SlideShare a Scribd company logo

cupdf.com_it-security-management-and-risk-assessment.pdf

A
AgusNursidik

This document outlines the process of IT security risk assessment. It discusses key terminology like assets, threats, vulnerabilities, and risks. It then describes different approaches to security risk assessment like baseline, informal, formal, and combined. The detailed risk analysis process is also explained including steps like asset identification, threat identification, vulnerability identification, risk analysis, likelihood determination, impact analysis, risk determination, and control recommendations. Specific examples are provided to illustrate each step of the risk assessment process.

Internet
1 of 22
Download to read offline
IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
4 10.2 SECURITY RISK ASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
5 10.2.1 Baseline Approach  Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
7 10.2.2 Informal Approach  Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
8 10.2.3 Detailed / Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
9 10.2.4 Combined Approach  Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
11 10.3.1 Asset Identification / System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
12 10.3.2 Threat Identification  To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
13 10.3.2 a) Threat Sources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
14 10.3.3 Vulnerability Identification  Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
15 10.3.4 Analyze Risks / Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
18 Rating Consequence Expanded Definition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
21 Risk Level Description Extreme (E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT

Recommended

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptx
StevenTharp2
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
Tripwire
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devices
Frédéric Sagez
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
CompTIA
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
ishan parikh production
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
IJCSIS Research Publications
 

Recommended

L11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptxL11 Transition And Key Roles and SAT ROB IRP.pptx
L11 Transition And Key Roles and SAT ROB IRP.pptx
StevenTharp2
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
Tripwire
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devices
Frédéric Sagez
 
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
Adding Analytics to your Cybersecurity Toolkit with CompTIA Cybersecurity Ana...
CompTIA
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
ishan parikh production
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
IJCSIS Research Publications
 
Ch9
Ch9Ch9
Ch9
phanleson
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
Aryan Ajmer
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for CyberinfrastructureLightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
muhammad awais
 
Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015
Hitachi Solutions America, Ltd.
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
mydrynan
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
Pace IT at Edmonds Community College
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
Chandan Singh Ghodela
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
amiable_indian
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
bagotjesusa
 
INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTINFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
Ni
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
CPaschal
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
amiable_indian
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
Alan Holyoke
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
Happiest Minds Technologies
 
elkstack-161217091231.pdf
elkstack-161217091231.pdfelkstack-161217091231.pdf
elkstack-161217091231.pdf
AgusNursidik
 
1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
AgusNursidik
 

More Related Content

Similar to cupdf.com_it-security-management-and-risk-assessment.pdf

Ch9
Ch9Ch9
Ch9
phanleson
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
Aryan Ajmer
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for CyberinfrastructureLightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
muhammad awais
 
Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015
Hitachi Solutions America, Ltd.
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
mydrynan
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
Pace IT at Edmonds Community College
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
Chandan Singh Ghodela
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
amiable_indian
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
bagotjesusa
 
INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTINFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
Ni
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
CPaschal
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
amiable_indian
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
Alan Holyoke
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
Happiest Minds Technologies
 

Similar to cupdf.com_it-security-management-and-risk-assessment.pdf (20)

Ch9
Ch9Ch9
Ch9
 
Critical systems specification
Critical systems specificationCritical systems specification
Critical systems specification
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for CyberinfrastructureLightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
 
information security management
information security managementinformation security management
information security management
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
 
INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTINFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 

More from AgusNursidik

elkstack-161217091231.pdf
elkstack-161217091231.pdfelkstack-161217091231.pdf
elkstack-161217091231.pdf
AgusNursidik
 
1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
AgusNursidik
 
2.ELK.pdf
2.ELK.pdf2.ELK.pdf
2.ELK.pdf
AgusNursidik
 
Prezentare_RSA.pptx
Prezentare_RSA.pptxPrezentare_RSA.pptx
Prezentare_RSA.pptx
AgusNursidik
 
UI Developer - Elasticsearch - 20200421.pptx
UI Developer - Elasticsearch - 20200421.pptxUI Developer - Elasticsearch - 20200421.pptx
UI Developer - Elasticsearch - 20200421.pptx
AgusNursidik
 
1. Network Fundamental.pptx
1. Network Fundamental.pptx1. Network Fundamental.pptx
1. Network Fundamental.pptx
AgusNursidik
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
AgusNursidik
 
2.Intro Risk.ppt
2.Intro Risk.ppt2.Intro Risk.ppt
2.Intro Risk.ppt
AgusNursidik
 
ELK_-_FWWG.pptx
ELK_-_FWWG.pptxELK_-_FWWG.pptx
ELK_-_FWWG.pptx
AgusNursidik
 

More from AgusNursidik (9)

elkstack-161217091231.pdf
elkstack-161217091231.pdfelkstack-161217091231.pdf
elkstack-161217091231.pdf
 
1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
 
2.ELK.pdf
2.ELK.pdf2.ELK.pdf
2.ELK.pdf
 
Prezentare_RSA.pptx
Prezentare_RSA.pptxPrezentare_RSA.pptx
Prezentare_RSA.pptx
 
UI Developer - Elasticsearch - 20200421.pptx
UI Developer - Elasticsearch - 20200421.pptxUI Developer - Elasticsearch - 20200421.pptx
UI Developer - Elasticsearch - 20200421.pptx
 
1. Network Fundamental.pptx
1. Network Fundamental.pptx1. Network Fundamental.pptx
1. Network Fundamental.pptx
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
2.Intro Risk.ppt
2.Intro Risk.ppt2.Intro Risk.ppt
2.Intro Risk.ppt
 
ELK_-_FWWG.pptx
ELK_-_FWWG.pptxELK_-_FWWG.pptx
ELK_-_FWWG.pptx
 

Recently uploaded

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 

Recently uploaded (20)

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 

cupdf.com_it-security-management-and-risk-assessment.pdf

  • 1. IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
  • 2. Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 3. 3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 4. 4 10.2 SECURITY RISK ASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 5. 5 10.2.1 Baseline Approach  Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 6. 6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 7. 7 10.2.2 Informal Approach  Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 8. 8 10.2.3 Detailed / Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 9. 9 10.2.4 Combined Approach  Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 10. 10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 11. 11 10.3.1 Asset Identification / System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 12. 12 10.3.2 Threat Identification  To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 13. 13 10.3.2 a) Threat Sources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 14. 14 10.3.3 Vulnerability Identification  Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 15. 15 10.3.4 Analyze Risks / Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 16. 16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 17. 17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 18. 18 Rating Consequence Expanded Definition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 19. 19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 20. 20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 21. 21 Risk Level Description Extreme (E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 22. 22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT