Risk Management. Alaa Mubaied, alaa.mubaied@owasp.com


Introduction
- Organizations must design and create safe environments in which business processes and procedures can function.
- Risk management: the process of identifying and controlling the risks facing an organization.
- Risk identification: the process of examining the current information technology security situation in the organization.
- Risk control: applying controls to reduce risks to an organization's data and information systems.

An Overview of Risk Management
- Know your organisation: identify, examine, and understand the information and systems currently in place.
- Know the enemy: identify, examine, and understand the threats facing the organization.
- Information security, management and users, and information technology all must work together to manage the risks that are encountered.

Role of Risk Management
- Risk management involves identifying, classifying, and prioritizing assets in the organization.
- A threat assessment process involves identifying and quantifying the risks facing each asset.
- Components of risk identification: people, procedures, data, software, hardware.

Questions to ask!
- What are the resources that need protecting?
- What is the value of those resources, monetary or otherwise?
- What are all the possible threats that those resources face?
- What is the likelihood of those threats being realized?
- What would be the impact of those threats if they were realized?

Components of Risk Management
- Risk identification and assessment: identifying risks and assessing their potential impacts.
- Risk control: prioritizing, implementing, and maintaining an acceptable level of risk.
- Risk evaluation: continuous appraisal of the risk management process.

Components of Risk Management

Risk Identification

Components of Risk Identification

Asset Identification
- What are the resources or assets that need protecting?
- Identification of assets includes all elements of an organization's system, i.e. people, procedures, data and information, software, hardware, networking, etc.
- People: position name/number/ID; security clearance level; special skills.
- Procedures: description; intended purpose; what elements it is tied to; storage location for reference and update.
- Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures.

Asset Identification (cont.)
- Information: needs of the organization and the preferences/needs of the security and information technology communities.
- Hardware: asset name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity.
- Software assets: proprietary programs, company bespoke software.
- Network assets: network components, monitoring tools, etc.

Information Asset Valuation
- What is the value of those resources/assets, monetary or otherwise?
- Consider the loss of confidentiality, integrity, completeness or availability.
- Which information asset:
  - Is most critical to the organization's success?
  - Generates the most revenue/profitability?
  - Would be most expensive to replace or protect?
  - Would be the most embarrassing or cause the greatest liability if revealed?

Threat Assessment
- Identify which threats present danger to assets: which represent the most danger to information, which require the greatest expenditure to prevent, and which threat sources might be applicable to the system.
- How much would it cost to recover from an attack?
- Intentional threats reside in the motivations of humans to undertake potentially harmful activities.
- Unintentional threats are benign instances, with no harmful intent behind them.

Threats to Information Security

Vulnerability Identification
- Vulnerabilities are the specific avenues that threat agents can exploit to attack an information asset.
- Identify flaws and weaknesses that could possibly be exploited because of the threats:
  - Behavioral and attitudinal vulnerabilities
  - Misinterpretations
  - Coding problems
  - Physical vulnerabilities
- At the end of this risk identification process, a list of assets and their vulnerabilities is achieved.

Risk Assessment

Risk Assessment
- Risk assessment evaluates the relative risk for each vulnerability.
- It assigns a risk rating or score to each information asset.
- The goal at this point: create a method for evaluating the relative risk of each listed vulnerability.

Likelihood
- The probability that a specific vulnerability will be the object of a successful attack.
- Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100.
- Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list.
- Use a selected rating model consistently.
- Use external references for values that have been reviewed/adjusted for your circumstances.

Risk Determination
Risk EQUALS likelihood of vulnerability occurrence TIMES value (or impact) MINUS percentage of risk already controlled PLUS an element of uncertainty.

Documenting the Results
- The final summary is comprised in a ranked vulnerability risk worksheet, which details: asset; asset impact; vulnerability; vulnerability likelihood; risk-rating factor.
- This is the working document for the next step in the risk management process: assessing and controlling risk.

Ranked Vulnerability Risk Worksheet
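As an added worked example (not part of the original slides), the Python below applies the Risk Determination formula to a handful of asset/vulnerability pairs and produces the ranked vulnerability risk worksheet described on the Documenting the Results slide, with the columns the slide lists (asset, asset impact, vulnerability, likelihood, risk rating). The "percentage already controlled" and "element of uncertainty" terms are taken as fractions of the likelihood × value product, which is an interpretation of the slide's wording, and it also enforces the Likelihood slide's rating model (0.1 to 1.0, zero never listed). All asset names, scores and control estimates are constructed sample data.

```python
"""Risk determination and a ranked vulnerability risk worksheet.

Added worked example, not from the original slides. Applies:

    risk = likelihood * value - (share already controlled) + (uncertainty)

with the last two terms taken as fractions of the likelihood * value
product (an interpretation of the slide's wording). Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityEntry:
    asset: str
    asset_value: float    # relative value/impact score for the asset (here 1..100)
    vulnerability: str
    likelihood: float     # 0.1 (low) .. 1.0 (high); zero-likelihood items are never listed
    controlled: float     # fraction of the risk already removed by current controls, 0..1
    uncertainty: float    # fraction expressing doubt in the likelihood/value estimates, 0..1


def validate(entry: VulnerabilityEntry) -> None:
    """Enforce the rating model's ranges so every entry is comparable.

    The slides state that zero-likelihood items are dropped from the list
    rather than scored, so a likelihood below 0.1 is rejected here.
    """
    if not 0.1 <= entry.likelihood <= 1.0:
        raise ValueError(f"{entry.vulnerability}: likelihood must be within 0.1..1.0")
    if entry.asset_value <= 0:
        raise ValueError(f"{entry.asset}: asset value must be positive")
    for name in ("controlled", "uncertainty"):
        fraction = getattr(entry, name)
        if not 0.0 <= fraction <= 1.0:
            raise ValueError(f"{entry.vulnerability}: {name} must be a fraction 0..1")


def risk_rating(entry: VulnerabilityEntry) -> float:
    """Risk = likelihood x value - share already controlled + uncertainty margin."""
    base = entry.likelihood * entry.asset_value
    already_controlled = base * entry.controlled
    uncertainty_margin = base * entry.uncertainty
    return round(base - already_controlled + uncertainty_margin, 2)


def ranked_worksheet(entries):
    """Validate every entry, then return worksheet rows sorted by risk, highest first."""
    for entry in entries:
        validate(entry)
    rows = [
        {
            "asset": e.asset,
            "asset_impact": e.asset_value,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "risk_rating": risk_rating(e),
        }
        for e in entries
    ]
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


def format_worksheet(rows) -> str:
    """Render the rows as the plain-text worksheet a risk owner would review."""
    header = f"{'Asset':<24}{'Impact':>7}  {'Vulnerability':<32}{'Likelihood':>11}{'Risk':>7}"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(
            f"{r['asset']:<24}{r['asset_impact']:>7.0f}  {r['vulnerability']:<32}"
            f"{r['likelihood']:>11.1f}{r['risk_rating']:>7.1f}"
        )
    return "\n".join(lines)


# Constructed sample register (hypothetical assets and estimates, not from the slides).
SAMPLE_ENTRIES = [
    VulnerabilityEntry("Customer order database", 100, "Unpatched database service", 0.5, 0.50, 0.20),
    VulnerabilityEntry("Customer order database", 100, "Backup media stored on site", 0.1, 0.00, 0.20),
    VulnerabilityEntry("Public web server", 50, "Login form lacks lockout", 1.0, 0.00, 0.10),
]

if __name__ == "__main__":
    print(format_worksheet(ranked_worksheet(SAMPLE_ENTRIES)))
```

For the first sample row the arithmetic is 0.5 × 100 = 50, minus the 50% already controlled (25), plus the 20% uncertainty margin (10), giving 35; the web server row scores 55 and ranks first despite the lower asset value because nothing controls it yet.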

Risk Control

Risk Control Strategies
- Responses to risk:
  - Accept it and do nothing.
  - Reduce it with security measures.
  - Avoid it completely by withdrawing from an activity.
- Must choose a strategy to control each identified risk: accept, mitigate, defend, transfer, terminate.

Defend
- Attempts to prevent exploitation of the vulnerability.
- The preferred approach.
- Accomplished by countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards.
- Three common methods of risk avoidance: application of policy; training and education; applying technology.

Transfer
- Control approach that attempts to shift risk to other assets, processes, or organizations.
- If the organization lacks the expertise, it should hire individuals/firms that provide security management and administration expertise.
- The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.

Mitigate
- Attempts to reduce the impact of vulnerability exploitation through planning and preparation.
- Incident response plan (IRP): defines the actions to take while an incident is in progress.
- Disaster recovery plan (DRP): the most common mitigation procedure.
- Business continuity plan (BCP): encompasses continuation of business activities if a catastrophic event occurs.

Accept
- Doing nothing to protect a vulnerability and accepting the outcome of its exploitation.
- Valid only when the particular function, service, information, or asset does not justify the cost of protection.

Terminate
- Directs the organization to avoid those business activities that introduce uncontrollable risks.
- The organization may seek an alternate mechanism to meet customer needs.

Risk Management Issues
- The organization must define the level of risk it can accept.
- Risk appetite defines the quantity and nature of risk that organizations are willing to accept as trade-offs between perfect security and unlimited accessibility.
- Residual risk: risk that has not been completely removed, shifted, or planned for.

Residual risk

Risk Control Practices
- Convince budget authorities to spend up to the value of the asset to protect it from an identified threat.
- The final control choice may be a balance of controls providing the greatest value to as many asset-threat pairs as possible.
- Organizations often look to implement controls that don't involve such complex, inexact, and dynamic calculations.

Summary
- Risk identification: formal process of examining and documenting risk in information systems.
- Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the components of an information system.
- A risk management strategy enables identification, classification, and prioritization of an organization's information assets.
- Residual risk: risk remaining to the information asset even after the existing control is applied.

Questions?