Review of Enterprise Security Risk
Management
Rand W. Hirt CISSP, CISA
Sr. Systems Security Specialist
Let’s start with the basics…
Let’s define Risk (from a security perspective):
Risk = Likelihood of an occurrence of an adverse event
(probability) x impact of the adverse event should
it occur (value).
Thus, the measure of Risk is the product of threat,
vulnerability and asset values.
Risk Management concept
Therefore, Risk Management is defined as:
RM = the identification, selection and adoption of
countermeasures to mitigate identified risks to
assets and the reduction of those risks to
acceptable levels, as determined by key
stakeholders and executive management.
Risk Management, cont.
Once Risk levels have been determined, Risk is
treated in one of several ways:
• Risk Acceptance (accept as is or decide proposed controls are too
expensive)
• Risk Transfer (e.g. insurance or outsourcing)
• Risk Mitigation (apply further controls/countermeasures)
Risk Management, cont.
Once Risk has been identified and mitigated to
acceptable levels, continuous monitoring of the
Enterprise will provide assurance that the
Company’s Risk posture will remain consistent
and that any new risks introduced into the
environment can be identified, rated and mitigated
to acceptable levels.
Risk Management, cont.
The process looks like this:
[Figure: the Risk Management process, after ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines]
Risk Management vs.
Risk Assessment
Risk Assessment is a means to an end, serving the overall
objective of the Risk Management process:
          | Risk Management                                   | Risk Assessment
Goal      | Manage risks across the business to an acceptable level | Identify and prioritize risks
Cycle     | Overall program across all phases                 | Single phase of the risk management program
Schedule  | Ongoing                                           | As needed
Alignment | Aligned with budgeting cycles                     | N/A
Risk Assessment approaches
There are two primary methods to approach
Risk Assessments:
• Quantitative
(calculate objective numeric values to derive a cost/benefit analysis)
• Qualitative
(calculate relative values not tied to actual financial values for cost/benefit)
Approach to Assessing Risk, cont.
Advantages/Disadvantages of either approach:
Quantitative - Benefits
• Risks are prioritized by financial impact; assets are prioritized by financial values.
• Results facilitate management of risk by return on security investment.
• Results can be expressed in management-specific terminology (for example, monetary values and probability expressed as a specific percentage).
• Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.
Qualitative - Benefits
• Enables visibility and understanding of risk ranking.
• Easier to reach consensus.
• Not necessary to quantify threat frequency.
• Not necessary to determine financial values of assets.
• Easier to involve people who are not experts on security or computers.
Quantitative - Drawbacks
• Impact values assigned to risks are based on subjective opinions of participants.
• Process to reach credible results and consensus is very time consuming.
• Calculations can be complex and time consuming.
• Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
• Process requires expertise, so participants cannot be easily coached through it.
Qualitative - Drawbacks
• Insufficient differentiation between important risks.
• Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
• Results are dependent upon the quality of the risk management team that is created.
Attributes of an effective Risk
Assessment methodology
• Should result in an explicit definition of objectives and contain
explicit steps and supporting templates to assist in that goal.
• Should provide explicit definitions of what Security risk is, vs. Project
risk, Business risk, etc.
• Should be aimed at modeling and documenting risks qualitatively.
• Should be able to use both ratio and ordinal scale risk rankings to
prioritize risks reliably.
• Should use the concept of utility loss to rank the loss associated with
risk.
• Should have operational guidance and training support and a tutorial
available, along with templates and examples.
So, which approach will we use?
• The Microsoft Security Risk Management process uses
a Hybrid approach that joins the best of both traditional
approaches.
– Uses a Qualitative approach to assess overall risk.
– Uses a Quantitative approach (if desired) to assess the High
Impact assets within the Organization.
• Faster than the traditional Quantitative approach.
• Yields the more detailed and justifiable results that executives
want, compared with a traditional Qualitative approach.
• Meets most, if not all, of the desired qualities of an
effective Risk Assessment methodology.
• The MSRM Guide was reviewed during writing, development and
testing by participants from major corporations (Siemens, BofA),
and NIST provided comments that were incorporated into the guide.
Risk Management - Phases
[Figure: Microsoft’s approach to RM, by phase]
The Standard’s PDCA approach
[Figure: Plan-Do-Check-Act cycle] Microsoft’s phases look consistent with the stated PDCA approach.
The Risk Assessment Process
(High Level)
The 5 Step process for the Risk Assessment:
1. Determine Scope of Assessment
- Budget, Boundaries, Objectives, etc.
- What assets are we trying to protect?
2. Gather Information
- Questionnaires directed at specific groups/project members
- Acquiring information from specific areas:
  Administrative (policies, training, organization, etc.)
  Technical (controls, configurations, pen tests, etc.)
  Physical (procedures, observations, etc.)
3. Assess Risk
- Asset valuation/criticality
- Threat/Vulnerability mapping
- Calculating risk
- Obtaining consensus
4. Recommend Controls
- What’s the cost?
- What’s the effectiveness (preventative, detective, corrective)?
- Are there unintended consequences of the proposed solution?
5. Determine Residual Risk
- Is it at an acceptable level?
- What are the trade-offs, if any, and are they acceptable to implement?
The Risk Assessment Process
(Lower Level)
Step 1 – Determine Scope of Assessment
• Enterprise vs. project/system
• Budget and/or deadlines to consider
• Identify Stakeholders to the Assessment
• Identify the Assets that are relevant to the Assessment
• Develop a step-by-step plan to address these concerns
The Risk Assessment Process
(Lower Level)
Step 2 – Gathering Information
• Use of questionnaires can help speed up the process
• Data gathering involves three main areas:
1. Administrative areas
a. Policies
b. Procedures
c. Staff interviews
2. Technical areas
a. Configurations (Architecture/Design)
b. Current controls (Hardening, Patching, etc.)
c. Targeted Vulnerability/Penetration testing
3. Physical areas
a. Procedures and Safeguards (HA, Fault Tolerance, etc.)
b. Access control (physical)
c. Documentation (BCP and DR processes)
The Risk Assessment Process
(Lower Level)
Step 3 – Assessing Risk
The objective is to arrive at a well-formed Risk Statement. We do this as follows:
Ex: A Hacker (Threat Agent) may exploit known vulnerabilities (Vulnerability) in the remote authentication
protocol (Vulnerability Target) to disrupt (Policy violated) remote authentication (Asset exposed).
The Risk Assessment Process
(Lower Level)
Step 3 – Assessing Risk
The specific steps to arrive at a well-formed Risk Statement:
• Classify Assets
  – Low Business Impact (LBI) - public information, high-level information
  – Medium Business Impact (MBI) - Network designs, employee lists, purchase order info.
  – High Business Impact (HBI) - Financial data, PII, SSNs, medical record info.
• Define Threats and Vulnerabilities
  – Threat Agents
  – Identify current Vulnerabilities
• Calculate Asset Exposure (Impact)
  – Low exposure (minor or no loss)
  – Medium exposure (limited or moderate loss)
  – High exposure (severe or complete loss)
• Estimate the Threat Probability
  – Low (Not probable - not expected to occur within 3 years)
  – Medium (Probable - expected to occur within 2-3 years)
  – High (Likely - one or more occurrences within 1 year)
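To make the Step 3 scales concrete, here is an added Python example (not code from the slides or from the Microsoft Security Risk Management Guide). It represents a well-formed Risk Statement with the five fields of the slides’ template, rates it on the asset-class, exposure and probability scales above, and, following the hybrid approach of slide 11, adds the quantitative Risk = probability x value figure from slide 2 for HBI assets only. The 3x3 combination matrix, the sample statements and the monetary figures are constructed assumptions of this example, not tables or numbers from the deck.

```python
from dataclasses import dataclass

# Ordinal scales from the Step 3 slides: three levels each for asset
# classification, asset exposure (impact) and threat probability.
LEVELS = ("Low", "Medium", "High")
ASSET_CLASSES = ("LBI", "MBI", "HBI")  # Low / Medium / High Business Impact

# CONSTRUCTED 3x3 combination matrix (an assumption of this example, not a
# table from the slides or the MSRM guide). Rows and columns run Low..High;
# the cell is the combined level. Used for asset class x exposure -> impact
# and for impact x probability -> risk.
COMBINE = (
    ("Low",    "Low",    "Medium"),
    ("Low",    "Medium", "High"),
    ("Medium", "High",   "High"),
)


@dataclass(frozen=True)
class RiskStatement:
    """A well-formed Risk Statement, field for field as in the slides' template."""
    threat_agent: str
    vulnerability: str
    vulnerability_target: str
    policy_violated: str
    asset_exposed: str
    asset_class: str   # LBI / MBI / HBI
    exposure: str      # Low / Medium / High
    probability: str   # Low / Medium / High

    def __post_init__(self):
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"asset_class must be one of {ASSET_CLASSES}")
        for name in ("exposure", "probability"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{name} must be one of {LEVELS}")

    def text(self) -> str:
        """Render the statement in the slides' sentence form."""
        return (f"A {self.threat_agent} may exploit {self.vulnerability} in the "
                f"{self.vulnerability_target} to {self.policy_violated} "
                f"{self.asset_exposed}.")


def combine(row_level: str, col_level: str, row_scale=LEVELS) -> str:
    """Look up the combined level of two ordinal ratings in COMBINE."""
    return COMBINE[row_scale.index(row_level)][LEVELS.index(col_level)]


def impact_rating(asset_class: str, exposure: str) -> str:
    """Asset class x exposure -> impact (step 'Calculate Asset Exposure')."""
    return combine(asset_class, exposure, row_scale=ASSET_CLASSES)


def qualitative_risk(stmt: RiskStatement) -> str:
    """Impact x probability -> qualitative risk level for the statement."""
    return combine(impact_rating(stmt.asset_class, stmt.exposure), stmt.probability)


def expected_loss(asset_value: float, annual_probability: float) -> float:
    """Quantitative form of the slide 2 definition: Risk = probability x value.
    The probability is taken per year, so the result is an expected annual loss."""
    if annual_probability < 0:
        raise ValueError("annual_probability must not be negative")
    return asset_value * annual_probability


def hybrid_assessment(stmt: RiskStatement, asset_value=None, annual_probability=None) -> dict:
    """Slide 11 hybrid approach: a qualitative rating for every statement, plus a
    quantitative expected loss only for HBI assets when the figures are known."""
    result = {"statement": stmt.text(), "risk": qualitative_risk(stmt)}
    if stmt.asset_class == "HBI" and asset_value is not None and annual_probability is not None:
        result["expected_annual_loss"] = expected_loss(asset_value, annual_probability)
    return result


def prioritize(stmts: list) -> list:
    """Order statements highest risk first (the 'identify and prioritize' goal)."""
    return sorted(stmts, key=lambda s: LEVELS.index(qualitative_risk(s)), reverse=True)


# CONSTRUCTED sample statements; the first follows the slides' example wording.
REMOTE_AUTH = RiskStatement("Hacker", "known vulnerabilities", "remote authentication protocol",
                            "disrupt", "remote authentication",
                            asset_class="HBI", exposure="High", probability="Medium")
PUBLIC_SITE = RiskStatement("Vandal", "a misconfiguration", "public web server",
                            "deface", "the public marketing site",
                            asset_class="LBI", exposure="Low", probability="High")
ORDER_DATA = RiskStatement("Insider", "excessive permissions", "order database",
                           "read", "purchase order information",
                           asset_class="MBI", exposure="Medium", probability="Low")

if __name__ == "__main__":
    for s in prioritize([PUBLIC_SITE, ORDER_DATA, REMOTE_AUTH]):
        print(qualitative_risk(s).ljust(6), s.text())
    # Constructed figures, supplied for the HBI asset only (hybrid approach).
    print(hybrid_assessment(REMOTE_AUTH, asset_value=500_000, annual_probability=0.4))
```

The matrix lookups are deliberately kept in one table so that an assessor can replace them with the organisation’s own agreed scale without touching the rest of the logic; the deck’s point that the qualitative result depends on consensus over these ratings is what the lookup encodes.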
The Risk Assessment Process
(Lower Level)
Step 3 – Assessing Risk (cont.)
We can do a finer-grained analysis on High Value Assets:
The Risk Assessment Process
(Lower Level)
Step 3 – Assessing Risk (cont.)
Which results in a finer-grained result:
The Risk Assessment Process
(Lower Level)
Step 4 – Recommend Controls
1. Identify Functional Requirements
• Need to define the objectives of the control
2. Identify Control Solutions
• Organizational controls (separation of duties, etc.)
• Operational controls (physical protections, etc.)
• Technological controls (Authentication, Access control, etc.)
3. Review Solution vs. Requirements
• Does it meet the Functional requirements?
• Are there unintended consequences of the proposed solution?
4. Estimate the Degree of Risk Reduction
• Will it stop the Threat Agent, or detect an Exploit?
5. Estimate the Solution Cost
• Acquisition, Implementation, On-going, Training, Productivity, etc.
6. Select the Risk Mitigation Solution
The Risk Assessment Process
(Lower Level)
Step 5 – Determine Residual Risk
• Does the proposed Solution reduce Risk to an acceptable
level?
• Are there trade-offs to the proposed Solution, and if so, are
they acceptable to implement?
• Would Management rather Transfer or Assign the Residual
Risk?
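The cost/benefit and residual-risk questions of Steps 4 and 5, worked as an added Python example (not the deck’s or Microsoft’s code): each candidate control carries the cost items listed under Step 4 (acquisition, implementation, training, on-going) and an assessor-supplied estimate of the fraction of expected annual loss it removes; the selection keeps only controls that bring residual risk under the acceptable level and cost less than they save, and picks the highest net benefit. The controls, cost figures, the three-year amortisation period and the acceptable-loss threshold are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """A candidate control with the cost items listed in Step 4 and an
    estimated effect on the risk. The 'reduction' fraction is an assessor's
    estimate (this example's modelling assumption, not the deck's)."""
    name: str
    kind: str                # preventative / detective / corrective
    acquisition: float       # one-off
    implementation: float    # one-off
    training: float          # one-off
    ongoing_per_year: float  # recurring
    reduction: float         # fraction of expected annual loss removed, 0..1

    def __post_init__(self):
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be a fraction in [0, 1]")

    def annual_cost(self, years: int) -> float:
        """One-off costs amortised over the evaluation period plus recurring cost."""
        one_off = self.acquisition + self.implementation + self.training
        return one_off / years + self.ongoing_per_year


def residual_loss(expected_annual_loss: float, control: Control) -> float:
    """Step 5: expected annual loss that remains after the control is applied."""
    return expected_annual_loss * (1.0 - control.reduction)


def evaluate(expected_annual_loss: float, control: Control,
             acceptable_loss: float, years: int = 3) -> dict:
    """Steps 4 (risk reduction, cost) and 5 (is the residual acceptable?)."""
    residual = residual_loss(expected_annual_loss, control)
    reduction = expected_annual_loss - residual
    cost = control.annual_cost(years)
    return {
        "control": control.name,
        "kind": control.kind,
        "residual": residual,
        "reduction": reduction,
        "annual_cost": cost,
        "net_benefit": reduction - cost,
        "acceptable": residual <= acceptable_loss,
    }


def select_control(expected_annual_loss: float, candidates: list,
                   acceptable_loss: float, years: int = 3) -> Optional[dict]:
    """Step 4.6: choose the control with the highest net benefit among those that
    bring residual risk to an acceptable level and cost less than they save.
    None means no candidate qualifies, so the risk is instead accepted or
    transferred (the other treatments from slide 4)."""
    results = [evaluate(expected_annual_loss, c, acceptable_loss, years) for c in candidates]
    viable = [r for r in results if r["acceptable"] and r["net_benefit"] > 0]
    return max(viable, key=lambda r: r["net_benefit"]) if viable else None


# CONSTRUCTED candidates for a constructed expected annual loss of 200,000.
CANDIDATES = [
    Control("MFA for remote authentication", "preventative",
            acquisition=30_000, implementation=20_000, training=5_000,
            ongoing_per_year=10_000, reduction=0.80),
    Control("Authentication log monitoring", "detective",
            acquisition=10_000, implementation=5_000, training=0,
            ongoing_per_year=15_000, reduction=0.30),
    Control("Full protocol replacement", "preventative",
            acquisition=400_000, implementation=100_000, training=20_000,
            ongoing_per_year=50_000, reduction=0.95),
]

if __name__ == "__main__":
    for r in (evaluate(200_000, c, acceptable_loss=50_000) for c in CANDIDATES):
        print(f"{r['control']:<32} residual={r['residual']:>9,.0f} "
              f"cost/yr={r['annual_cost']:>9,.0f} net={r['net_benefit']:>10,.0f} "
              f"acceptable={r['acceptable']}")
    chosen = select_control(200_000, CANDIDATES, acceptable_loss=50_000)
    print("selected:", chosen["control"] if chosen else "none (accept or transfer)")
```

With these figures the detective control is cheap but leaves the residual above the acceptable level, the full replacement meets the residual target but costs more per year than it saves, and the MFA control is the one that satisfies both tests; lowering the acceptable loss far enough makes every candidate fail, which is the case where the deck’s remaining options (accept or transfer) apply.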
The Risk Assessment Process,
cont.
• Final recommendations
– Risk mitigation, transfer or acceptance
– Document final decisions on Risk treatment
• Report to Upper Management
– Communicate Risk decisions
– Align with Security Risk Scorecard
The Risk Assessment Process,
cont.
• Measure Control Effectiveness
– Use of audit / verification tools
– Review of logs
• Reassess New and Changed Assets for Risks
– Review and update previous assessments
– Review any Architectural changes for overall impact to
the Organization Risk posture
Steps going forward
• Solidify the Risk Management Framework.
• Build out the processes, guidance, templates and
training to make the process real.
• Identify an RM application to assist in the process.
• Identify further steps, timeline, etc.
Questions?
