Citadel100

Outsourcing

“The Security Perspective”

Keeping Your Business Always Online

Page 1 of 6
Outsourcing critical data – the security perspective

The terrorist attacks of September 11, 2001 made security an urgent issue
worldwide.
That event led many high-profile companies to take security from the
“watchman” level to the level of senior management, which now plays a pro-active
part in decision-making, policy and procedures.
Any company that plays a role in critical infrastructure, information technology,
communications, banking, power supply, etc., is seeing a new level of threat.
Analysts indicate that future attacks could target computer networks.
Many organizations, including those running national computer networks, are
adopting a managed services approach as a means to counter this growing threat.
By locating critical data in purpose-built secure environments, concerns regarding
unauthorized access, uninterrupted power and constant monitoring can be placed in
the hands of dedicated professionals.
Identifying a weakness in your company is critical, and a risk assessment should
be carried out at the earliest possible stage.
A risk assessment identifies weaknesses in an organization and puts in place the
countermeasures required to minimize the risks associated with each weakness.
Simply stated, risk assessment is the systematic process by which an organization
identifies, reduces, and controls its potential risks and losses. This process allows
organizations to determine the magnitude and effect of a potential loss, the
likelihood of such a loss actually happening, and the countermeasures that could
lower the probability or magnitude of loss.
Many Irish companies faced with serious weaknesses in their organizations are
realizing that the best option is to outsource their data storage to a managed
service provider who will provide a package that best meets their needs.

Risk is the potential for an event to occur that would have a negative impact on
the business. Such an event can be a loss of information, finances or reputation,
or unauthorized access to your I.T. department.

The likelihood of the potentially damaging event occurring depends upon (a) threat
and (b) vulnerability.

(a) Threat is the potential to carry out actions that are harmful to an organization’s
assets.
(b) Vulnerability is any weakness that can be exploited by a rival or competitor to
cause damage to an organization’s interests. The level of vulnerability, and hence
level of risk, can be reduced by implementing appropriate countermeasures.
An asset is anything of value (people, information, hardware, software, facilities,
reputation, activities, and operations). The more critical an asset is to an
organization, the greater the impact its loss would have on the business. Take for
example the loss of an organization’s main server or servers. This loss would
significantly reduce the organization’s ability to access its data. The loss would
have greater consequences if it occurred during a key business transaction or if
the server was not backed up.

Prior to beginning a risk assessment, some time should be spent in preparation.
Management should be consulted to identify any constraints and to determine
operating parameters and expectations. Management will best know what and where
their assets are and their importance to the organization. The risk assessor should
also identify other parties that have a vested interest in the protection of critical
elements of the organization. For example, although an organization’s Chief
Technology Officer may have responsibility for his or her company’s network,
department heads may also have an interest in the availability and integrity of that
network.

[Figure: Risk assessment chart. Vulnerability (vertical axis) is plotted against
threat (horizontal axis: burglary, loss of power, malicious damage, fire) for
Site A, Site B and Site C.]

A recent report identified a number of steps required to draw up a risk assessment.

1. Assets.
This step identifies and focuses on the resources vital to the organization’s
operation. Most assets are tangible (e.g., people, facilities, equipment); others are
not (e.g., information, processes, reputation).
In a communications organization, information and automated processes may be
more important than many tangible assets. Organizations need to protect sensitive
information, including information about the functions of the organization and its
employees, as well as critical processes such as power generation, environment, and
financial status. For each individual resource, identify the effect that the loss,
damage, or destruction of that resource would have on the organization. The overall
value of the asset is based upon the severity of this effect.

2. Threat.
This step focuses on the adversaries or events that can negatively affect the
previously identified assets. The assessor must rely on data and information
obtained from management interviews. The threat is considered in terms of
adversaries. Common types of adversaries include business competitors, hackers,
criminals, hostile intelligence services, terrorists, and others. In order to assess
whether an adversary poses a threat, you must determine whether they have the
intent to cause an unwanted event.


Just as natural disasters and accidents are treated as threats even though they do
not possess intent, cyber events (e.g. viruses and denial-of-service attacks) should
also be treated as threats. Any organization that connects critical networks to the
Internet must be aware of events in the larger world.
When periods of politically motivated protest take place, such as the recent anti-war
demonstrations, the infrastructure community may be attacked, physically or via the
Internet, regardless of the individual organization’s involvement in the event being
protested. Protesters often view multi-national companies as part of the government.
Companies or banks may also be attacked as symbols of globalization. Even
protests between two foreign nations can spill over into neutral states. Ireland’s
close ties to and support for the United States could be regarded as hostile by
states engaged in conflict with the U.S. or aligned nations.
Because Ireland is fast becoming a multicultural nation with a large global presence,
Irish organizations may suffer attacks for any number of misguided reasons.

3. Vulnerability.
This step identifies and characterizes vulnerabilities related to specific assets or
undesirable events. The assessor is looking for exploitable situations created by a
lack of adequate physical / information security, personal behavior, working
practice, and insufficient security procedures. Examples of typical vulnerabilities
include:
• The absence of manned guarding.
• Poor access controls.
• Lack of updated security patches.
• Unscreened employees / visitors.
When designing and installing security systems, organizations should not count on
suppliers alone to build appropriate levels of security. An assessment provided by an
independent contractor can give the organization an objective description of its
vulnerabilities. It is essential that the company’s I.T. security specialist be
involved in the process.
This step requires the gamekeeper to take on the role of the poacher. Specifically,
the assessor should begin by studying the asset and asking questions such as: “how
would I get in there?” Each vulnerability, considered against who might exploit it
and which assets they might attack, determines the risk value.

4. Risk.
This is where all of the earlier assessments (asset, threat, and vulnerability) are
combined and evaluated in order to give a complete picture of the risks to an asset
or group of assets. Three questions are asked:

    1. What would the business impact be if an asset were lost or harmed by an
       unwanted event?
    2. How likely is it that an adversary will attack the identified assets?
    3. Which vulnerabilities is the adversary most likely to use to target the
       identified assets?

By answering these questions we can begin to make an informed judgment of how
“at risk” an organization is from unwanted events. We should be able to determine
where the major vulnerabilities and threats lie. At this point, we should be able to
identify the major physical and cyber risks as well as which of these risks require
immediate attention.


The risk assessment may ultimately lead to the conclusion that the organization, in
its present location, simply cannot meet the recommendations needed to adhere to
accepted codes of practice.
In a world where international standards have become the guiding factor for
business operating procedures, non-compliance can be a costly option.


Outsourcing as a Countermeasure Option.

[Chart: Residual risk (scale 0–100) for each countermeasure option, Present site,
Site 2 and Site 3, broken down into Facility, Power and Security.]

The objective of a risk assessment is to provide the company with countermeasures,
or groups of countermeasures, which will lower the overall risk to the asset to an
acceptable level. By evaluating the effectiveness of possible countermeasures
against specific adversaries, you can determine the most cost-effective option. In
presenting findings to a company, the risk assessor should provide at least two
countermeasure packages as options. Each option should also include its expected
costs. A cost assessment may show that, although initially more expensive,
relocating critical data would save money, whereas the alternative option would
actually lead to losing money and critical data, with a subsequent loss of public
confidence.
Faced with unattainable requirements regarding power supply, building management
and security, the only viable option open to many companies responsible for the
supply of critical services is to re-locate their main servers and information
technology to a Data Centre offering instant secure access 24x7.
The objective of locating in a secure facility is to lower the overall risk to the
minimum level. Managed services can identify which vulnerabilities need to be
addressed. By evaluating the effectiveness of possible countermeasures against
specific adversaries, they will determine the most cost-effective options.
Organizations that embrace an in-house approach to risk management need to
constantly monitor any changes in their assets, the threat, and their vulnerabilities.
As changes appear, so too does the need for a new risk assessment and for
recommendations for new countermeasure options. The continuous nature of risk
assessment requires organizations to develop a risk-aware culture that
understands, validates, and implements the security recommendations and
countermeasures. New threats will emerge, some from new sources, which may be
low-tech as well as high-tech. The resulting risks may appear too quickly to be
addressed by a company without the services of a full-time security consultant.
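As an added worked example, not part of the Citadel100 paper, the four-step assessment (assets, threat, vulnerability, risk) and the costed comparison of at least two countermeasure packages described above, turned into a small Python model. The scoring formula (impact × likelihood × exposure), the acceptable-risk threshold, and every asset, threat, site and cost figure are assumptions constructed for illustration; the paper says the three factors are combined but gives no formula.

```python
# Added worked example, not from the Citadel100 paper: a minimal risk-assessment
# model following the paper's four steps (assets, threat, vulnerability, risk)
# and its advice to present at least two costed countermeasure packages.
# ASSUMPTION: risk = impact x likelihood x exposure; the paper gives no formula.
# All asset, threat, site and cost figures below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1: a resource and the severity (1-5) of its loss to the business."""
    name: str
    impact: int


@dataclass(frozen=True)
class Threat:
    """Step 2: an adversary or event, its likelihood (1-5) and a reporting category."""
    name: str
    likelihood: int
    category: str  # "Security", "Power" or "Facility", as in the paper's site chart


@dataclass(frozen=True)
class Site:
    """A countermeasure package: where assets are hosted, its yearly cost, and
    (step 3) the residual exposure of that site to each threat,
    0.0 = fully mitigated .. 1.0 = fully exposed."""
    name: str
    annual_cost: int
    exposure: dict


def risk_score(asset: Asset, threat: Threat, exposure: float) -> float:
    """Step 4: combine impact, likelihood and vulnerability (assumed formula)."""
    if not 0.0 <= exposure <= 1.0:
        raise ValueError(f"exposure must be in [0, 1], got {exposure}")
    return asset.impact * threat.likelihood * exposure


def exposure_at(site: Site, threat: Threat) -> float:
    # A threat nobody assessed for this site is treated as fully exposed,
    # so a gap in the assessment shows up as risk instead of vanishing.
    return site.exposure.get(threat.name, 1.0)


def site_risks(site: Site, assets: list, threats: list) -> list:
    """Every (asset, threat) pair scored for one site, highest risk first."""
    rows = [(a.name, t.name, risk_score(a, t, exposure_at(site, t)))
            for a in assets for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def total_risk(site: Site, assets: list, threats: list) -> float:
    return sum(r[2] for r in site_risks(site, assets, threats))


def category_risk(site: Site, assets: list, threats: list) -> dict:
    """Residual risk per category: the Facility/Power/Security breakdown per site."""
    out: dict = {}
    for t in threats:
        for a in assets:
            out[t.category] = out.get(t.category, 0.0) + risk_score(a, t, exposure_at(site, t))
    return out


def compare_options(sites: list, assets: list, threats: list, acceptable_risk: float) -> list:
    """Costed options, each flagged acceptable or not, cheapest first."""
    rows = [{"site": s.name, "annual_cost": s.annual_cost,
             "total_risk": total_risk(s, assets, threats)} for s in sites]
    for r in rows:
        r["acceptable"] = r["total_risk"] <= acceptable_risk
    return sorted(rows, key=lambda r: r["annual_cost"])


def recommend(sites: list, assets: list, threats: list, acceptable_risk: float):
    """Cheapest option that brings total risk down to the acceptable level, or None."""
    for r in compare_options(sites, assets, threats, acceptable_risk):
        if r["acceptable"]:
            return r["site"]
    return None


# Constructed sample data (not from the paper); threats follow the paper's diagram.
ASSETS = [Asset("main servers", 5), Asset("customer records", 4)]
THREATS = [Threat("burglary", 2, "Security"), Threat("loss of power", 4, "Power"),
           Threat("malicious damage", 3, "Security"), Threat("fire", 1, "Facility")]
SITES = [
    Site("Present site", 20_000, {"burglary": 0.8, "loss of power": 0.9,
                                  "malicious damage": 0.7, "fire": 0.5}),
    Site("Site 2 (managed data centre)", 60_000, {"burglary": 0.1, "loss of power": 0.1,
                                                  "malicious damage": 0.2, "fire": 0.2}),
    Site("Site 3", 40_000, {"burglary": 0.3, "loss of power": 0.5,
                            "malicious damage": 0.4, "fire": 0.3}),
]
ACCEPTABLE_RISK = 40.0  # assumed threshold set by management

if __name__ == "__main__":
    for row in compare_options(SITES, ASSETS, THREATS, ACCEPTABLE_RISK):
        print(row)
    print("top risks at present site:", site_risks(SITES[0], ASSETS, THREATS)[:3])
    print("per-category risk at present site:", category_risk(SITES[0], ASSETS, THREATS))
    print("recommended:", recommend(SITES, ASSETS, THREATS, ACCEPTABLE_RISK))
```

With the sample figures the present site scores 70.2 against the threshold of 40, and the cheapest option that reaches an acceptable level is Site 3 rather than the most expensive package.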


Organizations outsourcing their critical data will be free from the need to manage
these new risks themselves. Risk management is a regular process to determine the
likelihood that a threat will harm a resource and to identify actions that reduce the
risk and mitigate the consequences of an attack. Risk management principles
recognize that while risk cannot be eliminated, enhancing protection from potential
threats and constant monitoring can greatly reduce it.


Más contenido relacionado

La actualidad más candente

How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksAndréanne Clarke
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarFERMA
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsColleen Beck-Domanico
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Cyber Management vfd
Cyber Management vfdCyber Management vfd
Cyber Management vfdLadd Muzzy
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printjames morris
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackBooz Allen Hamilton
 

La actualidad más candente (20)

2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Research Paper
Research PaperResearch Paper
Research Paper
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk Webinar
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial Institutions
 
Ics white paper report 2017
Ics white paper report 2017Ics white paper report 2017
Ics white paper report 2017
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey  SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
Risk assessment report
Risk assessment reportRisk assessment report
Risk assessment report
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Cyber Management vfd
Cyber Management vfdCyber Management vfd
Cyber Management vfd
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_print
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target Attack
 

Similar a Outsourcing Critical Data Risk Assessment

Vulnerability Assessment ( Va )
Vulnerability Assessment ( Va )Vulnerability Assessment ( Va )
Vulnerability Assessment ( Va )Monica Rivera
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfgokuforhelp
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxbagotjesusa
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent ThreatsBooz Allen Hamilton
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxJakeariesMacarayo
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Riskphanleson
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
It risk assessment in uae
It risk assessment in uaeIt risk assessment in uae
It risk assessment in uaeRishalHalid1
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of securityciso_insights
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskElizabeth Dimit
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Booz Allen Hamilton
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsDean Evans
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryAccenture Insurance
 

Similar a Outsourcing Critical Data Risk Assessment (20)

Vulnerability Assessment ( Va )
Vulnerability Assessment ( Va )Vulnerability Assessment ( Va )
Vulnerability Assessment ( Va )
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdf
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent Threats
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Risk
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
It risk assessment in uae
It risk assessment in uaeIt risk assessment in uae
It risk assessment in uae
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence  - a path to taming digital threatsSatori Whitepaper: Threat Intelligence  - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
 
Insuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industryInsuring your future: Cybersecurity and the insurance industry
Insuring your future: Cybersecurity and the insurance industry
 

Outsourcing Critical Data Risk Assessment

  • 1. Citadel100 Outsourcing “The Security Perspective” Keeping Your Business Always Online Page 1 of 6
  • 2. Outsourcing critical data Outsourcing critical data – the security perspective The terrorist attacks of September 11, 2001 made security an urgent issue worldwide. It was an event that made many high profile companies take security from the “watchman” level to the level of senior management, playing a pro-active part in decision-making, policy and procedures. Any company that plays a role in critical infrastructure, information technology, communications, banking, power supply, etc., is seeing a new level of threat. Analysts indicate that future attacks could involve an attack on computer networks. Many organizations, including national computer networks, are adopting a managed services approach as a means to counter this growing threat. By locating critical Data in purpose built secure environments, concerns regarding unauthorized access, uninterrupted power and constant monitoring can be placed in the hands of dedicated professionals. Identification of a weakness in your company is critical and a risk assessment should be carried out at the earliest possible stage. A risk assessment identifies weaknesses in an organization and puts in place the required countermeasures to minimize the risks associated with the weakness. Simply stated, risk assessment is the systematic process by which an organization identifies, reduces, and controls its potential risks and losses. This process allows organizations to determine the magnitude and effect of the potential loss, the likelihood of such a loss actually happening, and countermeasures that could lower the probability or magnitude of loss. Many Irish companies faced with serious weaknesses in their organizations are realizing that the best option is to out-source their Data storage to a managed service provider who will provide a package that best meets their needs. Risk is the potential for an event that could have a negative impact on business to occur. 
Such an event can be loss of information, finances, reputation or unauthorized access to your I.T. department. The likelihood of the potentially damaging event occurring depends upon (a) threat and (b) vulnerability. (a) Threat is the potential to carry out actions that are harmful to an organization’s assets. (b) Vulnerability is any weakness that can be exploited by a rival or competitor to cause damage to an organization’s interests. The level of vulnerability, and hence level of risk, can be reduced by implementing appropriate countermeasures. An asset is anything of value (people, information, hardware, software, facilities, reputation, activities, and operations). The more critical an asset is to an organization, the greater the impact its loss would mean to business. Take for example the loss of an organization’s main server/servers. This loss would significantly reduce an organization’s ability to access data. The loss would have greater consequences if it occurred during a key business transaction or if the server was not backed up. Keeping Your Business Always Online Page 2 of 6
  • 3. Outsourcing critical data Prior to beginning a risk assessment some time should be spent in preparation. Management should be consulted to identify any constraints, determine operating parameters and expectations. Management will best know what and where their assets are and their importance to the organization. The risk assessor should also identify other organizations that have a vested interest in the protection of critical elements of the organization. For example, although an organization’s Chief Technology Officer may have responsibility for his or her company’s network, department heads may also have an interest in the availability and integrity of that network. RISK ASSESSMENT VULNERABILITY Burglary Loss of power Malicious Fire damage THREAT SITE A SITE B SITE C A recent report identified a number of steps required to draw up a risk assessment. 1. Assets. Identifies and focuses on resources vital to the organizations operation. Most assets are tangible e.g., people, facilities, equipment, others are not e.g., information, processes, reputation. In a communications organization, information and automated processes may be more important than many tangible assets. Organizations need to protect sensitive information including information about the functions of the organization and its employees as well as critical processes such as power generation, environment, and financial status. For each individual resource, identify the effect that the loss, damage, or destruction of that resource would have on the organization. The overall value is based upon the severity of this effect. 2. Threat. This focuses on the opposition or events that can negatively affect the previously identified assets. The assessor must rely on data and information obtained from management interviews. The threat is considered in terms of adversaries. Common types of adversaries include business competitors, hackers, criminals, hostile intelligence services, terrorists, and others. 
In order to assess whether an adversary poses a threat you must determine if they have the level of intent to cause an unwanted event. Keeping Your Business Always Online Page 3 of 6
Just as natural disasters and accidents are treated as threats even though they possess no intent, cyber events (e.g. viruses and denial-of-service attacks) should also be treated as threats. Any organization that connects critical networks to the Internet must be aware of events in the larger world. When periods of politically motivated protest take place, such as the recent anti-war demonstrations, the infrastructure community may be attacked, physically or via the Internet, regardless of the individual organization's involvement in the event being protested. Protesters often view multinational companies as part of the government. Companies or banks may also be attacked as symbols of globalization. Even disputes between two foreign nations can spill over into neutral states. Ireland's close ties with, and support for, the United States could be regarded as hostile by states engaged in conflict with the U.S. or aligned nations. Because Ireland is fast becoming a multicultural nation with a large global presence, Irish organizations may suffer attacks for any number of misguided reasons.

3. Vulnerability. Identifies and characterizes vulnerabilities related to specific assets or undesirable events. The assessor is looking for exploitable situations created by a lack of adequate physical or information security, personal behaviour, working practices and insufficient security procedures. Examples of typical vulnerabilities include:

• The absence of manned guarding.
• Poor access controls.
• Missing security patches.
• Unscreened employees and visitors.

When designing and installing security systems, organizations should not count on suppliers alone to build appropriate levels of security. An assessment by an independent contractor can provide the organization with an objective description of its vulnerabilities. It is essential that the company's I.T. security specialist be involved in the process.
This step requires the gamekeeper to take on the role of the poacher. Specifically, the assessor should begin by studying the asset and asking questions such as "how would I get in there?" Each vulnerability, considered against who might exploit it and the assets they may attack, determines the risk value.

4. Risk. This is where all of the earlier assessments (asset, threat and vulnerability) are combined and evaluated to give a complete picture of the risks to an asset or group of assets:

1. What would the business impact be if an asset were lost or harmed by an unwanted event?
2. How likely is it that an adversary will attack the identified assets?
3. Which vulnerabilities is the adversary most likely to use to target the identified assets?

By answering these questions we can begin to make an informed judgement of how "at risk" an organization is from unwanted events, and determine where the major vulnerabilities and threats lie. At this point we should be able to identify the major physical and cyber risks, and which of them require immediate attention.
The risk assessment may ultimately lead to the conclusion that the organization, in its present location, simply cannot meet the recommendations needed to adhere to accepted codes of practice. In a world where international standards have become the guiding factor for business operating procedures, non-compliance can be a costly option.

Outsourcing as a Countermeasure Option.

[Chart: Outsourcing as a Countermeasure Option, scores from 0 to 100 for Facility, Power and Security at the present site, Site 2 and Site 3]

The objective of a risk assessment is to provide the company with countermeasures, or groups of countermeasures, that lower the overall risk to the asset to an acceptable level. By evaluating the effectiveness of possible countermeasures against specific adversaries, you can determine the most cost-effective option. In presenting findings to a company, the risk assessor should offer at least two countermeasure packages as options, each with its expected costs. A cost assessment may show that, although initially more expensive, relocating critical data would save money, whereas the cheaper option would actually lead to losing money, critical data and, subsequently, public confidence. Faced with unattainable requirements for power supply, building management and security, the only viable option open to many companies responsible for the supply of critical services is to relocate their main servers and information technology to a data centre offering secure access 24x7. The objective of locating in a secure facility is to lower the overall risk to the minimum achievable level. A managed services provider can identify which vulnerabilities need to be addressed and, by evaluating the effectiveness of possible countermeasures against specific adversaries, determine the most cost-effective options.
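The four steps above (assets, threats, vulnerabilities, risk) and the comparison of countermeasure packages can be made concrete with a small scoring model. The following is an added illustration, not part of the original white paper or of any product it describes: the 1-to-5 scales, the assets, threats, exploitability scores, option names and costs are all constructed for the example, and the additive scoring is a deliberate simplification of the qualitative process described in the text.

```python
# Added illustration of the asset / threat / vulnerability / risk steps and of
# ranking countermeasure packages by cost-effectiveness. Every score, asset,
# threat and cost here is constructed for the example; the 1-5 scales are an
# assumption, not a method taken from the white paper.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int              # 1 (nuisance) .. 5 (loss threatens the business)
    vulnerabilities: tuple   # names of the vulnerabilities that expose it


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # 1..5: intent and capability for adversaries,
                             # expected frequency for accidents and natural events
    exploits: tuple          # names of the vulnerabilities this threat can use


# Step 1 and step 2: constructed assets and threats (a power loss has no intent
# but is scored as a threat all the same).
ASSETS = (
    Asset("customer database", 5, ("no guarding", "weak access control", "single power feed")),
    Asset("public web server", 3, ("unpatched", "weak access control")),
)
THREATS = (
    Threat("burglar", 3, ("no guarding", "weak access control")),
    Threat("hacker", 4, ("unpatched", "weak access control")),
    Threat("loss of power", 4, ("single power feed",)),
)

# Step 3: exploitability of each vulnerability at the present site, 1 (hard) .. 5 (trivial).
PRESENT_SITE = {
    "no guarding": 5,
    "weak access control": 4,
    "unpatched": 3,
    "single power feed": 4,
}


def scenario_risk(asset, threat, exploitability):
    """Step 4 for one (asset, threat, vulnerability) scenario: impact x likelihood,
    where likelihood combines the threat's motivation with how easy the hole is."""
    return asset.impact * threat.likelihood * exploitability


def risk_register(assets, threats, exploitability):
    """Combine the three earlier steps into scored scenarios, highest risk first,
    so the risks needing immediate attention come out on top."""
    rows = []
    for asset in assets:
        for vuln in asset.vulnerabilities:
            for threat in threats:
                if vuln in threat.exploits:
                    score = scenario_risk(asset, threat, exploitability[vuln])
                    rows.append((score, asset.name, threat.name, vuln))
    return sorted(rows, reverse=True)


def total_risk(assets, threats, exploitability):
    """Sum of all scenario scores; a single number to compare sites and options."""
    return sum(row[0] for row in risk_register(assets, threats, exploitability))


def compare_options(assets, threats, baseline, options):
    """Rank countermeasure packages by risk removed per unit of cost. Each option
    is (name, cost, {vulnerability: residual exploitability}); costs are in
    arbitrary units and must be positive."""
    before = total_risk(assets, threats, baseline)
    ranked = []
    for name, cost, changes in options:
        residual = {**baseline, **changes}   # unchanged vulnerabilities keep their score
        after = total_risk(assets, threats, residual)
        ranked.append({"option": name, "cost": cost, "residual": after,
                       "reduction_per_cost": (before - after) / cost})
    return sorted(ranked, key=lambda r: r["reduction_per_cost"], reverse=True)


# Two constructed countermeasure packages, as the text says at least two should be offered.
OPTIONS = (
    ("A: harden the present site", 60,
     {"no guarding": 3, "weak access control": 2, "unpatched": 1}),
    ("B: relocate to a managed data centre", 100,
     {"no guarding": 1, "weak access control": 1, "unpatched": 1, "single power feed": 1}),
)

if __name__ == "__main__":
    for score, asset, threat, vuln in risk_register(ASSETS, THREATS, PRESENT_SITE):
        print(f"{score:3d}  {asset:18s} {threat:14s} via {vuln}")
    for row in compare_options(ASSETS, THREATS, PRESENT_SITE, OPTIONS):
        print(row)
```

With these constructed numbers the present site carries a total score of 415, option A leaves 249 and option B leaves 103, so option B removes more risk per unit of cost despite the higher price, which is the kind of result the paragraph above describes. In a real assessment the impact, likelihood and exploitability values come from the management interviews and the independent assessment, the costs from the cost assessment, and a practitioner would normally also look at the single highest scenario per asset rather than only the sum, since one catastrophic scenario can matter more than many small ones.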
Organizations that take an in-house approach to risk management need to constantly monitor changes in their assets, the threats they face and their vulnerabilities. As changes appear, so does the need for a new risk assessment and for recommendations of new countermeasure options. The continuous nature of risk assessment requires organizations to develop a risk-aware culture that understands, validates and implements the security recommendations and countermeasures. New threats will emerge, some from new sources, and they may be low-tech as well as high-tech. The resulting risks may appear too quickly to be addressed by a company without the services of a full-time security consultant.
Organizations outsourcing their critical data hand the day-to-day management of these new risks to the provider, although accountability for the data itself remains with the organization. Risk management is a regular process of determining the likelihood that a threat will harm a resource and identifying actions that reduce the risk and mitigate the consequences of an attack. Its principles recognize that while risk cannot be eliminated, enhanced protection against potential threats and constant monitoring can greatly reduce it.