INFORMATION SECURITY MANAGEMENT
Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT. Lecture 7: Risk Management. Identifying and Assessing Risk.
     “You got to be careful if you don’t know where you’re going, because you might not get there.” – Yogi Berra

  2. Risk Management. “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

  3. Risk Terminology

  4. Risk Identification. Figure 8-1: Risk identification process. Source: Course Technology/Cengage Learning.

  5. Importance of Assets

  6. Risk Terminology

  7. Threat Identification

  8. Threat Identification (cont’d.). Weighted ranks of threats to information security. Source: Adapted from M. E. Whitman, “Enemy at the gates: Threats to information security,” Communications of the ACM, August 2003. Reprinted with permission.

  9. Risk Terminology

  10. Vulnerability Assessment. Table 8-4: Vulnerability assessment of a DMZ router. Source: Management of Information Security, 3rd ed., Course Technology/Cengage Learning.

  11. Risk Terminology

  12. The TVA Worksheet (cont’d.). Table 8-5: Sample TVA spreadsheet. Source: Course Technology/Cengage Learning.

  13. Introduction to Risk Assessment
     • The goal is a method for evaluating the relative risk of each listed vulnerability, so that the vulnerabilities on the TVA worksheet can be ranked and the highest-risk ones addressed first.
     Figure 8-3: Risk identification estimate factors. Source: Course Technology/Cengage Learning.

  14. Risk Determination – Example 1
     • Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls.
     • Your assumptions and data are 90% accurate.

  15. Risk Determination – Example 2
     • Asset B has a value of 100 and has two vulnerabilities:
       • vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk
       • vulnerability #2 has a likelihood of 0.1 with no current controls
     • Your assumptions and data are 80% accurate.
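The estimate factors of Figure 8-3 are not reproduced in this transcript, so the two examples on slides 14 and 15 cannot be worked from the text alone. The script below is an added example (not part of the original slides) that applies the risk-determination formula from the Whitman & Mattord text the slides cite: risk = (likelihood × asset value) − the share of that risk the current control removes + the share of it attributable to uncertainty, where uncertainty is 100% minus the stated accuracy of your assumptions and data. The Vulnerability class and the risk() and ranked_risks() names are my own; the asset and vulnerability data come from the two slides.

```python
"""Risk determination for the examples on slides 14 and 15.

Formula applied (from Whitman & Mattord, Management of Information Security):
    base        = likelihood * asset_value
    risk        = base
                  - base * control_pct        # risk already mitigated by current controls
                  + base * (1 - accuracy)     # allowance for inaccurate assumptions/data
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    # Hypothetical structure for one row of a TVA worksheet (my own, not the slides').
    name: str
    likelihood: float          # 0.0 .. 1.0; 1.0 means exploitation is certain
    control_pct: float = 0.0   # fraction of the risk the current control addresses, 0.0 .. 1.0


def _check_fraction(label: str, value: float) -> None:
    """Reject percentages outside 0..1 rather than silently producing a negative risk."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0.0 and 1.0, got {value}")


def risk(asset_value: float, vuln: Vulnerability, accuracy: float) -> float:
    """Residual risk for one asset/vulnerability pair.

    accuracy is how accurate you believe your assumptions and data are (0.9 for 90%);
    the uncertainty term is 1 - accuracy.
    """
    if asset_value < 0:
        raise ValueError(f"asset value must be non-negative, got {asset_value}")
    _check_fraction("likelihood", vuln.likelihood)
    _check_fraction("control_pct", vuln.control_pct)
    _check_fraction("accuracy", accuracy)

    base = asset_value * vuln.likelihood
    mitigated = base * vuln.control_pct
    uncertainty = base * (1.0 - accuracy)
    return base - mitigated + uncertainty


def ranked_risks(asset_value: float, vulns, accuracy: float) -> list:
    """Score every vulnerability of one asset and order them highest risk first,
    which is the ranking slide 13 asks for."""
    scores = [(v.name, risk(asset_value, v, accuracy)) for v in vulns]
    return sorted(scores, key=lambda item: item[1], reverse=True)


# Example 1 (slide 14): asset A, value 50, one vulnerability, likelihood 1.0,
# no current controls, assumptions and data 90% accurate.
EXAMPLE_1 = ranked_risks(50, [Vulnerability("A-vuln-1", likelihood=1.0)], accuracy=0.9)

# Example 2 (slide 15): asset B, value 100, two vulnerabilities,
# assumptions and data 80% accurate.
EXAMPLE_2 = ranked_risks(
    100,
    [
        Vulnerability("B-vuln-1", likelihood=0.5, control_pct=0.5),
        Vulnerability("B-vuln-2", likelihood=0.1),
    ],
    accuracy=0.8,
)

if __name__ == "__main__":
    for asset, table in (("Asset A", EXAMPLE_1), ("Asset B", EXAMPLE_2)):
        for name, score in table:
            print(f"{asset} / {name}: risk = {score:.1f}")
```

Working the numbers by hand: asset A gives 50 − 0 + 5 = 55; asset B gives 50 − 25 + 10 = 35 for vulnerability #1 and 10 − 0 + 2 = 12 for vulnerability #2, so vulnerability #1 ranks first despite the control that covers half of it. Note that the uncertainty term only ever adds risk; a low accuracy figure is how the method penalises guesses, which is why the worksheet should record where each likelihood and control estimate came from.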

  16. Qualitative Risk Assessment

  17. Example of Qualitative Risk Assessment