Mitigating risks
Managing Risk in Information Systems
Lesson 3
Concepts of Risk Assessment
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objectives
Describe techniques for identifying and analyzing relevant threats, vulnerabilities, and exploits.
Describe process of performing a risk assessment.
Key Concepts
Definition of a risk assessment
Components of risk assessments
Qualitative vs. quantitative risk assessment
When to perform risk assessments
Steps involved in a risk assessment
Identifying assets, threats, vulnerabilities
Evaluating controls and countermeasures
Chapter 5 Slides
Chapter 5: “Defining Risk Assessment Approaches”
What Is Risk Assessment?
Key step in a risk management process
Determination of quantitative or qualitative value of risk
Conducted for a concrete situation and a recognized threat
Used to help identify which safeguards (controls) to implement
Required when evaluating a risk or a control
Often conducted after implementation of a control
Why Is Risk Assessment Important?
Identifies which systems/assets to protect
Gives insight into which controls provide the most value
When Should a Risk Assessment Be Conducted?
When evaluating risk
When evaluating a control
Periodically after a control has been implemented
Critical Components of Risk Assessment
Identify scope of assessment
Identify critical areas
Identify team
Identify Potential Scope for Web Server RA
Web server
Database server
Firewalls
DMZ
Quantitative and Qualitative RAs
Quantitative Risk Assessments
Calculates absolute financial values, losses, and costs
Qualitative Risk Assessments
Calculates relative values, losses, and costs
Quantitative Risk Assessment
Uses numbers such as dollar values
Results can help you:
Identify the priority of risks
Determine the effectiveness of controls
Quantitative Risk Assessment Key Terms
Single loss expectancy (SLE)
Annual rate of occurrence (ARO)
Annual loss expectancy (ALE)
Safeguard value
Quantitative Risk Assessment Benefits
Becomes a simple math problem
Provides a cost-benefit analysis (CBA)
Accurate values for SLE, ARO, and safeguard value let you calculate the CBA
Management is often familiar with quantitative assessment terminology, so the details of the assessment and its recommendations are easy to grasp
Formulas use verifiable and objective measurements
Quantitative Risk Assessment Limitations
Accurate data isn’t always available
Especially true when estimating how much a control reduces the ARO
Ensuring that people use the control as expected
May need to take additional steps, such as training, to ensure users are aware of the importance of the control
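Worked example of the key terms and the cost-benefit analysis from the two quantitative slides above, and of the limitation that ARO reductions are hard to estimate accurately. This is an added example, not code from the slides or the textbook; it uses the standard arithmetic behind these terms (ALE = SLE x ARO; CBA = ALE before the control minus ALE after the control minus the annual safeguard cost), and every dollar figure and rate is a constructed sample value.

```python
"""Quantitative risk assessment worked example: SLE, ARO, ALE, safeguard value, CBA.

Added example, not code from the slides or the textbook. The arithmetic is the
standard relationship behind these terms (ALE = SLE x ARO; CBA = ALE before the
control - ALE after the control - annual safeguard cost); every dollar figure
and rate below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollar loss from one occurrence
    aro: float  # annual rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                 # safeguard value: yearly cost of the control
    aro_after: float                   # estimated ARO once the control is in place
    sle_after: Optional[float] = None  # set when the control shrinks each loss rather than its frequency


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: single loss expectancy times annual rate of occurrence."""
    return sle * aro


def residual_sle(risk: Risk, sg: Safeguard) -> float:
    """Loss per occurrence with the control in place (unchanged unless the control reduces it)."""
    return risk.sle if sg.sle_after is None else sg.sle_after


def cba(risk: Risk, sg: Safeguard) -> float:
    """Cost-benefit analysis: annual loss avoided minus the annual cost of the control.

    Positive means the safeguard saves more than it costs; negative means it does not.
    """
    return ale(risk.sle, risk.aro) - ale(residual_sle(risk, sg), sg.aro_after) - sg.annual_cost


def rank_safeguards(risk: Risk, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Order candidate controls by net annual benefit, best first."""
    scored = [(sg.name, cba(risk, sg)) for sg in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def breakeven_aro_after(risk: Risk, sg: Safeguard) -> float:
    """Highest post-control ARO at which the control still breaks even (CBA == 0).

    The slides warn that accurate ARO reductions are hard to obtain; comparing an
    estimate against this threshold shows how much optimism the business case can absorb.
    """
    sle_after = residual_sle(risk, sg)
    if sle_after == 0:
        return float("inf")  # the control removes the loss entirely; frequency no longer matters
    return (ale(risk.sle, risk.aro) - sg.annual_cost) / sle_after


# Constructed sample: a public web server defaced about four times a year at $5,000 per incident.
WEB_DEFACEMENT = Risk("Web server defacement", sle=5_000.0, aro=4.0)

# Constructed candidate controls with assumed costs and estimated effects.
CANDIDATES = [
    Safeguard("Web application firewall", annual_cost=8_000.0, aro_after=0.5),
    Safeguard("Hardening and patch cycle", annual_cost=3_000.0, aro_after=1.0),
    Safeguard("Hot standby restore", annual_cost=6_000.0, aro_after=4.0, sle_after=600.0),
]


if __name__ == "__main__":
    print(f"ALE with no control: ${ale(WEB_DEFACEMENT.sle, WEB_DEFACEMENT.aro):,.0f}/yr")
    for name, net in rank_safeguards(WEB_DEFACEMENT, CANDIDATES):
        print(f"  {name:28s} net benefit ${net:,.0f}/yr")
    for sg in CANDIDATES:
        print(f"  {sg.name:28s} breaks even if ARO after <= {breakeven_aro_after(WEB_DEFACEMENT, sg):.2f}")
```

With these sample values the ALE is $20,000 per year and the patch cycle ranks first ($12,000 net), but the break-even figure is the part a reviewer should look at: the firewall estimate only has to be wrong by a factor of five (ARO after 2.4 instead of 0.5) before its CBA turns negative, which is exactly the data-quality problem the limitations slide describes.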
Qualitative Risk Assessment
Subjective
Probability
The likelihood that a threat will exploit a vulnerability
Impact
The negative result if a risk occurs
Using a Risk Matrix
Matching probability and impact
Qualitative Risk Assessment Benefits
Uses the opinions of experts
Is easy to complete
Uses words that are easy to express and understand
Qualitative Risk Assessment Limitations
Subjective
Based on expertise of the experts
The value of the assessment depends on the expertise of the experts
No CBA
No real standards
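Worked example for the risk matrix slide (matching probability and impact) and for the qualitative benefits and limitations above (expert opinions, no standard scale). This is an added example, not code from the slides or the textbook; the three-level scale and the cell assignments in the matrix are one common convention assumed here, and the risks and panel ratings are constructed.

```python
"""Qualitative risk assessment: rating risks on a probability x impact matrix.

Added example, not from the slides. The three-level scale and the cell
assignments in RISK_MATRIX are one common convention assumed here; an
organization's own matrix may differ. The risks and expert ratings are constructed.
"""
import math
from statistics import median
from typing import Dict, List, Tuple

LEVELS: Tuple[str, ...] = ("Low", "Medium", "High")

# Rows: probability (likelihood that a threat exploits a vulnerability).
# Columns: impact (negative result if the risk occurs). Assumed convention.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def rate_risk(probability: str, impact: str) -> str:
    """Look up the risk level for a probability/impact pair; reject words outside the scale."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}, got {probability!r}/{impact!r}")
    return RISK_MATRIX[probability][impact]


def consensus(ratings: List[str]) -> str:
    """Combine several experts' ratings by taking the median position on the scale.

    Rounding the median up on a split panel errs toward the higher rating, so
    disagreement between experts does not quietly downgrade a risk.
    """
    if not ratings:
        raise ValueError("at least one rating is required")
    positions = [LEVELS.index(r) for r in ratings]  # ValueError on an unknown word
    return LEVELS[math.ceil(median(positions))]


def rank_risks(risks: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (risk name, level) with the highest level first, ties broken by probability then impact.

    Each input item is (name, probability, impact).
    """
    def key(item: Tuple[str, str, str]) -> Tuple[int, int, int]:
        _, p, i = item
        return (LEVELS.index(rate_risk(p, i)), LEVELS.index(p), LEVELS.index(i))

    ordered = sorted(risks, key=key, reverse=True)
    return [(name, rate_risk(p, i)) for name, p, i in ordered]


def render_matrix() -> str:
    """Text rendering of the matrix: rows are probability, columns are impact."""
    header = "Prob\\Impact " + " ".join(f"{lvl:>7s}" for lvl in LEVELS)
    rows = [f"{p:11s} " + " ".join(f"{RISK_MATRIX[p][i]:>7s}" for i in LEVELS) for p in LEVELS]
    return "\n".join([header] + rows)


# Constructed sample: (risk, probability, impact) for the web server scope from the earlier slide.
SAMPLE_RISKS = [
    ("Web server compromised through unpatched software", "High", "High"),
    ("Database server outage", "Low", "High"),
    ("Firewall misconfiguration exposes a DMZ host", "Medium", "Medium"),
    ("Web content defaced", "Medium", "Low"),
]

# Constructed sample: three experts disagree on the probability of the DMZ misconfiguration.
PANEL_ON_DMZ_PROBABILITY = ["Low", "Medium", "High"]

if __name__ == "__main__":
    print(render_matrix())
    for name, level in rank_risks(SAMPLE_RISKS):
        print(f"{level:7s} {name}")
    print("Panel consensus on DMZ misconfiguration probability:", consensus(PANEL_ON_DMZ_PROBABILITY))
```

The matrix is what makes the word values comparable: two risks that both land on "Medium" (a low-probability outage with high impact, and a medium/medium misconfiguration) can still be ordered, and the consensus step is where the "only as good as the experts" limitation shows up, since whichever aggregation rule you pick is a choice the method itself does not standardize.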
Comparing Assessment Methods
| Quantitative | Qualitative |
|---|---|
| Objective | Subjective |
| Monetary values | Word values |
| Historical data | Expert opinions |
| Key terms: SLE, ARO, ALE | Key terms: probability and impact |
Risk Assessment Challenges
Using a static process to evaluate a moving target
Availability of data
Data consistency
Estimating impact effects
Providing results that support resource allocation and risk acceptance
Best Practices for Risk Assessment
Start with clear goals and a defined scope.
Enlist senior management support.
Build a strong RA team.
Repeat the RA regularly.
Define a methodology to use.
Provide a report of clear risks and clear recommendations.
Chapter 6 Slides
Chapter 6: “Performing a Risk Assessment”
Steps Used in Risk Assessments
Identify assets and activities to address.
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate relevant countermeasures.
Assess threats, vulnerabilities, and exploits.
Evaluate risks.
Develop and present recommendations.
Selecting a Risk Assessment Methodology
Quantitative
Qualitative
Prior to Conducting RA
Define the assessment.
Operational characteristics
Review previous findings.
Recommendations
Mission of the system
Current status of accepted recommendations
Unapproved recommendations
Identifying the Management Structure
Refers to how responsibilities are assigned
Helpful to keep the scope within the ownership of a single entity
A large organization may have multiple divisions:
Network infrastructure
User and computer management
E-mail servers / Web servers / Database servers
Configuration and change management
Identifying Assets and Activities
Perform asset valuation
Based on the replacement or recovery value of the asset
Ensure RA performed on current systems
Evaluate only assets that are within the boundary of the RA
Prioritize importance
Elements to Consider when Determining Asset Value
System access and system availability
System functions
Hardware and software assets
Personnel assets
Data and information assets
Facilities and supplies
Identifying and Evaluating Threats
Reviewing historical data
Threat modeling
Important to understand how threats interact with risks
Identifying and Evaluating Vulnerabilities
A vulnerability is a weakness
Can be a weakness in physical security, technical security, or operational security
Can be procedural, technical, or administrative
All systems have vulnerabilities
Not all vulnerabilities result in a loss
Identifying and Analyzing Countermeasures
In-Place Controls
In place in the operational system
Supported by associated documentation
Planned Controls
Identified in planning documents
Specified implementation date
Control Categories
National Institute of Standards and Technology (NIST)
Three classes, 18 families of controls
Grouped as procedural, technical, and physical
Control Classes
| Control Class | Control Family Examples |
|---|---|
| Procedural | Policies and procedures; security plans; insurance; awareness and training |
| Technical | Login identifiers; system logs; firewalls |
| Physical | Locked doors; video cameras; fire detection and suppression |
Developing Mitigating Recommendations
After performing the analysis, provide specific recommendations that mitigate the identified risks
Supporting data may include:
Threat/vulnerability pairs
Estimate of cost and time to implement
Estimate of operational impact
Cost-benefit analysis
Best Practices for Performing Risk Assessments
Ensure systems are fully described.
Review past audits.
Review past risk assessments.
Match the RA to the management structure.
Identify assets within the RA boundaries.
Best Practices for Performing Risk Assessments (Cont.)
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate countermeasures.
Track the results.
Summary
Definition of a risk assessment
Components of risk assessments
Qualitative vs. quantitative risk assessment
When to perform risk assessments
Steps involved in a risk assessment
Identifying assets, threats, vulnerabilities
Evaluating controls and countermeasures