Risk Based Security Management

  1. Risk Based Security Management
  2. Risk Based Security Management (RBSM) may be defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization's information assets and IT infrastructure.
  4. THE PROBLEM: Many of the true assets of value are items that are intangible and are typically not considered in technical approaches to information security.
  5. FRIGHT INDEX: Threats to information security faced by organizations (Ponemon Institute 2012)
  6. FRIGHT INDEX II: The greatest rise of potential security risk within today's IT environment (Ponemon Institute 2012)
  7. FRIGHT INDEX III: Security technology categories used to thwart internal and external threats (Ponemon Institute 2012)
  8. IDENTIFYING RISK: Steps taken to identify security risks (Ponemon Institute 2012)
  9. ADDRESSING RISK: Perceived security risk by layer in the security infrastructure and the allocated level of spending (Ponemon Institute 2012)
  10. STEPS TO RBSM: The goal is not perfection but to improve our decision-making ability by reducing our uncertainty.
  11. IDENTIFY WHAT MATTERS • How can this be achieved? »» Survey the organization and its management. »» Engage those who are responsible for the business. »» Gather relevant information about the organization.
  12. COLLECT DATA ON WHAT MATTERS • What kind of data can be useful to gather? »» Asset valuation »» Impact »» Threat landscapes »» Frequency and likelihood »» Vulnerabilities
  13. PERFORM A RISK ASSESSMENT • A risk assessment should: »» Create a meaningful analysis of probabilities and information on the magnitude of an event and its impact; »» Rank risk on a normalized scale that is explicitly defined, relevant and reusable across risk analyses of all sizes and types.
  14. PRESENT TO THE ORGANIZATION • The presentation of any risk analysis should state: »» The assets that were considered; »» The key threats to those assets; »» The assumptions that were made in the analysis; »» The identified risks.
  15. IDENTIFY CONTROL OBJECTIVES • A control objective identifies the risk being addressed and the ways in which an element of that risk can be minimized. »» In simple terms, control objectives are "what is it that needs to be achieved".
  16. IDENTIFY AND SELECT CONTROLS • The process of selecting controls should consider: »» What is the total cost of ownership of the control? »» How flexible is the control to changes in the organization or in the elements that make up the risk?
  17. IMPLEMENT CONTROLS • If the control is implemented in a way that does not support the control objectives, the risk will likely not be reduced.
  18. OPERATE CONTROLS • RBSM takes an additional step that measures the effectiveness of the control itself and of its operation.
  19. MONITOR AND MEASURE • The measures must focus on clearly identifying changes in risks. »» Bear in mind that not all of these elements are precisely measurable. »» Attempting to measure the number of threats is problematic, but qualitative measures, or a combination of measures, can provide insight.
  20. ADJUST & REPEAT »» Are there changes in the environment that can also affect the metrics? »» Are there changes in the threats as time passes? »» Is the control being operated as intended, and/or are the measures acting as indicators of control design and its operation?
  21. GLINTT'S APPROACH: If the risk assessment is based on relevant data, then the discourse should be rewarding, collaborative, and highly interactive.
  22. RBSM Managed Services »» Create an environment of informed choice. »» Strive to reduce uncertainty and eliminate conjecture. »» Are best achieved through a surplus of relevant data.
  23. RBSM Managed Services »» Are based on analysis of the frequency of threats and vulnerabilities. »» Are cyclical and provide an opportunity for continuous learning. »» Involve feedback loops and challenging assumptions.
  24. RBSM Managed Services »» Minimize the threats, reduce their frequency and/or likelihood, and reduce the vulnerabilities that make the threats viable.
  25. CONCLUSIONS: A vulnerability lacks significant meaning if it is associated with a worthless asset, just as a vulnerability is highly significant if it is associated with a highly valuable asset.
  26. CONCLUSIONS »» Anyone undertaking this process (RBSM) should be prepared to suspend their presuppositions and not be shocked if ideas long held as truth are refuted by the data collected and the analyses performed. »» We challenge you to try our Services!
  27. Q&A? Luís Martins, luis.martins@glintt.com
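The normalized, reusable ranking called for on slide 13 and the asset-value point of slide 25 can be made concrete with a small risk register. The following is an added example, not code from the deck or from Glintt; the three ordinal scales, the product-based score and the sample register are all assumptions chosen for illustration.

```python
# Added example (not from the deck): a minimal risk register scored on an
# explicitly defined, normalized 0-100 scale so that risks from different
# analyses can be compared and ranked.
from dataclasses import dataclass

# Ordinal scales defined once and reused across analyses. The labels and
# values are assumptions; an organization would calibrate its own.
ASSET_VALUE = {"negligible": 1, "low": 2, "moderate": 3, "high": 4, "critical": 5}
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
VULNERABILITY = {"hardened": 1, "low": 2, "moderate": 3, "high": 4, "exposed": 5}

MAX_RAW = 5 * 5 * 5  # largest product the three scales can produce


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: str
    frequency: str
    vulnerability: str


def score(risk: Risk) -> float:
    """Normalized 0-100 score: asset value x threat frequency x vulnerability."""
    raw = (ASSET_VALUE[risk.asset_value]
           * FREQUENCY[risk.frequency]
           * VULNERABILITY[risk.vulnerability])
    return round(100 * raw / MAX_RAW, 1)


def rank(register: list) -> list:
    """Return (label, score) pairs ordered from highest to lowest risk."""
    scored = [(f"{r.asset}: {r.threat}", score(r)) for r in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register. The fully exposed but worthless asset ends up
# ranked below the moderately vulnerable, highly valuable one (slide 25).
REGISTER = [
    Risk("test lab printer", "malware infection", "negligible", "likely", "exposed"),
    Risk("customer database", "credential theft", "critical", "possible", "moderate"),
    Risk("marketing site", "defacement", "low", "likely", "moderate"),
]

if __name__ == "__main__":
    for label, value in rank(REGISTER):
        print(f"{value:5.1f}  {label}")
```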