Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,

Published byDamian Hancock Modified over 8 years ago

Similar presentations

Presentation on theme: "INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,"— Presentation transcript:

1 INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Introduction Information security departments are created primarily to manage IT risk In any well-developed risk management program, two formal processes are at work – Risk identification and assessment – Risk control

3 Risk Management “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

4 Knowing Yourself & The Enemy Identifying, examining and understanding the information and how it is processed, stored, and transmitted Identifying, examining, and understanding the threats facing the organization’s information assets

5 Communities of Interest: All Play a role Information Security Information Technology Management and Users

6 Risk Terminology Asset & Asset valuation Threat Vulnerability Exposure Risk

7 Risk Terminology

8 Asset Identification Identify organization’s information assets Inventory: software/hardware, and networking elements More easily tracked (automated inventory system) People, procedures, data and info May take more time / ongoing

9 Creating an Inventory of Information Assets Determine which attributes of each information asset should be tracked Potential asset attributes – Name, IP address – MAC address, asset type – Physical location, logical location – Controlling entity

10 Creating an Inventory of Information Assets (cont’d.) Identifying people, procedures and data assets Sample attributes – People - Position name/number/ID – Procedures – Description/Intended purpose – Data – Classification & Owner/creator/manager

11 Asset: Classifying and Categorizing Determine whether the asset categories are meaningful Inventory should also reflect each asset’s sensitivity and security priority Classification categories must be comprehensive and mutually exclusive Not one schema for all assets

12 Asset Valuation Assign a relative value: – As each information asset is identified, categorized, and classified Goal: assign value to encompass both tangible and intangible costs

13 Importance of Assets List the assets in order of importance Achieved by using a weighted factor analysis worksheet

14 Risk Terminology

15 Threat Identification Any organization typically faces a wide variety of threats

16 Threat Assessment Each threat presents a unique challenge to information security Each must be further examined to determine its potential to affect the targeted information asset

17 Threat Identification (cont’d.) Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission Weighted ranks of threats to information security

18 Vulnerability Assessment – Review every information asset for each threat – Leads to the creation of a list of vulnerabilities that remain potential risks to the organization Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

19 Vulnerability Assessment Management of Information Security, 3rd ed. Table 8-4 Vulnerability assessment of a DMZ router Source: Course Technology/Cengage Learning

20 The TVA Worksheet (cont’d.) Table 8-5 Sample TVA spreadsheet Source: Course Technology/Cengage Learning

21 Introduction to Risk Assessment The goal is to create a method to evaluate the relative risk of each listed vulnerability Figure 8-3 Risk identification estimate factors Source: Course Technology/Cengage Learning

22 Likelihood The overall rating of the probability that a specific vulnerability will be exploited Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset

23 Percentage of Risk Mitigated by Current Controls If a vulnerability is fully managed by an existing control, it can be set aside If it is partially controlled, estimate what percentage of the vulnerability has been controlled

24 Uncertainty It is not possible to know everything about every vulnerability The degree to which a current control can reduce risk is also subject to estimation error Uncertainty is an estimate made by the manager using judgment and experience

25 Risk Determination – Example 1 Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate

26 Risk Determination – Example 2 Asset B has a value of 100 and has two vulnerabilities: vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk vulnerability # 2 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate

27 Example of Qualitative Risk Assessment ThreatImpactInitial Probability Counter- measure Residual Probability Flood damage HLWater alarmsL TheftHLKey cards, surveillance, guards L Logical intrusion HMIntrusion prevention system L

28 Quantitative Risk Assessment Extension of a qualitative risk assessment. Metrics for each risk are: Asset value: replacement cost and/or income derived through the use of an asset Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) Single Loss Expectancy (SLE) = Asset ($) x EF (%)

29 Quantitative Risk Assessment Metrics (cont.) Annualized Rate of Occurrence (ARO) Probability of loss in a year, % Annual Loss Expectancy (ALE) = SLE x ARO

30 Example of Quantitative Risk Assesment Theft of a laptop computer, with the data encrypted Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

31 Example of Quantitative Risk Assesment Dropping a laptop computer and breaking the screen Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

Download ppt "INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,"

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Once we know our weaknesses, they cease to do us any harm.

Once we know our weaknesses, they cease to do us any harm.
Risk Management: Identifying and Assessing Risk Chapter 4 Once we know our weaknesses, they cease to do us any harm. -- G.C. (GEORG CHRISTOPH) LICHTENBERG.

Risk Management: Identifying and Assessing Risk Chapter 4 Once we know our weaknesses, they cease to do us any harm. -- G.C. (GEORG CHRISTOPH) LICHTENBERG.
Project Risk Management

Project Risk Management
Principles of Information Security, 2nd Edition1 Risk Management.

Principles of Information Security, 2nd Edition1 Risk Management.
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Risk Management.

Risk Management.
Risk Management Identifying and Assessing Risk

Risk Management Identifying and Assessing Risk
CMPS 319 Risk Management: Identifying and Assessing Risk Chapter 4

CMPS 319 Risk Management: Identifying and Assessing Risk Chapter 4
Risk Management Chapter 4.

Risk Management Chapter 4.
Introduction to Network Defense

Introduction to Network Defense
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, Fifth Edition

Principles of Information Security, Fifth Edition
Risk Management - Security

Risk Management - Security
ITC358 ICT Management and Information Security

ITC358 ICT Management and Information Security
Management of Information Security, 4th Edition

Management of Information Security, 4th Edition
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Similar presentations

Ads by Google