Kiran Joshi
Risk Assessment and Management & Risk Based Audit Approaches
Table of Contents
• Introduction
• Risk
• Risk Based Audit Approaches
• Keep in touch!
• Risk Assessment and Calculations
• Losses & Controls
• Risk Management Model
• Things to Consider
• Risk Treatments
• Types of Treatments
• Methodology
• How to manage the Risk?
Risk Impact
• The effect a risk can have
• The probability of something happening that will have an adverse impact upon any of the assets (people, plant, equipment, financials, data etc.) and the impact of the loss of such an asset both need to be considered to quantify the risk.
• Based on that classification, appropriate actions can then be taken as per a cost-benefit analysis.
• Risk = (probability of event occurring) x (impact of the event occurring)
Risk Assessment – a definition
• “The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.”
Classification of Losses
• The types of losses which can occur
• Financial: loss of money or decrease in financial value.
• Operational: loss of operational integrity of the process.
• Reputational: loss of reputation of the organization due to interruption of services.
• Legal: losses meaning any and all expenses, damages, losses, liabilities, judgments, fines, penalties.
Types of Risk
• 1. Inherent risk
• 2. Control risk
• 3. Detection risk
• 4. Overall audit risk (Inherent x Control x Detection)
Risk Assessment Methodology
 Step 1: System Characterization
 Input: system-related info including
 Hardware
 Software
 System interfaces
 Data and information
 People
 System mission
 Output: a good picture of system boundary, functions, criticality and sensitivity
Risk Assessment Methodology
 Step 2: Threat Identification
 Input:
 Security violation reports
 Incident reports
 Data from intelligence agencies and mass media
 Output: threat statement listing potential threat-sources (natural, human, environmental) applicable to the system being evaluated
Risk Assessment Methodology
 Step 3: Vulnerability Identification
 Input:
 System security tests (e.g. VA/penetration tests)
 Audit results
 Vulnerability lists/advisories
 Automated vulnerability scanning tools: Nessus, GFI, OpenVAS, etc.
 Security Test & Evaluation (ST&E): development & execution of a test plan
 Security requirements checklist (contains basic security standards)
 Output: list of system vulnerabilities (flaws or weaknesses) that could be exploited – vulnerability/threat pairs
Security Analysis Technique
• Ways to analyze the controls’ sufficiency
• Vulnerability Assessment
• Application Design Review
• Source Code Review
• Penetration Testing
• Security Assessment & Audit
• Gap Analysis

Vulnerability Sources
• Major areas to be included
• Technical: communications, cryptography, discretionary access control, identification & authentication, intrusion detection, object reuse, system audit
• Operational: controlling the environment (smoke, dust etc.), power supply, media access & disposal, external data distribution, facility protection, humidity, temperature control etc.
• Management: assigning responsibilities, support continuity, incident response capability, periodic review, risk assessment, security & technical training etc.
Risk Assessment Methodology
 Step 4: Control Analysis
 Input: current controls, planned controls
 Control methods – may be technical or non-technical
 Control categories – preventative or detective (e.g. audit trails)
 Output: list of current and planned controls

Types of Controls
• What each level means in terms of security
• Technical (Logical): anti-virus programs, password protection, firewall, ACLs, auditing etc.
• Physical: locks, alarms etc.
• Administrative: policies & procedures, including personnel controls such as security clearances, background checks etc.
Risk Assessment Methodology
 Step 5: Likelihood Determination
 Input:
 Threat-source motivation & capability
 Nature of the vulnerability
 Existence & effectiveness of current controls
 Output: likelihood rating of High, Medium or Low

Likelihood Level
• The probability of the event occurring
• Low: the threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
• Medium: the threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
• High: the threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
Risk Assessment Methodology
 Step 6: Impact Analysis
 Input:
 System mission
 System and data criticality
 System and data sensitivity
 Analysis: adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
 Output: impact rating of High, Medium or Low

Magnitude of Impact Analysis
• Measuring the impact
• Low: exercise of the vulnerability may result in (1) some loss of some tangible assets or resources, (2) an effect on the organization’s mission, reputation or interest
• Medium: exercise of the vulnerability may result in (1) expensive loss of some tangible assets or resources, (2) some damage to the organization, (3) human injury
• High: exercise of the vulnerability may result in (1) expensive loss of major tangible assets or resources, (2) significant damage to the organization, (3) human death/injury
Types of Impact Analysis
• Qualitative & Quantitative
• Quantitative
  • Provides a measurement of the impacts’ magnitude
  • Depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear
• Qualitative
  • Prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities
  • Makes a cost-benefit analysis of any recommended controls difficult, because it does not provide specific quantifiable measurements of the magnitude of the impacts
Risk Assessment Methodology
 Step 7: Risk Determination
 Input:
 Likelihood of threat
 Magnitude of risk
 Adequacy of planned or current controls
 Output:
 Risk Level Matrix (Risk Level = Threat Likelihood x Threat Impact)
 Risk Scale and Necessary Actions

Description of Risk Level
• What each level means in terms of security
• Low: the system’s DAA must determine whether corrective actions are still required or decide to accept the risk
• Medium: corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time
• High: there is a strong need for corrective measures; an existing system may continue to operate, but a corrective action plan must be put into place asap

Risk-Level Matrix (Risk Level = Threat Likelihood x Impact)

Threat Likelihood | Impact: Low (10)     | Impact: Medium (50)    | Impact: High (100)
High (1.0)        | Low (10 x 1.0 = 10)  | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Medium (0.5)      | Low (10 x 0.5 = 5)   | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50)
Low (0.1)         | Low (10 x 0.1 = 1)   | Low (50 x 0.1 = 5)     | Low (100 x 0.1 = 10)
Risk Assessment Methodology
 Step 8: Control Recommendations
 Factors to consider
 Effectiveness of recommended option
 Legislation and regulation
 Organizational policy
 Operational impact
 Safety and reliability
 Output: recommended controls and alternative solutions to mitigate risk

Control Recommendation
• Types of controls which can be recommended
• Deterrent controls: discourage incidents
• Preventive controls: avoid incidents
• Detective controls: identify incidents
• Corrective controls: remedy/mitigate the incidents
• Compensative controls: alternative controls (e.g. supervision)
• Recovery controls: restore conditions to NORMAL

Control Matrix
• Matching type of controls with recommendations
• (Matrix table not reproduced in the extracted text.) The table illustrates the various methods which can be adopted for each recommendation type and control type.
Risk Assessment Methodology
 Step 9: Results Documentation
 Output: Risk Assessment Report
 Presented to senior management and mission owners
 Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
 Purpose: assist decision-makers in making decisions on policy, procedural, budget and system operational and management changes
Types of Risk Treatments
• MATR & 4T
• MATR: Mitigate, Transfer, Accept, Reject
• 4T: Treat, Transfer, Tolerate, Terminate
Risk Mitigation
• Mitigating the risks identified
• Risk Assumption: accept the potential risk and continue operating the IT system, or lower the risk to an acceptable level
• Risk Limitation: controls which limit the risk by using supporting, preventive and detective controls
• Risk Planning: manage the risk by developing plans which prioritize, implement and manage controls
• Risk Avoidance: shut down/forego some systems/functions when the risks are identified
• Research & Acknowledgement: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
• Risk Transference: transfer the risk by using options such as insurance
Residual Risk
• The risk which we choose to accept
• Diagram: new/enhanced controls reduce the number of flaws/errors, add a targeted control, or reduce the magnitude of impact; what remains is the residual risk
Risk Management Model
• Anticipating threats
• Cycle (diagram): Identify, Assess, Plan, Implement, Monitor, Control

Risk Assessment
1. Introduction

More Related Content

What's hot

Risk Management
Risk ManagementRisk Management
Risk Managementrajuinstru
 
Good Risk Software and Why a Spreadsheet will not DO IT!
Good Risk Software and Why a Spreadsheet will not DO IT!Good Risk Software and Why a Spreadsheet will not DO IT!
Good Risk Software and Why a Spreadsheet will not DO IT!Andrew Ferguson
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk AssessmentMichael Lines
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides SlideTeam
 
RMMM-Risk Management,Mitigation and Monitoring.
RMMM-Risk Management,Mitigation and Monitoring.RMMM-Risk Management,Mitigation and Monitoring.
RMMM-Risk Management,Mitigation and Monitoring.Aparna Nayak
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Risk assessment techniques a critical success factor
Risk assessment techniques a critical success factorRisk assessment techniques a critical success factor
Risk assessment techniques a critical success factorPECB
 
How to Prioritize Risks with Qualitative and Quantitative Risk analysis
How to Prioritize Risks with Qualitative and Quantitative Risk analysisHow to Prioritize Risks with Qualitative and Quantitative Risk analysis
How to Prioritize Risks with Qualitative and Quantitative Risk analysisiZenBridge Consultancy Pvt. Ltd.
 
Concept to risk management ( In context to Q9)
Concept to risk management ( In context to Q9)Concept to risk management ( In context to Q9)
Concept to risk management ( In context to Q9)Subhakanta Dhal
 
Seven questions answered by process hazard analysis
Seven questions answered by process hazard analysisSeven questions answered by process hazard analysis
Seven questions answered by process hazard analysisPaul Baybutt
 
Qualitative risk analysis
Qualitative risk analysisQualitative risk analysis
Qualitative risk analysissonali talkar
 

What's hot (20)

Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Good Risk Software and Why a Spreadsheet will not DO IT!
Good Risk Software and Why a Spreadsheet will not DO IT!Good Risk Software and Why a Spreadsheet will not DO IT!
Good Risk Software and Why a Spreadsheet will not DO IT!
 
risk analysis
 risk analysis risk analysis
risk analysis
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit Approach
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides
 
RMMM-Risk Management,Mitigation and Monitoring.
RMMM-Risk Management,Mitigation and Monitoring.RMMM-Risk Management,Mitigation and Monitoring.
RMMM-Risk Management,Mitigation and Monitoring.
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
Project risk analysis
Project risk analysisProject risk analysis
Project risk analysis
 
Risk management
Risk managementRisk management
Risk management
 
Risk assessment techniques a critical success factor
Risk assessment techniques a critical success factorRisk assessment techniques a critical success factor
Risk assessment techniques a critical success factor
 
How to Prioritize Risks with Qualitative and Quantitative Risk analysis
How to Prioritize Risks with Qualitative and Quantitative Risk analysisHow to Prioritize Risks with Qualitative and Quantitative Risk analysis
How to Prioritize Risks with Qualitative and Quantitative Risk analysis
 
Concept to risk management ( In context to Q9)
Concept to risk management ( In context to Q9)Concept to risk management ( In context to Q9)
Concept to risk management ( In context to Q9)
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Seven questions answered by process hazard analysis
Seven questions answered by process hazard analysisSeven questions answered by process hazard analysis
Seven questions answered by process hazard analysis
 
Project Risk Management
Project Risk ManagementProject Risk Management
Project Risk Management
 
Qualitative risk analysis
Qualitative risk analysisQualitative risk analysis
Qualitative risk analysis
 
Project managment 10
Project managment  10Project managment  10
Project managment 10
 

Similar to Risk assessment managment and risk based audit approach

Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptxdotco
 
List of Current and Planned ControlsStep 4. Contr.docx
List of Current and Planned ControlsStep 4.  Contr.docxList of Current and Planned ControlsStep 4.  Contr.docx
List of Current and Planned ControlsStep 4. Contr.docxsmile790243
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system• Product quality review (PQR) • Qu...Introduction to quality management system• Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...samahhamed3
 
ICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk ManagementICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk Managementmuna_ali
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specificationAryan Ajmer
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfAbdulrafiiMohammed
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
ICH Q9 QUALITY RISK MANAGEMENT(QRM)
ICH Q9 QUALITY RISK MANAGEMENT(QRM)ICH Q9 QUALITY RISK MANAGEMENT(QRM)
ICH Q9 QUALITY RISK MANAGEMENT(QRM)saimsoleja
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk managementDr. Lasantha Ranwala
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
Risk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryRisk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryMahesh shinde
 

Similar to Risk assessment managment and risk based audit approach (20)

Security risk management
Security risk managementSecurity risk management
Security risk management
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
List of Current and Planned ControlsStep 4. Contr.docx
List of Current and Planned ControlsStep 4.  Contr.docxList of Current and Planned ControlsStep 4.  Contr.docx
List of Current and Planned ControlsStep 4. Contr.docx
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1  Risk ManagementCISSP Chapter 1  Risk Management
CISSP Chapter 1 Risk Management
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system• Product quality review (PQR) • Qu...Introduction to quality management system• Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...
 
ICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk ManagementICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk Management
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdf
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
ICH Q9 QUALITY RISK MANAGEMENT(QRM)
ICH Q9 QUALITY RISK MANAGEMENT(QRM)ICH Q9 QUALITY RISK MANAGEMENT(QRM)
ICH Q9 QUALITY RISK MANAGEMENT(QRM)
 
Presentation on QRM_NS
Presentation on QRM_NSPresentation on QRM_NS
Presentation on QRM_NS
 
Session 18 4th edition PMP
Session 18 4th edition PMPSession 18 4th edition PMP
Session 18 4th edition PMP
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk management
 
Quality risk management
Quality risk managementQuality risk management
Quality risk management
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
ICH Q9.pptx
ICH Q9.pptxICH Q9.pptx
ICH Q9.pptx
 
Risk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryRisk management in pharmaceutical Industry
Risk management in pharmaceutical Industry
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 

Recently uploaded (20)

LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...

Risk Assessment, Management and Risk Based Audit Approach

1. Risk Assessment and Management & Risk Based Audit Approaches
   Kiran Joshi

2. Table of Contents
   • Introduction
   • Risk
   • Risk Based Audit Approaches
   • Keep in touch!
   • Risk Assessment and Calculations
   • Losses & Controls
   • Risk Management Model
   • Things to Consider
   • Risk Treatments
   • Types of Treatments
   • Methodology
   • How to manage the Risk?

3. Risk Impact: the effect a risk can have
   • To quantify a risk, both the probability of an event that adversely affects an asset (people, plant, equipment, finances, data, etc.) and the impact of losing that asset must be considered.
   • Based on this classification, appropriate actions can then be taken according to a cost-benefit analysis.
   • Risk = (probability of the event occurring) x (impact of the event occurring)

4. Risk Assessment: a definition
   • "The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact."

5. Classification of Losses: the types of losses that can occur
   • Financial: loss of money or decrease in financial value.
   • Operational: loss of operational integrity of the process.
   • Reputational: loss of the organization's reputation due to interruption of services.
   • Legal: losses meaning any and all expenses, damages, losses, liabilities, judgments, fines and penalties.

6. Types of risk
   • 1. Inherent risk
   • 2. Control risk
   • 3. Detection risk
   • 4. Overall audit risk = Inherent risk x Control risk x Detection risk
9. Risk Assessment Methodology: Step 1, System Characterization
   • Input: system-related information, including
     - Hardware
     - Software
     - System interfaces
     - Data and information
     - People
     - System mission
   • Output: a good picture of the system boundary, functions, criticality and sensitivity

10. Risk Assessment Methodology: Step 2, Threat Identification
   • Input:
     - Security violation reports
     - Incident reports
     - Data from intelligence agencies and the mass media
   • Output: a threat statement listing the potential threat-sources (natural, human, environmental) applicable to the system being evaluated

11. Risk Assessment Methodology: Step 3, Vulnerability Identification
   • Input:
     - System security tests (e.g. vulnerability assessment / penetration tests)
     - Audit results
     - Vulnerability lists and advisories
     - Automated vulnerability scanning tools: Nessus, GFI, OpenVAS, etc.
     - Security Test & Evaluation (ST&E): development and execution of a test plan
     - Security requirements checklist (contains the basic security standards)
   • Output: a list of system vulnerabilities (flaws or weaknesses) that could be exploited, expressed as vulnerability/threat pairs

12. Security Analysis Techniques: ways to analyze the controls' sufficiency
   • Vulnerability Assessment
   • Application Design Review
   • Source Code Review
   • Penetration Testing
   • Security Assessment & Audit
   • Gap Analysis

13. Vulnerability Sources: major areas to be included
   • Technical: communications, cryptography, discretionary access control, identification & authentication, intrusion detection, object reuse, system audit
   • Operational: control of the environment (smoke, dust, etc.), power supply, media access & disposal, external data distribution, facility protection, humidity and temperature control, etc.
   • Management: assignment of responsibilities, continuity of support, incident response capability, periodic review, risk assessment, security & technical training, etc.

14. Risk Assessment Methodology: Step 4, Control Analysis
   • Input: current controls, planned controls
   • Control methods: technical or non-technical
   • Control categories: preventive or detective (e.g. audit trails)
   • Output: list of current and planned controls

15. Types of Controls: what each level means in terms of security
   • Technical (logical): anti-virus programs, password protection, firewalls, ACLs, auditing, etc.
   • Physical: locks, alarms, etc.
   • Administrative: policies & procedures, including personnel controls such as security clearances, background checks, etc.

16. Risk Assessment Methodology: Step 5, Likelihood Determination
   • Input:
     - Threat-source motivation & capability
     - Nature of the vulnerability
     - Existence & effectiveness of current controls
   • Output: likelihood rating of High, Medium or Low

17. Likelihood Level: the probability of the event occurring
   • High: the threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
   • Medium: the threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
   • Low: the threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

18. Risk Assessment Methodology: Step 6, Impact Analysis
   • Input:
     - System mission
     - System and data criticality
     - System and data sensitivity
   • Analysis: adverse impact described in terms of loss or degradation of integrity, confidentiality and availability
   • Output: impact rating of High, Medium or Low

19. Magnitude of Impact: measuring the impact
   • High: exercise of the vulnerability may result in (1) expensive loss of major tangible assets or resources, (2) significant damage to the organization, or (3) human death or injury.
   • Medium: exercise of the vulnerability may result in (1) expensive loss of some tangible assets or resources, (2) some damage to the organization, or (3) human injury.
   • Low: exercise of the vulnerability may result in (1) some loss of tangible assets or resources, or (2) may affect the organization's mission, reputation or interests.

20. Types of Impact Analysis: qualitative & quantitative
   • Quantitative
     - Provides a measurement of the impacts' magnitude
     - Depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear
   • Qualitative
     - Prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities
     - Makes a cost-benefit analysis of any recommended controls difficult, because it does not provide specific quantifiable measurements of the magnitude of the impacts
22. Risk Assessment Methodology: Step 7, Risk Determination
   • Input:
     - Likelihood of the threat
     - Magnitude of the impact
     - Adequacy of planned or current controls
   • Output:
     - Risk-level matrix (Risk Level = Threat Likelihood x Threat Impact)
     - Risk scale and necessary actions

23. Description of Risk Level: what each level means in terms of security
   • High: there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
   • Medium: corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
   • Low: the system's DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk.

24. Risk-Level Matrix (Risk Level = Threat Likelihood x Threat Impact)

   Threat Likelihood | Impact: Low (10)        | Impact: Medium (50)      | Impact: High (100)
   ------------------+-------------------------+--------------------------+---------------------------
   High (1.0)        | 10 x 1.0 = 10   Low     | 50 x 1.0 = 50   Medium   | 100 x 1.0 = 100   High
   Medium (0.5)      | 10 x 0.5 = 5    Low     | 50 x 0.5 = 25   Medium   | 100 x 0.5 = 50    Medium
   Low (0.1)         | 10 x 0.1 = 1    Low     | 50 x 0.1 = 5    Low      | 100 x 0.1 = 10    Low

   Risk scale implied by the cell labels: Low 1 to 10, Medium above 10 to 50, High above 50 to 100.

25. Risk Assessment Methodology: Step 8, Control Recommendations
   • Factors to consider:
     - Effectiveness of the recommended option
     - Legislation and regulation
     - Organizational policy
     - Operational impact
     - Safety and reliability
   • Output: recommended controls and alternative solutions to mitigate risk

26. Control Recommendation: types of controls that can be recommended
   • Deterrent controls: discourage incidents
   • Preventive controls: avoid incidents
   • Detective controls: identify incidents
   • Corrective controls: remedy / mitigate incidents
   • Recovery controls: restore conditions to normal
   • Compensating controls: alternative controls (e.g. supervision)

27. Control Matrix: matching type of control with recommendation
   • The table on this slide illustrates the methods that can be adopted for each recommendation type and control type.

28. Risk Assessment Methodology: Step 9, Results Documentation
   • Output: Risk Assessment Report
     - Presented to senior management and mission owners
     - Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
   • Purpose: assist decision-makers in making decisions on policy, procedural, budget, and system operational and management changes
30. Types of Risk Treatments: MATR & 4T
   • MATR: Mitigate, Transfer, Accept, Reject
   • 4T: Treat, Transfer, Tolerate, Terminate

31. Risk Mitigation: mitigating the risks identified
   • Risk Assumption: accept the potential risk and continue operating the IT system, or lower the risk to an acceptable level
   • Risk Limitation: limit the risk by implementing controls (supporting, preventive, detective)
   • Risk Planning: manage the risk by developing plans that prioritize, implement and manage controls
   • Risk Avoidance: shut down or forgo some systems or functions when the risks are identified
   • Research & Acknowledgement: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it
   • Risk Transference: transfer the risk by using options such as insurance

32. Residual Risk: the risk we choose to accept
   • New or enhanced controls reduce risk by reducing the number of flaws/errors, adding a targeted control, or reducing the magnitude of impact
   • The risk that remains after those controls are applied is the residual risk
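As an added example (not code from the slides), the Step 5-7 calculation and the residual-risk view of slide 32 carried through in Python. It uses the slide 24 numbers (likelihood weights 1.0/0.5/0.1, impact values 10/50/100) and the risk scale those cells imply (Low 1-10, Medium above 10 to 50, High above 50), together with the slide 23 actions. Two assumptions are mine: a control is modelled as lowering the likelihood or the impact rating by whole steps (a control that removes flaws or targets the threat-source lowers likelihood; one that contains the damage lowers impact), and the threat/vulnerability register with its control effects is constructed sample data.

```python
"""Risk-level matrix, risk scale and residual risk (added example, not from the slides).

Assumptions (not on the page): controls lower a rating by whole steps, and the
REGISTER entries below are constructed sample data.
"""
from dataclasses import dataclass

RATINGS = ("Low", "Medium", "High")                  # ordered ascending
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # slide 24
IMPACT_VALUE = {"Low": 10, "Medium": 50, "High": 100}          # slide 24
ACTION = {                                                     # slide 23
    "Low": "DAA decides whether corrective action is still required or accepts the risk",
    "Medium": "Corrective actions needed; plan them within a reasonable period",
    "High": "Strong need for corrective measures; corrective action plan as soon as possible",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk Level = Threat Likelihood x Threat Impact (slide 22)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_VALUE[impact]


def risk_level(score: float) -> str:
    """Map a score onto the scale implied by the matrix cell labels."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Rebuild the 3x3 matrix: matrix[likelihood][impact] = (score, level)."""
    matrix = {}
    for lk in RATINGS:
        matrix[lk] = {}
        for im in RATINGS:
            score = risk_score(lk, im)
            matrix[lk][im] = (score, risk_level(score))
    return matrix


@dataclass(frozen=True)
class RiskItem:
    threat: str          # threat-source (Step 2)
    vulnerability: str   # weakness it could exploit (Step 3)
    likelihood: str      # Step 5 rating
    impact: str          # Step 6 rating

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def lower_rating(rating: str, steps: int) -> str:
    """Drop a rating by `steps` levels, never below Low (assumed control model)."""
    return RATINGS[max(0, RATINGS.index(rating) - steps)]


def apply_control(item: RiskItem, likelihood_down: int = 0, impact_down: int = 0) -> RiskItem:
    """Residual risk (slide 32): fewer flaws / a targeted control lowers likelihood,
    containing the damage lowers impact."""
    return RiskItem(item.threat, item.vulnerability,
                    lower_rating(item.likelihood, likelihood_down),
                    lower_rating(item.impact, impact_down))


# Constructed sample register: (item, control, likelihood steps down, impact steps down)
REGISTER = [
    (RiskItem("External attacker", "Unpatched internet-facing web server", "High", "High"),
     "Patch management + WAF", 1, 0),
    (RiskItem("Malicious insider", "Shared administrator password", "Medium", "High"),
     "Individual accounts with MFA", 1, 0),
    (RiskItem("Power failure", "Single UPS in server room", "Medium", "Medium"),
     "Redundant power feed", 0, 1),
    (RiskItem("Lost laptop", "Full-disk encryption already enforced", "Low", "Low"),
     "None (risk accepted)", 0, 0),
]


def assess(register=REGISTER) -> list:
    """Inherent vs residual risk, with the slide 23 action for the residual level."""
    rows = []
    for item, control, lk_down, im_down in register:
        residual = apply_control(item, lk_down, im_down)
        rows.append({
            "pair": f"{item.threat} / {item.vulnerability}",
            "inherent": (item.score, item.level),
            "control": control,
            "residual": (residual.score, residual.level),
            "action": ACTION[residual.level],
        })
    return rows


if __name__ == "__main__":
    for lk in reversed(RATINGS):
        cells = ", ".join(f"{im}: {s:g} ({lvl})" for im, (s, lvl) in risk_matrix()[lk].items())
        print(f"Likelihood {lk:6s} -> {cells}")
    for row in assess():
        print(row["pair"], row["inherent"], "->", row["control"], "->", row["residual"])
```

Note that the scale boundaries matter at the edges: High likelihood against Low impact scores 10 and stays Low, while Medium likelihood against High impact scores 50 and stays Medium, exactly as the matrix labels them; a cut-off of "50 or more is High" would silently promote that second cell.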
34. Risk Management Model: anticipating threats
   • Risk assessment cycle: Identify -> Assess -> Plan -> Implement -> Monitor -> Control