New York Institute of Technology School of Management MGMT 755 Security Risk Analysis Dr. Benjamin Khoo kkhoo@nyit.edu
Chapter 3: Risk Assessment Process
3.1 Risk = someone or something that creates or suggests a hazard
3.2 Risk Assessment Process:
+ must support the business mission/objectives
+ must be accepted by the user community
◆ Meet with the client to determine:
• what to review
• the kinds of risk elements to be examined
• the deliverables or results expected from the process
◆ Find business-friendly controls or counter-measures
Chapter 3: Risk Assessment Process
3.3 Information is an Asset
The goal of an enterprise-wide information security program is to determine the threat impact to information assets based on:
• Integrity – information is as intended, without inappropriate modification or corruption
• Confidentiality – information is protected from unauthorized or accidental disclosure
• Availability – authorized users can access applications and systems when required
See Table 3.1 for more specific definitions.
Chapter 3: Risk Assessment Process
The business manager/owner determines the value of the information asset by considering:
• the cost of producing the information asset
• its value on the open market
• the cost of reproducing the information asset if it is destroyed
• its benefit to the enterprise
• the cost to the enterprise if it is released, altered or destroyed
• the repercussions to the enterprise if the information asset is destroyed
• loss of client or customer confidence
• loss of public credibility
Chapter 3: Risk Assessment Process
3.4 Risk Assessment Methodology
Consists of:
• assets scoped
• threats identified
• risk level established
• possible controls selected
Asset types:
1. Physical, e.g. people, telecom infrastructure, hardware, software, data, information, procedures, etc.
2. Logical, e.g. intellectual assets, goodwill, brand name, etc.
Chapter 3: Risk Assessment Process
3.4.1 Threat Identification
Threat = an indication of an impending undesirable event
Sources of threat:
• natural
• human – accidental or deliberate
• environmental
See Table 3.2 for source, motivation & threat.
Chapter 3: Risk Assessment Process
3.4.1.1 Elements of Threats
3 elements of a threat:
• agent ⇒ catalyst
• motive ⇒ cause
• results ⇒ outcome
Factors that impact a threat:
• Geographical location – infrastructure
• Facility
• Your neighbors
See Table 3.3
Chapter 3: Risk Assessment Process
3.4.1.2 Threat Occurrence Rates
Value of Asset × Likelihood = Annual Loss Exposure (this figure can be deceiving)
Sources for likelihood of occurrence:
Natural threats === local (or national) weather centers, by year
Criminal activities === local law enforcement, FBI, state agencies
Other threats === insurance companies
Use something like Table 3.4
Chapter 3: Risk Assessment Process
3.4.1.3 Risk Level Determination ⇨ how likely that threat is to occur
2 ways to assess:
1. establish probability without considering existing controls, e.g. an initial assessment
2. establish probability taking the existing controls into account, e.g. when assessing a specific LAN, application or subnet
See Table 3.5 for probability level definitions
Chapter 3: Risk Assessment Process
Before impact analysis, consider:
• asset mission === from the project scope
• information sensitivity
• asset criticality === importance to the organization
Impact measures:
Quantitative = lost revenue, cost of repairing the system, level of effort required to correct, etc.
Intangible = loss of public confidence, loss of credibility, damage to reputation, etc.
See Figure 3 (Probability vs Impact)
Chapter 3: Risk Assessment Process
3.4.1.4 Controls and Safeguards
Identify controls that mitigate the risk to an acceptable level
Control factors:
• How effective is the recommended control?
• Legal & regulatory requirements?
• Operational impact on the organization?
• Safety & reliability of the control?
• Rule of thumb == control cost > asset value ⇒ bad ROI
• Cross-reference the threats mitigated by each control == a control that covers several threats is a better ROI
Analyze the controls, see Table 3.7
Chapter 3: Risk Assessment Process
Types of Controls
Technical = safeguards for hardware, software, control mechanisms, identification & authentication processes, encryption tools, intrusion detection software, etc.
Non-technical = management & operational controls – policies, procedures, standards, personnel security, environmental control mechanisms, etc.
Chapter 3: Risk Assessment Process
Control Categories:
• Avoidance controls = minimize risk
• Assurance controls = ensure on-going effectiveness
• Detection controls = early detection, interception & response to breaches
• Recovery controls = restore a secure environment
See Table 3.8
Controls can also be mapped to the enterprise – operations, applications, systems, security, etc.
International standard ISO 17799 (cf. Table 3.11)
Chapter 3: Risk Assessment Process
3.4.1.5 Cost-Benefit Analysis
Consider:
• cost of implementation
• operational effectiveness
• additional policies needed?
• additional staff needed?
• cost of training, etc.
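The annual-loss-exposure formula (3.4.1.2), the with/without-existing-controls assessment (3.4.1.3), the "cost > asset" rule of thumb and threat cross-referencing (3.4.1.4), and the cost-benefit analysis (3.4.1.5) are usually worked on a spreadsheet; the following is an added example in Python that is not part of the course slides. Every asset value, occurrence rate, control cost and mitigation fraction in it is constructed sample data, and the per-occurrence exposure factor is an assumed refinement of the slide's "value × likelihood" (setting it to 1.0 reproduces the slide's formula exactly).

```python
"""Quantitative risk assessment worked through in code: annual loss exposure
per threat, a residual view after existing controls, and a cost-benefit
ranking of candidate controls.  All assets, rates, costs and mitigation
fractions below are constructed sample data, not figures from the course."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # valuation supplied by the business owner (section 3.3)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    annual_rate: float     # likelihood as expected occurrences per year
    exposure: float = 1.0  # fraction of the asset value lost per occurrence
                           # (assumed refinement; 1.0 gives value x likelihood)

    def annual_loss_exposure(self) -> float:
        # ALE = asset value x exposure factor x annual rate of occurrence
        return self.asset.value * self.exposure * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # amortised implementation + operation + training
    mitigates: Dict[str, float]  # threat name -> fraction of that threat's ALE removed


def total_ale(threats: List[Threat]) -> float:
    return sum(t.annual_loss_exposure() for t in threats)


def apply_controls(threats: List[Threat], existing: List[Control]) -> List[Threat]:
    """Residual view (second approach in 3.4.1.3): scale each threat's
    likelihood by the controls already in place before re-assessing."""
    residual = []
    for t in threats:
        remaining = 1.0
        for c in existing:
            remaining *= 1.0 - c.mitigates.get(t.name, 0.0)
        residual.append(Threat(t.name, t.asset, t.annual_rate * remaining, t.exposure))
    return residual


def control_benefit(control: Control, threats: List[Threat]) -> float:
    """ALE reduction summed over every threat the control is cross-referenced to."""
    return sum(t.annual_loss_exposure() * control.mitigates.get(t.name, 0.0)
               for t in threats)


def net_benefit(control: Control, threats: List[Threat]) -> float:
    return control_benefit(control, threats) - control.annual_cost


def cost_exceeds_asset(control: Control, threats: List[Threat]) -> bool:
    """Rule of thumb from 3.4.1.4: a control that costs more per year than
    the combined value of the assets it protects is a bad ROI."""
    protected = {t.asset for t in threats if t.name in control.mitigates}
    return control.annual_cost > sum(a.value for a in protected)


def rank_controls(controls: List[Control],
                  threats: List[Threat]) -> List[Tuple[str, float, float, bool]]:
    """(name, ALE reduction, net annual benefit, cost-exceeds-asset flag),
    best net benefit first.  Each control is scored in isolation."""
    rows = [(c.name,
             round(control_benefit(c, threats), 2),
             round(net_benefit(c, threats), 2),
             cost_exceeds_asset(c, threats))
            for c in controls]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (hypothetical assets, threats and controls).
CUSTOMER_DB = Asset("customer database", 500_000)
STOREFRONT = Asset("e-commerce front end", 200_000)

THREATS = [
    Threat("ransomware", CUSTOMER_DB, annual_rate=0.2, exposure=0.6),          # ALE 60,000
    Threat("insider data theft", CUSTOMER_DB, annual_rate=0.1, exposure=0.8),  # ALE 40,000
    Threat("power outage", STOREFRONT, annual_rate=2.0, exposure=0.05),        # ALE 20,000
]

CONTROLS = [
    Control("offline backups with tested restore", 15_000, {"ransomware": 0.7}),
    Control("DLP plus quarterly least-privilege review", 30_000,
            {"insider data theft": 0.5, "ransomware": 0.2}),
    Control("UPS and standby generator", 25_000, {"power outage": 0.9}),
    Control("second hot site for the storefront", 250_000, {"power outage": 0.95}),
]

if __name__ == "__main__":
    print(f"total ALE before controls: {total_ale(THREATS):,.0f}")
    for name, reduction, net, flagged in rank_controls(CONTROLS, THREATS):
        warn = "  <- costs more than the asset it protects" if flagged else ""
        print(f"{name:45s} saves {reduction:>9,.0f}  net {net:>10,.0f}{warn}")
```

Two design points worth noting. `rank_controls` scores each candidate on its own, which is how a first-pass cost-benefit table is built; once a control is actually adopted, feed it to `apply_controls` so later candidates are scored against the residual likelihood rather than the original one, otherwise overlapping controls (here, backups and DLP both touching ransomware) double-count the same loss. The `cost_exceeds_asset` flag is only the slide's rule of thumb: a control can fail it and still be mandated by the legal, regulatory or safety factors listed in 3.4.1.4, so treat it as a prompt to justify the spend, not as an automatic rejection.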