Risk Based Security Management
Risk Based Security Management (RBSM) may be defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization's information assets and IT infrastructure.
Agenda
• THE PROBLEM
• STEPS TO RBSM
• GLINTT'S APPROACH
• CONCLUSIONS
• Q & A
THE PROBLEM
.: Many of the true assets of value are intangible items that are typically not considered in technical approaches to information security .:
FRIGHT INDEX
Threats to information security faced by organizations
Ponemon Institute 2012
FRIGHT INDEX II
The greatest rise of potential security risk within today’s IT environment
Ponemon Institute 2012
FRIGHT INDEX III
Security technology categories used to thwart internal and external threats
Ponemon Institute 2012
IDENTIFYING RISK
Steps taken to identify security risks
Ponemon Institute 2012
ADDRESSING RISK
Perceived security risk by layer in the security infrastructure and the allocated level of spending
Ponemon Institute 2012
STEPS TO RBSM
.: The goal is not perfection but to improve our decision making ability by reducing our uncertainty .:
IDENTIFY WHAT MATTERS
• How can this be achieved?
»» Survey the organization and its management.
»» Engage those who are responsible for business.
»» Gather relevant information about the organization.
COLLECT DATA ON WHAT MATTERS
• What kind of data can be useful to gather?
»» Asset valuation
»» Impact
»» Threat landscapes
»» Frequency and likelihood
»» Vulnerabilities
PERFORM A RISK ASSESSMENT
• Risk Assessment should:
»» Create a meaningful analysis of probabilities and of the magnitude of an event and its impact;
»» Rank risk on a normalized scale that is explicitly defined, relevant and re-usable across risk analyses of all sizes and types.
PRESENT TO THE ORGANIZATION
• The presentation of any risk analysis should:
»» State the assets that were considered;
»» State the key threats to those assets;
»» State the assumptions that were made in the analysis;
»» State the identified risks.
IDENTIFY CONTROL OBJECTIVES
• A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk.
»» In simple terms, control objectives are “what is it that needs to be achieved”.
IDENTIFY AND SELECT CONTROLS
• The process of selecting controls should consider:
»» What is the total cost of ownership of the control?
»»How flexible is the control to changes in the organization or the elements that make up the risk?
IMPLEMENT CONTROLS
• If the control is implemented in a way that does not support the control objectives, the risk will likely not be reduced.
OPERATE CONTROLS
• RBSM takes an additional step that measures the effectiveness of the control itself and its operation.
MONITOR AND MEASURE
• The measures must focus on clearly identifying changes in risks.
»» Bear in mind that not all of these elements are precisely measurable.
»» Attempting to measure the number of threats is problematic, but some qualitative or combination of measures can provide insight.
ADJUST & REPEAT
»» Are there changes in the environment that can also affect the metrics?
»» Are there changes in the threats over time?
»» Is the control being operated as intended, and are the measures acting as indicators of both the control's design and its operation?
GLINTT’S APPROACH
.: If the risk assessment is based on relevant data then the discourse should be rewarding, collaborative, and highly interactive. :.
RBSM Managed Services
»» Creates an environment of informed choice.
»» Strives to reduce uncertainty and eliminate conjecture.
»» Is best achieved through a surplus of relevant data.
RBSM Managed Services
»» Based on analysis of the frequency of threats and vulnerabilities.
»» Cyclical, providing an opportunity for continuous learning.
»» Involve feedback loops and challenging assumptions.
RBSM Managed Services
»» Minimize the threats, reduce their frequency and/or likelihood, and reduce the vulnerabilities that make the threats viable.
CONCLUSIONS
.: A vulnerability lacks significant meaning if it is associated with a worthless asset, just as a vulnerability is highly significant if it is associated with a highly valuable asset .:
CONCLUSIONS
»» Anyone undertaking this process (RBSM) should be prepared to suspend their presuppositions and not to be shocked if ideas long held as truth are refuted by the data collected and analyses performed.
»» We challenge you to try our Services!