8/6/2019 Information Security Risk Assessment Basics(1)
1/25
Information Security Risk Assessment Basics
The need for an information security program
Good corporate governance
Terminology
Information assets - information or data that is of value to the organization.
Characteristics:
They are recognized to be of value to the organization. They are not easily replaceable without cost, skill, time, resources or a combination of these.
They form a part of the organization's corporate identity, without which the organization may be threatened.
Their data classification would normally be Proprietary, Highly Confidential or even Top Secret.
Terminology
An Information Security incident is an event which appears to be a breach of the organization's Information Security safeguards.
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
Vulnerability is the intersection of three elements: a system susceptibility or flaw,
attacker access to the flaw,
attacker capability to exploit the flaw.
Terminology
Threat: The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Threat-Source Identification
Natural Threats
Human Threats
Environmental Threats
Terminology
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Threats
Imposition of legal and regulatory obligations
Organized crime or terrorist groups
Cyber-criminals, Malware authors
Phishers, Spammers
Negligent staff
Storms, tornadoes, floods (acts of nature)
Fraudsters, Hackers, Saboteurs
Accidental disclosure, intentional alteration of data
Unethical competitors
Disgruntled/untrained/ignorant employees
Unauthorized access to or modification or disclosure of information assets
Technical advances
Vulnerabilities
Software bugs and design flaws
Complexity in IT
Inadequate investment in appropriate information security controls
Insufficient attention to human factors in system design and implementation
Unwarranted confidence
Ignorance, carelessness, negligence
Poor or missing governance
Frequent change in the business
Inadequate contingency planning
Legacy systems
Bugs in microprocessor designs and microcode
Lack of will, concern and ability to impress the need for info sec
Information security impacts
Disruption to organizational routines and processes
Direct financial losses
Decrease in shareholder value
Loss of privacy
Reputational damage
Loss of confidence in IT
Jail time, fines, suspension of licenses
Expenditure on information security controls
Replacement costs
Loss of competitive advantage
Reduced profitability, growth and bonuses
Impaired growth due to inflexible / overly complex infrastructure, system or application environments
Injury or loss of life if safety-critical systems fail
Global thermonuclear war
Information security Risks
Theft of personal data by criminals or loss of laptops
Information leakage, extraction or loss of valuable private information
Social engineering/pretexting
Environmental disasters
Poor information security studies, assessments
Deception including frauds
Endangerment
Unauthorized exploitation of intellectual property
Unanimous Core Security Practices
Security Responsibility
Risk Management
Risk Assessment
Network Security
Security Awareness Training
Incident Management
Majority Core Security Practices
Information Security Policies
Access Control
Physical Security
BCP and DRP
Secure Development Life Cycle
Accountability
Secure Media Handling
Oversight of third parties
Security Risk Assessment
Measures the strength of the overall security program
4 stages of risk management:
Security risk assessment
Test and review
Risk mitigation
Operational security
Need for Security Risk Assessment
Checks and Balances
Periodic Review
Risk based spending
Requirement
Secondary benefits
Transfer of knowledge from the security assessment team to the organization's staff
Increased communication regarding security among business units
Increased security awareness within the organization
Results of a security risk assessment may be used as a measure of security posture and compared to previous and future results
Related Activities
Gap Assessment
Compliance Audit
Security Audit
Vulnerability scanning
Penetration testing
Ad hoc testing
Social Engineering
Wardialing
Caselets
Generic phases of Risk Assessment
Phase 1: Project Definition
Phase 2: Project Preparation
Phase 3: Data Gathering
Phase 4: Risk Analysis
Phase 5: Risk Mitigation
Phase 6: Risk Reporting and Resolution
Phase 1: Project Definition
Project Scope
Budget
Objective
Assets
Controls
Boundaries
Phase 2: Project Preparation
Team Preparation
Select team
Introduce team
Project preparation
Obtain permission
Review business mission
Identify critical systems
Map assets
Identify threats
Determine expected controls
Phase 3: Data Gathering
Administration:
Policy review
Procedure review
Training review
Organization review
Interviews
Observation
Technical:
Design review
Configuration review
Architectural review
Security testing
Physical:
Policy review
Procedure review
Observation
Inspection
Phase 4: Risk Analysis
Determine risk
Asset valuation
Threat and vulnerability mapping
Threat Agents:
Nature
Employees
Malicious Hackers
Industrial Spies
Foreign Government Spies
Threats:
Errors and Omissions
Fraud and Theft
Sabotage
Loss of Physical and Infrastructure Support
Espionage
Malicious code
Disclosure
Vulnerabilities
Security risk
Calculate risk
Create risk statements
Obtain team consensus
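As an added illustration of the "Calculate risk" and "Create risk statements" steps (this code is not from the slides), the script below scores each threat/vulnerability pair as likelihood × impact, in line with the risk definition in the Terminology section. It assumes the qualitative scales and High/Medium/Low bands used in NIST SP 800-30, which the slides do not name, and every register entry is constructed sample input.

```python
# Added example, not from the slides: a minimal Phase 4 "calculate risk / create
# risk statements" step. Assumptions: likelihood and impact scales and the risk bands
# follow NIST SP 800-30 (the slides name neither); all register entries are constructed.
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # chance the threat exercises the flaw
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # magnitude of harm if it does

@dataclass
class ThreatVulnPair:
    asset: str            # information asset of value to the organization
    threat_source: str    # natural, human or environmental threat source
    vulnerability: str    # weakness the threat source could exercise
    likelihood: str       # rated with the controls already in place taken into account
    impact: str           # harm if the vulnerability is exercised

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood x impact on the assumed scales (1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Map a numeric score to the High / Medium / Low bands."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_statement(pair: ThreatVulnPair) -> str:
    """One risk statement per threat/vulnerability pair, ready for team consensus."""
    level = risk_level(risk_score(pair.likelihood, pair.impact))
    return (f"[{level}] {pair.threat_source} could exercise '{pair.vulnerability}' "
            f"on {pair.asset} (likelihood {pair.likelihood}, impact {pair.impact})")

def rank_risks(pairs):
    """Highest score first, so Phase 5 mitigation effort goes to the worst risks."""
    return sorted(pairs, key=lambda p: risk_score(p.likelihood, p.impact), reverse=True)

# Constructed sample register (not real findings)
SAMPLE = [
    ThreatVulnPair("customer database", "fraudsters", "unpatched database server", "Medium", "High"),
    ThreatVulnPair("file server", "storms and floods", "no off-site backup", "Low", "High"),
    ThreatVulnPair("staff laptops", "negligent staff", "unencrypted disk", "High", "Medium"),
]

if __name__ == "__main__":
    for pair in rank_risks(SAMPLE):
        print(risk_statement(pair))
```

Note that a Medium likelihood against a High impact lands exactly on the 50 boundary and is rated Medium, not High, under these bands; the thresholds are the part of the method a team should agree on before scoring.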
Phase 6: Risk Reporting and Resolution
Risk Resolution
It is the decision by senior management on how to resolve the risk presented to them:
Risk reduction
Risk acceptance
Risk transference