SlideShare a Scribd company logo
1 of 38
Download to read offline
CNIT 160:
Cybersecurity
Responsibilities
3. Information Risk
Management

Part 2

Pages 114 - 126
Topics
• Part 1 (p. 102 - 115)
• Risk Management Concepts
• Implementing a Risk Management Program
• Part 2 (p. 114 - 125)
• The Risk Management Life Cycle
• Part 3 (p. 125 - 158)
• The Risk Management Life Cycle
• Part 4 (p. 158 - 182)
• Operational Risk Management
The Risk Management
Life Cycle
• Cyclical, iterative process to
• Acquire, analyze, and treat risks
• Formally defined in policy and process
documents
• Defining scope, roles and responsibilities,
workflow, business rules, and business
records
The Risk Management
Life Cycle
• Several frameworks and standards
• Risk assessments
The Risk Management
Life Cycle
The Risk Management
Process
• Scope definition
• Asset identification and valuation
• Risk appetite
• Risk identification
• Risk assessment
• Vulnerability assessment
• Threat advisory
• Risk analysis
The Risk Management
Process
• Risk analysis
• Probability of event occurrence
• Impact of event occurrence
• Mitigation
• Recommendation
The Risk Management
Process
• Risk treatment
• Accept
• Mitigate
• Transfer
• Avoid
• Risk communication
Risk Avoidance
Risk Register
• List of identified risks, with
• Description
• Level and type
• Risk treatment decisions
• Also called a risk ledger
Ch 3b-1
Risk Management
Methodologies
• NIST SP 800-39 "Managing Information
Security Risk: Organization, Mission, and
Information, System View"
• NIST SP 800-30 "Guide for Conducting Risk
Assessments"
• ISO/IEC 27005
• Factor Analysis of Information Risk (FAIR)
NIST SP 800-39
"Managing Information Security Risk:
Organization, Mission, and
Information, System View"
NIST SP 800-39
• Multilevel risk management
• Information systems level
• Mission/business process level
• Overall organization level
• Risks are communicated upward
• Risk awareness and risk decisions are
communicated downward
NIST SP 800-39
NIST SP 800-39
• Risk management process
• Step 1: Risk framing
• Step 2: Risk assessment
• Step 3: Risk response
• Step 4: Risk monitoring
NIST SP 800-39
NIST SP 800-30
"Guide for Conducting
Risk Assessments"
NIST SP 800-30
• Standard methodology for conducting a
risk assessment
• Quite structured
• A number of worksheets recording
• Threats and vulnerabilities
• Probability of occurrence
• Impact
NIST SP 800-30
• Steps for conducting a risk assessment
• Step 1: Prepare for assessment
• Determine purpose, scope, and
• Source of threat, vulnerability, and
impact information
• MIST 800-30 has example lists
NIST SP 800-30
• Step 2:
Conduct
assessment
• A. Identify
threat
sources and
events
NIST SP 800-30
• B. Identify vulnerabilities and predisposing
conditions
NIST SP 800-30
• C. Determine likelihood of occurrence
NIST SP 800-30
• D. Determine magnitude of impact
NIST SP 800-30
• E. Determine risk
NIST SP 800-30
• Step 3: Communicate results
• Step 4: Maintain assessment
• Monitor risk factors
ISO/IEC 27005
ISO/IEC 27005
• International standard
• Defines a structured approach
• To risk assessments and risk management
ISO/IEC 27005
• Step 1: Establish context
• Scope, purpose
• Criteria for evaluating risk, impact
• Risk acceptance criteria
• Logistical plan
ISO/IEC 27005
• Step 2: Risk assessment
• Asset identification
• Threat identification
• Control identification
• Vulnerability identification
• Consequences identification
ISO/IEC 27005
• Step 3: Risk evaluation
• Step 4: Risk treatment
• Risk reduction (also called mitigation)
• Risk retention (also called acceptance)
• Risk avoidance
• Risk transfer
• Residual risk remains
ISO/IEC 27005
Step 5: Risk
communication
ISO/IEC 27005
Step 6: Risk
monitoring
and review
Factor Analysis of
Information Risk (FAIR)
FAIR
• An analysis method for
• Factors that contribute to risk
• Probability of threat occurrence
• Estimation of loss
FAIR
• Six types of loss
• Productivity
• Response
• Replacement
• Fines and judgments
• Competitive advantage
• Reputation
FAIR
• Ways a threat agent acts upon an asset
• Access
• Misuse
• Disclose
• Modify
• Deny use
Ch 3b-2

More Related Content

What's hot

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceSam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsSam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentSam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)Sam Bowne
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementSam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: IntroductionSam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesSam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset SecuritySam Bowne
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3  - System security architectureCISSP - Chapter 3  - System security architecture
CISSP - Chapter 3 - System security architectureKarthikeyan Dhayalan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
project managmnet
project managmnetproject managmnet
project managmnetdarshan942
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurancea3virani
 

What's hot (20)

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3  - System security architectureCISSP - Chapter 3  - System security architecture
CISSP - Chapter 3 - System security architecture
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
 
project managmnet
project managmnetproject managmnet
project managmnet
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 

Similar to CNIT 160: Ch 3b: The Risk Management Life Cycle

Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment KateKazhan
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY   THROUGH    SAFETY MANAGAMENT PLAN –  office p...Ppt for IMPROVEMENT OF SAFETY   THROUGH    SAFETY MANAGAMENT PLAN –  office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...AMIT SAHU
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –AMIT SAHU
 
Quality Risk Management
Quality Risk ManagementQuality Risk Management
Quality Risk ManagementRuchir Shah
 
Risk management - A short course
Risk management  - A short courseRisk management  - A short course
Risk management - A short courseMalcolm Peart
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfMUST
 

Similar to CNIT 160: Ch 3b: The Risk Management Life Cycle (20)

Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
10- PMP Training - Risk Management
10- PMP Training - Risk Management 10- PMP Training - Risk Management
10- PMP Training - Risk Management
 
ICH Q9 Quality Risk Management
ICH Q9 Quality Risk ManagementICH Q9 Quality Risk Management
ICH Q9 Quality Risk Management
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY   THROUGH    SAFETY MANAGAMENT PLAN –  office p...Ppt for IMPROVEMENT OF SAFETY   THROUGH    SAFETY MANAGAMENT PLAN –  office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –
 
Quality Risk Management
Quality Risk ManagementQuality Risk Management
Quality Risk Management
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
Risk management - A short course
Risk management  - A short courseRisk management  - A short course
Risk management - A short course
 
Rmp
RmpRmp
Rmp
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEs
 
Session 18 4th edition PMP
Session 18 4th edition PMPSession 18 4th edition PMP
Session 18 4th edition PMP
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Project managment 10
Project managment  10Project managment  10
Project managment 10
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdf
 

More from Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Climbers and Creepers used in landscaping
Climbers and Creepers used in landscapingClimbers and Creepers used in landscaping
Climbers and Creepers used in landscapingDr. M. Kumaresan Hort.
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project researchCaitlinCummins3
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文中 央社
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...EADTU
 
The Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver &  Gallbladder (Anatomy & Physiology).pptxThe Liver &  Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptxVishal Singh
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxMarlene Maheu
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhleson0603
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFVivekanand Anglo Vedic Academy
 
How to Send Pro Forma Invoice to Your Customers in Odoo 17
How to Send Pro Forma Invoice to Your Customers in Odoo 17How to Send Pro Forma Invoice to Your Customers in Odoo 17
How to Send Pro Forma Invoice to Your Customers in Odoo 17Celine George
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxneillewis46
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxAdelaideRefugio
 
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportBasic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportDenish Jangid
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...Nguyen Thanh Tu Collection
 
Scopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsScopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsISCOPE Publication
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppCeline George
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...Gary Wood
 
e-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopale-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi RajagopalEADTU
 

Recently uploaded (20)

Including Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdfIncluding Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdf
 
Climbers and Creepers used in landscaping
Climbers and Creepers used in landscapingClimbers and Creepers used in landscaping
Climbers and Creepers used in landscaping
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
The Liver & Gallbladder (Anatomy & Physiology).pptx
The Liver &  Gallbladder (Anatomy & Physiology).pptxThe Liver &  Gallbladder (Anatomy & Physiology).pptx
The Liver & Gallbladder (Anatomy & Physiology).pptx
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptx
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
 
How to Send Pro Forma Invoice to Your Customers in Odoo 17
How to Send Pro Forma Invoice to Your Customers in Odoo 17How to Send Pro Forma Invoice to Your Customers in Odoo 17
How to Send Pro Forma Invoice to Your Customers in Odoo 17
 
Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"Mattingly "AI & Prompt Design: Named Entity Recognition"
Mattingly "AI & Prompt Design: Named Entity Recognition"
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptx
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptx
 
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportBasic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
 
Scopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsScopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS Publications
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge App
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
e-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopale-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopal
 
VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA!                    .VAMOS CUIDAR DO NOSSO PLANETA!                    .
VAMOS CUIDAR DO NOSSO PLANETA! .
 

CNIT 160: Ch 3b: The Risk Management Life Cycle

  • 1. CNIT 160: Cybersecurity Responsibilities 3. Information Risk Management Part 2 Pages 114 - 126
  • 2. Topics • Part 1 (p. 102 - 115) • Risk Management Concepts • Implementing a Risk Management Program • Part 2 (p. 114 - 125) • The Risk Management Life Cycle • Part 3 (p. 125 - 158) • The Risk Management Life Cycle • Part 4 (p. 158 - 182) • Operational Risk Management
  • 3. The Risk Management Life Cycle • Cyclical, iterative process to • Acquire, analyze, and treat risks • Formally defined in policy and process documents • Defining scope, roles and responsibilities, workflow, business rules, and business records
  • 4. The Risk Management Life Cycle • Several frameworks and standards • Risk assessments
  • 6. The Risk Management Process • Scope definition • Asset identification and valuation • Risk appetite • Risk identification • Risk assessment • Vulnerability assessment • Threat advisory • Risk analysis
  • 7. The Risk Management Process • Risk analysis • Probability of event occurrence • Impact of event occurrence • Mitigation • Recommendation
  • 8. The Risk Management Process • Risk treatment • Accept • Mitigate • Transfer • Avoid • Risk communication
  • 10. Risk Register • List of identified risks, with • Description • Level and type • Risk treatment decisions • Also called a risk ledger
  • 12. Risk Management Methodologies • NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View" • NIST SP 800-30 "Guide for Conducting Risk Assessments" • ISO/IEC 27005 • Factor Analysis of Information Risk (FAIR)
  • 13. NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View"
  • 14. NIST SP 800-39 • Multilevel risk management • Information systems level • Mission/business process level • Overall organization level • Risks are communicated upward • Risk awareness and risk decisions are communicated downward
  • 17. • Risk management process • Step 1: Risk framing • Step 2: Risk assessment • Step 3: Risk response • Step 4: Risk monitoring NIST SP 800-39
  • 18. NIST SP 800-30 "Guide for Conducting Risk Assessments"
  • 19. NIST SP 800-30 • Standard methodology for conducting a risk assessment • Quite structured • A number of worksheets recording • Threats and vulnerabilities • Probability of occurrence • Impact
  • 20. NIST SP 800-30 • Steps for conducting a risk assessment • Step 1: Prepare for assessment • Determine purpose, scope, and • Source of threat, vulnerability, and impact information • MIST 800-30 has example lists
  • 21. NIST SP 800-30 • Step 2: Conduct assessment • A. Identify threat sources and events
  • 22. NIST SP 800-30 • B. Identify vulnerabilities and predisposing conditions
  • 23. NIST SP 800-30 • C. Determine likelihood of occurrence
  • 24. NIST SP 800-30 • D. Determine magnitude of impact
  • 25. NIST SP 800-30 • E. Determine risk
  • 26. NIST SP 800-30 • Step 3: Communicate results • Step 4: Maintain assessment • Monitor risk factors
  • 28. ISO/IEC 27005 • International standard • Defines a structured approach • To risk assessments and risk management
  • 29. ISO/IEC 27005 • Step 1: Establish context • Scope, purpose • Criteria for evaluating risk, impact • Risk acceptance criteria • Logistical plan
  • 30. ISO/IEC 27005 • Step 2: Risk assessment • Asset identification • Threat identification • Control identification • Vulnerability identification • Consequences identification
  • 31. ISO/IEC 27005 • Step 3: Risk evaluation • Step 4: Risk treatment • Risk reduction (also called mitigation) • Risk retention (also called acceptance) • Risk avoidance • Risk transfer • Residual risk remains
  • 32. ISO/IEC 27005 Step 5: Risk communication
  • 33. ISO/IEC 27005 Step 6: Risk monitoring and review
  • 35. FAIR • An analysis method for • Factors that contribute to risk • Probability of threat occurrence • Estimation of loss
  • 36. FAIR • Six types of loss • Productivity • Response • Replacement • Fines and judgments • Competitive advantage • Reputation
  • 37. FAIR • Ways a threat agent acts upon an asset • Access • Misuse • Disclose • Modify • Deny use