1 / 34

INFORMATION SECURITY MANAGEMENT

INFORMATION SECURITY MANAGEMENT. Lecture 8: Risk Management Controlling Risk. You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra. Introduction.

tino
Download Presentation

INFORMATION SECURITY MANAGEMENT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT Lecture 8: Risk Management Controlling Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Introduction • To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function

  3. Risk Control Strategies • Choose one of four basic strategies: • Avoidance • Transference • Mitigation • Acceptance

  4. Avoidance • The risk control strategy that attempts to prevent the exploitation of the vulnerability • Examples

  5. Transference • The control approach that attempts to shift the risk to other assets, other processes, or other organizations • Examples

  6. Mitigation • The control approach that attempts to reduce the damage caused by exploitation of vulnerability • Using planning and preparation • Depends upon the ability to detect and respond to an attack as quickly as possible • Types of Mitigation Plans

  7. Acceptance • Do nothing to protect an information asset • To accept the loss when it occurs

  8. Managing Risk • Risk appetite (also known as risk tolerance) • The reasoned approach to risk is one that balances the expense(in terms of finance and the usability of information assets) against the possible losses if exploited

  9. Managing Risk – Residual Risk • Residual Risk is a combined function of: • Threats, vulnerabilities and assets, less the effects of the safeguards in place • Goal of information security is not to bring residual risk to zero

  10. Managing Risk – Residual Risk • Once a control strategy has been selected and implemented: • The effectiveness of controls should be monitored and measured on an ongoing basis • determines effectiveness and accuracy of the residual risk estimate

  11. Managing Risk (cont’d.) Figure 9-1 Residual risk Source: Course Technology/Cengage Learning

  12. Managing Risk – Risk Control • Risk control involves selecting one of the four risk control strategies Should the organization ever accept the risk?

  13. Risk Acceptance Figure 9-2 Risk-handling action points Source: Course Technology/Cengage Learning

  14. Risk Control Cycle Figure 9-3 Risk control cycle Source: Course Technology/Cengage Learning

  15. Feasibility and Cost-Benefit Analysis • There are a number of ways to determine the advantage or disadvantage of a specific control • The primary means are based on the value of the information assets that it is designed to protect • Economic feasibility • Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised

  16. Cost-Benefit Analysis:Cost • Factors that affect the cost of a safeguard • Cost of development or acquisition of hardware, software, and services • Training fees • Cost of implementation • Service and maintenance costs

  17. Cost-Benefit Analysis:Benefit The value to the organization of using controls to prevent losses associated with a specific vulnerability

  18. Cost-Benefit Analysis:Asset Valuation The process of assigning financial value or worth to each information asset Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation

  19. Cost-Benefit Analysis:Asset Valuation • An organization must be able to place a dollar value on each information asset it owns • Potential loss is that which could occur from the exploitation of vulnerability or a threat occurrence

  20. Cost-Benefit Analysis Calculation • CBA determines whether or not a control alternative is worth its associated cost • CBAs may be calculated before a control or safeguard is implemented Or calculated after controls have been implemented and have been functioning for a time

  21. Cost-Benefit Analysis Calculation CBA = ALE(prior) – ALE(post) – ACS • ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control • ALE (post-control) is the ALE examined after the control has been in place for a period of time • ACS is the annual cost of the safeguard

  22. Example of Cost-Benefit Analysis Calculation • Dropping an iPad and breaking the screen • Asset value: $700 • Exposure factor: 50% • SLE = $700 x 50% = $350 • ARO = 25% chance of damaging • ALE (prior) = 25% x $350 = $87.50 • ALE (post) = 5% x $350 = $17.50 • CBA (cost of case = $30) • CBA = ALE(prior) – ALE(post) – ACS • CBA = 87.50 – 17.50 – 30.00 = $40

  23. Example of Cost-Benefit Analysis Calculation • Unprotected customer database • Asset value: $200,000 • Exposure factor: 50% • SLE = $200,000 x 50% = $50,000 • ARO = 75% chance of occurring • ALE (prior) = 75% x $200,000 = $50,000 • ALE (post) = 10% x $200,000 = $20,000 • CBA (ACS = $5,000) • CBA = ALE(prior) – ALE(post) – ACS • CBA = $50,000 – $20,000 – $5,000 = $25,000

  24. Other Methods of Establishing Feasibility • Organizational feasibility analysis • Operational feasibility • Technical feasibility • Political feasibility

  25. Alternatives to Feasibility Analysis • Benchmarking • Due care and due diligence • Best business practices • Gold standard • Government recommendations • Baseline

  26. Risk Management and Employees “Only two things are finite, the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein Types of Employees and Security Knowledge • Those who know • Those who don’t • Those who think they know but don’t

  27. Recommended Risk Control Practices • Organizations typically look for a more straightforward method of implementing controls • This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls for specific information asset vulnerability

  28. Recommended Risk Control Practices • Qualitative/Quantitative Approach • Octave Methods • Microsoft Risk Management Approach • FAIR

  29. Qualitative and Hybrid Measures • Quantitative assessment • Qualitative assessment • Hybrid assessment

  30. OCTAVE Method • The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method • Variations of the OCTAVE method • The original OCTAVE method • OCTAVE-S • OCTAVE-Allegro www.cert.org/octave/

  31. Microsoft Risk Management Approach • Four phases in the Microsoft InfoSec risk management process: • Assessing risk • Conducting decision support • Implementing controls • Measuring program effectiveness www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

  32. Microsoft Risk Management Approach Figure A-1 Security Risk Management Guide Source: Course Technology/Cengage Learning

  33. Factor analysis of Information Risk (FAIR) • Basic FAIR analysis is comprised of four stages: • Stage 1 - Identify scenario components • Stage 2 - Evaluate loss event frequency • Stage 3 - Evaluate probable loss magnitude(PLM) • Stage 4 - Derive and articulate Risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low http://fairwiki.riskmanagementinsight.com

  34. FAIR (cont’d.) Figure 9-4 Factor analysis of information risk (FAIR) Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning (Based on concepts from Jack A. Jones)

More Related