Risk assessment principles and guidelines

10,919 views

Published on

Risk assessment principles and guidelines is a presentation slides was created and presented at Mission Critical Workshop. This slides is part of Business Continuity Management (BCM) presentation which intended for professional who is responsible for BCM or Risk Assessment Program.

Published in: Economy & Finance, Business

Risk assessment principles and guidelines

  1. 1. 1 of 24
  2. 2. 2 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:07
  3. 3. 3 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:09 Introduction Abstract
  4. 4. 4 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:10 Introduction Abstract
  5. 5. 5 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:12 Introduction Objective  To ensure that IT related risks are identified, analyzed and presented in order to ensure information security for the organization.  To identify measures or controls to be taken to mitigate the risk to an acceptable level. 1 2 3 4
  6. 6. 6 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:14
  7. 7. 7 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:15 RiskManagement Generic Approach
  8. 8. 8 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:17 RiskManagement Generic Process Risk Decision Point 2 Treatment satisfactory Risk Decision Point 1 Assessmentsatisfactory Context Establishment Reduction Retention Avoidance Transfer RiskMonitoringandReview RiskAssessment Risk Treatment Reference: ISO/IEC 27005 Risk Acceptance RiskCommunication Risk Evaluation Risk Estimation Risk Identification RiskAnalysis Yes No Yes No
  9. 9. 9 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:20
  10. 10. 10 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:21 RiskAssessment Methodology
  11. 11. 11 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:24 Likelihood The goal is to identify the potential threat-sources and develop a list of system vulnerabilities that could be exploited by the potential threat-sources. RiskAssessment Likelihood Description Score Rare Rarely happen or very unlikely to happen 1 Unlikely Not seen within last 5 years or unlikely to happen 2 Moderate Seen within last 5 years but not within last year or likely to happen 3 Likely Seen within last year or very likely to happen 4 Most likely Happens on a regular basis or most likely to happen 5
  12. 12. 12 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:26 Impact Level and Scoring – Mission Critical Scenario The goal is to measure level of risk and determine the adverse impact resulting from a successful threat exercise of a vulnerability. RiskAssessment Impact Level Description Score Insignificant Impact that would not cause any exposure of information, any effects to national security, any injury, any unauthorized entry, any asset loss, or no system or operation disruption. 1 Minor Impact that would cause exposure of Restricted information, “undesirable effects” to national security, less than minor injury, undetected or delay in the detection of unauthorized entry with no asset loss or access to sensitive materials, or no system or operation disruption. 2 Major Impact that would cause exposure of Confidential information, “damage” or be “prejudicial” to national security, or harmful to national interest, national reputation, Government activities or to individual, or cause embarrassment or difficulty to administration, or give benefits to foreign powers, bringing limited financial losses to the Organization, minor injury not requiring hospitalization, undetected or delay in the detection of unauthorized entry resulting in limited access to assets or sensitive materials, or no mission impairment, or minor system and operation disruption. 3 Material Impact that would cause exposure of Secret information, “serious damage” to national security, interest and reputation, give great benefits to foreign powers, bringing significant financial losses to the Organization, severe injury to human resources, loss of valuable asset resulting from undetected or unauthorized access, unacceptable mission delays, or unacceptable system and operation disruption. 4 Catastrophic Impact that would cause exposure of Top Secret information, “exceptionally grave damage” to national security, bringing physical or financial losses to the Organization, loss of life, loss of critical assets, significant impairment of mission over extended period of time, or catastrophic or widespread loss of systems services. 5
  13. 13. 13 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:27 Risk Matrix and Impact Level RiskAssessment  Low risk  No mitigation required  Action must be taken to maintain the risk level and implemented in long-term plan  Critical risk, immediate action required  Risk mitigation is required to lower the risk to an acceptable level  Action must be taken ASAP  High risk, management attention needed.  Risk mitigation is required to lower the risk to an acceptable level  Implementation plan must be developed and included in short-term plan  Medium risk  Risk mitigation may required to maintain or reduce the risk level  Implementation plan must be developed and included in mid-term plan
  14. 14. 14 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:31 RiskAssessment Risk Treatment Process Risk Decision Point 2 Risk Decision Point 1 Risk Assessment Results Reduction Retention Avoidance Transfer Risk Treatment Options Satisfactory Assessment Residual Risk Satisfactory Treatment RiskTreatment
  15. 15. 15 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:32 RiskAssessment Risk Treatment Process – continue Risk reduction involves approaches that reduce the probability of the vulnerability being triggered or reduce the impact when the vulnerability is triggered. Reducing a risk most often involves putting in place controls. Reduce Risk retention means accepting the loss when it occurs. Risk retention is a viable strategy for small-impact risks where the cost of insuring against the risk would be greater over time than the total losses sustained. Plans should be put in place to manage the consequences of these risks if they should occur, including identifying a means of financing the risk. Risks can also be retained by default, i.e. when there is a failure to identify and/or appropriately transfer or otherwise treat risks. Retain Risk avoidance means simply not performing the activity that carries the risk. Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain. Avoidance Risk transfer means passing the risk on to another party that is willing to accept the risk, typically by contract, partnership and/or joint ventures. Insurance is an example of risk transfer using contracts. The transfer of a risk to other parties, or physical transfer to other places, will reduce the risk for the original organization, but may not diminish the overall level of risk to society. Where risks are transferred in whole or in part, the organization transferring the risk has acquired a new risk, in that the organization to which the risk has been transferred, may not manage the risk effectively. Transfer
  16. 16. 16 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:34 RiskAssessment Risk Acceptance Risk acceptance can be defined as the decision and approval by high authority party to accept the remaining risk after the treatment process is concluded. Once accepted, residual risks are considered as risks that the high authority party knowingly takes. The level and extent of accepted risks comprise one of the major parameters of the Risk Management process. In other words, the higher the accepted residual risks, the less the work involved in managing risks (and inversely). Assess Treatment Options Develop Treatment Plan Implementation Plan A number of options may be considered and applied either individually or in combination. Selection of the most appropriate option involves balancing the cost of implementing each option against the benefits derived from it. In general, the cost of managing risks needs to be commensurate with the benefits obtained. Plans should document how the chosen options shall be implemented. The treatment plan should identify responsibilities, schedules, expected outcome of treatments, budgeting, performance measures and the review process to be set in place. Implementation treatment plan should document how the chosen options shall be implemented and approve by the management and/or project sponsors.
  17. 17. 17 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:35 RiskAssessment Risk Communication Perceptions of risk can vary due to differences in assumptions, concepts and the needs, issues and concerns of stakeholders as they relate to risk or the issues under discussion. Risk communication should be carried out in order to achieve the following:  To provide assurance of the outcome of the organization's risk management.  To collect risk information.  To share the results from the risk assessment and present the risk treatment plan.  To avoid or reduce both occurrence and consequence of information security breaches due to the lack of mutual understanding among decision makers and stakeholders.  To support decision-making.  To obtain new information security knowledge.  To co-ordinate with other parties and plan responses to reduce consequences of any incident.  To give decision makers and stakeholders a sense of responsibility about risks.  To improve awareness.
  18. 18. 18 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:39 RiskAssessment Risk Communication Risks are not static. Threats, vulnerabilities, likelihood or consequences may change abruptly without any indication. Therefore constant monitoring is necessary to detect these changes This monitoring and review activities should continuously monitored and addressed (but not limited to):  New assets that have been included in the risk management scope.  Necessary modification of asset values, e.g. due to changed business requirements.  New threats that could be active both outside and inside the organization and that have not been assessed.  Possibility that new or increased vulnerabilities could allow threats to exploit these new or changed vulnerabilities.  Identified vulnerabilities to determine those becoming exposed to new or re-emerging threats.  Increased impact or consequences of assessed threats, vulnerabilities and risks In aggregation resulting in an unacceptable level of risk  Information security incidents.  Legal and environmental.  Impact criteria.  Risk acceptance criteria.  Necessary resources.
  19. 19. 19 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:43
  20. 20. 20 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:44 Risk Identification Example RiskAssessment No/ID Asset Owner Threat Vulnerabilities Current Control Planned Control Primary Security Concern Likelihood Impact Score A1 Central DB Ahmed – business function A Abuse of rights There are 8 administrator account which may allow user to log on using these account and knowingly or unknowingly perform damaging actions. None Limit administrator account to at least 1 or 2 account only. N (None- repudiation) 3 5 15 A2 Web Portal A Ahmed – business function A Sabotage Ineffective user registration, deregistration and logging functionalities Syslog None I (Integrity) 1 4 4 A3 Router John – business function B Passwd cracking Network device may configured with common, default and/or weak passwords configuration. Policy and procedure None C (Confidentiality) 2 4 8
  21. 21. 21 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:45 Risk Treatment Options Example RiskAssessment No/ID Risk Treatment Justification Risk Owner A1 15 Reduce a) There are 8 administrator account which may allow user to log on using these account and knowingly or unknowingly perform damaging actions. b) Logging management system is not sufficient to detect changes in the central DB. c) There are no database firewall implemented to monitor administrator access and activities. Ahmed – business function A A2 4 Avoid a) Implement NAC or similar security control. b) Logging management system is not sufficient to detect changes in the central DB. c) There are no database firewall implemented to monitor administrator access and activities. Ahmed – business function A A3 8 Retain a) Current default password is not an ‘easy to guess’ password. b) Last incident was 8 years back. John – business function B
  22. 22. 22 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:47 Risk Treatment Plan Example RiskAssessment No/ID Risk Treatment Plan Risk Owner Resolve By A1 15 Reduce Limit administrator account to at least 1 or 2 account only: a) Setup a test server to simulate the requirement and observe the impact to the systems. b) Develop a proper access control matrix. Ahmed – business function A ASAP 30/09/2013 A2 4 Avoid a) Replace logging management system with sufficient security control to detect changes in the central DB. b) Implement database firewall. c) Implement data integrity solution such as tripwire. Ahmed – business function A Long-term A3 8 Retain Conduct security audit, vulnerability assessment and hardening exercise. John – business function B Mid-term 01/01/2014
  23. 23. 23 of 24 Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist. haris.slash@gmail.com http://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:48 Risk Implementation Treatment Plan Example RiskAssessment No/ID Plan Risk Owner Resource Required Resolve By Expected Outcome Cost A1 Limit administrator account to at least 1 or 2 account only: a) Setup a test server to simulate the requirement and observe the impact to the systems. b) Develop a proper access control matrix. Ahmed – business function A 1 x Server administrator 1 x DB administrator 1 x Technical Security Engineer ASAP 30/09/2013 Administrator is limit to 1 or 2 account only and other users are only allow based on their roles. MYR 5k A2 a) Replace logging management system with sufficient security control to detect changes in the central DB. b) Implement database firewall. c) Implement data integrity solution such as tripwire. Ahmed – business function A 1 x Technical Security Consultant Long-term The system is effectively monitor user registration, deregistration and logging functionalities MYR 150k A3 Conduct security audit, vulnerability assessment and hardening exercise. John – business function B 1 x Technical Security Consultant 1 x Technical Security Engineer Mid-term 01/01/2014 Hardened network device, al passwords are set and comply to security policy, and password cracking attempt should be logged and monitored. MYR 200k
  24. 24. 24 of 24

×