Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Threat and Risk Assessment Overview

Published byConstance Maxwell Modified over 6 years ago

Similar presentations

Presentation on theme: "IT Threat and Risk Assessment Overview"— Presentation transcript:

1 IT Threat and Risk Assessment Overview
June 6, 2014

2 Impact x Likelihood = Risk
2

3 Risk LIKELIHOOD IMPACT High Medium Low Seldom/ never Major Moderate
Significant Minor Negligible Based on BC Museums Best Practices Module – Risk Management, 2005 (modified) 3

4 Risk Assessment Threat > Impact x Likelihood = Risk > Safeguards > Residual Risk Threat: A potential act or event that could cause unauthorized access, modification, disclosure or destruction of information or IT assets. Residual Risk: The risk that remains after the implementation of recommended safeguards. Potential act or event that could cause loss Define IT security requirements Risk that remains after safeguards are implemented 4

5 Risk Assessment Risk assessment is a “business” exercise
IT risk assessment is ideally part of the overall risk assessment of the project Risk assessment can scale Can be short and simple, or detailed and rigorous “Generic” risk assessments Can re-use assessment from similar project 5

6 Threat and Risk Assessment / Certification & Accreditation Steps
Identify and Categorize Assets Threat and Risk Assessment Implement Certify Accredit Threat and Risk Assessment: The process of identifying and qualifying threats and risks to information and IT assets and of implementing or recommending safeguards to mitigate risks that are deemed unacceptable. Certification: To verify that the security requirements established for a particular system or service are met and that the controls and safeguards work as intended. Accreditation: To signify that management has authorized a system or service to operate and has accepted the residual risk of operating a system or service, based on the certification evidence. How critical? How sensitive? Identify safeguards, IT security requirements Implement safeguards Confirm whether safeguards are implemented Accept residual risk Project Team Project Team Project Team IT Security Coordinator Management 6

7 Risk Assessment Example
7

8 Sample Threat and Risk Assessment Worksheet
Impact Likelihood Risk Safeguards Residual Risk Disk failure Major Common High Redundant disks; Backups Low Power supply failure Significant Unlikely Moderate Redundant power supplies Records misfiled Minor Employee training Non- sensitive information shared 8

9 Roll-out, tools and support
Trial approach on a few projects Tools TRA worksheet and guide List of sample threats Integrate into regular project planning Prioritize based on sensitivity, criticality Decision records in Enterprise Assess as we go 9

10 Decision records in Enterprise
10

11 Discussion and feedback
11

12 References Management of Information Technology Security (MITS) Operational Security Standard: eng.aspx?id=12328&section=text BC Museums Best Practices Module – Risk Management: content/uploads/2013/07/BP-7-Risk- Management.pdf 12

13 Management Accountability Framework (MAF)
13

Download ppt "IT Threat and Risk Assessment Overview"

Similar presentations

Risk Management Module 3D Canada Bridges Project Management Tools Risk Management - Module 3D 1.

Risk Management Module 3D Canada Bridges Project Management Tools Risk Management - Module 3D 1.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
The Department of Energy Enterprise Risk Management Model

The Department of Energy Enterprise Risk Management Model
RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.

RISK ANALYSIS.  Almost all of the things that we do involve risk of some kind, but it can sometimes be challenging to identify risk, let alone to prepare.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
1 PER-005 Update Impact on Operators System Operator Conference April 17-19 and May 1-3, 2012 Columbia, SC Margaret Stambach Manager, Training Services.

1 PER-005 Update Impact on Operators System Operator Conference April and May 1-3, 2012 Columbia, SC Margaret Stambach Manager, Training Services.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.
Office of Operations 2009 Fall Conference Navigating Uncertain Times October 21-22, 2009 Risk Assessment and Internal Controls Internal Controls Anna Tomassacci.

Office of Operations 2009 Fall Conference Navigating Uncertain Times October 21-22, 2009 Risk Assessment and Internal Controls Internal Controls Anna Tomassacci.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management

Similar presentations

Ads by Google