Risk Assessment Plan
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Managing Risk in Information Systems
Lesson 4 Key Components of Risk Assessment
Page 2Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Learning Objectives
§ Identify assets and activities to protect within an organization.
§ Identify threats, vulnerabilities, and exploits.
§ Identify and analyze risk mitigation security controls.
Page 3Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Key Concepts
§ Identification of key activities and assets § Recognize value of data § Basic planning steps of a BIA § Techniques used to identify relevant
threats, vulnerabilities, and exploits § Identify and compare procedural, technical,
physical, and functional controls
Page 4Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Chapter 7 Slides
Chapter 7: “Identifying Assets and Activities to Be Protected”
Page 5Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
System Access and Availability
§ Goal: 99.999 percent up time § Failover cluster § RAID
Page 6Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
System Functions: Manual and Automated § Manual • Written records • Knowledge of process
§ Automated
Page 7Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Hardware Assets
§ Computers: Servers, desktop PCs § Networking devices: Routers,
switches § Network appliances: Firewalls, spam
appliances
Page 8Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved.
Hardware Assets (Cont.) § Information you need to know:
• Location • Manufacturer • Model number • Hardware components, such as processor
and random access memory (RAM)
• Hardware peripherals, such as add-on network interface cards (NICs)
• Basic Input/Output System (BIOS) version
Page 9Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Software Assets § Operating system and applications § OS specifics should include:
• Hardware system where it’s installed • Name of the operating system • Latest service pack installed
§ Application specifics should include: • Name of the application • Version number • Service pack or update information if
available
Page 10Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Personnel Assets § The people working for you § When any function or process
depends on a single person, he/she
becomes a single point of failure
§ Reduce risk by: • Hiring additional personnel • Cross-training • Rotating jobs
Page 11Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Data and Information Assets § Data protected by: • Access controls • Backups
Page 12Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Data Classifications § Organization
Classifications
Proprietary
Private
Public
Freely available
Protected Internally
Highest Level of Protection
Government § Top Secret § Secret § Confidential
Page 13Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Data and Information Asset Categories
Organization Customer Intellectual property
Data warehousing Data mining
Page 14Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
Inventory management • Used to manage hardware inventories
Asset management • Used to manage all types of assets; much
more detailed data than an inventory management system
Page 15Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Seven Domains of a Typical IT Infrastructure
Page 16Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying Facilities and Supplies Needed to Maintain Business Operations
§ Identifying mission-critical systems and applications
§ Business impact analysis planning § Business continuity planning § Disaster recovery planning § Business liability insurance planning § Asset replacement insurance planning
Page 17Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
BIA Planning Introduction § Identifies impact of sudden loss
Define the scope
Identify objectives
Identify mission-critical functions and processes
Map functions and processes to IT systems
Page 18Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identify Assets § First step in risk management • You can’t plan the protection if you
don’t know what you’re protecting
§ When do you want to identify a single point of failure? • Before it fails? • Or after if fails?
Page 19Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identify Valuable Assets § Ask a system owner • How much downtime can you
accept? - Answer: “None”
• How much data loss can you accept? - Answer: “None”
§ Then ask • “How much money are you willing to
spend?”