Risk Identification and Risk Assessment
Bikash Bhattarai
Risk Management
•Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
•Risk management involves three major undertakings:
▫Risk identification
▫Risk assessment
▫Risk control
Cont…
•Risk identification is the examination and documentation of the security posture of an organization’s information technology and the risks it faces.
•Risk assessment is the determination of the extent to which the organization’s information assets are exposed or at risk.
•Risk control is the application of controls to reduce the risks to an organization’s data and information systems.
Know Yourself
•To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible.
•Once you know what you have, you can identify what you are already doing to protect it.
Know the Enemy
•This means identifying, examining, and understanding the threats facing the organization.
•You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.
The Roles of the Communities of Interest
•The IT community in the organization takes leadership.
•Management and users, when properly trained and kept aware of the threats the organization faces, play a part in the early detection and response process.
•Management must also ensure that sufficient resources (money and personnel) are allocated.
Risk Identification
•A risk management strategy requires that information security professionals know their organizations’ information assets—that is, identify, classify, and prioritize them.
Organizational Assets
•People
▫Employees: trusted (greater authority and accountability) and other (without special privileges)
▫Non-employees (contractors and consultants, partners and strangers)
•Procedures
▫IT and business standard procedures
▫IT and business sensitive procedures
threat agent to craft an attack against the organization or that have some other content or feature that may introduce risk to the organization.
•Data
▫In all states (storage, transmission, processing)
•Software
▫Applications
▫Operating systems
▫Security components
•Hardware and Networking Components
▫Router, switch, firewall, UTM, IPS/IDS, etc.
Attributes for People, Procedures, and Data Assets
•People
▫Position name/number/ID
▫Supervisor name/number/ID
▫Security clearance level
▫Special skills
•Procedures
▫Description
▫Intended purpose
▫Software/hardware/networking elements to which it is tied
▫Location where it is stored for reference
▫Location where it is stored for update purposes
Cont…
•Data
▫Classification
▫Owner/creator/manager
▫Size of data structure
▫Data structure used
▫Online or offline
▫Location
▫Backup procedures
Cont…
•Networking Assets
▫Name
▫IP address
▫MAC address
▫Asset type
▫Serial number
▫Manufacturer name
▫Manufacturer’s model or part number
▫Software version or update revision
▫Physical location
▫Logical location
▫Controlling entity
Data Classification Example
Assessing Values for Information Assets
•As each information asset is identified, categorized, and classified, assign a relative value.
•Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
▫Which information asset is the most critical to the success of the organization?
▫Which information asset generates the most revenue?
▫Which information asset generates the highest profitability?
▫Which information asset is the most expensive to replace?
▫Which information asset is the most expensive to protect?
▫Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
Information Asset Prioritization
Critical Factor
Threat Identification
•Any organization typically faces a wide variety of threats.
•If you assume that every threat can and will attack every information asset, then the project scope becomes too complex.
•To make the process less cumbersome, each step in the threat identification and vulnerability identification process is managed separately and then coordinated at the end.
Identify and Prioritize Threats and Threat Agents
•Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy.
•Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset.
•In general, this process is referred to as a threat assessment.
Threat to Information Security
Threat Assessment
•Not all threats have the potential to affect every organization. (12th floor building and flood?)
•Which threats represent the most danger to the organization’s information?
•Cost to recover
•Which of the threats would require the greatest expenditure to prevent?
CIO Survey Report (1000)
Vulnerability Assessment
•Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat.
•This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
•Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.
•At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.
•This list serves as the starting point for the next step in the risk management process: risk assessment.
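As an added example (not from the lecture slides), the valuation questions from the "Assessing Values" slide and the asset-by-threat review above, worked through in Python so the output is the asset-and-vulnerability list the slide describes. The criterion weights, the 0..100 scores, the two sample assets and the threat names are assumptions constructed for illustration.

```python
# Added example, not from the lecture: a small risk-identification worksheet built
# from the slides' valuation questions and the asset-by-threat vulnerability review.
from dataclasses import dataclass, field

# One assumed weight per valuation question on the "Assessing Values" slide (sums to 1).
CRITERIA = {"critical_to_success": 0.30, "generates_revenue": 0.15,
            "generates_profit": 0.15, "cost_to_replace": 0.15,
            "cost_to_protect": 0.10, "embarrassment_or_liability": 0.15}

@dataclass
class Asset:
    name: str
    asset_type: str            # people / procedures / data / software / hardware
    location: str              # physical-location attribute from the asset inventory
    scores: dict               # criterion -> comparative judgement, 0..100 (constructed)
    vulnerabilities: dict = field(default_factory=dict)  # threat -> avenues of attack

    def relative_value(self) -> float:
        """Weighted sum of the comparative judgements (assumed weighting scheme)."""
        missing = set(CRITERIA) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: unscored criteria {sorted(missing)}")
        return round(sum(self.scores[c] * w for c, w in CRITERIA.items()), 2)

def prioritize(assets):
    """Most valuable asset first, so it receives the highest protection priority."""
    return sorted(assets, key=lambda a: a.relative_value(), reverse=True)

def vulnerability_list(assets, threats):
    """Review every asset against every threat, producing (asset, threat, avenue) rows.
    A threat assessed as not applicable (flood vs. the 12th floor) yields no row."""
    return [(a.name, t, v) for a in prioritize(assets)
            for t in threats for v in a.vulnerabilities.get(t, [])]

# Constructed sample inventory and threat list (illustrative values only).
THREATS = ["flood", "hardware failure", "deliberate software attack"]
ASSETS = [
    Asset("Customer database", "data", "12th floor server room",
          {"critical_to_success": 100, "generates_revenue": 90, "generates_profit": 80,
           "cost_to_replace": 70, "cost_to_protect": 40, "embarrassment_or_liability": 100},
          {"deliberate software attack": ["database reachable from the user LAN"],
           "hardware failure": ["backups never restore-tested"]}),
    Asset("DMZ router", "hardware", "ground-floor network closet",
          {"critical_to_success": 80, "generates_revenue": 50, "generates_profit": 40,
           "cost_to_replace": 30, "cost_to_protect": 30, "embarrassment_or_liability": 50},
          {"flood": ["closet below flood line, rack not raised"],
           "deliberate software attack": ["firmware behind vendor's current release"]}),
]
if __name__ == "__main__":
    print(*vulnerability_list(ASSETS, THREATS), sep="\n")
```

Running it lists the database's two avenues before the router's, and no flood row for the 12th-floor database, which is the point of the threat-assessment question on the earlier slide.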
Vulnerability Assessment of DMZ Router