Lesson 1 - PowerPoint PPT Presentation

Lesson 1: Overview and Risk Management Terminology. Course Overview: Risk Management Definition; Risk Management Terminology; Risk Management Issues; Process and Methodology for Conducting Risk Management. ISSO Strategic Goals, Objectives, and Actions.

PowerPoint Slideshow about 'Lesson 1' - Mercy
Presentation Transcript
Lesson 1: Overview and Risk Management Terminology


Course Overview

  • Risk Management Definition

  • Risk Management Terminology

  • Risk Management Issues

  • Process and Methodology for Conducting Risk Management


ISSO Strategic Goals, Objectives, and Actions

  • Defining and institutionalizing risk management for ISSO and their customers

    • Define the process

    • Get management support

    • Educate the workforce

    • Practice risk management


Objective 1

  • At the end of this part of Lesson 1, you will be able to describe what Risk Management is and the elements of the Risk Management Process


Security Management

  • Managing the risks to an organization’s mission


Risk Defined

  • “The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.”

    NSA Corporate Plan for INFOSEC Action, April 1996


Management Defined

  • The art or manner of controlling the movement or behavior of something

  • To have charge of; direct; conduct; administer

New World Dictionary of the American Language


Risk Management

  • “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

National Information Systems Security Glossary, NSTISSI No. 4009

and AFR 205-16, AFR 700-10


Risk Management -Simply Put

  • Determine what your risks are and then decide on a course of action to deal with those risks.


Aim of Risk Management

[Figure: balance sheet weighing countermeasure costs against risk costs]

  • To help managers strike an economic balance between the costs associated with the risks and the costs of the protective measures that lessen those risks


Elements of the Risk Management Process

  • Risk Assessment

    • Mission/Impact Analysis

    • Identification of Critical Assets

    • Threat Analysis

    • Attack/Vulnerability Analysis

  • Risk Mitigation

    • Countermeasures Development

  • Risk Decision

    • Management’s Selection of Countermeasures for Implementation


Objective 2

  • At the end of this part of Lesson 1, you will be able to match risk management terms with their definitions.


Risk Assessment

  • A study of threats and vulnerabilities, the theoretical effectiveness of present security mechanisms, and the potential impact of these factors on an organization’s ability to perform its mission


Critical Asset

  • Something that, when disclosed, modified, destroyed, or misused, will cause harmful consequences to the organization or its goals and mission, or will provide an undesired and unintended benefit to someone


Critical Asset Examples

  • Information

  • People

  • Software

  • Hardware

  • Facilities

  • etc.


Threat

  • The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission


Threat Examples

  • Adversarial

    • Terrorists

    • Foreign States

    • Disgruntled Employees

    • Criminals

    • Recreational Hackers

    • Commercial Competitors

  • Non-Adversarial

    • Nature

    • Unintentional Human Acts


Attack

  • A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset -- cause an undesirable state of affairs -- resulting in harm to an organization’s ability to perform its mission


Vulnerability

  • A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity


Vulnerability Examples

  • Inadequate password management

  • Easy access to a facility

  • Weak cryptography

  • Software flaw

  • Open port



Consequence

  • The harmful result of a successful attack, degrading an organization’s ability to perform its mission


Consequence Examples

  • Harm to organization mission

    • Loss of information confidentiality

    • Loss of information integrity

    • Loss of availability of information or system functions

    • Inability to correctly authenticate sender of information

    • Inability to verify receipt of information by the intended recipient


Risk Mitigation

Actions or countermeasures we can take to lessen risk

  • Affect threat agent or their capabilities

  • Eliminate or limit our vulnerabilities


Countermeasure Examples

  • Fix known exploitable software flaws

  • Enforce operational procedures

  • Provide encryption capability

  • Improve physical security

  • Disconnect unreliable networks

  • Train system administrators

  • Install virus scanning software


Risk Management Decision

  • Determination by management or command to

    • take specific actions that will mitigate risk to mission, or

    • reject countermeasure recommendations and accept risk to mission


Residual Risk

  • That portion of risk that remains

    • Management decides to accept risk

    • Unconsidered threat factors

    • Unconsidered vulnerabilities

    • Incorrect conclusions
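
The three elements of the process (assessment, mitigation, decision) and the residual risk left after the decision, worked through as an added example that is not part of the lesson slides. It assumes a simple risk-cost model (yearly chance of the harmful event times its consequence cost) and constructed sample figures for one risk and two candidate countermeasures drawn from the slides' examples.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One assessed risk: a threat exploiting a vulnerability in a critical asset."""
    name: str
    yearly_chance: float     # chance the harmful event occurs in a year (0.0 to 1.0)
    consequence_cost: float  # loss to the mission if it occurs, in currency units

    def cost(self) -> float:
        # Assumed risk-cost model: chance of the event times its consequence.
        return self.yearly_chance * self.consequence_cost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    yearly_cost: float
    chance_factor: float             # multiplies yearly_chance (0.0 = vulnerability eliminated)
    consequence_factor: float = 1.0  # multiplies consequence_cost (e.g. backups limit the loss)


def mitigated(risk: Risk, cm: Countermeasure) -> Risk:
    """Risk mitigation: the same risk after the countermeasure is applied."""
    return Risk(risk.name, risk.yearly_chance * cm.chance_factor,
                risk.consequence_cost * cm.consequence_factor)


def decide(risk: Risk, options: list[Countermeasure]) -> tuple[Countermeasure | None, float]:
    """Risk decision: adopt the option with the best net benefit, or accept the risk.
    Returns (chosen countermeasure or None, residual risk cost). Only the considered
    risk is modelled; unconsidered threats and vulnerabilities stay in residual risk."""
    chosen, best_net = None, 0.0
    for cm in options:
        reduction = risk.cost() - mitigated(risk, cm).cost()
        net = reduction - cm.yearly_cost  # the balance sheet from the "Aim" slide
        if net > best_net:
            chosen, best_net = cm, net
    residual = risk.cost() if chosen is None else mitigated(risk, chosen).cost()
    return chosen, residual


# Constructed sample input: a public server with a known exploitable software flaw.
FLAW = Risk("exploitable flaw on public server", yearly_chance=0.4, consequence_cost=250_000)
OPTIONS = [
    Countermeasure("fix the software flaw (patch programme)", 20_000, chance_factor=0.1),
    Countermeasure("disconnect the unreliable network", 150_000, chance_factor=0.0),
]
```

Calling decide(FLAW, OPTIONS) selects the patch programme (its 20,000 cost buys roughly 90,000 of risk reduction) and leaves a residual risk cost of about 10,000; offered only the disconnect option, management would reject it and accept the full risk, since it costs more than the risk it removes.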

