    • Information Systems Risk Assessment Framework (ISRAF) (Addendum of NIST SP 800-39 information systems risk management and revision of NIST SP 800-30). Prepared by S. Periyakaruppan (PK)
    • Need of Addendum/Revision? Ensure a converged and integrated process. Address the challenges in the traditional approach. Provide an adaptive and modular working model of information systems risk assessment. Improve the organization's risk-based decisions. Bring value addition to the business.
    • Should it get transformed? Why: To make risk management an integral part of business and project management and IT life cycle management. To facilitate a practical approach to addressing risk. To evolve a business-aligned approach. To tailor down the model from a domain-agnostic approach.
    • Does it need a Model/Framework? Evolve a descriptive process and systematic thinking. Meet emerging business demand and process convergence. Enhance communication among functional entities. Invoke a result-oriented approach. Predict results in the systematic model.
    • Assessing risk – What and Why: To identify the potential of a probable adverse impact arising from a weakness in the information systems. To support the business with risk-based decisions. To identify external and internal threat exposures to an organization from a nation or another organization, and vice versa. To monitor the on-going risk exposure of the organization. To observe the effectiveness of the information security program. To assist with metrics for information security program management.
    • Assessing risks – When: During architecture development (organization, process and information system). During functional and business systems integration. During all phases of the SDLC (systems acquisition and development life cycle). During acquisition of a new security or business/function solution. During modification of mission-critical/business-critical systems. During third-party vendor/product acquisition. During decommissioning of systems/functions/groups of the organization.
    • Risk framing – Model: Determine the uncertainty of the risk and the associated risk constraints. Define the risk tolerance, priorities and trade-offs. Determine the set of risk factors, the assessment scale and the associated algorithm for combining factors. Assist in precise risk communication and sketch out the boundaries of information system authorization. Enhance risk decisions with appropriate information. Incorporate de-duplication in the hierarchical risk management model. Determine the context of the entire risk assessment process/assessment/approach.
    • The Model/Framework – Frame (Context): Tier 1, Tier 2, Tier 3. The framework addresses the comprehensive risk management function in a hierarchical approach and leverages a context-centric approach.
    • The Focus – Assess, Respond, Monitor: Risk assessment is a key element of risk management. The risk assessment process in a modular approach: preparation checklist; activity checklist; protocol to maintain appropriate results of risk assessments; method of communicating risk results across the organization.
    • Strategy/Approach
    • Risk – Key concepts. Risk aggregate: consolidation of individual Tier 1/Tier 2/Tier 3 risks into cumulative risks to identify relationships among risks at various levels. Threat shifting: the dynamic variation of a threat source in response to the perceived countermeasures. Residual risk: tolerable risk remaining after mitigation, to the extent possible, to reduce the level of adverse impact to the organization. Adversarial risk: risk that has an adverse effect caused by adversarial threats. Adversarial threats: threats that have an intrinsic characteristic of direct adverse impact, e.g., business operation interruption. Non-adversarial threats: threats that have no direct or immediate threat impact, e.g., exposure of system errors, competitive intelligence gathering.
    • Risk – Key factors. Threat event: a possible adverse impact through a potential circumstance/event to the organization from a nation or another organization, and vice versa. Threat source: the intent and the method of exploitation or attack vector. Likelihood: the probability of a threat becoming reality. Vulnerability: a flaw in an information system that can lead to a potential threat. Adverse impact: the negative consequences/damage to the business/organization/nation caused by an exercised vulnerability. Predisposing condition: the existing and known lack of controls or inadequate countermeasures in the available solution. Risk: the measure/unit of the extent to which an entity is threatened by a potential circumstance.
    • Assessing Risk – High Level Process: Step 1 Prepare for assessment; Step 2 Conduct assessment; Step 3 Communicate results; Step 4 Maintain risk posture.
    • Prepare for Assessment
    • Conducting Assessment. Step 1 – Identify threat sources and events: intent, target, capability; capability of adversaries; range of effects. Step 2 – Identify vulnerabilities and predisposing conditions: effect of existing controls; intentional/accidental flaw or weakness in the system/process. Step 3 – Determine likelihood of occurrence: depends on the degree of Step 1 and the effect of Step 2. Step 4 – Determine magnitude of impact: result of the BIA; depends on effective BCP/DR, MTTR/MTBF, RTO/RPO. Step 5 – Determine risk: risk is the combination of Step 3 and Step 4.
    • Method of Risk Analysis. Threat oriented: identify threat source and event; develop threat scenario and model; identify vulnerabilities in the context of threats. Vulnerability oriented: identify predisposing conditions; identify exploitable vulnerabilities; identify threats related to the known/open vulnerabilities. Asset/Impact oriented: identify mission/business critical assets; analyze the consequences of the adversarial threat event; identify vulnerabilities to the threat events/scenarios of critical assets with severe adverse impact.
    • Method of Risk Assessments. Qualitative: objective oriented assessment; uses non-numerical values to define risk factors; likelihood and impact given a definite value based on individual expertise. Quantitative: subjective oriented approach; uses numerical values to define risk factors; likelihood and impact given a definite number based on the history of events. Semi-quantitative: contextual analysis and result oriented approach; uses bin values (numerical ranges) with unique meaning and context; likelihood and impact derived from a range of numerical values with a degree of unique context.
    • Sample Assessment Scale (Qualitative / Quantitative / Semi-Quantitative). Caution: the assessment scales and their descriptive meanings vary from organization to organization, and within an organization at its discretion, according to the organizational culture and its policies and guidelines.
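An added worked example (not from the original deck) of the five conducting steps and a semi-quantitative scale, in Python. The 0-100 bins, the likelihood-by-impact matrix and the rule that overall likelihood is the lower of initiation and success are constructed assumptions in the spirit of NIST SP 800-30, not values the deck gives; the risk aggregate rolls Tier 3/2/1 events up to the highest level per tier, and the prioritized list feeds the communicate-results step.

```python
from dataclasses import dataclass

# Constructed semi-quantitative scale (assumed for this example; the deck notes
# scales vary by organization). Each bin: (label, low score, high score), 0-100.
SCALE = [("Very Low", 0, 4), ("Low", 5, 20), ("Moderate", 21, 79),
         ("High", 80, 95), ("Very High", 96, 100)]
LEVELS = [label for label, _, _ in SCALE]  # ordered lowest -> highest
# Constructed likelihood x impact matrix (rows: likelihood bin, columns: impact
# bin in LEVELS order); a sample combination rule, not one given on the page.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

def to_bin(score: int) -> str:
    """Map a 0-100 score to its bin label; reject out-of-range input."""
    for label, low, high in SCALE:
        if low <= score <= high:
            return label
    raise ValueError(f"score outside 0-100: {score}")

@dataclass
class ThreatEvent:
    name: str
    tier: int        # 1 = organization, 2 = mission/process, 3 = system
    initiation: int  # Step 1: likelihood the threat source initiates the event
    success: int     # Step 2: likelihood it succeeds given existing controls
    impact: int      # Step 4: magnitude of adverse impact from the BIA

def likelihood(ev: ThreatEvent) -> str:
    """Step 3: the event must be initiated AND succeed, so take the lower bin."""
    return min(to_bin(ev.initiation), to_bin(ev.success), key=LEVELS.index)

def risk(ev: ThreatEvent) -> str:
    """Step 5: combine likelihood (Step 3) with impact (Step 4) via the matrix."""
    return RISK_MATRIX[likelihood(ev)][LEVELS.index(to_bin(ev.impact))]

def aggregate(events: list[ThreatEvent]) -> dict[int, str]:
    """Risk aggregate: roll each tier up to the highest risk among its events."""
    out: dict[int, str] = {}
    for ev in events:
        out[ev.tier] = max(out.get(ev.tier, "Very Low"), risk(ev), key=LEVELS.index)
    return out

def prioritize(events: list[ThreatEvent]) -> list[str]:
    """Event names ordered highest risk first, for the communicate-results step."""
    return [e.name for e in sorted(events, key=lambda e: LEVELS.index(risk(e)), reverse=True)]
```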
    • Communicate Result. Communicate to the designated organizational stakeholders: format defined by the organization; executive briefings; presenting illustrative risk figures; risk assessment dashboards; sketch out the prioritized risks. Furnish evidence complying with organizational policies and guidelines: identify the appropriate authority; ensure the right information reaches the right person at the right time; present contextual information in accordance with the organizational risk strategy. Determine the appropriate method of communication: capture the appropriate analysis data supporting the result; include applicable supporting documents to convey the degree of the results; identify and document the sources of internal and external information.
    • Maintain Risk Posture. Reconfirm the scope and assumptions: get the concurrence of the appropriate authorities on scope and assumptions; document the plan of action with respect to the risk response. Identify key risk factors: monitor the key risk factors; document the variations; re-define the key risk factors when needed. Define the frequency of revisit: track the risk response as required; initiate the assessment when needed; communicate the results to organizational entities.
    • Applications of Risk Assessment. Information risk strategy decisions. Contribute to EA design decisions. IS policy/program/guidance decisions. Common control/security standards decisions. Help risk response – avoid/accept/mitigate/transfer. Investment decisions – ROSI (Return on Security Investment)/VaR (Value at Risk)/ALE (Annual Loss Expectancy). Support EA (Enterprise Architecture) integration into SA. Assist in business/function information continuity decisions. Assist in business process resiliency requirements. Contribute to IS systems design decisions. Support vendor/product decisions. Support on-going system operations authorizations.
    • Risk Assessment in the RMF life cycle. [Figure: risk assessment placed within the six-step RMF life cycle.]
    • Organizational cultural effects on risk assessment. Risk models differ based on priorities and trade-offs with respect to the predisposing condition of the organizational culture. Determination of risk factors and their valuation, whether as constant values or by a qualitative approach, depends on the organizational culture. Determination of the risk assessment approach and the analysis approach depends on the organizational culture. The assessment and analysis approach may vary within an organization across different tiers.