Practical Connection Assignment
Managing Risk in Information Systems
Lesson 6
Performing a Risk Assessment
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objectives
Describe the process of performing a risk assessment.
Key Concepts
Steps involved in a risk assessment
Identifying assets, threats, vulnerabilities
Evaluating controls and countermeasures
Chapter 6 Slides
Chapter 6: “Performing a Risk Assessment”
Steps Used in Risk Assessments
Identify assets and activities to address.
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate relevant countermeasures.
Assess threats, vulnerabilities, and exploits.
Evaluate risks.
Develop and present recommendations.
Selecting a Risk Assessment Methodology
Quantitative: assigns numeric values (asset value in dollars, probability and rate of occurrence, expected annual loss) to each risk.
Qualitative: assigns relative ratings (for example, High/Medium/Low) to the likelihood and impact of each risk.
Prior to Conducting RA
Define the assessment.
  Operational characteristics
  Mission of the system
Review previous findings.
  Recommendations
  Current status of accepted recommendations
  Unapproved recommendations
Identifying the Management Structure
Refers to how responsibilities are assigned
Helpful to keep the scope within the ownership of a single entity
Large organization may have multiple divisions:
Network infrastructure
User and computer management
E-mail servers / Web servers / Database servers
Configuration and change management
Identifying Assets and Activities
Perform asset valuation.
Base it on the replacement or recovery value of the asset.
Ensure the RA is performed on the systems as currently deployed, not as originally designed.
Evaluate only assets that are within the boundary of the RA.
Prioritize assets by importance.
Elements to Consider when Determining Asset Value
System access and system availability
System functions
Hardware and software assets
Personnel assets
Data and information assets
Facilities and supplies
Identifying and Evaluating Threats
Reviewing historical data
Threat modeling
Important to understand how threats interact with vulnerabilities: a threat becomes a risk only where a vulnerability it can exploit is present.
Identifying and Evaluating Vulnerabilities
A vulnerability is a weakness
Can be a weakness in physical security, technical security, or operational security
Can be procedural, technical, or administrative
All systems have vulnerabilities
Not all vulnerabilities result in a loss
Identifying and Analyzing Countermeasures
In-Place Controls
In place in the operational system
Supported by associated documentation
Planned Controls
Identified in planning documents
Specified implementation date
Control Categories
National Institute of Standards and Technology (NIST)
NIST SP 800-53 (Rev. 3) defines 18 control families, which NIST groups into three classes: management, operational, and technical.
This text groups controls as procedural, technical, and physical.
Control Classes
| Control Class | Control Family Examples |
| Procedural | Policies and procedures; security plans; insurance; awareness and training |
| Technical | Login identifiers; system logs; firewalls |
| Physical | Locked doors; video cameras; fire detection and suppression |
Developing Mitigating Recommendations
After performing analysis, provide specific recommendations that mitigate risks
Supporting data may include:
Threat/vulnerability pairs
Estimate of cost and time to implement
Estimate of operational impact
Cost-benefit analysis
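The following is an added worked example, not code from the slides or the textbook. It carries the steps above through in one place: it rates each threat/vulnerability pair qualitatively (likelihood x impact), values it quantitatively, and produces a cost-benefit figure for a candidate countermeasure. The formulas used are the standard quantitative risk assessment ones (SLE = AV x EF, ALE = SLE x ARO, net benefit = ALE before minus ALE after minus annual control cost); the slides themselves name no formula, so treat that choice as an assumption. The asset, threat/vulnerability pairs, countermeasures and dollar figures are constructed for illustration.

```python
"""Worked risk assessment: qualitative rating plus quantitative cost-benefit.

Added example for the slides above; not from the textbook. The formulas are
the standard quantitative risk assessment ones (the slides name none):
    SLE = AV x EF        single loss expectancy
    ALE = SLE x ARO      annualized loss expectancy
    net benefit = ALE(before) - ALE(after control) - annual control cost
All assets, threat/vulnerability pairs and dollar figures below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: replacement or recovery value, in dollars


@dataclass(frozen=True)
class ThreatVulnPair:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year
    likelihood: str         # qualitative: Low / Medium / High
    impact: str             # qualitative: Low / Medium / High


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # set if the control limits impact
    new_aro: Optional[float] = None              # set if the control lowers likelihood


LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """3x3 likelihood x impact matrix: scores 6-9 High, 3-4 Medium, 1-2 Low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def sle(pair: ThreatVulnPair) -> float:
    return pair.asset.value * pair.exposure_factor


def ale(pair: ThreatVulnPair) -> float:
    return sle(pair) * pair.aro


def residual_ale(pair: ThreatVulnPair, cm: Countermeasure) -> float:
    """ALE that remains once the control is in place."""
    ef = pair.exposure_factor if cm.new_exposure_factor is None else cm.new_exposure_factor
    aro = pair.aro if cm.new_aro is None else cm.new_aro
    return pair.asset.value * ef * aro


def net_benefit(pair: ThreatVulnPair, cm: Countermeasure) -> float:
    """Annual loss avoided by the control minus what the control costs per year."""
    return ale(pair) - residual_ale(pair, cm) - cm.annual_cost


def recommend(candidates: List[Tuple[ThreatVulnPair, Countermeasure]]) -> List[Dict]:
    """Evaluate (pair, countermeasure) candidates, highest ALE first.
    A control is flagged 'recommended' when it pays for itself on cost alone;
    a negative net benefit may still be justified by non-financial factors."""
    rows = []
    for pair, cm in candidates:
        rows.append({
            "threat_vuln": f"{pair.threat} / {pair.vulnerability}",
            "qualitative": qualitative_rating(pair.likelihood, pair.impact),
            "ale_before": ale(pair),
            "ale_after": residual_ale(pair, cm),
            "control": cm.name,
            "net_benefit": net_benefit(pair, cm),
            "recommended": net_benefit(pair, cm) > 0,
        })
    rows.sort(key=lambda r: r["ale_before"], reverse=True)
    return rows


# Constructed sample inside one RA boundary: a single database server.
DB = Asset("Customer database server", value=500_000)

SQLI = ThreatVulnPair(DB, "SQL injection by external attacker",
                      "unvalidated input in web application",
                      exposure_factor=0.4, aro=0.5,
                      likelihood="High", impact="High")
DISK = ThreatVulnPair(DB, "Hardware failure",
                      "single, non-redundant disk",
                      exposure_factor=0.1, aro=0.2,
                      likelihood="Low", impact="Medium")

CANDIDATES = [
    (SQLI, Countermeasure("Parameterized queries plus WAF", annual_cost=30_000, new_aro=0.05)),
    (DISK, Countermeasure("Redundant storage array", annual_cost=15_000, new_aro=0.02)),
]

if __name__ == "__main__":
    for r in recommend(CANDIDATES):
        print(f"{r['threat_vuln']}: {r['qualitative']} risk, ALE ${r['ale_before']:,.0f} -> "
              f"${r['ale_after']:,.0f} with {r['control']}; net ${r['net_benefit']:,.0f}; "
              f"{'recommend' if r['recommended'] else 'does not pay for itself'}")
```

Running it lists the SQL injection pair first (ALE $100,000, reduced to $10,000 for $30,000 a year, so a net benefit of $60,000) and the disk-failure pair second (ALE $10,000, where the $15,000 control does not pay for itself). The output rows are the supporting data the slide calls for: the threat/vulnerability pair, the cost estimate, and the cost-benefit figure behind each recommendation.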
Best Practices for Performing Risk Assessments
Ensure systems are fully described.
Review past audits.
Review past risk assessments.
Match the RA to the management structure.
Identify assets within the RA boundaries.
Best Practices for Performing Risk Assessments (Cont.)
Identify and evaluate relevant threats.
Identify and evaluate relevant vulnerabilities.
Identify and evaluate countermeasures.
Track the results.
Summary
Definition of a risk assessment
Components of risk assessments
Qualitative vs. quantitative risk assessment
When to perform risk assessments
Steps involved in a risk assessment
Identifying assets, threats, vulnerabilities
Evaluating controls and countermeasures