Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alaa Mubaied alaa.mubaied@owasp.com Risk Management Alaa Mubaied alaa.mubaied@owasp.com.

Published byBrett Thompson Modified over 8 years ago

Similar presentations

Presentation on theme: "Alaa Mubaied alaa.mubaied@owasp.com Risk Management Alaa Mubaied alaa.mubaied@owasp.com."— Presentation transcript:

1 Alaa Mubaied alaa.mubaied@owasp.com
Risk Management Alaa Mubaied

2 Introduction Organizations must design and create safe environments in which business processes and procedures can function. Risk management process of identifying and controlling risks facing an organization. Risk identification process of examining the current information technology security situation in the organization. Risk control applying controls to reduce risks to an organization’s data and information systems.

3 An Overview of Risk Management
Know your organisation identify, examine, and understand the information and systems currently in place Know the enemy identify, examine, and understand threats facing the organization Information security, management and users, and information technology all must work together to manage risks that are encountered

4 Role of Risk Management
Risk management involves identifying, classifying, and prioritizing assets in the organization. A threat assessment process involves identifying and quantifying the risks facing each asset. Components of risk identification People Procedures Data Software Hardware

5 Questions to ask! - What are the resources that need protecting? - What is the value of those resources, monetary or otherwise? - What are the all the possible threats that those resources face? - What is the likelihood of those threats being realized? - What would be the impact of those threats if they were realized?

6 Components of Risk Management
Risk identification & assessment Identifying risks and assessing their potential impacts. Risk control Prioritizing, implementing, and maintaining an acceptable level of risk. Risk evaluation Continuous appraisal of the risk management process.

7 Components of Risk Management

8 Risk Identification

9 Components of Risk Identification

10 Asset Identification What are the resources or assets that need protecting? Identification of assets includes all elements of an organization’s system i.e. people, procedures, data and information, software, hardware, networking, etc. People position name/number/ID; security clearance level; special skills Procedures description; intended purpose; what elements it is tied to; storage location for reference & update Data classification; owner/creator/ manager; data structure size; data structure used; online/offline; location; backup procedures

11 Asset Identification - cont
Information Needs of organization and preferences/needs of the security and information technology communities Hardware Asset name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity Software assets Proprietary programs, company bespoke software Network assets Network components, monitoring tools, etc

12 Information Asset Valuation
What is the value of those resources/assets, monetary or otherwise? Loss of confidentiality, integrity, completeness or availability Which information asset: Is most critical to organization’s success? Generates the most revenue/profitability? Would be most expensive to replace or protect? Would be the most embarrassing or cause greatest liability if revealed?

13 Threat Assessment Identify which threats present danger to assets
represent the most danger to information requires greatest expenditure to prevent sources that might be applicable to the system How much would it cost to recover from attack? Intentional threats reside in the motivations of humans to undertake potentially harmful activities Unintentional threats are benign instances

14 Threats to Information Security

15 Vulnerability Identification
Vulnerabilities are the specific avenues which threat agents can exploit to attack an information asset Identify flaws and weaknesses that could possibly be exploited because of the threats Behavioral and attitudinal vulnerabilities Misinterpretations Coding problems Physical vulnerabilities At end of this risk identification process, a list of assets and their vulnerabilities is achieved

16 Risk Assessment

17 Risk Assessment Risk assessment evaluates the relative risk for each vulnerability Assigns a risk rating or score to each information asset The goal at this point: create a method for evaluating the relative risk of each listed vulnerability

18 Likelihood The probability that a specific vulnerability will be the object of a successful attack Assign numeric value: number between 0.1 (low) and 1.0 (high), or a number between 1 and 100 Zero not used since vulnerabilities with zero likelihood are removed from asset/vulnerability list Use a selected rating model consistently Use external references for values that have been reviewed/adjusted for your circumstances

19 Risk Determination Risk EQUALS Likelihood of vulnerability occurrence
TIMES value (or impact)‏ MINUS percentage risk already controlled PLUS an element of uncertainty

20 Documenting the Results
Final summary comprised in ranked vulnerability risk worksheet which details asset asset impact vulnerability vulnerability likelihood risk-rating factor Working document for next step in risk management process: assessing and controlling risk

21 Ranked Vulnerability Risk Worksheet

22 Risk Control

23 Risk Control Strategies
- Responses to risk Accept it and do nothing. Reduce it with security measures. Avoid it completely by withdrawing from an activity. - Must choose a strategies to control each identified risk: Accept Mitigate Defend Transfer Terminate

24 Defend Attempts to prevent exploitation of the vulnerability
Preferred approach Accomplished by countering threats removing asset vulnerabilities limiting asset access adding protective safeguards Three common methods of risk avoidance Application of policy Training and education Applying technology

25 Transfer Control approach that attempts to shift risk to other assets, processes, or organizations If lacking, organization should hire individuals/firms that provide security management and administration expertise Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks

26 Mitigate Attempts to reduce impact of vulnerability exploitation through planning and preparation. Incident response plan (IRP): define the actions to take while incident is in progress . Disaster recovery plan (DRP): most common mitigation procedure. Business continuity plan (BCP): encompasses continuation of business activities if catastrophic event occurs.

27 Accept Doing nothing to protect a vulnerability and accepting the outcome of its exploitation Valid only when the particular function, service, information, or asset does not justify cost of protection

28 Terminate Directs the organization to avoid those business activities that introduce uncontrollable risks May seek an alternate mechanism to meet customer needs

29 Risk Management Issues
Organization must define level of risk it can accept. Risk appetite defines quantity and nature of risk that organizations are willing to accept as trade-offs between perfect security and unlimited accessibility. Residual risk risk that has not been completely removed, shifted, or planned for.

30 Residual risk

31 Risk Control Practices
- Convince budget authorities to spend up to value of asset to protect from identified threat. - Final control choice may be balance of controls providing greatest value to as many asset-threat pairs as possible. - Organizations looking to implement controls that don’t involve such complex, inexact, and dynamic calculations.

32 Summary Risk identification Risk control Residual risk
formal process of examining and documenting risk in information systems Risk control process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components of an information system A risk management strategy enables identification, classification, and prioritization of organization’s information assets Residual risk risk remaining to the information asset even after the existing control is applied

33 Questions?

Download ppt "Alaa Mubaied alaa.mubaied@owasp.com Risk Management Alaa Mubaied alaa.mubaied@owasp.com."

Similar presentations

INFORMATION RISK MANAGEMENT

INFORMATION RISK MANAGEMENT
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Information Security Principles & Applications

Information Security Principles & Applications
Once we know our weaknesses, they cease to do us any harm.

Once we know our weaknesses, they cease to do us any harm.
Risk Management: Identifying and Assessing Risk Chapter 4 Once we know our weaknesses, they cease to do us any harm. -- G.C. (GEORG CHRISTOPH) LICHTENBERG.

Risk Management: Identifying and Assessing Risk Chapter 4 Once we know our weaknesses, they cease to do us any harm. -- G.C. (GEORG CHRISTOPH) LICHTENBERG.
Introducing Computer and Network Security

Introducing Computer and Network Security
Principles of Information Security, 2nd Edition1 Risk Management.

Principles of Information Security, 2nd Edition1 Risk Management.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Risk Management.

Risk Management.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
PRINCIPLES OF INOFORMATION SECURITY

PRINCIPLES OF INOFORMATION SECURITY
CMPS 319 Risk Management: Identifying and Assessing Risk Chapter 4

CMPS 319 Risk Management: Identifying and Assessing Risk Chapter 4
Risk Management Chapter 4.

Risk Management Chapter 4.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Introduction to Network Defense

Introduction to Network Defense
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, Fifth Edition

Principles of Information Security, Fifth Edition
Risk Management - Security

Risk Management - Security
ITC358 ICT Management and Information Security

ITC358 ICT Management and Information Security
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google