Risk Management: a Case Study
DATALAWS Information Technology Law Consultants
Presented by F. F. Akinsuyi (MSc, LLM), MBCS

Anatomy of a Risk Assessment: UK Government Case Study
• UK government services have gone online
• Personal and sensitive data are propagated and populated by government departments to provide these services
• Online services are targeted by hackers, fraudsters and espionage
• Old and new risks, threats and vulnerabilities threaten these services
• Departments need to identify and mitigate these risks

Anatomy of Risk Management: UK Case Study
• UK government policy is that any government information system used to store, process or forward official information must be accredited before use
• The objective of accreditation is to show that all relevant risks to the system have been identified and will be managed through appropriate configuration, use, maintenance, evolution and disposal
• The RMADS (Risk Management and Accreditation Document Set) methodology is applied to government systems

RMADS Stages
• Determine the Business Impact Level of the information held on the information system to be accredited (the most important step)
• Impacts are assessed against confidentiality, integrity and availability
• Depending on the findings, it may be sufficient simply to comply with ISO 27001
• For higher impact levels, an RMADS is mandatory

Impact Samples
• Impacts are measured against both the government department and the data subject
• Financial loss due to fraud
• Reputational loss due to the service not being available
• Criminal charges due to breach of data protection law

Business Impact Assessment
• Business Impact Levels range from 0 to 8
• Level 1, Trivial: no further action taken
• Levels 2 and 3, Minor: no further action taken
• Level 4, Significant: some negative effects; acceptable risk; action may need to be taken
• Level 5, Significant: significant negative effects; action to be taken on a case-by-case basis
• Levels 6 and 7, Major: risks need to be reduced or treated
• Level 8, Catastrophic: disastrous; dealt with and reduced under all circumstances

Business Impact Assessment: Confidentiality Impact Level Markings
• For confidentiality, the Impact Levels relate directly to protective markings:
• Impact Levels 1 and 2 – PROTECT
• Impact Level 3 – RESTRICTED
• Impact Level 4 – CONFIDENTIAL
• Impact Level 5 – SECRET
• Impact Level 6 – TOP SECRET
RMADS: First Phase in Developing an RMADS
• Conduct a Standard 1 Technical Risk Assessment
• Catalogue the information system and generate a scope diagram
• Verify the minimum assumptions to ensure that the risk assessment is accurate
• Perform a Privacy Impact Assessment
• Perform a threat assessment to produce a "Prioritised Risk Catalogue" that must be documented within the RMADS

Identify Threats
• Asset List: what the system is made of
• Threat Sources: where the threat is coming from
• Focus of Interest: the system being accredited
• Threat Actors: the principal parties involved in constituting the threat

Asset List
• Database
• Application
• Development and test environments
• Desktop
• Government offices
• Interconnecting systems
• Data centre
• Third-party location

Threat Source Samples
• Organised crime
• Pressure groups
• Investigative journalists
• Terrorist organisations

Threat Actor Samples
• Hacker: altering the website, denial of service
• Third Party: inappropriate access, privacy breach
• Normal User: accidental data loss
• Privileged User: data confidentiality compromise
• Data Handler: data loss
RMADS: Second Part, Create the RMADS
• Perform an ISO 27001 benchmarking review to determine whether suitable commercial countermeasures are already in place
• Develop the Security Case and Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite

ISO 27001 Benchmarking
• ISO 27001 is the information security management standard
• It covers: security policy, security organisation, asset classification, personnel security, physical security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance
• Benchmarking involves conducting face-to-face reviews with system architects, administrators and security teams to verify compliance in the areas above

Risk Treatment Plan
• The Risk Treatment Plan identifies what steps will be taken to resolve each identified risk
• It highlights who is responsible for each risk
• The date by which the risk is to be resolved
• The current status of the risk
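The assessment steps on the preceding slides (Business Impact Levels and their action bands, the confidentiality markings, the Prioritised Risk Catalogue and the Risk Treatment Plan), as a small added Python model that is not part of the deck. The assets, threats and likelihood scale are constructed, and the Impact Level at which a full RMADS replaces plain ISO 27001 compliance is an assumption, since the deck gives no figure.

```python
from dataclasses import dataclass
# Confidentiality Impact Level -> protective marking, as listed on the slides (IL1-6 only).
MARKINGS = {1: "PROTECT", 2: "PROTECT", 3: "RESTRICTED",
            4: "CONFIDENTIAL", 5: "SECRET", 6: "TOP SECRET"}
# Treatment band per Impact Level, following the slide's scale (IL0 grouped with trivial).
ACTION_BANDS = [(3, "no further action"),
                (4, "acceptable risk; action may be needed"),
                (5, "action on a case-by-case basis"),
                (7, "major: risk must be reduced or treated"),
                (8, "catastrophic: reduce under all circumstances")]
RMADS_THRESHOLD = 4  # ASSUMPTION: the deck gives no figure; IL4+ here means a full RMADS

@dataclass
class Asset:
    name: str
    c: int  # Impact Levels (0-8) for confidentiality, integrity and availability
    i: int
    a: int
    def impact_level(self) -> int:
        return max(self.c, self.i, self.a)  # ASSUMPTION: the highest of C, I, A governs

@dataclass
class Risk:
    asset: Asset
    threat_actor: str  # e.g. "Hacker", "Privileged User", as on the slides
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain); constructed scale

def required_action(level: int) -> str:
    return next(action for top, action in ACTION_BANDS if level <= top)

def protective_marking(asset: Asset) -> str:
    return MARKINGS.get(asset.c, "no marking listed")

def accreditation_route(assets: list) -> str:
    bil = max(x.impact_level() for x in assets)  # system BIL = highest asset IL
    return "RMADS mandatory" if bil >= RMADS_THRESHOLD else "ISO 27001 compliance sufficient"

def prioritised_risk_catalogue(risks: list) -> list:  # highest impact first, then most likely
    return sorted(risks, key=lambda r: (r.asset.impact_level(), r.likelihood), reverse=True)

def risk_treatment_plan(risks: list, owner: str, due: str) -> list:  # action, owner, date, status
    return [{"risk": r.description, "asset": r.asset.name, "owner": owner, "due": due,
             "action": required_action(r.asset.impact_level()), "status": "open"} for r in risks]

# Constructed sample system: a citizen database and the public application front end
DB, WEB = Asset("Database", c=4, i=4, a=3), Asset("Application", c=2, i=3, a=3)
RISKS = [Risk(WEB, "Hacker", "Altering website", 4),
         Risk(DB, "Privileged User", "Data confidentiality compromise", 2),
         Risk(DB, "Normal User", "Accidental data loss", 3)]
```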
Penetration Test
• Network and application tests
• Finally, identify whether there is any exposure to known vulnerabilities by conducting a penetration test and an application test
• Review the outcome
• Accredit the system

Application Vulnerability Tests
• Cross-site scripting
• Failure to restrict URL access