
Security Risk Management Steve Lamb Technical Security Advisor


1 Security Risk Management
Steve Lamb, Technical Security Advisor
http://blogs.msdn.com/steve_lamb
stephlam@microsoft.com

2 Session Prerequisites
- Basic understanding of network security fundamentals
- Basic understanding of security risk management concepts
Level 300

3 Target Audience
This session is primarily intended for:
- Systems architects and planners
- Members of the information security team
- Security and IT auditors
- Senior executives, business analysts, and business decision makers
- Consultants and partners

4 Methodology
The content of this presentation is based upon Microsoft’s “Security Risk Management Guide”, which is available for free download from the following URL:
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx

5 Session Overview
- Security Risk Management Concepts
- Identifying Security Risk Management Prerequisites
- Assessing Risk
- Conducting Decision Support
- Implementing Controls and Measuring Program Effectiveness

6 Security Risk Management Concepts (section divider; agenda as on slide 5)

7 Goals of Microsoft's Security Risk Management Guide
- Moving customers to a proactive security posture and freeing them from a reactive, frustrating process
- Making security measurable by showing the value of security projects
- Helping customers to efficiently mitigate the largest risks in their environments rather than applying scarce resources to all possible risks

8 Why Develop a Security Risk Management Process?
Developing a formal security risk management process can address the following:
- Threat response time
- Regulatory compliance
- Infrastructure management costs
- Risk prioritization and management
Security risk management: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization

9 Identifying Success Factors That Are Critical to Security Risk Management
Key factors to implementing a successful security risk management program include:
- An atmosphere of open communication and teamwork
- Organizational maturity in terms of risk management
- Executive sponsorship
- Well-defined list of risk management stakeholders
- A holistic view of the organization
- Security risk management team authority

10 Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
- Proactive approach: a process that reduces the risk of new vulnerabilities in your organization
- Reactive approach: a process that responds to security events as they occur

11 Comparing Approaches to Risk Prioritization
Approach: Quantitative
  Benefits:
  - Risks prioritized by financial impact; assets prioritized by their financial values
  - Results facilitate management of risk by return on security investment
  - Results can be expressed in management-specific terminology
  Drawbacks:
  - Impact values assigned to risks are based upon subjective opinions of the participants
  - Very time-consuming
  - Can be extremely costly
Approach: Qualitative
  Benefits:
  - Enables visibility and understanding of risk ranking
  - Easier to reach consensus
  - Not necessary to quantify threat frequency
  - Not necessary to determine financial values of assets
  Drawbacks:
  - Insufficient granularity between important risks
  - Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
  - Results dependent upon the quality of the risk management team that is created

12 Introducing the Microsoft Security Risk Management Process
The process has four phases:
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

13 Identifying Security Risk Management Prerequisites (section divider; agenda as on slide 5)

14 Risk Management vs. Risk Assessment
              Risk Management                                    Risk Assessment
Goal          Manage risks across business to acceptable level  Identify and prioritize risks
Cycle         Overall program across all four phases            Single phase of risk management program
Schedule      Scheduled activity                                Continuous activity
Alignment     Aligned with budgeting cycles                     Not applicable

15 Communicating Risk
A well-formed risk statement contains:
- Asset: what are you trying to protect?
- Threat: what are you afraid of happening?
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Probability: how likely is the threat given the controls?
- Impact: what is the impact to the business?

16 Determining Your Organization’s Risk Management Maturity Level
Publications to help you determine your organization’s risk management maturity level include:
- ISO Code of Practice for Information Security Management (ISO 17799), International Standards Organization
- Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
- Security Self-Assessment Guide for Information Technology Systems (SP 800-26), National Institute of Standards and Technology

17 Performing a Risk Management Maturity Self-Assessment
Level   State
0       Non-existent
1       Ad hoc
2       Repeatable
3       Defined process
4       Managed
5       Optimized

18 Defining Roles and Responsibilities
Roles:
- Executive Sponsor: “What's important?”
- Information Security Group: “Prioritize risks”
- IT Group: “Best control solution”
Responsibilities covered by these roles:
- Operate and support security solutions
- Design and build security solutions
- Define security requirements
- Assess risks
- Determine acceptable risk
- Measure security solutions

19 Assessing Risk (section divider; agenda as on slide 5)

20 Overview of the Assessing Risk Phase
Phase 1 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its steps:
- Plan risk data gathering
- Gather risk data
- Prioritize risks

21 Understanding the Planning Step
The primary tasks in the planning step include the following:
- Alignment
- Scoping
- Stakeholder acceptance
- Setting expectations

22 Understanding Facilitated Data Gathering
Keys to successful data gathering include:
- Meet collaboratively with stakeholders
- Build support
- Understand the difference between discussing and interrogating
- Build goodwill
- Be prepared
Elements collected during facilitated data gathering include:
- Organizational assets
- Asset description
- Security threats
- Vulnerabilities
- Current control environment
- Proposed controls

23 Identifying and Classifying Assets
An asset is anything of value to the organization and can be classified as one of the following:
- High business impact
- Moderate business impact
- Low business impact

24 Organizing Risk Information
Use the following questions as an agenda during facilitated discussions:
- What asset are you protecting?
- How valuable is the asset to the organization?
- What are you trying to avoid happening to the asset?
- How might loss or exposures occur?
- What is the extent of potential exposure to the asset?
- What are you doing today to reduce the probability or the extent of damage to the asset?
- What are some actions that you can take to reduce the probability in the future?

25 Estimating Asset Exposure
Exposure: the extent of potential damage to an asset. Use the following guidelines to estimate asset exposure:
- Low exposure: minor or no loss
- Medium exposure: limited or moderate loss
- High exposure: severe or complete loss of the asset

26 Estimating Probability of Threats
Use the following guidelines to estimate probability for each threat and vulnerability identified:
- Low threat: not probable; impact not expected to occur within three years
- Medium threat: probable; impact expected within two to three years
- High threat: likely; one or more impacts expected within one year

27 Facilitating Risk Discussions
The facilitated risk discussion meeting is divided into the following sections:
1. Determining Organizational Assets and Scenarios
2. Identifying Threats
3. Identifying Vulnerabilities
4. Estimating Asset Exposure
5. Estimating Probability of Exploit and Identifying Existing Controls
6. Meeting Summary and Next Steps

28 Walk-through Scenario 1: Facilitating Risk Discussions
Facilitating a risk discussion meeting for Woodgrove Bank

29 Scenario 1: Facilitating a Risk Discussion at Woodgrove Bank
Woodgrove Bank is a consumer financial institution in the process of conducting a Security Risk Management project.
Task 1: Determining Organizational Assets and Scenarios
- Interest Calculation Systems
- Customer Personally Identifiable Information
- Reputation
=> Consumer financial data: High Business Impact (HBI)
Task 2: Identifying Threats
- Threat of a loss of integrity to consumer financial data
Task 3: Identifying Vulnerabilities
- Theft of financial advisor credentials by trusted employee abuse using non-technical attacks, for example, social engineering or eavesdropping
- Theft of financial advisor credentials off local area network (LAN) hosts through the use of outdated security configurations
- Theft of financial advisor credentials off remote, or mobile, hosts as a result of outdated security configurations
Task 4: Estimating Asset Exposure
- Breach of integrity through trusted employee abuse: damaging but not severe. Each financial advisor can only access customer data that he or she manages.
- Breach of integrity through credential theft on LAN hosts: may result in a severe, or high, level of damage.
- Breach of integrity through credential theft on mobile hosts: could have a severe, or high, level of damage. The discussion group notes that the security configurations on remote hosts often lag behind LAN systems.
Task 5: Identifying Existing Controls and Probability of Exploit
- Agreement that their remote hosts, or mobile hosts, do not receive the same level of management as those on the LAN.
Task 6: Summarizing the Risk Discussion
- The Risk Assessment Facilitator summarizes the discussion and highlights the assets, threats, and vulnerabilities discussed.

30 Defining Impact Statements
Impact data includes the following information (the fields of the impact statement worked through on slide 32): asset name, asset class, DiD level, threat description, vulnerability description, exposure rating and impact rating. DiD = Defence in Depth layer.

31 Walk-through Scenario 2: Defining Impact Statements
Defining an impact statement for Woodgrove Bank

32 Scenario 2: Defining an Impact Statement for Woodgrove Bank
Columns: Asset Name | Asset Class | DiD Level | Threat Description | Vulnerability Description | ER (H, M, L) | IR (H, M, L)
Row 1: Consumer financial investment data | High Business Impact | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials of managed LAN client via outdated security configurations | H | H
Row 2: Consumer financial investment data | High Business Impact | Host | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials off managed remote client via outdated security configurations | H | H
Row 3: Consumer financial investment data | High Business Impact | Data | Unauthorized access to consumer data through theft of Financial Advisor credentials | Theft of credentials by trusted employee abuse, via non-technical attacks | L | M
DiD = Defence in Depth, ER = Exposure Rating, IR = Impact Rating; H, M, L = High, Medium, Low

33 Understanding Risk Prioritization
Flow: start risk prioritization -> conduct summary-level risk prioritization -> conduct detailed-level risk prioritization -> review with stakeholders -> end of risk prioritization

34 Conducting Summary-Level Risk Prioritization
The summary-level prioritization process includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders
Summary-level probability scale:
- High: likely; one or more impacts expected within one year
- Medium: probable; impact expected within two to three years
- Low: not probable; impact not expected to occur within three years

35 Walk-through Scenario 3: Conducting Summary-Level Risk Prioritization
Conducting a summary-level risk prioritization for Woodgrove Bank

36 Scenario 3: Summary-Level Risk Prioritization at Woodgrove Bank
Task 1: Determine Impact Level
- Trusted Employee Theft Impact: High Business Impact (HBI) asset class * Low Exposure = Moderate Impact
- LAN Host Compromise Impact: HBI asset class * High Exposure = High Impact
- Remote Host Compromise Impact: HBI asset class * High Exposure = High Impact
Task 2: Estimate Summary-Level Probability
- Trusted Employee Theft Probability: Low
- LAN Host Compromise Probability: Medium
- Remote Host Compromise Probability: High
Task 3: Complete the Summary-Level Risk List
- Trusted Employee Theft Risk: Moderate Impact * Low Probability = Low
- LAN Host Compromise Risk: High Impact * Medium Probability = High
- Remote Host Compromise Risk: High Impact * High Probability = High
- Enter the results in the Impact Statement spreadsheet
Task 4: Review With Stakeholders
- Trusted Employee abuse risk is rated as Low in the summary-level risk list and does not need to graduate to the detailed-level risk prioritization step
- LAN and remote host compromise risks are both rated as High and so are then prioritized at the detailed level

37 Conducting Detailed-Level Risk Prioritization
The following four tasks outline the process to build a detailed-level list of risks:
1. Determine impact and exposure
2. Identify current controls
3. Determine probability of impact
4. Determine detailed risk level
Use the Detailed-Level Risk Prioritization template (SRJA3-Detailed Level Risk Prioritization.xls)

38 Walk-through Scenario 4: Conducting Detailed-Level Risk Prioritization
Conducting a detailed-level risk prioritization for Woodgrove Bank

39 Scenario 4: Detailed-Level Risk Prioritization at Woodgrove Bank
Task 1: Determine Impact and Exposure
- LAN Host Compromise: Exposure Rating 4 (80%); High Business Impact (HBI) = 10; Impact Rating: 10 * 80% = 8
- Remote Host Compromise: Exposure Rating 4 (80%); HBI = 10; Impact Rating: 10 * 80% = 8
- Impact range between 7 and 10 compares to High
Task 2: Identify Current Controls
- Financial Advisors can only access accounts they own; thus, the exposure is less than 100 percent.
- E-mail notices to patch or update hosts are proactively sent to all users.
- Antivirus and patch updates are measured and enforced on the LAN every few hours. This control reduces the time window when LAN hosts are vulnerable to attack.
Task 3: Determine Probability of Impact
- LAN and remote hosts: likely that all vulnerability attributes in the High category will be seen inside and outside Woodgrove's LAN environment in the near future. Vulnerability value = 5 for both risks.
- Control effectiveness: LAN: result of control effectiveness questions = 1; Remote: result of control effectiveness questions = 5
- Total probability rating (sum of vulnerability and control effectiveness): LAN: 6; Remote: 10
Task 4: Determine Detailed Risk Level
- Impact Rating * Probability Rating
- LAN: 8 * 6 = 48
- Remote hosts: 8 * 10 = 80
- Both rate an overall risk of High
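The detailed-level arithmetic of Scenario 4 (impact rating = asset class value * exposure factor; probability rating = vulnerability value + control effectiveness; detailed risk = impact rating * probability rating) carried through as a small calculator, as an added example that is not part of the original presentation or of Microsoft's guide. The exposure-rating-to-percentage table is the one from slide 42, the HBI weight of 10 and the "7-10 = High" impact band are from this slide; the MBI and LBI weights, the Medium and Low impact bands, and the 0-5 range for the vulnerability and control-effectiveness scores (inferred from the slide's maximum total of 10) are assumptions.

```python
"""Detailed-level risk prioritization calculator (added example, not from the
Security Risk Management Guide itself).

Formulas as used on slide 39:
    impact_rating      = asset_class_value * exposure_factor
    probability_rating = vulnerability_value + control_effectiveness
    detailed_risk      = impact_rating * probability_rating
"""
from dataclasses import dataclass

# Exposure rating -> exposure factor (slide 42: 5=100%, 4=80%, 3=60%, 2=40%, 1=20%).
EXPOSURE_FACTOR = {5: 1.0, 4: 0.8, 3: 0.6, 2: 0.4, 1: 0.2}

# Asset class weight on a 0-10 scale. HBI = 10 is on slide 39; the MBI and LBI
# weights are NOT given on the slides and are assumed here.
ASSET_CLASS_VALUE = {"HBI": 10, "MBI": 5, "LBI": 2}

# Vulnerability and control-effectiveness scores: assumed 0-5 each, inferred
# from the slide's maximum total probability rating of 10.
SCORE_MIN, SCORE_MAX = 0, 5


@dataclass(frozen=True)
class DetailedRisk:
    name: str
    asset_class: str            # "HBI", "MBI" or "LBI"
    exposure_rating: int        # 1..5
    vulnerability_value: int    # 0..5
    control_effectiveness: int  # 0..5 (higher = weaker current controls)


def validate(risk: DetailedRisk) -> None:
    """Reject inputs outside the scales before any arithmetic is done."""
    if risk.asset_class not in ASSET_CLASS_VALUE:
        raise ValueError(f"unknown asset class {risk.asset_class!r}")
    if risk.exposure_rating not in EXPOSURE_FACTOR:
        raise ValueError(f"exposure rating must be 1..5, got {risk.exposure_rating}")
    for label, score in (("vulnerability", risk.vulnerability_value),
                         ("control effectiveness", risk.control_effectiveness)):
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{label} score must be {SCORE_MIN}..{SCORE_MAX}, got {score}")


def impact_rating(risk: DetailedRisk) -> float:
    """Task 1: asset class value scaled by the exposure factor (0..10)."""
    validate(risk)
    return ASSET_CLASS_VALUE[risk.asset_class] * EXPOSURE_FACTOR[risk.exposure_rating]


def impact_level(rating: float) -> str:
    """7-10 = High is on slide 39; the Medium and Low bands below are assumed."""
    if rating >= 7:
        return "High"
    if rating >= 4:
        return "Medium"  # assumed band
    return "Low"         # assumed band


def probability_rating(risk: DetailedRisk) -> int:
    """Task 3: vulnerability score plus control-effectiveness score (0..10)."""
    validate(risk)
    return risk.vulnerability_value + risk.control_effectiveness


def detailed_risk_score(risk: DetailedRisk) -> float:
    """Task 4: impact rating * probability rating (0..100)."""
    return impact_rating(risk) * probability_rating(risk)


def prioritize(risks: list) -> list:
    """Return (name, score) pairs, highest detailed risk first."""
    scored = [(r.name, detailed_risk_score(r)) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The two Woodgrove Bank risks from the slide (values as stated there).
LAN_HOST = DetailedRisk("LAN host compromise", "HBI", 4, 5, 1)
REMOTE_HOST = DetailedRisk("Remote host compromise", "HBI", 4, 5, 5)

if __name__ == "__main__":
    for name, score in prioritize([LAN_HOST, REMOTE_HOST]):
        print(f"{name}: detailed risk = {score:g}")
```

The validation step matters in practice: a control-effectiveness answer of 7 or an exposure rating of 0 silently skews the product, so the calculator refuses them rather than producing a plausible-looking number.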

40 Quantifying Risk
The following tasks outline the process to determine the quantitative value:
1. Assign a monetary value to each asset class
2. Input the asset value for each risk
3. Produce the single-loss expectancy value (SLE)
4. Determine the annual rate of occurrence (ARO)
5. Determine the annual loss expectancy (ALE)

41 Walk-through Scenario 5: Quantifying Risk
Quantifying risk for Woodgrove Bank

42 Scenario 5: Quantifying Risk for Woodgrove Bank
Task 1: Assign Monetary Values to Asset Classes
- Using the 5% materiality guideline for valuing assets
- Net income: $200 million annually
- HBI asset class: $10 million (200 * 5%)
- MBI asset class: $5 million (based on past spending)
- LBI asset class: $1 million (based on past spending)
Guideline table (High Business Impact value = $M):
  Asset class   Value
  HBI           $M
  MBI           $M / 2
  LBI           $M / 4
  Exposure rating   Exposure factor %
  5                 100
  4                 80
  3                 60
  2                 40
  1                 20
  Estimated risk value = asset class value * exposure factor % = SLE
Task 2: Identify the Asset Value
- Consumer financial data = HBI asset class; HBI = $10 million; asset value = $10 million
Task 3: Produce the Single Loss Expectancy Value (SLE)
  Risk description                   Asset class value   Exposure rating   Exposure value   SLE
  LAN Host Risk ($ in millions)      $10                 4                 80%              $8
  Remote Host Risk ($ in millions)   $10                 4                 80%              $8
Task 4: Determine the Annual Rate of Occurrence (ARO)
- LAN Host ARO: leveraging the qualitative assessment of Medium probability, the Security Risk Management Team estimates the risk to occur at least once in two years; thus, the estimated ARO is 0.5
- Remote Host ARO: leveraging the qualitative assessment of High probability, the Security Risk Management Team estimates the risk to occur at least once per year; thus, the estimated ARO is 1
  Qualitative rating   Description    ARO range      Examples
  High                 Likely         >= 1           Impact once or more per year
  Medium               Probable       0.99 to 0.33   At least once every 1-3 years
  Low                  Not probable   < 0.33         Once in more than 3 years
Task 5: Determine the Annual Loss Expectancy (ALE) (SLE * ARO)
  Risk description                   Asset class value   Exposure rating   Exposure value   SLE   ARO   ALE
  LAN Host Risk ($ in millions)      $10                 4                 80%              $8    0.5   $4
  Remote Host Risk ($ in millions)   $10                 4                 80%              $8    1     $8
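The five quantification tasks of Scenario 5 (asset class values from the 5% materiality guideline, SLE = asset class value * exposure factor, ALE = SLE * ARO) as one worked calculation in Python, an added example that is not code from the original presentation or from Microsoft's guide. The exposure table, the HBI/MBI/LBI default ratios and the qualitative-to-ARO bands are the ones on slide 42; the "< 0.33" lower band is inferred from the Medium range, and the consistency check between the team's numeric ARO and the summary-level qualitative rating is this example's own addition.

```python
"""Quantitative risk (SLE / ARO / ALE) calculator for the slide 42 walkthrough
(added example, not from the Security Risk Management Guide itself).

    asset class value = net income * 5% materiality (HBI); MBI = HBI / 2 and
                        LBI = HBI / 4 by default, overridable with past-spending figures
    SLE = asset class value * exposure factor
    ALE = SLE * ARO
"""
from dataclasses import dataclass
from typing import Optional

# Exposure rating -> exposure factor (slide 42: 5=100%, 4=80%, 3=60%, 2=40%, 1=20%).
EXPOSURE_FACTOR = {5: 1.0, 4: 0.8, 3: 0.6, 2: 0.4, 1: 0.2}


def asset_class_values(net_income_m: float, materiality: float = 0.05,
                       mbi_m: Optional[float] = None,
                       lbi_m: Optional[float] = None) -> dict:
    """Monetary value per asset class, in $ millions (Task 1).

    Woodgrove overrides MBI and LBI with figures based on past spending, which
    is what the optional mbi_m / lbi_m arguments are for.
    """
    hbi = net_income_m * materiality
    return {
        "HBI": hbi,
        "MBI": hbi / 2 if mbi_m is None else mbi_m,
        "LBI": hbi / 4 if lbi_m is None else lbi_m,
    }


def aro_band(aro: float) -> str:
    """Qualitative band for a numeric ARO per the slide's table."""
    if aro < 0:
        raise ValueError(f"ARO cannot be negative, got {aro}")
    if aro >= 1:
        return "High"      # once or more per year
    if aro >= 0.33:
        return "Medium"    # at least once every 1-3 years
    return "Low"           # inferred: below the Medium range


@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_class: str              # "HBI", "MBI" or "LBI"
    exposure_rating: int          # 1..5
    qualitative_probability: str  # from the summary-level assessment
    aro: float                    # team's numeric estimate


def single_loss_expectancy(asset_value_m: float, exposure_rating: int) -> float:
    """Task 3: SLE = asset class value * exposure factor."""
    if exposure_rating not in EXPOSURE_FACTOR:
        raise ValueError(f"exposure rating must be 1..5, got {exposure_rating}")
    return asset_value_m * EXPOSURE_FACTOR[exposure_rating]


def annual_loss_expectancy(sle_m: float, aro: float) -> float:
    """Task 5: ALE = SLE * ARO."""
    return sle_m * aro


def quantify(risk: QuantRisk, values: dict) -> dict:
    """Tasks 2-5 for one risk; rejects an ARO that contradicts the qualitative rating."""
    band = aro_band(risk.aro)
    if band != risk.qualitative_probability:
        raise ValueError(f"{risk.name}: ARO {risk.aro} falls in the {band} band, "
                         f"but the summary-level rating was {risk.qualitative_probability}")
    asset_value = values[risk.asset_class]                       # Task 2
    sle = single_loss_expectancy(asset_value, risk.exposure_rating)
    return {
        "risk": risk.name,
        "asset_value_m": asset_value,
        "exposure_rating": risk.exposure_rating,
        "exposure_factor": EXPOSURE_FACTOR[risk.exposure_rating],
        "sle_m": sle,
        "aro": risk.aro,
        "ale_m": annual_loss_expectancy(sle, risk.aro),
    }


def total_ale(rows: list) -> float:
    """Expected annual loss across all quantified risks, in $ millions."""
    return sum(row["ale_m"] for row in rows)


# Woodgrove Bank figures as stated on the slide.
WOODGROVE_VALUES = asset_class_values(200.0, mbi_m=5.0, lbi_m=1.0)
LAN_HOST = QuantRisk("LAN Host Risk", "HBI", 4, "Medium", 0.5)
REMOTE_HOST = QuantRisk("Remote Host Risk", "HBI", 4, "High", 1.0)


def woodgrove_table() -> list:
    return [quantify(r, WOODGROVE_VALUES) for r in (LAN_HOST, REMOTE_HOST)]


if __name__ == "__main__":
    rows = woodgrove_table()
    for row in rows:
        print(f"{row['risk']}: SLE ${row['sle_m']:g}M, ARO {row['aro']:g}, ALE ${row['ale_m']:g}M")
    print(f"Total ALE: ${total_ale(rows):g}M")
```

The band check is the practitioner's safeguard: the ARO is chosen by hand from the qualitative rating, so an ARO of 0.2 attached to a risk the summary-level review rated Medium is an inconsistency worth catching before it feeds a cost-benefit decision.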

43 Assessing Risk: Best Practices
- Analyze risks during the data gathering process
- Conduct research to build credibility for estimating probability
- Communicate risk in business terms
- Reconcile new risks with previous risks

44 Conducting Decision Support (section divider; agenda as on slide 5)

45 Overview of the Decision Support Phase
Phase 2 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Its steps:
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

46 Identifying Output for the Decision Support Phase
Key elements to gather include:
- Decision on how to handle each risk
- Functional requirements
- Potential control solutions
- Risk reduction of each control solution
- Estimated cost of each control solution
- List of control solutions to be implemented

47 Considering the Decision Support Options
Options for handling risk:
- Accepting the current risk
- Implementing controls to reduce risk

48 Overview of the Identifying and Comparing Controls Process
Participants: security steering committee, mitigation owner, security risk management team.
Activities: identify potential control solutions; determine types of costs; estimate level of risk reduction; produce the final list of control solutions.

49 Step 1: Define Functional Requirements
The six-step decision support process and the roles involved (security risk management team, security steering committee, mitigation owner):
1. Define functional requirements
2. Identify control solutions
3. Review solutions against requirements
4. Estimate degree of risk reduction
5. Estimate cost of each solution
6. Select the risk mitigation strategy

50 Step 2: Identify Control Solutions (same six-step diagram as slide 49)

51 Step 3: Review Solutions Against Requirements (same six-step diagram as slide 49)

52 Step 4: Estimate Degree of Risk Reduction (same six-step diagram as slide 49)

53 Step 5: Estimate Cost of Each Solution (same six-step diagram as slide 49)

54 Step 6: Select the Risk Mitigation Strategy (same six-step diagram as slide 49)

55 Conducting Decision Support: Best Practices
- Consider assigning a security technologist to each identified risk
- Set reasonable expectations
- Build team consensus
- Focus on the amount of risk after the mitigation solution

56 Implementing Controls and Measuring Program Effectiveness (section divider; agenda as on slide 5)

57 Implementing Controls
Phase 3 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Key points:
- Seek a holistic approach
- Organize by defense-in-depth

58 Organizing the Control Solutions
Critical success determinants to organizing control solutions include:
- Communication
- Team scheduling
- Resource requirements

59 Organizing by Defense-in-Depth
Layers: Network, Host, Application, Data, Physical

60 Measuring Program Effectiveness
Phase 4 of the four-phase process (Assessing Risk, Conducting Decision Support, Implementing Controls, Measuring Program Effectiveness). Key points:
- Develop scorecard
- Measure control effectiveness

61 Developing Your Organization’s Security Risk Scorecard
A simple security risk scorecard organized by the defense-in-depth layers might look like this (risk levels: H, M, L):
Layer         FY05 Q1   FY05 Q2   FY05 Q3   FY05 Q4
Physical      H         M
Network       M         M
Host          M         M
Application   M         H
Data          L         L

62 Measuring Control Effectiveness
Methods to measure the effectiveness of implemented controls include:
- Direct testing
- Submitting periodic compliance reports
- Evaluating widespread security incidents

63 Session Summary
- One common thread between most risk management methodologies is that each is typically based on quantitative risk management, qualitative risk management, or a combination of the two
- Risk assessment consists of conducting a summary-level risk prioritization, and then conducting a detailed-level risk prioritization on high-impact risks
- The Microsoft Security Risk Management Guide provides a number of tools and templates to assist with the entire risk management process
- The Microsoft defense-in-depth approach organizes controls into several broad layers that make up the defense-in-depth model
- Determining your organization’s maturity level will help focus on the appropriate implementation and timeframe for your risk management strategy

64 Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance

65 Event Information
What’s Next? Technical Roadshow Post Event Website: www.microsoft.com/uk/techroadshow/postevents
Available from Monday 18th April
Please complete your Evaluation Form!

66 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. http://www.microsoft.com/TwC

