Dr. Benjamin [email protected]
New York Institute of Technology, School of Management
3.1 Risk = someone or something that creates or suggests a hazard
3.2 Risk Assessment Process:
+ must support the business mission/objectives
+ accepted by the user community
◆ Meet with the client to determine:
1. what to review
2. kinds of risk elements to be examined
3. deliverables or results from the process
◆ find business-friendly controls or counter-measures
3.3 Information is an Asset
Goal of an enterprisewide information security program is to determine the threat impact to information assets based on:
1. Integrity – information is as intended without inappropriate modification or corruption
2. Confidentiality – information is protected from unauthorized or accidental disclosure
3. Availability – Authorized users can access applications and systems when required
See Table 3.1 for more specific definitions.
Business manager/owner determines the value of the information asset by:
• cost of producing the information asset
• value on the open market
• cost of reproducing the information asset if it is destroyed
• benefit to the enterprise
• cost to the enterprise if released, altered or destroyed
• repercussions to the enterprise if the information asset is destroyed
• loss of client or customer confidence
• loss of public credibility
3.4 Risk Assessment Methodology
Consists of:
1. assets scoped
2. threats identified
3. risk level established
4. possible controls selected
Asset types:
1. Physical e.g. people, telecom infrastructure, hardware, software, data, information, procedures, etc.
2. Logical e.g. intellectual assets, goodwill, brand name, etc.
3.4.1 Threat Identification
threat = an indication of an impending undesirable event
Sources of threat:
1. natural
2. human – accidental or deliberate
3. environmental
See Table 3.2 for source, motivation & threat.
3.4.1.1 Elements of Threats
3 elements of threats:
1. agent ⇒ catalyst
2. motive ⇒ causes
3. results ⇒ outcome
Factors that impact a threat:
• Geographical location – infrastructure
• Facility
• Your neighbors
See Table 3.3
3.4.1.2 Threat Occurrence Rates
Value of Asset × Likelihood = Annual Loss Exposure (this figure can be deceiving)
Likelihood of Occurrence (where the rates come from):
• Natural threats === local (or national) weather centers, by years
• Criminal activities === local law enforcement, FBI, state agencies
• Other threats === insurance companies
Use something like Table 3.4
3.4.1.3 Risk Level Determination ⇨ how likely that threat is to occur
2 ways to assess:
1. establish probability without consideration for existing controls, e.g. initial assessment
2. establish probability taking into account the existing controls, e.g. assessing a specific LAN, application or subnet
See Table 3.5 for probability level definitions
Before impact analysis, consider:
1. asset mission === from project scope
2. information sensitivity
3. asset criticality === importance to the organization
Impact measures:
Quantitative = lost revenue, cost of repairing the system, level of effort required to correct, etc.
Intangible = loss of public confidence, loss of credibility, damage to reputation, etc.
See Figure 3 (Probability vs Impact)
3.4.1.4 Controls and Safeguards
Identify controls to mitigate the risk to an acceptable level
Control factors:
• How effective is the recommended control?
• Legal & regulatory requirements?
• Operational impact to the organization?
• Safety & reliability of the control?
• Rule of thumb == cost > asset ⇒ bad ROI
• Cross-reference threats mitigated for each control == good ROI?
Analyze the controls, see Table 3.7
Types of Controls
Technical = safeguards for hardware, software, control mechanisms, identification & authentication processes, encryption tools, intrusion detection software, etc.
Non-technical = management & operational controls – policies, procedures, standards, personnel security, environmental control mechanisms, etc.
Control Categories:
• Avoidance controls = minimize risk
• Assurance controls = ensure the on-going effectiveness
• Detection controls = early detection, interception & response to breaches
• Recovery controls = restore secure environment
See Table 3.8
Can also map controls to enterprise – operations, applications, systems, security, etc.
International standard ISO 17799 (cf Table 3.11)
3.4.1.5 Cost-Benefit Analysis
Consider:
• cost of implementation
• operational effectiveness
• additional policies needed?
• additional staff needed?
• cost of training, etc.
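A worked instance of the slides' Annual Loss Exposure formula (3.4.1.2), the two-way probability assessment with and without existing controls (3.4.1.3) and the cost-benefit rule of thumb (3.4.1.4 and 3.4.1.5), added here as example code; it is not from the lecture. The Asset and Control classes, the function names, and all asset values, likelihoods and control costs are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float                # cost to reproduce / value to the enterprise (3.3)
    inherent_likelihood: float  # annual probability with no controls considered
    residual_likelihood: float  # annual probability given the existing controls

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_after: float     # expected annual probability once the control is in place

def annual_loss_exposure(asset_value: float, likelihood: float) -> float:
    """Value of Asset x Likelihood = Annual Loss Exposure (3.4.1.2)."""
    return asset_value * likelihood

def assess(asset: Asset) -> dict:
    """The two assessments of 3.4.1.3: without and with the existing controls."""
    return {"inherent_ale": annual_loss_exposure(asset.value, asset.inherent_likelihood),
            "residual_ale": annual_loss_exposure(asset.value, asset.residual_likelihood)}

def evaluate_control(asset: Asset, control: Control) -> dict:
    """Cost-benefit check (3.4.1.5): ALE saved by the control against its annual cost."""
    before = assess(asset)["residual_ale"]
    after = annual_loss_exposure(asset.value, control.likelihood_after)
    saved = before - after
    if control.annual_cost > asset.value:       # rule of thumb: cost > asset => bad ROI
        verdict = "reject: control costs more than the asset"
    elif saved > control.annual_cost:
        verdict = "accept"
    else:
        verdict = "reject: ALE saved does not cover the cost"
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "net_benefit": saved - control.annual_cost, "verdict": verdict}

# Constructed sample data, not taken from the lecture notes.
CUSTOMER_DB = Asset("customer database", value=200_000.0,
                    inherent_likelihood=0.5, residual_likelihood=0.2)
CONTROLS = [Control("offsite backup", annual_cost=15_000.0, likelihood_after=0.05),
            Control("hot standby site", annual_cost=250_000.0, likelihood_after=0.01),
            Control("extra log review", annual_cost=30_000.0, likelihood_after=0.1)]

if __name__ == "__main__":
    print(assess(CUSTOMER_DB))
    for control in CONTROLS:
        print(evaluate_control(CUSTOMER_DB, control))
```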
The End