Managing Risk in Information Systems Strategies for Mitigating Risk

Presentation on theme: "Managing Risk in Information Systems Strategies for Mitigating Risk"— Presentation transcript:

1 Managing Risk in Information Systems Strategies for Mitigating Risk
Lesson 5 Strategies for Mitigating Risk

2 Learning Objectives
Describe concepts for planning risk mitigation throughout an organization.
Describe concepts for implementing a risk mitigation plan.

3 Key Concepts
Identifying the scope of a risk management plan
Best practices for planning risk mitigation
Ways to prioritize risk management requirements
Developing an organizational risk mitigation plan
Best practices for implementing a risk mitigation plan

4 DISCOVER: CONCEPTS

5 Strategies of Risk Mitigation
Identify the cost of risk mitigation
Determine loss if threat exploits vulnerability
Conduct business impact analysis (BIA)
Calculate maximum acceptable outage (MAO)
Establish service level agreements
Develop disaster recovery plan (DRP)
National Institute of Standards and Technology
Risk can be eliminated from the organization, but at a high cost, so cost is an important factor in risk management. Before risk can be addressed, the organization must first know what will be lost if a threat exploits a vulnerability. To determine this, a risk assessment must be undertaken, starting with an asset inventory and followed by a business impact analysis (BIA). The maximum acceptable outage (MAO) must also be calculated, and service level agreements and operational level agreements must be drawn up. Mission-critical applications must be identified and disaster recovery plans (DRPs) developed. Many templates are available to accomplish this; the National Institute of Standards and Technology (NIST) publishes many relating to organizational risk.

6 Scope of Risk Management
Critical business operations
Customer service delivery
Mission-critical business systems, applications, and data access
Seven domains of a typical IT infrastructure
Information systems security gap

7 Compliance Issues
CIPA requires a TPM
The Children's Internet Protection Act (CIPA) requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content as a condition of federal funding. It was signed into law on December 21, 2000, and was found to be constitutional by the United States Supreme Court on June 23,
Other laws may require other controls

8 Creating a Risk Mitigation Plan
Complete a risk assessment
Identify costs
Perform cost-benefit analysis (CBA)
Implement plan

9 Creating a Risk Mitigation Plan
High-level review of risk assessment
Identify and evaluate relevant threats
Identify and evaluate relevant vulnerabilities
Identify and evaluate countermeasures
Develop mitigating recommendations

10 Reviewing Risk Assessment Countermeasures
In-place countermeasures
Planned countermeasures
Approved countermeasures
Overlapping countermeasures

11 Calculating Costs
Initial purchase
Facility
Installation
Training

12 Calculating Costs
Look for hidden costs
Is extra power required to eliminate a single point of failure?

13 Time to Implement
Simple configurations can be implemented in a shorter time period

14 Time to Implement
Complex configurations require more planning and time

15 DISCOVER: PROCESS

16 Identifying Critical Business Functions (CBFs)
Making a purchase

17 Identifying CBFs Receiving funds

18 Identifying CBFs Shipping products

19 Performing a Cost-Benefit Analysis
Identify the losses you expect before, or without, a countermeasure
Identify the losses you expect after implementing the countermeasure
Calculating projected benefits: Loss Before Countermeasure - Loss After Countermeasure = Projected Benefits
Determining value of countermeasure: Projected Benefits - Cost of Countermeasure = Countermeasure Value
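The two CBA formulas on this slide, carried through in code as an added example that is not part of the original presentation. It combines them with the cost categories from the "Calculating Costs" slides (initial purchase, facility, installation, training, plus hidden costs) and goes one step beyond the slide by ranking several candidate countermeasures by their value and flagging any whose value is negative, that is, whose cost exceeds its projected benefit. The countermeasure names and all dollar figures are constructed sample data, not figures from the course.

```python
from dataclasses import dataclass


def total_cost(initial, facility, installation, training, hidden=0.0):
    """Total cost of a countermeasure: the four cost categories from the
    'Calculating Costs' slide plus any hidden cost (e.g. extra power)."""
    return initial + facility + installation + training + hidden


@dataclass
class Countermeasure:
    name: str
    loss_before: float  # expected loss without the countermeasure
    loss_after: float   # expected loss with the countermeasure in place
    cost: float         # total cost, from total_cost()

    def projected_benefit(self):
        # Loss Before Countermeasure - Loss After Countermeasure = Projected Benefits
        return self.loss_before - self.loss_after

    def value(self):
        # Projected Benefits - Cost of Countermeasure = Countermeasure Value
        return self.projected_benefit() - self.cost

    def is_worthwhile(self):
        # A negative value means the control costs more than the loss it prevents.
        return self.value() > 0


def rank_by_value(candidates):
    """Order candidate countermeasures from highest to lowest value."""
    return sorted(candidates, key=lambda c: c.value(), reverse=True)


def recommend(candidates):
    """Names of the countermeasures worth implementing, best value first."""
    return [c.name for c in rank_by_value(candidates) if c.is_worthwhile()]


# Constructed sample data (hypothetical names and figures).
SAMPLE_CANDIDATES = [
    Countermeasure(
        name="Redundant power supply",
        loss_before=120_000, loss_after=20_000,
        cost=total_cost(30_000, 5_000, 4_000, 1_000, hidden=6_000),  # 46,000
    ),
    Countermeasure(
        name="Security awareness training",
        loss_before=80_000, loss_after=50_000,
        cost=total_cost(0, 0, 0, 12_000),  # 12,000
    ),
    Countermeasure(
        name="Oversized monitoring platform",
        loss_before=40_000, loss_after=10_000,
        cost=total_cost(90_000, 10_000, 15_000, 5_000),  # 120,000
    ),
]


if __name__ == "__main__":
    for c in rank_by_value(SAMPLE_CANDIDATES):
        verdict = "implement" if c.is_worthwhile() else "reject (cost exceeds benefit)"
        print(f"{c.name}: benefit={c.projected_benefit():,.0f} "
              f"cost={c.cost:,.0f} value={c.value():,.0f} -> {verdict}")
```

With the sample figures, the redundant power supply has a benefit of 100,000 against a cost of 46,000 (value 54,000), the awareness training a benefit of 30,000 against 12,000 (value 18,000), and the monitoring platform a benefit of 30,000 against 120,000 (value -90,000), so only the first two are recommended. The hidden-cost argument to total_cost is where the "extra power to eliminate a single point of failure" question from the slides would be captured.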

20 DISCOVER: ROLES

21 Key Roles Involved with a Risk Management Plan
Chief executive officer (CEO)
Chief operating officer (COO)
Chief financial officer (CFO)
Data owners and custodians
IT management
Human resources (HR) professionals
Industry-specific management
Corporate legal department
Auditors

22 DISCOVER: CONTEXT

23 Risk Within the Seven Domains
User Domain: the risk here is a failure to follow or develop user policies such as the acceptable use policy (AUP)
Workstation Domain: the risk here is a failure to follow or develop policies regarding the use of computing devices
Local Area Network (LAN) Domain: the risks here include the lack of controls placed on the LAN environment
LAN-to-WAN Domain: a big risk here is the lack of controls on the organization's firewall or in the demilitarized zone (DMZ)
Remote Access Domain: risk with access controls
Wide Area Network (WAN) Domain: risk from a weak virtual private network (VPN) policy or controls
System/Application Domain: lack of controls placed on applications or systems

24 Risk Mitigation Best Practices
Review historical documentation: although risks change, many of the threats and vulnerabilities will be the same
Include both a narrow and broad focus: identify specific risks and mitigation strategies, then broaden the focus to include the entire organization

25 Risk Mitigation Best Practices
Ensure that governing laws are identified: if you don't know what laws apply, you won't be in compliance
Redo RAs when a control changes: if a control changes, the original RA is no longer valid
Include a cost-benefit analysis: CBAs provide justification for controls and help determine their value

26 Implementing a Risk Mitigation Plan
Stay within budget: ensure costs are calculated accurately
Stay on schedule: use tools to manage the project

27 DISCOVER: RATIONALE

28 Prioritizing and Analyzing Risk
Cost associated with the loss of a business component or process
Loss of customer confidence
Lack of compliance
Lack of insurance to mitigate or transfer risk

29 Monitoring Implementation
Use project management tools

30 Summary
Identifying the scope of a risk management plan
Best practices for planning risk mitigation
Ways to prioritize risk management requirements
Developing an organizational risk mitigation plan
Best practices for implementing a risk mitigation plan

31 4/17/2017 OPTIONAL SLIDES

32 Assessing How Security Countermeasures/Safeguards Can Assist with Risk Mitigation
Controls are implemented at a point in time to reduce the risks at that time
A control will attempt to mitigate risk by:
Reducing the impact of threats to an acceptable level
Reducing a vulnerability to an acceptable level
Risk assessment (RA) is a point-in-time assessment

33 Identifying Risk Mitigation and Risk Reduction Elements
Account management controls
Access controls
Physical access
Personnel policies
Security awareness and training

34 Operational Impact
Tradeoff with security:
The more secure a system, the harder it is to use
The easier it is to use, the less secure it is
Firewall implicit deny philosophy

35 Prioritizing Risk Elements

36 Following Up on the Risk Mitigation Plan
Ensure countermeasures are implemented
POAM
Ensure security gaps have been closed
