A Practical Introduction to Cyber Security Risk Management
Jim Purcell, IT Audit Manager – UT System
THEITS 2017
Roadmap
Understanding Risk
How to Perform a Simple Risk Assessment
Risk Assessment Case Study
Understanding Risk
Business, Strategy, & Risk
These three concepts definitively walk hand-in-hand:
Businesses are run via strategies
Strategies define & inspire business operations
Risk appetite & culture help to influence strategies
The three are a team; to understand which controls are appropriate for an organization, the interaction between these concepts must be understood
Why Manage Risk?
Organizations have limited financial resources
Organizations have limited personnel resources
Therefore organizations must prioritize their security defenses
Risk management allows organizations to:
Prioritize / focus their limited financial & personnel resources
Prioritize / focus defensive controls with the best return
Determine which controls are not feasible in the short / long term
Measure themselves for ongoing management & compliance
Business Purpose of Risk Management
Risk management allows businesses to accomplish the following objectives:
Link business goals with assurance goals
Place control decisions in the hands of business owners
Determine where control deficiencies exist
Prioritize where to implement additional controls
Identify control categories with insufficient controls
Assist the decision-making process for acquiring additional controls
Example of Risk in Real Life
In real life we live with risk every day. For example, in real life it is risky:
To cross the street
To take an airplane to a conference
To eat lunch in an unknown restaurant
To exercise & engage in athletics
To not exercise & not engage in athletics
To sign up for a mortgage on a home
Example of Risk in Business
In addition, it is also risky to engage in business activities. For example, in business it is risky:
To spend money to open a business
To sign a contract to perform services
To sell products to consumers
To hire a new employee or contractor
To engage with a new vendor or service provider
To use technology!!
Elements of Risk
Threats
Vulnerabilities
Impact/Cost
Asset Value (Criticality)
Likelihood
RISK = Threat x Vulnerability x Impact (Value, Likelihood)
Threat – Defined
NIST (800-30) defines a threat as:
“The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
And a threat-source as:
“Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”
Vulnerability – Defined
In addition, NIST (800-30) defines a vulnerability as:
“A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
Asset Value (Criticality) – Defined
Enclave definition of asset value / criticality:
“The perceived or actual value of an information asset. This value can be reflected as either a financial metric (hard) or as a relative expression of worth (soft).”
Likelihood – Defined
Encarta online definition of likelihood (in risk terms):
Degree of probability: the chance of something happening
Probable event: something that is likely to happen
Risk “Equation”
RISK = Threat x Vulnerability x Impact (Value, Likelihood)
Malware example:
Threat = High (not much we can do about that)
Vulnerability = ??? (What controls do we have in place? Need more?)
Impact = ??? (Value? – at least $300. Impact? – my laptop or the CFO’s?)
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO)
Justify your INFOSEC budget… $300 SLE x 100,000 (ARO) malware blocked = $30,000,000 ALE!!!
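As an added example (not from the slides), the SLE/ALE arithmetic from this slide carried one step further than the deck does: comparing ALE before and after a control to decide whether the control pays for itself on a given asset. The slide's $300 / 100,000 figures are reproduced; the laptop values, exposure factors, incident rates and control cost are constructed assumptions.

```python
# Added example (not from the slides): SLE/ALE arithmetic plus the control
# cost/benefit comparison it feeds. All dollar figures below are constructed.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, where EF is the fraction of the asset's value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro

def control_value(ale_before, ale_after, annual_control_cost):
    """Yearly value of a control = loss it avoids minus what it costs.
    (Beyond the slide: the usual ALE-based cost/benefit check; a negative
    result means the control is not justified by this asset alone.)"""
    return (ale_before - ale_after) - annual_control_cost

def slide_malware_budget():
    """The slide's numbers: $300 per blocked malware incident, 100,000 blocked per year."""
    sle = single_loss_expectancy(asset_value=300.0, exposure_factor=1.0)
    return annualized_loss_expectancy(sle, aro=100_000)

def laptop_control_decision(annual_control_cost=500.0, aro_before=1.0, aro_after=0.1):
    """'My laptop or the CFO's?': same threat and same control, different asset value.
    Constructed values: a standard laptop is $1,500 of hardware with EF 0.2; the CFO's
    laptop is valued at $200,000 including the data on it, with EF 0.5."""
    decisions = {}
    for name, av, ef in (("standard laptop", 1_500.0, 0.2), ("CFO laptop", 200_000.0, 0.5)):
        sle = single_loss_expectancy(av, ef)
        before = annualized_loss_expectancy(sle, aro_before)
        after = annualized_loss_expectancy(sle, aro_after)
        value = control_value(before, after, annual_control_cost)
        decisions[name] = {"sle": sle, "ale_before": before, "ale_after": after,
                           "control_value": value, "justified": value > 0}
    return decisions
```

With these assumptions the same $500/year control is not justified by a standard laptop alone but clearly is for the CFO's, which is the point the slide's "my laptop or CFO's?" question is making.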
How to Perform a Simple Risk Assessment
Risk Management vs. Risk Assessment
Risk management implies a long-term or continuous effort to manage risk in an organization
Risk assessment implies a short-term or one-time event to assess the current state of risk in an organization
Risk assessment includes:
Evaluating assets & potential risks to those assets
Risk management includes:
Implementing compensating controls
Monitoring control implementation
Simple Risk Management Process
Obtain senior executive support
Define risk management / assessment methodologies
Perform a risk assessment
Document a risk remediation plan
Implement additional controls (from remediation plan)
Monitor implementation of controls
Repeat the process
Steps in a Simple Risk Assessment
1. Perform an asset inventory
2. Assign a data owner to each asset
3. Assign a data custodian to each asset
4. Assign value to each asset (criticality)
5. Determine the level of threat facing each system
6. Determine the level of vulnerability inherent in each system
7. Determine the likelihood of threats exploiting vulnerabilities
8. Establish levels of residual risk
9. Make a business decision regarding each residual risk
Step #1: Perform Asset Inventory
The first step in this process is to perform a thorough data asset inventory
Both hardware & information assets should be inventoried (with information being the focus)
A good starting point is to inventory all network shares & databases running on the network
Steps #2-3: Data Owner & Custodian
Once a comprehensive list of data assets has been identified, a data owner & data custodian need to be associated with each asset
These generally should be actual people’s names (not job roles or responsibilities)
These people should be aware that they are assuming this role for a data set
Step #4: Assign Asset Value (Criticality)
With a list of assets, owners, & custodians in place, asset values or criticalities should be defined next
This value should be determined by the data owner & the data custodian together
This value should also indicate which controls are applied to the asset (via policy documentation)
Values for this information are generally subjective & noted in relative terms
I.e. Highly critical, critical, medium, low (or some similar, subjective rating system)
Step #5: Assign Threat Levels
The next step is to give a subjective value as to the level of threats facing a particular system
These threats are anything with the potential to cause loss or harm to the system
Data owners / custodians should assign a value within a pre-determined range of threat values
I.e. Very high, high, medium, low
Oftentimes there is value in taking a team approach to this score to get as many inputs as possible
Sample Threat Model: Open Threat Taxonomy
Maintained by Enclave Security and distributed by the Center for Internet Security
Hundreds of organizations have contributed
One of the latest efforts is the release of a community threat model, the Open Threat Taxonomy (v1.1), which will be used to document and prioritize threats
OTT will be used to define threats to define controls
Will help standardize risk assessments, making one less paperwork step for organizations to complete
Microsoft STRIDE/DREAD
THREATS (STRIDE)
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
IMPACTS (DREAD)
Damage potential: How great is the damage if the vulnerability is exploited?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How easy is it to launch an attack?
Affected users: As a rough percentage, how many users are affected?
Discoverability: How easy is it to find the vulnerability?
Step #6: Assign Vulnerability Levels
Next the organization should assign a vulnerability rating to the perceived weaknesses of a system
Data owners / custodians should assign a value within a pre-determined range of values
I.e. Very high, high, medium, low
One approach here as well is to take a team-based approach to determining the score
In addition, values from vulnerability management systems could be taken into account
Step #7: Assign Likelihood of Exploitation
The next value to be determined is the likelihood that the weaknesses on a particular system will be exploited
Data owners / custodians should assign a value within a pre-determined range of values
I.e. Very high, high, medium, low
Like many of the other ratings, this can be a subjective value, so consistency is the key
Verizon Data Breach Investigations Report
Privacy Rights Clearinghouse
Step #8: Evaluate Residual Risk Levels
The last score documented should therefore be residual risk levels
This score should be the result of a formula which takes the previous scores as inputs to determine the results
Ultimately this score will indicate the perceived level of risk facing a given data set
Example Risk Assessment
(leave me your and I will send you complete example)
Step #9: Define an Appropriate Response
Once a risk assessment is performed, an organization must decide the appropriate response
Potential responses to risk are to:
Ignore the risk
Accept the risk
Mitigate the risk
Remediate the risk
Transfer the risk
Balancing Multiple Responses
Organizations often will engage in different responses depending on the risk identified
For some risks it makes sense to mitigate
For other risks it makes sense to accept the risk
For others still, it makes sense to transfer the risk
A risk register (matrix) would make sense to track system risks, acceptable levels, and compensating controls
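As an added example (not from the slides), a minimal risk register that covers Steps #4-#8 and this slide together: it takes the owner/custodian ratings, rejects anything outside the pre-determined range (the "consistency is the key" point), computes a residual score with the deck's RISK = Threat x Vulnerability x Impact formula, and flags each asset whose score exceeds the level the owner agreed to accept. The numeric scale, the band cut-offs, the people and the sample assets are all constructed assumptions.

```python
# Added example (not from the slides): ordinal ratings from Steps #4-#8 -> residual
# score -> comparison against the owner's acceptable level. Scales, cut-offs and
# register rows are assumptions, not the presenter's own method.
RATING = {"low": 1, "medium": 2, "high": 3, "very high": 4}        # threat / vuln / likelihood
CRITICALITY = {"low": 1, "medium": 2, "critical": 3, "highly critical": 4}
RESPONSES = {"ignore", "accept", "mitigate", "remediate", "transfer"}  # the slide's options

def score(label, scale):
    """Reject ratings outside the pre-determined range so scoring stays consistent."""
    key = label.strip().lower()
    if key not in scale:
        raise ValueError(f"rating {label!r} not in {sorted(scale)}")
    return scale[key]

def residual_risk(threat, vulnerability, criticality, likelihood):
    """RISK = Threat x Vulnerability x Impact, with Impact = Value x Likelihood (1..256)."""
    return (score(threat, RATING) * score(vulnerability, RATING)
            * score(criticality, CRITICALITY) * score(likelihood, RATING))

def band(risk):
    """Assumed cut-offs that map the 1..256 product back onto the four labels."""
    for floor, label in ((81, "very high"), (27, "high"), (8, "medium")):
        if risk >= floor:
            return label
    return "low"

def evaluate(entry):
    """One register row: score it and flag whether it exceeds the accepted level."""
    if entry["response"] not in RESPONSES:
        raise ValueError(f"unknown response {entry['response']!r}")
    risk = residual_risk(entry["threat"], entry["vulnerability"],
                         entry["criticality"], entry["likelihood"])
    level = band(risk)
    return {"asset": entry["asset"], "score": risk, "band": level,
            "exceeds_acceptable": score(level, RATING) > score(entry["acceptable"], RATING),
            "response": entry["response"], "controls": entry.get("controls", [])}

def sample_register():
    """Constructed rows; people, ratings and controls are illustrative only."""
    rows = [
        {"asset": "HR payroll share", "owner": "A. Person", "custodian": "B. Person",
         "threat": "high", "vulnerability": "medium", "criticality": "highly critical",
         "likelihood": "medium", "acceptable": "medium", "response": "mitigate",
         "controls": ["share ACL review", "offline backup"]},
        {"asset": "Cafeteria menu page", "owner": "C. Person", "custodian": "D. Person",
         "threat": "medium", "vulnerability": "medium", "criticality": "low",
         "likelihood": "low", "acceptable": "low", "response": "accept"},
    ]
    return [evaluate(row) for row in rows]
```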
Risk Assessment Case Study
Cyber Security Evaluation Tool (CSET)
Created by the Department of Homeland Security National Cyber Security Division (NCSD) & NIST
Meant to be a “systematic & repeatable” process for performing risk assessments
Questionnaire-based approach to risk assessment
Relies on pre-populated information assurance standards templates
Produces professionally designed risk reports for business owners & executives
Home page:
Resources
Cyber Security Evaluation Tool (CSET)
The Open Threat Taxonomy
Threat Modeling
Verizon's 2016 Data Breach Investigations Report - lab/dbir/2016/
Privacy Rights Clearinghouse
Common Attack Pattern Enumeration and Classification (CAPEC™)
OGRCM3 - Open Governance, Risk and Compliance Maturity Management Methodology
CIS Critical Security Controls
Cloud Security Alliance
Shared Assessments
SANS MGT415: A Practical Introduction to Cyber Security Risk Management