Identifying and Assessing Risk


1 Identifying and Assessing Risk
INFORMATION SECURITY MANAGEMENT. Risk Management: Identifying and Assessing Risk. "You've got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra

2 True Story A company suffered a catastrophic loss one night when its office burned to the ground. As the employees gathered around the charred remains the next morning, the president asked the secretary whether she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders, and so on. The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status. "Well," the secretary said, "I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office." M. Ciampa, "Security+ Guide to Network Security Fundamentals", 3rd Edition, p. 303

3 Risk is all around us… "Investing in stocks carries a risk …"
"Speeding in a car carries a risk …" "Outdated anti-virus software carries a risk …"

4 Risk Management “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

5 Risk Terminology
Two steps: risk assessment, then risk treatment.

6 Risk Terminology
Asset, threat, vulnerability and risk in information security.
Two steps: risk assessment, then risk treatment.

7 Assets
(Two steps: risk assessment, then risk treatment.)

8 Asset Identification http://www.misutilities.com/
Source: Course Technology/Cengage Learning

9 Importance of Assets Classifying/Categorization

10 Asset Identification: Asset Ranking
Assets should be ranked so that the most valuable assets get the highest priority when managing risk. Questions to consider when determining an asset's value/rank: 1) Which information asset is most critical to the overall success of the organization? Example: Amazon's asset ranking. Amazon's network consists of regular desktops and web servers. The web servers that advertise the company's products and receive orders 24/7 are critical. The desktops used by the customer service department are not so critical. Source: Course Technology/Cengage Learning

11 Asset Identification: Asset Ranking
2) Which information asset generates the most revenue? 3) Which information asset generates the highest profitability? Example: Amazon's asset ranking. At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit). Source: Course Technology/Cengage Learning

12 Importance of Assets Example: Weighted asset ranking (NIST SP 800-30)
Not all asset-ranking questions/categories are equally important to the company. A weighting scheme can be used to account for this: each criterion gets a weight, every asset is scored against each criterion, and the asset's rank is the sum of weight times score.
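The weighted ranking described above, as an added example that is not part of the slides. The three criteria mirror the three ranking questions on the previous slides; the weights (which total 100), the asset names and their 0.1–1.0 scores are assumed figures modelled on the Amazon illustration, not data from the page.

```python
"""Weighted factor analysis for ranking information assets.

Added example (not from the slides). Criteria weights and asset scores
below are assumed figures modelled on the Amazon illustration in the slides.
"""

# Assumed criteria, one per ranking question on the slides. Weights must total 100.
CRITERIA_WEIGHTS = {
    "critical_to_success": 40,
    "revenue": 30,
    "profitability": 30,
}

# Constructed sample assets. Each criterion is scored 0.1 (low) to 1.0 (high).
ASSETS = {
    "Web/order servers": {"critical_to_success": 1.0, "revenue": 0.8, "profitability": 0.6},
    "Book sales servers": {"critical_to_success": 0.7, "revenue": 1.0, "profitability": 0.5},
    "Beauty product servers": {"critical_to_success": 0.5, "revenue": 0.5, "profitability": 1.0},
    "Customer service desktops": {"critical_to_success": 0.3, "revenue": 0.2, "profitability": 0.2},
}


def validate_weights(weights):
    """Reject a weighting scheme with negative weights or weights that do not total 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("criterion weights must be non-negative")
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights must total 100, got {total}")


def weighted_score(scores, weights):
    """Weighted score for one asset: sum of weight * score over every criterion."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for: {sorted(missing)}")
    for criterion, score in scores.items():
        if criterion not in weights:
            raise ValueError(f"unknown criterion {criterion!r}")
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be in 0.1..1.0, got {score}")
    # Round so that float artefacts (0.7 * 40 is not exactly 28) do not disturb ties.
    return round(sum(weights[c] * scores[c] for c in weights), 2)


def rank_assets(assets, weights):
    """Return (asset, weighted score) pairs, highest score first."""
    validate_weights(weights)
    scored = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for position, (name, score) in enumerate(rank_assets(ASSETS, CRITERIA_WEIGHTS), start=1):
        print(f"{position}. {name:<26} {score:>6.1f}")
```

With these figures the order-taking web servers rank first (82) and the customer-service desktops last (24), matching the slides' intuition. The point of the validation is that the weights are a decision the organization must make explicitly and once; a worksheet whose weights quietly drift away from 100 produces rankings that cannot be compared across assessments.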

13 Risk Terminology

14 Threat Identification

15 Threat Identification (cont’d.)
Research was conducted to find the main threats facing organizations. Here are the top 12 (weighted score: each CIO's top threat received 5 points, the next 4, and so on). Source: Adapted from M. E. Whitman, "Enemy at the gates: Threats to information security," Communications of the ACM, August 2003. Reprinted with permission. Weighted ranks of threats to information security

16 Risk Terminology
Two steps: risk assessment, then risk treatment.

17 Vulnerability Assessment
Table 8-4 Vulnerability assessment of a DMZ router Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

18 Vulnerability Assessment
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

19 Vulnerability Assessment
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

20 The TVA Worksheet Table 8-5 Sample TVA spreadsheet
Source: Course Technology/Cengage Learning

21 Risk Terminology

22 Introduction to Risk Assessment
The goal is to create a method to evaluate the relative risk of each listed vulnerability Figure 8-3 Risk identification estimate factors Source: Course Technology/Cengage Learning

23 Risk Determination – Example 1
Asset A has a value of 50 and one vulnerability, which has a likelihood of 1.0 and no current controls. Your assumptions and data are 90% accurate.

24 Risk Determination – Example 2
Asset B has a value of 100 and two vulnerabilities: vulnerability #2 has a likelihood of 0.5 and a current control that addresses 50% of its risk; vulnerability #3 has a likelihood of 0.1 and no current controls. Your assumptions and data are 80% accurate.

25 Which asset/vulnerability to deal with first?
Rank your findings by asset/vulnerability pair; the pairs with the largest risk rating are typically ranked highest and treated first.
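The two risk-determination examples and the ranking step above, worked through as an added example that is not part of the slides. Figure 8-3 is cited but not reproduced in the transcript; the formula used here is the one that figure presents in Whitman and Mattord's Management of Information Security: risk = (likelihood × asset value), minus the share of that product mitigated by current controls, plus the share of it left uncertain by imperfect data. The Asset and Vulnerability classes and their field names are this example's own.

```python
"""Risk determination for the two slide examples.

Added example (not from the slides). The formula is the one in Figure 8-3 of
Whitman and Mattord's Management of Information Security:

    risk = (likelihood x asset value)
           - (fraction of that product mitigated by current controls)
           + (fraction of that product left uncertain by imperfect data)

The Asset/Vulnerability classes and their field names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    likelihood: float        # 0.1 (unlikely) .. 1.0 (near-certain) that it is exploited
    control_coverage: float  # fraction of the risk addressed by existing controls, 0.0 .. 1.0


@dataclass
class Asset:
    name: str
    value: float             # relative worth, here on the slides' 0-100 scale
    data_accuracy: float     # confidence in the inputs, e.g. 0.9 for "90% accurate"
    vulnerabilities: list = field(default_factory=list)


def risk_rating(asset, vuln):
    """Relative risk rating of one asset/vulnerability pair (a ranking number, not a monetary loss)."""
    if not 0.1 <= vuln.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range: {vuln.likelihood}")
    if not 0.0 <= vuln.control_coverage <= 1.0:
        raise ValueError(f"control coverage out of range: {vuln.control_coverage}")
    if not 0.0 < asset.data_accuracy <= 1.0:
        raise ValueError(f"data accuracy out of range: {asset.data_accuracy}")
    base = asset.value * vuln.likelihood
    mitigated = base * vuln.control_coverage           # what current controls already take away
    uncertainty = base * (1.0 - asset.data_accuracy)   # penalty for not fully trusting the inputs
    return round(base - mitigated + uncertainty, 2)


def rank_findings(assets):
    """All (asset, vulnerability, rating) triples, largest rating first: the order to treat them in."""
    findings = [(a.name, v.name, risk_rating(a, v)) for a in assets for v in a.vulnerabilities]
    return sorted(findings, key=lambda f: f[2], reverse=True)


# The two examples from the slides (Asset A with 90% accurate data, Asset B with 80%).
EXAMPLE_ASSETS = [
    Asset("Asset A", value=50, data_accuracy=0.9,
          vulnerabilities=[Vulnerability("Vulnerability 1", likelihood=1.0, control_coverage=0.0)]),
    Asset("Asset B", value=100, data_accuracy=0.8,
          vulnerabilities=[Vulnerability("Vulnerability 2", likelihood=0.5, control_coverage=0.5),
                           Vulnerability("Vulnerability 3", likelihood=0.1, control_coverage=0.0)]),
]

if __name__ == "__main__":
    for asset_name, vuln_name, rating in rank_findings(EXAMPLE_ASSETS):
        print(f"{asset_name} / {vuln_name}: {rating}")
```

Running it ranks Asset A / vulnerability 1 first at 55 (50 × 1.0, nothing mitigated, plus 10% uncertainty), then Asset B / vulnerability 2 at 35 (50, minus the 25 the control covers, plus 20% uncertainty) and Asset B / vulnerability 3 at 12. Note that the uncertainty term only ever adds to a rating: the less you trust the data behind an asset, the higher its vulnerabilities climb the list, which is the conservative direction for a prioritisation that decides what gets treated first.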

26 Qualitative Risk Assessment

27 Example of Qualitative Risk Assessment
Threat | Impact | Initial probability | Countermeasure | Residual probability
Flood damage | H | L | Water alarms | (not shown in transcript)
Theft | (not shown in transcript) | (not shown in transcript) | Key cards, surveillance, guards | (not shown in transcript)
Logical intrusion | M (the transcript does not show which rating column this belongs to) | | Intrusion prevention system | (not shown in transcript)


