risk management. define risk management, risk identification, and risk control understand how risk...
Post on 22-Dec-2015
244 views
TRANSCRIPT
![Page 1: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/1.jpg)
Risk Management
![Page 2: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/2.jpg)
• Define risk management, risk identification, and risk control
• Understand how risk is identified and assessed
• Assess risk based on probability of occurrence and impact on an organization
Objectives
![Page 3: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/3.jpg)
Introduction
• Risk management: process of identifying and controlling risks facing an organization
• Risk identification: process of examining an organization’s current information technology security situation
• Risk control: applying controls to reduce risks to an organizations data and information systems
![Page 4: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/4.jpg)
An Overview of Risk Management
• Know yourself: identify, examine, and understand the information and systems currently in place
• Know the enemy: identify, examine, and understand threats facing the organization
• Responsibility of each community of interest within an organization to manage risks that are encountered
![Page 5: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/5.jpg)
The Roles of the Communities of Interest
• Information security, management and users, information technology all must work together
• Management review:
– Verify completeness/accuracy of asset inventory
– Review and verify threats as well as controls and mitigation strategies
– Review cost effectiveness of each control
– Verify effectiveness of controls deployed
![Page 6: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/6.jpg)
Risk Identification
• Assets are targets of various threats and threat agents
• Risk management involves identifying organization’s assets and identifying threats/vulnerabilities
• Risk identification begins with identifying organization’s assets and assessing their value
![Page 7: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/7.jpg)
Asset Identification and Valuation
• Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)
• Assets are then classified and categorized
![Page 8: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/8.jpg)
Table 4-1 - Categorizing Components
![Page 9: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/9.jpg)
People, Procedures, and Data Asset Identification
• Human resources, documentation, and data information assets are more difficult to identify
• People with knowledge, experience, and good judgment should be assigned this task
• These assets should be recorded using reliable data-handling process
![Page 10: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/10.jpg)
People, Procedures, and Data Asset Identification (continued)
• Asset attributes for people: position name/number/ID; supervisor; security clearance level; special skills
• Asset attributes for procedures: description; intended purpose; what elements is it tied to; storage location for reference; storage location for update
![Page 11: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/11.jpg)
People, Procedures, and Data Asset Identification (continued)
• Asset attributes for data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
![Page 12: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/12.jpg)
Hardware, Software, and Network Asset Identification
• What information attributes to track depends on:
– Needs of organization/risk management efforts
– Management needs of information security/information technology communities
![Page 13: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/13.jpg)
Hardware, Software, and Network Asset Identification (continued)
• Asset attributes to be considered are: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
![Page 14: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/14.jpg)
Information Asset Classification
• Many organizations have data classification schemes (e.g., confidential, internal, public data)
• Classification of components must be specific to allow determination of priority levels
• Categories must be comprehensive and mutually exclusive
![Page 15: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/15.jpg)
Information Asset Valuation
• Questions help develop criteria for asset valuation: which information asset
– is most critical to organization’s success?
– generates the most revenue/profitability?
– would be most expensive to replace or protect?
– would be the most embarrassing or cause greatest liability if revealed?
![Page 16: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/16.jpg)
Listing Assets in Order of Importance
• Create weighting for each category based on the answers to questions
• Calculate relative importance of each asset using weighted factor analysis
• List the assets in order of importance using a weighted factor analysis worksheet
![Page 17: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/17.jpg)
Data Classification and Management
• Variety of classification schemes used by corporate and military organizations
• Information owners responsible for classifying their information assets
• Information classifications must be reviewed periodically
![Page 18: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/18.jpg)
Data Classification and Management (continued)
• Most organizations do not need detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection
![Page 19: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/19.jpg)
Security Clearances
• Security clearance structure: each data user assigned a single level of authorization indicating classification level
• Before accessing specific set of data, employee must meet need-to-know requirement
• Extra level of protection ensures information confidentiality is maintained
![Page 20: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/20.jpg)
Management of Classified Data
• Storage, distribution, portability, and destruction of classified data
• Information not unclassified or public must be clearly marked as such
• Clean desk policy requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed
• Dumpster diving can compromise information security
![Page 21: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/21.jpg)
Threat Identification
• Realistic threats need investigation; unimportant threats are set aside
• Threat assessment:– Which threats present danger to assets?
– Which threats represent the most danger to information?
– How much would it cost to recover from attack?
– Which threat requires greatest expenditure to prevent?
![Page 22: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/22.jpg)
![Page 23: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/23.jpg)
Vulnerability Identification
• Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
• Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities
![Page 24: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/24.jpg)
Vulnerability Identification (continued)
• Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions
• At end of risk identification process, list of assets and their vulnerabilities is achieved
![Page 25: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/25.jpg)
Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability
• Assigns a risk rating or score to each information asset
![Page 26: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/26.jpg)
Valuation of Information Assets
• Assign weighted scores for value of each asset; actual number used can vary with needs of organization
• To be effective, assign values by asking questions:– Which threats present danger to assets?
– Which threats represent the most danger to information?
– How much would it cost to recover from attack?
– Which threat requires greatest expenditure to prevent?
– which of the above questions for each asset is most important to protection of organization’s information?
![Page 27: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/27.jpg)
Risk Determination
• For the purpose of relative risk assessment, risk equals:
– Likelihood of vulnerability occurrence TIMES value (or impact)
– MINUS percentage risk already controlled
– PLUS an element of uncertainty
![Page 28: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/28.jpg)
Identify Possible Controls
• For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas
• Residual risk is risk that remains to information asset even after existing control has been applied
![Page 29: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/29.jpg)
Access Controls
• Specifically address admission of a user into a trusted area of organization
• Access controls can be:
– Mandatory
– Nondiscretionary
– Discretionary
![Page 30: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/30.jpg)
Types of Access Controls
• Mandatory access controls (MAC): give users and data owners limited control over access to information
• Nondiscretionary controls: managed by a central authority in organization; can be based on individual’s role (role-based controls) or a specified set of assigned tasks (task-based controls)
![Page 31: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/31.jpg)
Types of Access Controls (continued)
• Discretionary access controls (DAC): implemented at discretion or option of data user
• Lattice-based access control: variation of MAC; users assigned matrix of authorizations for areas of access
![Page 32: Risk Management. Define risk management, risk identification, and risk control Understand how risk is identified and assessed Assess risk based on probability](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649d7a5503460f94a5dd86/html5/thumbnails/32.jpg)
Documenting the Results of Risk Assessment
• Final summary comprised in ranked vulnerability risk worksheet
• Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
• Ranked vulnerability risk worksheet is initial working document for next step in risk management process: assessing and controlling risk