Risk Identification and Risk Assessment
Bikash Bhattarai
Risk Management
• Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
• Risk management involves three major undertakings:
▫ Risk identification ▫ Risk assessment ▫ Risk control
Cont…
• Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces.
• Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk.
• Risk control is the application of controls to reduce the risks to an organization’s data and information systems.
Know Yourself
• To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible.
• Once you know what you have, you can identify what you are already doing to protect it.
Know the Enemy
• This means identifying, examining, and understanding the threats facing the organization.
• You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.
The Roles of the Communities of Interest
• The IT community in the organization takes leadership.
• Management and users, when properly trained and kept aware of the threats the organization faces, play a part in the early detection and response process.
• Management must also ensure that sufficient resources (money and personnel) are allocated.
Risk Identification
• A risk management strategy requires that information security professionals know their organizations’ information assets, that is, identify, classify, and prioritize them.
Organizational Assets
• People
▫ Employees: Trusted (greater authority and accountability); Other (without special privileges)
▫ Non-employees (contractors and consultants, partners and strangers)
• Procedures
▫ IT and business standard procedures
▫ IT and business sensitive procedures
threat agent to craft an attack against the organization or that have some other content or feature that may introduce risk to the organization.
• Data ▫ At all states (storage, transmission, processing)
• Software ▫ Applications ▫ Operating systems ▫ Security components
• Hardware and networking components ▫ Router, switch, firewall, UTM, IPS/IDS, etc.
Attributes for People, Procedures, and Data Assets
• People ▫ Position name/number/ID ▫ Supervisor name/number/ID ▫ Security clearance level ▫ Special skills
• Procedures ▫ Description ▫ Intended purpose ▫ Software/hardware/networking elements to which it is tied ▫ Location where it is stored for reference ▫ Location where it is stored for update purposes
Cont…
• Data ▫ Classification ▫ Owner/creator/manager ▫ Size of data structure ▫ Data structure used ▫ Online or offline ▫ Location ▫ Backup procedures
Cont…
• Networking assets ▫ Name ▫ IP address ▫ MAC address ▫ Asset type ▫ Serial number ▫ Manufacturer name ▫ Manufacturer’s model or part number ▫ Software version or update revision ▫ Physical location ▫ Logical location ▫ Controlling entity
Data Classification Example
Assessing Values for Information Assets
• As each information asset is identified, categorized, and classified, assign a relative value.
• Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
▫ Which information asset is the most critical to the success of the organization?
▫ Which information asset generates the most revenue?
▫ Which information asset generates the highest profitability?
▫ Which information asset is the most expensive to replace?
▫ Which information asset is the most expensive to protect?
▫ Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
Information Asset Prioritization
Critical Factor
Threat Identification
• Any organization typically faces a wide variety of threats.
• If you assume that every threat can and will attack every information asset, then the project scope becomes too complex.
• To make the process less cumbersome, each step in the threat identification and vulnerability identification process is managed separately and then coordinated at the end.
Identify and Prioritize Threats and Threat Agents
• Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy.
• Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset.
• In general, this process is referred to as a threat assessment.
Threat to Information Security
Threat Assessment
• Not all threats have the potential to affect every organization. (A 12th-floor building and flood?)
• Which threats represent the most danger to the organization’s information?
• Cost to recover
• Which of the threats would require the greatest expenditure to prevent?
CIO Survey Report (1000)
Vulnerability Assessment
• Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat.
• This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
• Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.
• At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.
• This list serves as the starting point for the next step in the risk management process: risk assessment.
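As an added worked example (not part of the slides), the relative-value questions from the "Assessing Values for Information Assets" slide and the asset-by-threat review from the threat assessment and vulnerability assessment slides, in Python. The criterion weights, the threat applicability predicates and the sample inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# The six questions from the "Assessing Values for Information Assets" slide,
# turned into criteria scored 1 (low) to 5 (high) for each asset.
CRITERIA = ("critical", "revenue", "profit", "replace_cost", "protect_cost", "liability")
# Weights are an assumption for this example; they sum to 1.0 so the weighted
# relative value stays on the same 1-5 scale as the individual scores.
WEIGHTS = {"critical": 0.30, "revenue": 0.20, "profit": 0.10,
           "replace_cost": 0.15, "protect_cost": 0.05, "liability": 0.20}

@dataclass
class Asset:
    name: str
    classification: str   # data classification attribute from the slides
    location: str         # physical location attribute from the slides
    scores: dict          # criterion -> 1..5

def relative_value(asset):
    """Weighted relative value used to prioritize assets."""
    return round(sum(WEIGHTS[c] * asset.scores[c] for c in CRITERIA), 2)

def prioritize(assets):
    """Assets ordered from most to least valuable."""
    return sorted(assets, key=relative_value, reverse=True)

# Constructed threat catalogue. Each predicate answers the slide's question
# "can this threat affect this asset at all?" (the 12th floor vs. flood point).
THREATS = {
    "flood": lambda a: a.location in ("basement", "ground_floor"),
    "malware": lambda a: True,
    "theft_of_data": lambda a: a.classification != "public",
}

def applicable_threats(asset):
    return [name for name, applies in THREATS.items() if applies(asset)]

def threat_review(assets):
    """Review every asset for each threat, in priority order, keeping only the
    asset/threat pairs that still need a vulnerability assessment."""
    return {a.name: applicable_threats(a) for a in prioritize(assets)}

SAMPLE = [  # constructed inventory, not real data
    Asset("customer DB", "confidential", "basement",
          dict(critical=5, revenue=5, profit=4, replace_cost=4, protect_cost=3, liability=5)),
    Asset("public website", "public", "datacenter",
          dict(critical=3, revenue=3, profit=2, replace_cost=2, protect_cost=2, liability=2)),
    Asset("DMZ router", "internal", "datacenter",
          dict(critical=4, revenue=2, profit=1, replace_cost=3, protect_cost=2, liability=2)),
]
```

Calling `threat_review(SAMPLE)` yields the asset/threat pairs to carry into the vulnerability list, with the highest-value asset first.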
Vulnerability Assessment of DMZ Router