Risk Assessment
By: Ashwin Vignesh Madhu
Overview
- Objective
- Introduction
- Risk
- Risk Management Cycle
- RA Methodologies: CRAMM, COBRA, RuSecure, British Standard, Hierarchical Criteria Model
- Common Failures in RA
- Elements of Good RA
- OCTAVE: Characteristics, Process, Criteria, Examples
- OCTAVE Methodology
- Choosing Methodology
- Our Methodology
Objective
- Risk Assessment Process
  - Not unique to the IT environment
  - Provides the desired level of mission support depending on the budget
  - Well-structured risk management methodology
Introduction
- The process of enumerating risks
- Determining their classifications
- Assigning probability and impact scores
- Associating controls with each risk
Risk
- Risk Assessment measures:
  - Magnitude of the potential loss L
  - Probability p that the loss will occur
- Risk R can be expressed as R = L * p, or Risk = Impact * Likelihood
Risk (Cont..)
- Risk = PA * (1 - PE) * C
  - PA: the likelihood of adversary attack
  - PE: the security system effectiveness
  - (1 - PE): the adversary success probability
  - C: consequence of loss of the asset
- High L with low p versus low L with high p:
  - Treated differently in practice
  - Given nearly equal priority in dealing with them
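The two formulas above worked through on a small risk register. This is an added example, not from the original slides; the register entries, the loss and probability cut-offs, and the profile labels are constructed assumptions used to show how two risks with identical R can still have very different shapes.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    loss: float   # L: magnitude of the potential loss (constructed, in USD)
    prob: float   # p: probability that the loss occurs in the period


def expected_loss(risk: Risk) -> float:
    """R = L * p, i.e. Risk = Impact * Likelihood."""
    return risk.loss * risk.prob


def adversarial_risk(p_attack: float, p_effective: float, consequence: float) -> float:
    """R = PA * (1 - PE) * C: attack likelihood, security-system effectiveness
    (so 1 - PE is the adversary's success probability) and consequence."""
    for v in (p_attack, p_effective):
        if not 0.0 <= v <= 1.0:
            raise ValueError("PA and PE must be probabilities in [0, 1]")
    return p_attack * (1.0 - p_effective) * consequence


def profile(risk: Risk, loss_cut: float, prob_cut: float) -> str:
    """Ranking by R alone hides the shape of a risk; this tag (an assumed
    labelling) keeps the high-L/low-p and low-L/high-p cases visible."""
    if risk.loss >= loss_cut and risk.prob < prob_cut:
        return "high-loss/low-probability"
    if risk.loss < loss_cut and risk.prob >= prob_cut:
        return "low-loss/high-probability"
    return "other"


def rank_register(risks, loss_cut=100_000.0, prob_cut=0.5):
    """Sort by expected loss, highest first; ties keep register order."""
    ordered = sorted(risks, key=expected_loss, reverse=True)
    return [(r.name, expected_loss(r), profile(r, loss_cut, prob_cut)) for r in ordered]


# Constructed register: the first two entries have identical R = 10,000.
REGISTER = [
    Risk("ransomware outage of core service", loss=1_000_000.0, prob=0.01),
    Risk("credential-stuffing account takeovers", loss=10_000.0, prob=1.0),
    Risk("lost unencrypted laptop", loss=50_000.0, prob=0.1),
]

if __name__ == "__main__":
    for name, r, shape in rank_register(REGISTER):
        print(f"{r:>10,.0f}  {shape:<26}  {name}")
    # Raising control effectiveness PE from 0 to 0.9 cuts the adversarial risk tenfold.
    print(adversarial_risk(0.3, 0.0, 200_000.0), adversarial_risk(0.3, 0.9, 200_000.0))
```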
Risk Management Cycle
RA Methodologies
- CCTA Risk Analysis and Management Method (CRAMM)
- Consultative, Objective and Bi-functional Risk Analysis (COBRA)
- RuSecure
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Failure Mode and Effects Analysis (FMEA)
- British Standard (BS)
RA Methodologies (Cont..)
- Methods support in:
  - Detecting critical places and parts in the organization
  - Detecting risk factors
  - Collecting data about risk factors
  - Evaluation and estimation of risk
  - Generating a report of the risk management process
CRAMM
COBRA
- Two modules:
  - COBRA Risk Consultant
  - ISO Compliance Analyst
- Support in the process of evaluating security risk
- Evaluation steps:
  - Building queries
  - Risk evaluation
  - Constructing reports
- Contains a library of countermeasures
RuSecure
British Standard
Hierarchical Criteria Model
Common Failures in RA
- Poor executive support
- High cost of implementation
- Untimely response
- Insufficient accountability
- Inability to qualitatively measure the control environment
- Infrequent assessment
- Inaccurate data
Elements of Good RA
- Provides clear instructions
- Simplifies user response
- Identifies support contacts
- Focuses on leaders as well as executors
- Provides feedback to users and risk leaders
- Has a broad scope
- Identifies users for follow-up if necessary and applicable
OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Effective security risk evaluation
- Considers both organizational and technological issues
- Self-directed
Characteristics
- Identify information-related assets
- Focus risk analysis activities on critical assets
- Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
- Evaluate risks in an operational context: how they are used to conduct an organization's business
- Create a protection strategy for risk mitigation
OCTAVE Process
Criteria
- Principle: fundamental concepts driving the nature of the evaluation and defining the philosophy behind the evaluation process
- Attribute: distinctive qualities, or characteristics, of the evaluation
- Output: defines the outcomes that an analysis team must achieve during each phase
Examples
OCTAVE Method Process
- Phase 1: Build Asset-Based Threat Profiles
  - Process 1: Identify Senior Management Knowledge
  - Process 2: Identify Operational Area Knowledge
  - Process 3: Identify Staff Knowledge
  - Process 4: Create Threat Profiles
OCTAVE Method Process
- Phase 2: Identify Infrastructure Vulnerabilities
  - Process 5: Identify Key Components
  - Process 6: Evaluate Selected Components
- Phase 3: Develop Security Strategy and Plans
  - Process 7: Conduct Risk Analysis: an organizational set of impact evaluation criteria is defined to establish the impact value
  - Process 8: Develop Protection Strategy: the team develops an organization-wide protection strategy to improve the organization's security practices
Choosing Methods
- Depending on organization size
- Depending on organization hierarchical structure
- Structured or open-ended method
- Analysis team composition
- IT resources
Our Methodology
- Policies and procedures
- Requirement analysis
- Network topology
- Categorizing the network
- Scanning based on categorization
- Analysis of vulnerabilities
- Use of different scanning tools
- Penetration testing
- Risk strategy
- Mitigation of risk
Thank You