Risk Assessment Plan
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Managing Risk in Information Systems
Lesson 3 Concepts of Risk Assessment
Page 2Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Learning Objectives § Describe techniques for identifying and
analyzing relevant threats, vulnerabilities, and exploits.
§ Describe process of performing a risk assessment.
Page 3Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Key Concepts § Definition of a risk assessment § Components of risk assessments § Qualitative vs. quantitative risk assessment § When to perform risk assessments § Steps involved in a risk assessment § Identifying assets, threats, vulnerabilities § Evaluating controls and countermeasures
Page 4Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Chapter 5 Slides
Chapter 5: “Defining Risk Assessment Approaches”
Page 5Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
What Is Risk Assessment? § Key step in a risk management process § Determination of quantitative or qualitative value
of risk § Conducted for concrete situation and
recognized threat § Used to help identify which safeguards (controls)
to implement § Required for evaluating risk or control § Often conducted after implementation of a control
Page 6Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Why Is Risk Assessment Important?
§ Identifies which systems/assets to protect
§ Gives insight into which controls provide the most value
Page 7Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
When Should a Risk Assessment Be Conducted?
When evaluating risk
When evaluating a control
Periodically after a control has been implemented
Page 8Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Critical Components of Risk Assessment
Identify scope of assessment
Identify critical areas
Identify team
Page 9Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identify Potential Scope for Web Server RA
§ Web server § Database server
§ Firewalls § DMZ
Page 10Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Quantitative and Qualitative RAs
§ Quantitative Risk Assessments • Calculates absolute financial values, losses, and costs
§ Qualitative Risk Assessments • Calculates relative values, losses, and costs
Page 11Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Quantitative Risk Assessment § Uses numbers such as dollar values
§ Results can help you:
• Identify the priority of risks
• Determine the effectiveness of controls
Page 12Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Quantitative Risk Assessment Key Terms
Single loss expectancy (SLE)
Annual rate of occurrence (ARO)
Annual loss expectancy (ALE)
Safeguard value
Page 13Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Quantitative Risk Assessment Benefits § Becomes a simple math problem
§ Provides a cost-benefit analysis (CBA)
• Accurate values for SLE, ARO, and safeguard value let’s you calculate CBA
§ Management often familiar with quantitative assessment terminology; easy to grasp details of the assessment and its recommendations
§ Formulas use verifiable and objective measurements
Page 14Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Quantitative Risk Assessment Limitations § Accurate data isn’t always available
• Especially true when identifying ARO reductions
§ Ensuring that people use the control as expected
• May need to take additional steps, such as training, to ensure users are aware of the importance of the control
Page 15Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Qualitative Risk Assessment § Subjective
§ Probability
• The likelihood that a threat will exploit a vulnerability
§ Impact
• The negative result if a risk occurs
Page 16Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Using a Risk Matrix § Matching probability and impact
Page 17Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Qualitative Risk Assessment Benefits § Uses the opinions of experts
§ Is easy to complete
§ Uses words that are easy to express and understand
Page 18Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Qualitative Risk Assessment Limitations § Subjective
§ Based on expertise of the experts
• Value of the assessment is only as valuable as the expertise of the experts
§ No CBA
§ No real standards
Page 19Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Comparing Assessment Methods
Quantitative § Objective § Monetary values § Historical data § Key terms: • SLE, ARO, ALE
Qualitative § Subjective § Word values § Expert opinions § Key terms: • Probability
and impact
Page 20Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Risk Assessment Challenges § Using static process to evaluate a moving
target
§ Availability
§ Data consistency
§ Estimating impact effects
§ Providing results that support resource allocation and risk acceptance
Page 21Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Risk Assessment § Start with clear goals and a defined scope.
§ Enlist senior management support.
§ Build a strong RA team.
§ Repeat the RA regularly.
§ Define a methodology to use.
§ Provide a report of clear risks and clear recommendations.
Page 22Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Chapter 6 Slides
Chapter 6: “Performing a Risk Assessment”
Page 23Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Steps Used in Risk Assessments Identify assets and activities to address.
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate relevant countermeasures.
Assess threats, vulnerabilities, and exploits.
Evaluate risks.
Develop and present recommendations.
Page 24Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Selecting a Risk Assessment Methodology
Quantitative Qualitative
Page 25Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Prior to Conducting RA
Define the assessment. • Operational characteristics • Mission of the system
Review previous findings. • Recommendations • Current status of accepted recommendations • Unapproved recommendations
Page 26Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying the Management Structure § Refers to how responsibilities are assigned
• Helpful to keep the scope within the ownership of a single entity
§ Large organization may have multiple divisions:
• Network infrastructure
• User and computer management
• E-mail servers / Web servers / Database servers
• Configuration and change management
Page 27Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying Assets and Activities § Perform asset valuation
• Base on replacement or recovery value of the asset
• Ensure RA performed on current systems
• Evaluate only assets that are within the boundary of the RA
§ Prioritize importance
Page 28Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Elements to Consider when Determining Asset Value § System access and system availability
§ System functions
§ Hardware and software assets
§ Personnel assets
§ Data and information assets
§ Facilities and supplies
Page 29Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying and Evaluating Threats § Reviewing historical data
§ Threat modeling
§ Important to understand how threats interact with risks
Page 30Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying and Evaluating Vulnerabilities § A vulnerability is a weakness
• Can be a weakness in physical security, technical security, or operational security
• Can be procedural, technical, or administrative
§ All systems have vulnerabilities
§ Not all vulnerabilities result in a loss
Page 31Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying and Analyzing Countermeasures § In-Place Controls
• In place in the operational system • Supported by associated documentation
§ Planned Controls • Identified in planning documents • Specified implementation date
§ Control Categories • National Institute of Standards and Technology (NIST) • Three classes, 18 families of controls • Grouped as procedural, technical, and physical
Page 32Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Control Classes
Control Class Control Family Examples Procedural §Policies and procedures
§Security plans §Insurance §Awareness and training
Technical §Login identifier §System logs §Firewalls
Physical §Locked doors §Video cameras §Fire detection and suppression
Page 33Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved.
Developing Mitigating Recommendations
§ After performing analysis, provide specific recommendations that mitigate risks
§ Supporting data may include:
• Threat/vulnerability pairs
• Estimate of cost and time to implement
• Estimate of operational impact
• Cost-benefit analysis
Page 34Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Performing Risk Assessments
§ Ensure systems are fully described. § Review past audits. § Review past risk assessments. § Match the RA to the management
structure. § Identify assets within the RA boundaries.
Page 35Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Performing Risk Assessments (Cont.)
§ Identify and evaluate relevant threats. § Identify and evaluate relevant
vulnerabilities. § Identify and evaluate countermeasures. § Track the results.
Page 36Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Summary § Definition of a risk assessment § Components of risk assessments § Qualitative vs. quantitative risk assessment § When to perform risk assessments § Steps involved in a risk assessment § Identifying assets, threats, vulnerabilities § Evaluating controls and countermeasures