RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY By Collin Donaldson.

THE PURPOSE OF RISK MANAGEMENT
- Ensure the overall business and its assets are safe
- Protect against competitive disadvantage
- Comply with laws and best business practices
- Maintain a good public reputation

STEPS OF A RISK MANAGEMENT PLAN
Step 1: Identify Risk
Step 2: Assess Risk
Step 3: Control Risk
The steps are similar regardless of context (InfoSec, physical security, financial, etc.). This presentation focuses on controlling risk within an InfoSec context.

RISK IDENTIFICATION
The steps to risk identification are:
- Identify your organization's information assets
- Classify and categorize those assets into useful groups
- Rank the assets by their necessity to the organization
Below is a simplified example of how a company may identify risks.

| Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical) |
|---|---|---|---|
| Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low |
| Cisco UCS B460 M4 Blade Server | Hardware: Networking | Database server | High |
| Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical |
| Windows 7 | Software: Operating System | Employee access to enterprise software | Medium |

RISK ASSESSMENT
The steps to risk assessment are:
- Identify threats and threat agents
- Prioritize threats and threat agents
- Assess vulnerabilities in the current InfoSec plan
- Determine the risk of each threat:

R = P * V – M + U

R = Risk
P = Probability of threat attack
V = Value of the information asset
M = Mitigation by current controls
U = Uncertainty of vulnerability

The table below combines elements of all of these in a highly simplified format.

| Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5) |
|---|---|---|---|---|
| Disgruntled insider: steal company information to sell | Company data (i.e. customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | |
| Fire: burn the facility down or cause major damage | Company facility, personnel, equipment | Critical | Mishandled equipment | 2.78 |
| Hacktivists: quality of service deviation | Company hardware/software | Low | Lack of effective filtering | 1.39 |

RISK CONTROL
The steps to risk control are:
- Cost-Benefit Analysis (CBA)
  - Single Loss Expectancy (SLE)
  - Annualized Rate of Occurrence (ARO)
  - Annual Loss Expectancy (ALE)
  - Annual Cost of the Safeguard (ASG)
- Feasibility Analysis
  - Organizational feasibility
  - Operational feasibility
  - Technical feasibility
  - Political feasibility
- Risk Control Strategy Implementation

COST-BENEFIT ANALYSIS
Determine which risk control strategies are cost effective. Below are some common formulas used in a cost-benefit analysis:

SLE = AV * EF
  AV = Asset Value, EF = Exposure Factor (the fraction of the asset's value lost in a single event)
ALE = SLE * ARO
  ARO = Annualized Rate of Occurrence (expected events per year)
CBA = ALE (pre-control) – ALE (post-control) – ASG
  ASG = Annual Cost of the Safeguard; a negative CBA means the safeguard costs more per year than the loss it avoids
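As an added worked example that is not part of the presentation, the following Python puts the Risk Assessment slide's R = P * V – M + U and the cost-benefit formulas above into code and ranks candidate safeguards by CBA. The asset value, exposure factor, occurrence rate and safeguard costs are constructed, and the Safeguard class and function names are this example's own.

```python
# Added example: the slide deck's risk formulas, R = P*V - M + U, SLE = AV*EF,
# ALE = SLE*ARO and CBA = ALE(pre) - ALE(post) - ASG. All figures are constructed.
from dataclasses import dataclass


def risk_score(p: float, v: float, m: float, u: float) -> float:
    """R = P*V - M + U; P is a probability, M the mitigation current controls give."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("P is a probability and must lie in [0, 1]")
    return p * v - m + u


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy; EF is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction in [0, 1], not a percentage")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy; an ARO below 1 means fewer than one event a year."""
    return single_loss * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # ASG: annual cost of the safeguard
    post_ef: float       # exposure factor once the control is in place
    post_aro: float      # rate of occurrence once the control is in place


def cba(asset_value: float, ef: float, aro: float, s: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ASG; negative = not worth it."""
    pre = ale(sle(asset_value, ef), aro)
    post = ale(sle(asset_value, s.post_ef), s.post_aro)
    return pre - post - s.annual_cost


def rank_safeguards(asset_value, ef, aro, safeguards):
    """Return (name, CBA) pairs, most cost-effective first."""
    scored = [(s.name, cba(asset_value, ef, aro, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $500k customer-PII database losing 20% of its value
# per breach, expected once every two years (ARO 0.5); two candidate safeguards.
CANDIDATES = [
    Safeguard("access-control hardening", 10_000, post_ef=0.2, post_aro=0.1),
    Safeguard("full platform rebuild", 60_000, post_ef=0.0, post_aro=0.5),
]
```

Running `rank_safeguards(500_000, 0.2, 0.5, CANDIDATES)` shows the cheaper control with a positive CBA ranked above the rebuild, whose annual cost exceeds the loss it eliminates.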

FEASIBILITY ANALYSIS
Organizational: Does the plan correspond to the organization's objectives? What is in it for the organization? Does it limit the organization's capabilities in any way?
Operational: Will stakeholders (users, managers, etc.) be able and willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
Technical: Is the necessary technology owned or obtainable? Are our employees trained, and if not, can we afford to train them? Should we hire new employees?
Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the budget required justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?

RISK CONTROL STRATEGIES
- Defense
- Transferal
- Mitigation
- Acceptance (Abandonment)
- Termination

RISK CONTROL STRATEGY: DEFENSE
Defense: Prevent the exploitation of the system through the application of policy, training/education, and technology, preferably as layered security (defense in depth).
- Counter threats
- Remove vulnerabilities from assets
- Limit access to assets
- Add protective safeguards

RISK CONTROL STRATEGY: TRANSFERAL
Transferal: Shift risks to other areas or outside entities to handle. Can include:
- Purchasing insurance
- Outsourcing to other organizations
- Implementing service contracts with providers
- Revising deployment models

RISK CONTROL STRATEGY: MITIGATION
Mitigation: Creating plans and preparations to reduce the damage when a threat is realized. Preparation should include an:
- Incident Response Plan
- Disaster Recovery Plan
- Business Continuity Plan

RISK CONTROL STRATEGY: ACCEPTANCE
Acceptance: Properly identifying and acknowledging risks, and choosing not to control them. Appropriate when:
- The cost to protect an asset or assets exceeds the cost to replace it/them
- The probability of the risk is very low and the asset is of low priority
- Otherwise, acceptance = negligence

RISK CONTROL STRATEGY: TERMINATION
Termination: Removing or discontinuing the information asset from the organization. Examples include:
- Equipment disposal
- Discontinuing a provided service
- Firing an employee

PROS AND CONS OF EACH STRATEGY
Pros
- Defense: Preferred all-round approach
- Transferal: Easy and effective
- Mitigation: Effective when all else fails
- Acceptance: Cheap and easy
- Termination: Relatively cheap and safe
Cons
- Defense: Expensive and laborious
- Transferal: Dependence on external entities
- Mitigation: Guarantees company loss
- Acceptance: Rarely appropriate, unsafe
- Termination: Rarely appropriate, requires company loss

STANDARD APPROACHES TO RISK MANAGEMENT
- US-CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods (original OCTAVE, OCTAVE-S, OCTAVE-Allegro)
- ISO standard for InfoSec risk management
- NIST risk management model
- Microsoft risk management approach
- Jack A. Jones' Factor Analysis of Information Risk (FAIR)
- Delphi technique

RISK MANAGEMENT SOFTWARE

SOURCES
M. Whitman and H. Mattord, Management of Information Security, Fourth Edition, Stamford, CT: Cengage Learning, 2014, p.