Risk Management Process

Based on recommendations of the National Institute of Standards and Technology in “Risk Management Guide for Information Technology Systems” (special publication 800-30)

Lianne Stevens

Nebraska Health System

April 16, 2003

Goal of Risk Management Process
  • Protect the organization’s ability to perform its mission
  • An essential management function
Definitions
  • Risk - “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
  • Risk management – process of identifying, assessing and reducing risk
Definitions
  • Threat – “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • Threat-Source – “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”
NIST Guide Purpose
  • Provide a foundation for risk management program development
  • Provide information on cost-effective security controls
Guide Structure
  • Risk Management Overview
  • Risk Assessment Methodology
  • Risk Mitigation Process
  • Ongoing Risk Evaluation
Risk Management Overview
  • Encompasses 3 processes
    • Risk Assessment
    • Risk Mitigation
    • Ongoing Risk Evaluation
  • Integrated into System Development Life Cycle (SDLC)
Risk Management Overview
  • Key roles
    • Senior Management
    • Chief Information Officer
    • System & Information Owners
    • Business & Functional Managers
    • Information System Security Officers
    • IT Security Practitioners
    • Security Awareness Trainers
Risk Assessment
  • 1st process in risk management methodology
  • Used to determine potential threats and associated risk
  • Output of this process helps to identify appropriate controls to reduce or eliminate risk
Risk Assessment Methodology
  • Step 1: System Characterization
    • Collect system-related information including:
      • Hardware
      • Software
      • Criticality
      • Users
      • Technical controls
      • Environment
Risk Assessment Methodology
  • Step 2: Threat Identification
    • Identify potential threat-sources that could cause harm to the IT system and its environment
    • Can be natural, human or environmental
Risk Assessment Methodology
  • Step 3: Vulnerability Identification
    • Develop list of system vulnerabilities (flaws or weaknesses) that could be exploited
      • Proactive System Security Testing methods include:
        • Automated vulnerability scanning tool
        • Security test and evaluation
        • Penetration testing
    • Develop Security Requirements Checklist
Risk Assessment Methodology
  • Step 4: Control Analysis
    • Control Methods – may be technical or non-technical
    • Control Categories – preventative or detective
    • Control Analysis Technique – use of security requirements checklist
Risk Assessment Methodology
  • Step 5: Likelihood Determination
    • Governing factors
      • Threat-source motivation & capability
      • Nature of the vulnerability
      • Existence & effectiveness of current controls
    • Levels – High, Medium or Low
Risk Assessment Methodology
  • Step 6: Impact Analysis
    • Prerequisite information
      • System mission
      • System and data criticality
      • System and data sensitivity
    • Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
    • Quantitative vs. qualitative assessment
Risk Assessment Methodology
  • Step 7: Risk Determination
    • Develop Risk-Level Matrix
      • Risk Level = Threat Likelihood x Threat Impact
    • Develop Risk Scale
      • Risk Levels with associated Descriptions and Necessary Actions
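The Step 7 formula above, Risk Level = Threat Likelihood x Threat Impact, is easier to follow with the numbers filled in. The following is an added example, not part of the presentation or of NIST's own material: it rates a constructed list of assessment findings, buckets each score into the High/Medium/Low risk scale, attaches the necessary action the scale calls for, and then orders the findings so the Risk Mitigation step "Prioritize actions" can start from the output. The slides name only the three levels; the numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10, scale boundaries at 50 and 10) are the ones used in the sample matrix of SP 800-30 itself, and the action wording is a paraphrase of the guide's.

```python
"""Risk-level matrix and risk scale (SP 800-30, Step 7), added example."""
from dataclasses import dataclass
from typing import Iterable, List

# Weights from the sample risk-level matrix in SP 800-30. The slide states only
# the three levels; these numbers come from the guide, not from the presentation.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

# Risk scale: level name -> necessary action (paraphrased from the guide).
NECESSARY_ACTION = {
    "High": "Corrective measures required as soon as possible",
    "Medium": "Corrective actions required within a reasonable period",
    "Low": "Authorizing official decides whether to correct or accept the risk",
}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair observed during the assessment."""
    description: str
    likelihood: str  # "High", "Medium" or "Low" (Step 5)
    impact: str      # "High", "Medium" or "Low" (Step 6)


@dataclass(frozen=True)
class RatedRisk:
    description: str
    score: float
    level: str
    action: str


def risk_score(likelihood: str, impact: str) -> float:
    """Risk Level = Threat Likelihood x Threat Impact, using the guide's weights."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate(finding: Finding) -> RatedRisk:
    score = risk_score(finding.likelihood, finding.impact)
    level = risk_level(score)
    return RatedRisk(finding.description, score, level, NECESSARY_ACTION[level])


def prioritize(findings: Iterable[Finding]) -> List[RatedRisk]:
    """Rate every finding and order them highest risk first (input to mitigation Step 1)."""
    rated = [rate(f) for f in findings]
    # Secondary key on the description keeps equal scores in a stable, reproducible order.
    return sorted(rated, key=lambda r: (-r.score, r.description))


# Constructed sample findings for demonstration; not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("Unlocked wiring closet on a non-public floor", "Low", "Medium"),
    Finding("Internet-facing web server missing vendor patches", "High", "High"),
    Finding("Shared administrator password on the backup host", "Medium", "High"),
    Finding("No emergency power for a non-critical print server", "High", "Low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r.score:6.1f}  {r.level:<6}  {r.description}\n        -> {r.action}")
```

Run as a script it prints the prioritized table; the boundary cases (High likelihood against Low impact scores exactly 10 and stays Low, Medium likelihood against High impact scores exactly 50 and stays Medium) are the ones worth checking when an organization swaps in its own weights, because a reviewer reading "High likelihood" will often expect a higher bucket than the arithmetic gives.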
Risk Assessment Methodology
  • Step 8: Control Recommendations
    • Factors to consider
      • Effectiveness of recommended option
      • Legislation and regulation
      • Organizational policy
      • Operational impact
      • Safety and reliability
Risk Assessment Methodology
  • Step 9: Results Documentation
    • Risk Assessment Report
      • Presented to senior management and mission owners
      • Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
Risk Mitigation
  • 2nd process of risk management
  • Involves prioritizing, evaluating and implementing controls
  • Options
    • Risk assumption
    • Risk avoidance
    • Risk limitation
    • Risk planning
    • Research and acknowledgment
    • Risk transference
Risk Mitigation
  • Control Implementation Approach
    • Step 1 – Prioritize actions
    • Step 2 – Evaluate recommended control options
    • Step 3 – Conduct cost-benefit analysis
    • Step 4 – Select control
    • Step 5 – Assign responsibility to implement control
Risk Mitigation
  • Control Implementation Approach
    • Step 6 – Develop Safeguard Implementation Plan (action plan)
      • Prioritizes implementation actions
      • Projects start & target completion dates
    • Step 7 – Implement selected control(s)
      • Identify any residual risk
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Supporting
        • Identification (of users, processes)
        • Cryptographic key management
        • Security administration
        • System protections
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Preventive
        • Authentication (e.g. passwords, tokens)
        • Authorization (e.g. update vs. view)
        • Access control enforcement
        • Non-repudiation (e.g. digital certificate)
        • Protected communications (encryption)
        • Transaction privacy (e.g. SSL)
Risk Mitigation
  • Control Categories
    • Technical Security Controls
      • Detection and Recovery
        • Audit
        • Intrusion detection and containment
        • Proof of wholeness (e.g. system integrity tool)
        • Restore secure state
        • Virus detection and eradication
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Preventive
        • Assign security responsibility
        • Develop & maintain system security plans
        • Implement personnel security controls
        • Conduct security awareness & training
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Detection
        • Implement personnel security controls
        • Conduct periodic review of controls
        • Perform periodic system audits
        • Conduct ongoing risk management
        • Authorize IT systems to address/accept residual risk
Risk Mitigation
  • Control Categories
    • Management Security Controls
      • Recovery
        • Develop, test and maintain continuity of operations plan
        • Establish incident response capability
Risk Mitigation
  • Control Categories
    • Operational Security Controls
      • Preventive
        • Control data media access and disposal
        • Limit external data distribution
        • Control software viruses
        • Safeguard computing facility
        • Secure wiring closets
        • Provide backup capability
        • Establish off-site storage
        • Protect laptops, PCs, workstations
        • Protect IT resources from fire damage
        • Provide emergency power
        • Control computing facility environment (HVAC)
Risk Mitigation
  • Control Categories
    • Operational Security Controls
      • Detection
        • Provide physical security (e.g. motion detectors, closed-circuit TV monitors)
        • Ensure environmental security (e.g. smoke and fire detectors)
Risk Mitigation
  • Cost-Benefit Analysis
    • Can be qualitative or quantitative
    • Purpose: demonstrate that costs of implementing controls can be justified by reduction in level of risk
Risk Mitigation
  • Residual Risk
    • Risk remaining after implementation of controls
    • If not reduced to acceptable level, risk management cycle must be repeated
Evaluation and Assessment
  • Good Security Practice
    • Should have a specific schedule for repeating risk assessment process
    • Should be flexible to allow for major system and processing changes
  • Keys for success
    • Senior management commitment
    • Support & participation of IT team
    • Competence of risk assessment team
    • Awareness and cooperation of user community
    • Ongoing evaluation & assessment
Appendices
  • Sample IT system assessment questions
  • Sample risk assessment report outline
  • Sample safeguard implementation plan (action plan) summary table
  • Acronyms
  • Glossary
  • References