INFORMATION SECURITY MANAGEMENT
Presentation Transcript

  1. INFORMATION SECURITY MANAGEMENT. Lecture 8: Risk Management – Controlling Risk. "You got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra

  2. Managing Risk (cont’d.) Figure 9-1 Residual risk Source: Course Technology/Cengage Learning

  3. Managing Risk – Risk Control • Risk control involves selecting one of the four risk control strategies • Discussion question: should the organization ever accept the risk?

  4. Risk Control Cycle Figure 9-3 Risk control cycle Source: Course Technology/Cengage Learning

  5. Cost Benefit – Asset Valuation • Asset value: replacement cost and/or income derived through the use of an asset • Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) Single Loss Expectancy (SLE) = Asset ($) x EF (%)

  6. Cost Benefit – Asset Valuation • Annualized Rate of Occurrence (ARO) • Expected number of loss events per year; for rare events this is the probability (%) that the loss occurs in a given year, but it can exceed 1 for frequent events Annual Loss Expectancy (ALE) = SLE x ARO

  7. Example of Quantitative Risk Assessment • Theft of a laptop computer, with the data encrypted • Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

  8. Example of Quantitative Risk Assessment • Dropping a laptop computer and breaking the screen • Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

  9. Cost-Benefit Analysis Calculation CBA = ALE(prior) – ALE(post) – ACS • ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control • ALE (post-control) is the ALE examined after the control has been in place for a period of time • ACS is the annual cost of the safeguard

  10. Example of Cost-Benefit Analysis Calculation • Dropping an iPad and breaking the screen • Asset value: $700 • Exposure factor: 50% • SLE = • ARO = 25% chance of damaging • ALE (prior) = • ALE (post) = • CBA (cost of case = $30) • CBA = ALE(prior) – ALE(post) – ACS • CBA =

  11. Example of Cost-Benefit Analysis Calculation • Unprotected customer database • Asset value: $200,000 • Exposure factor: 50% • SLE = • ARO = 75% chance of occurring • ALE (prior) = • ALE (post) = • CBA (ACS = $5,000) • CBA = ALE(prior) – ALE(post) – ACS • CBA =
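The formulas on slides 5, 6 and 9 (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) − ALE(post) − ACS) carried through in code for the two exercises on slides 10 and 11, as an added example that is not part of the original lecture. The asset values, exposure factors, AROs and safeguard costs are the slide's own; the post-control ARO values (the case halving the chance of iPad damage, the database safeguard cutting ARO from 0.75 to 0.25) are assumptions, since the slides leave ALE(post) blank for the student to fill in. The break-even helper is an addition a practitioner usually wants: it gives the largest annual safeguard cost that still yields a non-negative CBA.

```python
"""Quantitative risk assessment: SLE, ALE and the cost-benefit test (added example)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value ($) x exposure factor (fraction of the asset's value lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.

    ARO is the expected number of loss events per year. It is often quoted as a
    probability for rare events, but it may exceed 1 (e.g. 12 laptop thefts a year).
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the safeguard pays for itself."""
    return ale_prior - ale_post - acs


def max_justified_spend(ale_prior: float, ale_post: float) -> float:
    """Break-even annual cost of the safeguard: any ACS above this makes CBA negative."""
    return ale_prior - ale_post


@dataclass
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float      # EF before the control
    aro: float                  # ARO before the control
    post_exposure_factor: float  # EF after the control (assumed)
    post_aro: float             # ARO after the control (assumed)
    acs: float                  # annual cost of the safeguard

    def evaluate(self) -> dict:
        sle_prior = single_loss_expectancy(self.asset_value, self.exposure_factor)
        ale_prior = annual_loss_expectancy(sle_prior, self.aro)
        sle_post = single_loss_expectancy(self.asset_value, self.post_exposure_factor)
        ale_post = annual_loss_expectancy(sle_post, self.post_aro)
        return {
            "sle_prior": sle_prior,
            "ale_prior": ale_prior,
            "sle_post": sle_post,
            "ale_post": ale_post,
            "cba": cost_benefit(ale_prior, ale_post, self.acs),
            "break_even_acs": max_justified_spend(ale_prior, ale_post),
        }


# Slide 10 inputs: $700 iPad, EF 50%, ARO 25%, $30 case.
# ASSUMPTION (not on the slide): the case halves the chance of screen damage (ARO 0.125)
# and leaves EF unchanged.
IPAD = Scenario("iPad screen", 700, 0.50, 0.25,
                post_exposure_factor=0.50, post_aro=0.125, acs=30)

# Slide 11 inputs: $200,000 customer database, EF 50%, ARO 75%, ACS $5,000.
# ASSUMPTION (not on the slide): the safeguard cuts ARO to 0.25 and leaves EF unchanged.
DATABASE = Scenario("customer database", 200_000, 0.50, 0.75,
                    post_exposure_factor=0.50, post_aro=0.25, acs=5_000)


def evaluate_all() -> dict:
    """Run both scenarios; returns {scenario name: result dict}."""
    return {s.name: s.evaluate() for s in (IPAD, DATABASE)}


if __name__ == "__main__":
    for name, r in evaluate_all().items():
        verdict = "worth it" if r["cba"] > 0 else "not worth it"
        print(f"{name}: SLE=${r['sle_prior']:,.2f} ALE(prior)=${r['ale_prior']:,.2f} "
              f"ALE(post)=${r['ale_post']:,.2f} CBA=${r['cba']:,.2f} ({verdict}); "
              f"break-even ACS=${r['break_even_acs']:,.2f}")
```

With the slide's inputs the first half of each exercise is fixed regardless of the assumption: the iPad has SLE $350 and ALE(prior) $87.50, the database SLE $100,000 and ALE(prior) $75,000. Under the assumed post-control AROs the $30 case clears by $13.75 a year and the $5,000 database safeguard by $45,000; swap in your own ALE(post) to redo the slide's blanks.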

  12. Recommended Risk Control Practices • Qualitative/Quantitative Approach • OCTAVE Methods • Microsoft Risk Management Approach • FAIR

  13. Qualitative and Hybrid Measures • Quantitative assessment • Qualitative assessment • Hybrid assessment

  14. OCTAVE Method • The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method • Variations of the OCTAVE method • The original OCTAVE method • OCTAVE-S • OCTAVE-Allegro www.cert.org/octave/

  15. Microsoft Risk Management Approach • Four phases in the Microsoft InfoSec risk management process: • Assessing risk • Conducting decision support • Implementing controls • Measuring program effectiveness www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

  16. Microsoft Risk Management Approach Figure A-1 Security Risk Management Guide Source: Course Technology/Cengage Learning

  17. Factor Analysis of Information Risk (FAIR) • Basic FAIR analysis consists of four stages: • Stage 1 - Identify scenario components • Stage 2 - Evaluate loss event frequency • Stage 3 - Evaluate probable loss magnitude (PLM) • Stage 4 - Derive and articulate risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low http://fairwiki.riskmanagementinsight.com

  18. FAIR (cont’d.) Figure 9-4 Factor analysis of information risk (FAIR) Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning (Based on concepts from Jack A. Jones)

  19. Analyzing Risk Health First Case Study

  20. Step 1: Define Assets

  21. Step 1: Define Assets Consider Consequential Financial Loss

  22. Step 1: Define Assets Consider Consequential Financial Loss

  23. HIPAA Criminal Penalties Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

  24. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation • Normal threats: Threats common to all organizations • Inherent threats: Threats particular to your specific industry • Known vulnerabilities: Previous audit reports indicate deficiencies.

  25. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

  26. Step 4: Compute Expected Loss / Step 5: Treat Risk • Step 4: Compute E(Loss): ALE = SLE * ARO • Step 5: Treat Risk • Risk Acceptance: Handle the attack when it happens • Risk Avoidance: Stop doing the risky activity • Risk Mitigation: Implement a control to minimize the vulnerability • Risk Transference: Pay someone to assume the risk for you • Risk Planning: Implement a set of controls