Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Risk Management

Published byMagnus McCormick Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Systems Risk Management"— Presentation transcript:

1 Information Systems Risk Management
CMGT 442 Information Systems Risk Management Philip Robbins – November 28, 2012 (Week 3) University of Phoenix Mililani Campus

2 Objectives: Week 3 Risk Assessment (Part 2)
Review Week 1 & 2: Concepts LT Activity: Week 3 & Week 4 Article Readings Discuss Homework Assignments & Class Videos Week 3: Quantitative Risk Analysis vs. Qualitative Risk Assessments Review NIST SP Review Week 3: Questions Assignments: IDV & LT Papers Quiz #3 2

3 Learning Team Activity
Activity: Review Week 3 & 4 ‘Article’ Readings 15 minutes: Read Articles 10 minutes: Answer article questions 10 minutes: Present your article to the class Submit for credit. 3

4 LT Activity: Week 3 Article Readings
Barr (2011). Federal Business Continuity Plans - Do you think the private sector must employ something similar to the Federal Government’s Continuity of Operations Process (COOP) as an integral part of their enterprise risk management plan? Ledford (2012). FISMA - Do you think the Federal Information Security Management Act (FISMA) might provide the basis for a standard framework for enterprise risk management adaptable to the private sector? 4

5 LT Activity: Week 4 Article Readings
Ainworth (2009). The BCP Process - Might an effective risk management plan be considered a process that may restore all systems, businesses, processes, facilities, and people? Barr (2011). Good Practice for Information Security - What changes would you recommend for the Information Security Forum’s 2007 Standard? - Which of these changes must be incorporated into the enterprise’s risk management plan? 5

6 REVIEW: IDV Assignments #1 & #2
#1: Risks associated with an industry. #2: Organization that has recently been compromised. - Focus on risks from Information Systems and how we manage those risks. - This involves understanding what Information Systems are and how they work. - Risks are all around you. (Class Videos) 6

7 Break? This is probably time for a break…

8 QUICK REVIEW: Week 1 What is Information Systems Risk Management?
- Information Systems Risk Management is the process of identifying, assessing, and reducing (mitigating) risks to an acceptable level. 8

9 QUICK REVIEW: Week 2 What are the components of Information Systems Risk? - Threats & Threat Agents - Vulnerabilities (Weakness) - Controls (Safeguards) - Impact 9

10 REVIEW: MAC Levels

11 REVIEW: Classification
(i.e. SECRET & higher) (i.e. PII, FOUO) (i.e. UNCLASS)

12 REVIEW: Controls / Safeguards
Control checklists exist depending on your MAC and classification of your network enclave: “DoDI ” Information Assurance Implementation checklists

13 REVIEW: Controls / Safeguards

14 REVIEW: Control Checklists

15 REVIEW: Scorecard

16 REVIEW: Information Assurance Services
Taken from DoD 16

17 REVIEW: Plan of Actions & Milestones
Non-compliant (NC) controls / findings are listed on a POA&M.

18 REVIEW: Quantitative Risk Analysis
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12

19 REVIEW: Qualitative Risk Matrix
SEVERE HIGH MEDIUM LOW Catastrophic (5) Material (4) Major (3) Minor (2) Insignificant (1) RISK Impact Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12 Rare(1) Unlikely(2) Moderate(3) Likely (4) Frequent(5) Probability (Vulnerability | Threat)

20 REVIEW: Exploitation & Severity
Risk Severity Discovery Low (Bad) Denial Low-Medium Exposure Medium Exfiltration Medium-High Deception High Takeover Severe (Worse) Discussion: Map exploitation type to an Information Security Service.

21 REVIEW: Risk Responses
Severity Exploitation Frequency High Accept / Transfer Avoid Low Accept Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12

22 REVIEW: Risk Responses
Risk Avoidance Halt or stop activity causing risk Risk Transference Transfer the risk (i.e. buy insurance) Risk Mitigation Reduce impact with controls/safeguards Risk Acceptance Understand consequences and accept risk Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12

23 REVIEW: Total vs. Residual Risk
When a company chooses not to implement a safeguard (if they accept the risk) then they accept the total risk. The leftover risk after applying countermeasures is called the residual risk. No matter what controls you place to protect an asset, it will never be 100% secure. Risk is never zero, thus, there is always some form of residual risk.

24 Week 3: Risk Assessment (Part 2)
Objectives - What is Quantitative Risk Analysis? - What is Qualitative Risk Assessment? - Positives (pros) and Negatives (cons) of each. - Which method is preferred?

25 Value of Information and Assets
Risk Management It’s important to understand the value of your information and information systems. So what is my information worth? - Value can be measured both Quantitatively and Qualitatively.

26 Two Types of Approaches
Quantitative Analysis Qualitative Assessment - Tangible impacts can be measured Quantitatively in lost revenue, repair costs, or resources. - Other impacts (i.e. loss of public confidence or credibility, etc.) can be qualified in terms of High, Medium, or Low impacts.

27 Let’s start …with Quantitative analysis.
- Warning: There is MATH… much more math. =(

28 Quantitative Analysis
Quantitative analysis attempts to assign real values to all elements of the risk analysis process. - Asset value - Safeguards / Controls - Threat frequency - Probability of incident

29 Quantitative Analysis
Purely Quantitative Risk Analysis is impossible. There are always unknown values. There are always “Qualitative” values. What is the value of a reputation? …but what if you focused on Information Security Services as a unit of measurement? Quantitative analysis can be automated with software and tools. - Requires large amounts of data to be collected.

30 Quantitative Analysis: Step-by-Step
Assign value to your information. Estimate cost for each asset and threat combination. Perform a Threat Analysis – determine the probability of exploitation. Derive the overall loss potential per year. Reduce, Transfer, Avoid, or Accept the Risk.

31 Step 1: Assign Value to Assets
What is my information assets worth? - What is my costs to obtain? - How much money does an asset bring in? - What is its value to my competitors? - How much would it cost to re-create? - Are there possible legal liabilities to account for?

32 Step 2: Estimate Loss Potential
For each threat, we need to determine how much a successful compromise could cost: - Physical damage - Loss of productivity - Cost for repairs Amount of Damage - “Single Loss Expectancy” per asset and threat* Example: if you have a virus outbreak and each outbreak costs $50K in lost revenue and repair costs. Your SLE = $50K

33 Step 2: Estimate of Loss potential
When determining SLE, you may hear the term EF (exposure factor). Loss then becomes a percentage of the assets value (AV). - This is where EF comes in… SLE = AV X EF

34 Step 3: Perform a Threat Analysis
Figure out the likelihood of a threat incident. - Analyze vulnerabilities and rate of exploits. - Analyze probabilities of threats to your location and systems. - Review historical records of incidents. Annualized Rate of Occurrence (ARO) Example: If the chance of a virus outbreak in any month is = 75%, then ARO = .75 * 12 (1 year) = 9 occurrences per year

35 Step 4: Derive the ALE Derive the Annual Loss Expectancy
ALE = SLE * ARO Example: Cost of a virus outbreak is $50K (SLE) X occurrences per year (ARO) $450K cost total (ALE)

36 Step 5: Risk Response Risk Avoidance
Halt or stop activity causing risk Risk Transference Transfer the risk (i.e. buy insurance) Risk Mitigation Reduce impact with controls/safeguards Risk Acceptance Understand consequences and accept risk

37 Reducing Risk When deciding whether to implement controls, safeguards, or countermeasures: you SHOULD be concerned about saving costs. It doesn’t make sense to spend more to protect an asset that’s worth less! So how do we determine if it’s worth it?

38 Reducing Risk Reducing risks through controls / safeguards / countermeasures makes sense when: If the cost (per year) of a countermeasure is more than the ALE, don’t implement it.

39 Definitions The Annualized Rate of Occurrence (ARO) is the likelihood of a risk occurring within a year. The Single Loss Expectancy (SLE) is the dollar value of the loss that equals the total cost of the risk. The ALE is calculated by multiplying the ARO by the SLE: ALE = ARO x SLE

40 Review of Quantitative Analysis
Assign value to information & assets: Asset Value (AV) Estimate: Single Loss Expectancy (SLE) Estimate: Likelihood of Threats (ARO) Calculate: Annual Loss Expectancy (ALE) Risk Response: Reduce, Transfer, Avoid or Accept.

41 Class Exercise: Quantitative Analysis
You own a data warehouse valued at $1,000,000 USD (information & infrastructure included). If the threat of a fire breaking out were to occur, it is expected that 40% of warehouse (including the data) would be damaged/lost. The chance of a fire breaking out for this type of warehouse is known to be 8% annually.

42 Let’s move on to …Qualitative assessments.

43 Qualitative Risk Assessment
Instead of assigning specific values… We walk through different scenarios, rank and prioritize based on threats and counter measures. Techniques includes: - Judgment - Best practices - Intuition (gut feelings) - Experience

44 Qualitative Assessments
Specific techniques include: - Delphi method (opinions provided anonymously) - Brainstorming - Storyboarding - Focus groups - Surveys - Questioners - Interviews / one-on-one meetings … very subjective

45 Qualitative Assessment
SEVERE HIGH MEDIUM LOW Remember this? Risk Catastrophic (5) Material (4) Major (3) Minor (2) Insignificant (1) RISK Impact Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12 Rare(1) Unlikely(2) Moderate(3) Likely (4) Frequent(5) Compromise

46 Qualitative Assessment
Risk Severity Exploitation Frequency High Accept / Transfer Avoid Low Accept Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source:  CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12

47 Review of Q vs. Q (NIST SP 800-30)
Quantitative Advantage Provides a measurement of the impacts’ magnitude. Quantitative Disadvantage Meaning of the analysis may be unclear, requiring the results to be interpreted in a qualitative manner. Qualitative Advantage Prioritizes the risks, identifying areas for immediate improvement. Qualitative Disadvantage Does not provide specific quantifiable measurements of the impacts magnitude.

48 What is the Difference between Q vs. Q?
Quantitative Advantage Impact is quantified (measurable). Quantitative Disadvantage Analysis involves complex calculations and can be confusing and resource intensive. vs. Qualitative Advantage Impact is clear & easy to understand. Qualitative Disadvantage No unit of measure; assessment is subjective (Low-Med-High).

49 What is the Difference between Q vs. Q?
Which approach is preferred when it comes to Information Systems Risk Management? Why? - Let’s discuss…

50 Break? This is probably time for a break…

51 Quiz: Week 3 10-15 minutes

52 IDV and LT Assignments for Week #3
Laptops at UOPX - Explain your thought process behind risk management as a new information system is introduced to an existing network. Constraints involved with Information Sharing - Identify and discuss the risk components involved and possible constraints that may add to your risk. - Outlined formats are OK. 52

53 We’ll review these questions & more next week to prep
Week 3 Review Questions We’ll review these questions & more next week to prep for the final exam… 53

Download ppt "Information Systems Risk Management"

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.

Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Risk Identification Chapter 6.

Risk Identification Chapter 6.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Information Systems Security Information Security & Risk Management.

Information Systems Security Information Security & Risk Management.
Introducing Computer and Network Security

Introducing Computer and Network Security
Stephen S. Yau CSE465-591, Fall 2006 1 Risk Management.

Stephen S. Yau CSE , Fall Risk Management.
Session 33 Guest Speaker: Gini Van Siclen. Risk Management for Project Managers Gini Van Siclen.

Session 33 Guest Speaker: Gini Van Siclen. Risk Management for Project Managers Gini Van Siclen.
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.

Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Risk Assessment Frameworks

Risk Assessment Frameworks
Risk Management. What is risk? You have some expected outcome –Of some event in the future Risk is the deviation of the actual future outcome from the.

Risk Management. What is risk? You have some expected outcome –Of some event in the future Risk is the deviation of the actual future outcome from the.
Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions.
Information Systems Risk Management

Information Systems Risk Management
1 Security Risk Management Liping Cai 02/01/2006.

1 Security Risk Management Liping Cai 02/01/2006.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28

Similar presentations

Ads by Google