Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 263 views

    Risk Management-Assessing and Controlling Risks

    Uploaded by

    Eswin Angel
    The document discusses risk management strategies for information systems. It describes four basic risk control strategies: avoidance, transference, mitigation, and acceptance. Avoidance seeks to prevent vulnerabilities, transference shifts risk to other assets or organizations, mitigation reduces impact through plans like disaster recovery, and acceptance does nothing to address vulnerabilities. The document also discusses how to select appropriate risk control strategies and evaluates strategies using a cost-benefit analysis.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd

    Risk Management-Assessing and Controlling Risks

    Uploaded by

    Eswin Angel
    263 views43 pages
    The document discusses risk management strategies for information systems. It describes four basic risk control strategies: avoidance, transference, mitigation, and acceptance. Avoidance seeks to prevent vulnerabilities, transference shifts risk to other assets or organizations, mitigation reduces impact through plans like disaster recovery, and acceptance does nothing to address vulnerabilities. The document also discusses how to select appropriate risk control strategies and evaluates strategies using a cost-benefit analysis.

    Original Description:

    Risk Management-Assessing and Controlling Risks

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses risk management strategies for information systems. It describes four basic risk control strategies: avoidance, transference, mitigation, and acceptance. Avoidance seeks to prevent vulnerabilities, transference shifts risk to other assets or organizations, mitigation reduces impact through plans like disaster recovery, and acceptance does nothing to address vulnerabilities. The document also discusses how to select appropriate risk control strategies and evaluates strategies using a cost-benefit analysis.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    263 views43 pages

    Risk Management-Assessing and Controlling Risks

    Uploaded by

    Eswin Angel
    The document discusses risk management strategies for information systems. It describes four basic risk control strategies: avoidance, transference, mitigation, and acceptance. Avoidance seeks to prevent vulnerabilities, transference shifts risk to other assets or organizations, mitigation reduces impact through plans like disaster recovery, and acceptance does nothing to address vulnerabilities. The document also discusses how to select appropriate risk control strategies and evaluates strategies using a cost-benefit analysis.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    You are on page 1of 43

    Risk Management: Assessing and Controlling Risk Chapter 5

    Risk Management
    Risk management is the process of identifying vulnerabilities in an organizations information systems and taking carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organizations information systems The primary deliverable from risk assessment was a list of documented vulnerabilities, ranked by criticality of impact

    Principles of Information Security - Chapter 5

    Slide 2

    Risk Control Strategies


    When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest take control of the risks Four basic strategies are used to control the risks that result from vulnerabilities:
    Apply safeguards (avoidance) Transfer the risk (transference) Reduce the impact (mitigation) Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
    Slide 3

    Principles of Information Security - Chapter 5

    Avoidance
    Avoidance attempts to prevent the exploitation of the vulnerability This is the preferred approach, as it seeks to avoid risk in its entirety rather than dealing with it after it has been realized Accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and/or adding protective safeguards Three areas of control:
    Policy Training and education Technology
    Principles of Information Security - Chapter 5 Slide 4

    Transference
    Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise This allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks
    Principles of Information Security - Chapter 5 Slide 5

    Mitigation
    Mitigation attempts to reduce the impact of exploitation through planning and preparation Three types of plans:
    disaster recovery planning (DRP) business continuity planning (BCP) incident response planning (IRP)

    The most common of the mitigation procedures is the disaster recovery plan or DRP The actions to take while the incident is in progress are defined in the incident response plan or IRP Longer term issues are handled in the business continuity plan or BCP
    Principles of Information Security - Chapter 5 Slide 6

    Table 5-1 Mitigation Summary

    Principles of Information Security - Chapter 5

    Slide 7

    Acceptance
    Acceptance of risk is doing nothing to close a vulnerability and to accept the outcome of its exploitation Acceptance is valid only when:
    Determined the level of risk Assessed the probability of attack Estimated the potential damage Performed a thorough cost benefit analysis Evaluated controls using each appropriate feasibility Decided that the particular function, service, information, or asset did not justify the cost of protection

    Risk appetite describes the degree to which an organization is willing to accept risk as a tradeoff to the expense of applying controls
    Principles of Information Security - Chapter 5

    Slide 8

    Mitigation Strategy Selection


    The level of threat and value of the asset play a major role in the selection of strategy The following rules of thumb can be applied in selecting the preferred strategy:
    When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent this occurrence When the attackers cost is less than his/her potential gain apply protections to increase the attackers cost When potential loss is substantial, apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss
    Principles of Information Security - Chapter 5 Slide 9

    Figure 5-2 - Risk Handling Decision Points

    Principles of Information Security - Chapter 5

    Slide 10

    Principles of Information Security - Chapter 5

    Slide 11

    Categories of controls
    Controlling risk through avoidance, mitigation, or transference may be accomplished by implementing controls or safeguards One approach to selecting controls is by category:
    Control Function Architectural Layer Strategy Layer Information Security Principles
    Principles of Information Security - Chapter 5 Slide 12

    Control Function
    Controls or safeguards designed to defend the vulnerability are either preventive or detective Preventive controls stop attempts to exploit vulnerability by implementing enforcement of an organizational policy or a security principle, such as authentication or confidentiality Detective controls warn of violations of security principles, organizational policies, or attempts to exploit vulnerabilities Detective controls use techniques such as audit trails, intrusion detection, or configuration monitoring
    Principles of Information Security - Chapter 5 Slide 13

    Architectural Layer
    Some controls apply to one or more layers of an organizations technical architecture Among the architectural layer designators in common use are:
    organizational policy external networks extranets (or demilitarized zones) Intranets (WAN and LAN) network devices that interface network zones (switches, routers, firewalls, and hubs) systems (computers for mainframe, server or desktop use) applications
    Principles of Information Security - Chapter 5 Slide 14

    Strategy Layer
    Controls are sometimes classified by the risk control strategy they operate within:
    avoidance mitigation transference acceptance

    Principles of Information Security - Chapter 5

    Slide 15

    Information Security Principles


    Controls operate within one or more of the commonly accepted information security principles:
    Confidentiality Integrity Availability Authentication Authorization Accountability Privacy
    Principles of Information Security - Chapter 5 Slide 16

    Feasibility Studies and the Cost Benefit Analysis


    Before deciding on the strategy for a specific vulnerability all information about the economic and non-economic consequences of the vulnerability facing the information asset must be explored Fundamentally we are asking What are the actual and perceived advantages of implementing a control contrasted with the actual and perceived disadvantages of implementing the control?
    Principles of Information Security - Chapter 5 Slide 17

    Cost Benefit Analysis (CBA)


    The most common approach for a project of information security controls and safeguards is the economic feasibility of implementation Begins by evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised It is only common sense that an organization should not spend more to protect an asset than it is worth

    The formal process to document this is called a cost benefit analysis or an economic feasibility study

    Principles of Information Security - Chapter 5

    Slide 18

    CBA: Cost Factors


    Some of the items that impact the cost of a control or safeguard include:
    Cost of development or acquisition Training fees Cost of implementation Service costs Cost of maintenance

    Principles of Information Security - Chapter 5

    Slide 19

    CBA: Benefits
    Benefit is the value that the organization recognizes by using controls to prevent losses associated with a specific vulnerability This is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk

    Principles of Information Security - Chapter 5

    Slide 20

    CBA: Asset Valuation


    Asset valuation is the process of assigning financial value or worth to each information asset The valuation of assets involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against market loss for each set of information bearing systems or information assets There are many components to asset valuation

    Principles of Information Security - Chapter 5

    Slide 21

    CBA: Loss Estimates


    Once the worth of various assets is estimated examine the potential loss that could occur from the exploitation of vulnerability or a threat occurrence This process results in the estimate of potential loss per risk The questions that must be asked here include:
    What damage could occur, and what financial impact would it have? What would it cost to recover from the attack, in addition to the costs above? What is the single loss expectancy for each risk?
    Principles of Information Security - Chapter 5 Slide 22

    CBA: ALE & ARO


    The expected value of a loss can be stated in the following equation:
    Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) where: SLE = asset value x exposure factor (EF)

    ARO is simply how often you expect a specific type of attack to occur, per year SLE is the calculation of the value associated with the most likely loss from an attack EF is the percentage loss that would occur from a given vulnerability being exploited
    Principles of Information Security - Chapter 5 Slide 23

    CBA: Formula
    CBA is whether or not the control alternative being evaluated is worth the associated cost incurred to control the specific vulnerability While many CBA techniques exist, for our purposes, the CBA is most easily calculated using the ALE from earlier assessments CBA = ALE(prior) ALE(post) ACS Where:
    ALE prior is the Annualized Loss Expectancy of the risk before the implementation of the control ALE post is the ALE examined after the control has been in place for a period of time ACS is the Annual Cost of the Safeguard
    Principles of Information Security - Chapter 5 Slide 24

    Benchmarking
    Rather than use the financial value of information assets, review peer institutions to determine what they are doing to protect their assets (benchmarking) When benchmarking, an organization typically uses one of two measures:
    Metrics-based measures are comparisons based on numerical standards Process-based measures examine the activities performed in pursuit of its goal, rather than the specifics of how goals were attained

    Principles of Information Security - Chapter 5

    Slide 25

    Due Care/Due Diligence


    When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances - this is referred to as a standard of due care Due diligence is the demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection Failure to support a standard of due care or due diligence can open an organization to legal liability
    Principles of Information Security - Chapter 5 Slide 26

    Best Business Practices


    Security efforts that provide a superior level of protection of information are referred to as best business practices Best security practices (BSPs) are security efforts that are among the best in the industry When considering best practices for adoption in your organization, consider the following:
    Does your organization resemble the identified target? Are the resources you can expend similar? Are you in a similar threat environment?

    Principles of Information Security - Chapter 5

    Slide 27

    Microsofts Ten Immutable Laws of Security


    1. If a bad guy can persuade you to run his program on your computer, its not your computer anymore 2. If a bad guy can alter the operating system on your computer, its not your computer anymore 3. If a bad guy has unrestricted physical access to your computer, its not your computer anymore 4. If you allow a bad guy to upload programs to your web site, its not your web site anymore 5. Weak passwords trump strong security
    Principles of Information Security - Chapter 5 Slide 28

    Microsofts Ten Immutable Laws of Security


    6. A machine is only as secure as the administrator is trustworthy 7. Encrypted data is only as secure as the decryption key 8. An out of date virus scanner is only marginally better than no virus scanner at all 9. Absolute anonymity isn't practical, in real life or on the web 10. Technology is not a panacea
    http://www.microsoft.com/technet/treeview/default.asp ?url=/technet/columns/security/10imlaws.asp
    Principles of Information Security - Chapter 5 Slide 29

    Problems
    The biggest problem with benchmarking in information security is that organizations dont talk to each other Another problem with benchmarking is that no two organizations are identical A third problem is that best practices are a moving target One last issue to consider is that simply knowing what was going on a few years ago, as in benchmarking, doesnt necessarily tell us what to do next
    Principles of Information Security - Chapter 5 Slide 30

    Baselining
    Baselining is the analysis of measures against established standards In information security, baselining is comparing security activities and events against the organizations future performance When baselining it is useful to have a guide to the overall process

    Principles of Information Security - Chapter 5

    Slide 31

    Organizational Feasibility
    Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization Above and beyond the impact on the bottom line, the organization must determine how the proposed alternatives contribute to the business objectives of the organization

    Principles of Information Security - Chapter 5

    Slide 32

    Operational Feasibility
    Addresses user acceptance and support, management acceptance and support, and the overall requirements of the organizations stakeholders Sometimes known as behavioral feasibility, because it measures the behavior of users One of the fundamental principles of systems development is obtaining user buy-in on a project and one of the most common methods for obtaining user acceptance and support is through user involvement obtained through three simple steps: Communicate Educate Involve
    Principles of Information Security - Chapter 5 Slide 33

    Technical Feasibility
    The project team must also consider the technical feasibilities associated with the design, implementation, and management of controls Examines whether or not the organization has or can acquire the technology necessary to implement and support the control alternatives

    Principles of Information Security - Chapter 5

    Slide 34

    Political Feasibility
    For some organizations, the most significant feasibility evaluated may be political Within organizations, political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest The limits placed on an organizations actions or behaviors by the information security controls must fit within the realm of the possible before they can be effectively implemented, and that realm includes the availability of staff resources
    Principles of Information Security - Chapter 5 Slide 35

    Risk Management Discussion Points


    Not every organization has the collective will to manage each vulnerability through the application of controls Depending on the willingness to assume risk, each organization must define its risk appetite Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility

    Principles of Information Security - Chapter 5

    Slide 36

    Residual Risk
    When we have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed or has not been completely shifted or planned for This remainder is called residual risk To express it another way,
    Residual Risk is a combined function of (1) a threat less the effect of some threat-reducing safeguards (2) a vulnerability less the effect of some vulnerability-reducing safeguards (3) an asset less the effect of some asset valuereducing safeguards.
    Principles of Information Security - Chapter 5 Slide 37

    Principles of Information Security - Chapter 5

    Slide 38

    Documenting Results
    At minimum, each information assetvulnerability pair should have a documented control strategy that clearly identifies any residual risk remaining after the proposed strategy has been executed Some organizations document the outcome of the control strategy for each information assetvulnerability pair as an action plan This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual
    Principles of Information Security - Chapter 5 Slide 39

    Recommended Practices in Controlling Risk


    We must convince budget authorities to spend up to the value of the asset to protect a particular asset from an identified threat Each and every control or safeguard implemented will impact more than one threat-asset pair

    Principles of Information Security - Chapter 5

    Slide 40

    Qualitative Measures
    The spectrum of steps described above was performed with real numbers or best-guess estimates of real numbers - this is known as a quantitative assessment However, an organization could determine that it couldnt put specific numbers on these values Fortunately, it is possible to repeat these steps using estimates based on a qualitative assessment Instead of using specific numbers, ranges or levels of values can be developed simplifying the process
    Principles of Information Security - Chapter 5 Slide 41

    Delphi Technique
    One technique for accurately estimating scales and values is the Delphi Technique The Delphi Technique, named for the Oracle at Delphi, is a process whereby a group of individuals rate or rank a set of information The individual responses are compiled and then returned to the individuals for another iteration This process continues until the group is satisfied with the result

    Principles of Information Security - Chapter 5

    Slide 42

    Evaluation, Assessment, and Maintenance of Risk Controls


    Once a control strategy has been implemented, the effectiveness of controls should be monitored and measured on an ongoing basis to determine the effectiveness of the security controls and the accuracy of the estimate of the residual risk

    Principles of Information Security - Chapter 5

    Slide 43

    You might also like