Risk Management
CS5493
Risk Management
The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating risks
Risk Management
● An ongoing process that has a life-cycle (a sustainability cycle)
Risk Management
● Minimize the effects of negative risks
● Maximize the effects of positive risks
Risk Management
● Asset – anything of value
Risk Management
● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally.
A threat is what you wish to protect against.
Risk Management
● Vulnerability – weaknesses exploited by threats that compromise assets.
A vulnerability is a weakness
Define a Risk Equation
● Risk = Threats x Vulnerabilities
– Threats = frequency of an adverse event
– Vulnerability = the probability that a threat will succeed.
– Risk = the risk probability
Risk Management
● The exposure cost is the product of the risk-probability value times the loss (of the asset) in dollars.
Cost = RiskProbability * AssetLoss
Example (annual)
● Probability of a fire in the data center resulting in a loss: 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = 0.0075 * 0.15 = 0.001125
Example (annual)
● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = $843.75 (risk probability * value of the asset)
Risk Identification
● The process of determining the risks to assets.
● Create the “risk register”
Risk Register
● Creation:
– Brainstorming meeting to identify the risks
– Surveys
– Other events to collect information.
Risk Register
● Content
– A description of each identified risk
– Probability of the risk event occurring
– Steps to mitigate
– Rank each risk in the register
– Describe the impact if the risk event actually occurs and include the cost.
Risk Register
● Ranking risks
– A limited budget will require dropping some perceived risks.
– Concentrate on the most important issues.
Risk Analysis
● Qualitative
● Quantitative
Risk Analysis
● Qualitative
– Risk classification
  ● High
  ● Medium
  ● Low
– Risk impact: how it would impact the overall business.
Risk Analysis
● Quantitative
– Use math
Risk Analysis
● Quantitative
– EF = Exposure Factor
– SLE = Single Loss Expectancy
  ● SLE = Asset Value x EF
– ARO = Annual Rate of Occurrence
– ALE = Annual Loss Expectancy
  ● ALE = SLE x ARO
Quantitative Risk Table
Resource     Risk        Value         EF   SLE           ARO  ALE
Building     Fire        $700,000.00   0.6  $420,000.00   0.2  $84,000.00
File Server  Disk crash  $50,000.00    0.5  $25,000.00    0.2  $5,000.00
Data         Theft       $200,000.00   0.9  $180,000.00   0.7  $126,000.00
Risk Response Planning
● Negative Risks
● Positive Risks
Risk Response Planning
● Responses to negative risks
– Eliminate
– Transfer
– Mitigate
– Accept
Negative Risk Response
● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer the risk.
● Mitigate – reduce the probability of the event occurring by taking some action.
● Accept – take no additional action.
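The quantitative risk table and the negative-risk responses described above are carried through in the following Python example. It is an added illustration, not part of the CS5493 slides: the asset values, EF and ARO figures are the slides' own table and the data-center fire numbers are the slides' example, while the control costs, the insurance premium and coverage fraction, and the ARO reduction used to compare responses for the data-theft risk are constructed assumptions.

```python
"""Quantitative risk register: SLE/ALE, ranking, and negative-risk responses.
Added example for the CS5493 Risk Management slides, not from the deck itself.
Table values are the slides'; response costs and factors are constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEntry:
    resource: str
    risk: str
    asset_value: float  # replacement value in dollars
    ef: float           # Exposure Factor: fraction of the asset lost per event (0..1)
    aro: float          # Annual Rate of Occurrence: expected events per year

    def __post_init__(self):
        # A register is only as good as its inputs; reject impossible values early.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.resource}/{self.risk}: EF must be in [0, 1]")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.resource}/{self.risk}: ARO and value must be >= 0")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x EF (rounded to cents)."""
        return round(self.asset_value * self.ef, 2)

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (rounded to cents)."""
        return round(self.sle * self.aro, 2)


def risk_probability(threat_frequency: float, vulnerability: float) -> float:
    """Risk = Threats x Vulnerabilities: the slides' risk equation."""
    return threat_frequency * vulnerability


def exposure_cost(threat_frequency: float, vulnerability: float, asset_loss: float) -> float:
    """Cost = RiskProbability * AssetLoss, as in the data-center fire example."""
    return round(risk_probability(threat_frequency, vulnerability) * asset_loss, 2)


def rank_register(entries):
    """Highest ALE first: with a limited budget these risks get attention first."""
    return sorted(entries, key=lambda e: e.ale, reverse=True)


def total_ale(entries) -> float:
    return round(sum(e.ale for e in entries), 2)


# Each negative-risk response returns (residual ALE, annual cost of the response).
def eliminate(entry: RiskEntry, annual_cost: float):
    # The threat is removed, so the probability of occurrence is zero.
    return replace(entry, aro=0.0).ale, annual_cost


def transfer(entry: RiskEntry, premium: float, covered_fraction: float):
    # Insurance absorbs covered_fraction of each loss; the premium is the annual cost.
    return round(entry.ale * (1.0 - covered_fraction), 2), premium


def mitigate(entry: RiskEntry, annual_cost: float, aro_reduction: float):
    # A control lowers the probability of the event; the loss per event is unchanged.
    return replace(entry, aro=entry.aro * (1.0 - aro_reduction)).ale, annual_cost


def accept(entry: RiskEntry):
    # No additional action: the organization carries the full ALE.
    return entry.ale, 0.0


def cheapest_response(options):
    """Response with the lowest total annual cost (residual ALE + cost of the response)."""
    return min(options.items(), key=lambda kv: kv[1][0] + kv[1][1])


# The slides' quantitative risk table.
REGISTER = [
    RiskEntry("Building", "Fire", 700_000.0, 0.6, 0.2),
    RiskEntry("File Server", "Disk crash", 50_000.0, 0.5, 0.2),
    RiskEntry("Data", "Theft", 200_000.0, 0.9, 0.7),
]


def data_theft_responses():
    """Compare the four negative-risk responses for the data-theft entry.
    All dollar figures and the ARO reduction here are constructed assumptions."""
    theft = REGISTER[2]
    return {
        "eliminate": eliminate(theft, annual_cost=150_000.0),
        "transfer": transfer(theft, premium=40_000.0, covered_fraction=0.8),
        "mitigate": mitigate(theft, annual_cost=30_000.0, aro_reduction=0.6),
        "accept": accept(theft),
    }


if __name__ == "__main__":
    print(f"Data-center fire exposure cost: ${exposure_cost(0.0075, 0.15, 750_000.0):,.2f}")
    for e in rank_register(REGISTER):
        print(f"{e.resource:<12}{e.risk:<12}SLE ${e.sle:>12,.2f}  ALE ${e.ale:>12,.2f}")
    print(f"Total ALE: ${total_ale(REGISTER):,.2f}")
    name, (residual, cost) = cheapest_response(data_theft_responses())
    print(f"Cheapest response for data theft: {name} (${residual + cost:,.2f}/year)")
```

Under the assumed figures, transferring the data-theft risk (premium plus the uncovered share of the ALE) comes out cheaper than eliminating, mitigating or accepting it; changing the assumptions changes the ranking, which is the point of putting the comparison in the register rather than deciding by intuition.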
Risk Response Planning
● Responses to positive risks
– Exploit
– Share
– Enhance
– Accept
Positive Risk Response
● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus.
● Accept – take no action.
BIA
● Business Impact Analysis, BIA
– A formal analysis separating an organization's functions into critical and non-critical categories
BIA RPO
● RPO – Recovery Point Objective
– Determine the amount of asset loss that is acceptable.
BIA RTO
● RTO – Recovery Time Objective
– The maximum allowable time to recover from asset loss.
Risk Management
● BIA – Business Impact Analysis
● BCP – Business Continuity Plan
● DRP – Disaster Recovery Plan
BIA
● Business Impact Analysis
– Classifying business functions and activities into critical or non-critical categories.
– Determining the prerequisites to support each function/activity.
– Determining the maximum amount of time each function/activity can be unavailable.
BCP
● BCP – Business Continuity Plan
– A response plan to interruptions of critical functions
● An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
● Creation of an IT intrusion response team
DRP
● DRP – Disaster Recovery Plan
– A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
– Creation of an IT disaster response team
DRP
● DRP – Disaster Recovery Plan
– Fire
– Flood
– Hurricane
– Tornado
– Earthquake
DRP Requirements
● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions.
● Data/system backups
● Alternate or redundant facility planning