Security Risk Management
Table of Contents
• How Much Security Do You Really Need
• Risk Management
• Information Security Risk Assessment
• Case Studies
• Risk Assessment in Practice.
Risk and Risk management
• Risk is the potential that a given threat will
exploit vulnerabilities of an asset or group of
assets and thereby cause harm to the organization
• Risk management--- “Process of identifying,
controlling and minimizing or eliminating
security risks that may affect information systems,
for an acceptable cost.”
• Risk assessment--- “assessment of threats to,
impact on and vulnerabilities of information and
information processing facilities and the
likelihood of their occurrence.”
Who is the enemy? Why do they do it?
• Offenders
– Crackers---mostly teenagers doing it as an intellectual
challenge
– Information system criminals---espionage and/or
fraud/abuse, for a nation or company to gain a
competitive advantage over its rivals
– Vandals---authorized users and strangers (a cracker
or a criminal) motivated by anger directed at an
individual, an organization, or life in general
Motives of Cyber Criminal
• Power assurance---to restore the criminal’s self-confidence
or self-worth through low-aggression means;
• Power assertive---to restore the criminal’s self-confidence
or self-worth through moderate- to high-aggression means;
• Anger (retaliatory)---rage towards a person,
group, institution, or a symbol
• Sadistic---derive gratification from the
pain/suffering of others
• Profit-oriented---material or personal gain
Risk = Threats x Vulnerabilities
Types of Damage
• Interruption---destroyed/unavailable
services/resources
• Interception---unauthorized party snooping or
getting access to a resource
• Modification--- unauthorized party modifying
a resource
• Fabrication---unauthorized party inserts a fake
asset/resource
The purpose of risk management
• Ensure the overall business and business assets are
safe
• Protect against competitive disadvantage
• Comply with laws and best business
practices
• Maintain a good public reputation
Accountability for Risk Management
• It is the responsibility of each community of interest to
manage risks; each community has a role to play:
– Information Security - best understands the threats and attacks
that introduce risk into the organization
– Management and Users – play a part in the early detection and
response process; they also ensure sufficient resources are
allocated
– Information Technology – must assist in building secure
systems and operating them safely
Accountability for Risk Management
• All three communities
must also:
– Evaluate the risk controls
– Determine which control
options are cost effective
– Assist in acquiring or
installing needed controls
– Ensure that the controls
remain effective
(Figure: the value of assets weighed against the cost of protecting those assets)
Risk Matrix
Rows are LIKELIHOOD, columns are IMPACT:

                    NEGLIGIBLE  MINOR   MODERATE  SEVERE     CRITICAL
VERY LIKELY         LOW         MEDIUM  HIGH      VERY HIGH  UNACCEPTABLE
LIKELY              LOW         MEDIUM  HIGH      HIGH       VERY HIGH
MODERATELY LIKELY   LOW         LOW     MEDIUM    HIGH       HIGH
UNLIKELY            LOW         LOW     LOW       MEDIUM     MEDIUM
VERY UNLIKELY       LOW         LOW     LOW       LOW        LOW
Steps of a risk management plan
• Step 1: Identify Risk
• Step 2: Assess Risk
• Step 3: Control Risk
• Steps are similar regardless of context
(InfoSec, Physical Security, Financial, etc.)
• This presentation will focus on controlling risk
within an InfoSec context
Risk Identification
• The steps to risk identification are:
– Identify your organization’s information assets
– Classify and categorize said assets into useful
groups
– Rank assets by their necessity to the organization
To the right is a simplified example of how a company
may identify risks
Risk Assessment
• The steps to risk assessment are:
– Identify threats and threat agents
– Prioritize threats and threat agents
– Assess vulnerabilities in current InfoSec plan
– Determine risk of each threat
R = P * V – M + U
R = Risk
P = Probability of threat attack
V = Value of Information Asset
M = Mitigation by current controls
U = Uncertainty of vulnerability
The table to the right combines elements of all of these in a
highly simplified format
Risk control
• The steps to risk control are:
– Cost-Benefit Analysis (CBA)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annual Loss Expectancy (ALE)
  • Annual Cost of the Safeguard (ASG)
– Feasibility Analysis
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility
– Risk Control Strategy Implementation
Cost-Benefit analysis
• Determine what risk control
strategies are cost effective
• Below are the common formulas used in
cost-benefit analysis
• SLE = AV * EF
– AV = Asset Value, EF = Exposure Factor
(% of the asset affected)
• ALE = SLE * ARO
– ARO = Annualized Rate of Occurrence
• CBA = ALE (pre-control) –
ALE (post-control) – ASG
– ASG = Annual Cost of the Safeguard
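As an added worked example (not code from the slides), the following Python puts the risk determination formula R = P * V – M + U, the risk matrix, and the SLE/ALE/CBA formulas together on made-up assets and safeguards; treating M and U as percentages of P * V is an assumption taken from the Principles of Information Security textbook the deck cites.

```python
"""Risk determination and cost-benefit analysis on constructed data.

Added example, not code from the slides. Implements the deck's formulas
(R = P*V - M + U; SLE = AV*EF; ALE = SLE*ARO; CBA = ALE_pre - ALE_post - ASG)
and its 5x5 likelihood/impact matrix. Treating M and U as percentages of the
raw P*V product follows Principles of Information Security, the textbook the
deck cites. Every asset, threat and safeguard figure below is made up.
"""
from dataclasses import dataclass

IMPACT = ["NEGLIGIBLE", "MINOR", "MODERATE", "SEVERE", "CRITICAL"]
# Likelihood rows x impact columns, copied from the deck's risk matrix.
MATRIX = {
    "VERY LIKELY":       ["LOW", "MEDIUM", "HIGH",   "VERY HIGH", "UNACCEPTABLE"],
    "LIKELY":            ["LOW", "MEDIUM", "HIGH",   "HIGH",      "VERY HIGH"],
    "MODERATELY LIKELY": ["LOW", "LOW",    "MEDIUM", "HIGH",      "HIGH"],
    "UNLIKELY":          ["LOW", "LOW",    "LOW",    "MEDIUM",    "MEDIUM"],
    "VERY UNLIKELY":     ["LOW", "LOW",    "LOW",    "LOW",       "LOW"],
}

def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative rating from the matrix; unknown labels raise an error."""
    return MATRIX[likelihood][IMPACT.index(impact)]

def relative_risk(p: float, v: float, m: float, u: float) -> float:
    """R = P*V - M + U. p: attack probability (0..1); v: asset value on the
    ranking scale; m: fraction of P*V already mitigated by current controls;
    u: uncertainty fraction added back on top of P*V."""
    for name, x in (("p", p), ("m", m), ("u", u)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {x}")
    raw = p * v
    return raw - raw * m + raw * u

@dataclass(frozen=True)
class ThreatAsset:
    asset: str
    threat: str
    p: float
    v: float
    m: float
    u: float

def rank_risks(pairs):
    """(asset, threat, R) tuples, highest risk first: the worksheet order."""
    scored = [(x.asset, x.threat, relative_risk(x.p, x.v, x.m, x.u)) for x in pairs]
    return sorted(scored, key=lambda t: t[2], reverse=True)

def sle(av: float, ef: float) -> float:
    """Single loss expectancy: asset value times exposure factor (fraction lost)."""
    return av * ef

def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy: SLE times annualized rate of occurrence."""
    return single_loss * aro

def cba(ale_pre: float, ale_post: float, asg: float) -> float:
    """Net annual benefit of a safeguard; positive means it pays for itself."""
    return ale_pre - ale_post - asg

@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: float   # exposure factor once the control is in place
    aro_after: float  # annualized rate of occurrence once in place
    asg: float        # annual cost of the safeguard

def evaluate_safeguards(av, ef, aro, options):
    """Rank candidate safeguards for one asset by CBA, best first."""
    ale_pre = ale(sle(av, ef), aro)
    rows = [(s.name, cba(ale_pre, ale(sle(av, s.ef_after), s.aro_after), s.asg))
            for s in options]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def cost_effective(av, ef, aro, options):
    """Names of the safeguards whose CBA is positive."""
    return [n for n, val in evaluate_safeguards(av, ef, aro, options) if val > 0]

# Constructed sample data.
PAIRS = [
    ThreatAsset("web server", "unpatched web app", p=0.5, v=80, m=0.25, u=0.2),
    ThreatAsset("HR records", "insider misuse", p=0.2, v=100, m=0.0, u=0.1),
    ThreatAsset("public site", "defacement", p=1.0, v=30, m=0.5, u=0.1),
]
DB_AV, DB_EF, DB_ARO = 200_000, 0.5, 0.2  # customer DB: 50% lost, once in 5 years
OPTIONS = [
    Safeguard("encrypted offsite backups", ef_after=0.1, aro_after=0.2, asg=6_000),
    Safeguard("patching + intrusion detection", ef_after=0.5, aro_after=0.05, asg=8_000),
    Safeguard("hot standby site", ef_after=0.02, aro_after=0.2, asg=25_000),
]

if __name__ == "__main__":
    for asset, threat, r in rank_risks(PAIRS):
        print(f"{asset:12s} {threat:20s} R={r:5.1f}")
    for name, value in evaluate_safeguards(DB_AV, DB_EF, DB_ARO, OPTIONS):
        print(f"{name:32s} CBA={value:9.1f}")
```

The hot standby option shows the point of the CBA step: it reduces loss the most, yet its annual cost exceeds the loss it prevents, so it is not cost-effective for this asset.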
Feasibility analysis
• Organizational: Does the plan correspond to the organization’s
objectives? What is in it for the organization? Does it limit the
organization’s capabilities in any way?
• Operational: Will stakeholders (users, managers, etc.) be
able/willing to accept the plan? Is the system compatible with the
new changes? Have the possible changes been communicated to the
employees?
• Technical: Is the necessary technology owned or obtainable? Are our
employees trained and if not can we afford to train them? Should we
hire new employees?
• Political: Can InfoSec acquire the necessary budget and approval to
implement the plan? Is the budget required justifiable? Does InfoSec
have to compete with other departments to acquire the desired
budget?
Risk control Strategies
• Defense
• Transferal
• Mitigation
• Acceptance (Abandonment)
• Termination
Risk control Strategy: defense
• Defense: Prevent the
exploitation of the system
via application of policy,
training/education, and
technology. Preferably
layered security (defense
in depth)
– Counter threats
– Remove vulnerabilities
from assets
– Limit access to assets
– Add protective safeguards
Risk control Strategy: transferal
• Transferal: Shift risks to
other areas or outside
entities to handle
• Can include:
– Purchasing insurance
– Outsourcing to other
organizations
– Implementing service
contracts with providers
– Revising deployment
models
Risk control Strategy: Mitigation
Risk control Strategy: Acceptance
• Appropriate when:
– The cost to protect an
asset or assets exceeds
the cost to replace
it/them
– The probability of
risk is very low and the
asset is of low priority
• Otherwise acceptance =
negligence
Risk control Strategy: Termination
• Termination: Removing
or discontinuing the
information asset from
the organization
• Examples include:
– Equipment disposal
– Discontinuing a
provided service
– Firing an employee
Pros and cons of each strategy
Pros
• Defense: Preferred all round
approach
• Transferal: Easy and
effective
• Mitigation: Effective when
all else fails
• Acceptance: Cheap and easy
• Termination: Relatively
cheap and safe
Cons
• Defense: Expensive and
laborious
• Transferal: Dependence on
external entities
• Mitigation: Guarantees
company loss
• Acceptance: Rarely
appropriate, unsafe
• Termination: Rarely
appropriate, requires company
loss
Standard approaches to risk management
• US CERT’s Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE) methods
(original OCTAVE, OCTAVE-S, OCTAVE-Allegro)
• ISO 27005 Standard for InfoSec Risk Management
• NIST Risk Management Model
• Microsoft Risk Management Approach
• Jack A. Jones’ Factor Analysis of Information Risk
(FAIR)
• Delphi Technique
Principles of Information Security - Chapter 3, Slide # 26
Risk Determination
For the purpose of relative risk assessment:
RISK =
likelihood of vulnerability occurrence times
value (or impact)
MINUS
percentage risk already controlled
PLUS
an element of uncertainty
Access Controls
• One particular application of controls is in the area of
access controls
• Access controls are those controls that specifically
address admission of a user into a trusted area of the
organization
• There are a number of approaches to controlling access
• Access controls can be
– discretionary
– mandatory
– nondiscretionary
Types of Access Controls
• Discretionary Access Controls (DAC) are implemented at
the discretion or option of the data user
• Mandatory Access Controls (MACs) are structured and
coordinated with a data classification scheme, and are required
• Nondiscretionary Controls are those determined by a central
authority in the organization and can be based on that individual’s
role
Lattice-based Control
• Another type of nondiscretionary access is lattice-based
control, where a lattice structure (or matrix) is created
containing subjects and objects, and the boundaries
associated with each pair are recorded
• This specifies the level of access each subject has to each
object
• In a lattice-based control the column of attributes
associated with a particular object are referred to as an
access control list or ACL
• The row of attributes associated with a particular subject
(such as a user) is referred to as a capabilities table
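An added example (not from the slides) of the access matrix described above: an object's column is returned as its ACL, a subject's row as its capabilities table, and a mandatory check on the deck's confidential/internal/public classification lattice is layered over the discretionary grants. The dominance rule and all users, files and rights are this example's assumptions.

```python
"""Access matrix with ACL and capability views plus a classification lattice.

Added example, not code from the slides. Rows are subjects and columns are
objects: an object's column is its ACL and a subject's row is its capabilities
table, as the deck describes. A mandatory check using the deck's
confidential > internal > public classification scheme and matching security
clearance levels is layered on top; the rule that a clearance must dominate the
object's classification is this example's assumption. Users, files and rights
are constructed.
"""
from collections import defaultdict

LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # lattice order
RIGHTS = frozenset({"read", "write", "execute"})


def dominates(clearance: str, classification: str) -> bool:
    """True when the clearance level is at least the classification level."""
    return LEVELS[clearance] >= LEVELS[classification]


class AccessMatrix:
    """Discretionary part: explicit (subject, object) -> rights cells."""

    def __init__(self):
        self._cells = defaultdict(set)

    def grant(self, subject, obj, *rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self._cells[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        self._cells[(subject, obj)].difference_update(rights)

    def acl(self, obj):
        """Column view: every subject holding rights on obj."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: every object the subject holds rights on."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}

    def permits(self, subject, obj, right):
        # .get() does not create a cell, so lookups never widen the matrix.
        return right in self._cells.get((subject, obj), set())


class Authorizer:
    """Combines the discretionary matrix with the mandatory lattice check."""

    def __init__(self, matrix, clearances, classifications):
        self.matrix = matrix
        self.clearances = clearances            # subject -> clearance level
        self.classifications = classifications  # object -> classification level

    def authorize(self, subject, obj, right):
        # Both controls must agree: an explicit grant alone is not enough.
        if not self.matrix.permits(subject, obj, right):
            return False
        return dominates(self.clearances[subject], self.classifications[obj])


def build_sample():
    """Constructed sample: two users, three objects."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")  # discretionary grant the lattice vetoes
    m.grant("bob", "handbook.pdf", "read", "write")
    for user in ("alice", "bob"):
        m.grant(user, "website", "read")
    return Authorizer(
        m,
        clearances={"alice": "confidential", "bob": "internal"},
        classifications={"payroll.db": "confidential",
                         "handbook.pdf": "internal", "website": "public"},
    )


if __name__ == "__main__":
    auth = build_sample()
    print("ACL for payroll.db:", auth.matrix.acl("payroll.db"))
    print("bob's capabilities:", auth.matrix.capabilities("bob"))
    for s, o, r in [("alice", "payroll.db", "write"), ("bob", "payroll.db", "read")]:
        print(f"{s} {r} {o}: {'allowed' if auth.authorize(s, o, r) else 'denied'}")
```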
Documenting Results of Risk Assessment
• The goal of this process has been to identify the
information assets of the organization that have specific
vulnerabilities and create a list of them, ranked for focus
on those most needing protection first
• In preparing this list we have collected and preserved
factual information about the assets, the threats they face,
and the vulnerabilities they experience
• We should also have collected some information about
the controls that are already in place
Asset Identification and Valuation
• This iterative process begins with the
identification of assets, including all of the
elements of an organization’s system
• Then, we classify and categorize the assets adding
details as we dig deeper into the analysis
Components of an Information System
Hardware, Software, and Network Asset Identification
• Automated tools can
sometimes uncover the
system elements that make
up the hardware, software,
and network components
• Once created, the inventory
listing must be kept current,
often through a tool that
periodically refreshes the
data
(Figure: countermeasures surrounding the workstation: firewall, certificates and PKI, system audits, physical security, Redundant Array of Inexpensive Drives (RAID), Uninterrupted Power Supply (UPS), tape backups, user training, password protection, and system certification and accreditation)
Hardware, Software, and Network Asset Identification
• What attributes of each of these information assets
should be tracked?
• When deciding which information assets to track,
consider including these asset attributes:
– Name
– IP address
– MAC address
– Element type
– Serial number
– Manufacturer name
People, Procedures, and Data Asset Identification
• Unlike the tangible hardware and software elements
already described, the human resources, documentation,
and data information assets are not as readily discovered
and documented
• These assets should be identified, described, and
evaluated by people using knowledge, experience, and
judgment
• As these elements are identified, they should also be
recorded into some reliable data handling process
Asset Information for People
• For People:
– Position name/number/ID – try to avoid names and
stick to identifying positions, roles, or functions
– Supervisor
– Security clearance level
– Special skills
Asset Information for Procedures
• For Procedures:
– Description
– Intended purpose
– Which elements it is tied to
– Where it is stored for reference
– Where it is stored for update purposes
Asset Information for Data
• For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential, relational
– Online or offline
– Where located
– Backup procedures employed
Information Asset Classification
• Many organizations already have a classification scheme
• Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
• Informal organizations may have to organize themselves
to create a useable data classification model
• The other side of the data classification scheme is the
personnel security clearance structure
Information Asset Valuation
• Each asset is categorized
• Questions to assist in developing the criteria to be used
for asset valuation:
– Which information asset is the most critical to the success of
the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to
replace?
– Which information asset would be the most expensive to
protect?
– Which information asset would be the most embarrassing or
cause the greatest liability if revealed?
Example Worksheet
Examples of Information Security Vulnerabilities
• Information security vulnerabilities are weaknesses that
expose an organization to risk.
• Through employees---Social interaction, Customer interaction,
Discussing work in public locations
• Through former employees---Former employees working for
competitors, Former employees retaining company data,
Former employees discussing company matters
• Through technology---Social networking, File sharing, Rapid
technological changes, Legacy systems, Storing data on
mobile devices such as mobile phones, Internet browsers
• Through hardware---Susceptibility to dust, heat and humidity,
Hardware design flaws, Out-of-date hardware,
Misconfiguration of hardware
Examples of Information Security Vulnerabilities (Cont.)
• Through software---Insufficient testing, Lack of audit trail, Software bugs
and design faults, Unchecked user input, Software that fails to consider
human factors, Software complexity (bloatware), Software as a service
(relinquishing control of data), Software vendors that go out of business or
change ownership
• Through network---Unprotected network communications, Open physical
connections, IPs and ports, Insecure network architecture, Unused user IDs,
Excessive privileges, Unnecessary jobs and scripts executing, Wi-Fi
networks
• Through IT management---Insufficient IT capacity, Missed security
patches, Insufficient incident and problem management, Configuration
errors and missed security notices, System operation errors
• Through partners and suppliers---Disruption of telecom services, Disruption of
utility services such as electric, gas, water, Hardware failure, Software
failure, Lost mail and courier packages, Supply disruptions, Sharing
confidential data with partners and suppliers
CASE STUDY: UN Security Risk Management Process
Programme Criticality
• The programme criticality framework is a common
United Nations system framework for decision-
making that puts in place a systematic structured
approach that uses programme criticality as a way to
ensure that programme activities can be balanced
against security risks.
• The concept of criticality means the critical impact of
an activity on the population, not necessarily on the
organisation.
Programme Criticality
• Programme criticality assessment is mandatory in
areas with residual risk levels of ‘high’ and ‘very
high,’ as determined in the Security Risk Assessments
(SRAs).
• Primary accountability for programme criticality is
with United Nations senior management at the
country level.
Risk Matrix for UN programme
Rows are LIKELIHOOD, columns are IMPACT:

                    NEGLIGIBLE  MINOR   MODERATE  SEVERE     CRITICAL
VERY LIKELY         LOW         MEDIUM  HIGH      VERY HIGH  UNACCEPTABLE
LIKELY              LOW         MEDIUM  HIGH      HIGH       VERY HIGH
MODERATELY LIKELY   LOW         LOW     MEDIUM    HIGH       HIGH
UNLIKELY            LOW         LOW     LOW       MEDIUM     MEDIUM
VERY UNLIKELY       LOW         LOW     LOW       LOW        LOW
Programme Criticality
A programme criticality assessment has the following steps:
1. Establish geographical scope and timeframe
2. List strategic results (SRs)
3. List UN activities/outputs (involving UN personnel)
4. Assess contribution to strategic results
5. Assess likelihood of implementation
6. Evaluate activities/outputs with PC1 criteria
7. View PC level results, form consensus within the UN system and
approve final results
8. Agree on a process to address and manage the results of the PC
assessment
9. Follow-up and review
• There are two possible criteria for an activity to be
considered a PC1 activity:
– Either the activity is assessed as lifesaving (humanitarian or
non-humanitarian) at scale (defined as any activity to
support processes or services, including needs
assessments), that would have an immediate and significant
impact on mortality; or
– The activity is a directed activity that receives the
endorsement of the Office of the Secretary-General for this
particular situation.
Programme Criticality
• Risk level has no impact on programme criticality.
There must be no consideration of risk level when
determining PC.
• Programme criticality has no impact on risk level.
There must be no consideration of PC when
determining risk level.
Programme Criticality
Maximum Acceptable Risk per Level of Programme Criticality

Residual Risk Level   Prog Crit Level
Unacceptable          N/A
Very High             PC 1
High                  PC 2
Medium                PC 3
Low                   PC 4

(Figure: the Programme Criticality Framework and the Security Risk Assessment feed one decision, "Balance Risk and Programme Criticality")
Balance Risk and Programme Criticality
PC1 activities in High Risk Level must be certified by the Executive Head of the UN organization and approved by the
USG DSS.
Other Processes with Security Implications
• Intelligence and Information Cycle.
• Strategic-level Integrated Mission Planning Process.
• Mission-level Integrated Planning, Coordination and
implementation.
• Mission Component Planning and Implementation
Processes.
• UN Budget Processes.
• Staff Selection and Managed Mobility System.
• Any other process that impacts the substance of UN
security.
Step 1: Setting the geographical scope and timeframe
• Where will we be working and what is the timeframe for the analysis?
Step 2: Situational Analysis
• What is the overall security situation in that area?
Step 3: Programme Assessment
• What are the main programme goals and posture in that area?
Step 4: Threat Assessment (General & Specific)
• What are the obstacles to achieving goals?
Step 5: Security Risk Assessment
• How vulnerable is the Organization to these threats?
• How will they affect the Organization, and which threats require the most attention?
Step 6: Security Risk Management Decisions
• What can actually be done about these risks?
Step 7: Security Risk Management Implementation
• Procedural and budget aspects of implementing the agreed security risk management measures.
Step 8: Acceptable Risk
• Is the risk acceptable in balance with the criticality of programme activities?
Step 9: Follow up and Review
• Are the measures working?
• Is the assessment of risk now similar to how it was projected?

 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Administering security
Administering securityAdministering security
Administering security
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Program security
Program securityProgram security
Program security
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 

Último

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Último (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Security risk management

Table of Contents
• How Much Security Do You Really Need
• Risk Management
• Information Security Risk Assessment
• Case Studies
• Risk Assessment in Practice
Risk and Risk management
• Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
• Risk management---“Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.”
• Risk assessment---“Assessment of threats to, impact on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.”
Who is the enemy? Why do they do it?
• Offenders
– Crackers---mostly teenagers doing it as an intellectual challenge
– Information system criminals---espionage and/or fraud/abuse---for a nation/company to gain a competitive advantage over its rivals
– Vandals---authorized users and strangers (a cracker or a criminal)---motivated by anger directed at an individual/organization/life in general
Motives of Cyber Criminals
• Power assurance---to restore the criminal’s self-confidence or self-worth through low-aggression means
• Power assertive---to restore the criminal’s self-confidence or self-worth through moderate- to high-aggression means
• Anger (retaliatory)---rage towards a person, group, institution, or a symbol
• Sadistic---derive gratification from the pain/suffering of others
• Profit-oriented---material or personal gain
Risk = Threats x Vulnerabilities
Types of Damage
• Interruption---destroyed/unavailable services/resources
• Interception---unauthorized party snooping on or getting access to a resource
• Modification---unauthorized party modifying a resource
• Fabrication---unauthorized party inserts a fake asset/resource
The purpose of risk management
• Ensure the overall business and business assets are safe
• Protect against competitive disadvantage
• Compliance with laws and best business practices
• Maintain a good public reputation
Accountability for Risk Management
• It is the responsibility of each community of interest to manage risks; each community has a role to play:
– Information Security---best understands the threats and attacks that introduce risk into the organization
– Management and Users---play a part in the early detection and response process; they also ensure sufficient resources are allocated
– Information Technology---must assist in building secure systems and operating them safely
Accountability for Risk Management
• All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost effective
– Assist in acquiring or installing needed controls
– Ensure that the controls remain effective
[Figure: balancing the value of assets against the cost of protecting those assets]
Risk Matrix
Rows give the likelihood of a threat, columns its impact; each cell is the resulting risk rating.
LIKELIHOOD \ IMPACT | NEGLIGIBLE | MINOR  | MODERATE | SEVERE    | CRITICAL
VERY LIKELY         | LOW        | MEDIUM | HIGH     | VERY HIGH | UNACCEPTABLE
LIKELY              | LOW        | MEDIUM | HIGH     | HIGH      | VERY HIGH
MODERATELY LIKELY   | LOW        | LOW    | MEDIUM   | HIGH      | HIGH
UNLIKELY            | LOW        | LOW    | LOW      | MEDIUM    | MEDIUM
VERY UNLIKELY       | LOW        | LOW    | LOW      | LOW       | LOW
Steps of a risk management plan
• Step 1: Identify Risk
• Step 2: Assess Risk
• Step 3: Control Risk
• The steps are similar regardless of context (InfoSec, physical security, financial, etc.)
• This presentation will focus on controlling risk within an InfoSec context
Risk Identification
• The steps to risk identification are:
– Identify your organization’s information assets
– Classify and categorize those assets into useful groups
– Rank the assets by their necessity to the organization
[Figure: simplified example of how a company may identify risks]
Risk Assessment
• The steps to risk assessment are:
– Identify threats and threat agents
– Prioritize threats and threat agents
– Assess vulnerabilities in the current InfoSec plan
– Determine the risk of each threat: R = P * V – M + U
• R = Risk
• P = Probability of threat attack
• V = Value of Information Asset
• M = Mitigation by current controls
• U = Uncertainty of vulnerability
[Table: highly simplified table combining all of these elements]
Risk control
• The steps to risk control are:
• Cost-Benefit Analysis (CBA)
– Single Loss Expectancy (SLE)
– Annualized Rate of Occurrence (ARO)
– Annual Loss Expectancy (ALE)
– Annual Cost of the Safeguard (ACS)
• Feasibility Analysis
– Organizational Feasibility
– Operational Feasibility
– Technical Feasibility
– Political Feasibility
• Risk Control Strategy Implementation
Cost-Benefit analysis
• Determine which risk control strategies are cost effective
• Below are some common formulas used in cost-benefit analysis
• SLE = AV * EF
– AV = Asset Value, EF = Exposure Factor (% of the asset affected)
• ALE = SLE * ARO
• CBA = ALE (pre-control) – ALE (post-control) – ACS
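As an added worked example (not from the slides), the formulas of the Risk Assessment and Cost-Benefit analysis slides applied to a constructed asset register: SLE = AV * EF, ALE = SLE * ARO, CBA = ALE(pre) – ALE(post) – ACS, and the relative risk R = P * V – M + U with M and U taken as percentages of P * V. All asset values, exposure factors, safeguard names and costs are made up for illustration.

```python
"""Quantitative risk assessment and cost-benefit analysis (CBA).

Added example, not from the original slides.  It implements the slide
formulas SLE = AV * EF, ALE = SLE * ARO, CBA = ALE(pre) - ALE(post) - ACS
and R = P * V - M + U over a constructed asset register; every value below
is made up for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, before or after a control."""
    asset: str
    asset_value: float      # AV: replacement/business value in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the exposure it leaves behind."""
    name: str
    annual_cost: float      # ACS: yearly cost of the safeguard
    post_exposure_factor: float
    post_aro: float


def sle(e: Exposure) -> float:
    """Single Loss Expectancy: loss from one incident."""
    return e.asset_value * e.exposure_factor


def ale(e: Exposure) -> float:
    """Annual Loss Expectancy: expected yearly loss."""
    return sle(e) * e.aro


def cba(pre: Exposure, s: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS.

    A positive result means the safeguard avoids more loss than it costs."""
    post = replace(pre, exposure_factor=s.post_exposure_factor, aro=s.post_aro)
    return ale(pre) - ale(post) - s.annual_cost


def relative_risk(probability: float, value: float,
                  pct_controlled: float, pct_uncertainty: float) -> float:
    """R = P * V - M + U, used to rank threats against each other.

    M and U are expressed as fractions of P * V: the share of the risk
    already mitigated by current controls and the analyst's uncertainty."""
    base = probability * value
    return base - pct_controlled * base + pct_uncertainty * base


def rank_safeguards(pre: Exposure, options: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate controls by CBA, best first; a negative CBA is not cost effective."""
    scored = [(s.name, cba(pre, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register: a public web server defaced about twice a year.
WEB_SERVER = Exposure("public web server", asset_value=100_000.0,
                      exposure_factor=0.2, aro=2.0)
OPTIONS = [
    # A control that cuts incidents to one every four years at modest cost.
    Safeguard("web application firewall", annual_cost=15_000.0,
              post_exposure_factor=0.2, post_aro=0.25),
    # Same effect on the threat, but the yearly cost exceeds the loss avoided.
    Safeguard("managed SOC retainer", annual_cost=50_000.0,
              post_exposure_factor=0.2, post_aro=0.25),
]

if __name__ == "__main__":
    print(f"SLE = {sle(WEB_SERVER):,.0f}, ALE = {ale(WEB_SERVER):,.0f}")
    for name, value in rank_safeguards(WEB_SERVER, OPTIONS):
        verdict = "cost effective" if value > 0 else "not cost effective"
        print(f"{name:28s} CBA = {value:>9,.0f}  ({verdict})")
    # Relative ranking of two threats: no controls vs. half controlled.
    print("R(no controls, 10% uncertainty)    =", relative_risk(1.0, 50, 0.0, 0.10))
    print("R(50% controlled, 20% uncertainty) =", relative_risk(0.5, 100, 0.5, 0.20))
```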
Feasibility analysis
• Organizational: Does the plan correspond to the organization’s objectives? What is in it for the organization? Does it limit the organization’s capabilities in any way?
• Operational: Will stakeholders (users, managers, etc.) be able/willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
• Technical: Is the necessary technology owned or obtainable? Are our employees trained and, if not, can we afford to train them? Should we hire new employees?
• Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the budget required justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?
Risk control Strategies
• Defense
• Transferal
• Mitigation
• Acceptance (Abandonment)
• Termination
Risk control Strategy: defense
• Defense: Prevent the exploitation of the system via application of policy, training/education, and technology; preferably layered security (defense in depth)
– Counter threats
– Remove vulnerabilities from assets
– Limit access to assets
– Add protective safeguards
Risk control Strategy: transferal
• Transferal: Shift risks to other areas or outside entities to handle
• Can include:
– Purchasing insurance
– Outsourcing to other organizations
– Implementing service contracts with providers
– Revising deployment models
Risk control Strategy: Acceptance
• Appropriate when:
– The cost to protect an asset or assets exceeds the cost to replace it/them
– The probability of risk is very low and the asset is of low priority
• Otherwise acceptance = negligence
Risk control Strategy: Termination
• Termination: Removing or discontinuing the information asset from the organization
• Examples include:
– Equipment disposal
– Discontinuing a provided service
– Firing an employee
Pros and cons of each strategy
Pros
• Defense: Preferred all-round approach
• Transferal: Easy and effective
• Mitigation: Effective when all else fails
• Acceptance: Cheap and easy
• Termination: Relatively cheap and safe
Cons
• Defense: Expensive and laborious
• Transferal: Dependence on external entities
• Mitigation: Guarantees company loss
• Acceptance: Rarely appropriate, unsafe
• Termination: Rarely appropriate, requires company loss
Standard approaches to risk management
• U.S. CERT’s Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods (Original, OCTAVE-S, OCTAVE-Allegro)
• ISO 27005 Standard for InfoSec Risk Management
• NIST Risk Management Model
• Microsoft Risk Management Approach
• Jack A. Jones’ Factor Analysis of Information Risk (FAIR)
• Delphi Technique
Risk Determination (from Principles of Information Security - Chapter 3, Slide # 26)
• For the purpose of relative risk assessment:
RISK = likelihood of vulnerability occurrence times value (or impact) MINUS percentage risk already controlled PLUS an element of uncertainty
Access Controls
• One particular application of controls is in the area of access controls
• Access controls are those controls that specifically address admission of a user into a trusted area of the organization
• There are a number of approaches to controlling access
• Access controls can be:
– discretionary
– mandatory
– nondiscretionary
Types of Access Controls
• Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user
• Mandatory Access Controls (MACs) are structured and coordinated with a data classification scheme, and are required
• Nondiscretionary Controls are those determined by a central authority in the organization and can be based on that individual’s role
Lattice-based Control
• Another type of nondiscretionary access is lattice-based control, where a lattice structure (or matrix) is created containing subjects and objects, and the boundaries associated with each pair are recorded
• This specifies the level of access each subject has to each object
• In a lattice-based control the column of attributes associated with a particular object is referred to as an access control list or ACL
• The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table
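As an added example (not from the slides), the subject/object matrix of the Lattice-based Control slide in code, with the ACL (column) and capabilities table (row) views, and a mandatory check that layers the data classification scheme and clearance levels named on the later slides over the discretionary grants. The subjects, objects, clearances and rights are constructed.

```python
"""Access control matrix with ACL and capability views, plus a mandatory
classification check layered on top of the discretionary grants.

Added example, not from the original slides.  The subjects, objects,
clearances and rights below are constructed for illustration.
"""
from enum import IntEnum


class Level(IntEnum):
    """Data classification scheme, ordered so that higher dominates lower."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Mandatory part: clearance of each subject and classification of each object.
CLEARANCE = {"alice": Level.CONFIDENTIAL, "bob": Level.INTERNAL, "guest": Level.PUBLIC}
CLASSIFICATION = {"payroll.db": Level.CONFIDENTIAL, "wiki": Level.INTERNAL, "www": Level.PUBLIC}

# Discretionary part: the subject x object matrix of rights granted by owners.
# Rows are subjects, columns are objects; a missing cell means no rights.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "wiki": {"read", "write"}, "www": {"read"}},
    "bob":   {"payroll.db": {"read"}, "wiki": {"read", "write"}, "www": {"read"}},
    "guest": {"www": {"read"}},
}


def acl(obj: str) -> dict[str, set[str]]:
    """Column view: who holds which rights on one object (the object's ACL)."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def capabilities(subject: str) -> dict[str, set[str]]:
    """Row view: what one subject may do to each object (its capabilities table)."""
    return {obj: set(rights) for obj, rights in MATRIX.get(subject, {}).items()}


def dac_allows(subject: str, obj: str, right: str) -> bool:
    """Discretionary check: an owner granted this right in the matrix."""
    return right in MATRIX.get(subject, {}).get(obj, set())


def mac_allows(subject: str, obj: str) -> bool:
    """Mandatory check: the subject's clearance must dominate the object's
    classification.  Unknown subjects or objects are denied."""
    if subject not in CLEARANCE or obj not in CLASSIFICATION:
        return False
    return CLEARANCE[subject] >= CLASSIFICATION[obj]


def authorize(subject: str, obj: str, right: str) -> bool:
    """Both checks must pass: a discretionary grant never overrides MAC."""
    return mac_allows(subject, obj) and dac_allows(subject, obj, right)


def audit_dac_mac_conflicts() -> list[tuple[str, str]]:
    """List matrix cells that MAC would deny anyway: grants worth reviewing,
    e.g. an owner sharing a CONFIDENTIAL object with an INTERNAL-cleared user."""
    return [(subj, obj) for subj, row in MATRIX.items()
            for obj in row if not mac_allows(subj, obj)]


if __name__ == "__main__":
    print("ACL for payroll.db:", acl("payroll.db"))
    print("capabilities of guest:", capabilities("guest"))
    print("bob read payroll.db:", authorize("bob", "payroll.db", "read"))  # False: MAC denies
    print("grants to review:", audit_dac_mac_conflicts())                  # [('bob', 'payroll.db')]
```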
Documenting Results of Risk Assessment
• The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked so that those most needing protection are addressed first
• In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience
• We should also have collected some information about the controls that are already in place
Asset Identification and Valuation
• This iterative process begins with the identification of assets, including all of the elements of an organization’s system
• Then we classify and categorize the assets, adding details as we dig deeper into the analysis
Components of an Information System
[Figure: components of an information system]
Hardware, Software, and Network Asset Identification
• Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components
• Once created, the inventory listing must be kept current, often through a tool that periodically refreshes the data
[Figure: countermeasures---firewall, certificates, PKI, system audits, physical security, Redundant Array of Inexpensive Drives (RAID), Uninterrupted Power Supply (UPS), tape backups, user training, password protection, system certification and accreditation]
Hardware, Software, and Network Asset Identification
• What attributes of each of these information assets should be tracked?
• When deciding which information assets to track, consider including these asset attributes:
– Name
– IP address
– MAC address
– Element type
– Serial number
– Manufacturer name
People, Procedures, and Data Asset Identification
• Unlike the tangible hardware and software elements already described, the human resources, documentation, and data information assets are not as readily discovered and documented
• These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment
• As these elements are identified, they should also be recorded into some reliable data handling process
Asset Information for People
• For People:
– Position name/number/ID---try to avoid names and stick to identifying positions, roles, or functions
– Supervisor
– Security clearance level
– Special skills
Asset Information for Procedures
• For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes
Asset Information for Data
• For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used---sequential, relational
– Online or offline
– Where located
– Backup procedures employed
Information Asset Classification
• Many organizations already have a classification scheme
• Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
• Informal organizations may have to organize themselves to create a usable data classification model
• The other side of the data classification scheme is the personnel security clearance structure
Information Asset Valuation
• Each asset is categorized
• Questions to assist in developing the criteria to be used for asset valuation:
– Which information asset is the most critical to the success of the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to replace?
– Which information asset would be the most expensive to protect?
– Which information asset would be the most embarrassing or cause the greatest liability if revealed?
Examples of Information Security Vulnerabilities
• Information security vulnerabilities are weaknesses that expose an organization to risk.
• Through employees---social interaction, customer interaction, discussing work in public locations
• Through former employees---former employees working for competitors, former employees retaining company data, former employees discussing company matters
• Through technology---social networking, file sharing, rapid technological changes, legacy systems, storing data on mobile devices such as mobile phones, Internet browsers
• Through hardware---susceptibility to dust, heat and humidity, hardware design flaws, out-of-date hardware, misconfiguration of hardware
Examples of Information Security Vulnerabilities (Cont.)
• Through software---insufficient testing, lack of audit trail, software bugs and design faults, unchecked user input, software that fails to consider human factors, software complexity (bloatware), software as a service (relinquishing control of data), software vendors that go out of business or change ownership
• Through the network---unprotected network communications, open physical connections, IPs and ports, insecure network architecture, unused user IDs, excessive privileges, unnecessary jobs and scripts executing, Wi-Fi networks
• Through IT management---insufficient IT capacity, missed security patches, insufficient incident and problem management, configuration errors and missed security notices, system operation errors
• Through partners and suppliers---disruption of telecom services, disruption of utility services such as electric, gas, water, hardware failure, software failure, lost mail and courier packages, supply disruptions, sharing confidential data with partners and suppliers
CASE STUDY: UN Security Risk Management Process
Programme Criticality
• The programme criticality framework is a common United Nations system framework for decision-making that puts in place a systematic, structured approach that uses programme criticality as a way to ensure that programme activities can be balanced against security risks.
• The concept of criticality means the critical impact of an activity on the population, not necessarily on the organisation.
Programme Criticality
• Programme criticality assessment is mandatory in areas with residual risk levels of ‘high’ and ‘very high,’ as determined in the Security Risk Assessments (SRAs).
• Primary accountability for programme criticality is with United Nations senior management at the country level.
Risk Matrix for UN programme
Rows give the likelihood of a threat, columns its impact; each cell is the resulting risk rating.
LIKELIHOOD \ IMPACT | NEGLIGIBLE | MINOR  | MODERATE | SEVERE    | CRITICAL
VERY LIKELY         | LOW        | MEDIUM | HIGH     | VERY HIGH | UNACCEPTABLE
LIKELY              | LOW        | MEDIUM | HIGH     | HIGH      | VERY HIGH
MODERATELY LIKELY   | LOW        | LOW    | MEDIUM   | HIGH      | HIGH
UNLIKELY            | LOW        | LOW    | LOW      | MEDIUM    | MEDIUM
VERY UNLIKELY       | LOW        | LOW    | LOW      | LOW       | LOW
Programme Criticality
A programme criticality assessment has the following steps:
1. Establish geographical scope and timeframe
2. List strategic results (SRs)
3. List UN activities/outputs (involving UN personnel)
4. Assess contribution to strategic results
5. Assess likelihood of implementation
6. Evaluate activities/outputs with PC1 criteria
7. View PC level results, form consensus within the UN system and approve final results
8. Agree on a process to address and manage the results of the PC assessment
9. Follow-up and review
Programme Criticality
• There are two possible criteria for an activity to be considered a PC1 activity:
– Either the activity is assessed as lifesaving (humanitarian or non-humanitarian) at scale (defined as any activity to support processes or services, including needs assessments) that would have an immediate and significant impact on mortality; or
– The activity is a directed activity that receives the endorsement of the Office of the Secretary-General for this particular situation.
Programme Criticality
• Risk level has no impact on programme criticality. There must be no consideration of risk level when determining PC.
• Programme criticality has no impact on risk level. There must be no consideration of PC when determining risk level.
Programme Criticality
Maximum Acceptable Risk per Level of Programme Criticality
Residual Risk Level | Unacceptable | Very High | High | Medium | Low
Prog Crit Level     | N/A          | PC 1      | PC 2 | PC 3   | PC 4
[Figure: Programme Criticality Framework and Security Risk Assessment---balance risk and programme criticality]
• PC1 activities in High Risk Level must be certified by the Executive Head of the UN organization and approved by the USG DSS.
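As an added example (not from the slides), the 5x5 matrix of the two Risk Matrix slides and the "Maximum Acceptable Risk per Level of Programme Criticality" table encoded and applied end to end: rate a threat, derive the residual risk after agreed measures, and decide for each activity whether it may proceed, needs certification, or must stop. The activities, their PC levels and the threat scenario are constructed; the simplification that measures only lower likelihood is the example's own.

```python
"""Qualitative risk rating and the programme criticality acceptance rule.

Added example, not from the original slides.  It encodes the 5x5 risk matrix
shown on the Risk Matrix slides and the "Maximum Acceptable Risk per Level of
Programme Criticality" table, then applies them to constructed activities.
"""

LIKELIHOOD = ["VERY UNLIKELY", "UNLIKELY", "MODERATELY LIKELY", "LIKELY", "VERY LIKELY"]
IMPACT = ["NEGLIGIBLE", "MINOR", "MODERATE", "SEVERE", "CRITICAL"]
RISK_LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY HIGH", "UNACCEPTABLE"]  # ascending

# Cells copied from the slide's matrix; row = likelihood, column = impact.
MATRIX = {
    "VERY LIKELY":       ["LOW", "MEDIUM", "HIGH", "VERY HIGH", "UNACCEPTABLE"],
    "LIKELY":            ["LOW", "MEDIUM", "HIGH", "HIGH", "VERY HIGH"],
    "MODERATELY LIKELY": ["LOW", "LOW", "MEDIUM", "HIGH", "HIGH"],
    "UNLIKELY":          ["LOW", "LOW", "LOW", "MEDIUM", "MEDIUM"],
    "VERY UNLIKELY":     ["LOW", "LOW", "LOW", "LOW", "LOW"],
}

# Highest residual risk each PC level may carry; UNACCEPTABLE maps to N/A.
MAX_RISK = {1: "VERY HIGH", 2: "HIGH", 3: "MEDIUM", 4: "LOW"}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative rating for a likelihood/impact pair."""
    return MATRIX[likelihood][IMPACT.index(impact)]


def residual_after_measures(likelihood: str, impact: str, steps_down: int) -> str:
    """Residual risk once SRM measures lower the likelihood by `steps_down`
    bands (a constructed simplification: measures here only affect likelihood)."""
    idx = max(0, LIKELIHOOD.index(likelihood) - steps_down)
    return risk_level(LIKELIHOOD[idx], impact)


def decide(pc_level: int, residual: str) -> str:
    """Apply the acceptance rule from the slide.

    'stop'    - residual exceeds what this PC level may accept
    'certify' - PC1 at High risk: Executive Head certification and USG DSS
                approval are required, as the slide states
    'proceed' - within the acceptable band
    """
    if residual == "UNACCEPTABLE":
        return "stop"  # no PC level accepts it (N/A on the slide)
    if RISK_LEVELS.index(residual) > RISK_LEVELS.index(MAX_RISK[pc_level]):
        return "stop"
    if pc_level == 1 and residual == "HIGH":
        return "certify"
    return "proceed"


def assess(activities: list[tuple[str, int]], likelihood: str, impact: str,
           steps_down: int) -> dict[str, str]:
    """Decide every (activity, PC level) pair against one threat scenario."""
    residual = residual_after_measures(likelihood, impact, steps_down)
    return {name: decide(pc, residual) for name, pc in activities}


# Constructed scenario: a SEVERE-impact threat first rated VERY LIKELY;
# the agreed measures lower it one band, to LIKELY.
ACTIVITIES = [("emergency food distribution", 1), ("health clinic support", 2),
              ("school rehabilitation", 3), ("routine liaison visits", 4)]

if __name__ == "__main__":
    print("initial :", risk_level("VERY LIKELY", "SEVERE"))                  # VERY HIGH
    print("residual:", residual_after_measures("VERY LIKELY", "SEVERE", 1))  # HIGH
    for name, verdict in assess(ACTIVITIES, "VERY LIKELY", "SEVERE", 1).items():
        print(f"  {name:30s} -> {verdict}")
```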
Other Processes with Security Implications
• Intelligence and Information Cycle.
• Strategic-level Integrated Mission Planning Process.
• Mission-level Integrated Planning, Coordination and Implementation.
• Mission Component Planning and Implementation Processes.
• UN Budget Processes.
• Staff Selection and Managed Mobility System.
• Any other process that impacts the substance of UN security.
Step 1: Setting the geographical scope and timeframe
• Where will we be working and what is the timeframe for the analysis?
Step 2: Situational Analysis
• What is the overall security situation in that area?
Step 3: Programme Assessment
• What are the main programme goals and posture in that area?
Step 4: Threat Assessment (General & Specific)
• What are the obstacles to achieving goals?
Step 5: Security Risk Assessment
• How vulnerable is the Organization to these threats?
• How will they affect the Organization, and which threats require the most attention?
Step 6: Security Risk Management Decisions
• What can actually be done about these risks?
Step 7: Security Risk Management Implementation
• Procedural and budget aspects of implementing the agreed security risk management measures.
Step 8: Acceptable Risk
• Is the risk acceptable in balance with the criticality of programme activities?
Step 9: Follow up and Review
• Are the measures working?
• Is the assessment of risk now similar to how it was projected?