Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions

Session Prerequisites
- Basic understanding of network security fundamentals
- Basic understanding of security risk management concepts
Level 300

Target Audience
This session is primarily intended for:
- Systems architects and planners
- Members of the information security team
- Security and IT auditors
- Senior executives, business analysts, and business decision makers
- Consultants and partners

Session Overview
- Security Risk Management Concepts
- Identifying Security Risk Management Prerequisites
- Assessing Risk
- Conducting Decision Support
- Implementing Controls and Measuring Program Effectiveness

Section: Security Risk Management Concepts

Why Develop a Security Risk Management Process?
Security risk management: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization.
Developing a formal security risk management process can address the following:
- Threat response time
- Regulatory compliance
- Infrastructure management costs
- Risk prioritization and management

Identifying Success Factors That Are Critical to Security Risk Management
Key factors to implementing a successful security risk management program include:
- An atmosphere of open communication and teamwork
- Organizational maturity in terms of risk management
- Executive sponsorship
- Well-defined list of risk management stakeholders
- A holistic view of the organization
- Security risk management team authority

Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
- Reactive approach: a process that responds to security events as they occur
- Proactive approach: the adoption of a process that reduces the risk of new vulnerabilities in your organization

Comparing Approaches to Risk Prioritization

Quantitative
  Benefits:
  - Risks prioritized by financial impact; assets prioritized by their financial values
  - Results facilitate management of risk by return on security investment
  - Results can be expressed in management-specific terminology
  Drawbacks:
  - Impact values assigned to risks are based upon subjective opinions of the participants
  - Very time-consuming
  - Can be extremely costly

Qualitative
  Benefits:
  - Enables visibility and understanding of risk ranking
  - Easier to reach consensus
  - Not necessary to quantify threat frequency
  - Not necessary to determine financial values of assets
  Drawbacks:
  - Insufficient granularity between important risks
  - Difficult to justify investing in controls, as there is no basis for a cost-benefit analysis
  - Results dependent upon the quality of the risk management team that is created

Introducing the Microsoft Security Risk Management Process
The process has four phases:
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

Section: Identifying Security Risk Management Prerequisites

Risk Management vs. Risk Assessment

             Risk Management                                   Risk Assessment
Goal         Manage risks across business to acceptable level  Identify and prioritize risks
Cycle        Overall program across all four phases            Single phase of risk management program
Schedule     Scheduled activity                                Continuous activity
Alignment    Aligned with budgeting cycles                     Not applicable

Communicating Risk
A well-formed risk statement answers the following questions:
- Asset: What are you trying to protect?
- Threat: What are you afraid of happening?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?
- Impact: What is the impact to the business?
- Probability: How likely is the threat given the controls?

Determining Your Organization's Risk Management Maturity Level
Publications to help you determine your organization's risk management maturity level include:
- ISO Code of Practice for Information Security Management (ISO 17799), International Standards Organization
- Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
- Security Self-Assessment Guide for Information Technology Systems (SP ), National Institute of Standards and Technology

Performing a Risk Management Maturity Self-Assessment

Level  State
0      Non-existent
1      Ad hoc
2      Repeatable
3      Defined process
4      Managed
5      Optimized

Defining Roles and Responsibilities
- Executive Sponsor: "What's important?"
- Information Security Group: "Prioritize risks"
- IT Group: "Best control solution"
Responsibilities covered across these roles:
- Operate and support security solutions
- Design and build security solutions
- Define security requirements
- Assess risks
- Determine acceptable risk
- Measure security solutions

Section: Assessing Risk

Overview of the Assessing Risk Phase (phase 1 of the four-phase process)
Steps in this phase:
- Plan risk data gathering
- Gather risk data
- Prioritize risks

Understanding the Planning Step
The primary tasks in the planning step include the following:
- Alignment
- Scoping
- Stakeholder acceptance
- Setting expectations

Understanding Facilitated Data Gathering
Keys to successful data gathering include:
- Meet collaboratively with stakeholders
- Build support
- Understand the difference between discussing and interrogating
- Build goodwill
- Be prepared
Elements collected during facilitated data gathering include:
- Organizational assets
- Asset description
- Security threats
- Vulnerabilities
- Current control environment
- Proposed controls

Identifying and Classifying Assets
An asset is anything of value to the organization and can be classified as one of the following:
- High business impact
- Moderate business impact
- Low business impact

Organizing Risk Information
Use the following questions as an agenda during facilitated discussions:
- What asset are you protecting?
- How valuable is the asset to the organization?
- What are you trying to avoid happening to the asset?
- How might loss or exposures occur?
- What is the extent of potential exposure to the asset?
- What are you doing today to reduce the probability or the extent of damage to the asset?
- What are some actions that you can take to reduce the probability in the future?

Estimating Asset Exposure
Exposure: the extent of potential damage to an asset.
Use the following guidelines to estimate asset exposure:
- Minor or no loss: Low exposure
- Limited or moderate loss: Medium exposure
- Severe or complete loss of the asset: High exposure

Estimating Probability of Threats
Use the following guidelines to estimate probability for each threat and vulnerability identified:
- Not probable (impact not expected to occur within three years): Low threat
- Probable (impact expected within two to three years): Medium threat
- Likely (one or more impacts expected within one year): High threat

Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into the following sections:
1. Determining Organizational Assets and Scenarios
2. Identifying Threats
3. Identifying Vulnerabilities
4. Estimating Asset Exposure
5. Estimating Probability of Exploit and Identifying Existing Controls
6. Meeting Summary and Next Steps

Defining Impact Statements Impact data includes the following information:

Understanding Risk Prioritization
Flow of the prioritization process:
1. Start risk prioritization
2. Conduct summary-level risk prioritization
3. Review with stakeholders
4. Conduct detailed-level risk prioritization
5. End of risk prioritization

Conducting Summary-Level Risk Prioritization
The summary-level prioritization process includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders
Probability scale used at the summary level:
- High. Likely: one or more impacts expected within one year
- Medium. Probable: impact expected within two to three years
- Low. Not probable: impact not expected to occur within three years

Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls).

Quantifying Risk
The following tasks outline the process to determine the quantitative value:
- Input the asset value for each risk
- Produce the single-loss expectancy value (SLE)
- Determine the annual rate of occurrence (ARO)
- Determine the annual loss expectancy (ALE)
- Assign a monetary value to each asset class
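The summary-level and detailed-level prioritization steps and the SLE/ARO/ALE quantification can be carried through on a small risk register. The Python below is an added worked example; it is not a template from this presentation or from the Microsoft Security Risk Management Guide. The numeric weights attached to the High/Medium/Low labels, the risk-level thresholds, the rule that only high-business-impact assets go to the detailed level, and the four sample risks are all assumptions made for illustration.

```python
# Added worked example: summary-level and detailed-level risk prioritization,
# followed by the quantitative SLE/ARO/ALE figures, on a constructed risk register.
# Numeric weights, thresholds and sample risks are assumptions, not the guide's values.
from dataclasses import dataclass

# Assumed numeric weights for the labels used in the facilitated discussions.
IMPACT_CLASS = {"High": 10, "Moderate": 5, "Low": 1}        # business impact class of the asset
EXPOSURE_FACTOR = {"High": 1.0, "Medium": 0.5, "Low": 0.2}  # severe / moderate / minor loss
PROBABILITY = {"High": 3, "Medium": 2, "Low": 1}            # likely / probable / not probable


@dataclass
class RiskStatement:
    """Well-formed risk statement plus the estimates gathered for it."""
    asset: str
    asset_class: str      # High / Moderate / Low business impact
    threat: str           # what you are afraid of happening
    vulnerability: str    # how the threat could occur
    mitigation: str       # what currently reduces the risk
    exposure: str         # extent of potential damage: High / Medium / Low
    probability: str      # likelihood given current controls: High / Medium / Low
    asset_value: float = 0.0   # monetary value, used only by the quantitative step
    aro: float = 0.0           # annual rate of occurrence, used only by the quantitative step


def summary_level(risks):
    """Summary-level prioritization: order by asset impact class, then probability.
    Returns (asset, class, probability) tuples, highest first."""
    ordered = sorted(risks, key=lambda r: (IMPACT_CLASS[r.asset_class], PROBABILITY[r.probability]),
                     reverse=True)
    return [(r.asset, r.asset_class, r.probability) for r in ordered]


def detailed_score(risk):
    """Detailed-level score: impact (asset class scaled by exposure) times probability."""
    impact = IMPACT_CLASS[risk.asset_class] * EXPOSURE_FACTOR[risk.exposure]
    return impact * PROBABILITY[risk.probability]


def risk_level(score):
    """Map a detailed score to High/Medium/Low (assumed thresholds; the maximum score is 30)."""
    if score >= 15:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def detailed_level(risks, classes=("High",)):
    """Detailed-level prioritization, run only on the high-business-impact risks that the
    summary level singled out. Returns (asset, score, level) tuples, highest first."""
    selected = sorted((r for r in risks if r.asset_class in classes), key=detailed_score, reverse=True)
    return [(r.asset, detailed_score(r), risk_level(detailed_score(r))) for r in selected]


def single_loss_expectancy(risk):
    """SLE: asset value times the exposure factor (share of the asset lost per incident)."""
    return risk.asset_value * EXPOSURE_FACTOR[risk.exposure]


def annual_loss_expectancy(risk):
    """ALE: SLE times the annual rate of occurrence."""
    return single_loss_expectancy(risk) * risk.aro


# Constructed sample register (all values invented for the example).
SAMPLE_RISKS = [
    RiskStatement("Customer database", "High", "Theft of customer records by an external attacker",
                  "Unpatched vulnerability in the public web application", "Perimeter firewall only",
                  exposure="High", probability="Medium", asset_value=2_000_000, aro=0.5),
    RiskStatement("Payroll server", "High", "Ransomware encrypts payroll data",
                  "No offline backups", "Desktop antivirus",
                  exposure="Medium", probability="High", asset_value=500_000, aro=1.0),
    RiskStatement("Marketing website", "Moderate", "Defacement",
                  "Weak administrator password", "None",
                  exposure="Low", probability="High", asset_value=50_000, aro=2.0),
    RiskStatement("Lobby kiosk", "Low", "Vandalism",
                  "Unattended public location", "Reception staff presence",
                  exposure="Medium", probability="Low", asset_value=2_000, aro=0.1),
]

if __name__ == "__main__":
    print("Summary level:", summary_level(SAMPLE_RISKS))
    print("Detailed level (high-impact assets):", detailed_level(SAMPLE_RISKS))
    for r in SAMPLE_RISKS:
        print(f"{r.asset}: SLE={single_loss_expectancy(r):,.0f} ALE={annual_loss_expectancy(r):,.0f}")
```

Running it shows why the guide separates the two levels: at the summary level the payroll server ranks above the customer database because of its higher probability, but once exposure is folded in at the detailed level the database moves to the top, and the ALE figures express the same ranking in money.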

Assessing Risk: Best Practices
- Analyze risks during the data gathering process
- Conduct research to build credibility for estimating probability
- Communicate risk in business terms
- Reconcile new risks with previous risks

Section: Conducting Decision Support

Overview of the Decision Support Phase (phase 2 of the four-phase process)
Steps in this phase:
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Identifying Output for the Decision Support Phase
Key elements to gather include:
- Decision on how to handle each risk
- Functional requirements
- Potential control solutions
- Risk reduction of each control solution
- Estimated cost of each control solution
- List of control solutions to be implemented

Considering the Decision Support Options
Options for handling risk:
- Accepting the current risk
- Implementing controls to reduce risk

Overview of the Identifying and Comparing Controls Process
Roles involved: security steering committee, mitigation owner, security risk management team.
Activities:
- Identifies potential control solutions
- Determines types of costs
- Estimates level of risk reduction
- Final list of control solutions

Step 1: Define Functional Requirements
The six-step process and the roles involved (security risk management team, mitigation owner, security steering committee):
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

Step 2: Identify Control Solutions (roles: security risk management team, mitigation owner, security steering committee)

Step 3: Review Solutions Against Requirements (roles: security risk management team, mitigation owner, security steering committee)

Step 4: Estimate Degree of Risk Reduction (roles: security risk management team, mitigation owner, security steering committee)

Step 5: Estimate Cost of Each Solution (roles: security risk management team, mitigation owner, security steering committee)

Step 6: Select the Risk Mitigation Strategy (roles: security risk management team, mitigation owner, security steering committee)

Conducting Decision Support: Best Practices
- Consider assigning a security technologist to each identified risk
- Set reasonable expectations
- Build team consensus
- Focus on the amount of risk after the mitigation solution
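The six decision-support steps and the best practice of judging the risk that remains after mitigation can be worked through for a single risk. The Python below is an added example, not tooling from this presentation or from the Microsoft guide: the control names, cost figures, risk-reduction percentages, the acceptable-ALE threshold, the three-year amortization and the accept-or-mitigate decision rule are all constructed assumptions. It picks up the customer-database figures (SLE 2,000,000, ARO 0.5) used in the quantification example, but runs on its own.

```python
# Added worked example: decision support for one risk. Candidate controls are reviewed
# against requirements, their residual ALE and annualized cost estimated, and a
# mitigation strategy chosen. All figures, names and the decision rule are assumptions.
from dataclasses import dataclass


@dataclass
class ControlSolution:
    name: str
    meets_requirements: bool    # step 3: does it satisfy the functional requirements?
    risk_reduction: float       # step 4: fraction of the current ALE the control removes (0..1)
    acquisition_cost: float     # step 5: one-off cost
    annual_cost: float          # step 5: recurring yearly cost
    amortization_years: int = 3  # assumption: spread the one-off cost over three years

    def annualized_cost(self):
        return self.acquisition_cost / self.amortization_years + self.annual_cost


def annual_loss_expectancy(sle, aro):
    """ALE = single-loss expectancy x annual rate of occurrence."""
    return sle * aro


def residual_ale(ale, control):
    """Risk remaining after the control is in place: the figure the best practice says to focus on."""
    return ale * (1.0 - control.risk_reduction)


def evaluate_controls(ale, controls):
    """Steps 3 to 5: keep controls that meet requirements, then rank them by net annual
    benefit (ALE reduction minus annualized cost). Returns (name, residual, cost, benefit)."""
    rows = []
    for c in controls:
        if not c.meets_requirements:
            continue
        residual = residual_ale(ale, c)
        benefit = (ale - residual) - c.annualized_cost()
        rows.append((c.name, residual, c.annualized_cost(), benefit))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def select_strategy(ale, controls, acceptable_ale):
    """Step 6. The slides give two options, accept the current risk or implement controls.
    The rule used here is an assumption: accept when the ALE is already within the acceptable
    level, otherwise take the best-benefit control that reaches that level and pays for itself."""
    if ale <= acceptable_ale:
        return ("accept", None)
    for name, residual, _cost, benefit in evaluate_controls(ale, controls):
        if residual <= acceptable_ale and benefit > 0:
            return ("mitigate", name)
    return ("revisit requirements", None)  # no candidate is both sufficient and worthwhile


# Constructed scenario: the customer-database risk with SLE 2,000,000 and ARO 0.5.
CURRENT_ALE = annual_loss_expectancy(sle=2_000_000, aro=0.5)   # 1,000,000 per year
ACCEPTABLE_ALE = 350_000                                        # assumed acceptable level
CANDIDATES = [
    ControlSolution("Web application patch management program", True, 0.70, 60_000, 40_000),
    ControlSolution("Web application firewall", True, 0.50, 90_000, 30_000),
    ControlSolution("Rewrite the application", False, 0.90, 1_500_000, 0),  # fails the delivery-time requirement
]

if __name__ == "__main__":
    for row in evaluate_controls(CURRENT_ALE, CANDIDATES):
        print("{}: residual ALE {:,.0f}, annual cost {:,.0f}, net benefit {:,.0f}".format(*row))
    print(select_strategy(CURRENT_ALE, CANDIDATES, ACCEPTABLE_ALE))
```

Both surviving candidates cost the same 60,000 a year once the one-off spend is amortized, so the comparison is decided by residual risk: the patch program leaves 300,000 of ALE and is selected, the firewall leaves 500,000 and is not. Lowering the acceptable level to 100,000 makes neither sufficient, which is the signal to go back to step 1 and revisit the requirements.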

Section: Implementing Controls and Measuring Program Effectiveness

Implementing Controls (phase 3 of the four-phase process)
- Seek a holistic approach
- Organize by defense-in-depth

Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
- Communication
- Team scheduling
- Resource requirements

Organizing by Defense-in-Depth
Layers:
- Network
- Host
- Application
- Data
- Physical

Measuring Program Effectiveness (phase 4 of the four-phase process)
- Develop scorecard
- Measure control effectiveness

Developing Your Organization's Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this (risk levels: H, M, L):

Layer        FY05 Q1  FY05 Q2  FY05 Q3  FY05 Q4
Physical     H        M
Network      M        M
Host         M        M
Application  M        H
Data         L        L

Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
- Direct testing
- Submitting periodic compliance reports
- Evaluating widespread security incidents

Session Summary
- One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
- Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
- The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
- The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model
- Determining your organization's maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy

Next Steps
- Find additional security training events:
- Sign up for security communications: default.mspx
- Order the Security Guidance Kit: default.mspx
- Get additional security tools and content:

Questions and Answers