ITSRM Lecture 3
Risk Management
Organized By :
Tjahjo Adiprabowo Ir, M. Eng.
1. Risk Assessment
2. Risk Mitigation
3. 9 Steps Methodology
Risk Mitigation (1 of 2)
Prioritizing
Evaluating
Implementing
Risk Mitigation (2 of 2)
Cost-Benefit Analysis
Residual Risk
Feasibility
Compatibility
User acceptance
Effectiveness
Degree of protection
Level of risk mitigation
The cost
The benefits
Management determines :
Selected control(s)
Identify :
Assign :
responsibility
Residual Risk
Introduction (1 of 2)
Comparison
Introduction (2 of 2)
Support
Prevent
Identification
Key generation
Key distribution
Key storage
Key maintenance
Security Administration
System protections
Authentication
Passwords
Personal Identification Numbers (PINs)
Emerging authentication technology that provides strong authentication, e.g. :
Token
Smart card
Digital certificate
Authorization
Specification and subsequent management of the allowed actions for a given system, e.g. :
Nonrepudiation
System accountability depends on the ability to ensure that :
prevention
detection.
Protected Communications
integrity, availability and confidentiality of sensitive and critical information while it is in transit.
Replay
Interception
Packet sniffing
Wiretapping
Eavesdropping
Transaction Privacy
Both government and private sector systems are increasingly required to maintain the privacy of individuals. Transaction Privacy Controls protect against loss of privacy with respect to transactions performed by individuals.
Audit
Intrusion Detection and Containment
Proof of wholeness
Restore secure state
Virus detection and Eradication
Audit
Detection of
Recovery from
Security breaches are :
Proof of wholeness
Detects, identifies and removes software viruses
Preventive
Detection
Recovery
defined
documented
maintained.
fire extinguishers
tarpaulins
dry sprinkler systems
halon fire suppression system
Assessing the implementation costs and benefits against system and data criticality to determine the importance to the organization of implementing the new controls, given their costs and relative impact.
Next Steps :
For example, a department determines that the cost for installing and maintaining add-on security software for the stand-alone PC that stores its sensitive files is not justifiable, but that administrative and physical controls should be implemented to make physical access to that PC more difficult (e.g., store the PC in a locked room with the key kept by the manager).
Explanation (1 of 2)
Explanation (2 of 2)
In most organizations :
Good Luck