risk

13 Step 1: Establish Ranking Criteria
Consider commonly-used data types: ePHI cardholder data (CHD/PCI) PII financial data IP Data types may also include qualities: single-point of failure large data store mobile data

14 Step 2: Determine Risk Assessment Scope
As we set scope, SynerComm will work with the client to collect three fundamental characteristics for each asset: Asset role Web server Database server Application server Firewall Removable media Data type System and zone association Grouping of assets based on common data type and/or business purpose

15 Step 3: Identify Relevant Threats, Vulnerabilities, and Controls
SynerComm will leverage common threat information: MITRE Corporation (MITRE) Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) model Other threat events, such as non-adversarial threats SynerComm will evaluate vulnerabilities: NIST National Vulnerability Database (NVD) Common Weakness Enumeration (CWE) Open Web Application Security Project (OWASP) Top 10 SynerComm will identify control types to mitigate threat events: Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC)

16 Step 4: Determine Initial Impact and Initial Risk Scores
SynerComm assigns relevant threats, vulnerabilities, and control types based on asset role. The initial impact for a system or zone is the sum of the asset impact values for all assigned assets. SynerComm then uses the mean initial impact score of all systems as a baseline risk score for all systems in the risk assessment. The mean impact score becomes the highest risk threshold for risk values.

17 Step 5: Evaluate Control Effectiveness
SynerComm uses the list of control types identified in Step 3 as a basis to begin collecting and evaluating client controls. SynerComm scores the control based on: the control implementation status (not implemented, out-of-date, partially implemented, fully implemented), documentation of the control (not documented, out-of-date, full documentation), control test performance (not tested, failed test, passed test), and control function (preventive, detective, corrective, or insurance).

18 Step 6: Perform System and Zone Risk Assessments
SynerComm uses the controls evaluated in Step 5 to derive the residual risk score. SynerComm classifies the residual risk score into risk levels. SynerComm will consider any additional threats, vulnerabilities, or controls relevant to the in-scope assets.

19 THANK YOU (QUESTIONS?)

Download ppt "Risk Assessment = Risky Business"

Similar presentations

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
The Information Systems Audit Process

The Information Systems Audit Process
Risk Assessment Frameworks

Risk Assessment Frameworks
Vulnerability Assessments

Vulnerability Assessments
Brian Markham Director, DIT Compliance and Risk Services May 1, 2014

Brian Markham Director, DIT Compliance and Risk Services May 1, 2014
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.

SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google