RISK MANAGEMENT An Overview: NIPC Model


1 RISK MANAGEMENT An Overview: NIPC Model
IT Security Workshop for Higher Education April 2, 2004

2 Movement from Risk Avoidance to Risk Management
- Risk Avoidance Model: focus on preventing loss or damage without reference to the degree of risk
- Risk Management: systematic and analytical process by which an organization identifies, reduces, and controls its potential risks and losses
9/22/2018 4-2-04, SB

3 What are some drivers?
- IT is intertwined and interdependent with critical institutional business processes
- Regulatory Imperatives: state and federal (GLB, FERPA, HIPAA, SOX, ECPA, CFAA, USA Patriot Act, Teach Act, etc.)
- Pace of Technological Change: centuries, decades (automobiles), now continuous
- Increasing sophistication of attack methods and attackers
- Enabling the integration and managing the risks of introducing emerging technologies

4 What is risk?
- Risk is a function of: assets, threats, and vulnerabilities
- Risk is the potential for an unwanted event to occur
- The higher the probability and the greater the consequences, the greater the risk
Stakeholder Influence: balance stakeholder influence, expectations, and participation (IT management, HR management, VP Finance / Budget Priorities, Academic Priorities, Functional Management)

5 Risk Management Approaches
- Due Diligence Process
- Probabilistic Risk Assessment
- Expert-facilitated Risk Assessment
- Scenario-based Risk Assessment
- Game Theory Approaches
- Systems Analysis
- High-level Business Impact Analysis / Protection Posture Assessments

6 Risk Analysis Terms
- Threat: capability and intention of an adversary to take actions that are detrimental to an organization
- Vulnerability: any weakness in a control or a countermeasure that can be exploited by an adversary
- Asset: anything of value such as people, information, hardware, software, facilities, reputation, activities, and operations

7 Reassessing Risk and Risk Management Decisions
- High-Threat, High-Consequence: almost continuous assessment with weekly updates to top management
- Medium-Threat, Medium-Consequence: 3- to 9-month reassessment with quarterly updates to top management
- Low-Threat, Medium-Consequence: annual reassessment and annual updates to top management

8 Some Common Errors in Risk Management
- Too much trust in existing systems and protection
- Downplaying insider and B2B threats
- Lack of attention to business risks
- Underestimating interdependencies and complexities
- Misinterpretation of statistical data
- Underestimating the impact of incremental changes
- Adopting a reactive approach to risk management

9 A Five Step Risk Assessment Model - NIPC
- Asset assessment
- Threat assessment
- Vulnerability assessment
- Risk assessment: Risk = Consequence X (Threat X Vulnerability)
- Countermeasures or controls identification
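The five steps on slide 9, the reassessment cadence on slide 7 and the asset/threat/vulnerability pairs on slides 11 and 12, carried through as an added worked example in Python. This is not code from the presentation or from NIPC; the 1/3/5 ordinal scale, the ratings assigned to each sample item, and the assumption that a countermeasure lowers only the vulnerability factor are this example's own.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed ordinal scale for consequence, threat and vulnerability.
# Assumption: the deck gives no numeric scale, so 1/3/5 is used here.
LOW, MEDIUM, HIGH = 1, 3, 5


@dataclass(frozen=True)
class RiskItem:
    """One asset/threat/vulnerability triple (steps 1-3 of the NIPC model)."""
    asset: str
    threat: str          # capability and intention of an adversary (slide 6)
    vulnerability: str   # exploitable weakness in a control (slide 6)
    consequence: int     # loss if the unwanted event occurs
    threat_level: int
    vuln_level: int


def risk_score(item: RiskItem) -> int:
    """Step 4: Risk = Consequence x (Threat x Vulnerability), as on slide 9."""
    return item.consequence * (item.threat_level * item.vuln_level)


def rank_by_risk(items: List[RiskItem]) -> List[Tuple[str, int]]:
    """Order the register by score so control effort goes to the top first."""
    return sorted(((i.asset, risk_score(i)) for i in items),
                  key=lambda pair: pair[1], reverse=True)


# Slide 7 reassessment cadence, keyed on (threat level, consequence level).
# Only the three combinations the slide names are defined; others return None.
REASSESSMENT = {
    (HIGH, HIGH): "almost continuous; weekly updates to top management",
    (MEDIUM, MEDIUM): "3 to 9-month reassessment; quarterly updates to top management",
    (LOW, MEDIUM): "annual reassessment; annual updates to top management",
}


def reassessment_cadence(item: RiskItem) -> Optional[str]:
    return REASSESSMENT.get((item.threat_level, item.consequence))


def apply_countermeasure(item: RiskItem, new_vuln_level: int) -> RiskItem:
    """Step 5: a control lowers the vulnerability factor. Assumption: threat
    and consequence are outside the organisation's direct control."""
    return replace(item, vuln_level=new_vuln_level)


# Constructed sample register using the asset/threat/vulnerability examples
# from slides 11 and 12; the ratings are assumptions for illustration.
REGISTER = [
    RiskItem("File servers", "DOS attack", "Ineffective patch management",
             consequence=HIGH, threat_level=HIGH, vuln_level=HIGH),
    RiskItem("Student data", "Unauthorized insider access", "Unchecked 3rd party",
             consequence=MEDIUM, threat_level=MEDIUM, vuln_level=HIGH),
    RiskItem("Key personnel", "Injury, death", "No access controls",
             consequence=MEDIUM, threat_level=LOW, vuln_level=MEDIUM),
    RiskItem("Production facility", "Natural disaster", "Weak physical access controls",
             consequence=HIGH, threat_level=LOW, vuln_level=LOW),
]


def residual_risk_report(items=REGISTER):
    """Run the five steps over the register: score before and after an
    assumed countermeasure (vulnerability brought down to LOW) plus the
    slide 7 cadence, keyed by asset."""
    report = {}
    for item in items:
        before = risk_score(item)
        after = risk_score(apply_countermeasure(item, LOW))
        report[item.asset] = (before, after, reassessment_cadence(item))
    return report


if __name__ == "__main__":
    for asset, score in rank_by_risk(REGISTER):
        print(f"{score:4d}  {asset}")
    for asset, (before, after, cadence) in residual_risk_report().items():
        print(f"{asset}: {before} -> {after}; cadence: {cadence or 'not defined on slide 7'}")
```

The production facility item deliberately lands on a (Low-Threat, High-Consequence) combination that slide 7 does not define, so `reassessment_cadence` returns `None` there; a real register needs a cadence for every cell of the threat/consequence grid, not only the three the slide lists.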

10 Risk Assessment - OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Eight Processes
- Organizational and Technological Views

11 Risk Assessment Threat Examples (asset: threat)
- Key personnel: injury, death
- File Servers: DOS attack
- Student data: unauthorized insider access
- Production facility: natural disaster

12 Risk Assessment Vulnerability Examples (asset: vulnerability)
- Key personnel: no access controls
- File Servers: ineffective patch management
- Student data: unchecked 3rd party
- Production facility: weak physical access controls

13 What are some benefits?
- Cost Justification
- Enhanced Productivity
- Self Analysis: Organizational Integration
- Targeted Security
- Increased Security Awareness
- Baseline Security and Policy Consistency
- Communication

14 References / Contact Information
- "Risk Management: An Essential Guide to Protecting Critical Assets", NIPC, 11/2002
