SlideShare a Scribd company logo

Lesson 3- Fair Approach

Download as PPT, PDF
M
MLG College of Learning, Inc

Chapter 5

Education
1 of 30
Principles of Information Security, Fifth Edition Chapter 5 Risk Management Lesson 3 – Fair Approach to Risk Management
Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, risk identification, and risk control – Describe how risk is identified and assessed – Assess risk based on probability of occurrence and likely impact – Explain the fundamental aspects of documenting risk via the process of risk assessment Principles of Information Security, Fifth Edition 2
Learning Objectives (cont’d) – Describe the various risk mitigation strategy options – Identify the categories that can be used to classify controls – Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis Principles of Information Security, Fifth Edition 3
The FAIR Approach to Risk Assessment • Identify scenario components • Evaluate loss event frequency • Evaluate probable loss magnitude • Derive and articulate risk Principles of Information Security, Fifth Edition 4
Risk Control • Involves selection of control strategies, justification of strategies to upper management, and implementation/monitoring/ongoing assessment of adopted controls • Once the ranked vulnerability risk worksheet is complete, the organization must choose one of five strategies to control each risk: – Defense – Transfer – Mitigation – Acceptance – Termination Principles of Information Security, Fifth Edition 5
Defense • Attempts to prevent exploitation of the vulnerability • Preferred approach • Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards • Three common methods of risk avoidance: – Application of policy – Education and training – Applying technology Principles of Information Security, Fifth Edition 6
Transfer • Attempts to shift risk to other assets, processes, or organizations • If lacking, the organization should hire individuals/firms that provide security management and administration expertise. • The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks. Principles of Information Security, Fifth Edition 7
Mitigate • Attempts to reduce impact of attack rather than reduce success of attack itself • Approach includes three types of plans: – Incident response (IR) plan: define the actions to take while incident is in progress – Disaster recovery (DR) plan: the most common mitigation procedure; preparations for the recovery process – Business continuity (BC) plan: encompasses the continuation of business activities if a catastrophic event occurs Principles of Information Security, Fifth Edition 8
Acceptance and Termination • Acceptance – Doing nothing to protect a vulnerability and accepting the outcome of its exploitation – Valid only when the particular function, service, information, or asset does not justify the cost of protection • Termination – Directs the organization to avoid business activities that introduce uncontrollable risks – May seek an alternate mechanism to meet the customer needs Principles of Information Security, Fifth Edition 9
Principles of Information Security, Fifth Edition 10
Selecting a Risk Control Strategy • Level of threat and value of asset should play a major role in the selection of strategy. • Rules of thumb on strategy selection can be applied: – When a vulnerability exists – When a vulnerability can be exploited – When attacker’s cost is less than the potential gain – When potential loss is substantial Principles of Information Security, Fifth Edition 11
Principles of Information Security, Fifth Edition 12
Justifying Controls • Before implementing one of the control strategies for a specific vulnerability, the organization must explore all consequences of vulnerability to information asset. • Several ways to determine the advantages/disadvantages of a specific control • Items that affect cost of a control or safeguard include cost of development or acquisition, training fees, implementation cost, service costs, and cost of maintenance. Principles of Information Security, Fifth Edition 13
Justifying Controls (cont’d) • Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation. • Process result is the estimate of potential loss per risk. • Expected loss per risk stated in the following equation: – Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO) • SLE = asset value × exposure factor (EF) Principles of Information Security, Fifth Edition 14
The Cost-Benefit Analysis (CBA) Formula • CBA determines if an alternative being evaluated is worth the cost incurred to control vulnerability. – The CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control: • CBA = ALE(prior) – ALE(post) – ACS – ALE(prior) is the annualized loss expectancy of risk before implementation of control. – ALE(post) is the estimated ALE based on control being in place for a period of time. – ACS is the annualized cost of the safeguard. Principles of Information Security, Fifth Edition 15
Implementation, Monitoring, and Assessment of Risk Controls • The selection of the control strategy is not the end of a process. • Strategy and accompanying controls must be implemented and monitored on ongoing basis to determine effectiveness and accurately calculate the estimated residual risk. • Process continues as long as the organization continues to function. Principles of Information Security, Fifth Edition 16
Principles of Information Security, Fifth Edition 17
Quantitative Versus Qualitative Risk Control Practices • Performing the previous steps using actual values or estimates is known as quantitative assessment. • Possible to complete steps using an evaluation process based on characteristics using nonnumerical measures, called qualitative assessment • Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values. Principles of Information Security, Fifth Edition 18
Benchmarking and Best Practices • An alternative approach to risk management • Benchmarking: process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate • One of two measures typically used to compare practices: – Metrics-based measures, based on numerical standards – Process-based measures, more strategic and less focused on numbers Principles of Information Security, Fifth Edition 19
Benchmarking and Best Practices (cont’d) • Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances. • The application of controls at or above prescribed levels and the maintenance of standards of due care show due diligence on the organization’s part. • Failure to support standard of due care or due diligence can leave the organization open to legal liability. Principles of Information Security, Fifth Edition 20
Benchmarking and Best Practices (cont’d) • Best business practices: security efforts that provide a superior level of information protection • When considering best practices for adoption in an organization, consider: – Does organization resemble identified target organization with best practice? – Are expendable resources similar? – Is organization in a similar threat environment? Principles of Information Security, Fifth Edition 21
Benchmarking and Best Practices (cont’d) • Problems with the application of benchmarking and best practices – Organizations don’t talk to each other (biggest problem). – No two organizations are identical. – Best practices are a moving target. – Researching information security benchmarks doesn’t necessarily prepare a practitioner for what to do next. Principles of Information Security, Fifth Edition 22
Benchmarking and Best Practices (cont’d) • Baselining – Performance value or metric used to compare changes in the object being measured. – In information security, baselining is the comparison of past security activities and events against an organization’s future performance. – Useful during baselining to have a guide to the overall process Principles of Information Security, Fifth Edition 23
Other Feasibility Studies • Organizational: Assesses how well the proposed IS alternatives will contribute to an organization’s efficiency, effectiveness, and overall operation • Operational: Assesses user and management acceptance and support, and the overall requirements of the organization’s stakeholders • Technical: Assesses if organization has or can acquire the technology necessary to implement and support proposed control • Political: Defines what can/cannot occur based on the consensus and relationships among communities of interest Principles of Information Security, Fifth Edition 24
Recommended Risk Control Practices • Convince budget authorities to spend up to value of asset to protect from identified threat. • Chosen controls may be a balanced mixture that provides greatest value to as many asset-threat pairs as possible. • Organizations looking to implement controls that don’t involve such complex, inexact, and dynamic calculations. Principles of Information Security, Fifth Edition 25
Documenting Results • At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk. • Another option: Document the outcome of the control strategy for each information asset- vulnerability pair as an action plan. • Risk assessment may be documented in a topic- specific report. Principles of Information Security, Fifth Edition 26
The NIST Risk Management Framework • Describes risk management as a comprehensive process requiring organizations to: – Frame risk – Assess risk – Respond to determined risk – Monitor risk on ongoing basis Principles of Information Security, Fifth Edition 27
Principles of Information Security, Fifth Edition 28
Summary • Risk identification: formal process of examining and documenting risk in information systems • Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the components of an information system • Risk identification – A risk management strategy enables identification, classification, and prioritization of organization’s information assets. – Residual risk: risk remaining to the information asset even after the existing control is applied Principles of Information Security, Fifth Edition 29
Summary (cont’d) • Risk control: Five strategies are used to control risks that result from vulnerabilities: – Defend – Transfer – Mitigate – Accept – Terminate Principles of Information Security, Fifth Edition 30

Recommended

Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
WHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTWHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTFred Travis
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment.AIR UNIVERSITY ISLAMABAD
 
Introduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsIntroduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsToño Herrera
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuityDhani Ahmad
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 

Recommended

Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
WHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTWHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTFred Travis
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment.AIR UNIVERSITY ISLAMABAD
 
Introduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsIntroduction to Risk Management Fundamentals
Introduction to Risk Management FundamentalsToño Herrera
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuityDhani Ahmad
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414aidanc5
 
Cyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummaryCyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummarySteve Leventhal
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Knowledge Group
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management systemsubbusai82
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 
Quantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditQuantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditHernan Huwyler, MBA CPA
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sBest-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sMissionMode
 
Security risk management
Security risk managementSecurity risk management
Security risk managementbrijesh singh
 
Risk and Business Continuity Management
Risk and Business Continuity Management Risk and Business Continuity Management
Risk and Business Continuity Management Continuity and Resilience
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management TrainingQuality Improvement Consulting
 
Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsIT-Toolkits.org
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comUOPCourseHelp
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 

More Related Content

What's hot

CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414aidanc5
 
Cyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummaryCyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummarySteve Leventhal
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Knowledge Group
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management systemsubbusai82
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 
Quantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditQuantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditHernan Huwyler, MBA CPA
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sBest-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sMissionMode
 
Security risk management
Security risk managementSecurity risk management
Security risk managementbrijesh singh
 
Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsIT-Toolkits.org
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comUOPCourseHelp
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 

What's hot (20)

CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414
 
Cyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummaryCyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive Summary
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk Management
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security Management
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management system
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
Quantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditQuantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal Audit
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sBest-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Risk and Business Continuity Management
Risk and Business Continuity Management Risk and Business Continuity Management
Risk and Business Continuity Management
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
 
Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management Systems
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
 

Similar to Lesson 3- Fair Approach

Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxcravennichole326
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk TransferCBIZ, Inc.
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptxzeidali3
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to financeRobert Reed
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 
Project 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docxProject 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docxanitramcroberts
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Various steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazVarious steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazMDAnwarIbrahimMiraz
 

Similar to Lesson 3- Fair Approach (20)

Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Hazards and risk management
Hazards and risk managementHazards and risk management
Hazards and risk management
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
Project 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docxProject 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docx
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Various steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazVarious steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim miraz
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk ManagementCISSP Chapter 1 Risk Management
CISSP Chapter 1 Risk Management
 

More from MLG College of Learning, Inc

More from MLG College of Learning, Inc (20)

PC111.Lesson2
PC111.Lesson2PC111.Lesson2
PC111.Lesson2
 
PC111.Lesson1
PC111.Lesson1PC111.Lesson1
PC111.Lesson1
 
PC111-lesson1.pptx
PC111-lesson1.pptxPC111-lesson1.pptx
PC111-lesson1.pptx
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
PC 106 PPT-09.pptx
PC 106 PPT-09.pptxPC 106 PPT-09.pptx
PC 106 PPT-09.pptx
 
PC 106 PPT-07
PC 106 PPT-07PC 106 PPT-07
PC 106 PPT-07
 
PC 106 PPT-01
PC 106 PPT-01PC 106 PPT-01
PC 106 PPT-01
 
PC 106 PPT-06
PC 106 PPT-06PC 106 PPT-06
PC 106 PPT-06
 
PC 106 PPT-05
PC 106 PPT-05PC 106 PPT-05
PC 106 PPT-05
 
PC 106 Slide 04
PC 106 Slide 04PC 106 Slide 04
PC 106 Slide 04
 
PC 106 Slide no.02
PC 106 Slide no.02PC 106 Slide no.02
PC 106 Slide no.02
 
pc-106-slide-3
pc-106-slide-3pc-106-slide-3
pc-106-slide-3
 
PC 106 Slide 2
PC 106 Slide 2PC 106 Slide 2
PC 106 Slide 2
 
PC 106 Slide 1.pptx
PC 106 Slide 1.pptxPC 106 Slide 1.pptx
PC 106 Slide 1.pptx
 
Db2 characteristics of db ms
Db2 characteristics of db msDb2 characteristics of db ms
Db2 characteristics of db ms
 
Db1 introduction
Db1 introductionDb1 introduction
Db1 introduction
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 
Lesson 3.1
Lesson 3.1Lesson 3.1
Lesson 3.1
 
Lesson 1.6
Lesson 1.6Lesson 1.6
Lesson 1.6
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 

Recently uploaded

Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxAneriPatwari
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxAneriPatwari
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 

Recently uploaded (20)

Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptx
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptx
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 

Lesson 3- Fair Approach

  • 1. Principles of Information Security, Fifth Edition Chapter 5 Risk Management Lesson 3 – Fair Approach to Risk Management
  • 2. Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, risk identification, and risk control – Describe how risk is identified and assessed – Assess risk based on probability of occurrence and likely impact – Explain the fundamental aspects of documenting risk via the process of risk assessment Principles of Information Security, Fifth Edition 2
  • 3. Learning Objectives (cont’d) – Describe the various risk mitigation strategy options – Identify the categories that can be used to classify controls – Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis Principles of Information Security, Fifth Edition 3
  • 4. The FAIR Approach to Risk Assessment • Identify scenario components • Evaluate loss event frequency • Evaluate probable loss magnitude • Derive and articulate risk Principles of Information Security, Fifth Edition 4
  • 5. Risk Control • Involves selection of control strategies, justification of strategies to upper management, and implementation/monitoring/ongoing assessment of adopted controls • Once the ranked vulnerability risk worksheet is complete, the organization must choose one of five strategies to control each risk: – Defense – Transfer – Mitigation – Acceptance – Termination Principles of Information Security, Fifth Edition 5
  • 6. Defense • Attempts to prevent exploitation of the vulnerability • Preferred approach • Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards • Three common methods of risk avoidance: – Application of policy – Education and training – Applying technology Principles of Information Security, Fifth Edition 6
  • 7. Transfer • Attempts to shift risk to other assets, processes, or organizations • If lacking, the organization should hire individuals/firms that provide security management and administration expertise. • The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks. Principles of Information Security, Fifth Edition 7
  • 8. Mitigate • Attempts to reduce impact of attack rather than reduce success of attack itself • Approach includes three types of plans: – Incident response (IR) plan: define the actions to take while incident is in progress – Disaster recovery (DR) plan: the most common mitigation procedure; preparations for the recovery process – Business continuity (BC) plan: encompasses the continuation of business activities if a catastrophic event occurs Principles of Information Security, Fifth Edition 8
  • 9. Acceptance and Termination • Acceptance – Doing nothing to protect a vulnerability and accepting the outcome of its exploitation – Valid only when the particular function, service, information, or asset does not justify the cost of protection • Termination – Directs the organization to avoid business activities that introduce uncontrollable risks – May seek an alternate mechanism to meet the customer needs Principles of Information Security, Fifth Edition 9
  • 10. Principles of Information Security, Fifth Edition 10
  • 11. Selecting a Risk Control Strategy • Level of threat and value of asset should play a major role in the selection of strategy. • Rules of thumb on strategy selection can be applied: – When a vulnerability exists – When a vulnerability can be exploited – When attacker’s cost is less than the potential gain – When potential loss is substantial Principles of Information Security, Fifth Edition 11
  • 12. Principles of Information Security, Fifth Edition 12
  • 13. Justifying Controls • Before implementing one of the control strategies for a specific vulnerability, the organization must explore all consequences of vulnerability to information asset. • Several ways to determine the advantages/disadvantages of a specific control • Items that affect cost of a control or safeguard include cost of development or acquisition, training fees, implementation cost, service costs, and cost of maintenance. Principles of Information Security, Fifth Edition 13
  • 14. Justifying Controls (cont’d) • Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation. • Process result is the estimate of potential loss per risk. • Expected loss per risk stated in the following equation: – Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO) • SLE = asset value × exposure factor (EF) Principles of Information Security, Fifth Edition 14
  • 15. The Cost-Benefit Analysis (CBA) Formula • CBA determines if an alternative being evaluated is worth the cost incurred to control vulnerability. – The CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control: • CBA = ALE(prior) – ALE(post) – ACS – ALE(prior) is the annualized loss expectancy of risk before implementation of control. – ALE(post) is the estimated ALE based on control being in place for a period of time. – ACS is the annualized cost of the safeguard. Principles of Information Security, Fifth Edition 15
  • 16. Implementation, Monitoring, and Assessment of Risk Controls • The selection of the control strategy is not the end of a process. • Strategy and accompanying controls must be implemented and monitored on ongoing basis to determine effectiveness and accurately calculate the estimated residual risk. • Process continues as long as the organization continues to function. Principles of Information Security, Fifth Edition 16
  • 17. Principles of Information Security, Fifth Edition 17
  • 18. Quantitative Versus Qualitative Risk Control Practices • Performing the previous steps using actual values or estimates is known as quantitative assessment. • Possible to complete steps using an evaluation process based on characteristics using nonnumerical measures, called qualitative assessment • Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values. Principles of Information Security, Fifth Edition 18
  • 19. Benchmarking and Best Practices • An alternative approach to risk management • Benchmarking: process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate • One of two measures typically used to compare practices: – Metrics-based measures, based on numerical standards – Process-based measures, more strategic and less focused on numbers Principles of Information Security, Fifth Edition 19
  • 20. Benchmarking and Best Practices (cont’d) • Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances. • The application of controls at or above prescribed levels and the maintenance of standards of due care show due diligence on the organization’s part. • Failure to support standard of due care or due diligence can leave the organization open to legal liability. Principles of Information Security, Fifth Edition 20
  • 21. Benchmarking and Best Practices (cont’d) • Best business practices: security efforts that provide a superior level of information protection • When considering best practices for adoption in an organization, consider: – Does organization resemble identified target organization with best practice? – Are expendable resources similar? – Is organization in a similar threat environment? Principles of Information Security, Fifth Edition 21
  • 22. Benchmarking and Best Practices (cont’d) • Problems with the application of benchmarking and best practices – Organizations don’t talk to each other (biggest problem). – No two organizations are identical. – Best practices are a moving target. – Researching information security benchmarks doesn’t necessarily prepare a practitioner for what to do next. Principles of Information Security, Fifth Edition 22
  • 23. Benchmarking and Best Practices (cont’d) • Baselining – Performance value or metric used to compare changes in the object being measured. – In information security, baselining is the comparison of past security activities and events against an organization’s future performance. – Useful during baselining to have a guide to the overall process Principles of Information Security, Fifth Edition 23
  • 24. Other Feasibility Studies • Organizational: Assesses how well the proposed IS alternatives will contribute to an organization’s efficiency, effectiveness, and overall operation • Operational: Assesses user and management acceptance and support, and the overall requirements of the organization’s stakeholders • Technical: Assesses if organization has or can acquire the technology necessary to implement and support proposed control • Political: Defines what can/cannot occur based on the consensus and relationships among communities of interest Principles of Information Security, Fifth Edition 24
  • 25. Recommended Risk Control Practices • Convince budget authorities to spend up to value of asset to protect from identified threat. • Chosen controls may be a balanced mixture that provides greatest value to as many asset-threat pairs as possible. • Organizations looking to implement controls that don’t involve such complex, inexact, and dynamic calculations. Principles of Information Security, Fifth Edition 25
  • 26. Documenting Results • At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk. • Another option: Document the outcome of the control strategy for each information asset- vulnerability pair as an action plan. • Risk assessment may be documented in a topic- specific report. Principles of Information Security, Fifth Edition 26
  • 27. The NIST Risk Management Framework • Describes risk management as a comprehensive process requiring organizations to: – Frame risk – Assess risk – Respond to determined risk – Monitor risk on ongoing basis Principles of Information Security, Fifth Edition 27
  • 28. Principles of Information Security, Fifth Edition 28
  • 29. Summary • Risk identification: formal process of examining and documenting risk in information systems • Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the components of an information system • Risk identification – A risk management strategy enables identification, classification, and prioritization of organization’s information assets. – Residual risk: risk remaining to the information asset even after the existing control is applied Principles of Information Security, Fifth Edition 29
  • 30. Summary (cont’d) • Risk control: Five strategies are used to control risks that result from vulnerabilities: – Defend – Transfer – Mitigate – Accept – Terminate Principles of Information Security, Fifth Edition 30