HOW MUCH RISK IS ASSOCIATED WITH IT HYGIENE USING FAIR?


1 HOW MUCH RISK IS ASSOCIATED WITH IT HYGIENE USING FAIR?
Case Study
Shared courtesy of RiskLens
CONFIDENTIAL - FAIR INSTITUTE 2016

2 ANALYSIS SCOPING
RISK SCENARIO DESCRIPTION: Understand how much risk is associated with IT hygiene
ASSET(S) DESCRIPTION: Internal systems including databases, servers and workstations
LOSS TYPE: Confidentiality and Availability
THREAT(S) DESCRIPTION:
  Malicious attack by cyber criminals, general hackers and internal privileged users
  Non-malicious incident by internal privileged users

3 ANALYSIS SCOPING
Analysis Approach: IT Hygiene
  Internal Threats (Malicious / Non-Malicious)
  External Threats (Malicious)
  Servers, Databases, Workstations
  Confidentiality Events and Availability Events included

4 ANALYSIS SCOPING
Questions to Answer
  How much risk is associated with IT hygiene as a whole?
  How much risk is associated with each asset type (server, database, workstation)?
  How much risk is associated with confidentiality and availability?
  What percentage of the overall risk is driven by the different actors?

5 ANNUALIZED REDUCTION IN LOSS EXPOSURE (RISK)
ANALYSIS RESULTS
RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.

Analysis        Minimum*   Average   Maximum*
Current State   $3.2M      $14.5M    $45.0M

*Min represents the more probable 10th percentile of simulation results.
*Max represents the more probable 90th percentile of simulation results.

6 ANNUALIZED LOSS EXPOSURE (RISK)
ANALYSIS RESULTS
RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.
60% related to Confidentiality, 40% related to Availability

7 ANALYSIS RESULTS
Average Loss Exposure
Concentrations of Risk
Relevant Threats

8 ANALYSIS LEVERAGED THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
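
The FAIR decomposition above, run as a Monte Carlo simulation and reported the way the results slide reports it (10th percentile, average, 90th percentile of annualized loss exposure). This is an added example, not code from the case study or from RiskLens; the PERT distributions, every input range, and the function names are assumptions chosen for illustration.

```python
import random
import statistics

# Constructed (min, most likely, max) estimates for illustration; not the case study's inputs.
SCENARIO = {
    "contact_frequency": (2, 6, 20),             # threat contacts per year
    "probability_of_action": (0.1, 0.3, 0.6),    # chance a contact becomes a threat event
    "threat_capability": (30, 60, 95),           # percentile scale, 0-100
    "resistance_strength": (40, 70, 90),         # percentile scale, 0-100
    "primary_loss": (20_000, 80_000, 400_000),   # dollars per loss event
    "secondary_loss": (0, 150_000, 2_000_000),   # dollars per loss event
}

def pert(rng, low, mode, high):
    """Sample a beta-PERT value from a (min, most likely, max) estimate."""
    if high == low:
        return float(low)
    a = 1 + 4 * (mode - low) / (high - low)
    b = 1 + 4 * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def simulate_year(rng, s):
    """Walk the FAIR tree once and return that year's total loss."""
    contacts = round(pert(rng, *s["contact_frequency"]))
    p_action = pert(rng, *s["probability_of_action"])
    loss = 0.0
    for _ in range(contacts):
        if rng.random() >= p_action:
            continue  # contact that never became a threat event
        # Vulnerability: a loss event occurs only when capability beats resistance.
        if pert(rng, *s["threat_capability"]) <= pert(rng, *s["resistance_strength"]):
            continue
        loss += pert(rng, *s["primary_loss"]) + pert(rng, *s["secondary_loss"])
    return loss

def annualized_loss_exposure(s, trials=10_000, seed=2016):
    """Return the 10th percentile, mean and 90th percentile of simulated annual loss."""
    rng = random.Random(seed)  # fixed seed so a rerun reproduces the same figures
    years = sorted(simulate_year(rng, s) for _ in range(trials))
    deciles = statistics.quantiles(years, n=10)
    return {"min_p10": deciles[0], "average": statistics.fmean(years), "max_p90": deciles[8]}

if __name__ == "__main__":
    for name, value in annualized_loss_exposure(SCENARIO).items():
        print(f"{name}: ${value:,.0f}")
```

Raising `resistance_strength` (for example, more consistent patch levels or authentication controls) and rerunning shows the change in loss exposure that a hygiene improvement would buy under these assumed inputs.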

9 Threat Event Frequency
THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss

10 ANALYSIS CONSIDERATIONS
Configuration Management
  Consistency of authentication controls
  Consistency of access privileges
  Consistency of configuration standards
Vulnerability Management
  Consistency or state of patch levels
Additionally, estimated threat event frequency

11 Threat Event Frequency
THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss

12 ANALYSIS INPUT
PRIMARY LOSSES
  Incident response
  Investigation
SECONDARY LOSSES
  Notification / credit monitoring
  Regulatory notification
  Possible fines / judgments
  Customer service requests
  Potential litigation
  Loss of current/future customers (reputation)
  Card replacement

13 DECISION SUPPORT / ROI
DATA LOSS CONSIDERATIONS
  Confidentiality: Estimated the amount of data stored or processed across population of assets
  Availability: Estimated the productivity costs associated with loss of system availability
THE CIO/CISO WAS ABLE TO UNDERSTAND
  Where this top risk issue stands among other priorities
  Where the team should focus next
This analysis will be revisited bi-annually to assess reductions of risk associated with IT hygiene and determine the value that the team is providing to the organization.

