Risk Assessment

By: Ashwin Vignesh Madhu. Risk Assessment. Objective Introduction Risk Risk Management Cycle RA Methodologies CRAMM COBRA RuSecure British Standard Hierarchical Criteria Model. Common Failures in RA Elements of Good RA OCTAVE Characteristics Process Criteria Examples

Presentation Transcript


  1. Risk Assessment. By: Ashwin Vignesh Madhu

  2. Objective Introduction Risk Risk Management Cycle RA Methodologies CRAMM COBRA RuSecure British Standard Hierarchical Criteria Model Common Failures in RA Elements of Good RA OCTAVE Characteristics Process Criteria Examples OCTAVE Methodology Choosing Methodology Our Methodology Overview

  4. Objective
  • Risk Assessment Process
  • Not unique to the IT environment
  • Provide the desired level of mission support depending on the budget
  • Well-structured risk management methodology

  6. Introduction
  • The process of enumerating risks
  • Determining their classifications
  • Assigning probability and impact scores
  • Associating controls with each risk

  8. Risk
  • Risk Assessment measures two quantities:
  • Magnitude of the potential loss, L
  • Probability p that the loss will occur
  • Risk R can be expressed as R = L * p, or
  • Risk = Impact * Likelihood

  9. Risk (cont.)
  • Risk = PA * (1 - PE) * C
  • PA: the likelihood of adversary attack
  • PE: the security system effectiveness (probability the system defeats the attack)
  • (1 - PE): the probability of adversary success
  • C: consequence of loss of the asset
  • High L with low p versus low L with high p:
  • Treated differently in practice
  • Given nearly equal priority in dealing with them
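As an added worked example, not part of the presentation, the two formulas from slides 8 and 9 applied to a constructed three-asset register (the asset names, values and the band thresholds HIGH_LOSS and HIGH_PROB are assumptions). It shows how a high-L/low-p asset and a low-L/high-p asset can tie on R = L * p yet separate once control effectiveness PE and a qualitative loss profile are taken into account:

```python
# Added worked example (not from the presentation): scoring a small,
# constructed risk register with R = L * p and R = PA * (1 - PE) * C,
# and separating the high-L/low-p case from the low-L/high-p case,
# which can tie on R alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    loss: float         # L (or C): magnitude of loss if the event occurs
    p_attack: float     # p (or PA): likelihood the loss event occurs, 0..1
    p_effective: float  # PE: probability the security system defeats it, 0..1


# Constructed sample register; values are illustrative, not measured.
REGISTER = [
    Asset("customer database", loss=1_000_000, p_attack=0.02, p_effective=0.90),
    Asset("public web kiosk",  loss=20_000,    p_attack=1.00, p_effective=0.50),
    Asset("developer laptop",  loss=50_000,    p_attack=0.20, p_effective=0.60),
]

# Constructed thresholds for the qualitative bands used in loss_profile().
HIGH_LOSS = 100_000
HIGH_PROB = 0.5


def risk_simple(a: Asset) -> float:
    """R = L * p: expected loss, giving no credit to existing controls."""
    return round(a.loss * a.p_attack, 2)


def risk_after_controls(a: Asset) -> float:
    """R = PA * (1 - PE) * C: expected loss once system effectiveness is counted."""
    return round(a.p_attack * (1.0 - a.p_effective) * a.loss, 2)


def loss_profile(a: Asset) -> str:
    """Separate cases that may share the same R but need different treatment."""
    big, likely = a.loss >= HIGH_LOSS, a.p_attack >= HIGH_PROB
    if big and not likely:
        return "rare catastrophe"   # high L, low p: contingency planning, insurance
    if likely and not big:
        return "frequent nuisance"  # low L, high p: routine controls, monitoring
    return "high" if big and likely else "low"


def ranked(assets, scorer):
    """Assets ordered by a scoring function, highest risk first."""
    return sorted(assets, key=scorer, reverse=True)


if __name__ == "__main__":
    for scorer in (risk_simple, risk_after_controls):
        print(scorer.__name__)
        for a in ranked(REGISTER, scorer):
            print(f"  {a.name:18} R={scorer(a):>10.2f}  {loss_profile(a)}")
```

Under R = L * p the database and the kiosk tie at 20000, while the control-aware formula moves the well-protected database to the bottom of the list.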

  10. Risk Management Cycle

  12. RA Methodologies
  • CCTA Risk Analysis and Management Method (CRAMM)
  • Consultative, Objective and Bi-functional Risk Analysis (COBRA)
  • RuSecure
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • Failure Mode and Effects Analysis (FMEA)
  • British Standard (BS)

  13. RA Methodologies (cont.)
  • The methods support:
  • Detecting critical places and parts in the organization
  • Detecting risk factors
  • Collecting data about risk factors
  • Evaluation and estimation of risk
  • Generating a report of the risk management process

  15. CRAMM

  17. COBRA
  • Two modules: COBRA Risk Consultant and ISO Compliance Analyst
  • Supports the process of evaluating security risk
  • Evaluation steps: building queries, risk evaluation, constructing reports
  • Contains a library of countermeasures

  19. RuSecure

  20. RuSecure

  21. RuSecure

  23. British Standard

  25. Hierarchical Criteria Model

  27. Common Failures in RA
  • Poor executive support
  • High cost of implementation
  • Untimely response
  • Insufficient accountability
  • Inability to qualitatively measure the control environment
  • Infrequent assessment
  • Inaccurate data

  29. Elements of Good RA
  • Provides clear instructions
  • Simplifies user response
  • Identifies support contacts
  • Focuses on leaders as well as executors
  • Provides feedback to users and risk leaders
  • Has a broad scope
  • Identifies the user for follow-up where necessary and applicable

  31. OCTAVE
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • Effective security risk evaluation
  • Considers both organizational and technological issues
  • Self-directed

  33. Characteristics
  • Identify information-related assets
  • Focus risk analysis activities on critical assets
  • Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
  • Evaluate risks in an operational context: how the assets are used to conduct the organization's business
  • Create a protection strategy for risk mitigation

  35. OCTAVE Process

  37. Criteria
  • Principle: fundamental concepts driving the nature of the evaluation and defining the philosophy behind the evaluation process
  • Attribute: distinctive qualities, or characteristics, of the evaluation
  • Output: defines the outcomes that an analysis team must achieve during each phase

  39. Examples

  40. Examples

  42. OCTAVE Method Process
  • Phase 1: Build Asset-Based Threat Profiles
  • Process 1: Identify Senior Management Knowledge
  • Process 2: Identify Operational Area Knowledge
  • Process 3: Identify Staff Knowledge
  • Process 4: Create Threat Profiles

  43. OCTAVE Method Process (cont.)
  • Phase 2: Identify Infrastructure Vulnerabilities
  • Process 5: Identify Key Components
  • Process 6: Evaluate Selected Components
  • Phase 3: Develop Security Strategy and Plans
  • Process 7: Conduct Risk Analysis. An organizational set of impact evaluation criteria is defined to establish the impact value
  • Process 8: Develop Protection Strategy. The team develops an organization-wide protection strategy to improve the organization's security practices

  45. Choosing Methods
  • Depending on organization size
  • Depending on organization hierarchical structure
  • Structured or open-ended method
  • Analysis team composition
  • IT resources

  47. Our Methodology
  • Policies and procedures
  • Requirement analysis
  • Network topology
  • Categorizing the network
  • Scanning based on categorization
  • Analysis of vulnerabilities
  • Use of different scanning tools
  • Penetration testing
  • Risk strategy
  • Mitigation of risk

  48. References
  • NIST, Risk Management Guide for Information Technology Systems
  • http://www.gao.gov/special.pubs/ai00033.pdf
  • http://en.wikipedia.org/wiki/Risk_management
  • http://en.wikipedia.org/wiki/Risk_assessment
  • http://www.sandia.gov/ram
  • http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
  • http://www.octave.org

  49. Thank You