Risk Assessment Plan

profileNIK-raj
risk_ppt08_l03-Week3.pdf

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Managing Risk in Information Systems

Lesson 3 Concepts of Risk Assessment

Page 2Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Learning Objectives § Describe techniques for identifying and

analyzing relevant threats, vulnerabilities, and exploits.

§ Describe process of performing a risk assessment.

Page 3Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Key Concepts § Definition of a risk assessment § Components of risk assessments § Qualitative vs. quantitative risk assessment § When to perform risk assessments § Steps involved in a risk assessment § Identifying assets, threats, vulnerabilities § Evaluating controls and countermeasures

Page 4Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Chapter 5 Slides

Chapter 5: “Defining Risk Assessment Approaches”

Page 5Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

What Is Risk Assessment? § Key step in a risk management process § Determination of quantitative or qualitative value

of risk § Conducted for concrete situation and

recognized threat § Used to help identify which safeguards (controls)

to implement § Required for evaluating risk or control § Often conducted after implementation of a control

Page 6Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Why Is Risk Assessment Important?

§ Identifies which systems/assets to protect

§ Gives insight into which controls provide the most value

Page 7Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

When Should a Risk Assessment Be Conducted?

When evaluating risk

When evaluating a control

Periodically after a control has been implemented

Page 8Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Critical Components of Risk Assessment

Identify scope of assessment

Identify critical areas

Identify team

Page 9Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identify Potential Scope for Web Server RA

§ Web server § Database server

§ Firewalls § DMZ

Page 10Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Quantitative and Qualitative RAs

§ Quantitative Risk Assessments • Calculates absolute financial values, losses, and costs

§ Qualitative Risk Assessments • Calculates relative values, losses, and costs

Page 11Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Quantitative Risk Assessment § Uses numbers such as dollar values

§ Results can help you:

• Identify the priority of risks

• Determine the effectiveness of controls

Page 12Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Quantitative Risk Assessment Key Terms

Single loss expectancy (SLE)

Annual rate of occurrence (ARO)

Annual loss expectancy (ALE)

Safeguard value

Page 13Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Quantitative Risk Assessment Benefits § Becomes a simple math problem

§ Provides a cost-benefit analysis (CBA)

• Accurate values for SLE, ARO, and safeguard value let’s you calculate CBA

§ Management often familiar with quantitative assessment terminology; easy to grasp details of the assessment and its recommendations

§ Formulas use verifiable and objective measurements

Page 14Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Quantitative Risk Assessment Limitations § Accurate data isn’t always available

• Especially true when identifying ARO reductions

§ Ensuring that people use the control as expected

• May need to take additional steps, such as training, to ensure users are aware of the importance of the control

Page 15Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Qualitative Risk Assessment § Subjective

§ Probability

• The likelihood that a threat will exploit a vulnerability

§ Impact

• The negative result if a risk occurs

Page 16Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Using a Risk Matrix § Matching probability and impact

Page 17Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Qualitative Risk Assessment Benefits § Uses the opinions of experts

§ Is easy to complete

§ Uses words that are easy to express and understand

Page 18Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Qualitative Risk Assessment Limitations § Subjective

§ Based on expertise of the experts

• Value of the assessment is only as valuable as the expertise of the experts

§ No CBA

§ No real standards

Page 19Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Comparing Assessment Methods

Quantitative § Objective § Monetary values § Historical data § Key terms: • SLE, ARO, ALE

Qualitative § Subjective § Word values § Expert opinions § Key terms: • Probability

and impact

Page 20Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Risk Assessment Challenges § Using static process to evaluate a moving

target

§ Availability

§ Data consistency

§ Estimating impact effects

§ Providing results that support resource allocation and risk acceptance

Page 21Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Risk Assessment § Start with clear goals and a defined scope.

§ Enlist senior management support.

§ Build a strong RA team.

§ Repeat the RA regularly.

§ Define a methodology to use.

§ Provide a report of clear risks and clear recommendations.

Page 22Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Chapter 6 Slides

Chapter 6: “Performing a Risk Assessment”

Page 23Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Steps Used in Risk Assessments Identify assets and activities to address.

Identify and evaluate relevant threats.

Identify and evaluate relevant vulnerabilities.

Identify and evaluate relevant countermeasures.

Assess threats, vulnerabilities, and exploits.

Evaluate risks.

Develop and present recommendations.

Page 24Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Selecting a Risk Assessment Methodology

Quantitative Qualitative

Page 25Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Prior to Conducting RA

Define the assessment. • Operational characteristics • Mission of the system

Review previous findings. • Recommendations • Current status of accepted recommendations • Unapproved recommendations

Page 26Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying the Management Structure § Refers to how responsibilities are assigned

• Helpful to keep the scope within the ownership of a single entity

§ Large organization may have multiple divisions:

• Network infrastructure

• User and computer management

• E-mail servers / Web servers / Database servers

• Configuration and change management

Page 27Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying Assets and Activities § Perform asset valuation

• Base on replacement or recovery value of the asset

• Ensure RA performed on current systems

• Evaluate only assets that are within the boundary of the RA

§ Prioritize importance

Page 28Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Elements to Consider when Determining Asset Value § System access and system availability

§ System functions

§ Hardware and software assets

§ Personnel assets

§ Data and information assets

§ Facilities and supplies

Page 29Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying and Evaluating Threats § Reviewing historical data

§ Threat modeling

§ Important to understand how threats interact with risks

Page 30Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying and Evaluating Vulnerabilities § A vulnerability is a weakness

• Can be a weakness in physical security, technical security, or operational security

• Can be procedural, technical, or administrative

§ All systems have vulnerabilities

§ Not all vulnerabilities result in a loss

Page 31Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying and Analyzing Countermeasures § In-Place Controls

• In place in the operational system • Supported by associated documentation

§ Planned Controls • Identified in planning documents • Specified implementation date

§ Control Categories • National Institute of Standards and Technology (NIST) • Three classes, 18 families of controls • Grouped as procedural, technical, and physical

Page 32Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Control Classes

Control Class Control Family Examples Procedural §Policies and procedures

§Security plans §Insurance §Awareness and training

Technical §Login identifier §System logs §Firewalls

Physical §Locked doors §Video cameras §Fire detection and suppression

Page 33Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com All rights reserved.

Developing Mitigating Recommendations

§ After performing analysis, provide specific recommendations that mitigate risks

§ Supporting data may include:

• Threat/vulnerability pairs

• Estimate of cost and time to implement

• Estimate of operational impact

• Cost-benefit analysis

Page 34Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Performing Risk Assessments

§ Ensure systems are fully described. § Review past audits. § Review past risk assessments. § Match the RA to the management

structure. § Identify assets within the RA boundaries.

Page 35Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Performing Risk Assessments (Cont.)

§ Identify and evaluate relevant threats. § Identify and evaluate relevant

vulnerabilities. § Identify and evaluate countermeasures. § Track the results.

Page 36Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Summary § Definition of a risk assessment § Components of risk assessments § Qualitative vs. quantitative risk assessment § When to perform risk assessments § Steps involved in a risk assessment § Identifying assets, threats, vulnerabilities § Evaluating controls and countermeasures