Professional Documents
Culture Documents
Principles of Information Security: Risk Management
Principles of Information Security: Risk Management
Chapter 4
Risk Management
(Lecture 5)
1
Outline
• An Overview of Risk Management
• Components of Risk Management
1. Risk Identification
– Assets Identification & Inventory
– Assets Classification , Valuation & Prioritize
2. Risk Assessment
– Threats Identification & Classification
– Vulnerabilities between Assets& threats
– Identify& quantify Asset exposure
3. Risk Control
– Selecting a Risk Control Strategy
– Justify Controls
– Implement & monitor Controls
2
Risk & Breach
Risk
• It is the probability that something unwanted will happen.
• It is the possibility of harm
• (Harm means: data lost or stolen, or is disclosed or otherwise
exposed to unauthorized people for unauthorized purposes.
which is an undesirable outcome).
• Breach:
It is a successful attack: occurrence of harm
3
An Overview of Risk Management
• Know yourself
identify, examine, and understand the information
and systems currently in place
4
Figure 4-1 Components of Risk Management 5
1- Risk Identification
• Assets
are targets of various threats and threat agents
• Risk identification
- begins with identifying organization’s assets
and assess their value.
6
Figure 4-2 Components of Risk Identification
7
Categorizing Components of information system
8
1- Risk Identification
Identify& Inventory assets
procedures
description; intended purpose; what elements
it is tied to; storage location for reference; storage
location for update
data
classification; owner/creator/ manager; data
structure size; data structure used; online/offline;
location; backup procedures employed
9
1- Risk Identification
Identify& Inventory assets
10
1- Risk Identification
Data Classification and Management
• Information classifications
1- owners
- responsible for classifying their information assets
- must be reviewed periodically
2- organizations
- do not need detailed level of classification used by
military or federal agencies; Instead
11
1- Risk Identification
Information Asset Valuation
12
1- Risk Identification
Information Asset Prioritization
13
1- Risk Identification
Threat Identification
• Threat assessment:
– Which threats present danger to assets?
14
1- Risk Identification
Vulnerabilities Identification between Assets& threats
• Vulnerabilities
are the Specific avenues threat agents that can be
exploited to attack an information asset
15
2- Risk Assessment
• Risk assessment
16
2- Risk Assessment
Likelihood
• Risk Assessment
- Measure the likelihood (The probability that a specific
vulnerability will be the object of a successful attack)
17
2- Risk Assessment
Risk Determination
18
2- Risk Assessment
Risk Determination
• Example 1
19
2- Risk Assessment
Risk Determination
20
2- Risk Assessment
Risk Determination
21
3- Risk Control
Identify Possible Controls
• Residual risk
- is risk that remains to information asset even after
existing control has been applied.
22
3- Risk Control
strategies to control each risk
23
Defend
• Defend
Attempts to prevent exploitation of the vulnerability
• Preferred approach
- accomplished through countering threats,
- removing asset vulnerabilities,
- limiting asset access, and
- adding protective safeguards
24
Transfer
• Transfer
Control approach that attempts to shift risk to other
assets, processes, or organizations
25
Mitigate
• Mitigate
Attempts to reduce impact of vulnerability through
planning and preparation
26
Accept
• Accept
- Doing nothing to protect a vulnerability and accepting
the outcome of its exploitation
27
Terminate
• Terminate
- Directs the organization to avoid those business
activities that introduce uncontrollable risks
28
Control Strategy
• Strategy of control
1. decision points,
2. feasibility strategy,
3. Cost Benefit Analysis,
4. evaluation , assessment and maintenance,
5. benchmarking & best practices and
6. baselining
29
1- Decision Points
• Feasibility Studies
- Before deciding on strategy, all information about
economic/noneconomic consequences of vulnerability
of information asset must be explored
31
3- Cost Benefit Analysis (CBA)
• CBA
- Most organizations must consider the economic feasibility of
implementing information security and controls.
32
4- Evaluation, Assessment, and Maintenance of Risk
Controls
33
5- Benchmarking and Best Practices
– Process-based measures
34
Problems with the Application of Benchmarking and Best
Practices
35
6- Baselining
36