RISK MANAGEMENT An Overview: NIPC Model

RISK MANAGEMENT An Overview: NIPC Model IT Security Workshop for Higher Education April 2, 2004

Movement from Risk Avoidance to Risk Management
- Risk Avoidance Model: focus on preventing loss or damage without reference to the degree of risk
- Risk Management: systematic and analytical process by which an organization identifies, reduces, and controls its potential risks and losses
9/22/2018 4-2-04, SB

What are some drivers?
- IT is intertwined and interdependent with critical institutional business processes
- Regulatory imperatives: state and federal (GLB, FERPA, HIPAA, SOX, ECPA, CFAA, USA Patriot Act, Teach Act, etc.)
- Pace of technological change: centuries, then decades (automobiles), now continuous
- Increasing sophistication of attack methods and attackers
- Enabling the integration, and managing the risks, of introducing emerging technologies

What is risk?
- Risk is a function of assets, threats, and vulnerabilities
- Risk is the potential for an unwanted event to occur
- The higher the probability and the greater the consequences, the greater the risk
Stakeholder influence: balance stakeholder influence, expectations, and participation across IT management, HR management, VP Finance / budget priorities, academic priorities, and functional management

Risk Management Approaches
- Due diligence process
- Probabilistic risk assessment
- Expert-facilitated risk assessment
- Scenario-based risk assessment
- Game theory approaches
- Systems analysis
- High-level business impact analysis / protection posture assessments

Risk Analysis Terms
- Threat: capability and intention of an adversary to take actions that are detrimental to an organization
- Vulnerability: any weakness in a control or a countermeasure that can be exploited by an adversary
- Asset: anything of value such as people, information, hardware, software, facilities, reputation, activities, and operations

Reassessing Risk and Risk Management Decisions
- High-threat, high-consequence: almost continuous assessment with weekly updates to top management
- Medium-threat, medium-consequence: 3 to 9-month reassessment with quarterly updates to top management
- Low-threat, medium-consequence: annual reassessment and annual updates to top management

Some Common Errors in Risk Management
- Too much trust in existing systems and protection
- Downplaying insider and B2B threats
- Lack of attention to business risks
- Underestimating interdependencies and complexities
- Misinterpretation of statistical data
- Underestimating the impact of incremental changes
- Adopting a reactive approach to risk management

A Five Step Risk Assessment Model - NIPC
1. Asset assessment
2. Threat assessment
3. Vulnerability assessment
4. Risk assessment: Risk = Consequence x (Threat x Vulnerability)
5. Countermeasures or controls identification

Risk Assessment - OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Eight processes
- Organizational and technological views

Risk Assessment Threat Examples
- Key personnel: injury, death
- File servers: DoS attack
- Student data: unauthorized insider access
- Production facility: natural disaster

Risk Assessment Vulnerability Examples
- Key personnel: no access controls
- File servers: ineffective patch management
- Student data: unchecked 3rd party
- Production facility: weak physical access controls
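As an added example (not from the workshop slides), a small Python model that carries the NIPC step-4 scoring, Risk = Consequence x (Threat x Vulnerability), over the threat and vulnerability examples above and assigns each asset the reassessment cadence from the earlier slide. The 1..3 rating scale, the ratings given to each asset, and the placement of rating combinations the slide does not list are assumptions.

```python
from dataclasses import dataclass

# Ordinal ratings; the slides give no numeric scale, so 1..3 is an assumption.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskItem:
    asset: str
    threat: str          # threat example from the slides
    vulnerability: str   # vulnerability example from the slides
    consequence_level: str
    threat_level: str
    vulnerability_level: str

    def risk(self) -> int:
        # NIPC step 4: Risk = Consequence x (Threat x Vulnerability)
        return LEVEL[self.consequence_level] * (
            LEVEL[self.threat_level] * LEVEL[self.vulnerability_level])

def reassessment_cadence(item: RiskItem) -> str:
    """Map threat/consequence ratings to the update cycle on the reassessment slide.
    Combinations the slide does not list are placed by the lower of the two
    ratings (an assumption, not something the slides state)."""
    t, c = LEVEL[item.threat_level], LEVEL[item.consequence_level]
    if t == 3 and c == 3:
        return "weekly"      # almost continuous assessment, weekly updates
    if min(t, c) == 2:
        return "quarterly"   # 3 to 9-month reassessment, quarterly updates
    return "annual"          # annual reassessment and annual updates

def rank_register(register: list) -> list:
    """Order assets by risk, highest first, to drive step 5 (countermeasure selection)."""
    return sorted(register, key=lambda i: i.risk(), reverse=True)

# Constructed register: assets, threats and vulnerabilities are the slides' own
# examples; the level ratings are illustrative assumptions.
REGISTER = [
    RiskItem("Key personnel", "Injury, death", "No access controls", "high", "low", "medium"),
    RiskItem("File servers", "DoS attack", "Ineffective patch management", "high", "high", "high"),
    RiskItem("Student data", "Unauthorized insider access", "Unchecked 3rd party", "high", "medium", "high"),
    RiskItem("Production facility", "Natural disaster", "Weak physical access controls", "medium", "medium", "medium"),
]

if __name__ == "__main__":
    for item in rank_register(REGISTER):
        print(f"{item.risk():2d}  {item.asset:20s} {item.threat:28s} reassess: {reassessment_cadence(item)}")
```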

What are some benefits?
- Cost justification
- Enhanced productivity
- Self analysis: organizational integration
- Targeted security
- Increased security awareness
- Baseline security and policy consistency
- Communication

References / Contact Information
"Risk Management: An Essential Guide to Protecting Critical Assets", NIPC, 11/2002
Contact: suresh@usmd.edu