
Principles of Information Security, Fifth Edition
Chapter 5
Risk Management
Learning Objectives
• Upon completion of this material, you should be
able to:
– Define risk management, risk identification, and risk
control
– Describe how risk is identified and assessed
– Describe the various risk mitigation strategy options
– Identify the categories that can be used to classify
controls
Introduction
• Organizations must design and create safe
environments in which business processes and
procedures can function.
• These environments must maintain confidentiality
and privacy and assure the integrity of an
organization’s data
Introduction
• Risk: The probability of an unwanted occurrence,
such as an adverse event or loss.
• Organizations must minimize risk to match their risk
appetite—the quantity and nature of risk they are
willing to accept.
Introduction
• Risk management: the process of identifying,
assessing, and reducing risks facing an organization.
• It is the process of identifying risk, assessing its
relative magnitude, and taking steps to reduce it to an
acceptable level.
Introduction
• Risk identification: the enumeration and
documentation of risks to an organization’s
information assets.
Introduction
• Risk assessment: A determination of the extent to
which an organization’s information assets
are exposed to risk.
• Identify hazards and risk factors that have the
potential to cause harm to the organization.
Introduction
• Risk control: the application of controls that reduce
the risks to an organization’s information assets to an
acceptable level.
An Overview of Risk Management
• Know yourself: identify, examine, and understand
the information and systems currently in the
organization.
• Protect information assets: the information and the
information systems that use, store, and transmit
that information.
• Once you know what you have, you can identify
what you are already doing to protect it.
An Overview of Risk Management
• Know the enemy: identify, examine, and
understand the threats facing the organization.
• You must determine which threat aspects most
directly affect the security of the organization.
• Then use this information to create a list of
threats, ordered by the importance of the
information assets they threaten.
The Roles of the Communities of
Interest
• Information security, management and users, and
information technology all must work together.
• Communities of interest are responsible for:
– Evaluating the risk controls
– Determining which control options are cost effective
for the organization
– Acquiring or installing the needed controls
– Ensuring that the controls remain effective
Risk Identification
• Risk management involves identifying, classifying,
and prioritizing an organization’s assets.
• A threat assessment process identifies and
quantifies the risks facing each asset.
Risk Appetite and Residual Risk
• Risk appetite: It defines the quantity and nature of
risk that organizations are willing to accept.
• Residual risk: risk that has not been completely
removed, shifted, or planned for
– The goal of information security is to bring residual risk
into line with risk appetite.
Components of Risk Identification
• Plan and Organize the Process
– Begin by organizing a team with representation across all
affected groups.
– Because a risk can exist anywhere in the organization,
representatives should come from every department.
– The team should include users, managers, IT groups, and
information security groups.
– The process must then be planned, with periodic
deliverables, reviews, and presentations to management.
Components of Risk Identification
• Identifying, Inventorying, and Categorizing Assets
– Begins with the identification of all assets, including
all elements of an organization’s system (people,
procedures, data and information, software,
hardware, networking).
• The objective of this process is to establish
the relative priority of assets to the success of the
organization.
Components of Risk Identification
• Classifying, Valuing, and Prioritizing Information
Assets
– Most organizations further subdivide the categories
listed in Table 5-1.
– The hardware category can be subdivided into servers,
networking devices, security devices, and cables.
– Organizational people are also subdivided into
employees, nonemployees, and third parties.
– Organizational data are subdivided by using a data
classification scheme.
Components of Risk Identification
• Classifying, Valuing, and Prioritizing Information Assets
– Many organizations have data classification schemes (e.g.,
confidential, internal, public data).
• Confidential: Used for the most sensitive corporate information
that must be tightly controlled, even within the company.
• Internal: Internal information is to be viewed only by corporate
employees, authorized contractors, and other third parties.
• External: All information that has been approved by
management for public release.
Components of Risk Identification
• Clean desk policy
– An organizational policy that specifies that all
classified information, documents, and materials are
secured at the end of every work day.
• Dumpster diving
– An information attack that involves searching
through a target organization’s trash and recycling
bins for sensitive information.
Risk Control
• Once the project team for information security has created the
ranked list of vulnerability risks, the team must choose a strategy for
controlling each risk that results from these vulnerabilities.
• The five risk control strategies:
– Defense
– Transfer
– Mitigation
– Acceptance
– Termination
Defense
• Defense control strategy: The risk control strategy that
attempts to eliminate or reduce any remaining uncontrolled
risk through the application of additional controls and
safeguards.
• This strategy is the preferred approach to controlling risk.
• The defense strategy includes three common methods:
– Application of policy
– Education and training
– Application of technology
Transfer
• Transfer control strategy: The risk control strategy
that attempts to shift residual risk to other
assets, other processes, or other organizations.
• The transfer control strategy attempts to shift risk to
other organizations.
• An organization may then transfer the risk associated with
management of complex systems to another
organization experienced in dealing with those risks.
Mitigation
• Mitigation control strategy: attempts to reduce the impact of
vulnerability exploitation through planning and preparation.
• The approach includes three types of plans:
– Incident response plan (IRP): defines the actions to
take while an incident is in progress.
– Disaster recovery plan (DRP): defines what must be done to
recover information and vital systems immediately
after a disastrous event.
– Business continuity plan (BCP): encompasses the
continuation of business activities if a catastrophic event
occurs.
Acceptance
• Acceptance control strategy: The risk control
strategy that indicates an organization is willing
to accept the current level of residual risk.
• Doing nothing to protect a vulnerability and
accepting the outcome of its exploitation.
Termination
• Termination control strategy: The risk control
strategy that eliminates all risk associated with
an information asset by removing it from service.
• Directs the organization to avoid those business
activities that introduce uncontrollable risks.
• The organization may seek an alternate mechanism to meet
customer needs.
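As an added worked example that is not part of the slides or the textbook, the Python below models the flow of this chapter: rank assets by assessed risk, find the ones whose residual risk still exceeds the organization's risk appetite, and record one of the five control strategies for each. The scoring (inherent risk = asset value × likelihood; residual risk = inherent risk × (1 − control effectiveness)) and the sample assets are assumptions of this example, not the chapter's method.

```python
from dataclasses import dataclass

STRATEGIES = ("defense", "transfer", "mitigation", "acceptance", "termination")  # the five from the slides


@dataclass
class AssetRisk:
    """One row of a risk register; the scoring scales are this example's assumption."""
    asset: str
    vulnerability: str
    value: int                          # relative importance of the asset, 1..100
    likelihood: float                   # estimated chance of exploitation, 0..1
    control_effectiveness: float = 0.0  # share of the risk removed by controls, 0..1
    strategy: str = "acceptance"        # placeholder until a strategy is chosen

    def inherent_risk(self) -> float:
        return self.value * self.likelihood

    def residual_risk(self) -> float:
        # Risk remaining after controls: what must be brought in line with appetite.
        return self.inherent_risk() * (1.0 - self.control_effectiveness)


def rank_by_risk(register):
    """Ranked list, highest inherent risk first."""
    return sorted(register, key=lambda r: r.inherent_risk(), reverse=True)


def exceeding_appetite(register, risk_appetite):
    """Entries whose residual risk is still above what the organization accepts."""
    return [r for r in register if r.residual_risk() > risk_appetite]


def apply_strategy(entry, strategy, effectiveness=0.0):
    """Record a strategy: termination removes the asset (no residual risk),
    acceptance changes nothing, the other three remove `effectiveness` of the risk."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    entry.strategy = strategy
    if strategy == "termination":
        entry.control_effectiveness = 1.0
    elif strategy != "acceptance":
        entry.control_effectiveness = effectiveness
    return entry


def sample_register():
    """Constructed sample data for this example (not real assets)."""
    return [
        AssetRisk("customer database", "unpatched DBMS", value=90, likelihood=0.5),
        AssetRisk("public web server", "weak admin password", value=40, likelihood=0.8),
        AssetRisk("lobby printer", "default SNMP community", value=10, likelihood=0.3),
    ]
```

With a risk appetite of 10, the first two sample entries exceed it until defense and transfer controls are applied; the printer can be accepted as is.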
• THAT IS ALL FOR TODAY.
• ANY QUESTIONS?