2. Information Security Risk Assessment Basics
Contents
What is Risk???
Information Security Assessment Overview
Risk Assessment Framework
Data Collection and Analysis
Asset Scoping
Preparation of Threat and Vulnerabilities Catalogs
System Risk Computations
Impact Analysis Scheme
Final Risk Score
What is Risk?
• Risk is a quantitative measure of the potential damage caused by a specific threat.
• In other words, risk is the potential of gaining or losing something of value.
Information Security Assessment Overview
• Risk management is the process of analyzing exposure to risk and determining how best to handle that exposure.
• Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
Risk Assessment Framework
• A framework is a structure for supporting something else.
• Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:
  • the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF); the four-component process described on the following slides comes from the companion document NIST SP 800-39, Managing Information Security Risk
  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • the ISO 27000 series
National Institute of Standards and Technology (NIST)
• IT risk is defined as the risk associated with the use of information systems in an organization.
• NIST recognizes that risk management is not an exact science. It is the best collective judgment of people at all ranks and functions within an organization about suitable measures to protect the organization.
• NIST SP 800-39 recommends that senior leadership be involved in IT risk management, and that IT risk management be integrated into the design of business processes.
National Institute of Standards and Technology (NIST)
• The four components of IT risk management: risk frame, risk assessment, risk response and risk monitoring.
[Figure: the four components, with arrows illustrating the communication flow between them]
1. Risk Frame
• The risk frame establishes the context for risk management by describing the environment in which risk-based decisions are made. This clarifies to all members of the organization the risk criteria used in the organization.
• These criteria include:
  i. assumptions about the risks that are important,
  ii. responses that are considered practical,
  iii. levels of risk considered acceptable,
  iv. priorities and trade-offs when responding to risks.
• Risk framing also identifies any risks that are to be managed by senior leaders/executives.
2. Risk Assessment
• The risk assessment component identifies and aggregates the risks facing the organization.
• Risk: a quantitative measure of the potential damage from a threat.
• Risk assessment develops these quantitative estimates by identifying the threats, the vulnerabilities in the organization, and the harm to the organization if the threats exploit the vulnerabilities.
3. Risk Response
• Risk response addresses how organizations respond to risks once they are determined from risk assessments.
• Risk response helps develop a consistent, organization-wide response to risk that is aligned with the risk frame.
• Following standard business procedures, risk response consists of
  i. developing alternative courses of action for responding to risk,
  ii. evaluating these alternatives,
  iii. selecting appropriate courses of action,
  iv. implementing risk responses based on the selected courses of action.
4. Risk Monitoring
• Risk monitoring evaluates the effectiveness of the organization's risk-management plan over time.
• Risk monitoring involves
  i. verification that planned risk response measures are implemented,
  ii. verification that planned risk responses satisfy the requirements derived from the organization's missions, business functions, regulations, and standards,
  iii. determination of the effectiveness of risk response measures,
  iv. identification of required changes to the risk-management plan as a result of changes in technology and the business environment.
OCTAVE
• A popular initiative of the Software Engineering Institute (SEI) at Carnegie Mellon University is the OCTAVE methodology for information security management.
• OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
• OCTAVE uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs.
OCTAVE
The three phases are:
Phase 1: identifying critical assets and the threats to those assets
Phase 2: identifying the vulnerabilities, both organizational and technological, that expose those assets to the identified threats, creating risk to the organization
Phase 3: developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
ISO 27000 Series
• The International Organization for Standardization (ISO) has reserved the ISO 27000 series of standards (i.e., standards numbered 27000 to 27999) for information security matters.
• The management system follows Deming's Plan-Do-Check-Act (PDCA) model. ISO 27001:2005 made PDCA explicit; the 2013 revision no longer mandates it, but remains compatible with it.
ISO 27000 Series
• As of December 2012, the six core standards of the series are ISO 27001 to ISO 27006 (ISO 27000 itself supplies the overview and vocabulary).
• These standards cover the following topics:
  • ISO 27001: the standard that specifies the requirements for an information security management system (ISMS)
  • ISO 27002: the code of practice that specifies a set of controls, with implementation guidance, to meet the requirements of ISO 27001
  • ISO 27003: guidance for the implementation of an ISMS
  • ISO 27004: measurement and metrics for an ISMS
  • ISO 27005: the standard for information security risk management
  • ISO 27006: the standard that sets requirements for bodies that audit and certify an ISMS (the basis for accrediting certification bodies)
Data Collection and Analysis
• Data collection is by far the most rigorous and most encompassing activity in an information security risk assessment project.
• Planning: it is of critical importance that the team prepare properly to ensure that data is collected in a structured manner.
Data Collection
• One part of proper preparation is to decide what data collection mechanisms are going to be used.
• Data collection mechanisms can be divided into two categories: collectors and containers.
Collectors
• Collectors are simply the means to obtain data from a source.
• Data sources include:
  • system profiles
  • control profiles
  • audit reports
  • vulnerability assessments
  • various information security events and metrics
• Collectors include:
  • document request lists
  • surveys
  • interviews
  • workshops
Containers
• Containers are the resources where the collected data is stored.
• Containers could be in the form of a database, a spreadsheet, flat files, or even paper documents.
• Structuring the data means identifying the high-level data elements (for example, the system, the source document, the observation and the control it relates to) and encapsulating them in the container.
• Structuring your data with the end result in mind, the risk findings you will have to substantiate, will make substantiation of those findings much easier.
[Figure: Data Collection Flow]
Data Analysis
• Analyzing information involves examining it in ways that reveal the relationships, patterns, trends, etc. that can be found within it.
• The point, in terms of the assessment, is to get an accurate picture in order to better understand the systems under review and the overall risk situation.
• There are two kinds of data:
  • quantitative data and
  • qualitative data.
Quantitative Data
• Quantitative data are typically collected directly as numbers. For example:
  • test scores
  • the frequency of specific behaviours or conditions.
• Data can also be collected in forms other than numbers and turned into quantitative data for analysis.
• Quantitative data is usually subjected to statistical procedures such as calculating the mean or average number of times an event or behaviour occurs.
Qualitative Data
• Unlike numbers or "hard data," qualitative information tends to be "soft," meaning it can't always be reduced to something definite. That is in some ways a weakness, but it's also a strength.
• Qualitative data can sometimes be changed into numbers, usually by counting the number of times specific things occur in the course of observations or interviews, or by assigning numbers or ratings to dimensions (e.g., importance, satisfaction, ease of use).
• It may also show you patterns, in behaviour, physical or social environment, or other factors, that the numbers in your quantitative data don't.
[Figure: Qualitative Data Analysis]
[Figure: Quantitative Data vs Qualitative Data]
Asset Scoping

Preparation of Threat and Vulnerabilities Catalogs
• One of the primary steps in performing data analysis for specific systems is to prepare threat and vulnerability catalogs.
• Threats and vulnerabilities are cornerstone concepts with respect to any discussion about risk.
Threat Catalog
• A threat catalog is very simply a generic list of threats that are considered common information security threats.
• These threats are events, sources, actions, or inactions that could potentially lead to harm of your organization's information security assets.
• As security professionals, it is tempting to just start writing down threats facing our organization based on our own knowledge. A more reliable starting point is an established reference catalog.
• The following threat catalogs can be used as references:
  • BITS Calculator: a very comprehensive list of over 600 threats. Freely available from the BITS website.
  • Microsoft Threat Model: a list of 36 threats focusing on application security risks. Freely available from the Microsoft website.
  • NIST SP 800-30: a high-level list of 5 human threat sources with 32 corresponding threat actions. Freely available from the NIST website.
  • ISO 27005: a high-level list of 8 threat types with 43 corresponding threats in Annex C of the document. Available for a fee.
  • BSI IT Baseline Protection Manual (IT-Grundschutz): a list of 370 threats. Freely available from the BSI website.
Vulnerability Catalog
• The vulnerability catalog is simply a list of vulnerabilities that affect or could affect the organization.
• There are two ways to go about building the catalog:
  • current vulnerabilities
  • hypothetical vulnerabilities
Current Vulnerabilities
• The current vulnerabilities catalog should be a list of vulnerabilities currently affecting the organization.
• Remember, one of the first activities is consolidating observations and findings from the various documents that were previously collected (audit reports, vulnerability assessments, and so on).
• This listing can easily serve as your listing of current vulnerabilities.
Hypothetical Vulnerabilities
• The hypothetical vulnerabilities catalog is a list of vulnerabilities that are unverified but could affect the organization.
• These vulnerabilities can be determined based on the concerns brought up in various meetings and executive interviews, and on scenarios derived from the threat listings.
• Why put a hypothetical vulnerability in the catalog?
  • A risk assessment is not an audit; just because you did not find evidence of the existence of a vulnerability, it does not mean that it does not exist.
  • This is consistent with the concept of risk assessments being focused on probabilities.
System Risk Computation
• The computation proceeds as follows:
1. Identify the threats.
2. Identify the vulnerabilities.
3. Determine the impact.
4. Determine the controls.
5. Determine the likelihood.
Impact Analysis Scheme
• In this activity, we begin formulating the mechanism for the computation of impact.
• Impact is one of the two primary components for computing risk, the other being likelihood.
• An impact analysis scheme provides a repeatable process for the calculation of impact.
• In order to compute impact, it is important to take into consideration the data elements that illustrate the confidentiality, integrity and availability aspects of the system being assessed.
Final Risk Score
RISK = IMPACT × LIKELIHOOD
• Impact score: obtained by considering the potential impact of the threat on the confidentiality, integrity, and availability of the system and assigning a score for each. The category with the highest impact becomes the impact score for the threat and vulnerability pair.
• Likelihood score: obtained by assigning scores for the exposure, frequency, and control for each threat and vulnerability pair.
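To make the computation concrete, here is an added example (not code from the original slides) that scores a small risk register the way the System Risk Computation and Final Risk Score slides describe, with each row carrying the document or interview that substantiates it, as the Containers slide recommends. The 1..3 ordinal scale, the averaging rule for likelihood, the rating thresholds, and every register entry are assumptions made for illustration.

```python
"""Risk register scoring in the form the slides describe: RISK = IMPACT x LIKELIHOOD.

Added example, not code from the original slides. Assumptions (not from the deck):
an ordinal 1..3 scale for every factor, the averaging rule for likelihood, the
rating thresholds, and every register entry below, which is constructed sample data.
"""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed ordinal scale for every factor


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the register (the 'container'): a threat paired with the vulnerability
    it could exploit, plus the collector/source each fact came from for substantiation."""
    system: str
    threat: str              # entry from the threat catalog
    vulnerability: str       # entry from the current or hypothetical vulnerability catalog
    hypothetical: bool       # True if unverified (raised in an interview, not observed)
    source: str              # document or collector that substantiates the finding
    confidentiality: int     # impact on C if the threat exploits the vulnerability
    integrity: int           # impact on I
    availability: int        # impact on A
    exposure: int            # how reachable the weakness is to the threat
    frequency: int           # how often the threat is expected to act
    control_strength: int    # strength of existing controls (stronger -> less likely)


def impact_score(p: ThreatVulnPair) -> int:
    """Slide rule: the highest of the C, I, A ratings is the pair's impact score."""
    return max(p.confidentiality, p.integrity, p.availability)


def likelihood_score(p: ThreatVulnPair) -> int:
    """Exposure and frequency raise likelihood; control strength lowers it.

    Control strength is inverted (HIGH + 1 - strength) so that a strong control
    contributes 1 and a weak one 3; the three factors are then averaged and
    clamped back onto the 1..3 scale. The averaging rule is an assumption.
    """
    control_weakness = HIGH + 1 - p.control_strength
    raw = (p.exposure + p.frequency + control_weakness) / 3
    return max(LOW, min(HIGH, round(raw)))


def risk_score(p: ThreatVulnPair) -> int:
    """RISK = IMPACT x LIKELIHOOD, a 1..9 product with these inputs."""
    return impact_score(p) * likelihood_score(p)


def risk_rating(score: int) -> str:
    """Bucket the product for reporting. Thresholds are assumed, not from the slides."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_register(pairs):
    """Return (pair, impact, likelihood, risk, rating) rows, highest risk first,
    ties broken by impact so the most damaging scenario is reviewed first."""
    rows = []
    for p in pairs:
        risk = risk_score(p)
        rows.append((p, impact_score(p), likelihood_score(p), risk, risk_rating(risk)))
    return sorted(rows, key=lambda r: (r[3], r[1]), reverse=True)


# Constructed sample register; every value is illustrative.
SAMPLE_REGISTER = [
    ThreatVulnPair("Payroll DB", "External attacker: SQL injection",
                   "Unpatched database server", False, "Audit report 2012-Q3",
                   HIGH, HIGH, MEDIUM, HIGH, HIGH, LOW),
    ThreatVulnPair("HR file share", "Insider: unauthorized data access",
                   "Overly broad share permissions", True, "CFO interview",
                   HIGH, MEDIUM, LOW, MEDIUM, MEDIUM, MEDIUM),
    ThreatVulnPair("Intranet wiki", "Power outage",
                   "No UPS on wiki server", False, "System profile",
                   LOW, LOW, MEDIUM, LOW, LOW, HIGH),
]


def print_register(pairs=SAMPLE_REGISTER):
    """Print the ranked register, flagging unverified entries and their sources."""
    for p, imp, lik, risk, rating in rank_register(pairs):
        flag = " (hypothetical)" if p.hypothetical else ""
        print(f"{rating:6} {risk}  I={imp} L={lik}  {p.system}: {p.threat} / "
              f"{p.vulnerability}{flag}  [source: {p.source}]")


if __name__ == "__main__":
    print_register()
```

Running the module prints the ranked register. The hypothetical HR entry rates High even though nobody observed it, which is the point of carrying unverified vulnerabilities: a pair's risk is driven by its exposure, frequency and control strength, not by whether an auditor happened to see it, and the source column lets a reviewer trace each score back to the collector that produced it.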
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 

Information Security Risk Assessment Basics

  • 1. Information Security Risk Assessment Basics
  • 2. Contents
      - What is Risk???
      - Information Security Assessment Overview
      - Risk Assessment Framework
      - Data Collection and Analysis
      - Asset Scoping
      - Preparation of Threat and Vulnerabilities Catalogs
      - System Risk Computations
      - Impact Analysis Scheme
      - Final Risk Score
  • 3. What is Risk???
      - Risk is a quantitative measure of the potential damage caused by a specific threat.
      - In other words, risk is the potential of gaining or losing something of value.
  • 4. Information Security Assessment Overview
      - Risk management is the process of analyzing exposure to risk and determining how best to handle such exposure.
      - Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
  • 5. Risk Assessment Framework
      - A framework is a structure for supporting something else.
      - Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:
          - the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)
          - Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
          - the ISO 27000 series
  • 6. National Institute of Standards and Technology's (NIST)
      - IT risk is defined as the risk associated with the use of information systems in an organization.
      - NIST recognizes that risk management is not an exact science. It is the best collective judgment of people at all ranks and functions within an organization about suitable measures to protect the organization.
      - The 800-39 framework recommends that senior leadership be involved in IT risk management, and that IT risk management be integrated in the design of business processes.
  • 7. National Institute of Standards and Technology's (NIST)
      - 4 components of IT Risk Management (figure; the arrows illustrate the communication flow between the components)
  • 8. 1. Risk Frame
      - The risk frame establishes the context for risk management by describing the environment in which risk-based decisions are made. This clarifies to all members of the organization the various risk criteria used in the organization.
      - These criteria include:
          i. assumptions about the risks that are important,
          ii. responses that are considered practical,
          iii. levels of risk considered acceptable,
          iv. priorities and trade-offs when responding to risks.
      - Risk framing also identifies any risks that are to be managed by senior leaders/executives.
  • 9. 2. Risk Assessment
      - The risk assessment component identifies and aggregates the risks facing the organization.
      - Risk: a quantitative measure of the potential damage from a threat.
      - Risk assessment develops these quantitative estimates by identifying the threats, the vulnerabilities in the organization, and the harm to the organization if the threats exploit the vulnerabilities.
  • 10. 3. Risk Response
      - Risk response addresses how organizations respond to risks once they are determined from risk assessments.
      - Risk response helps in the development of a consistent, organization-wide response to risk that is consistent with the risk frame.
      - Following standard business procedures, risk response consists of:
          i. developing alternative courses of action for responding to risk,
          ii. evaluating these alternatives,
          iii. selecting appropriate courses of action,
          iv. implementing risk responses based on the selected courses of action.
  • 11. 4. Risk Monitoring
      - Risk monitoring evaluates the effectiveness of the organization's risk-management plan over time.
      - Risk monitoring involves:
          i. verification that planned risk response measures are implemented,
          ii. verification that planned risk responses satisfy the requirements derived from the organization's missions, business functions, regulations, and standards,
          iii. determination of the effectiveness of risk response measures,
          iv. identification of required changes to the risk-management plan as a result of changes in technology and the business environment.
  • 12. OCTAVE
      - A popular initiative of the SEI is the OCTAVE methodology for information security management.
      - OCTAVE stands for Operationally Critical Threat, Asset, Vulnerability Evaluation.
      - OCTAVE uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs.
  • 13. OCTAVE
      - The three phases are:
          - Phase 1: identifying critical assets and the threats to those assets
          - Phase 2: identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
          - Phase 3: developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
  • 15. ISO 27000 Series
      - The International Standards Organization (ISO) has reserved the ISO 27000 series of standards (i.e., standards starting with the digits 27) for information security matters.
      - All processes follow Deming's Plan-Do-Check-Act (PDCA) model.
  • 16. ISO 27000 Series
      - As of December 2012, this series includes six standards ranging from ISO 27001 to ISO 27006.
      - These standards cover the following topics:
          - ISO 27001: the standard that specifies the requirements for an information security management system (ISMS)
          - ISO 27002: the standard that specifies a set of controls to meet the requirements specified in ISO 27001
          - ISO 27003: guidance for the implementation of an ISMS
          - ISO 27004: measurement and metrics for an ISMS
          - ISO 27005: the standard for information security risk management
          - ISO 27006: the standard that provides guidelines for the accreditation of organizations that offer ISMS certification
  • 17. Data Collection and Analysis
      - Data collection is by far the most rigorous and most encompassing activity in an information security risk assessment project.
      - "PLANNING": it is of critical importance that the team prepare properly to ensure that data is collected in a structured manner.
  • 18. Data Collection
      - One part of proper preparation is to decide what data collection mechanisms are going to be used.
      - Data collection mechanisms can be divided into two categories: collectors and containers.
  • 19. Collectors
      - Collectors are simply the means to obtain data from a source.
      - Data sources are:
          - System profiles
          - Control profiles
          - Audit reports
          - Vulnerability assessments
          - Various information security events and metrics
      - Collectors are:
          - Document request lists
          - Surveys
          - Interviews
          - Workshops
  • 20. Containers
      - Containers are resources where the collected data is stored.
      - Containers could be in the form of a database, a spreadsheet, flat files, or even paper documents.
      - Structuring the data means identifying the high-level data elements and encapsulating them into the container.
      - Structuring your data with that end result in mind will make substantiation of your findings much easier.
  • 22. Data Analysis
      - Analyzing information involves examining it in ways that reveal the relationships, patterns, trends, etc. that can be found within it.
      - The point, in terms of your evaluation, is to get an accurate assessment in order to better understand your work and its effects on those you're concerned with, or in order to better understand the overall situation.
      - There are two kinds of data: quantitative data and qualitative data.
  • 23. Quantitative Data
      - Quantitative data are typically collected directly as numbers, for example:
          - Test scores
          - The frequency of specific behaviours or conditions
      - Data can also be collected in forms other than numbers and turned into quantitative data for analysis.
      - Quantitative data is usually subjected to statistical procedures such as calculating the mean or average number of times an event or behaviour occurs.
  • 26. Qualitative Data
      - Unlike numbers or "hard data," qualitative information tends to be "soft," meaning it can't always be reduced to something definite. That is in some ways a weakness, but it's also a strength.
      - Qualitative data can sometimes be changed into numbers, usually by counting the number of times specific things occur in the course of observations or interviews, or by assigning numbers or ratings to dimensions (e.g., importance, satisfaction, ease of use).
      - It may also show you patterns (in behaviour, physical or social environment, or other factors) that the numbers in your quantitative data don't.
  • 29. Quantitative Data VS Qualitative Data
  • 31. Preparation of Threat and Vulnerabilities Catalogs
      - One of the primary steps in performing data analysis for specific systems is to prepare threat and vulnerability catalogs.
      - Threats and vulnerabilities are cornerstone concepts with respect to any discussion about risk.
  • 32. Threat Catalog
      - A threat catalog is very simply a generic list of threats that are considered common information security threats.
      - These threats are events, sources, actions, or inactions that could potentially lead to harm of your organization's information security assets.
      - As security professionals, it is tempting to just start writing down threats facing our organization based on our own knowledge.
  • 33. Threat Catalog
      - A threat catalog is very simply a generic list of threats that are considered common information security threats.
      - The following is a list of threat catalogs that can be used as references:
          - BITS Calculator: a very comprehensive list of over 600 threats. This is freely available from the BITS website.
          - Microsoft Threat Model: a list of 36 threats focusing on application security risks. This is freely available from the Microsoft website.
  • 34. Threat Catalog
          - NIST SP800-30: a high-level list of 5 human threat sources with 32 corresponding threat actions. This is freely available from the NIST website.
          - ISO 27005: a high-level list of 8 threat types with 43 corresponding threats in Annex C of the document. This document is available for a fee.
          - BSI Base IT Security Manual: a list of 370 threats. This is freely available from the BSI website.
  • 35. Vulnerability Catalog
      - The vulnerability catalog is simply a list of vulnerabilities that affect or could affect an organization.
      - There are two ways to go about building the catalog:
          - Current vulnerabilities
          - Hypothetical vulnerabilities
  • 36. Current Vulnerability
      - The current vulnerabilities catalog should be a list of vulnerabilities currently affecting the organization.
      - Remember, one of the first activities is consolidating observations and findings from the various documents that were previously collected.
      - This listing can easily serve as your listing of current vulnerabilities.
  • 37. Hypothetical Vulnerability
      - The hypothetical vulnerabilities catalog is a list of vulnerabilities that are unverified but could affect the organization.
      - These vulnerabilities can be determined based on the concerns brought up in various meetings and executive interviews, and on scenarios derived from the threat listings.
      - Why put a hypothetical vulnerability in the catalog? A risk assessment is not an audit, and just because you did not find evidence of the existence of a vulnerability, it does not mean that it does not exist.
      - This is consistent with the concept of risk assessments being focused on probabilities.
  • 38. System Risk Computation
      - It goes as follows:
          1. Identify the threats.
          2. Identify the vulnerabilities.
          3. Determine the impact.
          4. Determine the controls.
          5. Determine the likelihood.
  • 39. Impact Analysis Scheme
      - In this activity, we will begin formulating the mechanism for computation of impact.
      - Impact is one of the primary components for computing risk.
      - An impact analysis scheme provides a repeatable process for the calculation of impact.
      - In order to compute impact, it is important to take into consideration the data elements that would illustrate the confidentiality, integrity and availability aspects of the system being assessed.
  • 41. Final Risk Score
      - RISK = IMPACT × LIKELIHOOD
      - Impact Score: this is obtained by considering the potential impact of the threat to the confidentiality, integrity, and availability of the system by assigning scores for each of them. The category with the highest impact becomes the impact score for the threat and vulnerability pair.
      - Likelihood Score: this is obtained by assigning scores for the exposure, frequency, and control for each of the threat and vulnerability pairs.

Editor's Notes

  1.
      • Threat: this was obtained via the threat catalog. Threat catalogs such as those from BITS, ISO27001, and NIST SP800-30 were used to build an initial list.
      • Vulnerability: this was obtained by building a vulnerability catalog based on sources such as interviews, assessments, and audits identifying potential issues and weaknesses in various controls in the organization. The threat plus the vulnerability give us a threat and vulnerability pair, which was structured into a table.
      • Impact Score: this was obtained by considering the potential impact of the threat to the confidentiality, integrity, and availability of the system by assigning scores for each of them. The category with the highest impact became the impact score for the threat and vulnerability pair.
      • Likelihood Score: this was obtained by assigning scores for the exposure, frequency, and control for each of the threat and vulnerability pairs.
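The threat and vulnerability pair table that slide 41 and the editor's notes describe, carried through to a ranked risk score, as an added example (this is not code from the slide deck or from any of the frameworks it names). Only two rules come from the slides: impact is the highest of the confidentiality, integrity and availability scores, and likelihood is derived from exposure, frequency and control scores. Everything else is this example's own assumption: the 1..5 scale for every factor, the way the three likelihood factors are averaged (with control inverted so that a stronger control lowers likelihood), the High/Medium/Low bands, and the sample pairs, which are constructed for illustration.

```python
"""Risk scoring for threat/vulnerability pairs: RISK = IMPACT x LIKELIHOOD.

Added example, not code from the slide deck. From the slides: impact is the
highest of the C/I/A scores; likelihood comes from exposure, frequency and
control. Assumptions of this example: the 1..5 scale, the averaging used for
likelihood, the risk bands, and the sample pairs.
"""
from dataclasses import dataclass

LOW, HIGH = 1, 5  # assumed scoring scale for every factor


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the threat/vulnerability table with its raw scores."""
    threat: str
    vulnerability: str
    confidentiality: int  # impact on C if the threat exploits the vulnerability
    integrity: int        # impact on I
    availability: int     # impact on A
    exposure: int         # how reachable the vulnerability is (5 = widely exposed)
    frequency: int        # how often the threat occurs (5 = very frequent)
    control: int          # strength of existing controls (5 = strong control)

    def __post_init__(self):
        # Reject out-of-scale values early so a typo in the table cannot skew the ranking.
        for name in ("confidentiality", "integrity", "availability",
                     "exposure", "frequency", "control"):
            value = getattr(self, name)
            if not (LOW <= value <= HIGH):
                raise ValueError(f"{name}={value} for {self.threat!r} is outside {LOW}..{HIGH}")


def impact_score(pair: ThreatVulnPair) -> int:
    """Impact = the highest of the C, I and A scores (slide 41)."""
    return max(pair.confidentiality, pair.integrity, pair.availability)


def likelihood_score(pair: ThreatVulnPair) -> int:
    """Likelihood from exposure, frequency and control.

    Assumption: likelihood rises with exposure and frequency and falls as control
    strength rises, so control is inverted (HIGH + LOW - control) before the three
    factors are averaged; the mean is rounded half-up and clamped to the scale.
    """
    control_weakness = HIGH + LOW - pair.control
    mean = (pair.exposure + pair.frequency + control_weakness) / 3
    return max(LOW, min(HIGH, int(mean + 0.5)))


def risk_score(pair: ThreatVulnPair) -> int:
    """RISK = IMPACT x LIKELIHOOD, a 1..25 product under the assumed scale."""
    return impact_score(pair) * likelihood_score(pair)


def risk_band(score: int) -> str:
    """Assumed bands for the 1..25 product; an organisation sets its own thresholds."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_pairs(pairs):
    """Score every pair and return rows sorted from highest to lowest risk."""
    rows = [
        {
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "impact": impact_score(p),
            "likelihood": likelihood_score(p),
            "risk": risk_score(p),
            "band": risk_band(risk_score(p)),
        }
        for p in pairs
    ]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample pairs (not from the slides); the scores are illustrative only.
SAMPLE_PAIRS = [
    ThreatVulnPair("Malware infection", "Endpoint anti-malware signatures out of date",
                   confidentiality=3, integrity=4, availability=4,
                   exposure=4, frequency=4, control=2),
    ThreatVulnPair("Unauthorised remote access", "Weak password policy on the VPN gateway",
                   confidentiality=5, integrity=3, availability=2,
                   exposure=5, frequency=3, control=3),
    ThreatVulnPair("Power failure", "No UPS in the branch office server room",
                   confidentiality=1, integrity=2, availability=4,
                   exposure=2, frequency=2, control=4),
    ThreatVulnPair("Loss of paper records", "Unlocked filing cabinets",
                   confidentiality=3, integrity=1, availability=1,
                   exposure=2, frequency=1, control=5),
]

if __name__ == "__main__":
    for row in rank_pairs(SAMPLE_PAIRS):
        print(f"{row['risk']:>2} {row['band']:<6} impact={row['impact']} "
              f"likelihood={row['likelihood']}  {row['threat']} / {row['vulnerability']}")
```

Running the block ranks the four constructed pairs 20, 16, 8 and 3, with the VPN password pair on top even though its likelihood equals the malware pair's, because its confidentiality impact drives the impact score to the maximum. The separation of impact_score and likelihood_score mirrors the slide's two-factor formula, so the "determine the controls" step of slide 38 changes only the likelihood side; re-scoring after a control is strengthened is a matter of editing the control column and re-ranking.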