HOW MUCH RISK IS ASSOCIATED WITH IT HYGIENE USING FAIR?

Case study shared courtesy of RiskLens. CONFIDENTIAL - FAIR INSTITUTE 2016

ANALYSIS SCOPING
Risk scenario description: Understand how much risk is associated with IT hygiene.
Asset(s) description: Internal systems, including databases, servers and workstations.
Loss type: Confidentiality and availability.
Threat(s) description: Malicious attack by cyber criminals, general hackers and internal privileged users; non-malicious incident by internal privileged users.

ANALYSIS SCOPING - Analysis approach
The analysis decomposes IT hygiene by threat, asset and loss type (diagram in the original):
- Threats: internal (malicious and non-malicious) and external (malicious)
- Assets: servers, databases, workstations
- Loss events: confidentiality events and availability events (both included)

ANALYSIS SCOPING - Questions to answer
- How much risk is associated with IT hygiene as a whole?
- How much risk is associated with each asset type (server, database, workstation)?
- How much risk is associated with confidentiality and with availability?
- What percentage of the overall risk is driven by the different actors?

ANALYSIS RESULTS - ANNUALIZED LOSS EXPOSURE (RISK)
Risk = frequency x magnitude of future loss; we express risk in terms of annualized loss exposure.
Current state: minimum* $3.2M, average $14.5M, maximum* $45.0M
*Min is the 10th percentile and Max the 90th percentile of the simulation results; these are reported instead of the absolute extremes of the simulation as the more probable lower and upper bounds.

ANALYSIS RESULTS - ANNUALIZED LOSS EXPOSURE (RISK)
Of the annualized loss exposure, 60% relates to confidentiality and 40% to availability.

ANALYSIS RESULTS (charts only in the original: average loss exposure, concentrations of risk, relevant threats; the figures are not in the transcript)

ANALYSIS LEVERAGED THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
      Loss Event Frequency (secondary)
      Loss Magnitude (secondary)

ANALYSIS CONSIDERATIONS
Factors assessed for resistance strength (the vulnerability branch of the model):
- Configuration management: consistency of authentication controls, consistency of access privileges, consistency of configuration standards
- Vulnerability management: consistency or state of patch levels
In addition, threat event frequency was estimated for the threat communities in scope.

ANALYSIS INPUT
Primary losses: incident response, investigation
Secondary losses: notification / credit monitoring, regulatory notification, possible fines / judgments, customer service requests, potential litigation, loss of current/future customers (reputation), card replacement
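The FAIR decomposition used in this analysis (risk = loss event frequency x loss magnitude; loss event frequency = threat event frequency x vulnerability, with vulnerability driven by threat capability against resistance strength; loss magnitude = primary loss plus secondary loss), the primary/secondary loss split of the input slide, and the Min/Avg/Max convention of the results slides (10th percentile, mean, 90th percentile of a simulation) can be run end to end in a short Monte Carlo. The block below is an added example and is not RiskLens or FAIR Institute code. Every scenario figure is a constructed placeholder, not an input from the case study; the triangular distributions and Poisson event counts are simplifications chosen here (FAIR practice more commonly uses PERT-style distributions for calibrated ranges), and the scenario names, function names and the per-scenario risk-share summary are assumptions of this example.

```python
"""
FAIR-style Monte Carlo for annualized loss exposure (ALE).

Added example, not RiskLens or FAIR Institute code. All scenario figures are
constructed for illustration and are not the case study's inputs.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most likely / max range, sampled here as a triangular distribution (assumption)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: an asset class, a threat community and a loss type."""
    name: str
    tef: Estimate                  # Threat Event Frequency: threat events per year
    threat_capability: Estimate    # percentile (0-100) of the threat community's skill and resources
    resistance_strength: Estimate  # percentile (0-100) of control strength: patch state, config, auth
    primary_loss: Estimate         # $ per loss event: response, investigation, lost productivity
    secondary_prob: float          # probability a loss event also triggers secondary (stakeholder) loss
    secondary_loss: Estimate       # $ per event when it does: notification, fines, litigation, churn


def poisson(rng: random.Random, lam: float) -> int:
    """Threat events in one year at average rate lam (Knuth's algorithm; adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """Loss for one simulated year. A threat event becomes a loss event when TCap > RS."""
    loss = 0.0
    for _ in range(poisson(rng, s.tef.sample(rng))):
        if s.threat_capability.sample(rng) > s.resistance_strength.sample(rng):
            loss += s.primary_loss.sample(rng)            # primary loss on every loss event
            if rng.random() < s.secondary_prob:
                loss += s.secondary_loss.sample(rng)      # secondary loss only sometimes
    return loss


def simulate(s: Scenario, years: int = 10_000, seed: int = 1) -> list:
    rng = random.Random(seed)
    return [simulate_year(s, rng) for _ in range(years)]


def summarize(samples: list) -> dict:
    """Min / Avg / Max as the results slides report them: 10th percentile, mean, 90th percentile."""
    deciles = statistics.quantiles(samples, n=10)
    return {"min_p10": deciles[0], "avg": statistics.fmean(samples), "max_p90": deciles[-1]}


def vulnerability(s: Scenario, trials: int = 20_000, seed: int = 2) -> float:
    """P(threat capability > resistance strength), estimated by sampling."""
    rng = random.Random(seed)
    hits = sum(s.threat_capability.sample(rng) > s.resistance_strength.sample(rng) for _ in range(trials))
    return hits / trials


def expected_ale(s: Scenario, vuln: float) -> float:
    """Closed-form mean for a sanity check: E[TEF] * Vuln * (E[primary] + P(secondary) * E[secondary])."""
    return s.tef.mean() * vuln * (s.primary_loss.mean() + s.secondary_prob * s.secondary_loss.mean())


def risk_shares(results: dict) -> dict:
    """Share of total average loss exposure per scenario: which asset / actor drives the risk."""
    means = {name: statistics.fmean(v) for name, v in results.items()}
    total = sum(means.values())
    return {name: m / total for name, m in means.items()}


# Constructed inputs (assumed values): one row per asset class x loss type x threat community.
SCENARIOS = [
    Scenario("servers / confidentiality / external criminals",
             Estimate(2, 6, 15), Estimate(40, 70, 95), Estimate(50, 65, 85),
             Estimate(50_000, 150_000, 600_000), 0.6, Estimate(200_000, 800_000, 4_000_000)),
    Scenario("workstations / availability / internal non-malicious",
             Estimate(20, 40, 80), Estimate(20, 40, 60), Estimate(30, 50, 70),
             Estimate(5_000, 20_000, 80_000), 0.05, Estimate(10_000, 50_000, 200_000)),
    Scenario("databases / confidentiality / internal privileged (malicious)",
             Estimate(0.2, 1, 3), Estimate(60, 80, 99), Estimate(40, 60, 80),
             Estimate(100_000, 300_000, 1_000_000), 0.7, Estimate(500_000, 2_000_000, 8_000_000)),
]

if __name__ == "__main__":
    results = {s.name: simulate(s) for s in SCENARIOS}
    for name, samples in results.items():
        print(name, {k: f"${v / 1e6:.2f}M" for k, v in summarize(samples).items()})
    for name, share in risk_shares(results).items():
        print(f"{share:6.1%}  {name}")
    s0 = SCENARIOS[0]
    print("closed-form mean for scenario 0:", f"${expected_ale(s0, vulnerability(s0)) / 1e6:.2f}M")
```

Two points the numbers on the slide depend on are visible here. First, reporting the 10th and 90th percentiles rather than the simulation's absolute minimum and maximum is what keeps the "Min" and "Max" columns from being dominated by a handful of extreme years; change the `n=10` in `summarize` and the bounds move accordingly. Second, the resistance-strength range is where the IT hygiene factors (patch state, configuration consistency, authentication and privilege consistency) enter the model: improving hygiene raises that range, which lowers the fraction of threat events that become loss events without touching the loss-magnitude inputs at all.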

DECISION SUPPORT / ROI
Data loss considerations:
- Confidentiality: estimated the amount of data stored or processed across the population of assets
- Availability: estimated the productivity costs associated with loss of system availability
The CIO/CISO was able to understand where this top risk issue stands among other priorities and where the team should focus next.
This analysis will be revisited bi-annually to assess reductions in the risk associated with IT hygiene and to determine the value the team is providing to the organization.