Mitigating risks

Managing Risk in Information Systems

Lesson 3

Concepts of Risk Assessment

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Learning Objectives

Describe techniques for identifying and analyzing relevant threats, vulnerabilities, and exploits.

Describe process of performing a risk assessment.

Key Concepts

Definition of a risk assessment

Components of risk assessments

Qualitative vs. quantitative risk assessment

When to perform risk assessments

Steps involved in a risk assessment

Identifying assets, threats, vulnerabilities

Evaluating controls and countermeasures

Chapter 5 Slides

Chapter 5: “Defining Risk Assessment Approaches”

What Is Risk Assessment?

Key step in a risk management process

Determination of quantitative or qualitative value of risk

Conducted for a concrete situation and a recognized threat

Used to help identify which safeguards (controls) to implement

Required for evaluating risk or control

Often conducted after implementation of a control

Why Is Risk Assessment Important?

Identifies which systems/assets to protect

Gives insight into which controls provide the most value

When Should a Risk Assessment Be Conducted?

When evaluating risk

When evaluating a control

Periodically after a control has been implemented

Critical Components of Risk Assessment

Identify scope of assessment

Identify critical areas

Identify team

Identify Potential Scope for Web Server RA

Web server

Database server

Firewalls

DMZ

Quantitative and Qualitative RAs

Quantitative Risk Assessments

Calculates absolute financial values, losses, and costs

Qualitative Risk Assessments

Calculates relative values, losses, and costs

Quantitative Risk Assessment

Uses numbers such as dollar values

Results can help you:

Identify the priority of risks

Determine the effectiveness of controls

Quantitative Risk Assessment Key Terms

Single loss expectancy (SLE)

Annual rate of occurrence (ARO)

Annual loss expectancy (ALE)

Safeguard value

Quantitative Risk Assessment Benefits

Becomes a simple math problem

Provides a cost-benefit analysis (CBA)

Accurate values for SLE, ARO, and safeguard value let you calculate the CBA

Management is often familiar with quantitative assessment terminology, so the details of the assessment and its recommendations are easy to grasp

Formulas use verifiable and objective measurements
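As an added example (not from the slides), the "simple math problem" behind the key terms above: the standard formulas ALE = SLE × ARO and CBA = (ALE before the control − ALE after the control) − safeguard value, applied to a constructed web server scenario whose dollar figures and rates are assumptions.

```python
"""Quantitative risk assessment arithmetic: SLE, ARO, ALE and a cost-benefit analysis.

Added example, not from the Jones & Bartlett slides. The formulas are the
standard ones (ALE = SLE x ARO; CBA = loss avoided minus safeguard cost);
the asset values and rates below are constructed sample figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair under assessment."""
    name: str
    sle: float   # single loss expectancy: dollars lost per occurrence
    aro: float   # annual rate of occurrence: occurrences per year


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year for this scenario."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def cost_benefit(before: Scenario, after: Scenario, safeguard_value: float) -> float:
    """CBA = (ALE before control - ALE after control) - annual safeguard cost.

    Positive: the control avoids more loss than it costs per year.
    Negative: on these numbers the control is not worth buying.
    """
    ale_before = annual_loss_expectancy(before.sle, before.aro)
    ale_after = annual_loss_expectancy(after.sle, after.aro)
    return (ale_before - ale_after) - safeguard_value


def rank_by_ale(scenarios: list[Scenario]) -> list[tuple[str, float]]:
    """Sort scenarios by ALE, highest first ("identify the priority of risks")."""
    ranked = [(s.name, annual_loss_expectancy(s.sle, s.aro)) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample: malware infection of a web server, $20,000 per incident.
WEB_MALWARE_NO_AV = Scenario("web server malware, no antivirus", sle=20_000.0, aro=2.0)
# Assumed: antivirus reduces the ARO from twice a year to once every four years.
WEB_MALWARE_WITH_AV = Scenario("web server malware, with antivirus", sle=20_000.0, aro=0.25)
ANTIVIRUS_ANNUAL_COST = 5_000.0   # assumed yearly safeguard value

if __name__ == "__main__":
    print("ALE without control:", annual_loss_expectancy(20_000.0, 2.0))
    print("CBA of antivirus:", cost_benefit(WEB_MALWARE_NO_AV, WEB_MALWARE_WITH_AV, ANTIVIRUS_ANNUAL_COST))
```

The same CBA turns negative if the safeguard costs more than the loss it avoids, which is the "accurate data isn't always available" limitation in numbers: a wrong ARO reduction flips the recommendation.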

Quantitative Risk Assessment Limitations

Accurate data isn’t always available

Especially true when identifying ARO reductions

Ensuring that people use the control as expected

May need to take additional steps, such as training, to ensure users are aware of the importance of the control

Qualitative Risk Assessment

Subjective

Probability

The likelihood that a threat will exploit a vulnerability

Impact

The negative result if a risk occurs

Using a Risk Matrix

Matching probability and impact

Qualitative Risk Assessment Benefits

Uses the opinions of experts

Is easy to complete

Uses words that are easy to express and understand

Qualitative Risk Assessment Limitations

Subjective

Based on expertise of the experts

The assessment is only as good as the expertise of the experts

No CBA

No real standards

Comparing Assessment Methods

Quantitative

Objective

Monetary values

Historical data

Key terms:

SLE, ARO, ALE

Qualitative

Subjective

Word values

Expert opinions

Key terms:

Probability and impact

Risk Assessment Challenges

Using a static process to evaluate a moving target

Availability

Data consistency

Estimating impact effects

Providing results that support resource allocation and risk acceptance

Best Practices for Risk Assessment

Start with clear goals and a defined scope.

Enlist senior management support.

Build a strong RA team.

Repeat the RA regularly.

Define a methodology to use.

Provide a report of clear risks and clear recommendations.

Chapter 6 Slides

Chapter 6: “Performing a Risk Assessment”

Steps Used in Risk Assessments

Identify assets and activities to address.

Identify and evaluate relevant threats.

Identify and evaluate relevant vulnerabilities.

Identify and evaluate relevant countermeasures.

Assess threats, vulnerabilities, and exploits.

Evaluate risks.

Develop and present recommendations.

Selecting a Risk Assessment Methodology

Quantitative

Qualitative

Prior to Conducting RA

Define the assessment.

Operational characteristics

Review previous findings.

Recommendations

Mission of the system

Current status of accepted recommendations

Unapproved recommendations

Identifying the Management Structure

Refers to how responsibilities are assigned

Helpful to keep the scope within the ownership of a single entity

Large organization may have multiple divisions:

Network infrastructure

User and computer management

E-mail servers / Web servers / Database servers

Configuration and change management

Identifying Assets and Activities

Perform asset valuation

Base it on the replacement or recovery value of the asset

Ensure the RA is performed on current systems

Evaluate only assets that are within the boundary of the RA

Prioritize importance

Elements to Consider when Determining Asset Value

System access and system availability

System functions

Hardware and software assets

Personnel assets

Data and information assets

Facilities and supplies

Identifying and Evaluating Threats

Reviewing historical data

Threat modeling

Important to understand how threats interact with risks

Identifying and Evaluating Vulnerabilities

A vulnerability is a weakness

Can be a weakness in physical security, technical security, or operational security

Can be procedural, technical, or administrative

All systems have vulnerabilities

Not all vulnerabilities result in a loss

Identifying and Analyzing Countermeasures

In-Place Controls

In place in the operational system

Supported by associated documentation

Planned Controls

Identified in planning documents

Specified implementation date

Control Categories

National Institute of Standards and Technology (NIST)

Three classes, 18 families of controls

Grouped as procedural, technical, and physical

Control Classes

Control Class   Control Family Examples
Procedural      Policies and procedures; security plans; insurance; awareness and training
Technical       Login identifiers; system logs; firewalls
Physical        Locked doors; video cameras; fire detection and suppression

Developing Mitigating Recommendations

After performing analysis, provide specific recommendations that mitigate risks

Supporting data may include:

Threat/vulnerability pairs

Estimate of cost and time to implement

Estimate of operational impact

Cost-benefit analysis

Best Practices for Performing Risk Assessments

Ensure systems are fully described.

Review past audits.

Review past risk assessments.

Match the RA to the management structure.

Identify assets within the RA boundaries.

Best Practices for Performing Risk Assessments (Cont.)

Identify and evaluate relevant threats.

Identify and evaluate relevant vulnerabilities.

Identify and evaluate countermeasures.

Track the results.

Summary

Definition of a risk assessment

Components of risk assessments

Qualitative vs. quantitative risk assessment

When to perform risk assessments

Steps involved in a risk assessment

Identifying assets, threats, vulnerabilities

Evaluating controls and countermeasures
