File000170
Transcript

  • 1. Module LVII - Risk Assessment
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Taxpayer Data at IRS Remains Vulnerable, GAO Warns
    January 13, 2009 (Computerworld)
    Less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial Internal Revenue Service systems, the IRS's security practices have been panned by another government entity. This time, the criticism comes from the Government Accountability Office, which last week released a report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous GAO audit. The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues, several critical areas remain vulnerable. For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be "readily available" to any user on its networks. Weak passwords and excessive access on the network for authenticated users were also cited as potential threats to taxpayer data.
    Source: http://www.computerworld.com/
  • 3. Module Objective
    This module will familiarize you with:
    • Risk
    • Security Planning
    • Risk Management
    • Risk Analysis
    • Risk Policy
    • Risk Assessment
    • Approval to Operate (ATO) and Interim Approval to Operate (IATO)
    • Risk Assessment Process
    • Analyze Threats and Vulnerabilities of an Information System
    • Residual Risk
    • Cost/benefit Analysis
    • Risk Acceptance
    • Risk Analysts
    • Risk Mitigation
    • Role of Documentation in Reducing Risk
  • 4. Module Flow
    • Risk
    • Security Planning
    • Risk Management
    • Risk Analysis
    • Risk Policy
    • Risk Assessment
    • ATO and IATO
    • Risk Assessment Process
    • Analyze Threats and Vulnerabilities of an Information System
    • Residual Risk
    • Cost/benefit Analysis
    • Risk Acceptance
    • Risk Analysts
    • Risk Mitigation
    • Role of Documentation in Reducing Risk
  • 5. Risk
    Risk is a measure of possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
    It refers to a possibility of loss resulting from a hazard, security incident, or event
    It adversely affects the organization’s operations and revenues
    Risk = (Probability of event occurring) × (Impact of event occurring)
  • 6. Security Planning
    Security planning helps in managing and reducing the probability of risk
    Security planning involves:
    • Risk Analysis
    • Roles and responsibilities of the team/personnel
    • Configuration of the system
    • Antivirus controls and Intrusion Detection
    • Physical Security
    • Network Security
    • Data access
    • Outsourcing
    • Policies and Procedures
    • Planning a Team
  • 7. Risk Management
    Risk Management is the process of identifying risk, addressing risk, and taking steps to eliminate or reduce risk to an acceptable level
    Risk management involves:
    • Identifying risks
    • Analyzing risks
    • Developing strategies to manage identified risks
    • Implementing risk mitigation plans
    • Managing efforts accordingly
  • 8. Importance of Risk Management
    • Protects an organization’s information assets
    • Protects the organization and enables it to accomplish its task
    • Minimizes the effect of risk on an organization’s assets and earnings
    • Creates new corporate value
    • Helps organizations to control IT security system related mission risks
    • Allows organizations to balance the operational and financial costs of the protective measures
    • Helps the organization’s management to identify the suitable controls for security capabilities essential for any task
  • 9. Principle of Risk Management
    • Risk Avoidance: a practice of coming up with other options so that the risk in question is not realized
    • Risk Transfer: a practice of transferring the risk in question to another entity
    • Risk Mitigation: includes all the procedures and practices to eliminate or considerably decrease the level of risk
    • Risk Acceptance: in some cases, it is vital for an organization to accept the risk present in some entities; risk acceptance is a practice of accepting some risks
  • 10. IT Security Risk Management
    IT security risk management comprises:
    • Risk mitigation process: provides information regarding “how to reduce exposure to identified risks”
    • Risk domains: detect the source of primary and secondary attacks
    • Risk exposure: provides an analysis of risk exposure to threats or vulnerabilities
    • Risk analysis: provides an end-to-end method for risk mitigation
  • 11. Risk Analysis
    Risk analysis is the method that defines procedures through which an organization can survive or reduce the probability of risks
    It helps in analyzing five elements:
    • Assets (resources of an organization)
    • Disruptive events (disaster or threat to an organization)
    • Vulnerabilities (weakness of an organization)
    • Losses (due to the occurrence of the disaster)
    • Safeguards (preventive measures against vulnerabilities)
  • 12. Business Impact Analysis (BIA)
    Step-by-step approach to conduct a successful Business Impact Analysis (BIA):
    • Define potential system threats and the probability at which they may occur
    • Discover the Maximum Acceptable Outage (MAO) for each system
    • Estimate the cost to identify and recover operations for each system
    • Approximate the impacts such as financial, revenue, and non-revenue impacts related to each system
    • Define the systems which have cross dependencies
    • Categorize each system as business critical, important, or non-critical
    • Define critical business systems operated by your organization
    • Define gross profit and net profit generated by your organization in the year
  • 13. Roles and Responsibilities of All the Players in the Risk Analysis Process
    The organization divides its targets by distributing the responsibilities within the team
    The team involves senior personnel who undertake the responsibility of considering even minute details of the project
    The roles and responsibilities of team members or the employees are as follows:
    • Chief Administrative Officer/Information Resources Manager:
      • Checks the level of security to manage the risks
      • Establishes the risk management process
      • Ensures that the information resources meet the audit requirements and engages employees at all levels to implement policies and procedures
      • Prepares the disaster recovery plan for information resources and maintains it
  • 14. Roles and Responsibilities of All the Players in the Risk Analysis Process (cont’d)
    • Information Resources Security Officer:
      • Identifies threats and vulnerabilities
      • Identifies restricted, sensitive, and unrestricted information resources
      • Develops and maintains risk management processes, disaster recovery/contingency planning for information, and updated security procedures
    • Owners of Information Resources:
      • Assess information and identify the risk
      • Classify the information
      • Approve access to information for the restricted employees
      • Plan contingencies to recover data
    • Custodian:
      • Implements security controls determined by the owner
      • Provides administrative access and preventive measures to information resources
  • 15. Roles and Responsibilities of All the Players in the Risk Analysis Process (cont’d)
    • Technical Management:
      • Ensures technical support is provided by using cost-effective controls
      • Develops and maintains contingency plans
      • Develops procedures to report on monitored controls
    • Security Administrators:
      • Assist the other personnel to implement the security plan
      • Assist in updating the software or hardware and brief personnel on the vulnerabilities
      • Maintain user accounts, passwords, keys, etc.
    • Internal Auditor:
      • Calculates the effectiveness of security controls
      • Provides security policies, standards, and guidelines
      • Examines security controls that are planned and participates in the risk analysis process
  • 16. Risk Analysis and/or Vulnerability Assessment Components
    Vulnerability assessment is the evaluation of the current security features (personnel involvement and policies and procedures) of the organization
    The vulnerability assessment report provides a clear idea of the current weaknesses of an organization
    Questionnaires and surveys of the computer users are an important part of a vulnerability assessment
    Questioning the users should be based on the standards, policies, and guidelines
  • 17. Risk Policy
    Risk policy is a set of ideas of what to do in particular conditions that have been approved authoritatively by a group of people, a business organization, or government
    Risk policy includes:
    • Rules of behavior for the computer system and the consequences of violating those rules
    • Personnel and technical controls for the computer system
    • Methods for identifying, properly limiting, and controlling interconnections with other systems, and particular methods to monitor and manage such limits
    • Procedures for the ongoing training of employees who are authorized access to the system
    • Procedures for the ongoing monitoring of the efficiency of the security controls
    • Provisions for continuing support if there is an interruption in the system or the system crashes
  • 18. Risk Assessment
    Risk assessment is the process of identifying and assessing resources that pose a threat to the business or project environment
    It is a qualitative and/or quantitative evaluation of the likelihood and consequences of a risk
    It is the first step in a risk management methodology
    The output of the risk assessment process helps to identify suitable controls for reducing or eliminating risk during the risk mitigation process
  • 19. Importance of Risk Assessment
    • Identifies and prioritizes security risk to critical information assets and key business processes
    • Determines the extent of the possible threat, vulnerability, and risk related to an IT system
    • Determines the probability of adverse events and threats to an IT system
    • Identifies appropriate controls for reducing or eliminating risk throughout the risk mitigation process
  • 20. Approval to Operate (ATO) and Interim Approval to Operate (IATO)
    • Approval to Operate (ATO): a formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk
    • Interim Approval to Operate (IATO): a provisional approval for a system to operate if a set of mitigating conditions require that the system be turned on even though the risk is unacceptable
  • 21. Importance of Risk Assessment to Obtain an IATO and ATO
    The DAA’s decision to grant an IATO/ATO is based on the perception of an efficient and effective allocation of risk assessment resources at the subsystem level during development and implementation of information systems
    A proper risk assessment helps in assessing and evaluating the level of risk, residual risks, and remedies for risks that are essential prerequisites for obtaining an IATO/ATO
    A comprehensive risk assessment policy and infrastructure implemented in an organization assures the designated approving authority that the organization’s information systems will operate within an accepted risk level
  • 22. Risk Assessment Methodology
    Risk assessment methodology provides the following guidelines:
    • Develop the risk assessment team
    • Set the scope of the project
    • Identify assets covered by the assessment
    • Classify potential losses
    • Identify threats and vulnerabilities
    • Identify existing controls
    • Analyze the data
    • Determine cost-effective safeguards
    • Generate the report
  • 23. Information Sources for Risk Assessments
    While assessing risk, it is important to base decisions on information sources, which include:
    • Any written information
    • Interviews and discussion
    • Direct observation
    • Work study techniques
    • Personal experience
    • Acts and regulations
    • Manufacturers’ instructions
    • Accident statistics
    • Task analysis
  • 24. Risk Assessment Process
    • Characterize the IT system
    • Identify the threats
    • Identify the vulnerabilities
    • Analyze the controls
    • Determine the likelihood
    • Analyze the impact of threats
    • Determine the level of risk to the IT system
    • Recommend the controls to mitigate the identified risks
    • Document the results
  • 25. Risk Assessment Process (cont’d)
    Inputs and outputs of the first four steps:
    • Characterize the IT system
      • Input: hardware and software; system interfaces; data and information; people; system mission
      • Output: system boundary; system functions; system and data sensitivity
    • Identify the threats
      • Input: history of system attack; data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
      • Output: threat statement
    • Identify the vulnerabilities
      • Input: reports from prior risk assessments; any audit comments; security requirements; security test results
      • Output: list of potential vulnerabilities
    • Analyze the controls
      • Input: current controls; planned controls
      • Output: list of current and planned controls
  • 26. Risk Assessment Process (cont’d)
    Inputs and outputs of the remaining steps:
    • Determine the likelihood
      • Input: threat-source motivation; threat capacity; nature of vulnerability; current controls
      • Output: likelihood rating
    • Analyze the impact of threats
      • Input: mission impact analysis; asset criticality assessment; data criticality; data sensitivity
      • Output: impact rating
    • Determine the risk
      • Input: likelihood of threat exploitation; magnitude of impact; adequacy of planned or current controls
      • Output: risks and associated risk levels
    • Recommend the controls
      • Output: recommended controls
    • Document the results
      • Output: risk assessment report
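As an added example (not code from the EC-Council deck), the following Python turns the inputs of the likelihood, impact and risk-determination steps above into a likelihood rating, an impact rating and a risk level for each threat-source/vulnerability pair, then orders the results highest risk first. The weights and the three-by-three risk-level matrix are those of NIST SP 800-30 (likelihood 1.0/0.5/0.1, impact 100/50/10, risk High above 50, Medium above 10, Low otherwise); the rule that combines threat-source motivation and capability with the effectiveness of current controls is an assumption modelled on that guide's likelihood definitions, and the observations are constructed sample data.

```python
"""Risk-level determination for the 'determine the likelihood', 'analyze the
impact' and 'determine the risk' steps of the risk assessment process.

Added example, not code from the slide deck. Weights and the risk-level matrix
follow NIST SP 800-30; the likelihood rule is an assumption, and the
observations at the bottom are constructed sample data.
"""
from dataclasses import dataclass

# NIST SP 800-30 likelihood and impact weights
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Observation:
    """One threat-source / vulnerability pair with the inputs of the likelihood and impact steps."""
    number: int
    threat_source: str
    vulnerability: str
    current_controls: str
    motivated: bool             # threat-source motivation
    capable: bool               # threat capacity
    control_effectiveness: str  # "none", "partial" or "strong" against this vulnerability
    impact: str                 # impact rating from the mission/asset/data criticality analysis


def rate_likelihood(motivated: bool, capable: bool, control_effectiveness: str) -> str:
    """Likelihood rating (assumption, modelled on the SP 800-30 definitions):
    High   - motivated and capable threat-source, controls ineffective
    Medium - motivated and capable, but controls may impede exploitation
    Low    - threat-source lacks motivation or capability, or controls prevent it
    """
    if control_effectiveness not in ("none", "partial", "strong"):
        raise ValueError(f"unknown control effectiveness: {control_effectiveness!r}")
    if not (motivated and capable) or control_effectiveness == "strong":
        return "Low"
    return "Medium" if control_effectiveness == "partial" else "High"


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact weight (1 .. 100)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Bucket a score with the SP 800-30 risk-level matrix."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(observations: list) -> list:
    """Rate every observation and return the rows highest risk first.
    Each row carries the per-observation fields a risk assessment report needs."""
    rows = []
    for ob in observations:
        likelihood = rate_likelihood(ob.motivated, ob.capable, ob.control_effectiveness)
        score = risk_score(likelihood, ob.impact)
        rows.append({
            "number": ob.number,
            "pair": f"{ob.threat_source} / {ob.vulnerability}",
            "existing_controls": ob.current_controls,
            "likelihood": likelihood,
            "impact": ob.impact,
            "score": score,
            "risk_level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample observations (not real findings)
SAMPLE = [
    Observation(1, "External attacker", "Weak password rules on a user-facing system",
                "Password length policy only", True, True, "partial", "High"),
    Observation(2, "Disgruntled insider", "Credentials readable by any network user",
                "None", True, True, "none", "High"),
    Observation(3, "Flood", "Server room on ground floor",
                "Raised floor and drainage", False, True, "strong", "Medium"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(f"#{row['number']} {row['risk_level']:6} ({row['score']:>5}) {row['pair']}")
```

The sorted rows are the "risks and associated risk levels" output of the determine-the-risk step; each row already holds the observation number, threat-source/vulnerability pair, existing controls, likelihood and impact ratings and risk rating that the report later documents.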
  • 27. Develop Policy and Procedures for Conducting a Risk Assessment
    Senior management in the organization develops the policies and procedures to safeguard the IT system over the long term according to the business objectives
    They implement controls to reduce the expected losses from attackers, intruders, and hackers:
    • Preventive controls:
      • Use only certified copies of software files or data
      • Implement read-only access over software
      • Check new software with anti-virus before it is installed
      • Educate the users about dangerous viruses and Trojans
    • Detective controls:
      • Frequently run anti-virus software to detect infections
      • Implement and regulate date and time stamps of updates, modifications, and user access to the operating system, server, network, Internet, etc.
    • Corrective controls:
      • Ensure that a clean backup is maintained
      • Maintain a good documentation plan for backup and recovery
      • Run anti-virus software to eliminate infection on the IT system
  • 28. Write Risk Assessment Reports
    Once the risk assessment process is completed, the results should be documented briefly in an official report
    The risk assessment report is a complete report of the assessment process which helps the organization’s management in making decisions on policy, procedural, budget, system operational, and management changes
    The report should be presented in a proper manner so that the organization’s management can easily understand the risks and assign resources to reduce or avoid potential losses
  • 29. Write Risk Assessment Reports (cont’d)
    The risk assessment report should include:
    • Observation number and a brief description of the observation
    • A discussion of the threat-source and vulnerability pair
    • Identification of the existing mitigating security controls
    • Likelihood discussion and evaluation
    • Impact analysis discussion and evaluation
    • Risk rating based on the risk-level matrix
    • Recommended controls or alternative options for reducing the risk
  • 30. Coordinate Resources to Perform a Risk Assessment
    • Senior Management: responsible for mission accomplishment and for applying the necessary resources to develop the capabilities needed to accomplish the mission
    • Chief Information Officer: responsible for the organization’s IT planning, budgeting, and performance of information security elements
    • System and Information Owners: responsible for ensuring that appropriate controls are in place to address integrity, confidentiality, and availability of the IT systems
    • Business and Functional Managers: responsible for business operations and the IT procurement process, and also take part in the risk management process
    • IT Security Program Managers: responsible for the organization’s security programs such as risk management
    • IT Security Practitioners: responsible for suitable implementation of security requirements in their IT systems
  • 31. Risk Assessment Plan
    A risk assessment plan is a document prepared by senior management to predict risks, to estimate their effectiveness, and to create response plans to mitigate them
    It also contains the risk assessment matrix that is used in the risk assessment process
    Senior management assesses the risks continually and develops plans to address them
    It contains an analysis of the expected risks with both high and low impact, as well as mitigation strategies to keep the project from derailing
  • 32. Analyze Threats and Vulnerabilities of an Information System
    • Threat-source: any incident or event with the potential to cause harm to an IT system
    • Threat: the potential for a specific threat-source to effectively exercise a particular vulnerability
      • Common threat sources:
        • Natural threats: floods, earthquakes, tornadoes, landslides, etc.
        • Human threats: unintentional acts or deliberate actions
        • Environmental threats: long-term power failure, pollution, chemicals, etc.
    • Vulnerability: a weakness that can be accidentally triggered or intentionally exploited
  • 33. Analyze Threats and Vulnerabilities of an Information System (cont’d)
    Threat Analysis:
    • Identify and develop a list of potential threat-sources
    • Develop a practical estimation of the resources and capabilities that may be needed to carry out an attack
    • Obtain known threats from government and private sector organizations
  • 34. Analyze Threats and Vulnerabilities of an Information System (cont’d)
    Vulnerability Analysis:
    • Develop a list of system flaws and weaknesses through site investigations, interviews with employees accountable for the system, and network scanning tools
    • Some practical methods to gather vulnerability information:
      • Automated vulnerability scanning
      • Network mapping
      • Security testing and evaluation
      • Penetration testing
  • 35. Residual Risk
    The residual risk is the risk or danger still remaining even after the implementation of new or enhanced controls
    Residual Risk = (Inherent Risk) × (Control Risk)
    • where Inherent Risk = (threats × vulnerability)
    [Figure: new or enhanced controls lead to residual risk by reducing the number of flaws or errors, adding a targeted control, or reducing the magnitude of impact]
  • 36. Residual Risk
    Residual risk means the risk remaining after the implementation of the risk control process
    Risk with a higher strategic impact should be effectively controlled in order to keep the residual risk acceptable
    Risk with a lower strategic impact needs less risk control
    The level of acceptable residual risk depends on senior management’s risk appetite and differs for each organization
  • 37. Residual Risk (cont’d)
    [Figure: residual risk plotted as Impact of Risk against Level of Risk Control (quality level), from Start through Low, Medium, and High levels of control]
  • 38. Residual Risk Policy
    Residual risk policy considers economic, social, and political factors in addition to risk
    This policy may have an effect on all sources within the category of the applicability criteria
    This policy may specify:
    • Control equipment
    • Performance such as ambient concentrations, emission rates, and percent reduction
    • Work practices
  • 39. Residual Risk Standard: ISO/IEC 27005:2008
    The ISO/IEC 27005:2008 standard provides security guidelines for information security risk management
    It supports the general concepts specified in ISO/IEC 27001
    It helps to successfully implement information security based on a risk management approach
    This standard is relevant for all types of organizations to manage accidental threats caused by the use of applications of IT systems
    Knowledge of the concepts, procedures, models, and terminology specified in ISO/IEC 27001 and ISO/IEC 27002 is fundamental for understanding ISO/IEC 27005:2008
  • 40. Cost/Benefit Analysis
    A cost/benefit analysis is conducted for each proposed control after identifying all possible controls, to find out which controls are required and suitable for the organization’s conditions
    It can be qualitative or quantitative
    It helps the organization in making a decision on which risk mitigation option to use
    The main aim of cost/benefit analysis is to show that the costs of implementing the controls can be justified by the reduction in the level of risk
    For example, the organization does not want to waste $1,000 on a control to reduce a $200 risk
  • 41. Cost/Benefit Analysis (cont’d)
    A cost/benefit analysis for enhanced controls includes:
    • Determining the impact of implementing and of not implementing the new or enhanced controls
    • Estimating the costs of the implementation, such as:
      • Hardware and software purchases
      • Reduced operational effectiveness
      • Cost of implementing added policies and procedures
      • Cost of hiring extra personnel to implement planned policies and procedures
      • Training and maintenance cost
    • Evaluating the implementation costs and benefits against system and data criticality
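As an added example (not code from the EC-Council deck), the following Python applies the deck's own formulas to the decision the cost/benefit slides describe: risk as probability × impact, residual risk as inherent risk × control risk, and a control justified only when the risk it removes exceeds what it costs, so the $1,000 control against a $200 risk is rejected. Modelling control risk as the fraction of the inherent risk a control leaves behind is an assumption, and the controls, costs and probabilities are constructed.

```python
"""Quantitative cost/benefit check for proposed controls.

Added example, not code from the slide deck. It uses the deck's formulas
Risk = P(event) x Impact and Residual Risk = Inherent Risk x Control Risk,
treats (inherent - residual) as the annual benefit of a control, and compares
that benefit with the control's annual cost. Control risk as 'fraction of the
inherent risk left after the control' is an assumption; all figures below are
constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    name: str
    annual_cost: float   # hardware/software, policies, personnel, training, maintenance
    control_risk: float  # fraction of the inherent risk remaining once the control is in place

    def __post_init__(self):
        if not 0.0 <= self.control_risk <= 1.0:
            raise ValueError("control_risk must be between 0 and 1")


def inherent_risk(probability: float, impact: float) -> float:
    """Expected annual loss without the control: P(event) x Impact."""
    return probability * impact


def residual_risk(inherent: float, control: Control) -> float:
    """Risk still remaining after the control: Inherent Risk x Control Risk."""
    return inherent * control.control_risk


def net_benefit(probability: float, impact: float, control: Control) -> float:
    """Risk reduction bought by the control minus what the control costs."""
    inherent = inherent_risk(probability, impact)
    reduction = inherent - residual_risk(inherent, control)
    return reduction - control.annual_cost


def evaluate(probability: float, impact: float, controls: list) -> list:
    """Cost/benefit row for each proposed control, best net benefit first."""
    rows = []
    for c in controls:
        nb = net_benefit(probability, impact, c)
        rows.append({"control": c.name, "cost": c.annual_cost,
                     "net_benefit": nb, "justified": nb > 0})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def recommend(probability: float, impact: float, controls: list) -> Optional[str]:
    """Name of the control with the highest positive net benefit, or None when
    accepting the risk is cheaper than every control on offer."""
    if not controls:
        return None
    best = evaluate(probability, impact, controls)[0]
    return best["control"] if best["justified"] else None


# Constructed scenario: a 20% annual chance of a $1,000 loss, i.e. a $200 risk
P_EVENT, IMPACT = 0.2, 1000.0
PROPOSED = [
    Control("Expensive appliance", annual_cost=1000.0, control_risk=0.10),  # the deck's $1,000 control
    Control("Policy and training", annual_cost=50.0, control_risk=0.25),
    Control("Token gesture", annual_cost=30.0, control_risk=0.90),
]

if __name__ == "__main__":
    for row in evaluate(P_EVENT, IMPACT, PROPOSED):
        verdict = "justified" if row["justified"] else "not justified"
        print(f"{row['control']:22} cost {row['cost']:8.2f}  net {row['net_benefit']:8.2f}  {verdict}")
    print("recommended:", recommend(P_EVENT, IMPACT, PROPOSED))
```

When no proposed control has a positive net benefit, `recommend` returns `None`, which is the cost/benefit case for the risk acceptance decision discussed later in the module rather than for buying a control.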
  • 42. Cost/Benefit Analysis for Information Assurance
    According to the U.S. Government's National Information Assurance Glossary, information assurance is defined as:
    • “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation”
  • 43. Cost/Benefit Analysis for Information Assurance (cont’d)
    Benefits of Information Assurance:
    • Net Benefits = (Expected Collaboration Benefits – Degraded Benefits without Assurance) – Total Costs of Information Assurance
    [Figure: cost of information assurance model, relating Level of Collaboration, Information Assets, Assurance Policy (tools, processes, practices), Security Risks, Threats and Vulnerabilities, Benefits, and Net Benefits]
  • 44. Importance of Cost/Benefit Analysis for Information Assurance
    • Helps to identify critical information assets and finds out the upper limit of total costs of information assurance
    • Establishes the collaboration objectives with the security of information assets as a high priority
    • Verifies information assurance requirements
    • Provides a roadmap for upcoming collaborative information assurance requirements
    • Helps to find out the cost spent on information security to deliver the desired information assurance
  • 45. Cost/Benefit Analysis Procedure
    • Define objectives and project scope
    • Identify project options
    • Identify costs and benefits
      • Identify quantitative costs
      • Identify quantitative benefits
      • External costs and benefits
      • Equity and broader distributional considerations
      • Presenting incremental costs and benefits
    • Discount future costs and benefits
    • Calculate the decision criteria
    • Sensitivity analysis
    • Identify preferred option
    • Prepare report
      • Full evaluation report
      • Summary reporting
  • 46. Cost/Benefit Analysis Procedure (cont’d)
    Flow of the procedure:
    • Define objectives and project scope
    • Identify project options
    • Identify unquantified costs and benefits
    • Identify quantified benefits
    • Identify quantified costs
    • Discount future costs and benefits
    • Calculate the decision criteria
    • Undertake sensitivity tests
    • Identify preferred option
    • Prepare the report
  • 47. Risk Acceptance
    In some cases, it is vital for the organization to accept the risk present in some entities
    Risk acceptance is a practice of accepting some risks based on a business decision
    It is a part of the risk treatment decision-making process in which the organization has to decide whether the system can continue with a particular risk
    The decision about risk acceptance is made by the organization’s committee
  • 48. Risk Acceptance (cont’d)
    Risk acceptability depends on:
    • Financial capacity of the organization to absorb the consequences of risk
    • Level of conservatism of the decision maker
    • Quantity of the risk inherent in the business activity normally carried out by the organization
    • Diversity of the business
    • Extent to which risk can be transferred or reduced
  • 49. Risk Acceptance Process
    • Develop a risk acceptance statement for remaining exposures:
      • The responsible manager prepares a statement about the acceptable risks and sends it to higher management
      • The statement includes detailed information on the associated risk, loss potential, and review procedures
    • Approve the risk acceptance statement:
      • After completing the risk acceptance statement, it is submitted to the corporate information risk group and other interested parties for review and approval
      • The corporate information risk group approves the risk acceptance after reviewing the risk acceptance statement
    • Document results:
      • All the outcomes of the risk acceptance process are documented and paper copies of the risk acceptance statements are maintained
  • 50. Management’s Risk Acceptance Posture
    Management’s decision on risk acceptance is based on a selection from a range of alternatives
    Businesses take risks in the hope of resulting profits
    The role of the security manager is to help management in controlling risks which management considers unacceptable
    Business risks can be dealt with by:
    • Adopting alternative procedures and processes that may reduce the need for security
    • Buying insurance, which is also a way to guard against the failure of security efforts
    • Installing security schemes, one of the best ways to minimize risks and the effects of threats
    • Accepting the risks as a cost of doing business, an alternative way to manage potential losses
  • 51. Risk Assessment and Countermeasures
    Various controls are implemented in the risk assessment process to reduce mission risk, such as:
    • Technical security controls: used to protect against given types of threats
    • Management security controls: used in combination with technical and operational controls, and implemented to manage and reduce the risk of loss and to protect an organization’s mission
    • Operational security controls: implemented by the organization in accordance with an available set of requirements and good organizational practices
  • 52. Risk Analysts
    Risk analysts identify and quantify the risks faced by an organization or business unit and estimate the financial and other impacts of adverse circumstances
    A risk analyst’s report contains the following points:
    • Summary and conclusions
    • Objectives and scope
    • Limitations, assumptions, and justification of hypotheses
    • Description of relevant parts of the system
    • Analysis methodology
    • Hazard identification results
    • Models used, including assumptions and validation
    • Data and their sources
    • Risk estimation results
    • Sensitivity and uncertainty analysis
    • Discussion of results (including discussion of analytic difficulties)
    • References
  • 53. Risk Mitigation
    Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat
    These may range from physical measures to financial measures
    Risk managers start with risk analysis, then seek to take actions to mitigate the risks
    Risk mitigation efforts may involve direct costs such as increased capital expenditure on incident handling and response
  • 54. Risk and Certification/Accreditation of Information Systems
    Certification and accreditation ensure that the information systems are operating under an acceptable risk level, which in turn helps in planning risk mitigation strategies
    They help in building the trust of stakeholders in the organization and in mitigating intangible risks such as loss of customers and reputation
    They motivate organizations to deliver quality products and services
  • 55. Role of Documentation in Reducing Risk
    Proper documentation of the risk analysis reduces the risk and enables people to handle awkward situations
    Documentation of risk analysis is a direct input to the risk management process
    It helps in reviewing potential threats and vulnerabilities promptly
    It is a reminder about the anticipated errors that may occur while setting up the critical information systems
  • 56. Summary
    Risk is a measure of possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
    Risk management is the process of identifying risk, addressing risk, and taking steps to eliminate or reduce risk to an acceptable level
    Risk assessment is the process of identifying and assessing resources that pose a threat to the business or project environment
    The residual risk is the risk or danger remaining after the implementation of new or enhanced controls
    Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat