
COMP3357 Managing Cyber Risk

COMP3357 Managing Cyber Risk. Richard Henson University of Worcester March 2018. Week 6: Managing Information Assets & Understanding Risk. Objectives: Explain how to assess risk level for identified information assets (qualitative or quantitative)


Presentation Transcript


  1. COMP3357 Managing Cyber Risk. Richard Henson, University of Worcester, March 2018

  2. Week 6: Managing Information Assets & Understanding Risk
  • Objectives:
    • Explain how to assess risk level for identified information assets (qualitative or quantitative)
    • Explain how risk assessment practices can be applied to information in an organisation
    • Explain how “controls” may be used to protect sensitive data in an organisation

  3. Measurement
  • Another perspective
    • there’s a serious hole in a wall in your house that you need to fix!
    • need to buy supplies, including screen, and netting or tape to cover the hole and slather the plaster stuff over
    • how much screen is needed?
    • using a tape measure, measure width and height… screening is sold in rectangular pieces
    • result: 29 cm x 19 cm

  4. Measuring Tools
  • But is the tape measure accurate anyway?
  • Where does each graduation mark begin/end?

  5. Measuring Tools
  • How long is the shore line of the United Kingdom?
    • To a purist… infinity!
    • how come?
    • most are satisfied with 7760 miles… but that’s a general measure

  6. (unnecessary) Precision?
  • Accurate measure of shoreline (rather than coastline) would need to include
    • rocks… pebbles… even grains of sand…
    • the fact that the shoreline actually moves, sometimes slowly and sometimes quickly over time, so it has already changed!
  • Need several lifetimes to get it right, and would need technologically advanced measurement and monitoring devices
    • but who really cares about that level of precision???
    • 7760 miles is good enough for most people…

  7. Getting the Balance Right
  • Working definition of what measurement is all about…
    • a reduction in uncertainty!
  • Before we started the lecture, how many of you knew the length of the UK coastline?
    • Isn’t 7760 miles a better answer than “I do not know”?

  8. A Useful Level of Precision
  • Goal of measuring for risk purposes…
    • reducing uncertainty to a useful level of precision
  • What happened with the tape measure example…
    • assume the units are accurate (good enough)
    • take some rough measures
    • go to the hardware store to buy a sheet of screening covering at least 29 × 19 cm

  9. Dealing with Uncertainty…
  • Minutiae of measurement are time consuming…
    • save time and get on with other things…?
  • What do hole repair and the UK shoreline have in common?
    • shows we are comfortable with some uncertainty in measurement

  10. Uncertainty and Business
  • Principle extends to business as well
    • e.g. forecasting how much money the organization will spend next quarter?
    • Ballpark figure (i.e. educated guess) will probably do!

  11. Weather Forecasting and Business
  • If bad weather will clog up the roads…
    • products don’t get through / get through late
    • supply chain gets disrupted
    • needs a joined-up approach to prioritise essential services…
  • Consequences for business
    • food, fuel shortages
    • threat to survival!

  12. Business Continuity Planning (BCP)
  • When the business anticipates bad things that could impact on them
    • bad weather, etc.
    • systems break
    • internal/external data breach
  • So important there is now an ISO standard on this
    • more on BCP after Easter

  13. Assets: Qualitative or Quantitative Risk?
  • How accurate does the risk assessment need to be?
  • So business can make an informed decision:
    • EITHER accept the risk and do nothing…
    • OR do something about that risk before something bad happens to the business
      • known as mitigating the risk!
  • Sometimes a qualitative measure may be enough… usually something quantitative may be useful (but probably not to great precision!)

  14. Purposes of Information Risk Assessment
  • To identify threats to the organization:
    • operations, assets, people
    • from partner/other organizations
  • To decide likelihood of a breach…
    • dependent on how internal and external vulnerabilities are identified & dealt with
    • potential adverse impact if threats are able to exploit vulnerabilities

  15. Outcome of Risk Assessment
  • The end result combines effect and likelihood
    • the degree and likelihood of harm occurring (quantitative)
    • should collectively provide a statement of “risk”
    • further broken down to risk of a particular information asset being breached

  16. Steps to Information Risk Assessment
  • What is the value of the information asset?
    • guesswork? H, M, L
    • % of value of organisation?
    • Use calculation!

  17. Three Steps to Management of Risk to a Data Asset…
  • Identify…
    a. vulnerabilities
    b. threats that may wish to exploit each
    c. probability of threat
    d. impact severity
  • Calculate risk score
  • Ascertain and establish controls for asset as necessary…

  18. Calculation of Asset Value
  • Difficult – factors to consider:
    • initial cost of the actual asset
    • cost to reproduce it
      • if damaged or stolen
    • value of intellectual property
    • price others are willing to pay for the asset
    • cost to protect the asset…

  19. Protection against Threats
  • Threat Actors: people who wish to steal an organisation’s information assets
  • Only effective if…
    • allowed access through…
      • negligence (human vulnerability)
      • poor software/config. (technical vulnerability)

  20. Identifying… most important Information assets
  • Protection of each asset…
    • employee time and financial outlay
  • Focus on protecting the most valuable assets first…
    • need value of information asset in decision-making!
    • some information is so valuable it is worth spending thousands on protection

  21. Identify… Vulnerabilities
  • To recap…
    • vulnerabilities are design weaknesses in aspects of the organisation’s digital infrastructure (usually software)
    • lists of vulnerabilities are identified, catalogued and publicised by various agencies, e.g. http://www.mitre.org
  • Risks caused by vulnerabilities tend to be assessed qualitatively (e.g. H, M, L)

  22. Identify… Threats
  • Who wants our data?
    • External… (internal…?)
  • Who is careless with our data?
    • Internal?

  23. Work out Probability of Exploitation
  • Ideally for each asset…
    • In practice only the most valuable assets
    • however… can be difficult to measure
  • Some methods go qualitative, e.g. H, M, L

  24. Mitigation of Risk
  • Reducing risk by protecting against vulnerabilities
  • Can be expensive…
    • organisation may choose to accept that risk and hope for the best

  25. Risk Appetite
  • People and Organisations have their own “risk level”
    • decision-making depends on how risky they are
  • Whether they take action to mitigate… or not…
    • known as risk appetite
  • decision-making easier when likelihood is expressed as a probability
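As an added worked example (not from the lecture slides), here are the three steps of slide 17 and the accept-or-mitigate decision of slide 25 as a small Python risk register: each asset carries its identified vulnerability, threat, likelihood and impact, the risk score is likelihood × impact × asset value, and assets are ranked into a treatment plan against a risk appetite threshold. Likelihood and impact may be given either as H/M/L ratings or as numbers, so the qualitative and quantitative styles from slides 13 and 23 land on one scale; the H/M/L numeric mappings, the sample assets and the appetite figure are assumptions.

```python
from dataclasses import dataclass

# Representative numbers for the H/M/L ratings the lecture mentions, so that a
# qualitative and a quantitative assessment land on one scale (assumed values).
LIKELIHOOD = {"L": 0.1, "M": 0.4, "H": 0.8}   # probability of a breach per year
IMPACT = {"L": 0.1, "M": 0.5, "H": 1.0}       # fraction of asset value lost

@dataclass
class Asset:
    name: str
    value: float             # asset value (initial cost, reproduction cost, IP...)
    vulnerability: str       # weakness a threat could exploit
    threat: str              # who or what might exploit it
    likelihood: "float|str"  # probability 0..1, or "H"/"M"/"L"
    impact: "float|str"      # fraction of value lost 0..1, or "H"/"M"/"L"

def to_number(rating, scale):
    """Accept either a 0..1 number or an H/M/L rating on the given scale."""
    if isinstance(rating, str):
        return scale[rating.upper()]
    if not 0.0 <= rating <= 1.0:
        raise ValueError(f"rating out of range: {rating}")
    return float(rating)

def risk_score(asset):
    """Expected loss = likelihood of breach x impact fraction x asset value."""
    return (to_number(asset.likelihood, LIKELIHOOD)
            * to_number(asset.impact, IMPACT) * asset.value)

def decide(asset, appetite):
    """Accept the risk if expected loss is within appetite, otherwise mitigate."""
    score = risk_score(asset)
    return {"asset": asset.name, "vulnerability": asset.vulnerability,
            "threat": asset.threat, "risk_score": round(score, 2),
            "decision": "accept" if score <= appetite else "mitigate"}

def treatment_plan(assets, appetite):
    """Rank by risk score so the most exposed assets are treated first."""
    return sorted((decide(a, appetite) for a in assets),
                  key=lambda row: row["risk_score"], reverse=True)

# Constructed sample register and appetite (illustrative values, not real data).
REGISTER = [
    Asset("customer database", 200_000, "unpatched web server", "external attacker", "H", 0.5),
    Asset("payroll spreadsheet", 50_000, "shared admin password", "careless insider", 0.2, "H"),
    Asset("marketing brochures", 2_000, "public file share", "competitor", "M", "L"),
]
RISK_APPETITE = 5_000   # maximum expected loss the business will accept
for row in treatment_plan(REGISTER, RISK_APPETITE):
    print(row)
```

Raising or lowering RISK_APPETITE moves the accept/mitigate boundary without changing the scores, which is exactly the organisation's risk appetite expressed as a number.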

  26. Risk Assessment and ISO27001
  • Two aspects to the International Standard:
    • ISMS (can be summarised as PDCA)
      • Plan
      • Do
      • Check
      • Act
    • Controls (protection against threats)

  27. Risk Assessment and IASME Governance
  • Still based on ISMS and many controls
  • Paperwork less cumbersome
  • Recognised standard, but less exacting
  • Less work, so much cheaper
  • Can be a stepping stone towards ISO27001…

  28. Evolving Security
  • IS policy should evolve, and understanding evolves…
  • Implementation should also evolve… Cyber Essentials (CE), CE+, ISO 27001, IASME Governance

  29. Principles underpinning the ISO27001 Standard
  • Two main principles for organisations:
    • MUST take full responsibility for protecting its information assets by developing & maintaining an ISMS so it can learn from its mistakes
    • uses 112 security controls to ensure that all its information assets are protected to an appropriate extent

  30. ISO27001 Standard and Risk Appetite
  • Organisations have to:
    • provide a list of information assets
    • think about applying each of the 112 controls to its assets
  • Decide (accept or mitigate)…
    • whether to accept the risk to the asset
    • if not, what they will do to control (i.e. protect) the asset

  31. Risk Treatment Plan
  • Part of the process for mitigating risk
  • Action indicated from the Risk Assessment of security controls…
    • identifies where control needs to be applied
    • the nature of each identified control
    • template for including this… (112 rows!)

  32. ISO27001 Assessment (1)
  • Starting point:
    • information security policy
    • Is it being implemented?
  • The assessor checks that the organisation is diligently following the two principles

  33. ISO27001 Assessment (2)
  • The organisation has to gather/submit information (evidence) that
    • proves it has an ISMS implemented, regularly checked, and lessons are learned
  • Must also provide an asset register for protection of each of the information assets that are “in scope”
    • http://www.vigilantsoftware.co.uk/blog/identifying-assets-for-conducting-an-asset-based-information-security-risk-assessment/

  34. Which Risk Assessment Tool?
  • Many products available…
    • most acceptable to ISO27001
  • Many designed for large organisations
    • proportionately expensive!
  • Popular tools for the SME:
    • vRisk (IT Governance) etc…
  • e.g. freely available:
    • ENISA SME tool (based on OCTAVE)
    • Computer Weekly template: http://www.computerweekly.com/tip/A-free-risk-assessment-template-for-ISO-27001-certification

  35. ISO27001 “controls”
  • Very long list (112); a number of categories
    • long laborious process to mitigate each control
  • organisations can decide to “not bother” (i.e. accept the risk)
    • however they will not get ISO27001 certification unless they give good reason for eliminating a particular control from the scope

  36. Thank you for Participating. Questions?
