INFORMATION SECURITY MANAGEMENT



  1. INFORMATION SECURITY MANAGEMENT Lecture 8: Risk Management Controlling Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

  2. Managing Risk (cont’d.) Figure 9-1 Residual risk Source: Course Technology/Cengage Learning

  3. Managing Risk – Risk Control • Risk control involves selecting one of the four risk control strategies for each identified risk • Discussion point: should the organization ever simply accept a risk? (Acceptance is a legitimate strategy only when the cost of every other strategy exceeds the expected loss and the decision is documented.)

  4. Risk Control Cycle Figure 9-3 Risk control cycle Source: Course Technology/Cengage Learning

  5. Cost Benefit – Asset Valuation • Asset value (AV): replacement cost and/or income derived through the use of an asset, in dollars • Exposure Factor (EF): the portion (0–100%) of the asset's value lost when a threat is realized once (also called impact) • Single Loss Expectancy (SLE) = Asset value ($) × EF (%)

  6. Cost Benefit – Asset Valuation • Annualized Rate of Occurrence (ARO): the expected number of times the loss event occurs in one year • For rare events this is expressed as a probability (once every 10 years → ARO = 0.1); for frequent events it can exceed 1 (three times a year → ARO = 3) • Annual Loss Expectancy (ALE) = SLE × ARO

  7. Example of Quantitative Risk Assessment • Theft of a laptop computer, with the data encrypted • Asset value: $4,000 • Exposure factor? (the data is encrypted, so consider what is actually lost) • SLE, ARO, ALE?

  8. Example of Quantitative Risk Assessment • Dropping a laptop computer and breaking the screen • Asset value: $4,000 • Exposure factor? (only the screen is lost, not the whole asset) • SLE, ARO, ALE?

  9. Cost-Benefit Analysis Calculation CBA = ALE(prior) – ALE(post) – ACS • ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control • ALE (post-control) is the ALE of the same risk after the control has been in place for a period of time (a control can lower EF, ARO, or both) • ACS is the annual cost of the safeguard, including purchase, deployment, and ongoing operation • A positive CBA means the safeguard saves more than it costs each year; a negative CBA means the risk is cheaper to carry than to control

  10. Example of Cost-Benefit Analysis Calculation • Dropping an iPad and breaking the screen • Asset value: $700 • Exposure factor: 50% • SLE = • ARO = 0.25 (25% chance per year of damaging it) • ALE (prior) = • ALE (post) = • CBA (cost of case = $30 per year) • CBA = ALE(prior) – ALE(post) – ACS • CBA =

  11. Example of Cost-Benefit Analysis Calculation • Unprotected customer database • Asset value: $200,000 • Exposure factor: 50% • SLE = • ARO = 0.75 (75% chance per year of occurring) • ALE (prior) = • ALE (post) = • CBA (ACS = $5,000 per year) • CBA = ALE(prior) – ALE(post) – ACS • CBA =
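The arithmetic from slides 5 through 11, carried through on the two cost-benefit examples above. This is an added example, not part of the lecture slides. The asset values, exposure factors, AROs and safeguard costs are the ones on the slides; the slides leave the post-control ALE blank, so the post-control AROs used here (a case cuts iPad screen breaks to once in 20 years; the database control cuts breaches to once in 10 years) are assumptions, marked as such in the code. The `Scenario` class, `aro_from_interval` and `evaluate_control` are names chosen for this example.

```python
# Added example (not from the lecture slides): SLE / ALE / CBA arithmetic
# applied to the iPad and customer-database examples.  Post-control values
# are not given on the slides; the ones used below are labelled ASSUMPTION.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair, with the three inputs the slides define."""
    name: str
    asset_value: float      # AV: replacement cost or income derived, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year (may exceed 1)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (loss from one incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO: once in 10 years -> 0.1."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS, exactly as on slide 9."""
    return ale_prior - ale_post - acs


def evaluate_control(prior: Scenario, post: Scenario, acs: float) -> dict:
    """Compare a scenario before and after a safeguard costing `acs` per year."""
    result = {
        "sle_prior": prior.sle(),
        "ale_prior": prior.ale(),
        "ale_post": post.ale(),
        "acs": acs,
    }
    result["cba"] = cba(result["ale_prior"], result["ale_post"], acs)
    # A positive CBA means the safeguard saves more per year than it costs.
    result["justified"] = result["cba"] > 0
    return result


# Slide 10: dropping an iPad.  AV $700, EF 50%, ARO 0.25 are from the slide.
IPAD = Scenario("iPad screen break", asset_value=700, exposure_factor=0.50, aro=0.25)
# ASSUMPTION: a $30/yr case does not change what breaks (EF) but cuts the
# rate of screen breaks to once in 20 years (ARO 0.05).
IPAD_WITH_CASE = replace(IPAD, aro=aro_from_interval(20))
IPAD_RESULT = evaluate_control(IPAD, IPAD_WITH_CASE, acs=30)

# Slide 11: unprotected customer database.  AV $200,000, EF 50%, ARO 0.75
# and ACS $5,000 are from the slide.
DB = Scenario("customer database breach", asset_value=200_000,
              exposure_factor=0.50, aro=0.75)
# ASSUMPTION: the $5,000/yr control brings breaches down to once in ten
# years (ARO 0.10); EF is unchanged.
DB_PROTECTED = replace(DB, aro=aro_from_interval(10))
DB_RESULT = evaluate_control(DB, DB_PROTECTED, acs=5_000)


def main():
    for label, r in (("iPad + case", IPAD_RESULT), ("DB + control", DB_RESULT)):
        print(f"{label}: SLE ${r['sle_prior']:,.2f}  ALE(prior) ${r['ale_prior']:,.2f}  "
              f"ALE(post) ${r['ale_post']:,.2f}  ACS ${r['acs']:,.2f}  "
              f"CBA ${r['cba']:,.2f}  justified={r['justified']}")


if __name__ == "__main__":
    main()
```

Under the stated assumptions the iPad case returns a CBA of $40 per year and the database control $60,000 per year, so both are justified. The point of parameterising the post-control scenario separately is that a safeguard can act on EF (encryption leaves the hardware loss but removes the data loss) or on ARO (a case makes drops rarer), and the two should not be conflated when filling in the blanks on the slides.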

  12. Recommended Risk Control Practices • Qualitative/Quantitative/Hybrid approaches • OCTAVE methods • Microsoft Risk Management Approach • FAIR

  13. Qualitative and Hybrid Measures • Quantitative assessment • Qualitative assessment • Hybrid assessment

  14. OCTAVE Method • The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method • Variations of the OCTAVE method • The original OCTAVE method • OCTAVE-S • OCTAVE-Allegro www.cert.org/octave/

  15. Microsoft Risk Management Approach • Four phases in the Microsoft InfoSec risk management process: • Assessing risk • Conducting decision support • Implementing controls • Measuring program effectiveness www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

  16. Microsoft Risk Management Approach Figure A-1 Security Risk Management Guide Source: Course Technology/Cengage Learning

  17. Factor Analysis of Information Risk (FAIR) • A basic FAIR analysis consists of four stages: • Stage 1 - Identify scenario components • Stage 2 - Evaluate loss event frequency • Stage 3 - Evaluate probable loss magnitude (PLM) • Stage 4 - Derive and articulate risk • Unlike the other frameworks listed here, FAIR rates many of its risk components on scales with value ranges (for example, very high to very low) rather than with single point estimates http://fairwiki.riskmanagementinsight.com

  18. FAIR (cont’d.) Figure 9-4 Factor analysis of information risk (FAIR) Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning (Based on concepts from Jack A. Jones)

  19. Analyzing Risk Health First Case Study

  20. Step 1: Define Assets

  21. Step 1: Define Assets Consider Consequential Financial Loss


  23. HIPAA Criminal Penalties Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

  24. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation • Normal threats: threats common to all organizations • Inherent threats: threats particular to your specific industry • Known vulnerabilities: deficiencies reported in previous audits, which raise the likelihood of exploitation

  25. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

  26. Step 4: Compute Expected Loss / Step 5: Treat Risk • Step 4: Compute E(Loss): ALE = SLE × ARO • Step 5: Treat Risk • Risk acceptance: handle the attack when it happens • Risk avoidance: stop doing the risky activity • Risk mitigation: implement a control to minimize the vulnerability • Risk transference: pay someone else (e.g., an insurer or provider) to assume the risk • Risk planning: implement a set of controls
