CAS, profile picture
Uploaded byCAS
PPT, PDF6,762 views

IT Security management and risk assessment

The document discusses IT security management and risk assessment, outlining key terminology such as assets, threats, vulnerabilities, and risks. It details various approaches to security risk assessment, including baseline, informal, formal, and combined methods, and describes a structured process for detailed risk analysis involving asset identification, threat identification, vulnerability assessment, risk analysis, and control recommendations. The content emphasizes the importance of tailored assessments based on organizational needs and resources to effectively manage risks.

Embed presentation

Downloaded 260 times
IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
4 10.2 SECURITY RISK ASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
5 10.2.1 Baseline Approach  Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
7 10.2.2 Informal Approach  Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
8 10.2.3 Detailed / Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
9 10.2.4 Combined Approach  Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
11 10.3.1 Asset Identification / System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
12 10.3.2 Threat Identification  To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
13 10.3.2 a) Threat Sources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
14 10.3.3 Vulnerability Identification  Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
15 10.3.4 Analyze Risks / Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
18 Rating Consequence Expanded Definition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
21 Risk Level Description Extreme (E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT

More Related Content

PPTX
Information Security Risk Management
byNikhil Soni
 
PPTX
Security audits & compliance
byVandana Verma
 
PPTX
Security risk management
byPrachi Gulihar
 
PDF
Information Security Risk Management
byErsoy AKSOY
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
Information risk management
byAkash Saraswat
 
PPTX
Risk Management Approach to Cyber Security
byErnest Staats
 
PPTX
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
Information Security Risk Management
byNikhil Soni
 
Security audits & compliance
byVandana Verma
 
Security risk management
byPrachi Gulihar
 
Information Security Risk Management
byErsoy AKSOY
 
1. Security and Risk Management
bySam Bowne
 
Information risk management
byAkash Saraswat
 
Risk Management Approach to Cyber Security
byErnest Staats
 
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 

What's hot

PDF
NIST cybersecurity framework
byShriya Rai
 
PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PDF
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
byEdureka!
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Risk Management and Security in Strategic Planning
byKeyaan Williams
 
DOCX
The CIA Triad - Assurance on Information Security
byBharath Rao
 
PPTX
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PPTX
Cyber security
byManjushree Mashal
 
PPT
Cyber security standards
byVaughan Olufemi ACIB, AICEN, ANIM
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
Types of Threat Actors and Attack Vectors
byLearningwithRayYT
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
Security architecture
byDuncan Unwin
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
NIST cybersecurity framework
byShriya Rai
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
byEdureka!
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Risk Management and Security in Strategic Planning
byKeyaan Williams
 
The CIA Triad - Assurance on Information Security
byBharath Rao
 
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
Cyber security
byManjushree Mashal
 
Cyber security standards
byVaughan Olufemi ACIB, AICEN, ANIM
 
INFORMATION SECURITY
byAhmed Moussa
 
Security Policies and Standards
byprimeteacher32
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Types of Threat Actors and Attack Vectors
byLearningwithRayYT
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Security architecture
byDuncan Unwin
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 

Similar to IT Security management and risk assessment

PPT
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
PPT
ch14.ppt
byFizZaShYkh
 
PPTX
Cyber Security # Lec 3
byKabul Education University
 
PPTX
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
PPTX
Hipaa risk analysis_1.4
bySISA Information Security Pvt.Ltd
 
PDF
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
PPTX
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
PPTX
Assess risks to IT security.pptx
bylochanrajdahal
 
PPTX
Chapter-Seven.pptxhmhjmhjkhjkhjkljlhjkhjkhj
byShemse Shukre
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PPTX
IT Security Bachelor in information technology.pptx
byMahmadKasimAnsari
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
PPTX
How to assess and manage cyber risk
byStephen Cobb
 
PDF
CISSP 8 Domains.pdf
bydotco
 
PDF
Machine learning methods for classification and prediction information securi...
byIAESIJAI
 
PPT
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
PDF
Ch2 cism 2014
byAladdin Dandis
 
PPT
Risk management Risk managementRisk managementRisk managementRisk managementR...
byShanmuganathan C
 
ch14.ppt00000000000000000000000000000000
byDiaaUliyan
 
ch14.ppt
byFizZaShYkh
 
Cyber Security # Lec 3
byKabul Education University
 
Risk Management & Threat Model in Cyber Security
bytulmuntahasidra082
 
Hipaa risk analysis_1.4
bySISA Information Security Pvt.Ltd
 
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 
Step by-step for risk analysis and management-yaser aljohani
byyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
Assess risks to IT security.pptx
bylochanrajdahal
 
Chapter-Seven.pptxhmhjmhjkhjkhjkljlhjkhjkhj
byShemse Shukre
 
Information Security and Risk Management.pptx
byprembasnet12
 
IT Security Bachelor in information technology.pptx
byMahmadKasimAnsari
 
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
How to assess and manage cyber risk
byStephen Cobb
 
CISSP 8 Domains.pdf
bydotco
 
Machine learning methods for classification and prediction information securi...
byIAESIJAI
 
CHAPTER 2 RISK MANAGEMENT and security.ppt
byfirehiwot8
 
Ch2 cism 2014
byAladdin Dandis
 
Risk management Risk managementRisk managementRisk managementRisk managementR...
byShanmuganathan C
 

More from CAS

PPTX
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 4
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions part 3
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 2
byCAS
 
PPT
RRB JE Stage 2 Computer and Applications Questions Part 1
byCAS
 
PPTX
Introduction to IoT Security
byCAS
 
PPTX
Introduction to research methodology
byCAS
 
PPTX
Can you solve this
byCAS
 
PPTX
Symmetric encryption and message confidentiality
byCAS
 
PPTX
Public key cryptography and message authentication
byCAS
 
PPTX
Malicious software
byCAS
 
PPTX
Legal and ethical aspects
byCAS
 
PPTX
It security controls, plans, and procedures
byCAS
 
PPTX
Intrusion detection
byCAS
 
PPTX
Human resources security
byCAS
 
PPT
Database security
byCAS
 
PPTX
Cryptographic tools
byCAS
 
PPT
Internet security association and key management protocol (isakmp)
byCAS
 
PPT
IP Security Part 2
byCAS
 
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 5
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 4
byCAS
 
RRB JE Stage 2 Computer and Applications Questions part 3
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 2
byCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 1
byCAS
 
Introduction to IoT Security
byCAS
 
Introduction to research methodology
byCAS
 
Can you solve this
byCAS
 
Symmetric encryption and message confidentiality
byCAS
 
Public key cryptography and message authentication
byCAS
 
Malicious software
byCAS
 
Legal and ethical aspects
byCAS
 
It security controls, plans, and procedures
byCAS
 
Intrusion detection
byCAS
 
Human resources security
byCAS
 
Database security
byCAS
 
Cryptographic tools
byCAS
 
Internet security association and key management protocol (isakmp)
byCAS
 
IP Security Part 2
byCAS
 

Recently uploaded

PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
final.pdf
byomarbishtawi04
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 

IT Security management and risk assessment

  • 1.
    IT SECURITY MANAGEMENTAND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
  • 2.
    Content 10.1 Terminology 10.2 SecurityRisk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 3.
    3 10.1 Terminology Asset: Anythingthat has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 4.
    4 10.2 SECURITY RISKASSESSMENT  Critical component of process Else may have vulnerabilities or waste money  Ideally examine every asset verses risk Not feasible in practice  Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 5.
    5 10.2.1 Baseline Approach Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security  Implement safeguards against most common threats  Baseline recommendations and checklist documents available from various bodies  Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 6.
    6 ITSY3104 - COMPUTERSECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 7.
    7 10.2.2 Informal Approach Conduct informal, pragmatic risk analysis on organization’s IT systems  Exploits knowledge and expertise of analyst  Fairly quick and cheap  Does address some org specific issues  Some risks may be incorrectly assessed  Skewed by analysts views, varies over time  Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 8.
    8 10.2.3 Detailed /Formal Risk Analysis  Most comprehensive alternative  Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate  Costly and slow, requires expert analysts  May be a legal requirement to use  Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 9.
    9 10.2.4 Combined Approach Combines elements of other approaches  Initial baseline on all systems  Informal analysis to identify critical risks  Formal assessment on these systems  Iterated and extended over time  Better use of time and money resources  Better security earlier that evolves  May miss some risks early  Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 10.
    10 10.3 Detailed RiskAnalysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 11.
    11 10.3.1 Asset Identification/ System Characterizations  Identify assets  “Anything which needs to be protected”  Of value to organization to meet its objectives  Tangible or intangible  In practice try to identify significant assets  Draw on expertise of people in relevant areas of organization to identify key assets  Identify and interview such personnel  See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 12.
    12 10.3.2 Threat Identification To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur?  Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:  Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability  Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 13.
    13 10.3.2 a) ThreatSources  Threats may be Natural “acts of god” Man-made and either accidental or deliberate  Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence  Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 14.
    14 10.3.3 Vulnerability Identification Identify exploitable flaws or weaknesses in organization’s IT systems or processes  Hence determine applicability and significance of threat to organization  Note need combination of threat and vulnerability to create a risk to an asset  Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 15.
    15 10.3.4 Analyze Risks/ Control Analysis  Specify likelihood of occurrence of each identified threat to asset given existing controls  Management, operational, technical processes and procedures to reduce exposure of org to some risks  Specify consequence should threat occur  Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization  In practice very hard to determine exactly  Use qualitative not quantitative, ratings for each  Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 16.
    16 10.3.5 Likelihood Determination RatingLikelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 17.
    17 10.3.6 Impact analysis/ Consequence determination Rating Consequence Expanded Definition 1 Insignificant  Result of a minor security breach in a single area.  Impact is likely to last less than several days.  Require only minor expenditure to rectify. 2 Minor  Result of security breach in one or two areas.  Impact is likely to last less than a week.  Can be rectified within project or team resources. 3 Moderate  Limited systemic security breaches.  Impact is likely to last up to 2 weeks.  Requires management intervention. 4 Major  Ongoing systemic security breach.  Impact will likely last 4-8 weeks.  Requires significant management intervention and resources.  Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 18.
    18 Rating Consequence ExpandedDefinition 5 Catastrophic  Major Systemic security breach.  Impact will last for 3 months or more.  Senior Management will be required to intervene.  Compliance costs are expected to be very substantial.  Possible criminal or disciplinary action is likely. 6 Doomsday  Multiple instances of major systemic security breaches.  Impact duration cannot be determined.  Senior management will be required to place the company under voluntary administration.  Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 19.
    19 10.3.7 Risk determination •Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 20.
    20 Consequences Likelihood Dooms day Catastrophic MajorModerate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 21.
    21 Risk Level Description Extreme(E)  Require detailed research and management.  Planning at executive / director level.  Planning and Monitoring required. High (H)  Require management attention.  Planning at senior project or team leaders.  Planning and Monitoring required. Medium (M)  Can be managed by existing specific.  Monitoring and response procedures.  Management by employees. Low (L)  Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
  • 22.
    22 10.3.8 Control Recommendation& Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT

Editor's Notes

  • #23 The results of the risk analysis process should be documented in a risk register. This should include a summary table such that shown in Table 16.5 from the text. The risks are usually sorted in decreasing order of level. This would be supported by details of how the various items were determined, including the rationale, justification, and supporting evidence used. The aim of this documentation is to provide senior management with the information they need to make appropriate decisions as how to best manage the identified risks. It also provides evidence that a formal risk assessment process has been followed if needed, and a record of decisions taken with their reasons. Once the details of potentially significant risks are determined, management needs to decide whether it needs to take action in response. This would take into account the risk profile of the organization, and its willingness to accept a certain level of risk, as determined in the initial “Establishing the Context” phase of this process. Those items with risk levels below the acceptable level would usually be accepted with no further action required. Those items with risks above this will need to be considered for treatment. Typically the risks with the higher ratings are those that need most urgently action. However, it is likely that some risks will be easier, faster, and cheaper to action than others. In the example shown, both risks were rated High. Further investigation reveals that a relatively simple and cheap treatment exists for the first risk, by tightening the router configuration to further restrict possible accesses. Treating the second risk requires the development of a full disaster recovery plan, a much slower and more costly process. Hence management would take the simple action first, to improve the organization’s overall risk profile as quickly as possible.