Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity: Risk Management

Published byDamian Lambert Modified over 7 years ago

Similar presentations

Presentation on theme: "Cybersecurity: Risk Management"— Presentation transcript:

1 Cybersecurity: Risk Management
Janica Edmonds

2 Cyber Realm Card game Created by GenCyber Duo at California State University, San Bernardino Answers??

3 4 1 2 3 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 Minimization Answers Notes: #9 shows up in two places Minimization was left off the card (see top for solutions)

4 Example: Mom & Pop Shop Mom & Pop Shop
Running a touristy type business selling handmade crafts Keep accounts and business transactions records on a computer Running a website to advertise their business

5 Example: Threat Matrix
Mom & Pop Shop Threat/Asset HW SW People Data Interception Interruption Modification Fabrication What are some things that could happen to threaten the security of the Mom & Pop Shop? Form small groups of three or four Brainstorm ways of filling in the possible threats to the security of the Mom & Pop Shop 10 minutes or so Reconvene for discussion

6 Example: Application of Principles
Domain separation Layering Least privilege Information hiding Simplicity Minimization Modularization Domain separation – keep website hosting separate from accounting records Layering – levels of security Least privilege – who has access? To what? Information hiding – keeping account #s, etc. hidden. Simplicity – Minimization – least functionality needed  no online purchases? No need for certain SW Modularization – let’s add functionality  online purchases! How does that change the threat matrix?

7 Risk Management Risk assessment Risk mitigation Evaluation
Identify and evaluate risk, its impact, and recommended risk reducing activities Risk mitigation Prioritize, implement, and maintain risk reducing activities Evaluation Continual process

8 Risk Mitigation Prioritize, evaluate, and implement controls
Philosophy Risk mitigation options Philosophy Least cost approach Implement most appropriate controls Accept minimal adverse impact Risk mitigation options Risk assumption – zen-like state risk avoidance – e.g., shut down services to avoid attacks risk limitation – implement controls to mitigate threats risk planning – managing risk systematically Research and acknowledgement – identify flaws and correct them Risk transference – e.g., insurance

9 Risk Mitigation: Action Points
Action point rules of thumb Vulnerability exists? Implement assurance techniques to reduce likelihood of exercise Vulnerability can be exercised? Apply layered protection to minimize impact Attacker’s cost < potential gain? Apply protection to decrease attacker incentive Loss is too great? Apply design principles and protective measures to reduce the potential for loss

10 Security Controls Prevent, limit, deter threat-source damage to assets
Technical Management Operational

11 Technical Controls Supporting Preventive Detect and recover Supporting
Underlie most security capabilities Preventive E.g., firewalls, access control, secure communication Detect and recover Auditing, redundancy, archival, IDSs

12 Management Controls Information protection policies, guidelines & standards for operations Preventive Detection Recovery Preventive Assign security responsibility Develop and maintain security plans Implement personnel security controls such as least privilege or separation of duties Conduct security awareness & training Detection Implement personnel security controls such as background checks Periodic review of security controls Periodic system audits Ongoing risk management processes Recovery Provide for continuity of operations during emergencies and disasters Establish an incident response capability

13 Operational Controls Procedures governing the use and operation of IT systems Preventive Detection Preventive Control data media access and disposal Limit external data distribution Control SW viruses Protect computing facility (badges, biometrics, guards) Provide backup capability (power, communications, and facility) Control environment (temperature, humidity) Detection Provide physical security (cameras) Monitor environmental conditions (smoke/fire detectors)

14 Residual Risk

Download ppt "Cybersecurity: Risk Management"

Similar presentations

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Risk Analysis COEN 250.

Risk Analysis COEN 250.
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.

© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

Similar presentations

Ads by Google