Security Risk Management

Related chapters: Chapter 53, Risk Management; also Chapter 32, Security Metrics: An Introduction and Literature Review, and Chapter 62, Assessments and Audits.

Definition of Risk
According to ISO Guide 73 / ISO 31000, risk is "the effect of uncertainty on objectives".
- An effect is a deviation from the expected, positive and/or negative.
- Objectives can have different aspects (such as financial, health and safety, and environmental goals) and apply at different levels (such as strategic, organization-wide, project, product and process).
- Risk is often characterized by reference to potential events and consequences, or a combination of these.
- Risk is often expressed as a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
- Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Information/cyber security risk: risk associated with information technology.

Risk and its Related Concepts
Figure 53.1: Risk and its related concepts. Vulnerabilities do not cause harm unless they are exploited by a threat.

Risk Elements
Risk is a function of four elements:
- A, the value of the assets;
- T, the severity and likelihood of appearance of the threats;
- V, the nature and extent of the vulnerabilities, and the likelihood that a threat can successfully exploit them;
- I, the likely impact of the harm should the threat succeed.
That is, R = f(A, T, V, I).

Formalizing Risk
Risk (R) is a function of the probability of occurrence of a loss (P) and the cost of that loss (C): R = P * C.
- Threat: potential cause of an incident.
- Vulnerability: weakness of one or more assets that can be exploited by a threat.
- Asset: anything that has value to the organization.

Risk Management
Coordinated activities to identify, control, and minimize information-system-related risks to a level commensurate with the value of the assets protected. The goal of a risk management program is to protect the organization, and its ability to perform its mission, from IT-related risk.

Why Risk Management?
A car has brakes so that it can go fast; we do risk management so that we can take risks. An organization that can take advantage of opportunities (and the risks inherent in them) will outlast one that cannot.

Risk Management Strategies
- Reactive: a process that responds to security events as they occur.
- Proactive: a process that reduces the risk of new vulnerabilities in your organization.

Risk Management Methods
- Many methods are available, some supported by software tools.
- No commonly accepted evaluation criteria for risk management methods exist.
- CRAMM: the U.K. government's preferred risk analysis method.
- MAGERIT: used by Spanish government agencies.

Risk Management Methods (continued)
- EBIOS: used in France.
- ISF's Standard of Good Practice, and the ISF methods FIRM, SARA and SPRINT.
- OCTAVE: developed at Carnegie Mellon in 1999.
- COBRA.

Integrating Risk Management
Risk management should be integrated into the System Development Life Cycle (SDLC). The five phases of the SDLC are:
1. Initiation
2. Development or acquisition
3. Implementation
4. Operation and maintenance
5. Disposal
Risk management activities are included in each phase.

Relevant Laws and Regulations
Many laws and regulations exist, for example:
- European Union: telecommunications infrastructure and data protection.
- HIPAA: mandates security and privacy of health data in the United States.
- Electronic banking: a heavily regulated industry.
- Sarbanes-Oxley (U.S.): new accounting standards.

RISK MANAGEMENT PROCESS

Risk Management Process
1. Establish context
2. Risk assessment
3. Risk treatment/mitigation
4. Risk acceptance
5. Risk communication
6. Risk monitoring and review
Process diagram (repeated on the following slides): Establish Context -> Risk Assessment (Risk Analysis: Risk Identification, Risk Estimation; then Risk Evaluation) -> Risk Treatment -> Risk Acceptance -> End of 1st/subsequent iterations, with Risk Communication and Risk Monitoring & Review running alongside every step.

1. Establish Context
- Setting basic criteria: risk evaluation criteria, impact criteria, risk acceptance criteria.
- Defining scope and boundaries.
- Establishing an organization for risk management.

2. Risk Assessment
Risk assessment consists of risk analysis (identification and estimation) followed by risk evaluation.

2. Risk Assessment: Risk Identification
Identify assets, threats, existing controls, vulnerabilities, and the consequences of loss of confidentiality, integrity and availability (C.I.A.).

2. Risk Assessment: Risk Estimation
Using a quantitative or qualitative methodology, estimate the consequences, the incident likelihood, and the resulting level of risk.

Risk Assessment Methodologies
Quantitative
- Benefits: risks are prioritized by financial impact and assets by their financial values; results facilitate management of risk by return on security investment; results can be expressed in management-specific terminology.
- Drawbacks: impact values assigned to risks are based upon the subjective opinions of the participants; very time-consuming; can be extremely costly.
Qualitative
- Benefits: enables visibility and understanding of risk ranking; easier to reach consensus; not necessary to quantify threat frequency; not necessary to determine financial values of assets.
- Drawbacks: insufficient granularity between important risks; difficult to justify investing in a control, as there is no basis for a cost-benefit analysis; results depend on the quality of the risk management team that is created.

2. Risk Assessment: Risk Evaluation
Prioritize risks by comparing the levels of risk against the risk evaluation criteria and the risk acceptance criteria.

Expressing and Measuring Risk
- Information security event: identified occurrence or breach of a system, service, or network.
- Bayesian statistics: likelihood is quantifiable if the contributing factors are analyzed.
- Asset values can be quantified: cost to replace the asset, cost of suspended operations, opportunity cost.

[Slide 23: risk matrix table relating asset value, threat level and vulnerability level to a risk value; not reproduced in the transcription.]

Example
In this example (the table on the previous slide), asset values are expressed on a 0-10 scale, threat and vulnerability levels on a Low/Medium/High scale, and the resulting risk values on a scale of 1 to 7.

Threat Types
- Physical damage: fire, water, pollution.
- Natural events: climatic, seismic and volcanic phenomena.
- Loss of essential services: failure of air-conditioning, loss of power supply, failure of telecommunication equipment.
- Disturbance due to radiation: electromagnetic radiation, thermal radiation, electromagnetic pulses.
- Compromise of information: eavesdropping, theft of media or documents, retrieval of discarded or recycled media.
- Technical failures: equipment failure, software malfunction, saturation of the information system.
- Unauthorized actions: fraudulent copying of software, corruption of data, unauthorized use of equipment.
- Compromise of functions: error in use, abuse of rights, denial of actions.

Threat Origin
Threats are classified according to origin as deliberate, accidental or environmental:
- A deliberate threat is an action aimed at information assets (remote spying, illegal processing of data).
- An accidental threat is an action that can accidentally damage information assets (equipment failure, software malfunction).
- An environmental threat is any threat not based on human action (a natural event, loss of power supply).

Vulnerability Classification
- Hardware: susceptibility to humidity, dust, soiling; unprotected storage.
- Software: no or insufficient software testing; lack of audit trail.
- Network: unprotected communication lines; insecure network architecture.
- Personnel: inadequate recruitment processes; lack of security awareness.
- Site: location in an area susceptible to flood; unstable power grid.
- Organization: lack of regular audits; lack of continuity plans.

3. Risk Treatment/Mitigation
Select and implement controls that bring the risks identified in the assessment down to an acceptable level.

Residual Risk
- The risk remaining after the implementation of risk treatment/mitigation is the residual risk.
- If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering it to an acceptable level.
- Understand that no IT system can be risk-free.

4. Risk Acceptance
Decide whether the residual risks are acceptable, based on the risk acceptance criteria.
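The following is an added example, not code from the original slides or from the chapter they summarize. It runs the loop the slides describe over a small constructed risk register: estimate each risk with the "Formalizing Risk" formula R = P * C, compare it with the acceptance criterion set when establishing context, treat it with the control that offers the best return on security investment (the cost-benefit basis the methodology comparison says only quantitative estimates provide), re-estimate the residual risk, and repeat until it is acceptable or no remaining control pays for itself. Assumptions not stated on the page: P is the annual probability of the loss event (so R is an annualized expected loss), a control multiplies P by a fixed factor, return on security investment is (loss reduction - control cost) / control cost, and every figure in the register and control list is made up.

```python
"""Added example: R = P * C estimation and the residual-risk treatment loop
over a constructed risk register. Not from the original slides; the
probability-factor model of controls and all figures are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    p_factor: float            # assumed model: residual P = P * p_factor


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float         # P: annual likelihood of the loss event
    cost: float                # C: cost of one loss event
    applied: List[Control] = field(default_factory=list)


def risk_value(r: Risk) -> float:
    """R = P * C from the slides, with applied controls folded into P."""
    p = r.probability
    for c in r.applied:
        p *= c.p_factor
    return p * r.cost


def is_acceptable(r: Risk, acceptance_threshold: float) -> bool:
    """Risk evaluation: compare the level of risk with the acceptance criterion."""
    return risk_value(r) <= acceptance_threshold


def rosi(r: Risk, c: Control) -> float:
    """Return on security investment of adding control c to risk r (assumed formula)."""
    before = risk_value(r)
    r.applied.append(c)
    reduction = before - risk_value(r)
    r.applied.pop()
    return (reduction - c.annual_cost) / c.annual_cost


def treat(r: Risk, candidates: List[Control], acceptance_threshold: float,
          max_iterations: int = 10) -> Tuple[str, List[Tuple[str, float]]]:
    """Treatment cycle for one risk ("end of 1st/subsequent iterations").

    Each iteration applies the not-yet-applied control with the highest
    positive ROSI and re-estimates the residual risk. Returns 'accepted' when
    the residual risk meets the criterion, or 'residual-too-high' when no
    remaining control pays for itself: the point at which management must
    consciously accept, transfer or avoid what is left.
    """
    trail: List[Tuple[str, float]] = []
    for _ in range(max_iterations):
        if is_acceptable(r, acceptance_threshold):
            return "accepted", trail
        options = [(rosi(r, c), c) for c in candidates if c not in r.applied]
        paying = [(v, c) for v, c in options if v > 0]
        if not paying:
            return "residual-too-high", trail
        _, best = max(paying, key=lambda vc: vc[0])
        r.applied.append(best)
        trail.append((best.name, risk_value(r)))
    return "residual-too-high", trail


# Constructed sample controls; costs and factors are illustrative only.
CONTROLS = [
    Control("offline backups", annual_cost=8_000, p_factor=0.4),
    Control("MFA on admin access", annual_cost=6_000, p_factor=0.5),
    Control("EDR on endpoints", annual_cost=30_000, p_factor=0.6),
]


def demo() -> dict:
    """Run the loop over a constructed register; returns decision, residual R
    and the controls applied, keyed by asset."""
    register = [
        Risk("customer DB", "ransomware", probability=0.30, cost=120_000),
        Risk("public brochure site", "defacement", probability=0.60, cost=15_000),
        Risk("legacy HR app", "insider data theft", probability=0.45, cost=26_000),
    ]
    threshold = 10_000   # acceptance criterion fixed in 'establish context'
    out = {}
    for r in register:
        decision, trail = treat(r, CONTROLS, threshold)
        out[r.asset] = (decision, round(risk_value(r), 2), [n for n, _ in trail])
    return out


if __name__ == "__main__":
    for asset, (decision, residual, controls) in demo().items():
        print(f"{asset}: {decision}, residual R={residual}, controls={controls}")
```

Running it shows all three outcomes the slides discuss: the customer database needs two iterations (MFA, then backups) before its residual risk falls under the threshold; the brochure site is acceptable as-is and gets no treatment; the HR application ends the cycle with residual risk above the threshold because every available control costs more than the loss it would prevent, so the decision passes to risk acceptance rather than to more treatment.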

5. Risk Communication
Sharing information between the decision maker and the other stakeholders: the existence, nature, form, likelihood, severity, treatment and acceptability of risks.

6. Risk Monitoring and Review
What may be of minor significance today may be the disaster of tomorrow; review is an integral part of the risk management process.

ISO AND NIST RISK MANAGEMENT STANDARDS

Risk Management Standards
- ISO/IEC 27000 family: information security management standards, derived from British Standard 7799.
- ISO/IEC 27005:2011: provides guidelines for information security risk management.
- ISO 31000:2009: provides principles and generic guidelines for risk management.
- NIST SP 800-30: common foundation for risk management processes in IT systems.

The Big Picture: ISO 31000
- Risk management principles: principles a) to k), listed on the next slide.
- Risk management framework: a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
- Risk management process: the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

ISO 31000 [slide 36: principles a) to k) and the principles/framework/process figure; not reproduced in the transcription.]

NIST Risk Management Framework [slide 37: no text transcribed.]

Three-Tiered Risk Management Approach (ref: NIST SP 800-53)
- Tier 1, Organization: strategic risk.
- Tier 2, Mission/Business Process.
- Tier 3, Information Systems: tactical risk.
The tiers are connected by inter-tier and intra-tier communications and a feedback loop for continuous improvement, giving traceability and transparency of risk-based decisions and organization-wide risk awareness.

References
- ISO/IEC 27005, Information technology -- Security techniques -- Information security risk management.
- ISO 31000, Risk management -- Principles and guidelines.
- NIST Risk Management Framework, http://csrc.nist.gov/groups/sma/fisma/framework.html
- NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011, http://csrc.nist.gov/publications/pubssps.html