
Risk management

Gain insight into risk management strategies with the wisdom of Sun Tzu. Learn to identify, assess, and control risks to protect your organization and assets.





Presentation Transcript


  1. Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg

  2. Risk management and Sun Tzu… • “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu • Know Yourself • Know the Enemy

  3. What is risk management? • Risk Management consists of identifying and controlling the risks facing an organization. The process breaks down into three parts: Risk Identification (Inventory Assets, Classifying Assets, Identifying Threats) → Risk Assessment → Risk Control (Selecting Strategy, Justifying Controls)

  4. Outline 1. Risk Identification 2. Risk Assessment 3. Risk Control Strategies

  5. Risk Identification 1) Plan and organize the process 2) Categorize system components - Asset Identification - Information Asset Classification 3) Inventory / categorize assets - Information Asset Valuation - Listing Assets in Order of Importance - Data Classification and Management 4) Identify threats - Identify and Prioritize Threats 5) Specify vulnerable assets - Vulnerability Identification

  6. Risk Assessment • Assess a risk: to assign a risk rating or score to each information asset • Risk estimation. Factors of risk: value of the information asset; likelihood of the occurrence of the vulnerability; percentage of risk mitigated by current controls; uncertainty of current knowledge of the vulnerability. Risk = (Likelihood × Asset value) − (Likelihood × Asset value × Percentage mitigated by current controls) + (Likelihood × Asset value × Uncertainty) (Vocabulary note: to mitigate = to lessen)

  7. Risk Assessment • Example of risk estimation • Asset A vulnerability is rated at 55: 55 = (50 × 1) − [(50 × 1) × 0] + [(50 × 1) × 0.1] (asset value 50, likelihood 1, 0% mitigated by current controls, 10% uncertainty) • Asset B vulnerability is rated at 35

  8. Risk Assessment • Documenting the Results of Risk Management • Ranked vulnerability risk worksheet
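The risk-rating formula of slide 6, the Asset A calculation of slide 7 and the ranked vulnerability risk worksheet of slide 8, carried through as an added example (this code is not from the slides). Asset A uses the values the slide gives; the inputs for Asset B and for a third asset are constructed here to illustrate the ranking (the slide only states Asset B's result, 35), and the range check on the factors is an added safeguard, since a likelihood or percentage outside 0..1 silently produces a meaningless rating.

```python
from dataclasses import dataclass

@dataclass
class AssetVulnerability:
    """One asset/vulnerability pair with the four risk factors from slide 6."""
    asset: str
    vulnerability: str
    value: float          # information asset value (e.g. on a 0-100 scale)
    likelihood: float     # likelihood of the vulnerability occurring (0-1)
    mitigated: float      # share of risk already mitigated by current controls (0-1)
    uncertainty: float    # uncertainty of current knowledge of the vulnerability (0-1)

def risk_rating(item: AssetVulnerability) -> float:
    """Risk = (L x V) - (L x V x mitigated) + (L x V x uncertainty)."""
    for name in ("likelihood", "mitigated", "uncertainty"):
        factor = getattr(item, name)
        if not 0.0 <= factor <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {factor}")
    base = item.likelihood * item.value
    return base - base * item.mitigated + base * item.uncertainty

def ranked_worksheet(items):
    """Ranked vulnerability risk worksheet: highest rating first, with rank numbers."""
    rated = sorted(items, key=risk_rating, reverse=True)
    return [(rank, it.asset, it.vulnerability, round(risk_rating(it), 2))
            for rank, it in enumerate(rated, start=1)]

# Asset A takes the values from slide 7; the other two rows are constructed inputs.
SAMPLE = [
    AssetVulnerability("Asset A", "constructed vuln 1", value=50, likelihood=1.0,
                       mitigated=0.0, uncertainty=0.1),
    AssetVulnerability("Asset B", "constructed vuln 2", value=100, likelihood=0.5,
                       mitigated=0.5, uncertainty=0.2),   # constructed inputs -> 35
    AssetVulnerability("Asset C", "constructed vuln 3", value=30, likelihood=0.3,
                       mitigated=0.8, uncertainty=0.1),   # constructed inputs -> 2.7
]

if __name__ == "__main__":
    print(f"{'Rank':<5}{'Asset':<10}{'Vulnerability':<22}{'Rating':>8}")
    for rank, asset, vuln, rating in ranked_worksheet(SAMPLE):
        print(f"{rank:<5}{asset:<10}{vuln:<22}{rating:>8}")
```

The worksheet is the artefact the assessment step hands to risk control: the top rows are the vulnerabilities for which a strategy has to be selected first. Note that a high uncertainty term raises the rating, so an asset about which little is known is pushed up the list rather than down.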

  9. Risk Control Strategies • Avoidance • Transference • Mitigation • Incident Response Plan • Disaster Response Plan • Business Continuity Plan • Acceptance

  10. Selecting a Risk Control Strategy • Selecting one of the four risk control strategies for each vulnerability • The level of threat and the value of the asset play a major role in strategy selection • Once a control strategy has been implemented, it should be monitored and measured: a cyclical process to ensure that risks are controlled.

  11. Feasibility Studies & CBA (Cost Benefit Analysis) (1) Aim: used to determine the costs associated with protecting an asset. An organization should not spend more to protect an asset than the asset is worth • Items that affect the cost of a control - Cost of development & acquisition of software, hardware and services - Training fees - Cost of implementation (install, configure, test) - Service costs (maintenance & upgrade)

  12. Feasibility Studies & CBA (Cost Benefit Analysis) (2) • Benefit = the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. • Asset valuation = the process of assigning financial value or worth to each information asset. E.g. 1: cost to replace a network switch – simple to determine. E.g. 2: the dollar value of the loss in market share if information on new product offerings is released prematurely

  13. Risk Assessment & CBA • Single Loss Expectancy: SLE = Asset Value × Exposure Factor. Website value: 1,000,000 euros, Exposure factor = 10% → SLE = 100,000 euros • Annualized Loss Expectancy: ALE = SLE × ARO (ARO = annualized rate of occurrence). ARO = 0.5 → ALE = 100,000 × 0.5 = 50,000 euros • Cost Benefit Analysis (CBA): CBA = ALE(prior) − ALE(post) − ACS (ACS = annual cost of the safeguard)
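The SLE, ALE and CBA formulas of slides 11 to 13, worked through in code as an added example (not from the slides). The website figures are the slide's own (value 1,000,000 euros, exposure factor 10%, ARO 0.5); the two candidate controls, their annual costs and the ARO they achieve are constructed here to show how the CBA decides between a control that pays for itself and one that costs more than the loss it prevents, which is the rule stated on slide 11.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (exposure factor as a fraction 0-1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def aro_from_interval(years_between_events: float) -> float:
    """Convenience: 'once every N years' expressed as an annualized rate."""
    return 1.0 / years_between_events

def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control is justified."""
    return ale_prior - ale_post - annual_cost_of_safeguard

def evaluate_control(asset_value, ef_prior, aro_prior, ef_post, aro_post, acs):
    """Run the whole chain for one candidate control and return every intermediate figure."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "acs": acs,
            "cba": cba, "justified": cba > 0}

# Figures from slide 13 (euros).
WEBSITE_VALUE = 1_000_000
WEBSITE_EF = 0.10
WEBSITE_ARO = 0.5

# Constructed candidate controls: (name, exposure factor after, ARO after, annual cost).
CANDIDATE_CONTROLS = [
    ("control X (constructed)", 0.10, 0.1, 12_000),   # cuts ARO to 0.1 for 12,000/year
    ("control Y (constructed)", 0.10, 0.2, 45_000),   # cuts ARO to 0.2 for 45,000/year
]

def compare_controls():
    """Evaluate each constructed control against the website's current ALE."""
    return {name: evaluate_control(WEBSITE_VALUE, WEBSITE_EF, WEBSITE_ARO, ef, aro, acs)
            for name, ef, aro, acs in CANDIDATE_CONTROLS}

if __name__ == "__main__":
    sle = single_loss_expectancy(WEBSITE_VALUE, WEBSITE_EF)
    print(f"SLE = {sle:,.0f} euros, ALE = {annualized_loss_expectancy(sle, WEBSITE_ARO):,.0f} euros")
    for name, result in compare_controls().items():
        verdict = "justified" if result["justified"] else "not justified"
        print(f"{name}: ALE after = {result['ale_post']:,.0f}, "
              f"CBA = {result['cba']:,.0f} euros -> {verdict}")
```

Control X reduces the annual expected loss from 50,000 to 10,000 euros for 12,000 euros a year, so the CBA is +28,000 and the control is worth buying; control Y saves 30,000 euros a year but costs 45,000, giving a CBA of −15,000, which is the slide 11 situation of spending more on protection than the protection returns.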

  14. Benchmarking • An alternative method to the economic feasibility analysis that seeks out and studies the practices used in other organizations that produce the results desired in an organization. Measures to compare practices: • metric-based: comparisons based on numerical standards • process-based: less focused on numbers and more strategic. Two categories of benchmarks are used in InfoSec: • standards of due care & due diligence • best practices

  15. Applying Best Practices & Benchmarking • Does the organization resemble the identified target organization with the best practice under consideration? • Does the organization face similar challenges as the target? • Is its organizational structure similar to the target’s? • Are the resources the organization can expend similar to those identified with the best practice? • No two organizations are identical; • Best practices are a moving target; • Security is a managerial problem, not a technical one.

  16. Delphi Technique What? - A technique for accurately estimating scales and values. How? • A group rates or ranks a set of information. • Responses are compiled and returned for a new iteration. Final: the entire group is satisfied with the result • Quantitative assessment – actual values or estimates • Qualitative assessment – no numeric values, scales (A-Z, 0-10, low, medium, high, very high)

  17. Conclusion “Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business viability.” (F. Avolio, “Best Practices in Network Security”)
