
Risk Management Process

Risk Management Process. Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” (Special Publication 800-30). Lianne Stevens, Nebraska Health System, April 16, 2003.


Presentation Transcript


  1. Risk Management Process Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” (Special Publication 800-30) Lianne Stevens, Nebraska Health System, April 16, 2003

  2. Goal of Risk Management Process • Protect the organization’s ability to perform its mission • An essential management function

  3. Definitions • Risk - “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” • Risk management – process of identifying, assessing and reducing risk

  4. Definitions • Threat – “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” • Threat-Source – “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”

  5. NIST Guide Purpose • Provide a foundation for risk management program development • Provide information on cost-effective security controls

  6. Guide Structure • Risk Management Overview • Risk Assessment Methodology • Risk Mitigation Process • Ongoing Risk Evaluation

  7. Risk Management Overview • Encompasses 3 processes • Risk Assessment • Risk Mitigation • Ongoing Risk Evaluation • Integrated into System Development Life Cycle (SDLC)

  8. Risk Management Overview • Key roles • Senior Management • Chief Information Officer • System & Information Owners • Business & Functional Managers • Information System Security Officers • IT Security Practitioners • Security Awareness Trainers

  9. Risk Assessment • 1st process in risk management methodology • Used to determine potential threats and associated risk • Output of this process helps to identify appropriate controls to reduce or eliminate risk

  10. Risk Assessment Methodology • Step 1: System Characterization • Collect system-related information including: • Hardware • Software • Criticality • Users • Technical controls • Environment

  11. Risk Assessment Methodology • Step 2: Threat Identification • Identify potential threat-sources that could cause harm to the IT system and its environment • Can be natural, human or environmental

  12. Risk Assessment Methodology • Step 3: Vulnerability Identification • Develop list of system vulnerabilities (flaws or weaknesses) that could be exploited • Proactive System Security Testing methods include: • Automated vulnerability scanning tool • Security test and evaluation • Penetration testing • Develop Security Requirements Checklist

  13. Risk Assessment Methodology • Step 4: Control Analysis • Control Methods – may be technical or non-technical • Control Categories – preventative or detective • Control Analysis Technique – use of security requirements checklist

  14. Risk Assessment Methodology • Step 5: Likelihood Determination • Governing factors • Threat-source motivation & capability • Nature of the vulnerability • Existence & effectiveness of current controls • Levels – High, Medium or Low

  15. Risk Assessment Methodology • Step 6: Impact Analysis • Prerequisite information • System mission • System and data criticality • System and data sensitivity • Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability • Quantitative vs. qualitative assessment

  16. Risk Assessment Methodology • Step 7: Risk Determination • Develop Risk-Level Matrix • Risk Level = Threat Likelihood x Threat Impact • Develop Risk Scale • Risk Levels with associated Descriptions and Necessary Actions

  17. Risk Assessment Methodology • Step 8: Control Recommendations • Factors to consider • Effectiveness of recommended option • Legislation and regulation • Organizational policy • Operational impact • Safety and reliability

  18. Risk Assessment Methodology • Step 9: Results Documentation • Risk Assessment Report • Presented to senior management and mission owners • Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement

  19. Risk Mitigation • 2nd process of risk management • Involves prioritizing, evaluating and implementing controls • Options • Risk assumption • Risk avoidance • Risk limitation • Risk planning • Research and acknowledgment • Risk transference

  20. Risk Mitigation • Strategy

  21. Risk Mitigation • Control Implementation Approach • Step 1 – Prioritize actions • Step 2 – Evaluate recommended control options • Step 3 – Conduct cost-benefit analysis • Step 4 – Select control • Step 5 – Assign responsibility to implement control

  22. Risk Mitigation • Control Implementation Approach • Step 6 – Develop Safeguard Implementation Plan (action plan) • Prioritizes implementation actions • Projects start & target completion dates • Step 7 – Implement selected control(s) • Identify any residual risk

  23. Risk Mitigation • Control Categories • Technical Security Controls • Supporting • Identification (of users, processes) • Cryptographic key management • Security administration • System protections

  24. Risk Mitigation • Control Categories • Technical Security Controls • Preventive • Authentication (e.g. passwords, tokens) • Authorization (e.g. update vs. view) • Access control enforcement • Non-repudiation (e.g. digital certificate) • Protected communications (encryption) • Transaction privacy (e.g. SSL)

  25. Risk Mitigation • Control Categories • Technical Security Controls • Detection and Recovery • Audit • Intrusion detection and containment • Proof of wholeness (e.g. system integrity tool) • Restore secure state • Virus detection and eradication

  26. Risk Mitigation • Control Categories • Management Security Controls • Preventive • Assign security responsibility • Develop & maintain system security plans • Implement personnel security controls • Conduct security awareness & training

  27. Risk Mitigation • Control Categories • Management Security Controls • Detection • Implement personnel security controls • Conduct periodic review of controls • Perform periodic system audits • Conduct ongoing risk management • Authorize IT systems to address/accept residual risk

  28. Risk Mitigation • Control Categories • Management Security Controls • Recovery • Develop, test and maintain continuity of operations plan • Establish incident response capability

  29. Risk Mitigation • Control Categories • Operational Security Controls • Preventive • Control data media access and disposal • Limit external data distribution • Control software viruses • Safeguard computing facility • Secure wiring closets • Provide backup capability • Establish off-site storage • Protect laptops, PCs, workstations • Protect IT resources from fire damage • Provide emergency power • Control computing facility environment (HVAC)

  30. Risk Mitigation • Control Categories • Operational Security Controls • Detection • Provide physical security (e.g. motion detectors, closed-circuit TV monitors) • Ensure environmental security (e.g. smoke and fire detectors)

  31. Risk Mitigation • Cost-Benefit Analysis • Can be qualitative or quantitative • Purpose: demonstrate that costs of implementing controls can be justified by reduction in level of risk

  32. Risk Mitigation • Residual Risk • Risk remaining after implementation of controls • If not reduced to acceptable level, risk management cycle must be repeated
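The following is an added worked example, not code from the presentation or from the NIST guide. It carries slide 16 (Step 7, risk level = threat likelihood x threat impact, mapped onto a risk scale), slide 21 step 1 (prioritize actions by risk level) and slide 32 (residual risk after a control, compared against an acceptable level) through in Python. The slides name the Risk-Level Matrix but do not reproduce its values; the weights used here (likelihood 1.0/0.5/0.1, impact 100/50/10) and the scale (above 50 High, above 10 to 50 Medium, 1 to 10 Low, with the associated actions) are the ones printed in Tables 3-6 and 3-7 of the 2002 edition of SP 800-30. The sample findings are constructed, and modelling a control as lowering the likelihood or impact rating by whole steps on the Low/Medium/High scale is a simplification introduced for the example, not a method the guide prescribes.

```python
"""Risk determination and residual-risk check in the style of NIST SP 800-30.

Added illustration, not code from the slides. Matrix weights and the risk
scale follow Tables 3-6 and 3-7 of SP 800-30 (2002); findings and the
control model are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import List

# Table 3-6: likelihood weights (matrix rows) and impact weights (columns).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Table 3-7: (exclusive lower bound, level, action the guide attaches to it).
RISK_SCALE = [
    (50, "High", "Strong need for corrective measures; a plan must be put in place as soon as possible"),
    (10, "Medium", "Corrective actions are needed; a plan must be developed within a reasonable period"),
    (0, "Low", "Determine whether corrective actions are still required or decide to accept the risk"),
]

RANK = ["Low", "Medium", "High"]  # ordering used for rating arithmetic


@dataclass(frozen=True)
class Finding:
    """One threat / vulnerability pair with its Step 5 and Step 6 ratings."""
    threat: str
    vulnerability: str
    likelihood: str  # Step 5: High, Medium or Low
    impact: str      # Step 6: High, Medium or Low


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: the matrix cell value, likelihood weight times impact weight."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a matrix value onto the scale: >50 High, >10..50 Medium, 1..10 Low."""
    for floor, level, _action in RISK_SCALE:
        if score > floor:
            return level
    raise ValueError(f"score {score} is below the bottom of the scale")


def required_action(level: str) -> str:
    """The 'necessary action' text the guide pairs with each risk level."""
    return next(action for _floor, lvl, action in RISK_SCALE if lvl == level)


def assess(findings: List[Finding]) -> List[dict]:
    """Score every finding and order the report rows highest risk first.

    The ordering doubles as mitigation step 1 (prioritize actions).
    """
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        rows.append({"threat": f.threat, "vulnerability": f.vulnerability,
                     "score": score, "level": level, "action": required_action(level)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def lower(rating: str, steps: int) -> str:
    """Drop a rating by `steps` positions on the Low/Medium/High scale, not below Low."""
    return RANK[max(0, RANK.index(rating) - steps)]


def residual_risk(finding: Finding, likelihood_drop: int = 0,
                  impact_drop: int = 0, acceptable: str = "Low") -> dict:
    """Recompute the risk level after a control (constructed model: the control
    lowers the likelihood and/or impact rating by whole steps) and say whether
    the residual risk is at or below the level the organization accepts.
    If it is not, the guide's cycle is repeated with further controls.
    """
    after = replace(finding,
                    likelihood=lower(finding.likelihood, likelihood_drop),
                    impact=lower(finding.impact, impact_drop))
    residual_score = risk_score(after.likelihood, after.impact)
    residual_level = risk_level(residual_score)
    return {
        "before": risk_level(risk_score(finding.likelihood, finding.impact)),
        "residual": residual_level,
        "residual_score": residual_score,
        "acceptable": RANK.index(residual_level) <= RANK.index(acceptable),
    }


# Constructed sample findings (not from the presentation).
SAMPLE_FINDINGS = [
    Finding("External attacker", "Internet-facing web server missing vendor patches", "High", "High"),
    Finding("Authorized insider", "Shared administrator password on the billing system", "Medium", "High"),
    Finding("Power failure", "No UPS on the data center network core", "Medium", "Medium"),
    Finding("Flood", "Ground-floor computer room with no water detection", "Low", "Medium"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']:5.1f}  {row['threat']} / {row['vulnerability']}")
        print(f"       -> {row['action']}")
    # A patch-management control that takes the first finding's likelihood from High to Low.
    print(residual_risk(SAMPLE_FINDINGS[0], likelihood_drop=2))
```

Two boundary cases are worth noticing when reading the output: a High-likelihood threat against a Low-impact asset scores 10 and lands in Low, not Medium, and a control that lowers only one rating by one step can leave a Medium-rated finding exactly where it was on the scale, which is the situation slide 32 describes as requiring another pass through the cycle.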

  33. Evaluation and Assessment • Good Security Practice • Should have a specific schedule for repeating risk assessment process • Should be flexible to allow for major system and processing changes • Keys for success • Senior management commitment • Support & participation of IT team • Competence of risk assessment team • Awareness and cooperation of user community • Ongoing evaluation & assessment

  34. Appendices • Sample IT system assessment questions • Sample risk assessment report outline • Sample safeguard implementation plan (action plan) summary table • Acronyms • Glossary • References
