INFORMATION SECURITY MANAGEMENT
Lecture 7: Risk Management – Identifying and Assessing Risk
“You got to be careful if you don’t know where you’re going, because you might not get there.” – Yogi Berra
Risk Management
“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”
Risk Identification
Figure 8-1 Risk identification process
Source: Course Technology/Cengage Learning
Threat Identification (cont’d.)
Weighted ranks of threats to information security
Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission.
Vulnerability Assessment
Table 8-4 Vulnerability assessment of a DMZ router
Source: Management of Information Security, 3rd ed., Course Technology/Cengage Learning
The TVA Worksheet (cont’d.)
Table 8-5 Sample TVA spreadsheet
Source: Course Technology/Cengage Learning
Introduction to Risk Assessment
• The goal is to create a method to evaluate the relative risk of each listed vulnerability
Figure 8-3 Risk identification estimate factors
Source: Course Technology/Cengage Learning
Risk Determination – Example 1
• Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls
• Your assumptions and data are 90% accurate
Risk Determination – Example 2
• Asset B has a value of 100 and has two vulnerabilities:
  • vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk
  • vulnerability #2 has a likelihood of 0.1 with no current controls
• Your assumptions and data are 80% accurate
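The two examples above can be worked with the risk-rating formula from the textbook the slides cite (Whitman & Mattord, Management of Information Security): risk = (likelihood × asset value) − (that product × fraction of risk mitigated by current controls) + (that product × uncertainty), where uncertainty is 1 minus the accuracy of your assumptions and data. The following script is an added example, not part of the lecture slides; the class and function names are the example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    likelihood: float          # probability the vulnerability is exploited, 0.0 - 1.0
    control_pct: float = 0.0   # fraction of the risk already mitigated by current controls


@dataclass
class Asset:
    name: str
    value: float               # relative asset value from the asset valuation step
    vulnerabilities: list = field(default_factory=list)


def risk_rating(asset_value, likelihood, control_pct, uncertainty_pct):
    """Textbook risk-rating formula:
    base  = likelihood * asset_value
    risk  = base - (base * control_pct) + (base * uncertainty_pct)
    uncertainty_pct = 1 - accuracy of assumptions and data (e.g. 90% accurate -> 0.1).
    """
    base = likelihood * asset_value
    return round(base - base * control_pct + base * uncertainty_pct, 2)


def rank_vulnerabilities(asset, data_accuracy):
    """Rate every vulnerability of an asset and sort highest risk first,
    which is the ordering a ranked vulnerability risk worksheet uses."""
    uncertainty = 1.0 - data_accuracy
    ratings = {v.name: risk_rating(asset.value, v.likelihood, v.control_pct, uncertainty)
               for v in asset.vulnerabilities}
    return sorted(ratings.items(), key=lambda kv: kv[1], reverse=True)


# The two examples from the slides (values copied from Example 1 and Example 2).
ASSET_A = Asset("Asset A", 50, [Vulnerability("vulnerability #1", 1.0)])
ASSET_B = Asset("Asset B", 100, [Vulnerability("vulnerability #1", 0.5, control_pct=0.5),
                                 Vulnerability("vulnerability #2", 0.1)])

if __name__ == "__main__":
    for asset, accuracy in ((ASSET_A, 0.9), (ASSET_B, 0.8)):
        for name, rating in rank_vulnerabilities(asset, accuracy):
            print(f"{asset.name} / {name}: risk rating {rating}")
```

Note that the uncertainty term raises the rating, so poor data quality makes a vulnerability look riskier rather than safer; improving the accuracy of the inputs is itself a way to tighten the estimate.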