Presentation on “Information Risk Management”
By: Nikhil Soni (2020MTIS-06)
SECURE SOFTWARE SYSTEMS
What is Risk & Risk Management?
• A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organization.
A + T + V = R
That is, Asset + Threat + Vulnerability = Risk.
• Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
What is Risk & Risk Management?
• “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.” - Wikipedia
Risk Life Cycle (diagram): Threat Agent → exploits → Vulnerability → leads to → Risk → can damage → Asset → and cause an → Exposure → can be countermeasured by a → Safeguard
General Terms:
• Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we’re trying to protect.
Information Assets (diagram of IS components):
– People: Employees (Authorized Staff, Other staff); Non-employees (People at trusted organizations, Strangers)
– Procedures: Standard Procedures; Sensitive Procedures
– Data: Transmission; Process; Storage
– Software (SW): Application; OS; Security Component
– Hardware (HW): System Devices; Network
General Terms:
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we’re trying to protect against.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Risk Management Process
• It involves two sub processes:
1. Risk Assessment
2. Risk Control
Risk Management Process (diagram):
– Risk Assessment: Identify Risks → Analyze Risks
– Risk Control: Define Desired Results → Select Strategy → Implement Strategy → Monitor → Evaluate and Adjust
• The process is iterative.
• The processes are organized: each step’s output is considered as an input for the next step.
Risk Identification
• First step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.
• This is a crucial phase. If a risk is not identified it cannot be evaluated and managed.
• Any failure at this stage to identify risk may cause a major loss for the organization.
• Risk identification provides the foundation of risk management.
• Risk identification requires knowledge of the organization, the market in which it operates, and the legal, social, economic, political, and climatic environment in which it has its impact.
Risk Analysis
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.
• The risk analysis step assists in determining which risks have a greater consequence or impact than others.
Methods of Risk Analysis
Risk analysis is generally lumped into two main categories: Qualitative and Quantitative.
• Qualitative Risk Analysis:
The root word of qualitative is “quality” and that is what these techniques focus on. Qualifying risks under this method involves making a simple list of the risks themselves, along with ranking them and mapping them out. The following are some common techniques used for assessing risks from a qualitative aspect:
– Probability And Impact Assessment And Matrix: Analyzing and rating risks using probability and impact on things like cost, schedule and performance.
– Risk Categorization: Grouping risks by common root causes to develop effective responses.
– Risk Urgency: The risk ranking from your probability matrix combined with urgency can help prioritize risks.
– Expert Judgment: Professional opinions from people in the industry or with similar projects.
• Quantitative Risk Analysis:
These methods are more about definitive measuring and probabilistic techniques. The greatest risk of all is the risk of losing money, and you cannot use qualitative systems to count your cost. The following are a few simple ways in which organizations are counting their risks:
– Probability distributions: Used in modeling and simulation to represent the uncertainty of values in things like task costs and labor.
– Cost and Schedule Risk Analysis: Cost estimates and scheduling are used as input values that are chosen randomly for each iteration.
– Sensitivity Analysis: This is a simple technique to determine how much impact a risk poses to a project.
– Expected Monetary Value analysis (EMV): Calculating the average outcome of scenarios that may or may not happen.
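As an added worked example (not part of the original deck), the two families of methods above run over one constructed risk register: the qualitative probability/impact matrix with urgency as tie-breaker, then the quantitative EMV, a Monte Carlo cost simulation drawing each loss from a probability distribution, and a sensitivity analysis of which risks drive the simulated loss. The register entries, the band thresholds and the triangular loss distribution are assumptions made for the example.

```python
"""Qualitative vs quantitative risk analysis over a constructed risk register.
Added example, not code from the original presentation."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood the threat exercises the vulnerability
    impact: float       # most likely loss if it happens, in money units
    urgency: int        # 1 = can wait, 3 = needs action now


# Constructed sample register; names and numbers are illustrative only.
REGISTER = [
    Risk("Unpatched web server exploited", 0.30, 200_000, 3),
    Risk("Laptop with customer records lost", 0.15, 80_000, 2),
    Risk("Backup restore fails during outage", 0.05, 500_000, 2),
    Risk("Phishing yields valid credentials", 0.45, 40_000, 1),
]


# --- Qualitative: probability/impact matrix, bands, urgency ---------------
def probability_band(p: float) -> int:
    """3 = High, 2 = Medium, 1 = Low (thresholds are an assumption)."""
    return 3 if p >= 0.30 else 2 if p >= 0.10 else 1


def impact_band(loss: float) -> int:
    """3 = High, 2 = Medium, 1 = Low (thresholds are an assumption)."""
    return 3 if loss >= 100_000 else 2 if loss >= 50_000 else 1


def matrix_score(r: Risk) -> int:
    """Cell of a 3x3 probability/impact matrix: 1 (Low/Low) .. 9 (High/High)."""
    return probability_band(r.probability) * impact_band(r.impact)


def qualitative_ranking(register=REGISTER) -> list:
    """Rank by matrix cell; urgency breaks ties (matrix + urgency, as in the deck).
    Returns (name, matrix score, urgency) tuples, highest priority first."""
    ranked = sorted(register, key=lambda r: (matrix_score(r), r.urgency), reverse=True)
    return [(r.name, matrix_score(r), r.urgency) for r in ranked]


# --- Quantitative: EMV, distributions, simulation, sensitivity -------------
def emv(r: Risk) -> float:
    """Expected Monetary Value: probability-weighted loss of one risk."""
    return r.probability * r.impact


def total_emv(register=REGISTER) -> float:
    """Average annual loss across the register if every scenario is weighted by its EMV."""
    return sum(emv(r) for r in register)


def simulate(register=REGISTER, iterations=20_000, seed=1):
    """Monte Carlo cost simulation. Each iteration draws, per risk, whether it
    occurs and then a loss from a triangular distribution (0.5x .. 2x the most
    likely impact, mode = impact).  Returns (mean total loss, mean loss per risk)."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    per_risk = {r.name: 0.0 for r in register}
    total = 0.0
    for _ in range(iterations):
        for r in register:
            if rng.random() < r.probability:
                loss = rng.triangular(0.5 * r.impact, 2.0 * r.impact, r.impact)
                per_risk[r.name] += loss
                total += loss
    per_risk = {name: v / iterations for name, v in per_risk.items()}
    return total / iterations, per_risk


def sensitivity(register=REGISTER, iterations=20_000, seed=1) -> list:
    """Sensitivity analysis: risk names ordered by their share of the simulated
    mean loss, i.e. which risks the cost outcome is most sensitive to."""
    _, per_risk = simulate(register, iterations, seed)
    return sorted(per_risk, key=per_risk.get, reverse=True)


if __name__ == "__main__":
    for row in qualitative_ranking():
        print("qualitative:", row)
    print(f"total EMV: {total_emv():,.0f}")
    mean_loss, _ = simulate()
    print(f"simulated mean annual loss: {mean_loss:,.0f}")
    print("largest drivers of loss:", sensitivity())
```

Note how the matrix ranks the lost laptop above the failed backup restore while EMV and the simulation rank them the other way round; that reversal is the deck's point that qualitative ranking cannot count the cost.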
Strategies: Selection & Implementation
• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
• Risk control should also aim to enhance positive outcomes.
• Organizations can respond to risk in a variety of ways. These include:
– (i) risk acceptance
– (ii) risk avoidance
– (iii) risk mitigation
– (iv) risk sharing
– (v) risk transfer
– (vi) a combination of the above.
• Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
• Risk Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
• Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.
• Risk mitigation involves taking action to reduce an organization’s exposure to potential risks and reduce the likelihood that those risks will happen again.
• Risk Sharing or Transfer: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.
• Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).
• It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation.
Monitor and Review
• Monitor and review is an essential and integral step in the risk management process.
• An owner of the organization must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
• Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static, therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.
Thank You

Mais conteúdo relacionado

Mais procurados

Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Information Security- Threats and Attacks presentation by DHEERAJ KATARIA
Information Security- Threats and Attacks presentation by DHEERAJ KATARIAInformation Security- Threats and Attacks presentation by DHEERAJ KATARIA
Information Security- Threats and Attacks presentation by DHEERAJ KATARIADheeraj Kataria
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Securitychauhankapil
 
Information cyber security
Information cyber securityInformation cyber security
Information cyber securitySumanPramanik7
 
Information security
Information security Information security
Information security razendar79
 
1. security management practices
1. security management practices1. security management practices
1. security management practices7wounders
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
INFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEMINFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEMANAND MURALI
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 

Mais procurados (20)

Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Security policy
Security policySecurity policy
Security policy
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Information Security- Threats and Attacks presentation by DHEERAJ KATARIA
Information Security- Threats and Attacks presentation by DHEERAJ KATARIAInformation Security- Threats and Attacks presentation by DHEERAJ KATARIA
Information Security- Threats and Attacks presentation by DHEERAJ KATARIA
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit View
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Security policies
Security policiesSecurity policies
Security policies
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Information cyber security
Information cyber securityInformation cyber security
Information cyber security
 
Information security
Information security Information security
Information security
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
INFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEMINFORMATION SECURITY SYSTEM
INFORMATION SECURITY SYSTEM
 
The need for security
The need for securityThe need for security
The need for security
 

Semelhante a Information Security Risk Management

Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
12_BUSINESS RISK ufuhf isbifb MANAGEMENT.ppt
12_BUSINESS RISK  ufuhf isbifb MANAGEMENT.ppt12_BUSINESS RISK  ufuhf isbifb MANAGEMENT.ppt
12_BUSINESS RISK ufuhf isbifb MANAGEMENT.pptbillugamma06
 
Chapter 1 risk management (3)
Chapter 1  risk management (3)Chapter 1  risk management (3)
Chapter 1 risk management (3)rafeeqameen
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Risk Management
Risk ManagementRisk Management
Risk Managementysshah
 
Week 2 Introduction to risk management.pdf
Week 2 Introduction to risk management.pdfWeek 2 Introduction to risk management.pdf
Week 2 Introduction to risk management.pdfJeffreyKwame1
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Sadia Razzaq
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Risk Management.docx
Risk Management.docxRisk Management.docx
Risk Management.docxCPA Australia
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxransayo
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptxdotco
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.pptUday Nayakwadi
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to financeRobert Reed
 
RISK MANAGEMENT.pptx
RISK MANAGEMENT.pptxRISK MANAGEMENT.pptx
RISK MANAGEMENT.pptxssuser107f14
 

Semelhante a Information Security Risk Management (20)

Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
 
12_BUSINESS RISK ufuhf isbifb MANAGEMENT.ppt
12_BUSINESS RISK  ufuhf isbifb MANAGEMENT.ppt12_BUSINESS RISK  ufuhf isbifb MANAGEMENT.ppt
12_BUSINESS RISK ufuhf isbifb MANAGEMENT.ppt
 
Chapter 1 risk management (3)
Chapter 1  risk management (3)Chapter 1  risk management (3)
Chapter 1 risk management (3)
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Entetrprise risk management process
Entetrprise risk  management processEntetrprise risk  management process
Entetrprise risk management process
 
Week 2 Introduction to risk management.pdf
Week 2 Introduction to risk management.pdfWeek 2 Introduction to risk management.pdf
Week 2 Introduction to risk management.pdf
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Risk Management.docx
Risk Management.docxRisk Management.docx
Risk Management.docx
 
Trustee Conference AM4: Effectively managing risk
Trustee Conference AM4: Effectively managing riskTrustee Conference AM4: Effectively managing risk
Trustee Conference AM4: Effectively managing risk
 
Risk management
Risk managementRisk management
Risk management
 
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docxAbstractKey FeaturesAssessmentIntroductionMeasur.docx
AbstractKey FeaturesAssessmentIntroductionMeasur.docx
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.ppt
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
RISK MANAGEMENT.pptx
RISK MANAGEMENT.pptxRISK MANAGEMENT.pptx
RISK MANAGEMENT.pptx
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
51_operational_risk
51_operational_risk51_operational_risk
51_operational_risk
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Information Security Risk Management

  • 1. “Information Risk Management” Presentation on By- Nikhil Soni 2020MTIS-06 SECURE SOFTWARE SYSTEMS
  • 2. What is Risk & Risk Management? • A Risk is a potential or future event that, should it occur, will have a (negative) impact on the Business Objectives of an Organization A + T + V = R That is, Asset + Threat + Vulnerability = Risk. • Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
  • 3. What is Risk & Risk Management? • “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.”- Wikipedia
  • 4. Risk Life Cycle Threat Agent Vulnerability Risk Asset Exposures Safeguard Leads to Can damage And cause an Exploits Can be countermeasured by a
  • 5. General Terms: • Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect.
  • 6. Information Assets IS Components People Procedures Data Transmission HW SW Employees Non- employees People at trusted organizations Authorized Staff Other staff Strangers Standard Procedures Sensitive Procedures Process Storage Application OS Security Component System Devises Net Work
  • 7. General Terms: • Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against. • Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
  • 8. General Terms: • Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.
  • 9. Risk Management Process • It involves two sub processes: 1. Risk Assessment 2. Risk Control
  • 10. Identify Risks Analyze Risks Define Desired Results Select Strategy Implement Strategy Monitor Evaluate and Adjust The Process is iterative •The Processes are organized • Each Step output considered as an input for the next step Risk Control Risk Assessment Risk Management Process
  • 11. Risk Identification • First step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems. • This is a crucial phase. If a risk is not identified it cannot be evaluated and managed • Any failure at this stage to identify risk may cause a major loss for the organization. • Risk identification provides the foundation of risk management.
  • 12. • Risk identification requires knowledge of the organization, the market in which it operates, the legal, social, economic, political, and climatic environment in which it has its impact. Risk Identification
Risk Analysis
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.
• The risk analysis step assists in determining which risks have a greater consequence or impact than others.
Methods of Risk Analysis
Risk analysis is generally lumped into two main categories: Qualitative and Quantitative.
• Qualitative Risk Analysis: The root word of qualitative is “quality”, and that is what these techniques focus on. Qualifying risks under this method involves making a simple list of the risks themselves, then ranking them and mapping them out. The following are some common techniques used for assessing risks from a qualitative aspect:
– Probability and Impact Assessment and Matrix: Analyzing and rating risks using probability and impact on things like cost, schedule and performance.
Methods of Risk Analysis
– Risk Categorization: Grouping risks by common root causes to develop effective responses.
– Risk Urgency: The risk ranking from your probability matrix, combined with urgency, can help set risk priorities.
– Expert Judgment: Professional opinions from people in the industry or with similar projects.
Methods of Risk Analysis
Quantitative Risk Analysis
These methods are more about definitive measurement and probabilistic techniques. The greatest risk of all is the risk of losing money, and you cannot use qualitative systems to count your cost. The following are a few simple ways in which organizations are counting their risks:
– Probability distributions: Used in modeling and simulation to represent the uncertainty of values in things like task costs and labor.
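The qualitative techniques above (probability/impact matrix, categorization by root cause, urgency as a tiebreaker) as an added worked example; this is not code from the presentation, and the five-point scales, rating cut-offs and risk register are assumptions constructed for illustration.

```python
# Added example, not from the slides: a probability/impact matrix with risk
# categorization and urgency ranking. Scales, cut-offs and the risk register
# are assumptions constructed for illustration.
from dataclasses import dataclass

# Five-point ordinal scales (assumed): 1 = lowest, 5 = highest.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    name: str
    probability: str
    impact: str
    root_cause: str   # shared cause, used for categorization
    urgency: int      # 1 = can wait, 3 = needs a response now

def score(risk):
    """Matrix cell: probability rating x impact rating."""
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]

def rating(risk):
    """Map the matrix score onto high/medium/low bands (assumed cut-offs)."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"

def rank(risks):
    """Highest matrix score first; urgency breaks ties between equal scores."""
    return sorted(risks, key=lambda r: (score(r), r.urgency), reverse=True)

def categorize(risks):
    """Group risks by root cause so one response can address several risks."""
    groups = {}
    for r in risks:
        groups.setdefault(r.root_cause, []).append(r.name)
    return groups

# Constructed risk register for the demonstration.
RISKS = [
    Risk("Unpatched web server", "likely", "major", "patch management", 3),
    Risk("Lost laptop with unencrypted data", "possible", "severe", "endpoint controls", 2),
    Risk("Phishing of finance staff", "almost certain", "moderate", "awareness", 3),
    Risk("Vendor outage", "possible", "moderate", "third party", 1),
    Risk("Missed patch on database", "likely", "major", "patch management", 1),
]

if __name__ == "__main__":
    for r in rank(RISKS):
        print(f"{score(r):2d} {rating(r):6s} urgency={r.urgency} {r.name}")
    print(categorize(RISKS))
```

Note that the two patch-management risks end up in one category, which is exactly the situation where a single response (a patching process) treats several register entries at once.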
Methods of Risk Analysis
– Cost and Schedule Risk Analysis: Cost estimates and schedules are used as input values that are chosen randomly for each iteration.
– Sensitivity Analysis: A simple technique to determine how much impact a risk poses to a project.
– Expected Monetary Value analysis (EMV): Calculating the average outcome of scenarios that may or may not happen.
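The quantitative techniques (probability distributions sampled per iteration, EMV, and sensitivity analysis) as an added worked example; this is not code from the presentation, and the loss scenarios, their probabilities and the triangular loss distributions are constructed assumptions.

```python
# Added example, not from the slides: expected monetary value (EMV), a
# Monte Carlo loss simulation over probability distributions, and a simple
# sensitivity analysis. Scenario figures are constructed for illustration.
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    probability: float     # chance the event happens in the period
    loss_low: float        # smallest plausible loss (currency units)
    loss_likely: float     # most likely loss
    loss_high: float       # worst plausible loss

    def emv(self):
        """EMV = probability x most likely loss."""
        return self.probability * self.loss_likely

def total_emv(scenarios):
    return sum(s.emv() for s in scenarios)

def simulate_losses(scenarios, iterations=10000, seed=1):
    """Each iteration decides whether each event occurs and, if it does,
    draws its loss from a triangular distribution (low, likely, high)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.probability:
                total += rng.triangular(s.loss_low, s.loss_high, s.loss_likely)
        totals.append(total)
    totals.sort()
    return {"mean": sum(totals) / iterations, "p90": totals[int(0.9 * iterations)]}

def sensitivity(scenarios):
    """Share of total EMV per scenario, largest first: the risk whose estimate
    moves the total the most is the one whose inputs should be refined first."""
    total = total_emv(scenarios)
    shares = [(s.name, s.emv() / total) for s in scenarios]
    return sorted(shares, key=lambda x: x[1], reverse=True)

# Constructed scenarios for the demonstration.
SCENARIOS = [
    Scenario("Ransomware on file server", 0.10, 50_000, 200_000, 800_000),
    Scenario("Lost laptop with customer data", 0.30, 5_000, 20_000, 100_000),
    Scenario("Vendor outage", 0.50, 2_000, 8_000, 30_000),
]

if __name__ == "__main__":
    print("EMV total:", total_emv(SCENARIOS))
    print("Simulated:", simulate_losses(SCENARIOS))
    print("Sensitivity:", sensitivity(SCENARIOS))
```

The simulated mean comes out well above the EMV total because the loss distributions are right-skewed (the worst case sits far from the most likely case), which is the kind of difference a single-point EMV hides.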
Strategies: Selection & Implementation
• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
Strategies: Selection & Implementation
• Risk control should also aim to enhance positive outcomes.
• Organizations can respond to risk in a variety of ways. These include:
– (i) risk acceptance
– (ii) risk avoidance
– (iii) risk mitigation
– (iv) risk sharing
– (v) risk transfer
– (vi) a combination of the above.
Strategies: Selection & Implementation
• Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
Strategies: Selection & Implementation
• Risk Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
Strategies: Selection & Implementation
• Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.
• Risk mitigation involves taking action to reduce an organization’s exposure to potential risks and reduce the likelihood that those risks will happen again.
Strategies: Selection & Implementation
• Risk Sharing or Transfer: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.
• Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).
Strategies: Selection & Implementation
• It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation.
Monitor and Review
• Monitor and review is an essential and integral step in the risk management process.
• An owner of the organization must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
Monitor and Review
• Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static; therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.