Information Risk Management Overview

Nena Young, CRP, CBCP

Texas Department of Information Resources

email: [email protected]


Principles for All Sub-Programs

  • Risk Assessment and Solutions

  • Centered Management

  • Implementation of Controls, including policies

  • Awareness

  • Monitoring and Evaluation of Effectiveness


Bonus

  • In-depth assessment of risks

  • Comprehensive picture of business and technical processes

  • Identify opportunities for process enhancements and/or re-engineering

  • Rapid, precise, smooth recovery

  • “Insurance Policy” for staying in business.


Program Components:

  1. Risk Analysis & Risk Assessment

  2. Information Security Program

  3. Business Continuity Program


Information Risk Management Program

[Diagram: the three program components, Risk Analysis, InfoSecurity Program and BCP, together with the program-wide elements Roles and Responsibilities Defined, Assets Inventory and Data Classification.]


1. Risk Analysis & Risk Assessment

Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.

Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.


Foundation of all risk management programs

  • Snapshot in time.

  • Discover compliance with existing policies.

  • Basis for selecting cost-efficient, most appropriate protection measures for assets.

  • Equilibrium: asset loss versus countermeasures.

  • Provide information on likelihood of threat occurrence and asset impact.

  • Mandated by the federal government and most states.

  • Ensure reasonable steps are taken to prevent loss of assets.


Risk Analysis vs BIA

Risk Analysis & Assessment - (Proactive)

Initial process that identifies critical processes, evaluates current standards and countermeasures, determines cost-effective mitigation of identified risks, and includes ALE.

Business Impact Analysis - (Reactive)

Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.


Jargon

  • Assets - Anything that has value and is worth protecting or preserving.

  • Threats - Events or actions that always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.

  • Vulnerabilities - The “windows of opportunity” that allow threats to materialize. The exposures; conditions of weakness.

  • Countermeasures - (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Preventive, Detective, Corrective.

  • Risk - Potential for a threat to exploit a vulnerability. A threat + a vulnerability = a RISK.


The Basics

  • Assets identified.

  • Threats identified.

  • Vulnerabilities identified.

  • Asset losses identified.

  • Protective measures identified and proposed.


Quantitative vs Qualitative

Theoretically . . .

Quantitative

  • Objective Numeric Values

  • Asset Value

  • Impact

  • Frequency of Threats

  • Countermeasure Cost-Effectiveness

  • Use of Complex Calculations (confidence factors, probabilities, SLE, ALE)

Qualitative

  • Descriptive, Immeasurable Values

  • Characteristics

  • No Quantifiable Data

  • No ALE

  • Yes/No; Low/Medium/High; Vital/Critical/Important; Good/Bad

  • Rankings based on judgement


In the Real World . . .

Risk Analysis Involves Both

  • Quantifiable measurements.

  • Judgements based on experience and knowledge.


Ten Steps

  1. Organize and Define the Scope

  2. Identify and Value the Assets

  3. Identify Applicable Threats

  4. Identify and Describe Vulnerabilities

  5. Establish Pairings (relationships)

  6. Determine the Impact of Threat Occurrence

  7. Measure Existing Countermeasures

  8. Determine Residual Risks

  9. Recommend Additional Countermeasures

  10. Prepare a Risk Analysis Report
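The quantitative side of the ten steps, carried through in code. This is an added example and not part of the presentation: it applies the standard single loss expectancy and annualized loss expectancy formulas that the deck only names (SLE = AV × EF, ALE = SLE × ARO) and the usual cost-benefit rule for a safeguard (ALE before minus ALE after minus annual cost). It walks steps 2 to 10 over a constructed register of asset/threat/vulnerability pairings, scores candidate countermeasures, and records a mitigate-or-accept decision with the residual ALE. Every asset value, exposure factor, rate of occurrence, cost and name below is constructed sample data, and the functions (`risk_report`, `recommend`, `net_benefit`) are this example's own, not anything from the deck.

```python
"""Quantitative risk register: SLE, ALE and countermeasure cost-benefit.

Added example, not from the presentation. Standard formulas:
    SLE = AV * EF            single loss expectancy
    ALE = SLE * ARO          annualized loss expectancy
    net benefit = ALE(before) - ALE(after) - annual countermeasure cost
All figures below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pairing:
    """Step 5 of the ten steps: one asset / threat / vulnerability relationship."""
    asset: str
    asset_value: float       # AV, dollars
    threat: str
    vulnerability: str
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # annualized rate of occurrence, events per year


@dataclass(frozen=True)
class Countermeasure:
    """A safeguard that lowers EF (corrective), ARO (preventive) or both."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None    # None: EF unchanged
    aro_after: Optional[float] = None   # None: ARO unchanged


def sle(av: float, ef: float) -> float:
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    return sle(av, ef) * aro


def current_ale(p: Pairing) -> float:
    """Step 6: impact of threat occurrence with only the existing countermeasures."""
    return ale(p.asset_value, p.exposure_factor, p.aro)


def residual_ale(p: Pairing, cm: Countermeasure) -> float:
    """Step 8: loss expectancy that remains once the countermeasure is applied."""
    ef = p.exposure_factor if cm.ef_after is None else cm.ef_after
    aro = p.aro if cm.aro_after is None else cm.aro_after
    return ale(p.asset_value, ef, aro)


def net_benefit(p: Pairing, cm: Countermeasure) -> float:
    """Annual value of a countermeasure; negative means it costs more than it saves."""
    return current_ale(p) - residual_ale(p, cm) - cm.annual_cost


def recommend(p: Pairing, options: list[Countermeasure]) -> Optional[Countermeasure]:
    """Step 9: the option with the largest positive net benefit, or None (accept the risk)."""
    if not options:
        return None
    best = max(options, key=lambda cm: net_benefit(p, cm))
    return best if net_benefit(p, best) > 0 else None


def risk_report(pairings: list[Pairing], options_for: dict) -> list[dict]:
    """Step 10: one report row per pairing (SLE, ALE, decision, residual ALE)."""
    rows = []
    for p in pairings:
        cm = recommend(p, options_for.get((p.asset, p.threat), []))
        rows.append({
            "asset": p.asset,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "sle": sle(p.asset_value, p.exposure_factor),
            "ale": current_ale(p),
            "decision": "mitigate" if cm else "accept",
            "countermeasure": cm.name if cm else None,
            "residual_ale": residual_ale(p, cm) if cm else current_ale(p),
        })
    return rows


# Constructed sample register (steps 2-5): asset values, threats, vulnerabilities, pairings.
PAIRINGS = [
    Pairing("Customer database server", 500_000, "Malicious software invasion",
            "Unpatched operating system", exposure_factor=0.40, aro=0.5),
    Pairing("Customer database server", 500_000, "Flood",
            "Server room on the ground floor", exposure_factor=0.90, aro=0.02),
    Pairing("Payroll application", 120_000, "User error",
            "No input validation on pay-rate field", exposure_factor=0.05, aro=12),
]

# Candidate additional countermeasures per (asset, threat); also constructed.
OPTIONS = {
    ("Customer database server", "Malicious software invasion"): [
        Countermeasure("Patch management", annual_cost=20_000, aro_after=0.05),
        Countermeasure("Offline backups", annual_cost=8_000, ef_after=0.10),
    ],
    ("Customer database server", "Flood"): [
        Countermeasure("Relocate server room", annual_cost=150_000, aro_after=0.001),
    ],
    ("Payroll application", "User error"): [
        Countermeasure("Input validation", annual_cost=5_000, ef_after=0.01),
    ],
}

if __name__ == "__main__":
    for row in risk_report(PAIRINGS, OPTIONS):
        print(f"{row['asset']:<25} {row['threat']:<28} ALE ${row['ale']:>10,.0f}  "
              f"{row['decision']:<8} {row['countermeasure'] or '-':<20} "
              f"residual ${row['residual_ale']:>9,.0f}")
```

With the sample data the flood pairing is accepted: its ALE ($9,000) is far below the $150,000 relocation cost, which is exactly the "equilibrium between asset loss and countermeasures" the deck asks for. The malware pairing picks patch management over backups because, after subtracting each option's cost, it leaves the larger net benefit even though it is the dearer control.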


Types of Threats:

  • Human - Intentional

    Malicious Software Invasion

    Fraud or embezzlement

  • Human - Unintentional

    Programmer Error

    User Error

  • Environmental - Natural

    Earthquakes

    Flood

  • Environmental - Fabricated

    Fire

    Electromagnetic interference


Impact of Threat Occurrence

Impact (Loss) Categories:

  • Disclosure - Classification or sensitivity of information; who has access.

  • Modification - A realized threat causes unauthorized changes in an asset.

  • Destruction - Threat activity causes damage to an asset, making it unusable.

  • Denial of Service - A realized threat causes a loss of availability.


Types of Countermeasures

  • Preventive

  • Detective

  • Corrective


[Diagram: Threats, Assets, Vulnerabilities, Countermeasures, Impacts.]

Residual Risks are accepted, mitigated, or transferred.


Knowledge Base Needed

Analysts Need to:

  • Know the current and historical internal environment.

  • Know the current and historical external environment.

  • Understand dependencies and vulnerabilities.

  • Understand threat profiles.

  • Understand countermeasure choices and related costs.

  • Be able to apply cost-benefit analysis to risks and countermeasures.


[Diagram: risk management cycle. Elements: Threats, Vulnerabilities, Assets, Risks, Countermeasures, Business Impacts, Uncertainty, Boundaries, and Risk Analysis (marked “Start here”). Connecting labels as read from the diagram: Threats exploit Vulnerabilities; Vulnerabilities expose Assets to Risks; Risks are limited by Countermeasures; Countermeasures protect against Threats and reduce Vulnerabilities; Risks cause Business Impacts, a loss of Confidentiality, Integrity & Availability; “Increase” labels attach to Cycle Drivers and Uncertainty.]

Cycle Drivers

  • Changing Requirements

  • Changing Systems

  • Changing Environment

Modified from Len Watts, U.K., Computer/Security Risk Management Model Builders


2. Information Security Program

Protection of an organization’s information assets.

Purpose - The preservation of the confidentiality, integrity, and availability (CIA) of information. Utility and authenticity can be added.


Purpose: A Secure Enterprise

  • Protection of Assets

  • Protection of Goodwill

  • Integrity of Applications and Data

  • Due Diligence

  • Protection of Employees, Shareholders, Partners, Clients


Eight Steps

  1. Management Sponsorship and Support

  2. Organize and Define the Scope

  3. Risk Analysis

  4. Policies and Procedures

  5. Controls

  6. Security Breach Reporting and Investigation

  7. Awareness Training

  8. Monitor and Test


The Bad Guys

  • Competitors

  • Employees (58 - 80%)

  • Foreign Governments

  • Political Activists

  • Professional Spies

Reprinted from Cohen & Assc Presentation


Why Do They Attack?

  • Testing

  • Coercion

  • Military Advantage

  • Economic Advantage

  • Evidence

  • Money

  • Fun/Challenge

  • Vengeance

  • Mental Instability

  • Religious/Political Beliefs

  • Self-Defense


Some Hacker Tools

Types of Attacks

  • Antagonism

  • Denial of Service

  • Invasion of Privacy

  • System Modification

  • Logic Bombs

  • Trojan Horses

  • Worms

  • Viruses

  • Malicious Mobile Code

  • Over 1900 Web Sites (Free Hacking Tools)

Some Defense Tools

  • Virus Detection

  • Access Control

  • Firewalls

  • Dial-back Modems

  • Token-based Passwords

  • Public Cryptography

  • Biometrics


Internet

  • Older than…

    “Pong”

    Digital Watches

    IBM PC

    Disco

    Microsoft

    Current Concept of “Hackers”

  • +12M Hosts, 120M Users (70M USA), 12% Growth a Month

  • 1 Billion users by 2005, 66% abroad

  • New Web Site every 4 seconds

  • Electronic Commerce - Single Sites Over 100,000 Requests a Day

  • +80% of Web Sites - Mobile Code Enabled

  • +90% of EC Applications use Mobile Code

  • -50% of Major Organizations with Internet Use a Firewall


Damage - Average cost of computer break-ins: +$136K

Of companies hit by viruses and espionage, most can't estimate the value of the damage.

Chart Reprinted from Information Week


Paradox

IT MANAGERS SURVEYED BY E&Y

  • Security of Internet Connections

    62% Satisfied

    38% Not Satisfied

  • Increase Important Transactions if Security were Enhanced

    73% Yes

    27% No


Increasing Need for Security

  • Most Fortune 500 Companies Penetrated by Cybercriminals

  • 17% of Intrusion Victims Report to Authorities

  • FBI Estimate - $10B a year in Electronic Crimes

  • Increasing Scams

    +100,000 Investors Victim to Phony Web Sites

    High-tech revolutionary devices

    Partnership with Microsoft

    Initial Public Offering with the SEC

  • Tens of Thousands of Probing Attacks against the Pentagon annually

    Origin of Attacks Camouflaged through other Countries

  • DISA Vulnerability Testing


Some Road Blocks to Security

  • Lack of Sufficient Budget

  • Lack of Resources - Management Support, Staff

  • Lack of Awareness

  • Lack of Tools


Knowledge Base Needed (CISSP)

  • Access control

  • Telecommunications and network security

  • BCP

  • Security management practices – policies, standards, control of risk

    • control of risk

    • information classification

    • security awareness

    • organizational architecture

    • policy development

    • risk management

  • Security architecture and models

  • Law, investigation, and ethics


Knowledge Base Needed (CISSP) (con’t)

  • Application and system development security

  • Cryptography

  • Computer operations security

  • Physical security

    • threats and facility requirements

    • personnel physical access control

    • microcomputer physical security

“. . . information protection is not a simple matter, and it cannot be addressed from a single perspective. It is a pervasive problem that must be pursued in a holistic manner in order to provide its benefits.”


[Diagram: the security program as a cycle with the stages Define Environment & Assets; Risk Analysis; Policies, Stds, Procedures; Design & Implementation; Security Administration; Monitoring & Audits.]


The Process

[Diagram: the same cycle, refined: Define Environment & Assets; Risk Analysis & Assessment; Policies, Stds, Procedures; Design & Implementation; Awareness & Administration; Monitoring, Testing & Audits.]


3. Business Continuity Program

BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns the business to normal.


A Rose by Any Other Name . . .

  • Business Resumption Plan

  • Disaster Recovery Plan

  • Crisis Management Plan

  • Contingency Plan

  • Business Continuity Plan


Goals

  • Identify weaknesses and implement a disaster prevention program

  • Minimize the duration of a serious disruption to business operations

  • Facilitate effective co-ordination of recovery tasks, and reduce the complexity of the recovery effort


Sources of Interruptions are Numerous

  • Natural

    Tornadoes, Floods, Fires . . .

  • Human

    Terrorist Attacks . . .

  • Most Frequent (Less Sensational)

    Equipment Failure, Theft, Employee Sabotage . . .


Twelve Steps

  1. Pre-planning (Senior Mgmt Commitment/Support, Policies)

  2. Risk Analysis

  3. Business Impact Analysis

  4. Identify Resources and Requirements Needed

  5. Emergency Response

  6. Coordination with Public Authorities

  7. Public Relations and Crisis Communications

  8. Strategic Alternatives

  9. Plan Development/Implementation

  10. Testing/Exercises

  11. Awareness

  12. Maintenance


Business Impact Analysis (BIA)

  • Foundation of BCP

  • Establishes the value of each major organizational function as it relates to the whole

  • Provides the basis for identifying the critical resources required to develop a business recovery strategy.

  • Establishes priority for restoring the functions of the organization in the event of a disaster.


Impacts

  • Revenue

  • Legal - fines, penalties

  • Goodwill, Client & Stockholder Confidence

Note: Losses may not be dollars.


Six Steps to BIA

  1. Identify the Critical Business Functions

  2. Prioritize These Functions

  3. Identify Dependencies and Resources Needed

  4. Identify Points of Failure for Each Function

  5. Estimate Probable Impact of Loss for Each Point of Failure

  6. Determine if a Contingency Plan is Required
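The six BIA steps, and the BIA slide before them, described in working code. This is an added example, not material from the presentation: it models business functions and the resources they depend on (directly, or through another function), ranks the functions by the loss their outage causes, resolves each function's points of failure through the dependency chain, estimates the impact of losing each resource for a given outage, and flags the resources whose impact reaches a threshold as needing a contingency plan. The organization, function names, daily loss figures, dependencies, the outage length and the threshold are all constructed; the functions (`prioritize`, `resources_for`, `bia_report` and the rest) are this example's own.

```python
"""Business impact analysis over a function/resource dependency model.

Added example, not from the presentation. Mapping to the six BIA steps:
  1. identify critical business functions     -> FUNCTIONS
  2. prioritize them                            -> prioritize()
  3. identify dependencies and resources        -> resources_for()
  4. identify points of failure per function    -> resources_for() (each leaf resource)
  5. estimate probable impact of loss           -> impact_of_losing()
  6. decide if a contingency plan is required   -> bia_report()
Function names, loss figures and dependencies are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    daily_loss: float            # constructed: dollars lost per day the function is down
    depends_on: tuple[str, ...]  # resources, or other functions, it cannot run without


# Step 1: critical business functions (constructed). A dependency that is not
# itself a key in FUNCTIONS is a leaf resource (a system, facility or supplier).
FUNCTIONS: dict[str, Function] = {
    "Order processing": Function("Order processing", 40_000,
                                 ("Web front end", "Customer database", "Payment gateway")),
    "Customer support": Function("Customer support", 8_000,
                                 ("Order processing", "Email", "Phone system")),
    "Payroll": Function("Payroll", 15_000, ("HR system", "Identity directory")),
    "Marketing mailings": Function("Marketing mailings", 1_000, ("Email",)),
}


def prioritize(functions: dict[str, Function] = FUNCTIONS) -> list[str]:
    """Step 2: functions ordered by the loss their outage causes, highest first."""
    return sorted(functions, key=lambda n: functions[n].daily_loss, reverse=True)


def resources_for(name: str, functions: dict[str, Function] = FUNCTIONS) -> set[str]:
    """Steps 3 and 4: every leaf resource the function depends on, directly or
    through other functions. Each one is a point of failure for the function."""
    leaves, seen, stack = set(), set(), [name]
    while stack:
        current = stack.pop()
        if current in seen:          # guard against dependency cycles
            continue
        seen.add(current)
        if current in functions:
            stack.extend(functions[current].depends_on)
        else:
            leaves.add(current)
    return leaves


def functions_affected_by(resource: str, functions: dict[str, Function] = FUNCTIONS) -> set[str]:
    """Inverse of step 4: the functions for which this resource is a point of failure."""
    return {n for n in functions if resource in resources_for(n, functions)}


def impact_of_losing(resource: str, days: float, functions: dict[str, Function] = FUNCTIONS) -> float:
    """Step 5: probable loss if the resource is unavailable for the given number of days."""
    return sum(functions[n].daily_loss * days for n in functions_affected_by(resource, functions))


def bia_report(days: float, threshold: float, functions: dict[str, Function] = FUNCTIONS) -> list[dict]:
    """Step 6: one row per resource, flagged when its loss impact reaches the threshold."""
    resources = set().union(*(resources_for(n, functions) for n in functions))
    rows = []
    for r in sorted(resources):
        impact = impact_of_losing(r, days, functions)
        rows.append({
            "resource": r,
            "affects": sorted(functions_affected_by(r, functions)),
            "impact": impact,
            "contingency_plan_required": impact >= threshold,
        })
    return sorted(rows, key=lambda row: row["impact"], reverse=True)


if __name__ == "__main__":
    print("Priority:", prioritize())
    for row in bia_report(days=2, threshold=20_000):
        flag = "PLAN" if row["contingency_plan_required"] else "----"
        print(f"{flag} {row['resource']:<18} ${row['impact']:>9,.0f}  {', '.join(row['affects'])}")
```

The transitive lookup is the part worth noticing: customer support never lists the payment gateway as a dependency, yet a gateway outage still takes it down through order processing, so the gateway's impact (and therefore its claim on a contingency plan) is larger than either function's own list suggests. The threshold is a policy input; the deck's "losses may not be dollars" note applies, and a real BIA would add goodwill and legal exposure alongside the revenue figure used here.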


Failing to Test


Staying Current

  • Conduct a BIA on a planned periodic schedule or after a major change

  • Make sure a plan is included for each critical function that has a critical impact on mission accomplishment

  • Continue to test and evaluate plans at least once a year

  • Keep personnel responsibilities up to date and test for readiness

  • Involve key personnel in operational planning


Knowledge Base Needed (CRP, CBCP)

  • Project initiation and management

  • Risk evaluation and control

  • BIA

  • Developing business continuity strategies

  • Emergency response and operations

  • Developing and implementing business continuity plans

  • Awareness and training programs

  • Maintaining and exercising business continuity plans

  • Public relations and crisis communications

  • Coordination with public authorities


[Diagram: the BCP program as a cycle with the stages Scope/Maintenance; BIA; Strategic Alternatives, Teams; Plan Development, Implementation; Awareness; Testing.]


[Charts: “Financial Losses Reported” (labels 16%, 70%, 31%) and “Importance of IRM Policy Elements” (labels 8%, 11%, 44%, 11%, 9%, 17%); the categories the percentages belong to did not survive extraction.]


Process

  • Obtain Sr. Mgmt Buy-in, Support

  • Assign Roles and Responsibilities

  • Inventory Assets

  • Classify Information

  • Assess Risks

Business Continuity Plan

  • BIA

  • BCP Teams

  • Requirements

  • BCP Development/Implementation

  • Testing

  • Awareness

  • Maintenance

Information Security Plan

  • Policies/Procedures

  • Incident Reporting/Investigation

  • Countermeasures

  • Awareness

  • Monitor/Audit


Last Words

“Risk is a part of every activity and can never be eliminated, nor can all the risks ever be known. Risk in itself is not bad; risk is often essential to progress. But we must learn to balance the possible negative consequences of risk [to assets] against the potential benefits of its associated opportunity.”

“Risk Management in Practice,” SEI Technical Review

Go ahead and take risks… just be sure that everything will turn out.

Disasters are inevitable… Survival isn't…

