IT Threat and Risk Assessment Overview


IT Threat and Risk Assessment Overview June 6, 2014

Impact x Likelihood = Risk

Risk matrix (figure): LIKELIHOOD (High, Medium, Low, Seldom/never) against IMPACT (Major, Moderate, Significant, Minor, Negligible).
Based on BC Museums Best Practices Module – Risk Management, 2005 (modified): http://museumsassn.bc.ca/wp-content/uploads/2013/07/BP-7-Risk-Management.pdf

Risk Assessment

Threat > Impact x Likelihood = Risk > Safeguards > Residual Risk

Threat: A potential act or event that could cause unauthorized access, modification, disclosure or destruction of information or IT assets (a potential act or event that could cause loss).
Safeguards: Define the IT security requirements.
Residual Risk: The risk that remains after the implementation of recommended safeguards.

Risk Assessment

Risk assessment is a "business" exercise: IT risk assessment is ideally part of the overall risk assessment of the project.
Risk assessment can scale: it can be short and simple, or detailed and rigorous.
"Generic" risk assessments: the assessment from a similar project can be re-used.

Threat and Risk Assessment / Certification & Accreditation Steps

Step                           | Question / activity                              | Who
Identify and Categorize Assets | How critical? How sensitive?                     | Project Team
Threat and Risk Assessment     | Identify safeguards, IT security requirements    | Project Team
Implement                      | Implement safeguards                             | Project Team
Certify                        | Confirm whether safeguards are implemented       | IT Security Coordinator
Accredit                       | Accept residual risk                             | Management

Threat and Risk Assessment: The process of identifying and qualifying threats and risks to information and IT assets and of implementing or recommending safeguards to mitigate risks that are deemed unacceptable.
Certification: To verify that the security requirements established for a particular system or service are met and that the controls and safeguards work as intended.
Accreditation: To signify that management has authorized a system or service to operate and has accepted the residual risk of operating a system or service, based on the certification evidence.

Risk Assessment Example

Sample Threat and Risk Assessment Worksheet

Threat                           | Impact      | Likelihood | Risk     | Safeguards                | Residual Risk
Disk failure                     | Major       | Common     | High     | Redundant disks; Backups  | Low
Power supply failure             | Significant | Unlikely   | Moderate | Redundant power supplies  |
Records misfiled                 | Minor       |            |          | Employee training         |
Non-sensitive information shared |             |            |          |                           |
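The Impact x Likelihood = Risk step and the sample worksheet above, modelled as a small calculator. This is an added example, not material from the deck: the numeric scores behind the deck's ordinal scales, the risk band thresholds, the post-safeguard re-ratings and the likelihood of "Records misfiled" are assumptions, chosen so that the filled-in worksheet rows (Disk failure: High, residual Low; Power supply failure: Moderate) come out as the deck shows them.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales from the deck; the numeric scores are an assumption, and the
# worksheet's "Common"/"Unlikely" are mapped onto the matrix's High/Low.
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Significant": 4, "Major": 5}
LIKELIHOOD = {"Seldom/never": 1, "Unlikely": 2, "Low": 2, "Medium": 3, "High": 4, "Common": 4}
RISK_BANDS = ((15, "High"), (8, "Moderate"), (0, "Low"))  # score floors (assumption)

def rate(impact: str, likelihood: str) -> str:
    """Impact x Likelihood = Risk, banded into High / Moderate / Low."""
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    return next(label for floor, label in RISK_BANDS if score >= floor)

@dataclass
class Threat:
    """One row of the TRA worksheet."""
    name: str
    impact: str
    likelihood: str
    safeguards: tuple = ()                   # as written on the worksheet
    impact_after: Optional[str] = None       # re-rating once safeguards are in place
    likelihood_after: Optional[str] = None

    @property
    def risk(self) -> str:
        return rate(self.impact, self.likelihood)

    @property
    def residual_risk(self) -> str:
        """Risk that remains after the safeguards are implemented."""
        return rate(self.impact_after or self.impact,
                    self.likelihood_after or self.likelihood)

def unacceptable(threats, tolerance: str = "Moderate") -> list:
    """Threats whose residual risk exceeds the tolerance (still need action)."""
    order = [label for _, label in reversed(RISK_BANDS)]  # Low < Moderate < High
    return [t.name for t in threats
            if order.index(t.residual_risk) > order.index(tolerance)]

# Constructed rows following the deck's sample worksheet; the post-safeguard
# re-ratings and the likelihood for "Records misfiled" are assumptions.
WORKSHEET = [
    Threat("Disk failure", "Major", "Common", ("Redundant disks", "Backups"),
           impact_after="Minor", likelihood_after="Low"),
    Threat("Power supply failure", "Significant", "Unlikely",
           ("Redundant power supplies",), likelihood_after="Seldom/never"),
    Threat("Records misfiled", "Minor", "Medium", ("Employee training",)),
]
```

Anything `unacceptable()` returns is what the accreditation step must either mitigate further or explicitly accept as residual risk.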

Roll-out, tools and support

Trial approach on a few projects.
Tools: TRA worksheet and guide; list of sample threats.
Integrate into regular project planning: prioritize based on sensitivity and criticality; decision records in Enterprise; assess as we go.

Decision records in Enterprise

Discussion and feedback

References

Management of Information Technology Security (MITS) Operational Security Standard: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text
BC Museums Best Practices Module – Risk Management: http://museumsassn.bc.ca/wp-content/uploads/2013/07/BP-7-Risk-Management.pdf

Management Accountability Framework (MAF)