SlideShare a Scribd company logo
TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
RiskManagement I
Ray Trygstad
ITM 578 Section 071
Summer 2003
Master of Information Technology & Management Program
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives:
Upon completion of this lesson
students should be able to:
– Define risk management and its role in
the SecSDLC
– Describe how risk is identified
– Assess risk based on the likelihood of
occurrence and impact on an organization
– Explain fundamental aspects of
documenting risk identification and
assessment
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 3
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Management
Investigate
Analyze:
Risk Identification
(Chapter 4)
Implement
Maintain
Analyze:
Risk Control
(Chapter 5)
Design
FIG URE 4-1 Risk Managagement and the Secure SDLC
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 4
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Management
“If you know the enemy and know
yourself, you need not fear the result of
a hundred battles.
If you know yourself but not the
enemy, for every victory gained you
will also suffer a defeat.
If you know neither the enemy nor
yourself, you will succumb in every
battle.” (Sun Tzu)
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 5
ILLINOIS INSTITUTE OF TECHNOLOGY
Know Ourselves
 First, identify, examine, and understand the
information, and systems, currently in place
 In order to protect our assets, defined here
as the information and the systems that use,
store, and transmit it, we must understand
everything about the information
 Once these aspects are examined, we can
then look at what we are already doing to
protect the information and systems from
the threats
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 6
ILLINOIS INSTITUTE OF TECHNOLOGY
Know the Enemy
For information security this means
identifying, examining, and
understanding the threats that most
directly affect our organization and the
security of our organization’s
information assets
We then can use our understanding of
these aspects to create a list of threats
prioritized by importance to the
organization
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 7
ILLINOIS INSTITUTE OF TECHNOLOGY
Accountability for Risk Management
 It is the responsibility of each community of
interest to manage risks; each community
has a role to play:
– Information Security - best understands the
threats and attacks that introduce risk into the
organization
– Management and Users – play a part in the early
detection and response process - they also insure
sufficient resources are allocated
– Information Technology – must assist in building
secure systems and operating them safely
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 8
ILLINOIS INSTITUTE OF TECHNOLOGY
Accountability for Risk Management
All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost
effective
– Assist in acquiring or installing needed
controls
– Ensure that the controls remain effective
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 9
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Management Process
 Management reviews asset inventory
 The threats and vulnerabilities that have
been identified as dangerous to the asset
inventory must be reviewed and verified as
complete and current
 The potential controls and mitigation
strategies should be reviewed for
completeness
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 10
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Management Process
 The cost effectiveness of each control should
be reviewed as well, and the decisions about
deployment of controls revisited
 Further, managers of all levels are
accountable on a regular schedule for
ensuring the ongoing effectiveness of every
control deployed
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 11
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Identification
A risk management strategy calls on
us to “know ourselves” by identifying,
classifying, and prioritizing the
organization’s information assets
These assets are the targets of various
threats and threat agents and our goal
is to protect them from these threats
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 12
ILLINOIS INSTITUTE OF TECHNOLOGY
Threat Identification
Next comes threat identification:
– Assess the circumstances and setting of
each information asset
– Identify the vulnerabilities and begin
exploring the controls that might be
used to manage the risks
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 13
ILLINOIS INSTITUTE OF TECHNOLOGY
Asset Identification and Valuation
This iterative process begins with the
identification of assets, including all of
the elements of an organization’s
system: people, procedures, data and
information, software, hardware, and
networking elements
Then, we classify and categorize the
assets adding details as we dig deeper
into the analysis
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 14
ILLINOIS INSTITUTE OF TECHNOLOGY
Categorizing Components
Traditional System
Components SecDLC and risk management components
People Employees Trusted employees
Other Staff
Nonemployees People at trusted organizations
Strangers
Procedures Procedures IT and business standard procedures
IT and business sensitive procedures
Data Information Transmisison
Processing
Storage
Software Software Applications
Operating Systems
Security components
Hardware System devices and peripherals System and peripherals security devices
Networking components Intranet components
Internet or DMZ components
TABLE 4-1 Categorizing the components of an Information System
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 15
ILLINOIS INSTITUTE OF TECHNOLOGY
Hardware, Software, and Network Asset Identification
Automated tools can sometimes
uncover the system elements that
make up the hardware, software, and
network components
Once created, the inventory listing
must be kept current, often through
a tool that periodically refreshes the
data
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 16
ILLINOIS INSTITUTE OF TECHNOLOGY
Hardware, Software, and Network Asset Identification
 What attributes of each of these information
assets should be tracked?
 When deciding which information assets to
track, consider including these asset
attributes:
– Name
– IP address
– MAC address
– Element type
– Serial number
– Manufacturer name
– Manufacturer’s model
number or part number
– Software version, update
revision, or FCO number
– Physical location
– Logical location
– Controlling entity
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 17
ILLINOIS INSTITUTE OF TECHNOLOGY
People, Procedures, and Data Asset Identification
 Unlike the tangible hardware and
software elements already described, the
human resources, documentation, and
data information assets are not as readily
discovered and documented
 These assets should be identified,
described, and evaluated by people using
knowledge, experience, and judgment
 As these elements are identified, they
should also be recorded into some reliable
data handling process
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
Asset Information for People
For People:
– Position name/number/ID – try to avoid
names and stick to identifying positions,
roles, or functions
– Supervisor
– Security clearance level
– Special skills
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 19
ILLINOIS INSTITUTE OF TECHNOLOGY
Asset Information for Procedures
For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 20
ILLINOIS INSTITUTE OF TECHNOLOGY
Asset Information for Data
For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential,
relational
– Online or offline
– Where located
– Backup procedures employed
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Asset Classification
 Many organizations already have a
classification scheme
 Examples of these kinds of classifications:
– confidential data
– internal data
– public data
 Informal organizations may have to organize
themselves to create a useable data
classification model
 Other side of the data classification scheme
is the personnel security clearance structure
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 22
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Asset Valuation
Each asset is categorized
Questions to assist in developing
criteria to be used for asset valuation:
– Which information asset is the most
critical to the success of the organization?
– Which information asset generates the
most revenue?
– Which information asset generates the
most profitability?
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 23
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Asset Valuation
More questions to assist in developing
criteria to be used for asset valuation:
– Which information asset would be the
most expensive to replace?
– Which information asset would be the
most expensive to protect?
– Which information asset would be the
most embarrassing or cause the greatest
liability if revealed?
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 24
ILLINOIS INSTITUTE OF TECHNOLOGY
Example Worksheet
SystemName: SLSE-Commerce .
Date Evaluated: February2OO3 .
Evaluated By: D.Jones .
Information assets Data classification Impact to profitability
Information Transmitted:
EDI Document Set 1 — Logistics BOL
to outsourcer (outbound)
Confidential High
EDI Document Set 2 — Supplier orders
(Outbound)
Confidential High
EDI Document Set 2 — Supplier
fulfillment advice (inbound)
Confidential Medium
Customer order via SSL (inbound) Confidential Critical
Customer service Request via e-mail
(inbound)
Private Medium
DMZ Assets:
Edge Router Public Critical
Web server #1 — home page and core
site
Public Critical
Web server #2 — Application server Private Critical
Notes: BOL: Bill of Lading:
DMZ: Demilitarized Zone
EDI: Electronic Data Interchange
SSL: Secure Sockets LayerFIGURE 4-3 Example Worksheet for the Asset Identification of Information
Systems
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 25
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Asset Valuation
Create a weighting for each category
based on the answers to the previous
questions
Which factor is the most important to the
organization?
Once each question has been weighted,
calculating the importance of each asset
is straightforward
List the assets in order of importance
using a weighted factor analysis
worksheet
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 26
ILLINOIS INSTITUTE OF TECHNOLOGY
Weighted Factor Analysis Worksheet
Information asset Criteria 1:
impact to
revenue
Criteria 2:
impact to
profitability
Criteria 3:
public image
impact
Weighted
score
Criterion Weight (1-100)
Must total 100
30 40 30
EDI Document Set 1—
Logistics BOL to outsourcer
(outbound)
0.8 0.9 0.5 75
EDI Document Set 2—
Supplier orders (outbound)
0.8 0.9 0.6 78
EDI Document Set 2—
Supplier fulfillment advice
(inbound)
0.4 0.5 0.3 41
Customer order via SSL (inbound) 1.0 1.0 1.0 100
Customer service request via
e-mail (inbound)
0.4 0.4 0.9 55
Example of a Weighted Factor Analysis WorksheetTABLE 4-2
Notes: EDI: Electronic Data Interchange
SSL: Secure Sockets Layer
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
Data Classification and Management
 A variety of classification schemes are used
by corporate and military organizations
 Information owners are responsible for
classifying the information assets for which
they are responsible
 Information owners must review information
classifications periodically
 The military uses a five-level classification
scheme but most organizations do not need
the detailed level of classification used by the
military or federal agencies
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 28
ILLINOIS INSTITUTE OF TECHNOLOGY
Data Classification and Management
DOD/Federal Classification Scheme
– UNCLASSIFIED
– FOR OFFICIAL USE ONLY (FOUO)
(includes Formerly Restricted Data)
– CONFIDENTIAL
– SECRET
– TOP SECRET
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 29
ILLINOIS INSTITUTE OF TECHNOLOGY
Data Classification and Management
 A variety of classification schemes are used
by corporate and military organizations
 Information owners are responsible for
classifying the information assets for which
they are responsible
 Information owners must review information
classifications periodically
 The military uses a five-level classification
scheme but most organizations do not need
the detailed level of classification used by the
military or federal agencies
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 30
ILLINOIS INSTITUTE OF TECHNOLOGY
Security Clearances
 The other side of the data classification
scheme is the personnel security clearance
structure
 Each user of data in the organization is
assigned a single level of authorization
indicating the level of classification
 Before an individual is allowed access to a
specific set of data, he or she must meet the
need-to-know requirement
 This extra level of protection ensures that
the confidentiality of information is properly
maintained
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 31
ILLINOIS INSTITUTE OF TECHNOLOGY
Management of Classified Data
 Includes the storage, distribution, portability, and
destruction of classified information
– Must be clearly marked as such
– When stored, it must be unavailable to unauthorized
individuals
– When carried should be inconspicuous, as in a locked
briefcase or portfolio
 Clean desk policies require all information to be
stored in its appropriate storage container at the end
of each day
 Proper care should be taken to destroy any unneeded
copies
 Dumpster diving can prove embarrassing to the
organization
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 32
ILLINOIS INSTITUTE OF TECHNOLOGY
Threat Identification
 Each of the threats identified so far has the
potential to attack any of the assets protected
 This will quickly become more complex and
overwhelm the ability to plan
 To make this part of the process manageable,
each step in the threat identification and
vulnerability identification process is
managed separately, and then coordinated at
the end of the process
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 33
ILLINOIS INSTITUTE OF TECHNOLOGY
Threats to Information Security
Example Threat
Act of human error or failure Accidents, employee mistakes
Compromises to intellectual property Piracy, copyright infringement
Deliberate acts of espionage or trespass Unauthorized access and data collection
Deliberate acts of information extortion Blackmail for information disclosure
Deliberate acts of sabotage or vandalism Destruction of systems or information
Deliberate acts of theft Illegal confiscation of equipment or information
Deliberate software attacks Viruses, worms, macros, denial of service
Forces of nature Fire, flood, earthquake, lightning
Quality of service deviations from service providers Power and WAN quality of service issues
Technical hardware failures or errors Equipment failure
Technical software failures or errors Bugs, code problems, unknown loopholes
Technological obsolescence Antiquated or outdated technologies
©2003 ACM, Inc., Included here by permission.
TABLE 4-3 Threats to Information Security
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 34
ILLINOIS INSTITUTE OF TECHNOLOGY
Identify and Prioritize Threats
 Each threat must be further examined to
assess its potential to impact organization -
this is referred to as a threat assessment
 To frame the discussion of threat
assessment, address each threat with a few
questions:
– Which threats present a danger to this organization’s assets
in the given environment?
– Which threats represent the most danger to the
organization’s information?
– How much would it cost to recover from a successful attack?
– Which of these threats would require the greatest
expenditure to prevent?
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 35
ILLINOIS INSTITUTE OF TECHNOLOGY
Vulnerability Identification
We now face the challenge of reviewing
each information asset for each threat
it faces and creating a list of the
vulnerabilities that remain viable
risks to the organization
Vulnerabilities are specific avenues
that threat agents can exploit to attack
an information asset
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 36
ILLINOIS INSTITUTE OF TECHNOLOGY
Vulnerability Assessment Example
Vulnerability assessment of a hypothetical DMZ router
Threat Possible vulnerabilities
Deliberate software attacks  Internet protocol is vulnerable to denial of service
 Outsider IP fingerprinting activities can reveal sensitive information unless suitable
controls are implemented
Act of human error or failure  Employees or contractors may cause outage if configuration errors are made
Technical software failures or errors  Vendor-supplied routing software could fail and cause an outage
Technical hardware failures or errors  Hardware can fail and cause an outage
 Power system failures are always possible
Quality of service deviations from
service providers
 Unless suitable electrical power conditioning is provided, failure is probable over time
Deliberate acts of espionage or
trespass
 This information asset has little intrinsic value, but other assets protected by this device
could be attacked if it compromised
Deliberate theft  This information asset has little intrinsic value, but other assets protected by this device
could be attacked if it is compromised
Deliberate acts of sabotage or
vandalism
 Internet protocol is vulnerable to denial of service
 This device may be subject to defacement or cache poisoning
Technological obsolescence  If this asset is not reviewed and periodically updated, it may fall too far behind its vendor
support model to be kept in service
Forces of nature  All information assets in the organization are sub-ject to forces of nature, unless suitable
controls are provided
Compromises to intellectual property  This information asset has little intrinsic value, but other assets protected by this device
could be attacked if it is compromised
Deliberate acts of information
extortion
 This information asset has little intrinsic value, but other assets protected by this device
could be attacked if it is compromised
TABLE 4-4
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 37
ILLINOIS INSTITUTE OF TECHNOLOGY
Vulnerability Identification
 Examine how each of the threats that are
possible or likely could be perpetrated and
list the organization’s assets and their
vulnerabilities
 The process works best when groups of
people with diverse backgrounds within the
organization work iteratively in a series of
brainstorming sessions
 At the end of the process, an information
asset / vulnerability list has been developed
– this list is the starting point for the next step,
risk assessment
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 38
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Assessment
 We can determine the relative risk for each
of the vulnerabilities through a process
called risk assessment
 Risk assessment assigns a risk rating or
score to each specific information asset,
useful in gauging the relative risk
introduced by each vulnerable information
asset and making comparative ratings later
in the risk control process
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 39
ILLINOIS INSTITUTE OF TECHNOLOGY
Introduction to Risk Assessment
Risk Identification Estimate Factors
– Likelihood
– Value of Information Assets
– Percent of Risk Mitigated
– Uncertainty
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 40
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Determination
For the purpose of relative risk assessment:
Risk= likelihood of vulnerability
occurrence
multiplied by
value of the information asset (or
impact)
minus
percentage risk already controlled
plus
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 41
ILLINOIS INSTITUTE OF TECHNOLOGY
Identify Possible Controls
For each threat and its associated
vulnerabilities that have any residual
risk, create a preliminary list of
control ideas
Residual risk is the risk that remains
to the information asset even after the
existing control has been applied
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 42
ILLINOIS INSTITUTE OF TECHNOLOGY
Access Controls
 One particular application of controls is in
the area of access controls
 Access controls are those controls that
specifically address admission of a user into
a trusted area of the organization
 There are a number of approaches to
controlling access
 Access controls can be
– discretionary
– mandatory
– nondiscretionary
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 43
ILLINOIS INSTITUTE OF TECHNOLOGY
Types of Access Controls
Discretionary Access Controls
(DAC) are implemented at the
discretion or option of the data user
Mandatory Access Controls
(MACs) are structured and
coordinated with a data classification
scheme, and are required
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 44
ILLINOIS INSTITUTE OF TECHNOLOGY
Types of Access Controls
Nondiscretionary Controls are
those determined by a central
authority in the organization and can
be based on that individual’s role
(Role-Based Controls) or a specified
set of duties or tasks the individual is
assigned (Task-Based Controls) or can
be based on specified lists maintained
on subjects or objects
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 45
ILLINOIS INSTITUTE OF TECHNOLOGY
Lattice-based Control
Another type of nondiscretionary
access is lattice-based control, where a
lattice structure (or matrix) is created
containing subjects and objects, and
the boundaries associated with each
pair is contained
This specifies the level of access each
subject has to each object
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 46
ILLINOIS INSTITUTE OF TECHNOLOGY
Lattice-based Control
In a lattice-based control the column
of attributes associated with a
particular object are referred to as an
access control list or ACL
The row of attributes associated with
a particular subject (such as a user) is
referred to as a capabilities table
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 47
ILLINOIS INSTITUTE OF TECHNOLOGY
Documenting Results of Risk Assessment
 Goal of this process: identify the
information assets of the organization that
have specific vulnerabilities and create a
list of them, ranked for focus on those most
needing protection first
 In preparing this list we have collected and
preserved factual information about the
assets, the threats they face, and the
vulnerabilities they experience
 We should also have collected some
information about the controls that are
already in place
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 48
ILLINOIS INSTITUTE OF TECHNOLOGY
Introduction to Risk Assessment
 The process you develop for risk
identification should include designating
what function the reports will serve, who is
responsible for preparing the reports, and
who reviews them
 We do know that the ranked vulnerability
risk worksheet is the initial working
document for the next step in the risk
management process: assessing and
controlling risk
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 49
ILLINOIS INSTITUTE OF TECHNOLOGY
Risk Identification & Assessment
Deliverable Purpose
Information asset classification worksheet Assembles information about information assets
and their impact on or value to the organization
Weighted criteria analysis worksheet Assigns ranked value or impact weight to each
information asset
Ranked vulnerability risk worksheet Assigns ranked value of risk rating for each
uncontrolled asset-vulnerability pair
Risk Identification and Assessment DeliverablesTABLE 4-6
Transfo rm ing Live s. Inve nting the Future .
www.iit.edu
ITM 578 50
ILLINOIS INSTITUTE OF TECHNOLOGY
The End…
Questions!

More Related Content

What's hot

The need for security
The need for securityThe need for security
The need for security
Dhani Ahmad
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
SlideTeam
 
Security tools
Security toolsSecurity tools
Security tools
arfan shahzad
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
Dhani Ahmad
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB
 
Information security governance
Information security governanceInformation security governance
Information security governance
Koen Maris
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
codka
 
Data Security
Data SecurityData Security
Data Security
AkNirojan
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
Damilola Mosaku
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
System security
System securitySystem security
System security
sommerville-videos
 
Data security
Data securityData security
Data security
Soumen Mondal
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
Shruthi48
 
Security managment risks, controls and incidents
Security managment   risks, controls and incidentsSecurity managment   risks, controls and incidents
Security managment risks, controls and incidents
Edinburgh Napier University
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 

What's hot (20)

The need for security
The need for securityThe need for security
The need for security
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
 
Security tools
Security toolsSecurity tools
Security tools
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
Information Security
Information SecurityInformation Security
Information Security
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Data Security
Data SecurityData Security
Data Security
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
System security
System securitySystem security
System security
 
Data security
Data securityData security
Data security
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Security managment risks, controls and incidents
Security managment   risks, controls and incidentsSecurity managment   risks, controls and incidents
Security managment risks, controls and incidents
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 

Viewers also liked

Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and records
Dhani Ahmad
 
Information system
Information systemInformation system
Information system
Dhani Ahmad
 
Physical security
Physical securityPhysical security
Physical security
Dhani Ahmad
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issues
Dhani Ahmad
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysis
Dhani Ahmad
 
Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care it
Dhani Ahmad
 
The information security audit
The information security auditThe information security audit
The information security audit
Dhani Ahmad
 
Secure
SecureSecure
Secure
Dhani Ahmad
 
Islamic information management
Islamic information managementIslamic information management
Islamic information management
Dhani Ahmad
 
Security technologies
Security technologiesSecurity technologies
Security technologies
Dhani Ahmad
 
Security and personnel
Security and personnelSecurity and personnel
Security and personnel
Dhani Ahmad
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behavior
Dhani Ahmad
 
Strategic planning
Strategic planningStrategic planning
Strategic planning
Dhani Ahmad
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
Beni Krisbiantoro
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
Trivuz ত্রিভুজ
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islam
Dhani Ahmad
 
Information resource management
Information resource managementInformation resource management
Information resource management
Dhani Ahmad
 
Database design
Database designDatabase design
Database design
Dhani Ahmad
 
Lecture 07 relational database management system
Lecture 07 relational database management systemLecture 07 relational database management system
Lecture 07 relational database management system
emailharmeet
 

Viewers also liked (20)

Security policy
Security policySecurity policy
Security policy
 
Types of islamic institutions and records
Types of islamic institutions and recordsTypes of islamic institutions and records
Types of islamic institutions and records
 
Information system
Information systemInformation system
Information system
 
Physical security
Physical securityPhysical security
Physical security
 
Legal, ethical & professional issues
Legal, ethical & professional issuesLegal, ethical & professional issues
Legal, ethical & professional issues
 
Opportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysisOpportunities, threats, industry competition, and competitor analysis
Opportunities, threats, industry competition, and competitor analysis
 
Privacy & security in heath care it
Privacy & security in heath care itPrivacy & security in heath care it
Privacy & security in heath care it
 
The information security audit
The information security auditThe information security audit
The information security audit
 
Secure
SecureSecure
Secure
 
Islamic information management
Islamic information managementIslamic information management
Islamic information management
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Security and personnel
Security and personnelSecurity and personnel
Security and personnel
 
Islamic information seeking behavior
Islamic information seeking behaviorIslamic information seeking behavior
Islamic information seeking behavior
 
Strategic planning
Strategic planningStrategic planning
Strategic planning
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
 
Islamic information management sources in islam
Islamic information management sources in islamIslamic information management sources in islam
Islamic information management sources in islam
 
Information resource management
Information resource managementInformation resource management
Information resource management
 
Database design
Database designDatabase design
Database design
 
Lecture 07 relational database management system
Lecture 07 relational database management systemLecture 07 relational database management system
Lecture 07 relational database management system
 

Similar to Risk management i

RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxRISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
joellemurphey
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
Muhammad Mazhar
 
Risk Management
Risk ManagementRisk Management
Risk Management
ijtsrd
 
Threat intelligence minority report
Threat intelligence minority reportThreat intelligence minority report
Threat intelligence minority report
Eliahu (Eli) Assif (Amar)
 
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
Infosec train
 
Unlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your  Ultimate SOC Career Guide - InfosectrainUnlock Your  Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - Infosectrain
infosecTrain
 
The Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center  Career GuideThe Ultimate Security Operations Center  Career Guide
The Ultimate Security Operations Center Career Guide
priyanshamadhwal2
 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide  InfosecTrain .pdfBest SOC Career Guide  InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdf
infosec train
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
cejobelle
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
Ana Meskovska
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
Karl Kispert
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdfUnlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
InfosecTrain Education
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
infosecTrain
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solution
Vivek Maurya
 
Incident Response
Incident ResponseIncident Response
Incident Response
MichaelRodriguesdosS1
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
SoniaCristina49
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles
LearningwithRayYT
 

Similar to Risk management i (20)

RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxRISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docx
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Threat intelligence minority report
Threat intelligence minority reportThreat intelligence minority report
Threat intelligence minority report
 
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
𝐔𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐒𝐎𝐂 𝐂𝐚𝐫𝐞𝐞𝐫 𝐆𝐮𝐢𝐝𝐞!
 
Unlock Your Ultimate SOC Career Guide - Infosectrain
Unlock Your  Ultimate SOC Career Guide - InfosectrainUnlock Your  Ultimate SOC Career Guide - Infosectrain
Unlock Your Ultimate SOC Career Guide - Infosectrain
 
The Ultimate Security Operations Center Career Guide
The Ultimate Security Operations Center  Career GuideThe Ultimate Security Operations Center  Career Guide
The Ultimate Security Operations Center Career Guide
 
Best SOC Career Guide InfosecTrain .pdf
Best SOC Career Guide  InfosecTrain .pdfBest SOC Career Guide  InfosecTrain .pdf
Best SOC Career Guide InfosecTrain .pdf
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdfUnlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solution
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles Contrast & Compare & Contrast Information Security Roles
Contrast & Compare & Contrast Information Security Roles
 

More from Dhani Ahmad

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planning
Dhani Ahmad
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effort
Dhani Ahmad
 
Implementing security
Implementing securityImplementing security
Implementing security
Dhani Ahmad
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
Dhani Ahmad
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentations
Dhani Ahmad
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data management
Dhani Ahmad
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & procedures
Dhani Ahmad
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sources
Dhani Ahmad
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire design
Dhani Ahmad
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in research
Dhani Ahmad
 

More from Dhani Ahmad (11)

Strategic information system planning
Strategic information system planningStrategic information system planning
Strategic information system planning
 
Information security as an ongoing effort
Information security as an ongoing effortInformation security as an ongoing effort
Information security as an ongoing effort
 
Implementing security
Implementing securityImplementing security
Implementing security
 
Disaster recovery & business continuity
Disaster recovery & business continuityDisaster recovery & business continuity
Disaster recovery & business continuity
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Topic 12 report & presentations
Topic 12   report & presentationsTopic 12   report & presentations
Topic 12 report & presentations
 
Topic 11 data management
Topic 11   data managementTopic 11   data management
Topic 11 data management
 
Topic 10 sample designs & procedures
Topic 10   sample designs & proceduresTopic 10   sample designs & procedures
Topic 10 sample designs & procedures
 
Topic 9 secondary data sources
Topic 9   secondary data sourcesTopic 9   secondary data sources
Topic 9 secondary data sources
 
Topic 8 questionnaire design
Topic 8   questionnaire designTopic 8   questionnaire design
Topic 8 questionnaire design
 
Topic 7 measurement in research
Topic 7   measurement in researchTopic 7   measurement in research
Topic 7 measurement in research
 

Recently uploaded

Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
RohitRoshanBengROHIT
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
paridubey2024#G05
 
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptxDraya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
ashishkumarrana9
 
Trading Strategy for London silver bullet
Trading Strategy for London silver bulletTrading Strategy for London silver bullet
Trading Strategy for London silver bullet
OkgatoSemadi1
 
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docxBitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
SFC Today
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
VPN Server
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Krishna L
 
Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)
Kashyap J
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
Dolphin Data Lab
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
elbertablack
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
thomaskurtha9
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
exgf28
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy FearsTarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur
 
UMN degree offer diploma Transcript
UMN degree offer diploma TranscriptUMN degree offer diploma Transcript
UMN degree offer diploma Transcript
cenocb
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
Sweet Potato Tec
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
ธนาพัฒน์ ลิ้มสายพรหม
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
dilbaagsingh0898
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
shamrisumri
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
ffg01100
 

Recently uploaded (20)

Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
 
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptxDraya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
Draya Michele’s Son – Kniko Howard’s Rise to Fame.pptx
 
Trading Strategy for London silver bullet
Trading Strategy for London silver bulletTrading Strategy for London silver bullet
Trading Strategy for London silver bullet
 
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docxBitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
Bitcoin vs Ethereum Which Crypto Performed Better in Q2, 2024.docx
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
 
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdfTop 50 Telephone Conversation Sample Examples For IT Industries.pdf
Top 50 Telephone Conversation Sample Examples For IT Industries.pdf
 
Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)Quiz Quiz Hota Hai (School Quiz 2018-19)
Quiz Quiz Hota Hai (School Quiz 2018-19)
 
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdfHow-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
How-to-Diagnose-Hard-Drives-by-DFL-DDP-2024.pdf
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Tarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy FearsTarun Gaur On Data Breaches and Privacy Fears
Tarun Gaur On Data Breaches and Privacy Fears
 
UMN degree offer diploma Transcript
UMN degree offer diploma TranscriptUMN degree offer diploma Transcript
UMN degree offer diploma Transcript
 
How Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital TransformationHow Salesforce Development in the UK is Driving Digital Transformation
How Salesforce Development in the UK is Driving Digital Transformation
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
 
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Shimla 000XX00000 Provide Best And Top Girl Service And No1 in City
 
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
@Girls @Call Chennai 🛬 XXXXXXXXXX 🛬 available 24*7 cash payment book now pay ...
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
 

Risk management i

  • 1. TransformingLives. InventingtheFuture. www.iit.edu I ELLINOIS T UINS TI T OF TECHNOLOGY ITM 578 1 RiskManagement I Ray Trygstad ITM 578 Section 071 Summer 2003 Master of Information Technology & Management Program CenterforProfessional Development Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003
  • 2. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 2 ILLINOIS INSTITUTE OF TECHNOLOGY Learning Objectives: Upon completion of this lesson students should be able to: – Define risk management and its role in the SecSDLC – Describe how risk is identified – Assess risk based on the likelihood of occurrence and impact on an organization – Explain fundamental aspects of documenting risk identification and assessment
  • 3. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 3 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Management Investigate Analyze: Risk Identification (Chapter 4) Implement Maintain Analyze: Risk Control (Chapter 5) Design FIG URE 4-1 Risk Managagement and the Secure SDLC
  • 4. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 4 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Management “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu)
  • 5. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 5 ILLINOIS INSTITUTE OF TECHNOLOGY Know Ourselves  First, identify, examine, and understand the information, and systems, currently in place  In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we must understand everything about the information  Once these aspects are examined, we can then look at what we are already doing to protect the information and systems from the threats
  • 6. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 6 ILLINOIS INSTITUTE OF TECHNOLOGY Know the Enemy For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization
  • 7. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 7 ILLINOIS INSTITUTE OF TECHNOLOGY Accountability for Risk Management  It is the responsibility of each community of interest to manage risks; each community has a role to play: – Information Security - best understands the threats and attacks that introduce risk into the organization – Management and Users – play a part in the early detection and response process - they also insure sufficient resources are allocated – Information Technology – must assist in building secure systems and operating them safely
  • 8. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 8 ILLINOIS INSTITUTE OF TECHNOLOGY Accountability for Risk Management All three communities must also: – Evaluate the risk controls – Determine which control options are cost effective – Assist in acquiring or installing needed controls – Ensure that the controls remain effective
  • 9. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 9 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Management Process  Management reviews asset inventory  The threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current  The potential controls and mitigation strategies should be reviewed for completeness
  • 10. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 10 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Management Process  The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited  Further, managers of all levels are accountable on a regular schedule for ensuring the ongoing effectiveness of every control deployed
  • 11. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 11 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Identification A risk management strategy calls on us to “know ourselves” by identifying, classifying, and prioritizing the organization’s information assets These assets are the targets of various threats and threat agents and our goal is to protect them from these threats
  • 12. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 12 ILLINOIS INSTITUTE OF TECHNOLOGY Threat Identification Next comes threat identification: – Assess the circumstances and setting of each information asset – Identify the vulnerabilities and begin exploring the controls that might be used to manage the risks
  • 13. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 13 ILLINOIS INSTITUTE OF TECHNOLOGY Asset Identification and Valuation This iterative process begins with the identification of assets, including all of the elements of an organization’s system: people, procedures, data and information, software, hardware, and networking elements Then, we classify and categorize the assets adding details as we dig deeper into the analysis
  • 14. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 14 ILLINOIS INSTITUTE OF TECHNOLOGY Categorizing Components Traditional System Components SecDLC and risk management components People Employees Trusted employees Other Staff Nonemployees People at trusted organizations Strangers Procedures Procedures IT and business standard procedures IT and business sensitive procedures Data Information Transmisison Processing Storage Software Software Applications Operating Systems Security components Hardware System devices and peripherals System and peripherals security devices Networking components Intranet components Internet or DMZ components TABLE 4-1 Categorizing the components of an Information System
  • 15. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 15 ILLINOIS INSTITUTE OF TECHNOLOGY Hardware, Software, and Network Asset Identification Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components Once created, the inventory listing must be kept current, often through a tool that periodically refreshes the data
  • 16. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 16 ILLINOIS INSTITUTE OF TECHNOLOGY Hardware, Software, and Network Asset Identification  What attributes of each of these information assets should be tracked?  When deciding which information assets to track, consider including these asset attributes: – Name – IP address – MAC address – Element type – Serial number – Manufacturer name – Manufacturer’s model number or part number – Software version, update revision, or FCO number – Physical location – Logical location – Controlling entity
  • 17. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 17 ILLINOIS INSTITUTE OF TECHNOLOGY People, Procedures, and Data Asset Identification  Unlike the tangible hardware and software elements already described, the human resources, documentation, and data information assets are not as readily discovered and documented  These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment  As these elements are identified, they should also be recorded into some reliable data handling process
  • 18. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 18 ILLINOIS INSTITUTE OF TECHNOLOGY Asset Information for People For People: – Position name/number/ID – try to avoid names and stick to identifying positions, roles, or functions – Supervisor – Security clearance level – Special skills
  • 19. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 19 ILLINOIS INSTITUTE OF TECHNOLOGY Asset Information for Procedures For Procedures: – Description – Intended purpose – What elements is it tied to – Where is it stored for reference – Where is it stored for update purposes
  • 20. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 20 ILLINOIS INSTITUTE OF TECHNOLOGY Asset Information for Data For Data: – Classification – Owner/creator/manager – Size of data structure – Data structure used – sequential, relational – Online or offline – Where located – Backup procedures employed
  • 21. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 21 ILLINOIS INSTITUTE OF TECHNOLOGY Information Asset Classification  Many organizations already have a classification scheme  Examples of these kinds of classifications: – confidential data – internal data – public data  Informal organizations may have to organize themselves to create a useable data classification model  Other side of the data classification scheme is the personnel security clearance structure
  • 22. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 22 ILLINOIS INSTITUTE OF TECHNOLOGY Information Asset Valuation Each asset is categorized Questions to assist in developing criteria to be used for asset valuation: – Which information asset is the most critical to the success of the organization? – Which information asset generates the most revenue? – Which information asset generates the most profitability?
  • 23. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 23 ILLINOIS INSTITUTE OF TECHNOLOGY Information Asset Valuation More questions to assist in developing criteria to be used for asset valuation: – Which information asset would be the most expensive to replace? – Which information asset would be the most expensive to protect? – Which information asset would be the most embarrassing or cause the greatest liability if revealed?
  • 24. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 24 ILLINOIS INSTITUTE OF TECHNOLOGY Example Worksheet SystemName: SLSE-Commerce . Date Evaluated: February2OO3 . Evaluated By: D.Jones . Information assets Data classification Impact to profitability Information Transmitted: EDI Document Set 1 — Logistics BOL to outsourcer (outbound) Confidential High EDI Document Set 2 — Supplier orders (Outbound) Confidential High EDI Document Set 2 — Supplier fulfillment advice (inbound) Confidential Medium Customer order via SSL (inbound) Confidential Critical Customer service Request via e-mail (inbound) Private Medium DMZ Assets: Edge Router Public Critical Web server #1 — home page and core site Public Critical Web server #2 — Application server Private Critical Notes: BOL: Bill of Lading: DMZ: Demilitarized Zone EDI: Electronic Data Interchange SSL: Secure Sockets LayerFIGURE 4-3 Example Worksheet for the Asset Identification of Information Systems
  • 25. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 25 ILLINOIS INSTITUTE OF TECHNOLOGY Information Asset Valuation Create a weighting for each category based on the answers to the previous questions Which factor is the most important to the organization? Once each question has been weighted, calculating the importance of each asset is straightforward List the assets in order of importance using a weighted factor analysis worksheet
  • 26. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 26 ILLINOIS INSTITUTE OF TECHNOLOGY Weighted Factor Analysis Worksheet Information asset Criteria 1: impact to revenue Criteria 2: impact to profitability Criteria 3: public image impact Weighted score Criterion Weight (1-100) Must total 100 30 40 30 EDI Document Set 1— Logistics BOL to outsourcer (outbound) 0.8 0.9 0.5 75 EDI Document Set 2— Supplier orders (outbound) 0.8 0.9 0.6 78 EDI Document Set 2— Supplier fulfillment advice (inbound) 0.4 0.5 0.3 41 Customer order via SSL (inbound) 1.0 1.0 1.0 100 Customer service request via e-mail (inbound) 0.4 0.4 0.9 55 Example of a Weighted Factor Analysis WorksheetTABLE 4-2 Notes: EDI: Electronic Data Interchange SSL: Secure Sockets Layer
  • 27. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 27 ILLINOIS INSTITUTE OF TECHNOLOGY Data Classification and Management  A variety of classification schemes are used by corporate and military organizations  Information owners are responsible for classifying the information assets for which they are responsible  Information owners must review information classifications periodically  The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies
  • 28. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 28 ILLINOIS INSTITUTE OF TECHNOLOGY Data Classification and Management DOD/Federal Classification Scheme – UNCLASSIFIED – FOR OFFICIAL USE ONLY (FOUO) (includes Formerly Restricted Data) – CONFIDENTIAL – SECRET – TOP SECRET
  • 29. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 29 ILLINOIS INSTITUTE OF TECHNOLOGY Data Classification and Management  A variety of classification schemes are used by corporate and military organizations  Information owners are responsible for classifying the information assets for which they are responsible  Information owners must review information classifications periodically  The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies
  • 30. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 30 ILLINOIS INSTITUTE OF TECHNOLOGY Security Clearances  The other side of the data classification scheme is the personnel security clearance structure  Each user of data in the organization is assigned a single level of authorization indicating the level of classification  Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement  This extra level of protection ensures that the confidentiality of information is properly maintained
  • 31. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 31 ILLINOIS INSTITUTE OF TECHNOLOGY Management of Classified Data  Includes the storage, distribution, portability, and destruction of classified information – Must be clearly marked as such – When stored, it must be unavailable to unauthorized individuals – When carried should be inconspicuous, as in a locked briefcase or portfolio  Clean desk policies require all information to be stored in its appropriate storage container at the end of each day  Proper care should be taken to destroy any unneeded copies  Dumpster diving can prove embarrassing to the organization
  • 32. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 32 ILLINOIS INSTITUTE OF TECHNOLOGY Threat Identification  Each of the threats identified so far has the potential to attack any of the assets protected  This will quickly become more complex and overwhelm the ability to plan  To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process
  • 33. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 33 ILLINOIS INSTITUTE OF TECHNOLOGY Threats to Information Security Example Threat Act of human error or failure Accidents, employee mistakes Compromises to intellectual property Piracy, copyright infringement Deliberate acts of espionage or trespass Unauthorized access and data collection Deliberate acts of information extortion Blackmail for information disclosure Deliberate acts of sabotage or vandalism Destruction of systems or information Deliberate acts of theft Illegal confiscation of equipment or information Deliberate software attacks Viruses, worms, macros, denial of service Forces of nature Fire, flood, earthquake, lightning Quality of service deviations from service providers Power and WAN quality of service issues Technical hardware failures or errors Equipment failure Technical software failures or errors Bugs, code problems, unknown loopholes Technological obsolescence Antiquated or outdated technologies ©2003 ACM, Inc., Included here by permission. TABLE 4-3 Threats to Information Security
  • 34. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 34 ILLINOIS INSTITUTE OF TECHNOLOGY Identify and Prioritize Threats  Each threat must be further examined to assess its potential to impact organization - this is referred to as a threat assessment  To frame the discussion of threat assessment, address each threat with a few questions: – Which threats present a danger to this organization’s assets in the given environment? – Which threats represent the most danger to the organization’s information? – How much would it cost to recover from a successful attack? – Which of these threats would require the greatest expenditure to prevent?
  • 35. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 35 ILLINOIS INSTITUTE OF TECHNOLOGY Vulnerability Identification We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
  • 36. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 36 ILLINOIS INSTITUTE OF TECHNOLOGY Vulnerability Assessment Example Vulnerability assessment of a hypothetical DMZ router Threat Possible vulnerabilities Deliberate software attacks  Internet protocol is vulnerable to denial of service  Outsider IP fingerprinting activities can reveal sensitive information unless suitable controls are implemented Act of human error or failure  Employees or contractors may cause outage if configuration errors are made Technical software failures or errors  Vendor-supplied routing software could fail and cause an outage Technical hardware failures or errors  Hardware can fail and cause an outage  Power system failures are always possible Quality of service deviations from service providers  Unless suitable electrical power conditioning is provided, failure is probable over time Deliberate acts of espionage or trespass  This information asset has little intrinsic value, but other assets protected by this device could be attacked if it compromised Deliberate theft  This information asset has little intrinsic value, but other assets protected by this device could be attacked if it is compromised Deliberate acts of sabotage or vandalism  Internet protocol is vulnerable to denial of service  This device may be subject to defacement or cache poisoning Technological obsolescence  If this asset is not reviewed and periodically updated, it may fall too far behind its vendor support model to be kept in service Forces of nature  All information assets in the organization are sub-ject to forces of nature, unless suitable controls are provided Compromises to intellectual property  This information asset has little intrinsic value, but other assets protected by this device could be attacked if it is compromised Deliberate acts of information extortion  This information asset has little intrinsic value, but other assets protected by this device could be attacked if it is compromised TABLE 4-4
  • 37. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 37 ILLINOIS INSTITUTE OF TECHNOLOGY Vulnerability Identification  Examine how each of the threats that are possible or likely could be perpetrated and list the organization’s assets and their vulnerabilities  The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions  At the end of the process, an information asset / vulnerability list has been developed – this list is the starting point for the next step, risk assessment
  • 38. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 38 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Assessment  We can determine the relative risk for each of the vulnerabilities through a process called risk assessment  Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process
  • 39. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 39 ILLINOIS INSTITUTE OF TECHNOLOGY Introduction to Risk Assessment Risk Identification Estimate Factors – Likelihood – Value of Information Assets – Percent of Risk Mitigated – Uncertainty
  • 40. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 40 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Determination For the purpose of relative risk assessment: Risk= likelihood of vulnerability occurrence multiplied by value of the information asset (or impact) minus percentage risk already controlled plus
  • 41. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 41 ILLINOIS INSTITUTE OF TECHNOLOGY Identify Possible Controls For each threat and its associated vulnerabilities that have any residual risk, create a preliminary list of control ideas Residual risk is the risk that remains to the information asset even after the existing control has been applied
  • 42. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 42 ILLINOIS INSTITUTE OF TECHNOLOGY Access Controls  One particular application of controls is in the area of access controls  Access controls are those controls that specifically address admission of a user into a trusted area of the organization  There are a number of approaches to controlling access  Access controls can be – discretionary – mandatory – nondiscretionary
  • 43. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 43 ILLINOIS INSTITUTE OF TECHNOLOGY Types of Access Controls Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user Mandatory Access Controls (MACs) are structured and coordinated with a data classification scheme, and are required
  • 44. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 44 ILLINOIS INSTITUTE OF TECHNOLOGY Types of Access Controls Nondiscretionary Controls are those determined by a central authority in the organization and can be based on that individual’s role (Role-Based Controls) or a specified set of duties or tasks the individual is assigned (Task-Based Controls) or can be based on specified lists maintained on subjects or objects
  • 45. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 45 ILLINOIS INSTITUTE OF TECHNOLOGY Lattice-based Control Another type of nondiscretionary access is lattice-based control, where a lattice structure (or matrix) is created containing subjects and objects, and the boundaries associated with each pair is contained This specifies the level of access each subject has to each object
  • 46. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 46 ILLINOIS INSTITUTE OF TECHNOLOGY Lattice-based Control In a lattice-based control the column of attributes associated with a particular object are referred to as an access control list or ACL The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table
  • 47. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 47 ILLINOIS INSTITUTE OF TECHNOLOGY Documenting Results of Risk Assessment  Goal of this process: identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked for focus on those most needing protection first  In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience  We should also have collected some information about the controls that are already in place
  • 48. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 48 ILLINOIS INSTITUTE OF TECHNOLOGY Introduction to Risk Assessment  The process you develop for risk identification should include designating what function the reports will serve, who is responsible for preparing the reports, and who reviews them  We do know that the ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk
  • 49. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 49 ILLINOIS INSTITUTE OF TECHNOLOGY Risk Identification & Assessment Deliverable Purpose Information asset classification worksheet Assembles information about information assets and their impact on or value to the organization Weighted criteria analysis worksheet Assigns ranked value or impact weight to each information asset Ranked vulnerability risk worksheet Assigns ranked value of risk rating for each uncontrolled asset-vulnerability pair Risk Identification and Assessment DeliverablesTABLE 4-6
  • 50. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 50 ILLINOIS INSTITUTE OF TECHNOLOGY The End… Questions!

Editor's Notes

  1. Learning Objectives: Upon completion of this chapter you should be able to: Define risk management and its role in the SecSDLC Understand how risk is identified Assess risk based on the likelihood of occurrence and impact on an organization Grasp the fundamental aspects of documenting risk identification and assessment
  2. Introduction The Security Systems Development Life Cycle (or SecSDLC) is a process framework or methodology that can be used in a flexible fashion to assist organizations in deploying information security initiatives. Risk identification is the formal process of examining and documenting the current information technology security situation. Risk identification is conducted within the larger process of identifying and justifying risk controls, known as risk management.
  3. RISK MANAGEMENT “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu)
  4. KNOW OURSELVES First, we must identify, examine, and understand the information, and systems, currently in place. In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we have to understand everything about the information. Once we have examined these aspects, we can then look at what we are already doing to protect the information and systems from the threats.
  5. KNOW THE ENEMY Informed of our own nature, and aware of our own weaknesses, we must then know the enemy. For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets. We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization.
  6. Accountability for Risk Management It is the responsibility of each of the organization’s communities of interest to manage the risks the organization encounters. Each community of interest has a role to play. Information Security - best understand the threats and attacks that introduce risk into the organization. Management and Users – play a part in the early detection and response process. They also insure sufficient resources) are allocated Information Technology – must assist in building secure systems and operating them safely. General management, IT management, and information security management are accountable for identifying and classifying risk. All three communities of interest are also responsible for: Evaluating the risk controls Determining which control options are cost effective for the organization Acquiring or installing the needed controls Overseeing that the controls remain effective in controlling risk
  7. Accountability for Risk Management It is the responsibility of each of the organization’s communities of interest to manage the risks the organization encounters. Each community of interest has a role to play. Information Security - best understand the threats and attacks that introduce risk into the organization. Management and Users – play a part in the early detection and response process. They also insure sufficient resources) are allocated Information Technology – must assist in building secure systems and operating them safely. General management, IT management, and information security management are accountable for identifying and classifying risk. All three communities of interest are also responsible for: Evaluating the risk controls Determining which control options are cost effective for the organization Acquiring or installing the needed controls Overseeing that the controls remain effective in controlling risk
  8. Risk management process 1)The first focus of management review is asset inventory. 2)Next the threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current, and the potential controls and mitigation strategies should be reviewed for completeness.
  9. 3)The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited. 4)Further, managers of all levels are accountable on a regular schedule for insuring the ongoing effectiveness of every control deployed.
  10. Risk Identification A risk management strategy calls on us to “know ourselves” by identifying, classifying, and prioritizing the organization’s information assets. These assets are the targets of various threats and threat agents and our goal is to protect them from these threats.
  11. Once we have gone through the process of self-examination, we then move into threat identification. We must assess the circumstances and setting of each information asset. To begin managing the risk from the vulnerabilities, we must identify those vulnerabilities and begin exploring the controls that might be used to manage the risks. We begin the process by identifying and assessing the value of our information assets.
  12. Asset Identification and Valuation This iterative process begins with the identification of assets, including all of the elements of an organization’s system: people, procedures, data and information, software, hardware and networking elements. Then, we classify and categorize the assets adding details as we dig deeper into the analysis.
  13. Hardware, Software, and Network Asset Identification Automated tools can sometimes uncover the system elements that make up the hardware, software, and network components. Once created and stored, the inventory listing must be kept current, often through a tool that periodically refreshes the data.
  14. Hardware, Software, and Network Asset Identification What attributes of each of these information assets should be tracked? When deciding which information assets to track, consider including these asset attributes: Name IP address MAC address Element Type DeviceClass = S (server) DeviceOS = W2K (windows 2000) DeviceCapacity = AS (Advanced Server) Hardware, Software, and Network Asset Identification Serial number Manufacturer Name Manufacturer’s Model Number or Part Number Software Version, Update Revision, or FCO number Physical Location Logical location Controlling Entity
  15. People, Procedures, and Data Asset Identification Unlike the tangible hardware and software elements already described, the human resources, documentation, and data information assets are not as readily discovered and documented. These assets should be identified, described, and evaluated by people using knowledge, experience, and judgment. As these elements are identified, they should also be recorded into some reliable data handling process.
  16. People, Procedures, and Data Asset Identification For People: Position name/number/ID – try to stay aware from names and stick to identifying positions, roles or functions Supervisor Security clearance level Special skills
  17. People, Procedures, and Data Asset Identification For Procedures: Description Intended purpose What elements is it tied to Where is it stored for reference Where is it stored for update purposes
  18. People, Procedures, and Data Asset Identification For Data: Classification Owner/creator/manager Size of data structure Data structure used – sequential, relational Online or offline Where located Backup procedures employed
  19. Information Asset Classification Many organizations already have a classification scheme. Examples of these kinds of classifications are confidential data, internal data, and public data. Informal organizations may have to organize themselves to create a useable data classification model. The other side of the data classification scheme is the personnel security clearance structure, identifying the level of information each individual is authorized to view, based on his need-to-know.
  20. Information Asset Valuation As each asset of the organization is assigned to its category, these questions will assist in developing the criteria to be used for asset valuation : Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue? Which information asset generates the most profitability?
  21. Which information asset would be the most expensive to replace? Which information asset would be the most expensive to protect? Which information asset would be the most embarrassing or cause the greatest liability if revealed?
  22. Information Asset Valuation In order to finalize this step of the information asset identification process, each organization should create a weighting for each category based on the answers to the previous questions. Which Factor is the most important to the organization? Once each question has been weighted, calculating the importance of each asset is straightforward. The final step is to list the assets in order of importance. This can be achieved by using a weighted factor analysis worksheet.
  23. Data Classification and Management A variety of classification schemes are used by corporate and military organizations. Information owners are responsible for classifying the information assets for which they are responsible. At least once a year, information owners must review information classifications to ensure the information is still classified correctly and the appropriate access controls are in place. The U.S. Military Classification Scheme has a more complex categorization system than required by most corporations. For most information, the military uses a five-level classification scheme: Unclassified, Sensitive But Unclassified (i.e., For Official Use Only), Confidential, Secret, and Top Secret. Most organizations do not need the detailed level of classification used by the military or federal agencies. A simple scheme will allow the organization to protect its sensitive information like: Public, For official use only, Sensitive, Classified
  24. Data Classification and Management A variety of classification schemes are used by corporate and military organizations. Information owners are responsible for classifying the information assets for which they are responsible. At least once a year, information owners must review information classifications to ensure the information is still classified correctly and the appropriate access controls are in place. The U.S. Military Classification Scheme has a more complex categorization system than required by most corporations. For most information, the military uses a five-level classification scheme: Unclassified, Sensitive But Unclassified (i.e., For Official Use Only), Confidential, Secret, and Top Secret. Most organizations do not need the detailed level of classification used by the military or federal agencies. A simple scheme will allow the organization to protect its sensitive information like: Public, For official use only, Sensitive, Classified
  25. Data Classification and Management A variety of classification schemes are used by corporate and military organizations. Information owners are responsible for classifying the information assets for which they are responsible. At least once a year, information owners must review information classifications to ensure the information is still classified correctly and the appropriate access controls are in place. The U.S. Military Classification Scheme has a more complex categorization system than required by most corporations. For most information, the military uses a five-level classification scheme: Unclassified, Sensitive But Unclassified (i.e., For Official Use Only), Confidential, Secret, and Top Secret. Most organizations do not need the detailed level of classification used by the military or federal agencies. A simple scheme will allow the organization to protect its sensitive information like: Public, For official use only, Sensitive, Classified
  26. Security Clearances The other side of the data classification scheme is the personnel security clearance structure. For each user of data in the organization, a single level of authorization must be assigned, indicating the level of classification he is authorized to view. Before an individual is allowed access to a specific set of data, he must meet the need-to-know requirement. This extra level of protection ensures that the confidentiality of information is properly maintained.
  27. Management of Classified Data Requirements for the management of information include the storage, distribution, portability, and destruction of classified information. Information that has a classification designation other than unclassified or public must be clearly marked as such. When classified data is stored, it must be unavailable to unauthorized individuals. When an individual carries classified information, it should be inconspicuous, as in a locked briefcase or portfolio. The clean desk policy, which requires each employee to secure any and all information in its appropriate storage container at the end of each day. When classified information is no longer valuable or excessive copies exist, proper care should be taken to destroy any unneeded copies, through shredding, burning or transfer to an authorized document destruction service. There are those individuals who would not hesitate to engage in dumpster diving to retrieve information that could prove embarrassing or compromise the security of information in the organization.
  28. Threat Identification Each of these threats identified has the potential to attack any of the assets protected. If we assume every threat can and will attack every information asset, this will quickly become more complex and overwhelm the ability to plan. To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process.
  29. Identify And Prioritize Threats and Threat Agents Before threats can be used in the process, each threat must be further examined to assess its potential to impact the specific targeted organization. This is referred to as a threat assessment. To frame the discussion of threat assessment, address each threat with a few questions: Which threats present a danger to this organization’s assets in the given environment? Which threats represent the most danger to the organization’s information? How much would it cost to recover from a successful attack? Which of these threats would require the greatest expenditure to prevent?
  30. Vulnerability Identification We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organizations. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.
  31. Vulnerability Identification Now, we examine how each of the threats that are possible or likely, could be perpetrated and list the organization’s assets and their vulnerabilities. The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions. At the end of the process, an information asset / vulnerability list has been developed. This list is the starting point for the next step, risk assessment.
  32. Risk Assessment We can determine the relative risk for each of the vulnerabilities through a process called risk assessment. Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process.
  33. Introduction to Risk Assessment Risk Identification Estimate Factors Likelihood Value of Information Assets Percent of Risk Mitigated Uncertainty Factors in Risk Estimation Likelihood is the overall rating of the probability of occurrence that a potential vulnerability may be exercised within the organization’s threat environment. (i.e. between 0.1 for low and 1.0 for high) Valuation of Information Assets. We can assign weighted scores for the value of each information asset to the organization. (i.e. a scale of 1 to 100, with 100 reserved for the utmost mission critical assets) Percentage of Risk Mitigated by Current Controls. If a vulnerability is fully managed by an existing control, it no longer needs to be considered for additional controls and can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled. Uncertainty. It is not possible to know everything about each vulnerability and how likely it is to occur and how much impact it will have. We must apply judgment to add a factor into the equation to allow for an estimation of the uncertainty of the information
  34. Risk Determination For the purpose of relative risk assessment: risk = likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty
  35. Identify Possible Controls For each threat and its associated vulnerabilities that have any residual risk, create a preliminary list of control ideas. Residual risk is the risk that remains to the information asset even after the existing control has been applied.
  36. Access Controls One particular application of controls is in the area of access controls. Access controls are those controls that specifically address admission of a user into a trusted area of the organization. There are a number of approaches to controlling access. Access controls can be discretionary, mandatory, or non-discretionary.
  37. Types of Access Controls Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user. Mandatory Access Controls (MACs) - are structured and coordinated with a data classification scheme, and are required.
  38. Non-discretionary Controls are those determined by a central authority in the organization and can be based on that individual’s role (Role-Based Controls) or a specified set of duties or tasks the individual is assigned (Task-Based Controls) or can be based on specified lists maintained on subjects or objects.
  39. Lattice-based Control Yet another type of non-discretionary access is lattice-based control, where a lattice structure (or matrix) is created containing subjects and objects, and the boundaries associate with each pair is contained. This specified the level of access each subject has to each object, if any.
  40. Lattice-based Control In a lattice-based control the column of attributes associated with a particular object (such as a printer) are referred to as an access control list or ACL. The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.
  41. Documenting Results of Risk Assessment The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked for focus on those most needing protection first. In preparing this list we have collected and preserved a wealth of factual information about the assets, the threats they face, and the vulnerabilities they experience. We should also have collected some information about the controls that are already in place.
  42. Introduction to Risk Assessment The process you develop for risk identification should include designating what function the reports will serve, who is responsible for preparing the reports, and who reviews them. We do know that the ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.