SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.

Presentation transcript:

SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting - O’Connor Davies, LLP Timothy M. Simons, CPA, CFA, CIPM, CSCP, CFP Senior Managing Member – Focus 1 Associates LLC

© 2014 Advent Software, Inc. Advent Confidential

Speakers
Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, MCSE, Director, IT Audit and Consulting Services - O’Connor Davies, LLP
Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC

Objectives
- Discuss how to perform a true cybersecurity risk assessment for your firm
- Learn how to develop and implement administrative, technical, and physical controls relevant to your firm’s risk exposure
- Establish a sound cybersecurity program based on applicable regulatory requirements and industry best practices

Fundamental Components of Risk Assessment
Threats - Anything that can cause harm. Common threat sources:
- Human - Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
- Natural - Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
- Environmental - Long-term power failure, pollution, chemicals, liquid leakage.

Fundamental Components of Risk Assessment
Vulnerabilities - Any hardware, software or procedural weakness that can be exploited (i.e. taken advantage of) by a threat. A threat/vulnerability pair must exist in order to have risk: a threat with nothing to exploit, or a weakness that no threat can reach, produces no risk on its own.
Risk - The probability of occurrence (likelihood) that a threat will take advantage of a vulnerability, combined with the resulting business impact.

Fundamental Components of Risk Assessment
Types of Risk Assessments
- Qualitative - Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high.
- Quantitative - The likelihood of occurrence of particular threats and the loss associated with those threats are estimated and assessed according to predetermined measurement scales (for example, an expected annual loss in dollars), which requires loss and frequency data most firms do not have.
Unless your business absolutely requires a quantitative risk assessment, use a qualitative approach.

Risk Ranking Definitions
- Unacceptable - Mitigation required
- High - Cost/benefit analysis required
- Moderate - Possible cost analysis of mitigation
- Low - No analysis required
When assigning values, trust your initial reaction.

Risk Chart (slide image not reproduced in the transcript)

Inherent vs Residual Risk
Inherent Risk - The risk associated with a threat/vulnerability pair in the absence of any controls (i.e. the risk posed if you apply no controls).
Residual Risk - The amount of risk that remains after the application of controls.
Understanding the inherent risk is key to understanding the extent of controls required to manage the residual risk.

Risk Treatment
- Accept - Knowingly accept the risk because it falls within the organization's "risk appetite"; in other words, management deems the risk acceptable compared to the cost of improving controls to mitigate it.
- Reduce - Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level.
- Avoid - Do not undertake the associated business activity.
- Transfer - Shift the risk to another organization (e.g. through insurance or by contractual arrangements with a business partner). Transfer shifts the financial consequence; it does not shift the firm's own obligation to protect client information.

Risk Management (slide image not reproduced in the transcript)

Risk Areas to Consider (slide image not reproduced in the transcript)

Risk Assessment Framework
Industry recognized frameworks most commonly used include:
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (csrc.nist.gov, sp800_30_r1.pdf)
- OCTAVE (CERT, Carnegie Mellon Software Engineering Institute)
- FAIR (Factor Analysis of Information Risk)

Risk Assessment Framework
Whatever methodology you choose, it should comprise the following:
1. Identify all critical information resources, including such things as servers, applications, data repositories, etc.
2. Assign a value to those resources. Depending on the organization’s risk assessment approach, this can be either a quantitative or qualitative value.
3. Determine the threat and vulnerability pairs that exist for those resources.
4. Determine the probability of occurrence and potential business impact of each threat/vulnerability pair = inherent risk value (the risk value that exists if no controls are implemented).
5. Identify the existing controls in place that reduce the inherent risk to an acceptable level = residual risk value.
When mapping controls, consider both the design and operating effectiveness when determining the residual risk value: a control that is well designed but not actually operating (for example, an access review nobody performs) earns no reduction.
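The five steps above, together with the qualitative scale from the Risk Ranking Definitions slide and the inherent/residual distinction, can be carried out as a small risk register. The following is an added example written for this transcript, not a tool from the presenters or from NIST, OCTAVE or FAIR: the three-level likelihood and impact scale, the 3x3 rating matrix, the rule that each effective control lowers likelihood or impact by one level, and the sample register entries are all assumptions chosen for illustration.

```python
"""
Qualitative risk register: inherent risk -> mapped controls -> residual risk.

Added illustration of the assessment steps on the slides; not the presenters'
tool. The scale, the rating matrix and the one-step reduction per effective
control are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

LEVELS = ["Low", "Moderate", "High"]   # likelihood and impact scale (assumed)

# Risk rating as a function of (likelihood, impact); matrix is an assumption
RATING = {
    ("Low", "Low"): "Low",           ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",      ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",     ("High", "Moderate"): "High",         ("High", "High"): "Unacceptable",
}

# Ranking definitions from the slides, mapped to the action each rating demands
ACTION = {
    "Unacceptable": "Mitigation required",
    "High": "Cost/benefit analysis required",
    "Moderate": "Possible cost analysis of mitigation",
    "Low": "No analysis required",
}


@dataclass
class Control:
    name: str
    reduces: str                # "likelihood" or "impact"
    design_effective: bool      # does the control, as designed, address the pair?
    operating_effective: bool   # is there evidence it actually operates as designed?

    def is_effective(self) -> bool:
        # Credit a control only if it is both well designed and operating;
        # a documented review that nobody performs reduces nothing.
        return self.design_effective and self.operating_effective


@dataclass
class RiskItem:
    resource: str
    threat: str
    vulnerability: str
    likelihood: str             # inherent likelihood, i.e. with no controls applied
    impact: str                 # inherent business impact
    controls: List[Control] = field(default_factory=list)


def step_down(level: str, steps: int) -> str:
    """Lower a level by `steps`, never below the bottom of the scale."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def inherent_risk(item: RiskItem) -> str:
    return RATING[(item.likelihood, item.impact)]


def residual_risk(item: RiskItem) -> Tuple[str, List[str]]:
    """Apply only effective controls; return the residual rating and the controls given no credit."""
    lik_cuts = sum(1 for c in item.controls if c.is_effective() and c.reduces == "likelihood")
    imp_cuts = sum(1 for c in item.controls if c.is_effective() and c.reduces == "impact")
    ignored = [c.name for c in item.controls if not c.is_effective()]
    rating = RATING[(step_down(item.likelihood, lik_cuts), step_down(item.impact, imp_cuts))]
    return rating, ignored


def assess(register: List[RiskItem]) -> List[dict]:
    """Rate every register entry and order the result worst residual risk first."""
    rows = []
    for item in register:
        res, ignored = residual_risk(item)
        rows.append({"resource": item.resource, "threat": item.threat,
                     "vulnerability": item.vulnerability, "inherent": inherent_risk(item),
                     "residual": res, "action": ACTION[res], "ignored_controls": ignored})
    order = ["Unacceptable", "High", "Moderate", "Low"]
    return sorted(rows, key=lambda r: order.index(r["residual"]))


# Constructed sample register for a hypothetical advisory firm (not from the slides)
SAMPLE_REGISTER = [
    RiskItem("Client portfolio database", "External attacker",
             "Internet-reachable admin login without MFA", likelihood="High", impact="High",
             controls=[Control("MFA on admin logins", "likelihood", True, True),
                       Control("Quarterly access review", "likelihood", True, False)]),  # designed, not performed
    RiskItem("Trading workstation", "Malware via email",
             "Users can run unsigned executables", likelihood="High", impact="Moderate",
             controls=[Control("Application allow-listing", "likelihood", True, True),
                       Control("Tested offline backups", "impact", True, True)]),
    RiskItem("Server room", "Long-term power failure",
             "No generator; UPS covers 20 minutes", likelihood="Low", impact="High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["resource"]:28} inherent={row["inherent"]:12} residual={row["residual"]:12} '
              f'-> {row["action"]}  (no credit: {row["ignored_controls"]})')
```

The point the example makes is the one in the last sentence of the slide: the portfolio database starts at Unacceptable, the working MFA control brings it down to High, and the access review that exists only on paper is listed under "no credit" rather than lowering the rating a second step. Replace the assumed matrix and scale with your firm's own definitions before using this for a real assessment.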

Sample Modified Approach (slide image not reproduced in the transcript)

Questions?
Tom DeMayo, CISSP, CISA, CIPP, CEH, CPT, CHFI, MCSE, Director, IT Audit and Consulting Services - O’Connor Davies, LLP
Tim Simons, CPA, CFA, CIPM, CSCP, CFP, Senior Managing Member - Focus 1 Associates LLC