Risk Assessment Plan

profileNIK-raj
Chapter7_ISOL533.pdf

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Managing Risk in Information Systems

Lesson 4 Key Components of Risk Assessment

Page 2Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Learning Objectives

§ Identify assets and activities to protect within an organization.

§ Identify threats, vulnerabilities, and exploits.

§ Identify and analyze risk mitigation security controls.

Page 3Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Key Concepts

§ Identification of key activities and assets § Recognize value of data § Basic planning steps of a BIA § Techniques used to identify relevant

threats, vulnerabilities, and exploits § Identify and compare procedural, technical,

physical, and functional controls

Page 4Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Chapter 7 Slides

Chapter 7: “Identifying Assets and Activities to Be Protected”

Page 5Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

System Access and Availability

§ Goal: 99.999 percent up time § Failover cluster § RAID

Page 6Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

System Functions: Manual and Automated § Manual • Written records • Knowledge of process

§ Automated

Page 7Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Hardware Assets

§ Computers: Servers, desktop PCs § Networking devices: Routers,

switches § Network appliances: Firewalls, spam

appliances

Page 8Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com All rights reserved.

Hardware Assets (Cont.) § Information you need to know:

• Location • Manufacturer • Model number • Hardware components, such as processor

and random access memory (RAM)

• Hardware peripherals, such as add-on network interface cards (NICs)

• Basic Input/Output System (BIOS) version

Page 9Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Software Assets § Operating system and applications § OS specifics should include:

• Hardware system where it’s installed • Name of the operating system • Latest service pack installed

§ Application specifics should include: • Name of the application • Version number • Service pack or update information if

available

Page 10Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Personnel Assets § The people working for you § When any function or process

depends on a single person, he/she

becomes a single point of failure

§ Reduce risk by: • Hiring additional personnel • Cross-training • Rotating jobs

Page 11Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Data and Information Assets § Data protected by: • Access controls • Backups

Page 12Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Data Classifications § Organization

Classifications

Proprietary

Private

Public

Freely available

Protected Internally

Highest Level of Protection

Government § Top Secret § Secret § Confidential

Page 13Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Data and Information Asset Categories

Organization Customer Intellectual property

Data warehousing Data mining

Page 14Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure

Inventory management • Used to manage hardware inventories

Asset management • Used to manage all types of assets; much

more detailed data than an inventory management system

Page 15Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Seven Domains of a Typical IT Infrastructure

Page 16Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying Facilities and Supplies Needed to Maintain Business Operations

§ Identifying mission-critical systems and applications

§ Business impact analysis planning § Business continuity planning § Disaster recovery planning § Business liability insurance planning § Asset replacement insurance planning

Page 17Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

BIA Planning Introduction § Identifies impact of sudden loss

Define the scope

Identify objectives

Identify mission-critical functions and processes

Map functions and processes to IT systems

Page 18Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identify Assets § First step in risk management • You can’t plan the protection if you

don’t know what you’re protecting

§ When do you want to identify a single point of failure? • Before it fails? • Or after if fails?

Page 19Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identify Valuable Assets § Ask a system owner • How much downtime can you

accept? - Answer: “None”

• How much data loss can you accept? - Answer: “None”

§ Then ask • “How much money are you willing to

spend?”