80 likes | 247 Views
Information Security Risk Assessment. 1. Required by law and policyHIPAAGLBAPCI DSSFERPAState laws. IT Risk Assessments are Different. ERM ? COSOFocuses on internal controlsIT Security Risk Assessments ? NIST 800-30Focus on asset or system. NIST 800-30 ? Stages. STEP 1: SYSTEM CHARACTERIZ
E N D
1. Information Security Risk Assessments
2. Information Security Risk Assessment Required by law and policy
HIPAA
GLBA
PCI DSS
FERPA
State laws
3. IT Risk Assessments are Different ERM – COSO
Focuses on internal controls
IT Security Risk Assessments – NIST 800-30
Focus on asset or system
4. NIST 800-30 – Stages STEP 1: SYSTEM CHARACTERIZATION
STEP 2: THREAT IDENTIFICATION
STEP 3: VULNERABILITY IDENTIFICATION
STEP 4: CONTROL ANALYSIS
STEP 5: LIKELIHOOD DETERMINATION
STEP 6: IMPACT ANALYSIS
STEP 7: RISK DETERMINATION
STEP 8: CONTROL RECOMMENDATIONS
STEP 9: RESULTS DOCUMENTATION
5. Basic IT Risk Assessment Identify asset
Identify the system’s threats and associated vulnerabilities
For each threat/vulnerability pair, determine the severity of impact and the likelihood of the vulnerability exploit occurring
Risk level is the product of the likelihood of occurrence and the impact severity
Once risk level is determined, identify safeguards
Remaining risk is determined after the recommended safeguard is implemented. given existing security controls.
given existing security controls.
6. Challenges:Problems with Definitions
7. Challenges:Lack of reliable/current data Limited data on risk factors
Some costs are inherently difficult to quantify
Impossible to precisely estimate the related indirect costs
Information quickly out of date
Changes in technology
such as the possible loss of productivity that may result when new controls are implemented; and
Changes in technology such as improvements in tools available to would-be intruders.such as the possible loss of productivity that may result when new controls are implemented; and
Changes in technology such as improvements in tools available to would-be intruders.
8. Questions?Contact me at:pbuechley@utsystem.edu