
IA: Week 2 Risk

Risk Management: Risk Assessment, Risk Mitigation, Risk evaluation and re-assessment. Risk Management & SDLC: System Development Life Cycle (SDLC): Initial concept and need, Development/Acquisition, Implementation, Operation and Maintenance, Disposal.


Presentation Transcript


  1. Risk Management • Risk Assessment • Risk Mitigation • Risk evaluation and re-assessment. IA: Week 2 Risk

  2. Risk Management & SDLC: System Development Life Cycle (SDLC) • Initial concept and need • Development/Acquisition • Implementation • Operation and Maintenance • Disposal

  3. Key Personnel for Risk Management: Risk Management is a management responsibility. • Senior Management • CIO, ISSO • System owners • Information Owners • IT security folks

  4. Risk Assessment • System Characterization • Vulnerability Identification • Threat Identification • Control Analysis • Likelihood Determination • Risk Determination • Control Recommendations • Results Documentation

  5. Step 1: System Characterization. Gather information about the system and its role in the organization. • What information? • How to gather it?

  6. System Characterization • Hardware, software, interfaces • Communication channels, network configuration • Data, information • IT personnel • System description and mission • System and data criticality • System and data sensitivity

  7. System Characterization: additional information • Functional requirements of the IT system • Users • Security policies • Security architecture • Information storage controls • Technical controls • Management controls • Operational controls • Physical and environmental security

  8. Information Gathering Techniques • Questionnaire • Interviews • Corporate documents • System documents • Security plans, policies and procedures

  9. Step 2: Vulnerability Identification. “A vulnerability is a flaw or weakness in system security procedures, design, implementation of internal controls that could be exercised and result in a security breach or violation of the system's security policy.” Identifying the vulnerabilities of a system is necessary for a realistic threat analysis of a system.

  10. Methods for Vulnerability ID • Security checklists and vulnerability sources • System testing

  11. Sources of Vulnerability Info • Previous risk assessments • IT Audit reports • Vulnerability databases • Security advisories • Incident response reports • Vulnerability alerts • System software security analysis

  12. System Security Testing • Automated vulnerability scanning tools • Nmap, Nessus • Security test and evaluation • Penetration testing

  13. Vulnerability Identification • Output • A vulnerability assessment report and vulnerability list • This report and list are updated and amended throughout the system life cycle.

  14. Step 3: Threat Identification. “A threat is a potential for a threat source to exercise a specific vulnerability.” “A threat source is (1) an intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”

  15. Common Threat Sources • Natural: Floods, earthquakes, tornadoes, landslides, etc. • Environmental: Long-term power failure, pollution, chemicals, liquid leakage, fire, smoke, etc. • Human: Unintentional acts or deliberate acts • Machine: Failure, malfunction, incorrectly configured.

  16. Threat Sources • Hackers • Criminals • Terrorists • Industrial Espionage • Insiders

  17. Threat Profile: A threat profile is a list of threat-sources and their associated vulnerabilities and potential harm/damage to the IT system.

  18. Step 4: Control Analysis. Analyze the controls that have been implemented or are planned to minimize or eliminate the likelihood of a threat's exercising a system vulnerability. • Control Methods • Control Categories • Control Analysis Techniques

  19. Control Methods • NIST: Technical Controls, Operational Controls, Management Controls • HIPAA: Technical Safeguards, Physical Safeguards, Administrative Safeguards

  20. Technical Controls • Identification & Authentication • Logical control access • Audit trails • System protection

  21. Operational Controls • Personnel Security • Physical & Environmental Protection • Contingency Plan • Configuration Management • HW & SW Maintenance • Media Protection • Incident Response • Training

  22. Management Controls • Risk Assessment • Security Plan • System & Services Acquisition • Security Control Review • Processing Authorization

  23. Control Categories • Preventive Controls: policy enforcement (access controls, encryption, authentication) • Detective Controls: warn of policy violations (intrusion detection, audit trails, checksums)

  24. Control Analysis Techniques • Checklists • Security requirements lists versus security controls & design

  25. Step 5: Likelihood Determination. Derive a likelihood rating (probability) that a potential vulnerability may be exercised by the associated threat environment. • Threat source motivation and capability • Nature of vulnerability • Effectiveness of current controls

  26. Likelihood Definitions (Likelihood Level: Definition) • High: The threat-source is highly motivated and capable and existing controls are ineffective. • Medium: The threat-source is motivated and capable but controls may impede a successful exploit. • Low: The threat-source lacks motivation or capability, or controls are in place to prevent or significantly impede an exploit.

  27. Step 6: Impact Analysis. Determine the impact of a successful exploit of a vulnerability by a threat source. Input: • System mission • System and data criticality • System and data sensitivity

  28. Incident Impact: The adverse impact of a security incident is described in terms of: • Loss of Integrity • Loss of Availability • Loss of Confidentiality • Lost revenue • Cost of repair • Damage of intangibles

  29. Impact Metrics • High: Severe or catastrophic adverse effect on organizational operations, assets or individuals. • Medium: Serious adverse effect on organizational operations, assets or individuals. • Low: Limited adverse effect on organizational operations, assets or individuals.

  30. Step 7: Risk Determination. Determine risk of a particular threat/vulnerability pair as a function of: • Likelihood of the threat source exploiting the vulnerability • Magnitude of the impact of the successful exploit • Adequacy of protective security controls for the pair

  31. Risk-Level Matrix

  32. Step 8: Control Recommendations. Recommend controls that reduce the level of risk to the system and/or data to an acceptable level. Considerations: • Effectiveness of recommendations • Legislation and regulation • Organizational policy • Operational impact • Safety and reliability

  33. Step 9: Results Documentation. Risk assessment report that describes each threat and vulnerability, measurement of the risk and the recommended controls for risk mitigation.

  34. Risk Mitigation • Risk Assumption: Accept the potential risk • Risk Avoidance: Shut down until vulnerability is fixed • Risk Limitation: Implement controls to limit risk • Risk Transference: Insurance
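
Steps 5 to 7 carried through for a small risk register, as an added example that is not part of the original presentation. The likelihood rule follows the High/Medium/Low definitions on slide 26, with control adequacy entering through that rating; the numeric weights, the score cut-offs, the field names and the sample pairs are assumptions made here, since the transcript gives no values for the Risk-Level Matrix.

```python
from dataclasses import dataclass

# Assumed 1-100 scale; the slides give ratings only, not numeric weights.
LIKELIHOOD_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}
IMPACT_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}

@dataclass
class Pair:
    """One threat/vulnerability pair (field names are hypothetical)."""
    threat_source: str
    vulnerability: str
    motivated: bool   # Step 5 input: threat-source motivation
    capable: bool     # Step 5 input: threat-source capability
    controls: str     # "ineffective", "may_impede" or "prevent"
    impact: str       # Step 6 rating: "High", "Medium" or "Low"

def likelihood(p: Pair) -> str:
    """Rate likelihood using the High/Medium/Low definitions on slide 26."""
    if p.controls not in ("ineffective", "may_impede", "prevent"):
        raise ValueError(f"unknown control rating: {p.controls!r}")
    if not (p.motivated and p.capable) or p.controls == "prevent":
        return "Low"
    return "High" if p.controls == "ineffective" else "Medium"

def risk(p: Pair) -> tuple:
    """Step 7: multiply the two weights, then band the score (assumed cut-offs)."""
    score = LIKELIHOOD_WEIGHT[likelihood(p)] * IMPACT_WEIGHT[p.impact]
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level

def register(pairs: list) -> list:
    """Rows of (source, vulnerability, likelihood, score, level), worst first."""
    rows = [(p.threat_source, p.vulnerability, likelihood(p), *risk(p)) for p in pairs]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample pairs, not taken from the presentation.
SAMPLE = [
    Pair("Criminal", "Weak password policy", True, True, "prevent", "Medium"),
    Pair("Hacker", "Unpatched web server", True, True, "may_impede", "High"),
    Pair("Industrial espionage", "Unencrypted backup media", True, False, "ineffective", "High"),
    Pair("Insider", "Terminated accounts not removed", True, True, "ineffective", "High"),
]

if __name__ == "__main__":
    for row in register(SAMPLE):
        print("{:<21} {:<32} {:<7} {:>3} {}".format(*row))
```

The sorted register is the input to Step 8: controls are recommended for the highest-scoring pairs first.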
