Information Security and Assurance Risk Management 1
Risk Management
Learning Objectives
serve the needs of the entire organization and at the same time leverage the
required in today's marketplaces.
To keep up with the competition, organizations must design and create safe
These settings must maintain confidentiality and privacy and assure the
integrity of organizational data, objectives that are met via the application of
examine and understand the information and systems currently in place within your
organization. To protect assets, first identify what they are and what value they have to
the organization. Assets are defined as the information and systems that use, store
Having identified your organization’s assets and weaknesses, it’s time to know
the enemy. This means identifying, examining, and understanding the threats
facing the organization. You must determine which threat aspects most
directly affect the security of the organization and its information assets, and
then use this information to create a list of threats, each one ranked according
organizational information;
plan for ways to protect data and information, the SDLC, known as the systems
Risk Management
Risk management is the process of identifying risk, assessing risk, and taking
program.
mission capability by protecting the IT systems and data that support their
The head of an organizational unit must ensure that the organization has the
determine the security capabilities that their IT systems must have to provide
the desired level of mission support in the face of real-world threats. Most
RISK ASSESSMENT
Organizations use risk assessment to determine the extent of the potential threat
and the risk associated with an IT system throughout its SDLC. The output of this
In this stage, the boundaries of the IT system are identified, along with
System-Related Information
1. Hardware
2. Software
3. System interfaces, such as internal and external connectivity
4. Data and information
5. Persons who support and use the IT system
6. System mission, which may include the processes performed by the IT system
7. System and data criticality, such as the system's value or importance to the organization
8. System and data sensitivity
Information-Gathering Techniques
system test results, system security plan, security policies can provide
mapping tool can identify the services that run on a large group of hosts
system(s).
Step 2 Threat Identification
Common Threat-Sources
• Natural Threats—Floods, earthquakes, tornadoes, landslides,
• Human Threats—Events that are either enabled by or caused by
Step 3 Vulnerability Identification
Types of testing
mail relaying).
3. Penetration testing
protection schemes
Development of Security Requirements Checklist
areas:
1. Management
2. Operational
3. Technical.
Security Criteria
The goal of this step is to analyze the controls that have been
Control Methods
environmental security.
Control Categories
and authentication.
System mission
System and data criticality
System and data sensitivity.
be expressed as a function
a given vulnerability
In this stage, the processes that have happened from the start should be
RISK MITIGATION
reduce mission risk. Risk mitigation can be achieved through any of the
Risk Assumption. To accept the potential risk and continue operating the IT
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or
consequence (e.g., forgo certain functions of the system or shut down the
Risk Limitation. To limit the risk by implementing controls that minimize the
This section provides top management and IT security experts with the following
rules of thumb.
architectural designs, and administrative controls to minimize the risk of
3. When the attacker’s cost is less than the potential gain ➞ apply
attacker’s cost (e.g., use of system controls such as limiting what a system
EVALUATION AND ASSESSMENT
This section emphasizes the good practice and need for an ongoing risk evaluation
and assessment and the factors that will lead to a successful risk management
program.
Risk management should be conducted and integrated in the SDLC for IT systems, not
because it is required by law or regulation, but because it is a good practice and supports
3. the competence of the risk assessment team, which must have the expertise to apply
the risk assessment methodology to a specific site and system, identify mission risks,
and provide cost-effective safeguards that meet the needs of the organization;
4. the awareness and cooperation of members of the user community, who must follow
procedures and comply with the implemented controls to safeguard the mission of their
organization; and
7. Plug and play (technology that enables hardware devices to be installed and
installations)
Microsoft offers “The Ten Immutable Laws of Security”
Law #1: If a bad guy can persuade you to run his program on your computer,
Law #2: If a bad guy can alter the operating system on your computer, it's not
Law #3: If a bad guy has unrestricted physical access to your computer, it's
Law #4: If you allow a bad guy to upload programs to your Web site, it's not
Law #8: An out-of-date virus scanner is only marginally better than no virus
scanner at all.
Law #9: Absolute anonymity isn't practical, in real life or on the Web.