INFORMATION RISK MANAGEMENT - PowerPoint PPT Presentation

Title: Risk Measurement. Author: Malcolm Pattinson. Last modified by: Helen Ashman. Created Date: 4/26/1995 4:34:16 PM. Document presentation format: A4 Paper (210x297 mm). Slides: 29.

Transcript and Presenter's Notes

1
INFORMATION RISK MANAGEMENT
Today's Reference: Whitman & Mattord,
Management of Information Security, 2nd edition,
Chapters 7 & 8
2
What's the problem?
  • Management still ask:
  • How secure are we?
  • Are our controls adequate?
  • Do we comply with Standards?
  • Do we have the best blend of controls in place?
  • How do we measure our IS security?
  • What controls do I need?
  • How much will controls cost?

3
Overview
  • What is Risk Management?
  • Why is it important?
  • Risk Analysis
  • Risk Control Strategies
  • Other Risk Management Techniques
  • Summary

4
Risk Management
Extracted from Australian Standard AS/NZS 4360:2004
5
Why is it important?
  • Subsidiaries of large organisations have an
    obligation (e.g. agencies of the SA Govt.)
  • Corporate management may wish to compare these
    subsidiaries
  • Shareholders may demand a certain level of
    compliance with Standards
  • Directors have a duty-of-care responsibility
  • Trading partners may need you to prove your level
    of security (or they won't trade with you)

6
Managing Risk
  • The goal of information security is not to bring
    residual risk to zero, but to bring it in line
    with the organization's risk appetite

7
Residual Risk
  • When vulnerabilities have been controlled as much
    as possible, there is often remaining risk that
    has not been completely removed, shifted, or
    planned for.

8
Risk Tolerance
  • Risk tolerance (also known as risk appetite)
    defines the quantity and nature of risk that
    organizations are willing to accept, as they
    evaluate the trade-offs between perfect security
    and unlimited accessibility

9
Risk Analysis (RA)
  • Various methods:
  • Qualitative
  • Quantitative
  • Software packages
  • (e.g. RiskPac, RiskCalc, CRAMM, SPAN, Courtney's
    Method, Rank-it)
  • The quantitative approach:
  • Identify IS assets
  • Identify threats to those assets
  • Estimate probability of occurrence
  • Estimate cost of impact of threat
  • Calculate Annual Loss Exposure (ALE)
  • Build a control profile to match the risk profile

10
Identify Assets
  • Iterative process begins with identification of
    assets, including all elements of an
    organization's system (people, procedures, data
    and information, software, hardware, networking)
  • Assets are then classified and categorized. For
    example:
  • Unclassified
  • Sensitive but unclassified
  • Confidential
  • Secret
  • Top secret

11
Identify Threats
  • Realistic threats need investigation; unimportant
    threats are set aside
  • Threat assessment:
  • Which threats present danger to assets?
  • Which threats represent the most danger to
    information?
  • How much would it cost to recover from an attack?
  • Which threat requires the greatest expenditure to
    prevent?

12
Threat Analysis
Worksheet columns: Threat | Probability (H, M, L) | Impact (H, M, L) | Risk Exposure (H, M, L).
One rating column is shown against each threat:

Threat                                      Rating
 1. Errors & omissions                      Low
 2. Data network breakdowns                 Low
 3. Software errors & omissions             Low
 4. Computer-based fraud                    Medium
 5. Accidental & natural disasters          Medium
 6. Equipment failure                       High
 7. Unauthorised access                     Medium
 8. Deliberate destruction of equipment     Medium
 9. Misuse of computing equipment           Medium
10. Theft of computers                      High
11. Loss of key personnel                   High
12. Theft of information                    High
13. Logical sabotage                        Low
14. Software piracy                         Medium
15. Loss of vital services                  Medium
13
The Metrics
  • Annual Loss Expectancy (ALE) = threat probability,
    expressed as an Annualised Rate of Occurrence
    (ARO), x Single Loss Expectancy (SLE)
  • ROI of a control is the reduction in ALE it brings
    (ALE before minus ALE after), set against the
    annual cost of the control
  • Uses Courtney's Scales
  • Temptation to manufacture the desired outcome:
    both scales step in powers of ten, so moving one
    estimate a single notch changes the result tenfold

14
Courtney's Scales for calculating Annual Loss
Exposure (ALE)
  • Probability of occurrence of threat:
  • Once in 100 years
  • Once in 10 years
  • Once per year
  • 10 times per year
  • 100 times per year
  • 1000 times per year
  • Impact of threat:
  • 100 million
  • 10 million
  • 1 million
  • 100,000
  • 10,000
  • 1,000

15
Risk Exposure per asset per annum
Rows are ASSETS, columns are THREATS; each cell reads probability x impact = exposure per annum.

ASSET                    | Virus Attack              | Hardware Malfunction      | Physical Sabotage            | Input Errors           | Exposure per asset p.a.
Application Software     | 1/1 yr x 1,000 = 1,000    |                           |                              |                        | 1,000
Network Server OS        | 1/1 yr x 1,000 = 1,000    | 1/1 yr x 10,000 = 10,000  | 1/1 yr x 10,000 = 10,000     |                        | 21,000
Database                 | 1/1 yr x 10,000 = 10,000  | 1/1 yr x 10,000 = 10,000  | 1/10 yrs x 100,000 = 10,000  | 10/1 yr x 100 = 1,000  | 31,000
IS People                |                           |                           |                              |                        |
Exposure per threat p.a. | 12,000                    | 20,000                    | 20,000                       | 1,000                  | 53,000
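The worksheet above, worked through in code so that the row and column totals, the effect of a control on the ALE, and the "manufactured outcome" warning from slide 13 can all be checked. This is an added example written for this transcript, not code from the lecture or from Whitman & Mattord; the cell values reproduce the slide, while the antivirus control (its annual cost and its one-notch effect on likelihood) is a constructed assumption. The cost-benefit line uses the textbook's CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annual cost of the safeguard.

```python
"""Quantitative risk analysis over an asset/threat worksheet.

ALE (annual loss expectancy) = ARO (annual rate of occurrence) x SLE
(single loss expectancy). Probabilities come from Courtney's scale
(once in 100 years ... 1000 times a year); impacts are order-of-magnitude
figures. Added example for the lecture; the control used in the demo at
the bottom (cost and effect) is a constructed assumption, not course data.
"""
from dataclasses import dataclass, replace

# Courtney's probability scale, as labels and as events per year (ARO).
ARO_SCALE = ["1/100 yrs", "1/10 yrs", "1/year", "10/year", "100/year", "1000/year"]
ARO_VALUE = dict(zip(ARO_SCALE, [0.01, 0.1, 1.0, 10.0, 100.0, 1000.0]))


@dataclass(frozen=True)
class Exposure:
    """One worksheet cell: a threat acting on an asset."""
    asset: str
    threat: str
    aro_label: str  # a key of ARO_VALUE
    sle: float      # single loss expectancy (impact of one occurrence)

    @property
    def ale(self) -> float:
        """Annual loss expectancy for this cell."""
        return ARO_VALUE[self.aro_label] * self.sle


# The lecture's worksheet (slide 15); cells left blank on the slide are absent.
WORKSHEET = [
    Exposure("Application Software", "Virus Attack", "1/year", 1_000),
    Exposure("Network Server OS", "Virus Attack", "1/year", 1_000),
    Exposure("Network Server OS", "Hardware Malfunction", "1/year", 10_000),
    Exposure("Network Server OS", "Physical Sabotage", "1/year", 10_000),
    Exposure("Database", "Virus Attack", "1/year", 10_000),
    Exposure("Database", "Hardware Malfunction", "1/year", 10_000),
    Exposure("Database", "Physical Sabotage", "1/10 yrs", 100_000),
    Exposure("Database", "Input Errors", "10/year", 100),
]


def total_ale(cells) -> float:
    """Grand total of the worksheet."""
    return sum(c.ale for c in cells)


def ale_by(cells, key: str) -> dict:
    """Sum ALE per asset (key='asset') or per threat (key='threat')."""
    totals = {}
    for c in cells:
        totals[getattr(c, key)] = totals.get(getattr(c, key), 0.0) + c.ale
    return totals


def shift_aro(cell: Exposure, notches: int) -> Exposure:
    """Move a cell's probability `notches` steps along Courtney's scale,
    clamped at the ends. Negative notches = less likely."""
    i = ARO_SCALE.index(cell.aro_label)
    j = min(max(i + notches, 0), len(ARO_SCALE) - 1)
    return replace(cell, aro_label=ARO_SCALE[j])


def apply_control(cells, threat: str, notches: int):
    """Model a control that changes the likelihood of one threat across
    every asset it touches (e.g. antivirus against 'Virus Attack')."""
    return [shift_aro(c, notches) if c.threat == threat else c for c in cells]


def cost_benefit(cells, threat: str, notches: int, annual_cost: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive: the control pays for itself."""
    prior = total_ale(cells)
    post = total_ale(apply_control(cells, threat, notches))
    return prior - post - annual_cost


def sensitivity(cells, asset: str, threat: str, notches: int = 1) -> float:
    """Total ALE after nudging one cell's probability by `notches`; shows how
    far a single judgement call on a log scale moves the headline figure."""
    nudged = [shift_aro(c, notches) if (c.asset, c.threat) == (asset, threat) else c
              for c in cells]
    return total_ale(nudged)


if __name__ == "__main__":
    print("per asset :", ale_by(WORKSHEET, "asset"))
    print("per threat:", ale_by(WORKSHEET, "threat"))
    print("total ALE :", total_ale(WORKSHEET))
    # Assumed control: antivirus at 5,000 a year makes virus attacks one notch rarer.
    print("antivirus CBA:", cost_benefit(WORKSHEET, "Virus Attack", -1, 5_000))
    # Same worksheet, but one analyst rates sabotage of the database as 'once a year'.
    print("sabotage 1/yr:", sensitivity(WORKSHEET, "Database", "Physical Sabotage"))
```

Running it reproduces the slide's totals (1,000 / 21,000 / 31,000 per asset, 53,000 overall). The assumed antivirus control cuts the Virus Attack column from 12,000 to 1,200, so at 5,000 a year its net benefit is 5,800; re-rating one cell (database sabotage from once in ten years to once a year) lifts the grand total from 53,000 to 143,000, which is the "manufactured outcome" risk in numbers.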
16
Benefits of RA
  • Improves awareness by involving people
  • Relates the security mission to management objectives
  • Identifies assets, vulnerabilities and controls
  • Improves the basis for decisions
  • Helps justify expenditure on security

17
Arguments against RA
  • Not precise
  • Hard to perform
  • False sense of precision and confidence
  • Never up-to-date
  • No scientific foundation
  • Not designed for small business
  • Not a self-assessment method

18
Risk Control Strategies
  • An organization must choose one of four basic
    strategies to control risks:
  • Avoidance: applying safeguards that eliminate or
    reduce the remaining uncontrolled risks for the
    vulnerability
  • Transference: shifting the risk to other areas or
    to outside entities
  • Mitigation: reducing the impact should the
    vulnerability be exploited
  • Acceptance: understanding the consequences and
    accepting the risk without control or mitigation

19
Avoidance
  • Attempts to prevent exploitation of the
    vulnerability
  • Preferred approach; accomplished through
    countering threats, removing asset
    vulnerabilities, limiting asset access, and
    adding protective safeguards
  • Three common methods of risk avoidance:
  • Application of policy
  • Training and education
  • Applying technology

20
Transference
  • Control approach that attempts to shift risk to
    other assets, processes, or organizations
  • If it lacks the expertise in-house, the organization
    should hire individuals/firms that provide security
    management and administration expertise
  • The organization may then transfer the risk
    associated with managing complex systems to another
    organization experienced in dealing with those
    risks

21
Mitigation
  • Attempts to reduce the impact of vulnerability
    exploitation through planning and preparation
  • Approach includes three types of plans:
  • Incident response plan (IRP)
  • Disaster recovery plan (DRP)
  • Business continuity plan (BCP)

22
Acceptance
  • Doing nothing to protect against a vulnerability
    and accepting the outcome of its exploitation
  • Valid only when the particular function, service,
    information, or asset does not justify the cost of
    protection
  • Risk appetite describes the degree to which the
    organization is willing to accept risk as a
    trade-off against the expense of applying controls

23
Other RM Techniques
  • Baselining
  • Benchmarking
  • Best Practices
  • Due Care
  • Due Diligence

24
Baselining
  • Baselining is the analysis of measures against
    established standards
  • In information security, baselining records the
    current level of security activities and events as
    the reference point against which the organization's
    future performance is compared

25
Benchmarking
  • Benchmarking is seeking out and studying the
    practices from other organizations that produce
    the results desired, and then measuring the
    differences between the way the organizations
    conduct business
  • In the field of information security, two
    categories of benchmarks are used:
  • Standards of due care and due diligence
  • Best practices

26
Best Business Practices
  • Security efforts that seek to provide a superior
    level of performance are referred to as best
    business practices
  • Best security practices are those that are among
    the best in the industry, balancing access to
    information with adequate protection, while
    maintaining a solid degree of fiscal
    responsibility

27
Due Care and Due Diligence
  • For legal reasons, an organization may be forced
    to adopt a certain minimum level of security
  • When organizations adopt levels of security for a
    legal defense, they may need to show that they
    have done what any prudent organization would do
    in similar circumstances
  • This is referred to as a standard of due care
  • Due diligence is the demonstration that the
    organization is persistent in ensuring that the
    implemented standards continue to provide the
    required level of protection

28
What you need to know
  • The risk analysis process
  • The risk analysis metrics
  • Risk control strategies
  • The terminology used in this presentation