INFORMATION SECURITY MANAGEMENT

##### Presentation Transcript

1. INFORMATION SECURITY MANAGEMENT – Lecture 8: Risk Management – Controlling Risk. "You got to be careful if you don’t know where you’re going, because you might not get there." – Yogi Berra

2. Managing Risk (cont’d.) – Figure 9-1: Residual risk (Source: Course Technology/Cengage Learning)

3. Managing Risk – Risk Control
    - Risk control involves selecting one of the four risk control strategies
    - Should the organization ever accept the risk?

4. Risk Control Cycle – Figure 9-3: Risk control cycle (Source: Course Technology/Cengage Learning)

5. Cost Benefit – Asset Valuation
    - Asset value: replacement cost and/or income derived through the use of an asset
    - Exposure Factor (EF): portion of the asset's value lost through a threat (also called impact)
    - Single Loss Expectancy (SLE) = Asset (\$) x EF (%)

6. Cost Benefit – Asset Valuation
    - Annualized Rate of Occurrence (ARO): probability of loss in a year, %
    - Annual Loss Expectancy (ALE) = SLE x ARO

7. Example of Quantitative Risk Assessment
    - Theft of a laptop computer, with the data encrypted
    - Asset value: \$4,000
    - Exposure factor?
    - SLE, ARO, ALE?

8. Example of Quantitative Risk Assessment
    - Dropping a laptop computer and breaking the screen
    - Asset value: \$4,000
    - Exposure factor?
    - SLE, ARO, ALE?

9. Cost-Benefit Analysis Calculation
    - CBA = ALE(prior) – ALE(post) – ACS
    - ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control
    - ALE (post-control) is the ALE examined after the control has been in place for a period of time
    - ACS is the annual cost of the safeguard

10. Example of Cost-Benefit Analysis Calculation
    - Dropping an iPad and breaking the screen
    - Asset value: \$700
    - Exposure factor: 50%
    - SLE =
    - ARO = 25% chance of damaging
    - ALE (prior) =
    - ALE (post) =
    - CBA (cost of case = \$30)
    - CBA = ALE(prior) – ALE(post) – ACS
    - CBA =

11. Example of Cost-Benefit Analysis Calculation
    - Unprotected customer database
    - Asset value: \$200,000
    - Exposure factor: 50%
    - SLE =
    - ARO = 75% chance of occurring
    - ALE (prior) =
    - ALE (post) =
    - CBA (ACS = \$5,000)
    - CBA = ALE(prior) – ALE(post) – ACS
    - CBA =
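The SLE, ALE and CBA arithmetic from slides 5, 6 and 9, applied to the iPad figures on slide 10, as an added example that is not part of the lecture slides. The post-control exposure factor (10% with the case fitted) is an assumption made here, because the slide leaves ALE(post) blank for the student to fill in.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One loss scenario, in the terms used on the slides."""
    asset_value: float      # replacement cost and/or income derived, in dollars
    exposure_factor: float  # fraction of asset value lost per event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x EF (slide 5)."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor

def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO (slide 6)."""
    if s.aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro

def cost_benefit(prior: Scenario, post: Scenario, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS (slide 9).

    Positive: the safeguard saves more per year than it costs.
    Negative: accepting the risk is cheaper than buying the control.
    """
    return annual_loss_expectancy(prior) - annual_loss_expectancy(post) - acs

# Slide 10 figures: $700 iPad, 50% exposure factor, 25% chance of a broken screen per year.
IPAD_NO_CASE = Scenario(asset_value=700.0, exposure_factor=0.50, aro=0.25)
# ASSUMPTION (not on the slide): a $30 case cuts the exposure factor to 10%, ARO unchanged.
IPAD_WITH_CASE = Scenario(asset_value=700.0, exposure_factor=0.10, aro=0.25)
CASE_ANNUAL_COST = 30.0

def ipad_case_decision() -> dict:
    """The blanks on slide 10, filled in under the assumed post-control scenario."""
    return {
        "SLE_prior": single_loss_expectancy(IPAD_NO_CASE),
        "ALE_prior": annual_loss_expectancy(IPAD_NO_CASE),
        "ALE_post": annual_loss_expectancy(IPAD_WITH_CASE),
        "CBA": cost_benefit(IPAD_NO_CASE, IPAD_WITH_CASE, CASE_ANNUAL_COST),
    }

if __name__ == "__main__":
    for label, dollars in ipad_case_decision().items():
        print(f"{label}: ${dollars:,.2f}")
```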

12. Recommended Risk Control Practices
    - Qualitative/Quantitative Approach
    - OCTAVE Methods
    - Microsoft Risk Management Approach
    - FAIR

13. Qualitative and Hybrid Measures
    - Quantitative assessment
    - Qualitative assessment
    - Hybrid assessment

14. OCTAVE Method
    - The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
    - Variations of the OCTAVE method:
        - The original OCTAVE method
        - OCTAVE-S
        - OCTAVE-Allegro
    - www.cert.org/octave/

15. Microsoft Risk Management Approach
    - Four phases in the Microsoft InfoSec risk management process:
        - Assessing risk
        - Conducting decision support
        - Implementing controls
        - Measuring program effectiveness
    - www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

16. Microsoft Risk Management Approach – Figure A-1: Security Risk Management Guide (Source: Course Technology/Cengage Learning)

17. Factor Analysis of Information Risk (FAIR)
    - Basic FAIR analysis is comprised of four stages:
        - Stage 1 - Identify scenario components
        - Stage 2 - Evaluate loss event frequency
        - Stage 3 - Evaluate probable loss magnitude (PLM)
        - Stage 4 - Derive and articulate risk
    - Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
    - http://fairwiki.riskmanagementinsight.com

18. FAIR (cont’d.) – Figure 9-4: Factor analysis of information risk (FAIR), Management of Information Security, 3rd ed. (Source: Course Technology/Cengage Learning; based on concepts from Jack A. Jones)

19. Analyzing Risk – Health First Case Study

20. Step 1: Define Assets

21. Step 1: Define Assets – Consider Consequential Financial Loss

22. Step 1: Define Assets – Consider Consequential Financial Loss

23. HIPAA Criminal Penalties – Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

24. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation
    - Normal threats: threats common to all organizations
    - Inherent threats: threats particular to your specific industry
    - Known vulnerabilities: previous audit reports indicate deficiencies

25. Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

26. Step 4: Compute Expected Loss / Step 5: Treat Risk
    - Step 4: Compute E(Loss): ALE = SLE * ARO
    - Step 5: Treat Risk
        - Risk Acceptance: handle the attack when necessary
        - Risk Avoidance: stop doing the risky behavior
        - Risk Mitigation: implement a control to minimize the vulnerability
        - Risk Transference: pay someone to assume the risk for you
        - Risk Planning: implement a set of controls