isaca april 21 - eric sorenson - risk presentation
Post on 15-Apr-2017
IDENTIFYING AND ANALYZING RISK IN INFORMATION SYSTEMS
ERIC SORENSON
Utah Chapter of ISACA, April 21, 2016
Identifying and Analyzing Risk In Information Systems
• Identify – establish who or what something is
• Analyze – examine something in detail for a purpose
• Risk – the potential of gaining or losing something of value
• Harm from a current or future event
• Threat – something that accidentally triggers or intentionally exploits a specific vulnerability
UNUSUAL PLOY IN ANTHEM BREACH CASE FAILS
• You may recall, ≈ 80 million records were breached
• A database administrator discovered his credentials being used to execute a questionable query
• Someone had gained unauthorized access to their IT systems
• Health plan Anthem Inc. made a bold motion, “to access plaintiffs’ computers, smartphones and tablets to image and copy them to determine whether the data breach or embedded malware was responsible for the potential harm that could include identity theft and tax problems”**
• Could the consumer be at fault?
** http://www.databreachtoday.com/blogs/unusual-ploy-in-anthem-breach-case-fails-p-2101
How is Risk Assessed?
• Identify the threats and vulnerabilities
• Analyze the impact to the organization or process, then determine the likelihood of an event
• Easy, right?
Internal and External Risks Affect Decision-Making
INTERNAL
• Employees
• Technology
• Security
• Compliance – legal and regulatory
• IP
EXTERNAL
• Former Employees
• Natural Disasters
• Hackers
• Vendors
• Regulators looking at compliance
How I Identify and Analyze Risk
• First
  • Identify threats
  • Identify vulnerabilities
• Second
  • Relate threats to vulnerabilities
  • Threat-Vulnerability Pair
How I Identify and Analyze Risk (Continued)
• Define the likelihood
  • You have a threat; how likely is it to occur against the vulnerability?
• Likelihood – these percentages are relative to your organization
  • Low: 0 – 40%
  • Medium: 41 – 75%
  • High: 76 – 100%
How I Identify and Analyze Risk (Continued)
• What’s the impact?
• I use the CIA triad
  • Confidentiality – loss leads to a limited, serious, or severe effect upon the organization
  • Integrity
  • Availability
• I categorize them as low, medium, and high
How I Identify and Analyze Risk (Continued)
• Organizational effect?
  • Business disruption – how is capability affected?
  • Financial loss – assigned dollar amount
  • Employees – incapacitated
• I categorize them as limited, serious, and severe
How I Identify and Analyze Risk (Continued)
• “Assessing risk is determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.” SANS Institute
• The purpose of assessing risk is to assist management in decision making on where resources should be assigned
How I Identify and Analyze Risk (Continued)
• Four strategies for managing risk
  • Mitigation – most common; fixing the flaw or adding a control
  • Transference – primarily financial; another party assumes the risk
  • Acceptance – we know the risk is there, so we accept it
  • Avoidance – remove the vulnerability or even eliminate the system
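The steps on the preceding slides (pair threats with vulnerabilities, bucket likelihood with the slide's percentage ranges, take the worst-case CIA effect as the impact, then rank so management can see where resources should go) as a small risk register. This is an added example written for this page, not the presenter's own tooling; the threats, vulnerabilities and percentages are constructed, and the likelihood × impact product used for ranking is an assumption, since the slides rank qualitatively.

```python
# Added example, not code from the presentation. Walks the slide's method:
# threat-vulnerability pairs -> likelihood bucket -> worst-case CIA impact -> ranking.
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}  # ordinal scale shared by likelihood and impact
# Slide: organizational effect is limited / serious / severe; impact is low / medium / high
EFFECT_TO_LEVEL = {"limited": "low", "serious": "medium", "severe": "high"}
CIA = {"confidentiality", "integrity", "availability"}


def likelihood_level(percent: float) -> str:
    """Bucket a likelihood estimate with the slide's ranges:
    Low 0-40%, Medium 41-75%, High 76-100%.
    The percentage is relative to your own organization, so it is an input here."""
    if not 0 <= percent <= 100:
        raise ValueError(f"likelihood must be 0-100, got {percent}")
    if percent <= 40:
        return "low"
    if percent <= 75:
        return "medium"
    return "high"


@dataclass
class ThreatVulnerabilityPair:
    threat: str
    vulnerability: str
    likelihood_pct: float
    # Effect per CIA property: "limited", "serious" or "severe"
    effect: dict = field(default_factory=dict)

    def impact_level(self) -> str:
        """Worst-case effect across the CIA triad, mapped to low/medium/high."""
        if not self.effect or set(self.effect) - CIA:
            raise ValueError(f"effect must be keyed by CIA property, got {sorted(self.effect)}")
        levels = [EFFECT_TO_LEVEL[e] for e in self.effect.values()]
        return max(levels, key=LEVEL.__getitem__)

    def risk_score(self) -> int:
        """Assumed scoring: likelihood x impact on the 1..3 scale, giving 1..9."""
        return LEVEL[likelihood_level(self.likelihood_pct)] * LEVEL[self.impact_level()]


def rank_register(pairs):
    """Return (score, likelihood, impact, pair) rows, highest risk first.
    Ties are broken by threat name so the ordering is deterministic."""
    rows = [(p.risk_score(), likelihood_level(p.likelihood_pct), p.impact_level(), p)
            for p in pairs]
    rows.sort(key=lambda r: (-r[0], r[3].threat))
    return rows


# Constructed sample register; these are not real findings.
SAMPLE_REGISTER = [
    ThreatVulnerabilityPair(
        threat="Former employee with unrevoked VPN account",
        vulnerability="No offboarding checklist for remote-access accounts",
        likelihood_pct=80,
        effect={"confidentiality": "serious", "integrity": "serious", "availability": "limited"},
    ),
    ThreatVulnerabilityPair(
        threat="Phishing of staff",
        vulnerability="No monthly awareness testing",
        likelihood_pct=60,
        effect={"confidentiality": "severe", "integrity": "limited", "availability": "limited"},
    ),
    ThreatVulnerabilityPair(
        threat="Flood at data center",
        vulnerability="Single site, no tested recovery plan",
        likelihood_pct=10,
        effect={"availability": "severe"},
    ),
]

if __name__ == "__main__":
    for score, likelihood, impact, pair in rank_register(SAMPLE_REGISTER):
        print(f"{score}  L={likelihood:<6} I={impact:<6} {pair.threat} / {pair.vulnerability}")
```

The two highest-ranked rows tie at a score of 6 by different routes (high likelihood with medium impact versus medium likelihood with high impact), which is exactly the kind of comparison the slides say management needs in order to decide where to assign resources; the strategy chosen for each row (mitigate, transfer, accept, avoid) remains a management decision and is not derived by the code.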
How I Identify and Analyze Risk (Continued)
• In many ways, our greatest risks are employees within our organizations
• Is he your employee?
How I Identify and Analyze Risk (Continued)
• COMMUNICATE
  • Management and employees need to know and understand the risks and how the organization will deal with them
• I’m going to say it again, COMMUNICATE!
• Train, Train, and Train
  • I cannot stress enough how important training is
  • Every month, test the employees
  • Send out examples of attacks and what the outcome was