INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,

Slides:



Advertisements
Similar presentations
Security+ All-In-One Edition Chapter 17 – Risk Management
Advertisements

Once we know our weaknesses, they cease to do us any harm.
Risk Management: Identifying and Assessing Risk Chapter 4 Once we know our weaknesses, they cease to do us any harm. -- G.C. (GEORG CHRISTOPH) LICHTENBERG.
Project Risk Management
Dipartimento di Scienze - 19 giugno Pamela Peretti Dottorato di ricerca in Scienze XXI° ciclo scrutinio annuale a.a 2007/2008 Dipartimento di Scienze.
Principles of Information Security, 2nd Edition1 Risk Management.
Lecture 8: Risk Management Controlling Risk
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Risk Management.
Risk Management Identifying and Assessing Risk
CMPS 319 Risk Management: Identifying and Assessing Risk Chapter 4
Risk Management Chapter 4.
Part II Project Planning © 2012 John Wiley & Sons Inc.
Introduction to Network Defense
Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, Fifth Edition
Risk Management - Security
ITC358 ICT Management and Information Security
Management of Information Security, 4th Edition
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
An Overview of Risk Management
Chapter 11: Project Risk Management
Principals of Information Security, Fourth Edition
Conostix S.A. Sensible defence.
Risk Management (Risk Identification)
Information Systems Risk Management
Security Risk Management
Lecture 32 Risk Management (Cont’d)
TEL2813/IS2820 Security Management Risk Management: Identifying and Assessing Risk Lecture 7 Feb 17, 2005.
MANAGEMENT of INFORMATION SECURITY Second Edition.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
Chapter 11: Project Risk Management
Management & Development of Complex Projects Course Code MS Project Management Perform Qualitative Risk Analysis Lecture # 25.
INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,
CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 2 Risk Identification and Risk Assessment.
Lecture 31 Risk Management. Introduction Information security departments are created primarily to manage IT risk Managing risk is one of the key responsibilities.
Slide 1 Risk Management: Identifying and Assessing Risk  “ Once we know our weakness, they cease to do us an harm” Greg Lichen.
MANAGEMENT of INFORMATION SECURITY Third Edition CHAPTER 8 RISK MANAGEMENT: IDENTIFYING AND ASSESSING RISK Once we know our weaknesses, they cease to do.
Alaa Mubaied Risk Management Alaa Mubaied
Risk Management CS5493. Risk Management The process of ● identifying, ● assessing, ● prioritizing, and ● mitigating risks.
SOFTWARE PROJECT MANAGEMENT
Project Risk Management Planning Stage
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Risk Identification and Risk Assessment
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
MANAGEMENT of INFORMATION SECURITY Second Edition.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Risk Management Issues in Information Security Amanda Kershishnik COSC April 2007.
MANAGEMENT of INFORMATION SECURITY Second Edition.
RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY By Collin Donaldson.
Principles of Information Security, Fourth Edition Risk Management Ch4 Part II.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Principles of Information Security, Fourth Edition
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
Principles of Information Security, Fourth Edition Risk Management Ch4 Part I.
Managing Project Risk – A simplified approach Presented by : Damian Leonard.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition.
Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg.
Identifying and Assessing Risk
Principles of Information Security, Fifth Edition
Identifying and Assessing Risk
OSG Computer Security Plans
CHAPTER11 Project Risk Management
The Importance of Project Risk Management
Risk Management: Principles of risk, Types of risk and Risk strategies
Principles of Information Security, Fifth Edition
Information Security Risks; All-in-One Terminology
HIPAA Security Risk Assessment (SRA)
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Discretionary Access Control (DAC) Security Model The owner of an object controls who and what may access it. Access is at the owner’s discretion. Most personal computer operating systems are designed based on the DAC model

Data classification scheme/model – Data owners classify the information assets – Reviews periodically Security clearance structure – Subjects labeled by level of security clearance (privilege) – Objects labeled by level of classification/sensitivity Mandatory Access Control (MAC) Security Model

Role-based Access Control (RBAC) Security Model Nondiscretionary Controls An improvement over the mandatory access control (MAC) security model Role-based controls Task-based controls Users are given roles with this role determining access

Introduction Information security departments are created primarily to manage IT risk In any well-developed risk management program, two formal processes are at work – Risk identification and assessment – Risk control

Risk Management “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

Knowing Yourself & The Enemy Identifying, examining and understanding the information and how it is processed, stored, and transmitted Identifying, examining, and understanding the threats facing the organization’s information assets

Communities of Interest: All Play a role Information Security Information Technology Management and Users

Risk Terminology Asset & Asset valuation Threat Vulnerability Exposure Risk

Risk Terminology

Risk Identification Figure 8-1 Risk identification process Source: Course Technology/Cengage Learning

Asset Identification Identify organization’s information assets Inventory: software/hardware, and networking elements More easily tracked (automated inventory system) People, procedures, data and info May take more time / ongoing

Creating an Inventory of Information Assets Determine which attributes of each information asset should be tracked Potential asset attributes – Name, IP address – MAC address, asset type – Physical location, logical location – Controlling entity

Creating an Inventory of Information Assets (cont’d.) Identifying people, procedures and data assets Sample attributes – People - Position name/number/ID – Procedures – Description/Intended purpose – Data – Classification & Owner/creator/manager

Asset: Classifying and Categorizing Determine whether the asset categories are meaningful Inventory should also reflect each asset’s sensitivity and security priority Classification categories must be comprehensive and mutually exclusive Not one schema for all assets

Asset Valuation Assign a relative value: – As each information asset is identified, categorized, and classified Goal: assign value to encompass both tangible and intangible costs

Importance of Assets List the assets in order of importance Achieved by using a weighted factor analysis worksheet

Risk Terminology

Threat Identification Any organization typically faces a wide variety of threats

Threat Assessment Each threat presents a unique challenge to information security Each must be further examined to determine its potential to affect the targeted information asset

Threat Identification (cont’d.) Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August Reprinted with permission Weighted ranks of threats to information security

Vulnerability Assessment – Review every information asset for each threat – Leads to the creation of a list of vulnerabilities that remain potential risks to the organization Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

Vulnerability Assessment Management of Information Security, 3rd ed. Table 8-4 Vulnerability assessment of a DMZ router Source: Course Technology/Cengage Learning

The TVA Worksheet At the end of the risk identification process, a list of assets and their vulnerabilities has been developed List serves as the starting point for the next step in the risk management process - risk assessment Another list prioritizes threats facing the organization based on the weighted table discussed earlier

The TVA Worksheet (cont’d.) Table 8-5 Sample TVA spreadsheet Source: Course Technology/Cengage Learning

Introduction to Risk Assessment The goal is to create a method to evaluate the relative risk of each listed vulnerability Figure 8-3 Risk identification estimate factors Source: Course Technology/Cengage Learning

Likelihood The overall rating of the probability that a specific vulnerability will be exploited Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset

Percentage of Risk Mitigated by Current Controls If a vulnerability is fully managed by an existing control, it can be set aside If it is partially controlled, estimate what percentage of the vulnerability has been controlled

Uncertainty It is not possible to know everything about every vulnerability The degree to which a current control can reduce risk is also subject to estimation error Uncertainty is an estimate made by the manager using judgment and experience

Risk Determination – Example 1 Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate Risk: [Asset Value(AV) x Likelihood(L)] – Controls(AV*L) + Uncertainty (AV*L) Risk = [50 x 1.0] – 0.0(50*1.0) + 0.1(50*1.0) = 55

Risk Determination – Example 2 Asset B has a value of 100 and has two vulnerabilities: vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk vulnerability # 2 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate Risk: [Asset Value(AV) x Likelihood(L)] – Controls(AV*L) + Uncertainty (AV*L) Risk1 = [100 x 0.5] – 0.5(100*0.5) + 0.2(100*0.5) = 35 Risk2 = [100 x 0.1] – 0.0(100*0.1) + 0.2(100*0.1) = 12

Qualitative Risk Analysis Evaluate opinions, feelings, ideas Scenarios Brainstorming Delphi technique Storyboarding Focus groups Surveys, questionnaires, checklists One-on-one meetings, interviews

Qualitative Risk Assessment For a given scope of assets, identify: Vulnerabilities Threats Threat probability (Low / medium / high) Impact (Low / medium / high) Countermeasures

Example of Qualitative Risk Assessment ThreatImpactInitial Probability Counter- measure Residual Probability Flood damage HLWater alarmsL TheftHLKey cards, surveillance, guards L Logical intrusion HMIntrusion prevention system L

Quantitative Risk Assessment Extension of a qualitative risk assessment. Metrics for each risk are: Asset value: replacement cost and/or income derived through the use of an asset Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) Single Loss Expectancy (SLE) = Asset ($) x EF (%)

Quantitative Risk Assessment Metrics (cont.) Annualized Rate of Occurrence (ARO) Probability of loss in a year, % Annual Loss Expectancy (ALE) = SLE x ARO

Example of Quantitative Risk Assesment Theft of a laptop computer, with the data encrypted Asset value: $4,000 Exposure factor ? 100% SLE, ARO, ALE ? SLE = 4000 * 100% = 4,000 ARO = 10% chance of theft / year ALE = 10% * 4000 = 400

Example of Quantitative Risk Assesment Dropping a laptop computer and breaking the screen Asset value: $4,000 Exposure factor ? 50% SLE, ARO, ALE ? SLE = $4,000 x 50% = $2,000 ARO = 25% chance of damaging / year ALE = 25% x $2,000 = $500

Qualitative vs. Quantitative

Documenting the Results of Risk Assessment Goals of the risk management process – To identify information assets and their vulnerabilities – To rank them according to the need for protection In preparing this list, a wealth of factual information about the assets and the threats they face is collected The final summarized document is the ranked vulnerability risk worksheet

Management of Information Security, 3rd ed. Table 8-9 Ranked vulnerability risk worksheet Source: Course Technology/Cengage Learning