3600 Lecture4 Risk Management
Chapter 4
Risk Management
Risk identification
“The process of examining & documenting the security posture of an
organization’s information technology and the risks it faces.”
Risk assessment
“determination of the extent to which the organization’s information
assets are exposed or at risk.”
Risk control
“application of controls to reduce the risks to an organization’s data
and information systems.”
Risk Management
Three components: Risk Identification, Risk Assessment, Risk Control
Know yourself
Understand the technology and systems in your organization
Know the enemy
Identify, examine, and understand threats
Role of Communities of Interest
Information Security
Management and Users
Information Technology
Risk Identification Components
Asset Identification & Valuation
Threat Examples (threat category: examples)
Compromises to intellectual property: piracy, copyright infringement
Espionage or trespass: unauthorized access
Forces of nature: fire, flood, earthquake, lightning
Human error or failure: accidents, mistakes, etc.
Missing, inadequate, incomplete controls: training, privacy, ineffective policy
Deviation of quality of service: power and WAN quality of service
Sabotage or vandalism: destruction of systems or information
Using information from asset identification, assign a weighted score for the
value of each asset
Scale of 1 to 100
100 means loss of the asset would stop company operations
May use broad categories
NIST has some predefined categories
Problem
Five basic strategies
Defend: attempt to prevent the exploitation of the vulnerability
Three common methods
Application of policy
Education and training
Application of technology
Transfer: shift the risk to other areas or outside entities
Mitigate: reduce the impact should the vulnerability be exploited
Planning and preparation
Early detection
Quick, efficient, and effective response
Accept: choose to do nothing
Terminate: avoid those business activities that introduce uncontrollable risk
Selecting a Risk Control Strategy
Feasibility Studies
Explore the consequences
Cost Benefit Analysis (CBA)
Benchmarking and Best Practices
Baselining
Feasibility Studies