Richard Henson, University of Worcester, May 2017
COMP3357 Managing Cyber Risk
Week 12: Using Risk Assessment for BCP…
• Objectives:
  • Use theoretical principles of risk assessment to produce a risk register and risk treatment plan
  • Use the risk treatment plan to create a useable Business Continuity Plan
ISO27001 & Risk Assessment
• ISO 27001 is about…
  • informing an organisation which incidents could occur (i.e. assessing the risks)
  • then finding the most appropriate ways to avoid such incidents (i.e. treating the risks)
  • assessing the relative importance of each risk so the organisation can treat the most important one(s) first
Summary of Information Risk Assessment (ISO27001) - 1
• Risk Assessment Methodology
  • define rules on how to perform the risk management
  • the whole organisation should do it the same way
  • qualitative or quantitative risk assessment?
  • what will be the acceptable level of risk, etc.
Summary of Information Risk Assessment (ISO27001) - 2
• Risk Assessment Implementation
  • companies are typically aware of only 30% of their risks!
  • raise awareness…
  • list assets
  • list threats and vulnerabilities related to those assets
  • identify impact and likelihood for each combination of asset/threat/vulnerability
  • finally calculate the level of risk
Summary of Information Risk Assessment (ISO27001) – 3a
• Risk Treatment Implementation
  • four ways to deal with unacceptable risks:
  • mitigate
    • apply “Annex A” security controls to decrease the risks
    • see article: ISO 27001 Annex A controls
  • transfer the risk to another party
    • insurance company (buy an insurance policy)
  • avoid
    • stop doing an activity that is too risky
    • or do the activity in a completely different fashion
  • accept
    • if the cost of mitigation is higher than the damage itself!
Summary of Information Risk Assessment (ISO27001) – 3b
• Risk Treatment plan… how to decrease the risks with minimum investment?
  • management demand… (!)
  • achieve the same result with less money
  • need to figure out how!?!
Summary of Information Risk Assessment (ISO27001) - 4
• ISMS Risk Assessment Report
  • everything done so far compiled into readable documentation
  • for the auditors…
  • internal, for future reference – checking!
Summary of Information Risk Assessment (ISO27001) - 5
• Statement of Applicability (SoA)
  • shows the security profile of the company…
  • based on the results of the risk treatment
  • lists the implemented controls, why implemented, how implemented
  • important for the audit (!)
• For details about the SoA, see
  • Statement of Applicability for ISO 27001.
6 - Risk Treatment (Implementation) Plan
• Theory becomes reality!
  • crucial to get management approval
  • will take considerable time and effort (and money) to implement all the controls
• journey…
  • Start: not knowing how to set up your information security
  • Finish: having a very clear picture of what you need to implement
• in a real company…
  • who (is going to implement each control), when, with which budget, etc.
Gathering Risk Assessment Data
• Requirements:
  • figuring out all the threats to the organisation’s data
  • cataloguing all hardware and software in the organisation into a Risk Register
  • although hardware may apparently be irrelevant to information management, it needs identifying so it can be appropriately categorised in the risk register!
• http://www.computerworld.com/article/2723652/it-management/how-to-do-a-risk-assessment-for-iso-27001.html
• http://www.computerweekly.com/tip/A-free-risk-assessment-template-for-ISO-27001-certification
1. Threats to Organisational Data
• Outsiders:
  • hackers
  • competitors
• Insiders:
  • employees with bad intent
  • dopey employees
  • either of the above working with outsiders
2. Information Assets & Risk
• Information Assets
  • data required to keep the business functioning
  • need hardware and software to be useful!
  • these also carry risk
• Once identified…
  • need to be categorised into rank order
  • according to how well (or not…) the organisation would survive without them
The Information Asset Register (ISO27001)
• List of information assets…
• List of related assets…
  • infrastructure needed to maintain each/all asset(s)
  • can be non-computer hardware (e.g. cooling/ventilation system for servers)
  • equipment to counteract the effects of natural disasters (e.g. flood defences)
System Vulnerabilities
• Ways that assets can be compromised
  • unpatched applications and/or operating systems
  • user accounts with poorly protected passwords
  • users unaware of hacker “phishing” and other social engineering tactics
Calculating Risk to Information Assets
• Simple formula
  • likelihood of loss (1-10) x impact (also 1-10)
  • bigger score, bigger risk!
• Can be ranked accordingly
  • along with the hardware/software needed to maintain each asset
Asset Register to Risk Treatment Planning
• “Risk Treatment” as a formal stage started with ISO27001
  • now an accepted part of information risk management
• the process concludes with a risk treatment plan that shows how each of the risks regarded as significant will be mitigated
To Mitigate or Accept a Risk?
• Risk Register should contain all potential risks…
  • H, M, L categorisation and/or impact assessment score should indicate the main dangers
• Even L categorisations and low impact assessments still need classifying as “risk accepted”
  • the register should show acceptance or mitigation for each information resource
Asset Register for BCP
• Use the list of assets… (incl. information assets)
  • devise a plan to protect each one, according to priority (H, M, L) for business continuity
  • add another column to the asset register stating how a backup is provided for each category H asset
• Protecting “H” assets
  • make sure a plan is in place to quickly replace that asset if damaged!
  • make sure that plan is put to the test on a regular basis!
  • no good if the replacement resources are not working or not compatible
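The slides on risk assessment implementation, the four treatment options, the likelihood x impact formula, accept-versus-mitigate, and the BCP column of the asset register describe one procedure. The following Python is an added worked example of that procedure and is not part of the lecture material: every asset row, the cost and loss figures, and the H/M/L band edges (50 and 20) are constructed assumptions, since the slides only give the 1-10 x 1-10 score. It scores and ranks a small register, decides a treatment for every row (L risks are explicitly "accepted", and a risk is accepted when the control costs more than the damage it prevents), and then checks which H assets have no recorded backup plan.

```python
"""Risk register worked example: score, rank, treat, and check BCP cover.

Added illustration of the slides' method, not part of the lecture material.
All asset rows, thresholds and cost figures below are constructed.
"""
from dataclasses import dataclass

TREATMENTS = ("mitigate", "transfer", "avoid", "accept")  # the four options on slide 3a

# H/M/L band edges are an assumption; the slides give only the 1-10 x 1-10 score.
HIGH_THRESHOLD = 50
MEDIUM_THRESHOLD = 20


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1-10: chance the threat exploits the vulnerability
    impact: int              # 1-10: damage to the business if it does
    mitigation_cost: float   # assumed estimate: cost of the Annex A control(s)
    expected_loss: float     # assumed estimate: damage if the risk is realised
    backup_plan: str = ""    # BCP column: how the asset is restored or replaced
    override: str = ""       # optional management decision, e.g. "transfer" or "avoid"
    score: int = 0
    category: str = ""
    treatment: str = ""


def risk_score(likelihood: int, impact: int) -> int:
    """Slide formula: likelihood (1-10) x impact (1-10); bigger score, bigger risk."""
    for value in (likelihood, impact):
        if not 1 <= value <= 10:
            raise ValueError(f"score components must be 1-10, got {value}")
    return likelihood * impact


def categorise(score: int) -> str:
    """Map a score to the H/M/L bands used in the register (band edges assumed)."""
    if score >= HIGH_THRESHOLD:
        return "H"
    if score >= MEDIUM_THRESHOLD:
        return "M"
    return "L"


def decide_treatment(entry: RiskEntry) -> str:
    """Every row gets a decision; L risks are recorded as 'accept' (risk accepted).

    Accept when the control costs more than the damage it prevents (slide 3a).
    Transfer and avoid are business choices, so they arrive as an explicit override.
    """
    if entry.override:
        if entry.override not in TREATMENTS:
            raise ValueError(f"unknown treatment {entry.override!r}")
        return entry.override
    if entry.category == "L" or entry.mitigation_cost > entry.expected_loss:
        return "accept"
    return "mitigate"


def build_register(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Score, categorise and treat each row, then rank by score, highest first."""
    for entry in entries:
        entry.score = risk_score(entry.likelihood, entry.impact)
        entry.category = categorise(entry.score)
        entry.treatment = decide_treatment(entry)
    return sorted(entries, key=lambda e: e.score, reverse=True)


def bcp_gaps(register: list[RiskEntry]) -> list[str]:
    """H-category assets with no recorded backup/replacement plan (the BCP check)."""
    return [e.asset for e in register if e.category == "H" and not e.backup_plan]


def render(register: list[RiskEntry]) -> str:
    """Plain-text view of the ranked register, one row per asset."""
    header = f"{'Asset':<22}{'Score':>6}  Cat  Treatment  Backup plan"
    rows = [f"{e.asset:<22}{e.score:>6}  {e.category:<3}  {e.treatment:<9}  {e.backup_plan or '-'}"
            for e in register]
    return "\n".join([header, *rows])


# Constructed sample rows; figures are illustrative, not from any real organisation.
SAMPLE_ENTRIES = [
    RiskEntry("Customer order DB", "ransomware (outsider)", "unpatched OS", 7, 9,
              5_000, 200_000, backup_plan="nightly offsite backup, restore tested quarterly"),
    RiskEntry("Web storefront", "DDoS", "single hosting provider", 4, 8, 3_000, 40_000,
              backup_plan="standby host at second provider"),
    RiskEntry("Staff laptops", "phishing", "users unaware of social engineering", 8, 7,
              1_500, 60_000),
    RiskEntry("Server-room cooling", "unit failure", "no spare unit", 3, 9, 20_000, 15_000),
    RiskEntry("Office printer", "hardware failure", "no maintenance contract", 5, 1, 400, 300),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ENTRIES)
    print(render(register))
    print("H assets with no BCP cover:", bcp_gaps(register))
```

Running it ranks the order database (63) and staff laptops (56) as H, the storefront (32) and cooling (27) as M, and the printer (5) as L; cooling is accepted because its control would cost more than the estimated loss, and the laptops show up as an H asset with no backup plan, which is exactly the gap the BCP column on the slide is meant to expose.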
ISO27001 and BCP
• Information security continuity is fundamental to business continuity
  • whole section A17
• CIA (confidentiality, integrity, availability) essential to online trading
  • BCP protects availability…
  • confidentiality and integrity of information also essential
BCP and Business Success
• Online businesses need to aim for 24-7 trading
  • competitors will have similar targets
  • customers free to choose!
• If 24-7 uptime depends on business partners…
  • they should be subject to BCP and BCP rehearsals as well!