MIS 5206 Protection of Information Assets - Unit #4 - Risk Evaluation. MIS 5206 Protecting Information Assets

MIS 5206 Protection of Information Assets - Unit #4 - Risk Evaluation

Agenda: Where the role of InfoSec categorization fits; Risk evaluation; Who is responsible; Risk management techniques; Test taking tip; Quiz

Information categorization and risk evaluation is the first step in information systems security. A holistic and comprehensive risk management process provides a framework for managing risk throughout the information system development lifecycle. Reference: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-37r1.pdf

Where information categorization and risk evaluation fit in information systems security: the NIST Risk Management Framework and the NIST Cybersecurity Framework.

Information Categorization is part of Risk Evaluation. Why is data categorization important? It focuses attention on the identification and valuation of information assets, and it is the basis for access control policy and processes.

Risk Evaluation. Risk evaluation is the process of identifying risk scenarios and describing their potential business impact.

Risk Evaluation - Key Components: Collect Data, Analyze Risk, Maintain Risk Profile. Collect Data: identify relevant data to enable effective IT-related risk identification, analysis and reporting. Analyze Risk: develop useful information to support risk decisions that take into account the business impact of risk factors. Maintain Risk Profile: maintain an up-to-date and complete inventory of known risks and their attributes as understood in the context of IT controls and business processes.

Risk Evaluation - Collect Data (RE-1). Goal: ensure IT-related risks are identified, analyzed and presented in business terms. Metrics: number of loss events with key characteristics not captured or measured; degree to which collected data support visibility and understanding of the threat landscape, analyzing scenarios and reporting trends, and visibility and understanding of the control state.

RE-1: Collect Data - Key Activities: RE1.1 Establish and maintain a model for data collection; RE1.2 Collect data on the operating environment; RE1.3 Collect data on risk events; RE1.4 Identify risk factors.

Risk Evaluation - Collect Data (RE1) metrics: existence of a documented risk data collection model; number of data sources; number of data items with identified risk factors; completeness of risk event data (affected assets, impact data, threats, controls, measures of the effectiveness of controls, historical data on risk factors).

Risk Evaluation - Collect Data: Governance Roles: Board of directors; Chief Executive Officer (CEO); Chief Financial Officer (CFO); Chief Risk Officer (CRO); Enterprise Risk Committee; Business Management; Business Process Owner; Risk Control Functions; Human Resources; Compliance and Audit.

Categorizing Information and Information Systems

A systematic qualitative approach to information security categorization

http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-60v1r1.pdf

How to categorize and prioritize an enterprise's data for protection?

FIPS 199: Risk event impact ratings

Question: How to approach prioritizing an enterprise's data for protection?

Remember the procedure described in FIPS Pub 199, Standard for Security Categorization of Information Systems: Low: limited adverse effect; Medium: serious adverse effect; High: severe or catastrophic adverse effect. Example with multiple information types:

1. Set up the information security categorization of Health Catalyst's product line data

Determine the overall information security categorization of the different datasets. Remember the application of FIPS 199 to derive the overall categorization. Synonyms: impact rating, security categorization.

Find a way to transform the ordinal FIPS 199 impact ratings to ratio data in order to conduct a quantitative risk analysis.

Analyzing risk to prioritize protection: the ordinal-to-ratio look-up table is found in NIST SP 800-100, Information Security Handbook: A Guide for Managers, page 99 (transforming ordinal risk rankings to interval risk measures).
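As an added example (not part of the slides), the FIPS 199 high-water-mark rule applied to a system that handles several information types, followed by a numeric score used only to rank systems. The information types, their ratings and the numeric weights are constructed placeholders; the weights are not the SP 800-100 page 99 table, and FIPS 199 itself calls the middle level "Moderate" where the slides say "Medium".

```python
# Added example: FIPS 199 security categorization with multiple information
# types (high-water mark per objective, then overall), plus an ASSUMED
# ordinal-to-ratio mapping for ranking. Not code from the MIS 5206 deck.
from typing import Dict, List, Tuple

# Ordinal impact levels in ascending order, labelled as the slides label them.
LEVELS = ["Low", "Medium", "High"]
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed information types for one system; ratings are illustrative only,
# not taken from the SP 800-60 provisional impact tables.
INFO_TYPES: Dict[str, Dict[str, str]] = {
    "patient billing":  {"confidentiality": "High", "integrity": "Medium", "availability": "Low"},
    "clinic schedule":  {"confidentiality": "Low",  "integrity": "Low",    "availability": "Medium"},
    "public web pages": {"confidentiality": "Low",  "integrity": "Medium", "availability": "Low"},
}

def higher(a: str, b: str) -> str:
    """Return the higher of two ordinal impact levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b

def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """FIPS 199 high-water mark: per objective, the highest rating of any type."""
    sc = {obj: "Low" for obj in OBJECTIVES}
    for ratings in info_types.values():
        for obj in OBJECTIVES:
            sc[obj] = higher(sc[obj], ratings[obj])
    return sc

def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact level: the highest of the three objectives."""
    result = "Low"
    for level in sc.values():
        result = higher(result, level)
    return result

# ASSUMED weights so ordinal levels can be added and compared as ratio data.
# Placeholder values, not the look-up table in NIST SP 800-100 page 99.
ASSUMED_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}

def risk_score(sc: Dict[str, str]) -> int:
    """Sum the assumed weights over C, I and A to get one rankable number."""
    return sum(ASSUMED_WEIGHT[level] for level in sc.values())

def rank_systems(systems: Dict[str, Dict[str, Dict[str, str]]]) -> List[Tuple[str, int]]:
    """Rank systems by score, most protection-worthy first."""
    scored = [(name, risk_score(categorize_system(types))) for name, types in systems.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print("SC =", sc, "| overall:", overall_impact(sc), "| score:", risk_score(sc))
```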

Analyzing risk example

How do you assess the value of information to an organization?

Quantitative Risk Assessment. Expected losses can be weighed against the costs of countermeasures, providing a basis for trading off infosec costs and benefits. One simple assessment technique calculates the annual loss expectancy (ALE) as the product of the cost of a single event (single loss expectancy, SLE) and the annualized rate of occurrence (ARO): Annual Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence. NOTE: the calculation assumes total loss of an asset. If an asset retains part of its useful value, the SLE should be adjusted by an appropriate amount.

Problem: how would you determine the Annual Loss Expectancy (ALE) for the theft of the Dean's laptop from the case study "Snowfall and a stolen laptop"?

Annual Loss Expectancy calculation example. Note that the assumptions of 5% probability and a credit monitoring service for 1,000 individuals greatly influence the results.
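As an added example (not from the slides or the case study), the ALE = SLE × ARO calculation for the stolen-laptop scenario with a sensitivity check on the two assumptions the slide singles out. Only the 5% probability and the 1,000 affected individuals come from the slide; the laptop replacement cost and the per-person credit-monitoring price are assumed placeholders.

```python
# Added example: annual loss expectancy (ALE = SLE x ARO) for a stolen laptop,
# with an exposure factor for partial loss and a sensitivity sweep over the
# assumptions the slide flags. Dollar figures are constructed, not the case study's.
from typing import Dict, List, Tuple

def single_loss_expectancy(asset_value: float, exposure_factor: float = 1.0) -> float:
    """SLE = asset value x exposure factor. EF = 1.0 is the slide's total-loss
    assumption; a smaller EF adjusts for an asset that keeps part of its value."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of events per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def sle_from_ale(ale: float, aro: float) -> float:
    """Rearranged form: recover the SLE when ALE and ARO are known."""
    if aro <= 0:
        raise ValueError("ARO must be positive to solve for SLE")
    return ale / aro

# Constructed laptop scenario (assumed values except where noted).
LAPTOP_REPLACEMENT = 2_000.0          # assumed hardware replacement cost
MONITORING_COST_PER_PERSON = 20.0     # assumed credit-monitoring price per person
AFFECTED_INDIVIDUALS = 1_000          # from the slide
THEFT_PROBABILITY = 0.05              # 5% per year, from the slide

def laptop_ale(prob: float = THEFT_PROBABILITY,
               per_person: float = MONITORING_COST_PER_PERSON,
               affected: int = AFFECTED_INDIVIDUALS) -> float:
    """ALE for one lost laptop holding personal data on `affected` people."""
    sle = single_loss_expectancy(LAPTOP_REPLACEMENT + per_person * affected)
    return annual_loss_expectancy(sle, prob)

def sensitivity(probs: List[float], affected_counts: List[int]) -> Dict[Tuple[float, int], float]:
    """ALE under every combination of theft probability and affected-person count."""
    return {(p, n): laptop_ale(prob=p, affected=n) for p in probs for n in affected_counts}

if __name__ == "__main__":
    print(f"baseline ALE: ${laptop_ale():,.2f}")
    for (p, n), ale in sensitivity([0.01, 0.05, 0.25], [100, 1_000, 10_000]).items():
        print(f"p={p:.2f} individuals={n:>6}: ALE ${ale:,.2f}")
```

Changing either assumption by an order of magnitude moves the ALE by the same factor, which is why the slide warns that those two inputs dominate the result.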

Risk management decision. Decision: mitigate the expected loss of a dean's laptop through purchase of security countermeasures. Options: Avoid, Accept, Transfer, Mitigate.

Analyze Risk

But who really knows the value and impact a breach implies for the business?

Maintain Risk Profile

Where are the people who really know the value of the information and impact a breach implies for the business?

Review: Risk Management Techniques. Once threats and risks are identified, each risk can be managed by: 1. Avoidance 2. Acceptance 3. Transfer 4. Mitigation (Controls)

Team Project Preparation Presentations

Team Project Context. You and your team have volunteered to participate in a free community information security clinic (ITACS Clinic) and provide support to an under-served small local business. In a prior meeting your team was introduced to a number of small businesses and community support organizations. At that meeting you did a great job introducing your company and the service you are offering through the clinic. One organization that attended the meeting has taken you up on your offer, and signed up to meet with you and receive intensive help from your team.

Team Project Assignment. Prepare and deliver a presentation to the owners/leaders of the business that: 1. Educates them about the process you will use to help them secure their computers and data 2. Instructs them about the homework they need to do, i.e. the information you need them to prepare and bring with them to your next meeting 3. Motivates them to do their homework based on an understanding of why the information you are asking for is important to them in planning their business information security, i.e. explain how you will use it

Team Project Rubric Use of: Educate Instruct Motivate

Examples of tools you learned and may consider using in your presentation

Test Taking Tip - Eliminate any probably wrong answers first - Focus on the highest likelihood answers for test taking efficiency. Here's why: some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately; some answers are clearly wrong and you can recognize them based on your familiarity with the subject; the correct answer may require a careful reading of the wording of the question, and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice.

Example: Test Taking Tip. The promotion manager of Northeast Electronics has been made the owner of the department's printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C

Example: Test Taking Tip. The promotion manager of Northeast Electronics has been made the owner of the department's printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C. Nothing seems mandatory about this scenario.

Example: Test Taking Tip. The promotion manager of Northeast Electronics has been made the owner of the department's printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C. Maybe.

Example: Test Taking Tip. The promotion manager of Northeast Electronics has been made the owner of the department's printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C. Nothing about roles other than manager in the question.

Example: Test Taking Tip. The promotion manager of Northeast Electronics has been made the owner of the department's printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control? A. Mandatory B. Role-Based C. Discretionary D. Distributed Answer: C. Distributed is not relevant to the information in the question.

Quiz

Quiz Bonus question: A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasures his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400. What is the associated single loss expectancy value in this scenario?
