
Risk Management

CS5493, Risk Management. Risk management is the process of identifying, assessing, prioritizing, and mitigating risks; it is an ongoing process with a life-cycle (sustainability cycle) whose aim is to minimize the effects of negative risks.

seamus




Presentation Transcript


  1. CS5493 Risk Management

  2. Risk Management
     • The process of
       • identifying,
       • assessing,
       • prioritizing, and
       • mitigating risks

  3. Risk Management
     • An ongoing process that has a life-cycle
     • (sustainability cycle)

  4. Risk Management
     • Minimize the effects of negative risks
     • Maximize the effects of positive risks

  5. Risk Management
     • Asset – anything of value

  6. Risk Management
     • Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally. A threat is what you wish to protect against.

  7. Risk Management
     • Vulnerability – weaknesses exploited by threats that compromise assets. A vulnerability is a weakness.

  8. Define a Risk Equation
     • Risk = Threats x Vulnerabilities
     • Threats = frequency of an adverse event
     • Vulnerability = the probability that a threat will succeed
     • Risk = the risk probability

  9. Risk Management
     • The exposure cost is the product of the risk-probability value times the loss (of the asset) in dollars.
     • Cost = RiskProbability * AssetLoss

  10. Example (annual)
     • Probability of a fire in the data center resulting in a loss: 0.75%
     • Probability of the fire destroying all assets in the data center: 15%
     • Risk Probability = .0075 * .15 = .001125

  11. Example (annual)
     • Replacement value of the data center: $750,000
     • Estimated annual loss due to fire = $843.75
     • (risk probability * value of the asset)

  12. Risk Identification
     • The process of determining the risks to assets.
     • Create the “risk register”

  13. Risk Register
     • Creation:
       • Brainstorming meeting to identify the risks
       • Surveys
       • Other events to collect information.

  14. Risk Register
     • Content:
       • A description of each identified risk
       • Probability of the risk event occurring
       • Steps to mitigate
       • Rank each risk in the register
       • Describe the impact if the risk-event actually occurs and include the cost.

  15. Risk Register
     • Ranking risks
       • A limited budget will require dropping some perceived risks.
       • Concentrate on the most important issues.

  16. Risk Analysis
     • Qualitative
     • Quantitative

  17. Risk Analysis
     • Qualitative
       • Risk classification: High, Medium, Low
       • Risk impact: how would it impact the overall business.

  18. Risk Analysis
     • Quantitative
       • Use math

  19. Risk Analysis
     • Quantitative
       • EF = Exposure Factor
       • SLE = Single Loss Expectancy
       • SLE = Asset Value x EF
       • ARO = annual rate of occurrence
       • ALE = annual loss expectancy
       • ALE = SLE x ARO

  20. Quantitative Risk Table
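The following is an added worked example, not part of the CS5493 slides, that ties together the risk equation (slides 8-11), the risk register and its ranking under a limited budget (slides 14-15), and the quantitative formulas and table (slides 19-20). The data-center fire row uses the lecture's own figures; every other asset, exposure factor, ARO and mitigation cost is a constructed sample value. One mapping is mine: the lecture's "probability of the fire destroying all assets" (15%) plays the role of EF in SLE = AV x EF, which gives the same expected loss.

```python
# Added example, not from the CS5493 slides: a small quantitative risk register
# built on the lecture's formulas
#   Risk probability = threat frequency x probability the threat succeeds
#   SLE = Asset Value x EF,   ALE = SLE x ARO
# The data-center fire row uses the lecture's figures (AV $750,000, ARO 0.75%,
# 15% chance the fire destroys the assets); every other row and every
# mitigation cost is a constructed sample value.
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV: replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost when the threat succeeds
    aro: float              # ARO: annual rate of occurrence of the threat
    mitigation: str = ""    # steps to mitigate (risk register content, slide 14)
    mitigation_cost: float = 0.0  # constructed: annual cost of those steps

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def risk_probability(self) -> float:
        """Slide 8: Risk = threat frequency x probability the threat succeeds.
        EF stands in for the success probability, as in the fire example."""
        return self.aro * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO, i.e. AV x risk probability."""
        return self.sle * self.aro


def ranked_register(risks):
    """Rank the register (slide 15), largest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def quantitative_risk_table(risks):
    """Rows for the quantitative risk table (slide 20), in rank order."""
    return [
        {"rank": i, "asset": r.asset, "threat": r.threat, "AV": r.asset_value,
         "EF": r.exposure_factor, "SLE": r.sle, "ARO": r.aro, "ALE": round(r.ale, 2)}
        for i, r in enumerate(ranked_register(risks), start=1)
    ]


def fund_mitigations(risks, budget):
    """Slide 15: a limited budget means funding the highest-ranked risks first
    and dropping the rest. Returns (funded, dropped) lists of asset names."""
    funded, dropped = [], []
    for r in ranked_register(risks):
        if r.mitigation_cost <= budget:
            budget -= r.mitigation_cost
            funded.append(r.asset)
        else:
            dropped.append(r.asset)
    return funded, dropped


# Constructed sample register; the fire row reproduces slides 10-11.
REGISTER = [
    Risk("data center", "fire", 750_000, 0.15, 0.0075,
         "suppression system inspection", 1_500),
    Risk("customer database", "ransomware", 200_000, 0.50, 0.20,
         "offline backups and endpoint detection", 6_000),
    Risk("public web server", "DDoS", 50_000, 0.10, 2.0,
         "upstream scrubbing service", 4_000),
    Risk("laptop fleet", "theft", 120_000, 0.02, 3.0,
         "full-disk encryption and asset tracking", 2_000),
]

if __name__ == "__main__":
    for row in quantitative_risk_table(REGISTER):
        print(row)
    print(fund_mitigations(REGISTER, budget=10_000))
```

Running it reproduces the lecture's $843.75 annual fire loss as the lowest-ranked row, and shows why ranking matters: with a $10,000 budget the ransomware and DDoS mitigations are funded while the laptop and fire items are dropped, even though the fire mitigation is the cheapest.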

  21. Risk Response Planning
     • Negative Risks
     • Positive Risks

  22. Risk Response Planning
     • Responses to negative risks
       • Eliminate
       • Transfer
       • Mitigate
       • Accept

  23. Negative Risk Response
     • Eliminate – implies that the threat has been eliminated (probability of zero).
     • Transfer – insurance is used to transfer the risk.
     • Mitigate – reduce the probability of the event occurring by taking some action.
     • Accept – take no additional action.
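The four responses to a negative risk can be compared on one scale: the expected loss the organization still carries plus what the response itself costs each year. The block below is an added example, not from the slides; the ransomware figures, insurance premium and coverage share, control costs and residual probabilities are all constructed.

```python
# Added example, not from the CS5493 slides: comparing the four responses to a
# negative risk (eliminate, transfer, mitigate, accept) by annualized cost,
# i.e. residual ALE borne by the organization plus the cost of the response.
# The asset, loss figures, premium and control costs are constructed.
from dataclasses import dataclass


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy from the slides: ALE = (AV x EF) x ARO."""
    return asset_value * exposure_factor * aro


@dataclass
class Response:
    name: str               # eliminate / transfer / mitigate / accept
    annual_cost: float      # what the organization pays for the response each year
    aro: float              # residual threat frequency after the response
    exposure_factor: float  # residual fraction of the asset lost per event
    covered_fraction: float = 0.0  # share of each loss paid by an insurer (transfer)

    def annualized_cost(self, asset_value: float) -> float:
        """Residual expected loss carried by the organization plus the response cost."""
        residual = ale(asset_value, self.exposure_factor, self.aro)
        return residual * (1 - self.covered_fraction) + self.annual_cost


def plan_responses(asset_value, exposure_factor, aro):
    """Build the four candidate responses for one risk (constructed figures)."""
    return [
        # Eliminate: the threat's probability becomes zero, here by retiring the
        # exposed system and paying to replace the function it provided.
        Response("eliminate", annual_cost=25_000, aro=0.0, exposure_factor=0.0),
        # Transfer: cyber-insurance premium; the policy pays 80% of each loss.
        Response("transfer", annual_cost=9_000, aro=aro,
                 exposure_factor=exposure_factor, covered_fraction=0.8),
        # Mitigate: offline backups and endpoint detection halve the chance of
        # an incident and cap the share of the asset lost at 10%.
        Response("mitigate", annual_cost=6_000, aro=aro / 2, exposure_factor=0.1),
        # Accept: no additional action; the full expected loss is carried.
        Response("accept", annual_cost=0.0, aro=aro, exposure_factor=exposure_factor),
    ]


def cheapest_response(asset_value, exposure_factor, aro):
    """Return (name, annualized cost) of the response with the lowest total cost."""
    options = plan_responses(asset_value, exposure_factor, aro)
    best = min(options, key=lambda o: o.annualized_cost(asset_value))
    return best.name, round(best.annualized_cost(asset_value), 2)


if __name__ == "__main__":
    AV, EF, ARO = 200_000, 0.5, 0.2   # constructed: customer database vs ransomware
    for option in plan_responses(AV, EF, ARO):
        print(f"{option.name:10s} {option.annualized_cost(AV):>10,.2f}")
    print(cheapest_response(AV, EF, ARO))
```

For the constructed inputs, accepting the risk costs $20,000 a year in expected loss, transferring it $13,000, mitigating it $8,000 and eliminating it $25,000, so mitigation wins; change the premium or the control cost and the ordering moves, which is the point of putting all four on one scale.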

  24. Risk Response Planning
     • Response to positive risks
       • Exploit
       • Share
       • Enhance
       • Accept

  25. Positive Risk Response
     • Exploit – S-A-P is packaged and sold.
     • Share – finding a partner to purchase in bulk and capture a lower price.
     • Enhance – meeting a deadline ahead of schedule and collecting a bonus.
     • Accept – take no action.

  26. BIA
     • Business Impact Analysis, BIA
     • A formal analysis separating an organization's functions into critical and non-critical categories

  27. BIA RPO
     • RPO – Recovery Point Objective
     • Determine the amount of asset loss that is acceptable

  28. BIA RTO
     • RTO – Recovery Time Objective
     • The maximum allowable time to recover from asset loss.

  29. Risk Management
     • BIA – Business Impact Analysis
     • BCP – Business Continuity Plan
     • DRP – Disaster Recovery Plan

  30. BIA
     • Business Impact Analysis
     • Classifying business functions and activities into critical or non-critical categories.
     • Determining the prerequisites to support each function/activity.
     • Determining the maximum amount of time each function/activity can be unavailable.
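A BIA records an RTO and RPO per function, but those figures are only meaningful if the backup schedule and tested restore times can deliver them, and a function's real recovery time is bounded by its prerequisites. The check below is an added example, not from the slides: the business functions, their dependencies and every hour figure are constructed.

```python
# Added example, not from the CS5493 slides: checking the RTO and RPO figures
# recorded in a BIA against what the backup schedule and tested restore times
# can actually deliver, taking each function's prerequisites (slide 30) into
# account. The functions, dependencies and every hour figure are constructed.
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    critical: bool
    rto_hours: float               # RTO: maximum allowable time to recover
    rpo_hours: float               # RPO: acceptable asset (data) loss, in hours of work
    tested_restore_hours: float    # measured time to restore this function on its own
    backup_interval_hours: float   # how often its data is backed up
    prerequisites: list = field(default_factory=list)  # functions it cannot run without


def effective_recovery_hours(name, functions, _seen=frozenset()):
    """A function is back only when it and all its prerequisites are back, so
    its effective recovery time is the longest of its own restore and theirs."""
    if name in _seen:            # guard against a dependency cycle
        return 0.0
    f = functions[name]
    deps = [effective_recovery_hours(p, functions, _seen | {name}) for p in f.prerequisites]
    return max([f.tested_restore_hours, *deps])


def bia_findings(functions):
    """Return (function, objective, detail) for every RTO or RPO the current
    backup and restore capability cannot meet, critical functions listed first."""
    findings = []
    for bf in sorted(functions.values(), key=lambda x: not x.critical):
        eff = effective_recovery_hours(bf.name, functions)
        if eff > bf.rto_hours:
            findings.append((bf.name, "RTO",
                             f"effective recovery {eff}h exceeds RTO {bf.rto_hours}h"))
        if bf.backup_interval_hours > bf.rpo_hours:
            findings.append((bf.name, "RPO",
                             f"backup every {bf.backup_interval_hours}h exceeds RPO {bf.rpo_hours}h"))
    return findings


# Constructed sample BIA: "order processing" restores quickly on its own but
# depends on a database whose tested restore is slower than the shared RTO.
FUNCTIONS = {bf.name: bf for bf in [
    BusinessFunction("authentication", True, rto_hours=2, rpo_hours=24,
                     tested_restore_hours=1, backup_interval_hours=24),
    BusinessFunction("customer database", True, rto_hours=4, rpo_hours=1,
                     tested_restore_hours=5, backup_interval_hours=4,
                     prerequisites=["authentication"]),
    BusinessFunction("order processing", True, rto_hours=4, rpo_hours=1,
                     tested_restore_hours=2, backup_interval_hours=0.5,
                     prerequisites=["customer database", "authentication"]),
    BusinessFunction("payroll", False, rto_hours=72, rpo_hours=24,
                     tested_restore_hours=8, backup_interval_hours=24,
                     prerequisites=["authentication"]),
]}

if __name__ == "__main__":
    for name, objective, detail in bia_findings(FUNCTIONS):
        print(f"{name}: {objective} not met ({detail})")
```

The interesting finding is the third one: order processing meets its own RTO on paper, yet its effective recovery is five hours because the customer database it depends on restores in five, which is exactly the prerequisite analysis slide 30 asks for.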

  31. BCP
     • BCP – Business Continuity Plan
     • A response plan to interruptions of critical functions
     • An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
     • Creation of an IT intrusion response team

  32. DRP
     • DRP – Disaster Recovery Plan
     • A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
     • Creation of an IT disaster response team

  33. DRP
     • DRP – Disaster Recovery Plan
       • Fire
       • Flood
       • Hurricane
       • Tornado
       • Earthquake

  34. DRP Requirements
     • Contact list of critical personnel
     • Complete inventory of physical assets
     • Inventory of IT software applications for critical business functions.
     • Data/system backups
     • Alternate or redundant facility planning
