Practical Connection Assignment
Managing Risk in Information Systems
Lesson 1
Risk Management Fundamentals
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objective and Key Concepts
Learning Objective
Explain the basic concepts of risk management.
Key Concepts
Defining risk
Balancing risk
Seven domains of a typical IT infrastructure
Addressing confidentiality, integrity, and availability
What Is Risk?
Risk: The likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability.
Threat: Any activity that represents a possible danger.
Vulnerability: A weakness.
Loss: A loss results in a compromise to business functions or assets.
Tangible
Intangible
Risk-Related Concerns for Business
Compromise of business functions
Compromise of business assets
Driver of business costs
Profitability versus survivability
Seven Domains of a Typical IT Infrastructure
Figure 4-1: The seven domains of a typical IT infrastructure.
User domain
Includes usernames, passwords, biometric or other authentication, and social engineering.
Workstation Domain
Includes end-user systems, laptops, desktops, and cell phones.
LAN Domain
Includes equipment required to create an internal LAN, such as hubs, switches, and media.
LAN-WAN Domain
Includes the transition area between the LAN and the WAN, including the router and firewall.
WAN Domain
Includes routers and circuits connecting the wide area network.
System/Application Domain
Includes applications you run on your network, such as e-mail, database and Web applications.
Remote Access Domain
How remote or traveling users use your network, as in a Virtual Private Network (VPN).
Addressing CIA
Confidentiality
Integrity
Availability
Impact
Risk Management
Risk: Probability of Loss
Threat: Potential Harm
Vulnerability: System Weakness
Risk
Refers to the probability of loss of a valued resource:
Security, Profitability, Functionality, or Reputation.
Threat
Refers to a source that is defined as any circumstance or event with the potential to cause harm to an IT system.
Vulnerability
Refers to an error or weakness in the security system.
Risk Management Elements/Process
Assess risks
Identify risks to manage
Select controls
Implement and test controls
Evaluate controls
Survivability, and Balancing Risk and Cost
Consider the cost to implement a control and the cost of not implementing the control
Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business’s survivability
Cost to manage a risk must be balanced against the impact value
Role-based Perceptions of Risk
Management
System administrator
Tier 1 administrator
Developer
End user
Common Vulnerabilities and Exposures
Standard for Information Security Vulnerability Names
Risk Identification Process
Identify threats
Identify vulnerabilities
Estimate likelihood of a threat exploiting a vulnerability
| Component | Type or Source |
| Threats | External or internal; natural or man-made; intentional or accidental |
| Vulnerabilities | Audits; certification/accreditation records; system logs; prior events; trouble reports; incident response teams |
Risk Identification Elements
| Risk Identification | Ways of Identification | Management Techniques |
| Threats | Employee records; client files; financial reports; company history | Understand the threats; control the threats you can; come up with a plan of execution when threats arise |
| Vulnerabilities | Audits; prior event history; certification; accreditation; system logs; trouble reports | Develop a list of vulnerabilities (flaws and weaknesses) |
Techniques of Risk Management
Various Techniques of Risk Management
Avoidance
Mitigation
Cost-Benefit Analysis
Residual Risk
Acceptance
Transfer
Avoidance
To avoid the risk by eliminating the risk cause and/or consequence.
Example: Moving the organization out of a flood zone.
Mitigation
To institute measures to eliminate or reduce the vulnerability.
Example: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls.
Cost-Benefit Analysis (CBA)
To compare the impact of a realized risk to the cost associated with its mitigation. A CBA will include estimation of the likelihood of occurrence and impact of loss.
Example: If your organization is located on a mountain top, is it cost-effective to purchase flood insurance?
Transfer
To move the risk impact from the organization to another entity.
Example: To transfer the risk by using other options, such as purchasing insurance, to compensate for the loss.
Acceptance
To recognize that the risk cannot be economically mitigated and accept it as a “cost of doing business”.
Example: To accept that you cannot control the weather causing a power outage and your organization is temporarily disabled.
Residual Risk
To know the risk that remains after identified risks have been mitigated or accepted.
Example: A department determines that the cost for installing and maintaining add-on security software for the stand-alone personal computer (PC) that stores its sensitive files is not justifiable, but that administrative and physical controls should be implemented to make physical access to that PC more difficult.
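The "Balancing Risk and Cost" slide and the Cost-Benefit Analysis, Transfer, Acceptance and Residual Risk items above all turn on the same computation: the expected loss (likelihood of occurrence times impact value) with and without a control, set against what the control costs. The following is an added illustration written for this lesson, not code from the Jones and Bartlett material; the Risk and Control classes, the field names, and every dollar figure and probability are constructed for the example and carry no real-world meaning.

```python
"""Worked cost-benefit analysis of risk-management options (added example).

Models the lesson's terms with constructed numbers: a risk is a
likelihood of loss and an impact value; a control costs money and removes
some fraction of the likelihood and/or impact; the residual risk is what
remains after the control is applied.  A control is worth applying only
when the loss it avoids exceeds its own cost; otherwise the risk is
accepted as a cost of doing business.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # probability per year that the threat exploits the vulnerability (0..1)
    impact: float      # loss in dollars if it does (the "impact value")


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # cost to implement, test and maintain per year
    likelihood_reduction: float   # fraction of the likelihood removed (0..1)
    impact_reduction: float       # fraction of the impact removed (0..1)
    technique: str = "mitigation" # "mitigation" reduces the vulnerability; "transfer" moves the impact (e.g. insurance)


def expected_loss(risk: Risk) -> float:
    """Expected annual loss: likelihood of loss multiplied by impact value."""
    return risk.likelihood * risk.impact


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control has been applied."""
    return Risk(
        name=risk.name,
        likelihood=risk.likelihood * (1.0 - control.likelihood_reduction),
        impact=risk.impact * (1.0 - control.impact_reduction),
    )


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost.

    Negative means the control costs more than the loss it prevents, so
    the lesson's balance tips toward accepting the risk instead.
    """
    avoided = expected_loss(risk) - expected_loss(residual_risk(risk, control))
    return avoided - control.annual_cost


def recommend(risk: Risk, controls: List[Control]) -> Tuple[str, Optional[Control], float]:
    """Choose the control with the largest positive net benefit.

    Returns (technique, control, residual expected loss).  When no control
    pays for itself the technique is "accept" and the residual loss is
    the full expected loss of the untreated risk.
    """
    best: Optional[Control] = None
    best_gain = 0.0
    for control in controls:
        gain = net_benefit(risk, control)
        if gain > best_gain:
            best, best_gain = control, gain
    if best is None:
        return ("accept", None, expected_loss(risk))
    return (best.technique, best, expected_loss(residual_risk(risk, best)))


# Constructed sample register; the numbers are illustrative only.
RANSOMWARE = Risk("ransomware on the department file server", likelihood=0.20, impact=250_000.0)
OFFSITE_BACKUP = Control("tested offline backups", annual_cost=12_000.0,
                         likelihood_reduction=0.0, impact_reduction=0.80)
ADDON_SOFTWARE = Control("add-on security software on every endpoint", annual_cost=45_000.0,
                         likelihood_reduction=0.50, impact_reduction=0.0)

# The lesson's mountain-top flood example: very low likelihood, insurance is a transfer.
FLOOD = Risk("flood at a mountain-top site", likelihood=0.0001, impact=1_000_000.0)
FLOOD_INSURANCE = Control("flood insurance", annual_cost=2_000.0,
                          likelihood_reduction=0.0, impact_reduction=0.90, technique="transfer")


if __name__ == "__main__":
    for risk, options in ((RANSOMWARE, [OFFSITE_BACKUP, ADDON_SOFTWARE]), (FLOOD, [FLOOD_INSURANCE])):
        technique, control, residual = recommend(risk, options)
        chosen = control.name if control else "none"
        print(f"{risk.name}: expected loss ${expected_loss(risk):,.0f}/yr -> "
              f"{technique} ({chosen}), residual ${residual:,.0f}/yr")
```

Running the block shows the two outcomes the slides describe: offline backups avoid $40,000 of expected ransomware loss for $12,000 and are chosen over the $45,000 endpoint software that avoids only $25,000, leaving a residual expected loss of $10,000 per year; flood insurance at the mountain-top site costs far more than the roughly $100 of expected loss it would transfer, so the risk is accepted.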
Summary
Defining risk
Balancing risk
Seven domains of a typical IT infrastructure
Addressing confidentiality, integrity, and availability
OPTIONAL SLIDES
7/14/2014
Importance of Risk Management
Identifies threats and vulnerabilities
Reduces adverse impact
Improves organization survivability
Enhances cost-benefit awareness
Shows the need for risk reduction