Risk Assessment = Risky Business

Slides:



Advertisements
Similar presentations
COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
Advertisements

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
Hands on Demonstration for Testing Security in Web Applications
Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
By: Ashwin Vignesh Madhu
The Information Systems Audit Process
Risk Assessment Frameworks
Vulnerability Assessments
Brian Markham Director, DIT Compliance and Risk Services May 1, 2014
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Application Threat Modeling Workshop
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
OWASP Mobile Top 10 Why They Matter and What We Can Do
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
SEC835 Database and Web application security Information Security Architecture.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
A Framework for Automated Web Application Security Evaluation
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Risk Management Project Management Digital Media Department Unit Credit Value : 4 Essential Learning time : 120 hours.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 11: Project Risk Management
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
10/20/ The ISMS Compliance in 2009 GRC-ISMS Module for ISO Certification.
CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 2 Risk Identification and Risk Assessment.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Risk Assessment Richard Newman. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement.
Yair Grindlinger, CEO and Co-Founder Do you know who your employees are sharing their credentials with? Do they?
Project Risk Management Planning Stage
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Managing Project Risk – A simplified approach Presented by : Damian Leonard.
Defining your requirements for a successful security (and compliance
Proactive Incident Response
Information Systems Security
Summary of Changes PCI DSS V. 3.1 to V. 3.2
THINK DIFFERENT. THINK SUCCESS.
SELF-GUIDED SECURITY ASSESSMENT
Introduction and implementation OWASP Risk Rating Management
ISSeG Integrated Site Security for Grids WP2 - Methodology
Security SIG in MTS 05th November 2013 DEG/MTS RISK-BASED SECURITY TESTING Fraunhofer FOKUS.
8 Managing Risk (Premium).
Software Engineering B.Tech Ii csE Sem-II
Leverage What’s Out There
Risk Assessment Richard Newman
Combining the best of Audit and Penetration Testing
SAM GDPR Assessment <Insert partner logo here>
Software Assurance Maturity Model
Validating Your Information Security Program (ISP 3 of 3)
IS4680 Security Auditing for Compliance
Risk Analysis and HIPAA Security
Getting benefits of OWASP ASVS at initial phases
Contact Center Security Strategies
COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
SELF-GUIDED SECURITY ASSESSMENT
Project Management Group
Data Security and Privacy Techniques for Modern Databases
HIPAA Security Risk Assessment (SRA)
PFMEA Summary Process Steps
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Risk Analysis Objectives Discuss the importance of Risk Analysis
Presentation transcript:

Risk Assessment = Risky Business

Pop Quiz: Which Presents a Greater Risk? The correct answer is “risk to what?” Also, Eliot is a fictional character, so the lion wins by default.

Risk Assessment “The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.”

What is risk? “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”

… in other words Risk Likelihood Impact

Where to assess risk? Scope is fundamental question: All assets or just some? Specific types of data (cardholder data, ePHI, etc.) Specific business units, processes, and workflows?

Threats vs Vulnerabilities Examples of Vulnerabilities Injection Attack Broken Authentication and Session Management Cross-Site Scripting (XSS) Broken Access Control Security Misconfiguration Examples of Threats Adversarial Discovery Adversarial Lateral Movement Execution of Adversary Code Data Collection Exfiltration of Data and Information Command and Control

What’s your process? Spreadsheets Tool specific to { healthcare | banking | etc. } GRC Suite Multiple tools

Risk Assessment Principles Don’t Repeat Yourself We like reusable pieces Convention over Configuration All assets of type x will likely have same threats, but maybe different risk score Defaults should be built to accommodate

Our Risk Assessment Process Based on Known Frameworks (PCI requirement) NIST 800-30 OCTAVE Allegro Utilize Universal Data Threats and Vulnerabilities are fed by MITRE, OWASP Controls map to frameworks (NIST 800-53, CIS Top 20) Threats, Controls, and Vulnerabilities are Universal

SynerComm Risk Assessment App Single Page App Universal Data Included Two phases Phase 1: SynerComm Audit Tool Phase 2: Self-hosted

SynerComm Risk Assessment Methodology Step 1: Establish Ranking Criteria Step 2: Determine Risk Assessment Scope Step 3: Identify Relevant Threats, Vulnerabilities, and Controls Step 4: Determine Initial Impact and Initial Risk Scores Step 5: Evaluate Control Effectiveness Step 6: Perform System and Zone Risk Assessment Step 7: Report on Risk

Step 1: Establish Ranking Criteria Consider commonly-used data types: ePHI cardholder data (CHD/PCI) PII financial data IP Data types may also include qualities: single-point of failure large data store mobile data

Step 2: Determine Risk Assessment Scope As we set scope, SynerComm will work with the client to collect three fundamental characteristics for each asset: Asset role Web server Database server Application server Firewall Removable media Data type System and zone association Grouping of assets based on common data type and/or business purpose

Step 3: Identify Relevant Threats, Vulnerabilities, and Controls SynerComm will leverage common threat information: MITRE Corporation (MITRE) Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) model Other threat events, such as non-adversarial threats SynerComm will evaluate vulnerabilities: NIST National Vulnerability Database (NVD) Common Weakness Enumeration (CWE) Open Web Application Security Project (OWASP) Top 10 SynerComm will identify control types to mitigate threat events: Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC)

Step 4: Determine Initial Impact and Initial Risk Scores SynerComm assigns relevant threats, vulnerabilities, and control types based on asset role. The initial impact for a system or zone is the sum of the asset impact values for all assigned assets. SynerComm then uses the mean initial impact score of all systems as a baseline risk score for all systems in the risk assessment. The mean impact score becomes the highest risk threshold for risk values.

Step 5: Evaluate Control Effectiveness SynerComm uses the list of control types identified in Step 3 as a basis to begin collecting and evaluating client controls. SynerComm scores the control based on: the control implementation status (not implemented, out-of-date, partially implemented, fully implemented), documentation of the control (not documented, out-of-date, full documentation), control test performance (not tested, failed test, passed test), and control function (preventive, detective, corrective, or insurance).

Step 6: Perform System and Zone Risk Assessments SynerComm uses the controls evaluated in Step 5 to derive the residual risk score. SynerComm classifies the residual risk score into risk levels. SynerComm will consider any additional threats, vulnerabilities, or controls relevant to the in-scope assets.

THANK YOU (QUESTIONS?)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.