Presentation is loading. Please wait.

Presentation is loading. Please wait.

Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology.

Published byIlene Strickland Modified over 9 years ago

Similar presentations

Presentation on theme: "Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology."— Presentation transcript:

1 Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology

2 Visual 1. 2 Course Overview n Risk Management Definition n Risk Management Terminology n Risk Management Issues n Process and Methodology for Conducting Risk Management

3 Visual 1. 3 ISSO Strategic Goals, Objectives, and Actions n Defining and institutionalizing risk management for ISSO and their customers –Define the process –Get management support –Educate the workforce –Practice risk management

4 Visual 1. 4 Objective 1 n At the end of this part of Lesson 1, you will be able to describe what Risk Management is the elements of the Risk Management Process

5 Visual 1. 5 Security Management n Managing the risks to an organization’s mission

6 Visual 1. 6 Risk Defined n “The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.” NSA Corporate Plan for INFOSEC Action, April 1996

7 Visual 1. 7 Management Defined n The art or manner of controlling the movement or behavior of something n To have charge of; direct; conduct; administer New World Dictionary of the American Language

8 Visual 1. 8 Risk Management n “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.” National Information Systems Security Glossary, NSTISSI No. 4009 and AFR 205-16, AFR 700-10

9 Visual 1. 9 Risk Management - Simply Put Risk Management - Simply Put n Determine what your risks are and then decide on a course of action to deal with those risks.

10 Visual 1. 10 Aim of Risk Management n To aid managers strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks Balance Sheet Risk Costs Countermeasure Costs

11 Visual 1. 11 Elements of the Risk Management Process n Risk Assessment –Mission/Impact Analysis –Identification of Critical Assets –Threat Analysis –Attack/Vulnerability Analysis n Risk Mitigation –Countermeasures Development n Risk Decision –Management’s Selection of Countermeasures for Implementation

12 Visual 1. 12 Objective 2 n At the end of this part of Lesson 1, you will be able to match risk management terms with their definitions.

13 Visual 1. 13 Risk Assessment n A study of threats and vulnerabilities, the theoretical effectiveness of present security mechanisms, and the potential impact of these factors on an organization’s ability to perform its mission

14 Visual 1. 14 Critical Asset n Something that when disclosed, modified, destroyed, or misused will cause harmful consequences to the organization or its goals and mission, or will provide an undesired and unintended benefit to someone

15 Visual 1. 15 Critical Asset Examples n Information n People n Software n Hardware n Facilities n etc.

16 Visual 1. 16 Threat n The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission

17 Visual 1. 17 Threat Examples n Adversarial –Terrorists –Foreign States –Disgruntled Employees –Criminals –Recreational Hackers –Commercial Competitors n Non-Adversarial –Nature –Unintentional Human Acts

18 Visual 1. 18 Attack n A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset -- cause an undesirable state of affairs -- resulting in harm to an organization’s ability to perform its mission

19 Visual 1. 19 Vulnerability n A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity

20 Visual 1. 20 Vulnerability Examples n Inadequate password management n Easy access to a facility n Weak cryptography n Software flaw n Open port SECURITY

21 Visual 1. 21 Consequence n The harmful result of a successful attack, degrading an organization’s ability to perform its mission

22 Visual 1. 22 Consequence Examples n Harm to organization mission –Loss of information confidentiality –Loss of information integrity –Loss of availability of information or system functions –Inability to correctly authenticate sender of information –Inability to verify receipt of information by the recipient –Inability to verify receipt of information by the intended recipient

23 Visual 1. 23 Risk Mitigation Actions or countermeasures we can take to lessen risk –Affect threat agent or their capabilities –Eliminate or limit our vulnerabilities

24 Visual 1. 24 Countermeasure Examples n Fix known exploitable software flaws n Enforce operational procedures n Provide encryption capability n Improve physical security n Disconnect unreliable networks n Train system administrators n Install virus scanning software

25 Visual 1. 25 Risk Management Decision n Determination by management or command to –take specific actions that will mitigate risk to mission, or –reject countermeasure recommendations and accept risk to mission

26 Visual 1. 26 Residual Risk n That portion of risk that remains –Management decides to accept risk –Unconsidered threat factors –Unconsidered vulnerabilities –Incorrect conclusions

Download ppt "Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology."

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Introducing Computer and Network Security

Introducing Computer and Network Security
Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.

Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.
Randy Marchany VA Tech Computing Center

Randy Marchany VA Tech Computing Center
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Risk Analysis COEN 250.

Risk Analysis COEN 250.
Risk Management October 1998. What is RISK MANAGEMENT? –The process concerned with identification, measurement, control and minimization of security risks.

Risk Management October What is RISK MANAGEMENT? –The process concerned with identification, measurement, control and minimization of security risks.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.

Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Security Risk Assessment Applied Risk Management July 2002.

Security Risk Assessment Applied Risk Management July 2002.

Similar presentations

Ads by Google