Lewis University
Information Security Practicum
Step-by-Step of Conducting Risk Analysis and
Management to Digital Zone Corporation
Spring 2013
Student’s name: Yaser Aljohani
Instructor’s name: Dr. Faisal Abdullah
Introduction of Risk Analysis and Management
• Risk analysis and management is a significant part of any organization that wants a secure computing environment.
• It helps organizations improve their security against the threats that could harm their sensitive information, assets, and business.
Digital Zone Corporation
• It is a computer and digital services company.
• It provides IT services to its customers such as computer repair, computer upgrades, wireless/wired network setup for homes or businesses, troubleshooting, and web site setup.
• To provide these services it collects customer information (first name, last name, phone number, home address, and email address) and stores it in its systems. This stored customer data is the company's most sensitive asset and the focus of the assessment.
Goals and objectives
• Asset inventory and valuation: the number of servers, computers, networks, etc., and what each is worth to the business
• Using risk assessment tools and security checklists
• Finding all vulnerabilities
• Finding all threats
• Finding all risks
Goals and objectives Cont.
• Finding the top 5 risks
• Finding mitigations or remedies for the risks, with suggestions and recommendations
• Establishing an Information Risk Management (IRM) policy
• Establishing a security awareness program for both employees and customers
• Establishing insurance and a contingency (recovery) plan
What is Risk Analysis?
• Risk analysis is the process of identifying and analyzing the dangers to businesses, individuals, and government agencies posed by potential natural and human-caused adverse events.
• In IT, the risk analysis report can be used to align the company's business objectives with its technology-related objectives.
• The analysis can be either qualitative or quantitative.
What is the difference between Risk analysis and Risk management?
• Risk analysis is the assessment: identifying and estimating the level of each risk from the known values of the assets, the vulnerabilities of those assets, and the level of the threats to them.
• Risk management is what follows: selecting and adopting the countermeasures that the identified risks to the assets justify, and reducing those risks to an acceptable level.
Why we use it and When?
• We use risk analysis because it helps us understand risk, so that we can manage it and minimize the disruption it causes.
• We use risk analysis when planning projects, improving safety and managing potential risks in the workplace, preparing for events such as theft, equipment or technology failure, or natural disasters, and when planning for changes in our environment.
Where we use it and how?
• Risk analysis can be used anywhere there are assets to protect, such as computers, servers, networks, and sensitive information.
• It works with several components: assets, threats, vulnerabilities, likelihoods, impacts, and safeguards.
How to Calculate the Risk?
• There are two kinds of risk assessment: quantitative and qualitative.
• Quantitative risk assessment draws on methods used by financial institutions and insurance companies and is considered the standard way of measuring risk in many fields. It expresses each risk as an expected monetary loss, which can then be compared with the cost of a safeguard.
• Qualitative risk assessment assumes that there is already a great deal of uncertainty in the likelihood and impact values, so it expresses them, and therefore the risk, in subjective terms and reports each risk as "High", "Moderate", or "Low".
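To make the quantitative side concrete, the Python below is an added example (not code from the original presentation). It applies the standard single loss expectancy and annualized loss expectancy formulas (SLE = asset value x exposure factor; ALE = SLE x annual rate of occurrence) to the customer database and compares two candidate safeguards by their net annual value. All dollar figures, exposure factors, rates and safeguard names are constructed for illustration.

```python
"""Quantitative risk calculation for one Digital Zone asset.

Added example: the asset values, exposure factors and rates below are
constructed for illustration, not figures from the original assessment.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    """One asset/threat pair expressed in money, the way insurers price a risk."""
    asset: str
    asset_value: float      # AV: what the asset is worth, including breach costs
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year (0.5 = once in 2 years)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and annual rate must not be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure, its yearly cost, and the risk that remains once it is in place."""
    name: str
    annual_cost: float
    residual: QuantitativeRisk


def net_value(before: QuantitativeRisk, safeguard: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE reduction minus its yearly cost.

    Positive means the safeguard pays for itself; negative means it costs more
    than the loss it prevents, so the risk should be accepted, insured, or
    handled by a cheaper control instead.
    """
    return before.ale() - safeguard.residual.ale() - safeguard.annual_cost


def best_safeguard(before: QuantitativeRisk, options: list[Safeguard]) -> Safeguard | None:
    """Pick the option with the highest net value, or None if none is worth buying."""
    worthwhile = [s for s in options if net_value(before, s) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda s: net_value(before, s))


# Constructed figures: the customer database (names, phone numbers, addresses,
# e-mail addresses) breached by an outside attacker.
CUSTOMER_DB_BREACH = QuantitativeRisk(
    asset="Customer database",
    asset_value=50_000.0,   # rebuild cost + customer notification + lost customers
    exposure_factor=0.6,    # one breach loses roughly 60% of that value
    annual_rate=0.5,        # expected once every two years as things stand
)

OPTIONS = [
    Safeguard(
        name="Patch management + encrypted off-site backup",
        annual_cost=4_000.0,
        residual=QuantitativeRisk("Customer database", 50_000.0, 0.2, 0.25),
    ),
    Safeguard(
        name="Managed security service (24x7 monitoring)",
        annual_cost=15_000.0,
        residual=QuantitativeRisk("Customer database", 50_000.0, 0.2, 0.2),
    ),
]


if __name__ == "__main__":
    print(f"SLE = ${CUSTOMER_DB_BREACH.sle():,.0f}, ALE = ${CUSTOMER_DB_BREACH.ale():,.0f}")
    for option in OPTIONS:
        print(f"{option.name}: net value ${net_value(CUSTOMER_DB_BREACH, option):,.0f}/year")
    choice = best_safeguard(CUSTOMER_DB_BREACH, OPTIONS)
    print("Recommend:", choice.name if choice else "accept the risk")
```

With these constructed inputs the database breach costs $30,000 per occurrence and $15,000 per year in expectation; the first safeguard reduces that to $2,500 and costs $4,000, a net gain of $8,500 a year, while the managed service costs more than it saves and is rejected. The numbers are only as good as the estimates of AV, EF and ARO, which is exactly the uncertainty that pushes small organizations toward the qualitative method.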
Steps for Risk analysis and management
1. Systems inventory: identify all the assets that support critical business processes.
2. Threat analysis: identify the potential threats to those critical systems.
3. Infrastructure vulnerability assessment: identify the technology vulnerabilities that those threats could exploit.
Steps for Risk analysis and management Cont.
4. Develop the security control suggestions: link the risk management strategy recommendations to the results of the assessment.
5. Decision: act or accept (the risk management decision, made against the acceptable level of risk set in the IRM policy).
6. Monitoring and communication: management and user support are needed for the control implementation to succeed, and the controls must be monitored once they are in place.
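Applied to Digital Zone, the six steps produce a risk register. The Python below is an added example (not from the original practicum): the assets, threats and vulnerabilities from steps 1 to 3 become register entries; step 4 attaches a suggested control together with the likelihood and impact expected after it; step 5 decides act-or-accept against the acceptable level from the IRM policy (assumed here to be "Low"); and the ranking gives the top 5 risks called for in the goals. It rates each entry with a 3x3 likelihood/impact matrix, the qualitative method described above. Every entry, rating and control is constructed for illustration.

```python
"""Qualitative risk register that walks the six steps for Digital Zone.

Added example (not from the original practicum): every asset, threat,
vulnerability, rating and control below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative levels in increasing order; the index is compared against the
# acceptable level that the IRM policy sets (assumed here to be "Low").
LEVELS = ["Low", "Moderate", "High"]


def rate(likelihood: int, impact: int) -> str:
    """3x3 likelihood/impact matrix, each on a 1..3 scale, to High/Moderate/Low.

    Score 6-9 -> High, 3-5 -> Moderate, 1-2 -> Low, so a rare event with a
    High impact (1 x 3) is still Moderate rather than dropping out of view.
    """
    if likelihood not in (1, 2, 3) or impact not in (1, 2, 3):
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    return "High" if score >= 6 else "Moderate" if score >= 3 else "Low"


@dataclass
class RiskEntry:
    asset: str                               # step 1: systems inventory
    threat: str                              # step 2: threat analysis
    vulnerability: str                       # step 3: vulnerability assessment
    likelihood: int
    impact: int
    control: str = ""                        # step 4: suggested security control
    residual_likelihood: int | None = None   # expected once the control is in place
    residual_impact: int | None = None

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)

    @property
    def residual_rating(self) -> str:
        """Rating after the control; unchanged when no control is planned."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.rating
        return rate(self.residual_likelihood, self.residual_impact)

    def decision(self, acceptable: str = "Low") -> str:
        """Step 5: 'accept' if the inherent risk is within the acceptable level, else 'act'."""
        return "accept" if LEVELS.index(self.rating) <= LEVELS.index(acceptable) else "act"

    def residual_acceptable(self, acceptable: str = "Low") -> bool:
        """Step 6 check: after acting, is what remains within the acceptable level?"""
        return LEVELS.index(self.residual_rating) <= LEVELS.index(acceptable)


def top_risks(register: list[RiskEntry], n: int = 5) -> list[RiskEntry]:
    """Rank by matrix score, then impact, then asset name so the order is stable."""
    return sorted(register, key=lambda e: (-(e.likelihood * e.impact), -e.impact, e.asset))[:n]


# Constructed register: likelihood and impact on 1..3, then the control and the
# residual likelihood/impact expected after it.
REGISTER = [
    RiskEntry("Customer database", "Theft of customer records by an outside attacker",
              "Web server missing security patches", 3, 3,
              "Monthly patch cycle and web application firewall", 1, 3),
    RiskEntry("Customer database", "Data loss from disk failure",
              "No off-site backup", 2, 3, "Nightly encrypted off-site backup", 2, 1),
    RiskEntry("Technician laptops", "Loss or theft of a laptop holding customer data",
              "No full-disk encryption", 2, 3, "Full-disk encryption and remote wipe", 2, 1),
    RiskEntry("Staff e-mail", "Phishing leading to credential theft",
              "No awareness training, no multi-factor authentication", 3, 2,
              "Awareness program and multi-factor authentication", 2, 1),
    RiskEntry("Office Wi-Fi", "Eavesdropping on customer data in transit",
              "Shared Wi-Fi password never rotated", 2, 2,
              "WPA2-Enterprise with per-user credentials", 1, 2),
    RiskEntry("Server closet", "Fire", "No fire suppression", 1, 3,
              "Extinguisher and smoke alarm", 1, 2),
    RiskEntry("Public web site", "Web site defacement",
              "Shared hosting account with no change monitoring", 2, 1),
]


if __name__ == "__main__":
    for e in top_risks(REGISTER):
        print(f"{e.rating:9} {e.asset}: {e.threat}")
        print(f"          decision={e.decision()}, residual={e.residual_rating},"
              f" within acceptable level={e.residual_acceptable()}")
```

Two things the register shows that a flat list of findings does not: the defacement risk rates Low and is accepted without spending anything, and the patched-and-firewalled database still carries a Moderate residual risk (impact stays High), so management either accepts that residual explicitly or funds a further control. Both outcomes are decisions to record, not gaps.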
Risk, Threats, and Vulnerabilities
• Risk is the possible damage that could result from some current or future process or event; it combines the likelihood of the event and the impact if it occurs.
• A threat is any event or act that could result in tampering with, damage to, or denial of service of an asset.
• Examples of threats: floods, fire and other natural disasters, heat, freezing, man-made threats, and malware (viruses, worms, Trojans, and spyware).
• A vulnerability is any weakness or flaw in the design, the security procedures, the internal controls, or the implementation of a system that could be exploited to violate the system's security policy or cause a security breach.
Threats elements
Three critical elements of a threat:
1. The profile of the threat: which threats and risks could affect the asset?
2. The probability of the threat: how likely is the threat to occur?
3. The consequence of the threat: what effect would the loss of the asset have on the organization's operations or its employees?
The Information Risk Management (IRM) policy
• It explains the role of security and the acceptable level of risk.
• It should address the following issues:
• The IRM team's objectives
• What is considered an acceptable risk
• The formal process of risk identification
The Information Risk Management (IRM) policy Cont.
• The connection between the organization's strategic planning process and the IRM policy
• Roles and responsibilities
• Mapping of risks to internal controls
• Mapping of risks to budgets and performance objectives
• Key indicators to monitor the effectiveness of controls
• The approach that would change resource allocation and staff behavior in response to the risk assessment
Security Checklists
• Security checklists exist for many different components, such as networks, computers, servers, switches, firewalls, routers, copiers, workstations, and scanners.
• Each checklist provides recommendations that help security specialists find the vulnerabilities and threats that apply to that component.
• Applying the recommendations reduces the risk from those threats; it does not eliminate it, so the remaining risk still has to be assessed and accepted.
Contingency plan
1. Disaster recovery plan: covers recovering operations at the primary (on-site) location after a disaster.
2. Incident response plan: covers identifying, responding to, and recovering from an incident (short-term events).
3. Business continuity plan: covers long-term service interruptions that require the organization to resume operations at an off-site location.
Security Awareness Program
• It helps both employees and customers understand risks, the consequences of those risks, and how to avoid them.
• It gives guidelines and instructions on many topics, such as e-mail security, username and password security, acceptable use of technology, mobile devices, staying safe and secure online, remote access, the network, and sensitive information.
• It reduces the probability that a risk will occur.
Cycle of Risk Management
• The U.S. General Accounting Office (GAO, now the Government Accountability Office) has recommended that organizations follow a cycle of risk management activities to manage their information security risks:
1. Conducting risk assessments for all their systems
2. Establishing information security policies and procedures that are commensurate with risk and that comprehensively address significant threats
3. Providing sufficient computer security training to their employees
Cycle of Risk Management Cont.
4. Testing and evaluating controls as part of their management assessments
5. Implementing documented incident handling procedures
6. Identifying and prioritizing their critical operations and assets, and determining the priority for restoring those assets should a disruption in critical operations occur
Advantages of Risk Analysis and Management
• It builds a stronger IT infrastructure in the organization.
• It increases the confidence between the organization and its customers.
• It builds good communication between management, the IT department, and end users.
• Customers receive a better quality of service.
• It protects the organization's revenue by reducing losses from incidents.
• The organization ends up with an Information Risk Management (IRM) policy, a security awareness program, and a contingency plan.
Security Assessment Methodologies and tools
Risk analysis methodologies and tools: OCTAVE, FRAP, NIST (risk assessment guidance), COBRA, Practical Threat Analysis (PTA), RiskWatch
Vulnerability scanners: Nessus, SAINT, SARA, Whisker, Microsoft Baseline Security Analyzer
The remaining slides are screenshots of the tools applied to Digital Zone (images not reproduced here); only their titles survive:
PTA: Assets
PTA: Vulnerabilities
PTA: Threats
PTA: Countermeasures
PTA: Results
Nessus
Nessus: Scan list
Nessus: Vulnerabilities summary
Nessus: Host summary
Nessus: Filter options
Nessus: Result after filters
Nessus: Description of vulnerability
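The Nessus screenshots above (host summary, vulnerability summary, filters) are views over the scan report; the Python below is an added example (not from the presentation or from Tenable) that rebuilds those three views from a Nessus export in the .nessus v2 XML format. The report embedded in the block is a constructed sample: the hosts, plugin IDs and plugin names are made up and do not correspond to real Nessus plugins.

```python
"""Host summary, vulnerability summary and severity filter over a Nessus report.

Added example (not from the original presentation). It reads the .nessus v2
XML export format; the report below is a constructed sample whose hosts,
plugin IDs and plugin names are made up and do not map to real plugins.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Severity codes used in the ReportItem "severity" attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="Digital Zone internal scan (constructed sample)">
  <ReportHost name="192.168.1.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001" pluginName="Example: file server missing critical patch" pluginFamily="Windows">
    <cvss_base_score>9.3</cvss_base_score>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Example: web server version disclosure" pluginFamily="Web Servers">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003" pluginName="Example: OS identification" pluginFamily="General">
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Example: web server version disclosure" pluginFamily="Web Servers">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900004" pluginName="Example: SSH banner reveals version" pluginFamily="Misc.">
    <cvss_base_score>2.6</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: int        # 0..4, see SEVERITY_NAMES
    plugin_id: str
    plugin_name: str
    cvss: float | None   # absent for informational plugins


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten every ReportItem under every ReportHost into a Finding."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                plugin_name=item.get("pluginName", ""),
                cvss=float(cvss) if cvss else None,
            ))
    return findings


def filter_findings(findings: list[Finding], min_severity: int = 2,
                    name_contains: str | None = None) -> list[Finding]:
    """The Filters panel: keep findings at or above a severity, optionally by plugin name."""
    kept = [f for f in findings if f.severity >= min_severity]
    if name_contains:
        kept = [f for f in kept if name_contains.lower() in f.plugin_name.lower()]
    return kept


def host_summary(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Host Summary view: per host, the number of findings at each severity."""
    summary: dict[str, dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.host, {name: 0 for name in SEVERITY_NAMES.values()})
        counts[SEVERITY_NAMES[f.severity]] += 1
    return summary


def vulnerability_summary(findings: list[Finding]) -> list[tuple[str, int, int]]:
    """Vulnerabilities view: (plugin name, severity, affected host count), worst first."""
    hosts: dict[str, set[str]] = defaultdict(set)
    severity: dict[str, int] = {}
    for f in findings:
        hosts[f.plugin_name].add(f.host)
        severity[f.plugin_name] = f.severity
    rows = [(name, severity[name], len(h)) for name, h in hosts.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_REPORT)
    for host, counts in host_summary(findings).items():
        print(host, counts)
    for name, sev, n in vulnerability_summary(findings):
        print(f"{SEVERITY_NAMES[sev]:8} {n} host(s)  {name}")
    print("Medium and above:", len(filter_findings(findings, min_severity=2)))
```

Filtering out the Info rows before the findings go into the risk register keeps the register focused on actual vulnerabilities; the vulnerability view is grouped by plugin because one remediation (here, the web server fix) usually closes the same finding on every affected host at once.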
Baseline Security Analyzer
Baseline Security Analyzer: Adjusting settings of scan
Baseline Security Analyzer: Scanning process
Baseline Security Analyzer: Result after scan
Conclusion
• Three critical properties must be considered throughout risk analysis and management: information confidentiality, information integrity, and system availability.
Thank you
