SlideShare uma empresa Scribd logo

IT Security management and risk assessment

Transferir como PPT, PDF
CAS
CAS

Terminology Security Risk Assessment Detailed Risk Analysis Process Asset Identification / System Characterizations Threat Identification Vulnerability Identification Analyze Risks / Control Analysis Likelihood Determination Impact analysis / Consequence determination Risk determination Control Recommendation & Result Documentation

Tecnologia
1 de 22
IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
4 10.2 SECURITY RISK ASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
5 10.2.1 Baseline Approach  Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
7 10.2.2 Informal Approach  Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
8 10.2.3 Detailed / Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
9 10.2.4 Combined Approach  Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
11 10.3.1 Asset Identification / System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
12 10.3.2 Threat Identification  To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
13 10.3.2 a) Threat Sources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
14 10.3.3 Vulnerability Identification  Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
15 10.3.4 Analyze Risks / Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
18 Rating Consequence Expanded Definition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
21 Risk Level Description Extreme (E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT

Recomendados

Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and StandardsDirectorate of Information Security | Ditjen Aptika
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 

Recomendados

Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and StandardsDirectorate of Information Security | Ditjen Aptika
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityANGIEPAEZ304
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxStevenTharp2
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 

Mais conteúdo relacionado

Mais procurados

Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITYAhmed Moussa
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness TrainingDave Monahan
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...Edureka!
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mais procurados (20)

Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Information security
Information securityInformation security
Information security
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 

Semelhante a IT Security management and risk assessment

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxStevenTharp2
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanTripwire
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesFrédéric Sagez
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...CompTIA
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityIJCSIS Research Publications
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimemuhammad awais
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for CyberinfrastructureLightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructurejbasney
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxmydrynan
 
information security management
information security managementinformation security management
information security managementGurpreetkaur838
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managersamiable_indian
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxbagotjesusa
 

Semelhante a IT Security management and risk assessment (20)

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptx
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devices
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
 
Ch9
Ch9Ch9
Ch9
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for CyberinfrastructureLightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
 
information security management
information security managementinformation security management
information security management
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
 

Mais de CAS

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4CAS
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1CAS
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodologyCAS
 
Can you solve this
Can you solve thisCan you solve this
Can you solve thisCAS
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authenticationCAS
 
Malicious software
Malicious softwareMalicious software
Malicious softwareCAS
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Database security
Database securityDatabase security
Database securityCAS
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic toolsCAS
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)CAS
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2CAS
 

Mais de CAS (20)

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodology
 
Can you solve this
Can you solve thisCan you solve this
Can you solve this
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authentication
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Database security
Database securityDatabase security
Database security
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2
 

Último

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Último (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

IT Security management and risk assessment

  • 1. IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
  • 2. Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 3. 3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 4. 4 10.2 SECURITY RISK ASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 5. 5 10.2.1 Baseline Approach  Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 6. 6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 7. 7 10.2.2 Informal Approach  Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 8. 8 10.2.3 Detailed / Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 9. 9 10.2.4 Combined Approach  Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 10. 10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 11. 11 10.3.1 Asset Identification / System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 12. 12 10.3.2 Threat Identification  To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 13. 13 10.3.2 a) Threat Sources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 14. 14 10.3.3 Vulnerability Identification  Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 15. 15 10.3.4 Analyze Risks / Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 16. 16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 17. 17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 18. 18 Rating Consequence Expanded Definition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 19. 19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 20. 20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 21. 21 Risk Level Description Extreme (E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 22. 22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT

Notas do Editor

  1. The results of the risk analysis process should be documented in a risk register. This should include a summary table such that shown in Table 16.5 from the text. The risks are usually sorted in decreasing order of level. This would be supported by details of how the various items were determined, including the rationale, justification, and supporting evidence used. The aim of this documentation is to provide senior management with the information they need to make appropriate decisions as how to best manage the identified risks. It also provides evidence that a formal risk assessment process has been followed if needed, and a record of decisions taken with their reasons. Once the details of potentially significant risks are determined, management needs to decide whether it needs to take action in response. This would take into account the risk profile of the organization, and its willingness to accept a certain level of risk, as determined in the initial “Establishing the Context” phase of this process. Those items with risk levels below the acceptable level would usually be accepted with no further action required. Those items with risks above this will need to be considered for treatment. Typically the risks with the higher ratings are those that need most urgently action. However, it is likely that some risks will be easier, faster, and cheaper to action than others. In the example shown, both risks were rated High. Further investigation reveals that a relatively simple and cheap treatment exists for the first risk, by tightening the router configuration to further restrict possible accesses. Treating the second risk requires the development of a full disaster recovery plan, a much slower and more costly process. Hence management would take the simple action first, to improve the organization’s overall risk profile as quickly as possible.