CISSP Chapter 1 Risk Management
Risk Management
Predict – Preempt – Protect
Karthikeyan Dhayalan
Risk Management
• Process of identifying and assessing risk, reducing it to an acceptable level
• Risk Analysis
• The process by which the goals of risk management are achieved
• Includes examining an environment for risk, evaluating each threat
event to its likelihood and the cost of damage, creating cost/benefit
report for safeguards to present to management.
• NIST SP 800-39 defines 3 tiers of risk management
• Organizational tier – Concerned with the risk to the business as a whole
• Business process tier – Deals with a major function within the organization
• Information Systems tier – Addresses risk from an information system perspective
Risk Terminologies
• Asset – Anything that has value to the organization
• Threat – Any potential occurrence that may cause an undesirable outcome for the asset
• Threat Agent – The entity that takes advantage of a vulnerability
• Vulnerability – A weakness in an asset, or the absence or weakness of a control measure
• Exposure – Being susceptible to asset loss due to a threat; an instance of a threat taking advantage of a vulnerability. The exposure factor (the share of the asset's value lost per incident) is what is expressed as a percentage
• Risk – The likelihood that a threat will exploit the vulnerability, weighted by the resulting impact; Risk = Threat * Vulnerability * Impact
• Safeguard – Anything that removes or reduces a vulnerability or protects against a threat
Information Systems Risk Management Policy
• Should be a subset of Overall Risk Management Policy
• It provides the foundation and direction for the organization's security and risk management processes and procedures
• Should address the following
• Objectives of ISRM Team
• Risk appetite
• Formal process for Risk identification
• Connection between ISRM and Organization’s strategic planning process
• Roles and Responsibilities of ISRM Team
• Mapping of Risk to Internal controls
• Mapping of Risk to performance targets
• Key indicators to monitor the effectiveness of controls
Risk Management Process
• 4 Interrelated components that comprise the risk management process
• Frame Risk:
• Defines the context within which all risk activities take place (assumptions, constraints, risk tolerance and priorities)
• Assess Risk:
• Most critical aspect of the process; assessing the risks to determine mitigation
strategies
• Respond to Risk:
• Determining the risk response options available
• Monitor Risk:
• Continuously monitor the effectiveness of controls against the risks as well as look
for new risks.
Risk Analysis
• Risk Assessment – Method of identifying vulnerabilities and threats and assessing the possible impacts to
determine where to implement the security controls
• Risk Analysis
• Carried out after risk assessment; ensures security is cost-effective, relevant, timely and responsive to
the threats
• Helps prioritize risks and shows management the amount of resources needed to protect in a sensible
manner
• 4 main goals of risk analysis
• Identify Assets and their values to the organization
• Identify vulnerabilities and threats
• Quantify the probability and business impact of these potential threats
• Provide cost benefit analysis of the safeguard
• Risk Analysis must be supported and directed by senior management
• Management must define the purpose and scope of analysis, appoint a team to carry out assessment and
allocate necessary resources
• Risk Analysis helps integrate the security objectives with the business objectives
1. Asset Valuation
• Aspects to consider when assigning value to the assets
• Cost to acquire or develop
• Cost to maintain and protect
• Value to owner and users
• Value to adversaries
• Price others are willing to pay
• Cost to replace the asset if lost
• Operational and production activities affected if the asset is not available
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
Asset Valuation - Benefits
• Helps in performing effective cost/benefit analysis
• Helps select specific countermeasures and safeguards
• Determine the level of insurance coverage to purchase
• Understand what exactly is at risk
• Comply with legal and regulatory requirements
Identifying Vulnerability and Threats
• Loss Potential
• What the company will lose if a threat agent actually takes advantage of a vulnerability
• Eg: data corruption, destruction, information disclosure
• Delayed Loss
• Secondary in nature; takes place well after a vulnerability is exploited
• May include damage to reputation, loss of market share, accrued penalties etc.
Risk Assessment Methodology
• We will cover the following methodologies:
• NIST SP 800-30
• Facilitated Risk Analysis Process (FRAP)
• OCTAVE
• AS/NZS 4360
• Failure Modes and Effects Analysis (FMEA)
• Fault Tree Analysis
• CRAMM
NIST 800-30
• NIST SP 800-30 (Guide for Conducting Risk Assessments) is focused on computer systems and IT security issues: preparing for, conducting, communicating and maintaining a risk assessment
• The 6 step Risk Management Framework (RMF) for federal systems that is usually taught alongside it is defined in the companion NIST SP 800-37; the SP 800-30 risk assessment feeds the RMF
• Categorize the information system
• Select the security controls
• Implement the security controls
• Assess the security controls
• Authorize the information system
• Monitor the security controls
• Revision 2 of SP 800-37 adds a preparatory step (Prepare) in front of these six
FRAP - Facilitated Risk Analysis Process
• Focuses only on systems that really need assessing, to reduce cost and
time obligations.
• Stresses pre-screening activities so that RA steps are carried only on items
that need it most
• Used to analyse one system, application or business process at a time
• It does not support the idea of calculating exploitation probability or ALE
• Goal is to ensure efficiency and cost effectiveness by keeping the assessment scope simple and small
OCTAVE
• Developed by the CERT Coordination Center at Carnegie Mellon's Software Engineering Institute (SEI)
• Intended to be used in situations where people manage and direct the risk evaluation within their own organization
• Relies on the idea that people working in the organization are best positioned to understand its risks and what is needed to address them
• The scope of the assessment is much wider than FRAP's
• The individuals perform the assessment via facilitated workshops
AS/NZS 4360
• Takes a broader approach to risk management
• More focused on the health of the company from a business point of view than on security
• It can be used to understand the company's financial, capital, human and business decision risks
• Has since been superseded by ISO 31000, adopted in Australia and New Zealand as AS/NZS ISO 31000:2009
Failure Mode and Effects Analysis (FMEA)
• Method of identifying (in a structured way)
• Functions
• Functional Failures
• Cause of failure
• Effects of failure
• This is commonly used in product development and operational
environments
• Goal is to identify failure points and either fix or reduce the impact of the
failure
• It is used in assurance risk management because of the level of detail, variables and complexity it captures
• Because it examines one component or function at a time, it is not useful for detecting complex failure modes that involve multiple systems interacting; that is where fault tree analysis is used
Fault Tree Analysis
• Most useful approach to identify failures in more complex environments and
systems
• An un-desired effect is taken as the root and events that can contribute to
this effect are added as a tree
• Some common software failures that can be explored
• False alarms
• Insufficient error handling
• Sequencing or order
• Incorrect timing outputs
• Valid but not expected outputs
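An added example, not from the original slides, of what is done with a fault tree once it has been drawn: the undesired effect sits at the root, AND/OR gates combine the events that contribute to it, and from the tree one can compute the probability of the top event (assuming independent basic events) and its minimal cut sets, the smallest combinations of basic events that are enough to cause it. The tree, the event names and the probabilities below are constructed for illustration:

```python
"""Fault tree analysis: top-event probability and minimal cut sets.

Added worked example, not from the original slides; the tree, event names
and probabilities are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event (a leaf) with its estimated probability over the assessment period."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """AND: every input must occur; OR: any one input is enough."""
    name: str
    kind: str                       # "AND" or "OR"
    inputs: tuple                   # of Event or Gate


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability that the node occurs.

    Assumes basic events are independent and that no basic event appears
    in more than one branch; with repeated events, work from the minimal
    cut sets instead.
    """
    if isinstance(node, Event):
        if not 0.0 <= node.probability <= 1.0:
            raise ValueError(f"{node.name}: probability must be between 0 and 1")
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        none_occur = 1.0
        for x in ps:
            none_occur *= 1.0 - x
        return 1.0 - none_occur
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list[frozenset]:
    """Smallest combinations of basic events that are sufficient for the node to occur.

    OR gates add alternatives; AND gates combine one alternative from each input.
    Supersets of another cut set are dropped, so each returned set is minimal.
    """
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = [s for sets in child_sets for s in sets]
    elif node.kind == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")
    unique = set(candidates)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Constructed tree: how could an attacker end up reading customer records?
PHISHED = Event("admin password phished", 0.10)
NO_MFA = Event("MFA not enforced on admin portal", 0.30)
UNPATCHED = Event("DB server unpatched", 0.20)
EXPLOIT = Event("public exploit available", 0.40)
BUCKET = Event("backup bucket publicly readable", 0.02)

TOP = Gate("attacker reads customer records", "OR", (
    Gate("credential path", "AND", (PHISHED, NO_MFA)),
    Gate("exploit path", "AND", (UNPATCHED, EXPLOIT)),
    BUCKET,                         # a single event that is enough on its own
))

if __name__ == "__main__":
    print(f"P(top event) = {probability(TOP):.4f}")
    for cut in minimal_cut_sets(TOP):
        print("cut set:", sorted(cut))
```

Cut sets of size one are single points of failure and are where remediation effort goes first; in the constructed tree the publicly readable backup bucket is one, even though its probability is the lowest. The probability formula is only valid while basic events are independent and appear once in the tree; if the same event feeds two branches, reason from the cut sets rather than from the gate arithmetic.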
CRAMM
• CCTA Risk Analysis and Management Method, created by the UK government's Central Computer and Telecommunications Agency; its automated tools were later sold by Siemens
• Works in three distinct stages
• Define objectives
• Assess risks
• Identify countermeasures
• The method is heavily tool-driven: data gathering, risk calculation and countermeasure selection are carried out through the automated CRAMM tool
Risk Analysis Approaches
Quantitative Risk Analysis
• Assigns monetary and numeric values to all elements of the Risk analysis
process
• More scientific or mathematical approach to Risk Assessment
• Uses risk Calculations to attempt to predict the level of monetary loss, and
the probability for each type of threat
• The reports are fairly user friendly
• However, not all elements can be quantified
Quantitative Risk Analysis – 6 Steps
1. Assign Asset Value (AV)
2. Calculate Exposure Factor (EF)
3. Calculate Single Loss Expectancy (SLE)
4. Assess Annualized Rate of Occurrence (ARO)
5. Derive Annualized Loss Expectancy (ALE)
6. Perform Cost/Benefit Analysis of the countermeasure
Key Terms in Quantitative Analysis
Exposure Factor (EF)
• % loss the organization would suffer if a risk materializes
• Also referred to as loss potential
Single Loss Expectancy (SLE)
• Cost associated with a single realized risk against a specific asset
• SLE = AV * EF
• It is calculated in $ value
Annualized Rate of Occurrence (ARO)
• Frequency with which a specific threat is expected to occur within a single year
• Ranges from 0 (threat will not occur) to very large numbers
• It is also known as probability determination
Annualized Loss Expectancy (ALE)
• Possible yearly cost of all instances of a specific threat realized against a specific asset
• ALE = SLE * ARO
Annual Cost of Safeguard (ACS)
• The cost of procuring, developing and maintaining a control against a potential threat, per year
• The ACS should not exceed the ALE
Cost Benefit Analysis
• ALE before Safeguard – ALE after Safeguard – Cost of Countermeasure =
Value of the safeguard to the company
• If the above result is negative the safeguard is not financially reasonable to
be implemented
• It is also important to consider the issues of legal responsibility and prudent
due care
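A worked run of the six quantitative steps and the cost/benefit rule above, as an added example that is not part of the original slides. The scenario figures (a customer database valued at 1,000,000, a ransomware threat with EF 40% and ARO 0.5, and three candidate safeguards with their annual costs and the EF/ARO that remain after each) are constructed for illustration; the `mandatory` flag is an assumption that models the legal-responsibility and due-care point, which can justify a safeguard even when its computed value is negative:

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and safeguard cost/benefit.

Added worked example; the scenario figures below are constructed for
illustration, not data from the original slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    asset_value: float      # AV, in currency units
    threat: str
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # ACS: procure + develop + maintain, per year
    residual_ef: float       # EF that remains once the safeguard is in place
    residual_aro: float      # ARO that remains once the safeguard is in place
    mandatory: bool = False  # required by law, regulation or due care, whatever the numbers say


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle(asset_value, ef) * aro


def safeguard_value(s: RiskScenario, g: Safeguard) -> float:
    """Value of a safeguard = ALE before - ALE after - ACS (negative: not cost-justified)."""
    before = ale(s.asset_value, s.exposure_factor, s.aro)
    after = ale(s.asset_value, g.residual_ef, g.residual_aro)
    return before - after - g.annual_cost


def evaluate(s: RiskScenario, options: list[Safeguard]) -> list[dict]:
    """Rank candidate safeguards for one scenario, best net value first.

    'adopt' is True when the safeguard pays for itself, or when it is mandatory
    (legal responsibility and prudent due care override a negative number).
    """
    before = ale(s.asset_value, s.exposure_factor, s.aro)
    rows = []
    for g in options:
        value = safeguard_value(s, g)
        rows.append({
            "safeguard": g.name,
            "ale_before": before,
            "ale_after": ale(s.asset_value, g.residual_ef, g.residual_aro),
            "acs": g.annual_cost,
            "value": value,
            "acs_exceeds_ale": g.annual_cost > before,  # the ACS should not exceed the ALE
            "adopt": value >= 0 or g.mandatory,
        })
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed scenario: a customer database worth 1,000,000 hit by ransomware;
# one incident destroys 40% of its value and is expected once every two years.
DB_RANSOMWARE = RiskScenario(
    asset="customer database", asset_value=1_000_000,
    threat="ransomware", exposure_factor=0.40, aro=0.5,
)

# Constructed candidate safeguards (names, costs and residual figures are assumptions).
CANDIDATES = [
    Safeguard("offline backups with tested restores", annual_cost=30_000,
              residual_ef=0.10, residual_aro=0.5),
    Safeguard("EDR plus mail filtering", annual_cost=80_000,
              residual_ef=0.40, residual_aro=0.1),
    Safeguard("full platform rebuild on isolated network", annual_cost=250_000,
              residual_ef=0.05, residual_aro=0.05),
]

if __name__ == "__main__":
    s = DB_RANSOMWARE
    print(f"SLE = {sle(s.asset_value, s.exposure_factor):,.0f}")
    print(f"ALE = {ale(s.asset_value, s.exposure_factor, s.aro):,.0f}")
    for row in evaluate(s, CANDIDATES):
        print(f"{row['safeguard']:<45} value={row['value']:>10,.0f} adopt={row['adopt']}")
```

With these figures SLE is 400,000 and ALE is 200,000: tested backups cut the exposure factor and are worth 120,000 a year, endpoint and mail controls cut the occurrence rate and are worth 80,000, while the isolated rebuild costs more than the whole ALE and comes out at -52,500, so it is not financially reasonable unless something other than the arithmetic (a regulatory obligation, for instance) demands it.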
Qualitative Risk Analysis
• Uses a softer approach to Risk analysis
• It does not quantify the data, does not use calculations
• It is more opinion and scenario based and uses rating system
• Techniques include judgement, best practices, intuition, and experience
• Methods
• Brainstorming, Delphi technique, storyboarding, focus groups, surveys,
questionnaire, checklists, one-on-one meetings, Interviews
Qualitative Risk Analysis Methods
• Brainstorming – A group decision-making technique designed to generate a large number of creative ideas through an interactive process
• Delphi Technique – Based on the principle that decisions from a structured group of individuals are more accurate than those from an unstructured group. The experts answer questionnaires in two or more rounds; after each round a facilitator provides an anonymous summary of the experts' decisions from the previous round, with the reasons they gave for their judgements, and the rounds continue until the group converges
• Storyboarding – Processes are turned into panels of images depicting the process, so that it can be understood and discussed
• Focus Groups – Panels of users evaluate the user impact and state their likes and dislikes regarding the safeguard being evaluated
• Surveys – Used as an initial information-gathering tool; the results of each survey can influence the content of the other evaluation methods
• Questionnaires – Limit the responses of participants more than surveys do, so they should be used later in the process
• Checklists – Used to make sure the safeguards being evaluated cover all aspects of the threats
Qualitative vs Quantitative
Qualitative
• Requires no calculations
• Involves high degree of guess work
• Provides general areas and indications of
risk
• Does not allow Cost/benefit analysis
• Based on opinions of individuals
• Eliminates the opportunity to create a
dollar value for Cost/benefit analysis
• Hard to develop a security budget from
the results
Quantitative
• Does more complex calculations
• Mathematical and statistical calculations
• Uses independently verifiable and
objective metrics
• Allows cost/benefit analysis
• It is easier to automate
• Used in Risk management performance
tracking
• Without automated tools, the process is
very difficult
• More preliminary work is needed to
gather detailed information about the
environment
Countermeasure/Safeguard Selection
• Modularity
• Should provide uniform protection across the assets it covers
• Provide override functionality (for emergencies and authorised exceptions)
• Default to least privilege
• Balance flexibility and security
• Should not panic users
• Clear distinction between user and admin roles
• Minimum human intervention
• Easily upgraded
• Auditing functionality
• Output should be in a usable format
• Testable
• Should not introduce new compromise
• Should not degrade system or user performance
Total Risk vs Residual Risk
Total Risk = Threats * Vulnerability * Asset Value
Residual Risk = (Threats * Vulnerability * Asset Value) * control gaps
Residual Risk = Total Risk – countermeasures
• These are conceptual relationships rather than arithmetic: residual risk is whatever portion of the total risk the selected countermeasures leave uncovered, and it is the residual risk that management must formally accept
Handling Risk
• Reduce or Mitigate the risk – Implement safeguards to eliminate vulnerabilities or block threats
• Risk Assignment or Transfer – Place the cost of the risk on another entity, e.g. through insurance or outsourcing; the financial loss moves, but accountability to customers and regulators does not
• Risk Acceptance – A conscious, documented decision to live with the risk
• Risk Avoidance – Terminate the activity that is introducing the risk
• Risk Rejection or Ignoring – An unacceptable response: pretending the risk does not exist or ignoring it
Control Categories
• Three categories: administrative, technical (also called logical) and physical
Administrative Control
• Policies and procedures defined by an organization
• Also referred to as management controls
• Focuses on personnel and business practices
• Eg: policy, hiring practices, training, data classification
Technical Control
• Also called logical control; the hardware and/or software mechanisms used to manage access and provide protection
• Eg: firewall, passwords, biometrics, authentication systems, IDS, routers, anti-virus
Physical Control
• Physical mechanisms deployed to prevent, monitor or detect contact with systems or facilities
• Eg: guards, fences, CCTV, dogs, mantraps, alarms
Karthikeyan Dhayalan

More Related Content

What's hot

CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
CompTIA CySA+ certification (CS0-003) changes: Everything you need to know
CompTIA CySA+ certification (CS0-003) changes: Everything you need to knowCompTIA CySA+ certification (CS0-003) changes: Everything you need to know
CompTIA CySA+ certification (CS0-003) changes: Everything you need to knowInfosec
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3  - Physical securityCISSP - Chapter 3  - Physical security
CISSP - Chapter 3 - Physical securityKarthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalKarthikeyan Dhayalan
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALCYBER SENSE
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureKarthikeyan Dhayalan
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 

What's hot (20)

CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
 
CompTIA CySA+ certification (CS0-003) changes: Everything you need to know
CompTIA CySA+ certification (CS0-003) changes: Everything you need to knowCompTIA CySA+ certification (CS0-003) changes: Everything you need to know
CompTIA CySA+ certification (CS0-003) changes: Everything you need to know
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3  - Physical securityCISSP - Chapter 3  - Physical security
CISSP - Chapter 3 - Physical security
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network Fundamental
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Chapter 1 Law & Ethics
Chapter 1   Law & EthicsChapter 1   Law & Ethics
Chapter 1 Law & Ethics
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Domain 2 - Asset Security
Domain 2 - Asset SecurityDomain 2 - Asset Security
Domain 2 - Asset Security
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU Architecture
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 

Similar to CISSP Chapter 1 Risk Management

crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptxdotco
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxAbraraw Zerfu
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 
Risk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryRisk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryMahesh shinde
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
ICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk ManagementICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk Managementmuna_ali
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system• Product quality review (PQR) • Qu...Introduction to quality management system• Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...samahhamed3
 

Similar to CISSP Chapter 1 Risk Management (20)

crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
Entetrprise risk management process
Entetrprise risk  management processEntetrprise risk  management process
Entetrprise risk management process
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Hazard analysis
Hazard analysisHazard analysis
Hazard analysis
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptx
 
Risk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryRisk management in pharmaceutical Industry
Risk management in pharmaceutical Industry
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
ICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk ManagementICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk Management
 
Introduction to quality management system • Product quality review (PQR) • Qu...
Introduction to quality management system• Product quality review (PQR) • Qu...Introduction to quality management system• Product quality review (PQR) • Qu...
Introduction to quality management system • Product quality review (PQR) • Qu...
 

Recently uploaded

Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 

Recently uploaded (20)

Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
CISSP Chapter 1 Risk Management

1. Risk Management
Predict – Preempt – Protect
Karthikeyan Dhayalan

2. Risk Management
• Process of identifying and assessing risk, and reducing it to an acceptable level
• Risk Analysis
  • The process by which the goals of risk management are achieved
  • Includes examining an environment for risk, evaluating each threat event for its likelihood and the cost of damage, and creating a cost/benefit report for safeguards to present to management
• NIST 800-39 defines 3 tiers of risk management
  • Organizational tier – Concerned with the risk to the business as a whole
  • Business process tier – Deals with a major function within the organization
  • Information Systems tier – Addresses risk from an information system perspective

3. Risk Terminologies
• Asset – Anything that has value
• Threat – Any potential occurrence that may cause an undesirable outcome on the asset
• Threat Agent – The entity that takes advantage of the vulnerability
• Vulnerability – Weakness in an asset, or absence/weakness of a control measure
• Exposure – Being susceptible to asset loss due to a threat; an instance of a threat taking advantage of a vulnerability; always measured in %
• Risk – Likelihood that a threat will exploit the vulnerability; Risk = Threat * Vulnerability * Impact
• Safeguard – Anything that removes or reduces a vulnerability or protects against a threat

4. Information Systems Risk Management Policy
• Should be a subset of the overall Risk Management Policy
• Provides the foundation and direction for the organization's security and risk management processes and procedures
• Should address the following
  • Objectives of the ISRM team
  • Risk appetite
  • Formal process for risk identification
  • Connection between ISRM and the organization's strategic planning process
  • Roles and responsibilities of the ISRM team
  • Mapping of risk to internal controls
  • Mapping of risk to performance targets
  • Key indicators to monitor the effectiveness of controls

5. Risk Management Process
• 4 interrelated components comprise the risk management process
  • Frame Risk: Defines the context within which all risk activities take place
  • Assess Risk: Most critical aspect of the process; assessing the risks to determine mitigation strategies
  • Respond to Risk: Determining the risk response options available
  • Monitor Risk: Continuously monitor the effectiveness of controls against the risks, and look for new risks

6. Risk Analysis
• Risk Assessment – Method of identifying vulnerabilities and threats and assessing the possible impacts, to determine where to implement security controls
• Risk Analysis
  • Carried out after risk assessment; ensures security is cost-effective, relevant, timely and responsive to the threats
  • Helps prioritize risks and shows management the amount of resources needed to protect assets in a sensible manner
• 4 main goals of risk analysis
  • Identify assets and their value to the organization
  • Identify vulnerabilities and threats
  • Quantify the probability and business impact of these potential threats
  • Provide a cost/benefit analysis of the safeguards
• Risk analysis must be supported and directed by senior management
  • Management must define the purpose and scope of the analysis, appoint a team to carry out the assessment, and allocate the necessary resources
• Risk analysis helps integrate the security objectives with the business objectives

7. 1. Asset Valuation
• Aspects to consider when assigning value to assets
  • Cost to acquire or develop
  • Cost to maintain and protect
  • Value to owners and users
  • Value to adversaries
  • Price others are willing to pay
  • Cost to replace the asset if lost
  • Operational and production activities affected if the asset is not available
  • Liability issues if the asset is compromised
  • Usefulness and role of the asset in the organization

8. Asset Valuation – Benefits
• Helps in performing effective cost/benefit analysis
• Helps select specific countermeasures and safeguards
• Determines the level of insurance coverage to purchase
• Clarifies what exactly is at risk
• Helps comply with legal and regulatory requirements

9. Identifying Vulnerabilities and Threats
• Loss Potential
  • What the company will lose if a threat agent actually takes advantage of a vulnerability
  • Eg: data corruption, destruction, information disclosure
• Delayed Loss
  • Secondary in nature; takes place well after a vulnerability is exploited
  • May include damage to reputation, loss of market, accrued penalties etc.

10. Risk Assessment Methodology
• We will cover the following methodologies
  • NIST 800-30
  • Facilitated Risk Analysis Process (FRAP)
  • OCTAVE
  • AS/NZS 4360
  • Failure Modes and Effects Analysis (FMEA)
  • Fault Tree Analysis
  • CRAMM

11. NIST 800-30
• Focused on computer systems and IT security issues
• Establishes a 6-step Risk Management framework for federal systems
  • Categorize the information system
  • Select the security controls
  • Implement the security controls
  • Assess the security controls
  • Authorize the information system
  • Monitor the security controls

12. FRAP – Facilitated Risk Analysis Process
• Focuses only on systems that really need assessing, to reduce cost and time obligations
• Stresses pre-screening activities so that RA steps are carried out only on the items that need them most
• Used to analyse one system, application or business process at a time
• Does not support the idea of calculating exploitation probability or ALE
• Goal is to ensure efficiency and cost-effectiveness by keeping the assessment scope simple and small

13. OCTAVE
• Intended for situations where people manage and direct the risk evaluation within their own organization
• Relies on the idea that the people working in the organization are best positioned to understand its risks and what is needed to address them
• The scope of the assessment is much wider than FRAP's
• The individuals perform the assessment via facilitated workshops

14. AS/NZS 4360
• Takes a broader approach to risk management
• More focused on the health of the company from a business point of view than on security
• Can be used to understand the company's financial, capital, human, and business decision risks

15. Failure Mode and Effects Analysis (FMEA)
• Method of identifying, in a structured way
  • Functions
  • Functional failures
  • Causes of failure
  • Effects of failure
• Commonly used in product development and operational environments
• Goal is to identify failure points and either fix them or reduce the impact of the failure
• Used in assurance risk management because of its level of detail, variables and complexity
• Not useful for detecting complex failure modes involving multiple systems

16. Fault Tree Analysis
• Most useful approach to identify failures in more complex environments and systems
• An undesired effect is taken as the root, and events that can contribute to this effect are added as a tree
• Some common software failures that can be explored
  • False alarms
  • Insufficient error handling
  • Sequencing or order
  • Incorrect timing of outputs
  • Valid but unexpected outputs
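The fault tree idea above, worked through in code. This is an added example and not part of the slide deck: the tree (an undesired top event "sensitive data disclosed", decomposed through AND/OR gates into basic events) and every probability in it are constructed for illustration, and the gate rules assume the basic events are independent.

```python
"""Fault tree analysis worked through in code.

Added example, not from the slide deck.  The undesired top event sits at
the root; AND/OR gates decompose it into the basic events that can
contribute to it.  With the basic events assumed independent, the gate
rules give the probability of the top event:
    AND gate: P = product of the inputs
    OR  gate: P = 1 - product of (1 - input)
The tree and the probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import product as cartesian


@dataclass
class Event:
    """Basic event (a leaf) with its probability over the assessment period."""
    name: str
    prob: float


@dataclass
class Gate:
    """Intermediate node: "AND" needs every input, "OR" needs at least one."""
    name: str
    kind: str
    inputs: list = field(default_factory=list)


def probability(node):
    """Probability that `node` occurs, treating basic events as independent."""
    if isinstance(node, Event):
        return node.prob
    probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "OR":
        p_none = 1.0
        for q in probs:
            p_none *= 1.0 - q
        return 1.0 - p_none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events that, together, cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    else:  # AND: one cut set from each input must hold at the same time
        combined = [frozenset().union(*combo) for combo in cartesian(*child_sets)]
    # keep only cut sets that do not contain a smaller cut set
    minimal = [cs for cs in set(combined) if not any(other < cs for other in combined)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def example_tree():
    """Constructed tree for the undesired event "sensitive data disclosed"."""
    backup_path = Gate("backup media lost and readable", "AND", [
        Event("backup media lost", 0.05),
        Event("backup media unencrypted", 0.5),
    ])
    return Gate("sensitive data disclosed", "OR", [
        backup_path,
        Event("web application data leak", 0.02),
    ])


def top_event_probability():
    return probability(example_tree())


if __name__ == "__main__":
    tree = example_tree()
    print(f"P({tree.name}) = {probability(tree):.4f}")
    for cs in minimal_cut_sets(tree):
        print("cut set:", sorted(cs))
```

The minimal cut sets are the practical output of the analysis: each one names a combination of basic events that is sufficient on its own to produce the undesired effect, so a single-event cut set (here, the web application leak) points at where one control stands between the organization and the loss, while the two-event AND branch shows that encrypting backups removes a whole path rather than just lowering a probability.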
17. CRAMM
• Created by the UK; its automated tools are sold by Siemens
• Works in three distinct stages
  • Define objectives
  • Assess risks
  • Identify countermeasures
• A completely automated way of performing risk assessment

19. Quantitative Risk Analysis
• Assigns monetary and numeric values to all elements of the risk analysis process
• More scientific or mathematical approach to risk assessment
• Uses risk calculations to attempt to predict the level of monetary loss and the probability for each type of threat
• The reports are fairly user friendly
• However, not all elements can be quantified

20. Quantitative Risk Analysis – 6 Steps
• Assign asset value
• Calculate exposure factor
• Calculate single loss expectancy
• Assess annualized rate of occurrence
• Derive annualized loss expectancy
• Perform cost/benefit analysis of countermeasures

21. Key Terms in Quantitative Analysis
• Exposure Factor (EF)
  • % loss the organization would suffer if a risk materializes
  • Also referred to as loss potential
• Single Loss Expectancy (SLE)
  • Cost associated with a single realized risk against a specific asset
  • SLE = AV * EF
  • Calculated in $ value
• Annualized Rate of Occurrence (ARO)
  • Frequency with which a specific threat will occur within a single year
  • Ranges from 0 (threat will not occur) to very large numbers
  • Also known as probability determination
• Annualized Loss Expectancy (ALE)
  • Possible yearly cost of all instances of a specific threat realized against a specific asset
  • ALE = SLE * ARO
• Annual Cost of Safeguard (ACS)
  • The cost associated with procuring, developing and maintaining a control against a potential threat
  • The ACS should not exceed the ALE

22. Cost Benefit Analysis
• ALE before safeguard – ALE after safeguard – Cost of countermeasure = Value of the safeguard to the company
• If the result is negative, the safeguard is not financially reasonable to implement
• It is also important to consider the issues of legal responsibility and prudent due care
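The six quantitative steps and the cost/benefit formula from slides 20 to 22, carried through in code. This is an added example, not from the slide deck: the threat scenario, asset value, exposure factors, rates of occurrence and safeguard costs are all constructed numbers chosen so that one candidate safeguard comes out cost-justified and the other does not.

```python
"""Quantitative risk analysis worked through in code.

Added example, not from the slide deck.  It follows the six steps on the
slides: asset value (AV) and exposure factor (EF) give SLE = AV * EF, the
annualized rate of occurrence (ARO) gives ALE = SLE * ARO, and the value
of a safeguard is ALE before - ALE after - annual cost of the safeguard.
All asset values, factors and costs below are constructed for
illustration, not taken from a real assessment.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO, expected incidents per year


@dataclass
class Safeguard:
    name: str
    annual_cost: float            # ACS: procurement, development and upkeep per year
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF; EF is a fraction, so a 40% loss is 0.4, not 40."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO; an ARO of 0 means the threat is not expected to occur."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def threat_ale(threat):
    """ALE of a threat with no safeguard in place."""
    return annualized_loss_expectancy(
        single_loss_expectancy(threat.asset_value, threat.exposure_factor), threat.aro)


def safeguard_value(threat, safeguard):
    """ALE before - ALE after - ACS.  Negative means the control does not pay for itself."""
    ale_before = threat_ale(threat)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(threat.asset_value, safeguard.exposure_factor_after),
        safeguard.aro_after)
    return ale_before - ale_after - safeguard.annual_cost


def choose_safeguard(threat, candidates):
    """Return the candidate with the largest positive value, or None if none is justified."""
    best = max(candidates, key=lambda s: safeguard_value(threat, s))
    return best if safeguard_value(threat, best) > 0 else None


# Constructed scenario: a file server valued at 500,000, threatened by ransomware.
EXAMPLE_THREAT = Threat("ransomware on file server", asset_value=500_000,
                        exposure_factor=0.4, aro=0.25)

EXAMPLE_SAFEGUARDS = [
    # Cuts the damage per incident (EF) but not how often it happens (ARO).
    Safeguard("offline backups with tested restore", annual_cost=12_000,
              exposure_factor_after=0.1, aro_after=0.25),
    # Cuts how often incidents succeed (ARO) but, at this price, costs more than it saves.
    Safeguard("endpoint detection suite", annual_cost=35_000,
              exposure_factor_after=0.4, aro_after=0.1),
]


if __name__ == "__main__":
    print(f"ALE before any safeguard: {threat_ale(EXAMPLE_THREAT):,.0f}")
    for sg in EXAMPLE_SAFEGUARDS:
        print(f"{sg.name}: value {safeguard_value(EXAMPLE_THREAT, sg):,.0f}")
    chosen = choose_safeguard(EXAMPLE_THREAT, EXAMPLE_SAFEGUARDS)
    print("chosen:", chosen.name if chosen else "none justified")
```

A safeguard can lower the loss per incident (EF), the frequency (ARO), or both, and the formula treats these the same way: only the resulting ALE after the control matters. The rejected candidate is a reminder of the slide's own caveat that a negative value settles the financial question but not the legal-responsibility or due-care one.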
23. Qualitative Risk Analysis
• Uses a softer approach to risk analysis
• Does not quantify the data and does not use calculations
• More opinion- and scenario-based; uses a rating system
• Techniques include judgement, best practices, intuition, and experience
• Methods
  • Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, interviews

24. Qualitative Risk Analysis Methods
• Brainstorming – A group decision-making technique designed to generate a large number of creative ideas through an interactive process
• Delphi Technique
  • Based on the principle that decisions from a structured group of individuals are more accurate than those from an unstructured group
  • The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts' decisions from the previous round as well as the reasons they provided for their judgments
• Storyboarding – Processes are turned into panels of images depicting the process, so that it can be understood and discussed
• Focus Groups – Panels of users evaluate the user impact and state their likes and dislikes regarding the safeguard being evaluated
• Surveys – Used as an initial information-gathering tool. Results of each survey can influence the content of other evaluation methods
• Questionnaires – Limit the responses of participants more than surveys, so they should be used later in the process
• Checklists – Used to make sure the safeguards being evaluated cover all aspects of the threats

25. Qualitative vs Quantitative
• Qualitative
  • Requires no calculations
  • Involves a high degree of guesswork
  • Provides general areas and indications of risk
  • Does not allow cost/benefit analysis
  • Based on opinions of individuals
  • Eliminates the opportunity to create a dollar value for cost/benefit analysis
  • Hard to develop a security budget from the results
• Quantitative
  • Does more complex calculations
  • Mathematical and statistical calculations
  • Uses independently verifiable and objective metrics
  • Allows cost/benefit analysis
  • Easier to automate
  • Used in risk management performance tracking
  • Without automated tools, the process is very difficult
  • More preliminary work is needed to gather detailed information about the environment

26. Countermeasure/Safeguard Selection
• Modularity
• Should provide uniform protection
• Provide override functionality
• Default to least privilege
• Flexibility and security
• Should not panic users
• Clear distinction between user and admin
• Minimum human intervention
• Easily upgraded
• Auditing functionality
• Output should be in a usable format
• Testable
• Should not introduce a new compromise
• System and user performance

27. Total Risk vs Residual Risk
• Total Risk = Threats * Vulnerability * Asset Value
• Residual Risk = (Threats * Vulnerability * Asset Value) * control gaps
• Residual Risk = Total Risk – countermeasures

28. Handling Risk
• Reduce or Mitigate the risk – Implement safeguards to eliminate vulnerabilities or block threats
• Risk Assignment or Transfer – Placement of the cost of risk on another entity
• Risk Acceptance – Conscious decision to live with the risk
• Risk Avoidance – Terminate the activity that is introducing the risk
• Risk Rejection or Ignore – Rejecting or ignoring the risk is an unacceptable response

29. Control Categories
• Administrative control, Logical control, Physical control
• Administrative Control
  • Policies and procedures defined by an organization
  • Also referred to as management controls
  • Focuses on personnel and business practices
  • Eg: policy, hiring practices, training, data classification
• Technical Control
  • Involves the hardware and/or software mechanisms used to manage and provide protection
  • Eg: firewall, password, biometrics, authentication systems, IDS, routers, AV
• Physical Control
  • Physical mechanisms deployed to prevent, monitor or detect contact with systems or facilities
  • Eg: guards, fences, CCTV, dogs, mantraps, alarms