Kiran Joshi
Risk Assessment and Management & Risk Based Audit Approaches
Table of Contents
• Introduction
• Risk
• Risk Based Audit Approaches
• Keep in touch!
• Risk Assessment and Calculations
• Losses & Controls
• Risk Management Model
• Things to Consider
• Risk Treatments
• Types of Treatments
• Methodology
• How to manage the Risk?
Risk Impact: the effect a risk can have
• The probability of something happening that will have an adverse impact upon any of the assets (people, plant, equipment, financials, data etc.) and the impact of the loss of such an asset both need to be considered to quantify the risk.
• Based on the resulting classification, appropriate actions can then be taken as per cost-benefit analysis.
• Risk = (probability of event occurring) x (impact of the event occurring)
Risk Assessment – a definition
• "The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact."
Classification of Losses: the types of losses which can occur
• Financial: loss of money or decrease in financial value.
• Operational: loss of operational integrity of the process.
• Reputational: loss of reputation of the organization due to interruption of services.
• Legal: losses meaning any and all expenses, damages, losses, liabilities, judgments, fines, penalties.
Types of risk
• 1. Inherent risk
• 2. Control risk
• 3. Detection risk
• 4. Overall audit risk (Inherent * Control * Detection)
Risk Assessment Methodology
Step 1: System Characterization
• Input: system-related info including
  • Hardware
  • Software
  • System interfaces
  • Data and information
  • People
  • System mission
• Output: a good picture of system boundary, functions, criticality and sensitivity
Risk Assessment Methodology
Step 2: Threat Identification
• Input:
  • Security violation reports
  • Incident reports
  • Data from intelligence agencies and mass media
• Output: threat statement listing potential threat-sources (natural, human, environmental) applicable to the system being evaluated
Risk Assessment Methodology
Step 3: Vulnerability Identification
• Input:
  • System security tests (e.g. VA/penetration tests)
  • Audit results
  • Vulnerability lists/advisories
  • Automated vulnerability scanning tools, e.g. Nessus, GFI, OpenVAS
  • Security Test & Evaluation (ST&E): development and execution of a test plan
  • Security requirements checklist (contains basic security standards)
• Output: list of system vulnerabilities (flaws or weaknesses) that could be exploited, expressed as vulnerability/threat pairs
Security Analysis Technique: ways to analyze the controls' sufficiency
• Vulnerability Assessment
• Application Design Review
• Source Code Review
• Penetration Testing
• Security Assessment & Audit
• Gap Analysis
Vulnerability Sources: major areas to be included
• Technical: communications, cryptography, discretionary access control, identification & authentication, intrusion detection, object reuse, system audit
• Management: assigning responsibilities, support continuity, incident response capability, periodic review, risk assessment, security & technical training etc.
• Operational: controlling the environment (smoke, dust etc.), power supply, media access & disposal, external data distribution, facility protection, humidity, temperature control etc.
Risk Assessment Methodology
Step 4: Control Analysis
• Input: current controls, planned controls
  • Control methods: may be technical or non-technical
  • Control categories: preventative or detective (e.g. audit trails)
• Output: list of current and planned controls
Types of Controls: what each level means in terms of security
• Technical (Logical): anti-virus programs, password protection, firewall, ACLs, auditing etc.
• Physical: locks, alarms etc.
• Administrative: policies & procedures, including personnel controls such as security clearances, background checks etc.
Risk Assessment Methodology
Step 5: Likelihood Determination
• Input:
  • Threat-source motivation & capability
  • Nature of the vulnerability
  • Existence & effectiveness of current controls
• Output: likelihood rating of High, Medium or Low
Likelihood Level: the probability of the event occurring
• High: the threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
• Medium: the threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
• Low: the threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
Risk Assessment Methodology
Step 6: Impact Analysis
• Input:
  • System mission
  • System and data criticality
  • System and data sensitivity
• Analysis: adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
• Output: impact rating of High, Medium or Low
Magnitude of Impact Analysis: measuring the impact
• High: exercise of the vulnerability may result in (1) expensive loss of major tangible assets or resources, (2) significant damage to the organization, (3) human death/injury
• Medium: exercise of the vulnerability may result in (1) expensive loss of some tangible assets or resources, (2) some damage to the organization, (3) human injury
• Low: exercise of the vulnerability may result in (1) some loss of some tangible assets or resources, (2) some effect on the organization's mission, reputation or interest
Types of Impact Analysis: qualitative & quantitative
• Quantitative
  • Provides a measurement of the impacts' magnitude
  • Depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear
• Qualitative
  • Prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities
  • Makes a cost-benefit analysis of any recommended controls difficult, because it does not provide specific quantifiable measurements of the magnitude of the impacts
Risk Assessment Methodology
Step 7: Risk Determination
• Input:
  • Likelihood of threat
  • Magnitude of risk
  • Adequacy of planned or current controls
• Output:
  • Risk Level Matrix (Risk Level = Threat Likelihood x Threat Impact)
  • Risk scale and necessary actions
Description of Risk Level: what each level means in terms of security
• High: there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put into place asap.
• Medium: corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low: the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
Risk-Level Matrix (Risk Level = Threat Likelihood x Threat Impact)

Threat Likelihood | Impact: Low (10)    | Impact: Medium (50)   | Impact: High (100)
High (1.0)        | 10 x 1.0 = 10 Low   | 50 x 1.0 = 50 Medium  | 100 x 1.0 = 100 High
Medium (0.5)      | 10 x 0.5 = 5 Low    | 50 x 0.5 = 25 Medium  | 100 x 0.5 = 50 Medium
Low (0.1)         | 10 x 0.1 = 1 Low    | 50 x 0.1 = 5 Low      | 100 x 0.1 = 10 Low
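The Risk = likelihood x impact formula and the Risk-Level Matrix above, worked as an added Python example (not code from the slides). The Low/Medium/High bands are read off the matrix (1-10 Low, over 10 to 50 Medium, over 50 High), and the sample findings and their ratings are constructed for illustration.

```python
# Added example (not from the slides): the deck's Risk = likelihood x impact
# formula and its 3x3 Risk-Level Matrix as a small assessment helper.
from dataclasses import dataclass
from typing import Optional

# Weights exactly as printed in the deck's matrix. Likelihood is kept in
# tenths (1.0 -> 10, 0.5 -> 5, 0.1 -> 1) so every score is an exact integer:
# with plain floats, 100 * 0.1 evaluates to 10.000000000000002 and would be
# mis-banded as Medium instead of the matrix's Low.
LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

# Necessary action per level, paraphrased from "Description of Risk Level".
ACTIONS = {
    "High": "Strong need for corrective measures; put a corrective action plan in place asap.",
    "Medium": "Corrective actions needed; plan them within a reasonable period of time.",
    "Low": "DAA decides whether corrective actions are still required or accepts the risk.",
}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = (probability of event occurring) x (impact of the event occurring)."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] // 10


def risk_level(score: int) -> str:
    """Bands read off the deck's matrix: 1-10 Low, >10-50 Medium, >50-100 High."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One vulnerability/threat pair (Step 3) rated in Steps 5 and 6."""
    name: str
    likelihood: str
    impact: str

    def assess(self) -> tuple:
        """Step 7 output for this pair: (score, level, necessary action)."""
        score = risk_score(self.likelihood, self.impact)
        level = risk_level(score)
        return score, level, ACTIONS[level]

    def residual(self, likelihood: Optional[str] = None,
                 impact: Optional[str] = None) -> tuple:
        """Re-rate after a planned control that lowers likelihood (fewer flaws,
        a targeted control) and/or impact; what remains is the residual risk."""
        return Finding(self.name, likelihood or self.likelihood,
                       impact or self.impact).assess()


def build_matrix() -> dict:
    """Reproduce the full matrix as {likelihood: {impact: (score, level)}}."""
    return {lk: {im: (risk_score(lk, im), risk_level(risk_score(lk, im)))
                 for im in IMPACT} for lk in LIKELIHOOD_TENTHS}


def prioritise(findings: list) -> list:
    """Order findings for the Step 9 report: highest score first."""
    return sorted(findings, key=lambda f: f.assess()[0], reverse=True)


# Constructed sample findings (hypothetical, not from the deck).
SAMPLE = [
    Finding("Backup media stored without access logging", "Low", "High"),
    Finding("Unpatched internet-facing web server", "High", "Medium"),
    Finding("Weak password policy on internal HR application", "Medium", "Medium"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        score, level, action = f.assess()
        print(f"{score:>3} {level:<6} {f.name}: {action}")
    # Planned control: a patch cycle drops the web server's likelihood to Low.
    print(SAMPLE[1].residual(likelihood="Low"))
```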
Risk Assessment Methodology
Step 8: Control Recommendations
• Factors to consider:
  • Effectiveness of recommended option
  • Legislation and regulation
  • Organizational policy
  • Operational impact
  • Safety and reliability
• Output: recommended controls and alternative solutions to mitigate risk
Control Recommendation: types of controls which can be recommended
• Deterrent Controls: discourage incidents
• Detective Controls: identify incidents
• Compensative Controls: alternative controls (e.g. supervision)
• Preventive Controls: avoid incidents
• Corrective Controls: remedy/mitigate the incidents
• Recovery Controls: restore conditions to normal

Control Matrix (table not reproduced here): matching type of controls with recommendations
• The table illustrates various methods which can be adopted for each recommendation type and control type.
Risk Assessment Methodology
Step 9: Results Documentation
• Output: Risk Assessment Report
  • Presented to senior management and mission owners
  • Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
  • Purpose: assist decision-makers in making decisions on policy, procedural, budget and system operational and management changes
Types of Risk Treatments: MATR & 4T
• MATR
  • Mitigate
  • Transfer
  • Accept
  • Reject
• 4T
  • Treat
  • Transfer
  • Tolerate
  • Terminate
Risk Mitigation: mitigating the risks identified
• Risk Assumption: accept the potential risk and continue operating the IT system, or lower the risk to an acceptable level
• Risk Limitation: controls which limit the risk by using supporting, preventive and detective controls
• Risk Planning: manage the risk by developing plans which prioritize, implement and manage controls
• Risk Avoidance: shut down or forego some systems/functions when the risks are identified
• Research & Acknowledgement: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
• Risk Transference: transfer the risk by using options such as insurance
Residual Risk: the risk which we choose to accept
• New/enhanced controls reduce the number of flaws/errors, add a targeted control, or reduce the magnitude of impact; the risk that remains afterwards is the residual risk.
Risk Management Model: anticipating threats
• Cycle: Identify, Assess (risk assessment), Plan, Implement, Monitor, Control