
INFORMATION SECURITY MANAGEMENT


khollis

Presentation Transcript


  1. INFORMATION SECURITY MANAGEMENT Risk Management: Identifying and Assessing Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. True Story A company suffered a catastrophic loss one night when its office burned to the ground. As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ... The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status. “Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.” M. Ciampa, “Security+ Guide to Network Security Fundamentals”, 3rd Edition, p. 303

  3. Risk is all around us… “Investing in stocks carries a risk …” “Speeding in a car carries a risk …” “Outdated anti-virus software carries a risk …”

  4. Risk Management “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

  5. Risk Terminology

  6. Risk Terminology Asset, Threat, Vulnerability & Risk in Info. Sec. http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png

  7. Assets

  8. Asset Identification http://www.misutilities.com/ Source: Course Technology/Cengage Learning

  9. Importance of Assets • Classifying/Categorization

  10. Asset Identification: Asset Ranking • Assets should be ranked so that the most valuable assets get the highest priority when managing risks • Questions to consider when determining an asset’s value / rank: • 1) Which information asset is most critical to the overall success of the organization? • Example: Amazon ranking its assets. Amazon’s network consists of regular desktops and web servers. • Web servers that advertise the company’s products and receive orders 24/7 – critical. • Desktops used by the customer service department – not so critical. Source: Course Technology/Cengage Learning

  11. Asset Identification: Asset Ranking 2) Which information asset generates the most revenue? 3) Which information asset generates the highest profitability? Example: Amazon ranking its assets. At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit). Source: Course Technology/Cengage Learning

  12. Importance of Assets Example: Weighted asset ranking (NIST SP 800-30) Not all asset ranking questions/categories may be equally important to the company. A weighting scheme can be used to account for this: each criterion is assigned a weight (the weights totalling 100), each asset is scored on every criterion, and the asset’s value is the weighted sum of its scores. Assets are then ranked by that weighted value.

  13. Risk Terminology

  14. Threat Identification

  15. Threat Identification (cont’d.) Weighted ranks of threats to information security. Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission

  16. Risk Terminology

  17. Vulnerability Assessment Table 8-4 Vulnerability assessment of a DMZ router Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

  18. Vulnerability Assessment Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

  19. Vulnerability Assessment Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

  20. The TVA Worksheet Table 8-5 Sample TVA spreadsheet Source: Course Technology/Cengage Learning

  21. Risk Terminology

  22. Introduction to Risk Assessment • The goal is to create a method to evaluate the relative risk of each listed vulnerability. Figure 8-3 Risk identification estimate factors: risk = likelihood of the vulnerability occurring × value of the asset − percentage of the risk already mitigated by current controls + the uncertainty of current knowledge of the vulnerability. Source: Course Technology/Cengage Learning

  23. Risk Determination – Example 1 Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate (so the uncertainty is 10%). Risk = (50 × 1.0) − 0% + 10% of (50 × 1.0) = 50 − 0 + 5 = 55.

  24. Risk Determination – Example 2 Asset B has a value of 100 and has two vulnerabilities: • vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk • vulnerability #3 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate (so the uncertainty is 20%). Vulnerability #2: (100 × 0.5) − 50% of 50 + 20% of 50 = 50 − 25 + 10 = 35. Vulnerability #3: (100 × 0.1) − 0 + 20% of 10 = 10 − 0 + 2 = 12.

  25. Which asset/vulnerability to deal with first? Rank your findings by asset/vulnerability pair; the pairs with the largest risk rating are normally ranked highest and addressed first.
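The weighted asset ranking of slide 12 and the risk determination and ranking of slides 23 to 25, carried through in code. This is an added example, not material from the slides or the textbook they cite; the criteria weights and the web-server/desktop scores are constructed to illustrate the Amazon contrast from slide 10, while the Asset A / Asset B inputs are the ones the slides give. The risk formula is the one the course text uses: likelihood × value, minus the share current controls already remove, plus an uncertainty term equal to (1 − confidence) of the same base.

```python
"""Weighted asset ranking and risk determination (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Weighting scheme in the style of the NIST SP 800-30 worksheet on slide 12.
# Weights are constructed for illustration and must total 100.
CRITERIA_WEIGHTS = {"criticality": 40, "revenue": 30, "profitability": 30}


def weighted_asset_value(scores: dict[str, float],
                         weights: dict[str, int] = CRITERIA_WEIGHTS) -> float:
    """Combine per-criterion scores (0.0 to 1.0) into a 0-100 asset value."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must total 100")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"no score for criteria {sorted(missing)}")
    for name, score in scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {name!r} must be between 0 and 1")
    return sum(scores[name] * weight for name, weight in weights.items())


@dataclass
class Vulnerability:
    name: str
    likelihood: float        # 0.1 (very unlikely) to 1.0 (certain), the text's scale
    controlled: float = 0.0  # fraction of the risk that current controls already remove


def risk_rating(asset_value: float, vuln: Vulnerability, confidence: float) -> float:
    """Risk = likelihood x value, minus the share already controlled,
    plus an uncertainty term of (1 - confidence) times the same base."""
    for label, x in (("likelihood", vuln.likelihood),
                     ("controlled", vuln.controlled),
                     ("confidence", confidence)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{label} must be between 0 and 1")
    exposure = vuln.likelihood * asset_value
    uncertainty = 1.0 - confidence
    return exposure - exposure * vuln.controlled + exposure * uncertainty


def rank_findings(assets):
    """assets: (asset name, value, confidence, [Vulnerability, ...]) tuples.
    Returns (asset, vulnerability, rating) rows, largest rating first."""
    rows = []
    for name, value, confidence, vulns in assets:
        for v in vulns:
            rows.append((name, v.name, round(risk_rating(value, v, confidence), 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Slide 10's contrast with constructed scores: the 24/7 web server outranks a
# customer-service desktop once the criteria are weighted.
WEB_SERVER = weighted_asset_value({"criticality": 1.0, "revenue": 0.9, "profitability": 0.6})
DESKTOP = weighted_asset_value({"criticality": 0.3, "revenue": 0.1, "profitability": 0.1})

# Inputs exactly as given on slides 23 and 24.
SLIDE_ASSETS = [
    ("Asset A", 50, 0.90, [Vulnerability("vulnerability #1", likelihood=1.0)]),
    ("Asset B", 100, 0.80, [Vulnerability("vulnerability #2", likelihood=0.5, controlled=0.5),
                            Vulnerability("vulnerability #3", likelihood=0.1)]),
]

if __name__ == "__main__":
    print(f"web server value {WEB_SERVER:.0f}, desktop value {DESKTOP:.0f}")
    for asset, vuln, rating in rank_findings(SLIDE_ASSETS):
        print(f"{asset:8s} {vuln:18s} {rating:6.1f}")
```

Running it lists Asset A / vulnerability #1 (55) ahead of Asset B / vulnerability #2 (35) and vulnerability #3 (12), which is the order slide 25 asks for. Note that the ranking is only as good as the inputs: a control that "addresses 50% of the risk" and a 0.1 likelihood are judgements, which is why the uncertainty term is kept explicit rather than folded into the likelihood.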

  26. Qualitative Risk Assessment

  27. Example of Qualitative Risk Assessment
