1. Risk Assessment
2. InfoSec and Legal Aspects
Risk assessment
Laws governing InfoSec
Privacy
3. Risk Assessment
Assigns a risk rating for each asset
Likelihood refers to the probability of a known vulnerability being attacked
Likelihood of fire is forecast from actuarial data
Likelihood of a virus is estimated from the volume of email handled and the number of servers in use
Likelihood of a network attack is estimated from the number of network addresses in use
4. Risk Assessment
How to assign value to information assets?
NIST SP 800-30 contains parameters to check
Critical assets are assigned the value 100
A non-critical but essential asset gets the value 50
Least critical assets get the value 1
What factors to look for in valuation?
  Which threats present a danger?
  Which threats present a significant danger?
  Cost to recover from an attack
  Threats that require the maximum cost to prevent
5. Risk Assessment
Risk determination:
Risk = likelihood * value – risk percentage (the share of risk already addressed by current controls) + uncertainty
Example:
Asset A has vulnerability score 50
Number of vulnerabilities 1
Likelihood value 1 with no controls
Data are 90% accurate (uncertainty 10%)
Hence, Risk = 1 * 50 – 0% + 10%
= 50 + 10% of (1 * 50) = 50 + 5 = 55
6. Risk Assessment
Example:
Asset B has vulnerability score 100
Number of vulnerabilities 2
Likelihood value 0.5 for the 1st vulnerability; current controls address 50% of its risk
Data are 80% accurate (uncertainty 20%)
Hence, Risk = 0.5 * 100 – 50% + 20%
= 50 – (50% of 50) + (20% of 50)
= 50 – 25 + 10
= 35
7. Risk Assessment
Example:
Asset B has vulnerability score 100
Number of vulnerabilities 2
Likelihood value 0.1 for the 2nd vulnerability with no controls
Data are 80% accurate (uncertainty 20%)
Hence, Risk = 0.1 * 100 – 0% + 20%
= 10 – 0 + (20% of 10)
= 10 + 2
= 12
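A worked implementation of the risk formula from slides 5 to 7, added here as an example rather than taken from the slides: it reproduces the three ratings (55, 35 and 12) and then ranks every asset/vulnerability pair highest risk first. The Vulnerability record, the ASSET_VALUES bands taken from slide 4 and the rank_risks helper are assumptions made for this example; the slides do not say how ratings for several vulnerabilities of one asset are combined, so they are kept separate and sorted rather than summed.

```python
from dataclasses import dataclass

# Asset value bands from slide 4 (critical / essential / least critical).
ASSET_VALUES = {"critical": 100, "essential": 50, "least": 1}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float     # probability (0-1) that the vulnerability is attacked
    controls_pct: float   # fraction (0-1) of the risk current controls already address
    data_accuracy: float  # accuracy (0-1) of the estimates; uncertainty = 1 - accuracy


def risk_rating(asset_value: float, v: Vulnerability) -> float:
    """risk = likelihood * value - mitigated% + uncertainty%, where both
    percentages are taken of the base product likelihood * value."""
    for field in (v.likelihood, v.controls_pct, v.data_accuracy):
        if not 0.0 <= field <= 1.0:
            raise ValueError(f"{v.name}: likelihood, controls and accuracy must be in [0, 1]")
    base = v.likelihood * asset_value
    mitigated = base * v.controls_pct
    uncertainty = base * (1.0 - v.data_accuracy)
    return round(base - mitigated + uncertainty, 2)


def rank_risks(assets: dict) -> list:
    """Rate every (asset, vulnerability) pair and return them highest risk first,
    which is the worksheet order used to prioritise controls."""
    rows = []
    for asset, (band, vulns) in assets.items():
        value = ASSET_VALUES[band]
        for v in vulns:
            rows.append((asset, v.name, risk_rating(value, v)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed inputs reproducing the examples on slides 5-7.
SLIDE_ASSETS = {
    "Asset A": ("essential", [Vulnerability("V1", 1.0, 0.0, 0.9)]),
    "Asset B": ("critical", [Vulnerability("V1", 0.5, 0.5, 0.8),
                             Vulnerability("V2", 0.1, 0.0, 0.8)]),
}

if __name__ == "__main__":
    for asset, vuln, rating in rank_risks(SLIDE_ASSETS):
        print(f"{asset} {vuln}: {rating}")
```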
8. Risk Assessment
The generic risks to the business are:
Loss of key assets
  Information
  The network
  Skilled people
Disruption of key processes
  Revenue
  Regulatory reporting
9. Risk Factors
Assess risk based on these factors:
Impact size
Rate of change
Business impact
Complexity
Recoverability
Value
Management team focus
10. Definitions
Civil law addresses violations of rules that result in monetary loss or other forms of damage to individuals or organizations
Criminal law addresses violations that are harmful to society
Tort law addresses violations by individuals that result in personal, physical, or financial injury to an individual
Private law regulates relationships between an individual and an organization
Public law regulates relationships between citizens
11. Definitions
Ethics is defined as socially acceptable behavior
A code of conduct is a set of rules that an organization defines as acceptable
12. Laws governing Information Security
Computer Security Act
Communications Assistance for Law Enforcement Act
Computer Fraud and Abuse Act
USA PATRIOT Act
13. Computer Security Act
Passed in 1987. Official designation PL100-235
The law gave NIST authority over unclassified, non-military government computer systems
NSA originally had this power
Main goals:
Develop policies for federal agencies concerning computer security
Develop procedures to identify vulnerabilities in computer security
14. Computer Security Act
Provide mandatory security awareness training to all federal employees dealing with sensitive information
Identify all computer systems that contain sensitive information
15. CALEA
Passed in 1994
Works in conjunction with FCC regulations
Telephone companies must add hardware to their switches that facilitates tapping of conversations by law enforcement agencies
Telcos are not responsible for decrypting any intercepted communication
Telcos are provided reasonable compensation for adding interception hardware to switches
16. Computer Fraud and Abuse Act
Originally passed in 1994 and amended in 1996
The PATRIOT Act amends this act further
CFAA's main provisions relate to the following:
Knowingly accessing a computer without authorization
Intentionally accessing a computer without authorization
Knowingly, and with intent to defraud, accessing a protected computer without authorization
Prison time of up to 10 years is possible for any violation
If the damage caused is below $5,000, only criminal penalties apply; no civil penalties apply
17. USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Passed in October 2001
Gives extensive powers to the federal government to suspend notification provisions of existing laws
Provides authorization for information searches without the knowledge of the individual
The law expires in December 2004, unless renewed by Congress
18. Privacy and Ethics
Information privacy
Information privacy laws
  Federal Privacy Act of 1974
  Electronic Communications Privacy Act of 1986
  Communications Act of 1996
  HIPAA of 1996
  Computer Security Act of 1987
  USA PATRIOT Act of 2001
Ethical aspects of information handling
19. Information Privacy
Privacy refers to personally identifiable information about an individual or an organization
Privacy does not mean absolute freedom from observation
Privacy means the “state of being free from unsanctioned intrusion”
Financial and medical institutions treat privacy as part of their compliance requirements
Information is collected by cookies and at points of sale
20. Information Privacy
Privacy is a risk management issue
The ability to collect information from multiple sources and combine it in different ways has resulted in powerful databases that reveal more than was previously possible
21. Information Privacy Laws
Federal Privacy Act of 1974
Requires all government agencies to protect the private information of individuals and businesses
Certain agencies are exempt and may release aggregate data:
  Census Bureau
  National Archives
  Congress
  Comptroller General
  Credit agencies
22. Information Privacy Laws
Electronic Communications Privacy Act of 1986
Regulates interception of wire, electronic, and oral communications
Works in conjunction with the Fourth Amendment, which provides protection against unlawful search and seizure
23. Information Privacy Laws
Communications Act of 1996
Regulates interstate and international communications
Communications decency was part of this Act
24. Information Privacy Laws
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Protects the confidentiality and security of health care data
Electronic signatures are allowed
Patients have a right to know who has access to their information and who has accessed it
25. References
NIST, Risk Assessment Guide for Information Technology Systems, SP 800-30
Mike Godwin, “When copying isn’t theft,” www.eff.org/IP/phrack_riggs_neidorf_godwin.article
Michael Whitman, “Enemy at the Gates: Threats to Information Security,” Communications of the ACM, 2003
26. References
Financial institutions: http://www.fdic.gov/news/news/financial/1999/FIL9968a.HTML
Risk Assessment Process: http://www.mc2consulting.com/riskart1.htm
ISACA: http://www.isaca.org/
Risk Assessment Guidelines: http://www.gao.gov/special.pubs/ai99139.pdf
Risk Assessment: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/02_info_security_%20risk_asst.htm