SlideShare une entreprise Scribd logo

Dj24712716

IJERA Editor
IJERA Editor
1  sur  5
Télécharger pour lire hors ligne
Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 Risk Management Using Spiral Model for Information Technology Rajendra Ganpatrao Sabale, Dr. A.R Dani Student of Ph.D., Singhania University, Pacheri Bari, Dist. Jhunjhunu( Rajasthan), India International Institute of Informational Techonology,Pune(Maharashtra),India Abstract: Now a day almost everything has been digitized and networked either through Local Area Network or Internet. In this digital era, as organizations use automated information technology (IT) systems to process information for improved support to achieve their objectives, risk management plays a critical role in protecting an organization‘s information assets, and therefore its aim, from IT-related risk. This paper provides information about IT risk management and good practices to follow to minimize risk. It provides a foundation for the development of an effective risk management policy. Keywords : automated information, digitized, risk management Introduction: 1. An effective risk management process is an important component of a successful IT security program. .The risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. The principal goal of an organization‘s risk management process should be to protect the organization and its ability to perform their objectives. Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. 2. Purpose Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This paper provides groundwork for the development of a successful risk management program, 3. Objective The objective of performing risk management is to enable the organization to accomplish its task  By better securing the IT systems that store, process, or transmit organizational information;  By enabling management to exercise well-informed risk management decisions to justify the expenditures that are By assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management. 4. Target Addressees This paper provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include: part of an IT budget; The Designated Approving Authority whether to allow operation of an IT system The IT security program manager, who implements the security program  Information system security officers (ISSO), who are responsible for IT security  Business or functional managers, who are responsible for the IT procurement process  Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems  IT system and application programmers who develop and maintain code that could affect system and data integrity  Information system auditors, who audit IT systems (DAA), who is respond  IT consultants, who support clients in risk management. 712 | P a g e
Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 5. IMPORTANCE OF RISK MANAGEMENT Risk management encompasses three processes: risk assessment, risk evaluation and. risk mitigation Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of daily routine work. Minimizing negative impact on an organization and need for sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. sible for the final Effective risk management must be totally integrated into the System Development Life Cycle. Risk management can be performed in support of each system development life cycle phase. Phase 1—Initiation • Identified risks are used to support the development of the system requirements, including security requirements, and a security concept. Phase 2—Development or Acquisition • The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development of operations (strategy) decision Phase 3— The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation Phase 4—Operation or Maintenance • Risk management activities are performed for periodic system reauthorization (or reaccreditations) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces) Phase 5—Disposal • Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner 6. Risk Management Process Risk management process involves:  Identify Organizational Risks: By surveys, interviews, and solicitation of input across divisions and departments of Probability - The likelihood of risk getting realized o Inherent Risk - The nature of the risk event o Mitigation Control Effectiveness - The effectiveness of mitigation plans 6.1 How to identify Risks? Risk Management application provides tools to quickly put together surveys and polls for gathering inputs from professionals and employees. This data is then collated into a list of identified risks for the organization. The list can be reviewed periodically and updated based on existing business scenarios. A frequently used technique in security analysis, and in particular in risk identification, is so-called structured brainstorming (HazOp-analysis [18] is a kind of structured brainstorming). It may be understood as a structured ―walk-through‖ of the target of analysis. The main idea of structured brainstorming is that a group of people with different competencies and backgrounds will view the target from different perspectives and therefore identify more, and possibly other, risks than individuals or a more heterogeneous group. The input to a brainstorming session is various kinds of target models (e.g. UML models). The models are assessed in a stepwise and structured manner under the guidance of the security analysis leader. The identified risks are documented by an analysis secretary. Construction of a conceptual model based on standardized security risk analysis terminology is first step of developing language model. the most intuitive and common interpretations are used. The conceptual model can be seen as a kind of abstract syntax for the language, and is shown in diagram. The conceptual model using UML class diagram notation 713 | P a g e
Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 IT system throughout its SDLC. The conceptual model may be explained as follows: stakeholders are those people and organizations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity regarding the target of analysis An asset is something to which a stakeholder directly assigns value, and hence for which the stakeholder requires protection Assets are subject to vulnerabilities, which are weaknesses which can be exploited by one or more threats A threat is a potential cause of an unwanted incident 6.2 Risk Assessment Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization. Consequence is the level of impact that the potential risk event can have on the achievement of business objectives. Consequence will be measured on a 5 level rating Probability is the likelihood of occurrence of the potential risk event which may lead to the assessed consequences. Probability will be measured on a 5 level rating scale in the risk survey (25-Almost Certain, 20-likely, 15-Possible, 10-Unlikely, 5-Rare) 6.2.1 Calculating Inherent Risk Inherent risk signifies the exposure arising from a specific risk event before any action has been taken to manage it. Inherent Risk = Consequence X Probability Inherent risk rating will be exhibited on a 4 level rating scale (Extreme Risk, High Risk, Moderate Risk, Low Risk) 714 | P a g e
Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 6.3 Risk Assessment Report There are different kinds of risk assessment reports. As risk assessment follows risk identification, a lot of these documents will be based on the risk identification reports. Documentation is done in a systematic way and can be from different inputs. Some of stakeholder Analysis - Risk Report: This identifies probable risks posed by take holders and the impact the risk might have on other stakeholders or the project at large. WBS - Risk Report: The work breakdown structure, broken down to work packages can be assessed for risks. It may detail risks at different stages based on cost, schedule, resource and manpower factors. Scope - Risk Report: The scope statement or mission statement may be assessed for risks at the beginning of a project. For example, it could be the impact of a particular project on the community. Cost Evaluation Risk Report: Cost or funds are at constant risk in a project. It has to be maintained and controlled with as little deviation as possible from the forecasted values. Risks related to cost are in the cost evaluation risk reports. Schedule Evaluation Risk Report: Time is luxury that a project cannot afford. It is imperative that time schedules are met with as little delay as possible. Time delays can impact the progress of a project and put it at risk. Such risks are documented in the schedule evaluation risk report. Technical Evaluation Risk Report: Risks related to resources, manpower and departments fall under this category. Risks arising due to quality constraints and those which are due to design errors and poor planning also fall under this group. 6.3. Risk Mitigation A systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence is called risk mitigation. It is also called risk reduction. A solution to mitigate the risk is developed and modeled to determine the level of reduced risk versus the cost to implement. If the solution provides an acceptable level of reduction in risk 715 | P a g e
Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 for the associated cost, then it is considered successful and the process is complete. The RMP can be thought of as a spiral model that allows a user to complete the process and then review the results. If the risk mitigation process was successful, then the process stops at the end of the post-mitigation task. If the risk or cost is not acceptable, then the entire process is repeated to determine if it can be improved. Best practices require that the known and perceived risk be analyzed according to the degree and likelihood of the adverse results that are anticipated to take place. Thereafter, all such risks analyzed shall be documented according to their levels of priority in a form known as the risk mitigation plan. After which, the development and integration of the corresponding risk mitigation strategies follows, and shall be referenced against the previously prepared risk management plan. A risk mitigation plan shall serve as the checklist of the anticipated risks, accordance with degree of their probability, as High, Medium or Low. Some project managers, however, deem it more appropriate to categorize the risks as most Likely, Likely or Unlikely. There are different kinds of risk assessment reports. As risk assessment follows risk identification, a lot of these documents will be based on the risk identification reports. Documentation is done in a systematic way and can be from different inputs. Some of them are discussed below. 7. Good Security Practice The risk assessment process is usually repeated at least every 3 years. However, risk management should be conducted and integrated in the SDLC for IT systems, not because it is required by law or regulation, but because it is a good practice and supports the organization‘s business objectives. There should be a specific schedule for assessing and mitigating mission risks, but the Periodically performed process should also be flexible enough to allow changes where warranted, such as major changes to the IT system and processing environment due to changes resulting from policies and new technologies. 8. Keys for Success A successful risk management program will rely on (1) Senior management‘s commitment. (2) The full support and participation of the IT team (3) The competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization. (4) The awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization. (5) An ongoing evaluation and assessment of the IT-related mission risks. Reference : (1) Risk Management guide by National Institute of Standard Technology. (2) IT security and risk management by Verizon Business. (3) A graphical approach to risk identification, motivated by Empirical. 716 | P a g e

Recommandé

Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsVidyalankar Institute of Technology
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMChristopher Nanchengwa
 
DEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERDEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERChristopher Nanchengwa
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 

Recommandé

Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsVidyalankar Institute of Technology
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01Information systems risk assessment frame workisraf 130215042410-phpapp01
Information systems risk assessment frame workisraf 130215042410-phpapp01S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMChristopher Nanchengwa
 
DEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERDEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERChristopher Nanchengwa
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Risk Assessment Case Study
Risk Assessment Case StudyRisk Assessment Case Study
Risk Assessment Case StudyPraveen Vackayil
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...IAEME Publication
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsArun Prabhakar
 
Risk Management
Risk ManagementRisk Management
Risk ManagementAshis Kumar Chanda
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementComputer Aid, Inc
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningKeyaan Williams
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
NIST 800 30 revision Sep 2012
NIST 800 30 revision Sep 2012NIST 800 30 revision Sep 2012
NIST 800 30 revision Sep 2012S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Managementtschraider
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityIJCSIS Research Publications
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best PracticeDigicomp Academy AG
 
Octav ethreat profiles
Octav ethreat profilesOctav ethreat profiles
Octav ethreat profilesFrancis Esquivel Cuenca
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk AssessmentSmart Assessment
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsSatori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsDean Evans
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Proactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyProactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyLindsey Landolfi
 
Risk management in Software Industry
Risk management in Software IndustryRisk management in Software Industry
Risk management in Software IndustryRehan Akhtar
 
Ck24574578
Ck24574578Ck24574578
Ck24574578IJERA Editor
 
Co24593599
Co24593599Co24593599
Co24593599IJERA Editor
 

Contenu connexe

Tendances

Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Risk Assessment Case Study
Risk Assessment Case StudyRisk Assessment Case Study
Risk Assessment Case StudyPraveen Vackayil
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...IAEME Publication
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsArun Prabhakar
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningKeyaan Williams
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Managementtschraider
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityIJCSIS Research Publications
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best PracticeDigicomp Academy AG
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsSatori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsDean Evans
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Proactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyProactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyLindsey Landolfi
 
Risk management in Software Industry
Risk management in Software IndustryRisk management in Software Industry
Risk management in Software IndustryRehan Akhtar
 

Tendances (20)

Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Risk Assessment Case Study
Risk Assessment Case StudyRisk Assessment Case Study
Risk Assessment Case Study
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...Relative risk benchmarking enabling better decision making for managing infor...
Relative risk benchmarking enabling better decision making for managing infor...
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification Solutions
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic Planning
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
 
NIST 800 30 revision Sep 2012
NIST 800 30 revision Sep 2012NIST 800 30 revision Sep 2012
NIST 800 30 revision Sep 2012
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Management
 
Risk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network SecurityRisk Assessment: Approach to enhance Network Security
Risk Assessment: Approach to enhance Network Security
 
IT-Risk-Management Best Practice
IT-Risk-Management Best PracticeIT-Risk-Management Best Practice
IT-Risk-Management Best Practice
 
Octav ethreat profiles
Octav ethreat profilesOctav ethreat profiles
Octav ethreat profiles
 
ISO 27005 Risk Assessment
ISO 27005 Risk AssessmentISO 27005 Risk Assessment
ISO 27005 Risk Assessment
 
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threatsSatori Whitepaper: Threat Intelligence - a path to taming digital threats
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Proactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyProactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security Strategy
 
Risk management in Software Industry
Risk management in Software IndustryRisk management in Software Industry
Risk management in Software Industry
 

En vedette

Lost mircevski viktor
Lost mircevski viktorLost mircevski viktor
Lost mircevski viktorIlcho Cenev
 
FELIZ NAVIDAD
FELIZ NAVIDADFELIZ NAVIDAD
FELIZ NAVIDADtrana
 
Ppt 3
Ppt 3Ppt 3
Ppt 3INFOD
 
Repositório
RepositórioRepositório
RepositórioPriifante
 
Comportamento e Influência entre Jogadores num Jogo Social Online
Comportamento e Influência entre Jogadores num Jogo Social Online Comportamento e Influência entre Jogadores num Jogo Social Online
Comportamento e Influência entre Jogadores num Jogo Social OnlineYucca Studios
 
Presentacion economia
Presentacion economiaPresentacion economia
Presentacion economiaMARIA
 
Ley organica reformatoria ala ley electoral y de organizaciones politicas
Ley organica reformatoria ala ley electoral y de organizaciones politicasLey organica reformatoria ala ley electoral y de organizaciones politicas
Ley organica reformatoria ala ley electoral y de organizaciones politicasRobert Gallegos
 

En vedette (20)

Ck24574578
Ck24574578Ck24574578
Ck24574578
 
Co24593599
Co24593599Co24593599
Co24593599
 
Cu24631635
Cu24631635Cu24631635
Cu24631635
 
Cg24551555
Cg24551555Cg24551555
Cg24551555
 
Dx24785787
Dx24785787Dx24785787
Dx24785787
 
Dn24733737
Dn24733737Dn24733737
Dn24733737
 
De24686692
De24686692De24686692
De24686692
 
Ef24836841
Ef24836841Ef24836841
Ef24836841
 
Ep24889895
Ep24889895Ep24889895
Ep24889895
 
nose
nosenose
nose
 
Lost mircevski viktor
Lost mircevski viktorLost mircevski viktor
Lost mircevski viktor
 
FELIZ NAVIDAD
FELIZ NAVIDADFELIZ NAVIDAD
FELIZ NAVIDAD
 
Ppt 3
Ppt 3Ppt 3
Ppt 3
 
Busuu
BusuuBusuu
Busuu
 
Repositório
RepositórioRepositório
Repositório
 
Comportamento e Influência entre Jogadores num Jogo Social Online
Comportamento e Influência entre Jogadores num Jogo Social Online Comportamento e Influência entre Jogadores num Jogo Social Online
Comportamento e Influência entre Jogadores num Jogo Social Online
 
Presentacion economia
Presentacion economiaPresentacion economia
Presentacion economia
 
Ley organica reformatoria ala ley electoral y de organizaciones politicas
Ley organica reformatoria ala ley electoral y de organizaciones politicasLey organica reformatoria ala ley electoral y de organizaciones politicas
Ley organica reformatoria ala ley electoral y de organizaciones politicas
 
Escola sustentável
Escola sustentávelEscola sustentável
Escola sustentável
 
CurriculumVitae
CurriculumVitaeCurriculumVitae
CurriculumVitae
 

Similaire à Dj24712716

Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Editor IJCATR
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docxgilbertkpeters11344
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxSUBHI7
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxcravennichole326
 
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaDEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaLinaCovington707
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTINFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTNi
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB
 
Software IT risk-management
Software IT risk-managementSoftware IT risk-management
Software IT risk-managementgufranresearcher
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fairiaemedu
 
Best Open Threat Management Platform in USA
Best Open Threat Management Platform in USABest Open Threat Management Platform in USA
Best Open Threat Management Platform in USACompanySeceon
 
1. security management practices
1. security management practices1. security management practices
1. security management practices7wounders
 
Vulnerability Management.pdf
Vulnerability Management.pdfVulnerability Management.pdf
Vulnerability Management.pdfIntuitiveCloud
 

Similaire à Dj24712716 (20)

Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Risk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docxRisk management planExecutive SummaryThe past.docx
Risk management planExecutive SummaryThe past.docx
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
 
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaDEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENTINFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEs
 
Software IT risk-management
Software IT risk-managementSoftware IT risk-management
Software IT risk-management
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fair
 
Best Open Threat Management Platform in USA
Best Open Threat Management Platform in USABest Open Threat Management Platform in USA
Best Open Threat Management Platform in USA
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
Grupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptxGrupo 4 - TEMA II.pptx
Grupo 4 - TEMA II.pptx
 
Cybersecurity
Cybersecurity Cybersecurity
Cybersecurity
 
800-30.pptx
800-30.pptx800-30.pptx
800-30.pptx
 
Vulnerability Management.pdf
Vulnerability Management.pdfVulnerability Management.pdf
Vulnerability Management.pdf
 

Dj24712716

  • 1. Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 Risk Management Using Spiral Model for Information Technology Rajendra Ganpatrao Sabale, Dr. A.R Dani Student of Ph.D., Singhania University, Pacheri Bari, Dist. Jhunjhunu( Rajasthan), India International Institute of Informational Techonology,Pune(Maharashtra),India Abstract: Now a day almost everything has been digitized and networked either through Local Area Network or Internet. In this digital era, as organizations use automated information technology (IT) systems to process information for improved support to achieve their objectives, risk management plays a critical role in protecting an organization‘s information assets, and therefore its aim, from IT-related risk. This paper provides information about IT risk management and good practices to follow to minimize risk. It provides a foundation for the development of an effective risk management policy. Keywords : automated information, digitized, risk management Introduction: 1. An effective risk management process is an important component of a successful IT security program. .The risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. The principal goal of an organization‘s risk management process should be to protect the organization and its ability to perform their objectives. Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. 2. Purpose Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This paper provides groundwork for the development of a successful risk management program, 3. Objective The objective of performing risk management is to enable the organization to accomplish its task  By better securing the IT systems that store, process, or transmit organizational information;  By enabling management to exercise well-informed risk management decisions to justify the expenditures that are By assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management. 4. Target Addressees This paper provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include: part of an IT budget; The Designated Approving Authority whether to allow operation of an IT system The IT security program manager, who implements the security program  Information system security officers (ISSO), who are responsible for IT security  Business or functional managers, who are responsible for the IT procurement process  Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems  IT system and application programmers who develop and maintain code that could affect system and data integrity  Information system auditors, who audit IT systems (DAA), who is respond  IT consultants, who support clients in risk management. 712 | P a g e
  • 2. Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 5. IMPORTANCE OF RISK MANAGEMENT Risk management encompasses three processes: risk assessment, risk evaluation and. risk mitigation Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of daily routine work. Minimizing negative impact on an organization and need for sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. sible for the final Effective risk management must be totally integrated into the System Development Life Cycle. Risk management can be performed in support of each system development life cycle phase. Phase 1—Initiation • Identified risks are used to support the development of the system requirements, including security requirements, and a security concept. Phase 2—Development or Acquisition • The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development of operations (strategy) decision Phase 3— The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation Phase 4—Operation or Maintenance • Risk management activities are performed for periodic system reauthorization (or reaccreditations) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces) Phase 5—Disposal • Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner 6. Risk Management Process Risk management process involves:  Identify Organizational Risks: By surveys, interviews, and solicitation of input across divisions and departments of Probability - The likelihood of risk getting realized o Inherent Risk - The nature of the risk event o Mitigation Control Effectiveness - The effectiveness of mitigation plans 6.1 How to identify Risks? Risk Management application provides tools to quickly put together surveys and polls for gathering inputs from professionals and employees. This data is then collated into a list of identified risks for the organization. The list can be reviewed periodically and updated based on existing business scenarios. A frequently used technique in security analysis, and in particular in risk identification, is so-called structured brainstorming (HazOp-analysis [18] is a kind of structured brainstorming). It may be understood as a structured ―walk-through‖ of the target of analysis. The main idea of structured brainstorming is that a group of people with different competencies and backgrounds will view the target from different perspectives and therefore identify more, and possibly other, risks than individuals or a more heterogeneous group. The input to a brainstorming session is various kinds of target models (e.g. UML models). The models are assessed in a stepwise and structured manner under the guidance of the security analysis leader. The identified risks are documented by an analysis secretary. Construction of a conceptual model based on standardized security risk analysis terminology is first step of developing language model. the most intuitive and common interpretations are used. The conceptual model can be seen as a kind of abstract syntax for the language, and is shown in diagram. The conceptual model using UML class diagram notation 713 | P a g e
  • 3. Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 IT system throughout its SDLC. The conceptual model may be explained as follows: stakeholders are those people and organizations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity regarding the target of analysis An asset is something to which a stakeholder directly assigns value, and hence for which the stakeholder requires protection Assets are subject to vulnerabilities, which are weaknesses which can be exploited by one or more threats A threat is a potential cause of an unwanted incident 6.2 Risk Assessment Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization. Consequence is the level of impact that the potential risk event can have on the achievement of business objectives. Consequence will be measured on a 5 level rating Probability is the likelihood of occurrence of the potential risk event which may lead to the assessed consequences. Probability will be measured on a 5 level rating scale in the risk survey (25-Almost Certain, 20-likely, 15-Possible, 10-Unlikely, 5-Rare) 6.2.1 Calculating Inherent Risk Inherent risk signifies the exposure arising from a specific risk event before any action has been taken to manage it. Inherent Risk = Consequence X Probability Inherent risk rating will be exhibited on a 4 level rating scale (Extreme Risk, High Risk, Moderate Risk, Low Risk) 714 | P a g e
  • 4. Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 6.3 Risk Assessment Report There are different kinds of risk assessment reports. As risk assessment follows risk identification, a lot of these documents will be based on the risk identification reports. Documentation is done in a systematic way and can be from different inputs. Some of stakeholder Analysis - Risk Report: This identifies probable risks posed by take holders and the impact the risk might have on other stakeholders or the project at large. WBS - Risk Report: The work breakdown structure, broken down to work packages can be assessed for risks. It may detail risks at different stages based on cost, schedule, resource and manpower factors. Scope - Risk Report: The scope statement or mission statement may be assessed for risks at the beginning of a project. For example, it could be the impact of a particular project on the community. Cost Evaluation Risk Report: Cost or funds are at constant risk in a project. It has to be maintained and controlled with as little deviation as possible from the forecasted values. Risks related to cost are in the cost evaluation risk reports. Schedule Evaluation Risk Report: Time is luxury that a project cannot afford. It is imperative that time schedules are met with as little delay as possible. Time delays can impact the progress of a project and put it at risk. Such risks are documented in the schedule evaluation risk report. Technical Evaluation Risk Report: Risks related to resources, manpower and departments fall under this category. Risks arising due to quality constraints and those which are due to design errors and poor planning also fall under this group. 6.3. Risk Mitigation A systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence is called risk mitigation. It is also called risk reduction. A solution to mitigate the risk is developed and modeled to determine the level of reduced risk versus the cost to implement. If the solution provides an acceptable level of reduction in risk 715 | P a g e
  • 5. Rajendra Ganpatrao Sabale, Dr. A.R Dani / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 4, June-July 2012, pp.712-716 for the associated cost, then it is considered successful and the process is complete. The RMP can be thought of as a spiral model that allows a user to complete the process and then review the results. If the risk mitigation process was successful, then the process stops at the end of the post-mitigation task. If the risk or cost is not acceptable, then the entire process is repeated to determine if it can be improved. Best practices require that the known and perceived risk be analyzed according to the degree and likelihood of the adverse results that are anticipated to take place. Thereafter, all such risks analyzed shall be documented according to their levels of priority in a form known as the risk mitigation plan. After which, the development and integration of the corresponding risk mitigation strategies follows, and shall be referenced against the previously prepared risk management plan. A risk mitigation plan shall serve as the checklist of the anticipated risks, accordance with degree of their probability, as High, Medium or Low. Some project managers, however, deem it more appropriate to categorize the risks as most Likely, Likely or Unlikely. There are different kinds of risk assessment reports. As risk assessment follows risk identification, a lot of these documents will be based on the risk identification reports. Documentation is done in a systematic way and can be from different inputs. Some of them are discussed below. 7. Good Security Practice The risk assessment process is usually repeated at least every 3 years. However, risk management should be conducted and integrated in the SDLC for IT systems, not because it is required by law or regulation, but because it is a good practice and supports the organization‘s business objectives. There should be a specific schedule for assessing and mitigating mission risks, but the Periodically performed process should also be flexible enough to allow changes where warranted, such as major changes to the IT system and processing environment due to changes resulting from policies and new technologies. 8. Keys for Success A successful risk management program will rely on (1) Senior management‘s commitment. (2) The full support and participation of the IT team (3) The competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization. (4) The awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization. (5) An ongoing evaluation and assessment of the IT-related mission risks. Reference : (1) Risk Management guide by National Institute of Standard Technology. (2) IT security and risk management by Verizon Business. (3) A graphical approach to risk identification, motivated by Empirical. 716 | P a g e