
Information Security Risk Assessments



Presentation Transcript


    1. Information Security Risk Assessments

    2. Information Security Risk Assessment
       Required by law and policy:
       - HIPAA
       - GLBA
       - PCI DSS
       - FERPA
       - State laws

    3. IT Risk Assessments are Different
       - ERM (COSO): focuses on internal controls
       - IT Security Risk Assessments (NIST 800-30): focus on an asset or system

    4. NIST 800-30 Stages
       STEP 1: SYSTEM CHARACTERIZATION
       STEP 2: THREAT IDENTIFICATION
       STEP 3: VULNERABILITY IDENTIFICATION
       STEP 4: CONTROL ANALYSIS
       STEP 5: LIKELIHOOD DETERMINATION
       STEP 6: IMPACT ANALYSIS
       STEP 7: RISK DETERMINATION
       STEP 8: CONTROL RECOMMENDATIONS
       STEP 9: RESULTS DOCUMENTATION

    5. Basic IT Risk Assessment
       - Identify the asset.
       - Identify the system's threats and associated vulnerabilities.
       - For each threat/vulnerability pair, determine the severity of impact and the likelihood of the vulnerability being exploited, given existing security controls.
       - Risk level is the product of the likelihood of occurrence and the impact severity.
       - Once the risk level is determined, identify safeguards.
       - Remaining (residual) risk is determined after the recommended safeguard is implemented.
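The procedure in slides 4 and 5, carried through on a small constructed risk register as an added example (not part of the deck): each threat/vulnerability pair is rated for likelihood and impact given existing controls, risk is the product of the two, and residual risk is recomputed after the recommended safeguard. The numeric scales are an assumption of this example, modelled on the sample matrix in the 2002 edition of NIST SP 800-30.

```python
from dataclasses import dataclass
from typing import Optional
# Assumed scales (modelled on the sample matrix in the 2002 edition of
# NIST SP 800-30): likelihood 0.1/0.5/1.0, impact 10/50/100.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk level is the product of likelihood and impact severity."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Map a numeric score back onto the high/medium/low scale."""
    return "high" if score > 50 else "medium" if score > 10 else "low"

@dataclass
class Pair:
    """One threat/vulnerability pair for an asset (steps 1-3)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # rated given existing controls (steps 4-5)
    impact: str      # step 6
    safeguard: Optional[str] = None         # step 8: recommended control
    likelihood_after: Optional[str] = None  # rating once safeguard is in place
    impact_after: Optional[str] = None
    def inherent(self) -> float:
        return risk_score(self.likelihood, self.impact)
    def residual(self) -> float:
        """Remaining risk after the recommended safeguard is implemented."""
        return risk_score(self.likelihood_after or self.likelihood,
                          self.impact_after or self.impact)

def assess(pairs):
    """Step 9: result rows, highest inherent risk first."""
    rows = [{"threat": p.threat, "vulnerability": p.vulnerability,
             "risk": p.inherent(), "level": risk_level(p.inherent()),
             "safeguard": p.safeguard,
             "residual": p.residual(), "residual_level": risk_level(p.residual())}
            for p in pairs]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed register for a FERPA-covered student records server.
REGISTER = [
    Pair("records DB", "external attacker", "unpatched DB service", "high", "high",
         safeguard="patching + host firewall", likelihood_after="low"),
    Pair("records DB", "insider misuse", "no audit logging", "medium", "high",
         safeguard="audit logging with review", likelihood_after="low"),
    Pair("records DB", "power failure", "no UPS", "medium", "medium"),
]
```

Running `assess(REGISTER)` ranks the unpatched service highest (risk 100, high) and shows it dropping to low once patching reduces likelihood; the pair with no safeguard keeps its inherent risk as its residual risk.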

    6. Challenges: Problems with Definitions

    7. Challenges: Lack of reliable/current data
       - Limited data on risk factors.
       - Some costs are inherently difficult to quantify, such as the possible loss of productivity that may result when new controls are implemented.
       - It is impossible to precisely estimate the related indirect costs.
       - Information quickly goes out of date because of changes in technology, such as improvements in the tools available to would-be intruders.

    8. Questions? Contact me at: pbuechley@utsystem.edu
