SlideShare a Scribd company logo

CISSP Chapter 1 Risk Management

Download as PPTX, PDF
K
Karthikeyan Dhayalan

CISSP Chapter 1, Risk Management

Education
1 of 30
Risk Management Predict – Preempt – Protect Karthikeyan Dhayalan
Risk Management • Process of identifying and assessing risk, reducing it to an acceptable level • Risk Analysis • The process by which the goals of risk management are achieved • Includes examining an environment for risk, evaluating each threat event to its likelihood and the cost of damage, creating cost/benefit report for safeguards to present to management. • NIST 800-39 defines 3 tiers of risk management • Organizational tier – Concerned with the risk to the business as a whole • Business process tier – Deals with a major function within the organization • Information Systems tier – Addresses risk from a information system perspective
Risk Terminologies Asset •Anything that has value Threat •Any potential occurrence that may cause an undesirable outcome on the asset Threat Agent •The entity that takes advantage of the vulnerability Vulnerability •Weakness in an asset or absence/weakness in the control measure Exposure •Being susceptible to asset loss due to threat; instance of threat taking advantage of vulnerability; always measured in % Risk • Likelihood threat will exploit the vulnerability; Risk = Threat * Vulnerability*impact Safeguard • Anything that removes or reduces a vulnerability or protects against threat
Information Systems Risk Management Policy • Should be a subset of Overall Risk Management Policy • It provides the foundation and direction for organizations security and risk management process and procedures • Should address the following • Objectives of ISRM Team • Risk appetite • Formal process for Risk identification • Connection between ISRM and Organization’s strategic planning process • Roles and Responsibilities of ISRM Team • Mapping of Risk to Internal controls • Mapping of Risk to performance targets • Key indicators to monitor the effectiveness of controls
Risk Management Process • 4 Interrelated components that comprise the risk management process • Frame Risk: • Defines the context within which all risk activities takes place • Assess Risk: • Most critical aspect of the process; assessing the risks to determine mitigation strategies • Respond to Risk: • Determining the risk response options available • Monitor Risk: • Continuously monitor the effectiveness of controls against the risks as well as look for new risks.
Risk Analysis • Risk Assessment – Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement the security controls • Risk Analysis • Carried out after risk assessment; ensures security is cost-effective, relevant, timely and responsive to the threats • Helps prioritize risks and shows management the amount of resources needed to protect in a sensible manner • 4 main goals of risk analysis • Identify Assets and their values to the organization • Identify vulnerabilities and threats • Quantify the probability and business impact of these potential threats • Provide cost benefit analysis of the safeguard • Risk Analysis must be supported and directed by senior management • Management must define the purpose and scope of analysis, appoint a team to carry out assessment and allocate necessary resources • Risk Analysis helps integrate the security objectives with the business objectives
1. Asset Valuation • Aspects to consider when assigning value to the assets • Cost to acquire or develop • Cost to maintain and protect • Value to owner and users • Value to adversaries • Price others are willing to pay • Cost to replace the asset if lost • Operational and production activities affect if the asset is not available • Liability issues if the asset is compromised • Usefulness and role of the asset in the organization
Asset Valuation - Benefits • Helps in performing effective cost/benefit analysis • Helps select specific countermeasures and safeguards • Determine the level of insurance coverage to purchase • Understand what exactly is at risk • Comply with legal and regulatory requirements
Identifying Vulnerability and Threats • Loss Potential • What the company will loose if a threat agent actually takes advantage of a vulnerability • Eg: data corruption, destruction, information disclosure • Delayed Loss • Its is secondary in nature and takes place well after a vulnerability is exploited • May include damage to reputation, loss of market, accrued penalties etc.
Risk Assessment Methodology • We will cover the following methodologies • NIST 800-30 • Facilitated Risk Analysis Process (FRAP) • OCTAVE • AS/NZS 4360 • Failure modes and Effects analysis (FMEA) • Fault Tree Analysis • CRAMM
NIST 800-30 • Focused on Computer systems and IT security issues • Establishes a 6 step Risk Management framework for Federal Systems • Categorize the information system • Select the security controls • Implement security controls • Assess security controls • Authorize the information system • Monitor the security controls
FRAP - Facilitated Risk Analysis Process • Focuses only on systems that really need assessing, to reduce cost and time obligations. • Stresses pre-screening activities so that RA steps are carried only on items that need it most • Used to analyse one system, application or business process at a time • It does not support the idea of calculating exploitation probability or ALE • Goal is ensure efficiency and cost effectiveness by keeping the assessment scope simple and small
OCTAVE • Intended to be used in situations where people manage and direct the risk evaluation within their organization • Relies on idea that people working in the organization are best positioned to understand Risk and what is needed to address them. • The scope of the Assessment is very wide than FRAP • The individuals perform assessment via facilitated workshops
AS/NZ 4360 • Takes a broader approach to Risk management • This risk methodology is more focussed on the health of the company from a business point of view than security • It can be used to understand the company financial, capital, human, and business decision risks
Failure Mode and Effects Analysis (FMEA) • Method of identifying (in a structured way) • Functions • Functional Failures • Cause of failure • Effects of failure • This is commonly used in product development and operational environments • Goal is to identify failure points and either fix or reduce the impact of the failure • It is used in Assurance Risk Management because of the level of detail, variables and complexity • This is not useful to detect complex failure modes involving multiple systems
Fault Tree Analysis • Most useful approach to identify failures in more complex environments and systems • An un-desired effect is taken as the root and events that can contribute to this effect are added as a tree • Some common software failures that can be explored • False alarms • Insufficient error handling • Sequencing or order • Incorrect timing outputs • Valid but not expected outputs
CRAMM • Created by UK and its automated tools are sold by Siemens • Works in three distinct stages • Define objectives • Assess risks • Identify countermeasures • It is a completely automated way of Risk Assessment
Risk Analysis Approaches
Quantitative Risk Analysis • Assigns monetary and numeric values to all elements of the Risk analysis process • More scientific or mathematical approach to Risk Assessment • Uses risk Calculations to attempt to predict the level of monetary loss, and the probability for each type of threat • The reports are fairly user friendly • However, not all elements can be quantified
Quantitative Risk Analysis – 6 Steps Assign Asset value Calculate Exposure Factor Calculate Single loss Expectancy Assess Annualized Rate of Occurrence Derive Annualized Loss Expectancy Perform Cost/Benefit Analysis of Counter measure
Key Terms in Quantitative Analysis • % loss the organization would suffer if a risk materializes • Also referred to as loss potential Exposure Factor (EF) • Cost associated with a single realized risk against a specific asset • SLE = AV * EF • It is calculated in $ value Single Loss Expectancy (SLE) • Frequency with which a specific threat will occur within a single year • Range from 0 (threat will not occur) to very large numbers • It is also known as probability determination Annualized Rate of Occurrence (ARO) • Possible yearly cost of all instances of a specific threat realized against a specific asset • ALE = SLE * ARO Annualized Loss Expectancy (ALE) • It’s the cost associated in procuring, developing, maintaining a control against a potential threat • The ACS should not exceed the ALE Annual Cost of Safeguard (ACS)
Cost Benefit Analysis • ALE before Safeguard – ALE after Safeguard – Cost of Countermeasure = Value of the safeguard to the company • If the above result is negative the safeguard is not financially reasonable to be implemented • It is also important to consider the issues of legal responsibility and prudent due care
Qualitative Risk Analysis • Uses a softer approach to Risk analysis • It does not quantify the data, does not use calculations • It is more opinion and scenario based and uses rating system • Techniques include judgement, best practices, intuition, and experience • Methods • Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaire, checklists, one-on-one meetings, Interviews
Qualitative Risk Analysis Methods •A group decision-making technique designed to generate a large number of creative ideas through an interactive process. Brainstorming •Delphi is based on the principle that decisions from a structured group of individuals are more accurate than those from unstructured group •The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts’ decision from the previous round as well as the reasons they provided for their judgments Delphi Technique •Processes are turned into panels of images depicting the process, so that it can be understood and discussed Storyboarding •Panels of users evaluate the user impact and state their likes and dislikes regarding the safeguard being evaluated Focus Groups •Used as an initial information gathering tool. Results of each survey can influence the content of other evaluation methods Surveys •Limit the responses of participants more than surveys, so they should be used later in the process Questionnaires •Used to make sure safeguards being evaluated cover all aspects of the threats Checklist
Qualitative vs Quantitative Qualitative • Requires no calculations • Involves high degree of guess work • Provides general areas and indications of risk • Does not allow Cost/benefit analysis • Based on opinions of individuals • Eliminates the opportunity to create a dollar value for Cost/benefit analysis • Hard to develop a security budget from the results Quantitative • Does more complex calculations • Mathematical and statistical calculations • Uses independently verifiable and objective metrics • Allows cost/benefit analysis • It is easier to automate • Used in Risk management performance tracking • Without automated tools, the process is very difficult • More preliminary work is needed to gather detailed information about the environment
Countermeasure/Safeguard Selection Modularity Should provide uniform protection Provide override functionality Default to least privilege Flexibility and security Should not panic users Clear distinction between user and admin Minimum human intervention Easily upgraded Auditing functionality Output should be in useable format Testable Should not introduce new compromise System and user performance
Total Risk vs Residual Risk Total Risk = Threats * Vulnerability * Asset Value Residual Risk = (Threats * Vulnerability * Asset Value) * control gaps Residual Risk = Total Risk – countermeasures
Handling Risk Reduce or Mitigate the risk • Implement safeguards to eliminate or vulnerabilities or block threats Risk Assignment or Transfer • Placement of the cost of risk to another entity Risk Acceptance • Conscious decision to live with the risk Risk Avoidance • Terminate the activity that is introducing the risk Risk Rejection or Ignore • Unacceptable response to risk is reject or ignore the risk
Control Categories Administrative control Logical control Physical control Administrative Control • Policies and procedures defined by an organization • Also referred as management controls • Focuses on personnel and business practices • Eg: policy, Hiring practice, training, Data classification. Technical control • Involves the hardware and/or software mechanisms used to manage and provide protection • Eg: firewall, password, biometric, authentication systems, IDS, routers, AV Physical Control • Physical mechanisms deployed to prevent, monitor, detect contact with systems or facilities • Eg: guards, fences, CCTV, dogs, mantraps, alarms
Karthikeyan Dhayalan

Recommended

CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical securityCISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
Karthikeyan Dhayalan
 

Recommended

CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
CISSP Chapter 1 BCP
CISSP Chapter 1 BCPCISSP Chapter 1 BCP
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical securityCISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
Karthikeyan Dhayalan
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
ADEPT TECHNOLOGY
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
CISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security LeadersCISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security Leaders
NUS-ISS
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
Elliott Franklin
 
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
CISSP Prep: Ch 5. Communication and Network Security (Part 2)CISSP Prep: Ch 5. Communication and Network Security (Part 2)
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
Neha Raju k
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
dotco
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
Rand W. Hirt
 

More Related Content

What's hot

What's hot (20)

CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU Architecture
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
 
Security policy
Security policySecurity policy
Security policy
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network Fundamental
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
CISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security LeadersCISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security Leaders
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
CISSP Prep: Ch 5. Communication and Network Security (Part 2)CISSP Prep: Ch 5. Communication and Network Security (Part 2)
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 

Similar to CISSP Chapter 1 Risk Management

Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
Rand W. Hirt
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
Komal Zahra
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 

Similar to CISSP Chapter 1 Risk Management (20)

crisc_wk_3.pptx
crisc_wk_3.pptxcrisc_wk_3.pptx
crisc_wk_3.pptx
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk Management
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
Entetrprise risk management process
Entetrprise risk management processEntetrprise risk management process
Entetrprise risk management process
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
 
Hazard analysis
Hazard analysisHazard analysis
Hazard analysis
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
CompTIA Security+.pptx
CompTIA Security+.pptxCompTIA Security+.pptx
CompTIA Security+.pptx
 
Risk management in pharmaceutical Industry
Risk management in pharmaceutical IndustryRisk management in pharmaceutical Industry
Risk management in pharmaceutical Industry
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Unit V - Hazard Indentification Techniques.pptx
Unit V - Hazard Indentification Techniques.pptxUnit V - Hazard Indentification Techniques.pptx
Unit V - Hazard Indentification Techniques.pptx
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
ICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk ManagementICH Guideline Q9 - Quality Risk Management
ICH Guideline Q9 - Quality Risk Management
 

Recently uploaded

Recently uploaded (20)

On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 

CISSP Chapter 1 Risk Management

  • 1. Risk Management Predict – Preempt – Protect Karthikeyan Dhayalan
  • 2. Risk Management • Process of identifying and assessing risk, reducing it to an acceptable level • Risk Analysis • The process by which the goals of risk management are achieved • Includes examining an environment for risk, evaluating each threat event to its likelihood and the cost of damage, creating cost/benefit report for safeguards to present to management. • NIST 800-39 defines 3 tiers of risk management • Organizational tier – Concerned with the risk to the business as a whole • Business process tier – Deals with a major function within the organization • Information Systems tier – Addresses risk from a information system perspective
  • 3. Risk Terminologies Asset •Anything that has value Threat •Any potential occurrence that may cause an undesirable outcome on the asset Threat Agent •The entity that takes advantage of the vulnerability Vulnerability •Weakness in an asset or absence/weakness in the control measure Exposure •Being susceptible to asset loss due to threat; instance of threat taking advantage of vulnerability; always measured in % Risk • Likelihood threat will exploit the vulnerability; Risk = Threat * Vulnerability*impact Safeguard • Anything that removes or reduces a vulnerability or protects against threat
  • 4. Information Systems Risk Management Policy • Should be a subset of Overall Risk Management Policy • It provides the foundation and direction for organizations security and risk management process and procedures • Should address the following • Objectives of ISRM Team • Risk appetite • Formal process for Risk identification • Connection between ISRM and Organization’s strategic planning process • Roles and Responsibilities of ISRM Team • Mapping of Risk to Internal controls • Mapping of Risk to performance targets • Key indicators to monitor the effectiveness of controls
  • 5. Risk Management Process • 4 Interrelated components that comprise the risk management process • Frame Risk: • Defines the context within which all risk activities takes place • Assess Risk: • Most critical aspect of the process; assessing the risks to determine mitigation strategies • Respond to Risk: • Determining the risk response options available • Monitor Risk: • Continuously monitor the effectiveness of controls against the risks as well as look for new risks.
  • 6. Risk Analysis • Risk Assessment – Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement the security controls • Risk Analysis • Carried out after risk assessment; ensures security is cost-effective, relevant, timely and responsive to the threats • Helps prioritize risks and shows management the amount of resources needed to protect in a sensible manner • 4 main goals of risk analysis • Identify Assets and their values to the organization • Identify vulnerabilities and threats • Quantify the probability and business impact of these potential threats • Provide cost benefit analysis of the safeguard • Risk Analysis must be supported and directed by senior management • Management must define the purpose and scope of analysis, appoint a team to carry out assessment and allocate necessary resources • Risk Analysis helps integrate the security objectives with the business objectives
  • 7. 1. Asset Valuation • Aspects to consider when assigning value to the assets • Cost to acquire or develop • Cost to maintain and protect • Value to owner and users • Value to adversaries • Price others are willing to pay • Cost to replace the asset if lost • Operational and production activities affect if the asset is not available • Liability issues if the asset is compromised • Usefulness and role of the asset in the organization
  • 8. Asset Valuation - Benefits • Helps in performing effective cost/benefit analysis • Helps select specific countermeasures and safeguards • Determine the level of insurance coverage to purchase • Understand what exactly is at risk • Comply with legal and regulatory requirements
  • 9. Identifying Vulnerability and Threats • Loss Potential • What the company will loose if a threat agent actually takes advantage of a vulnerability • Eg: data corruption, destruction, information disclosure • Delayed Loss • Its is secondary in nature and takes place well after a vulnerability is exploited • May include damage to reputation, loss of market, accrued penalties etc.
  • 10. Risk Assessment Methodology • We will cover the following methodologies • NIST 800-30 • Facilitated Risk Analysis Process (FRAP) • OCTAVE • AS/NZS 4360 • Failure modes and Effects analysis (FMEA) • Fault Tree Analysis • CRAMM
  • 11. NIST 800-30 • Focused on Computer systems and IT security issues • Establishes a 6 step Risk Management framework for Federal Systems • Categorize the information system • Select the security controls • Implement security controls • Assess security controls • Authorize the information system • Monitor the security controls
  • 12. FRAP - Facilitated Risk Analysis Process • Focuses only on systems that really need assessing, to reduce cost and time obligations. • Stresses pre-screening activities so that RA steps are carried only on items that need it most • Used to analyse one system, application or business process at a time • It does not support the idea of calculating exploitation probability or ALE • Goal is ensure efficiency and cost effectiveness by keeping the assessment scope simple and small
  • 13. OCTAVE • Intended to be used in situations where people manage and direct the risk evaluation within their organization • Relies on idea that people working in the organization are best positioned to understand Risk and what is needed to address them. • The scope of the Assessment is very wide than FRAP • The individuals perform assessment via facilitated workshops
  • 14. AS/NZ 4360 • Takes a broader approach to Risk management • This risk methodology is more focussed on the health of the company from a business point of view than security • It can be used to understand the company financial, capital, human, and business decision risks
  • 15. Failure Mode and Effects Analysis (FMEA) • Method of identifying (in a structured way) • Functions • Functional Failures • Cause of failure • Effects of failure • This is commonly used in product development and operational environments • Goal is to identify failure points and either fix or reduce the impact of the failure • It is used in Assurance Risk Management because of the level of detail, variables and complexity • This is not useful to detect complex failure modes involving multiple systems
  • 16. Fault Tree Analysis • Most useful approach to identify failures in more complex environments and systems • An un-desired effect is taken as the root and events that can contribute to this effect are added as a tree • Some common software failures that can be explored • False alarms • Insufficient error handling • Sequencing or order • Incorrect timing outputs • Valid but not expected outputs
  • 17. CRAMM • Created by UK and its automated tools are sold by Siemens • Works in three distinct stages • Define objectives • Assess risks • Identify countermeasures • It is a completely automated way of Risk Assessment
  • 19. Quantitative Risk Analysis • Assigns monetary and numeric values to all elements of the Risk analysis process • More scientific or mathematical approach to Risk Assessment • Uses risk Calculations to attempt to predict the level of monetary loss, and the probability for each type of threat • The reports are fairly user friendly • However, not all elements can be quantified
  • 20. Quantitative Risk Analysis – 6 Steps Assign Asset value Calculate Exposure Factor Calculate Single loss Expectancy Assess Annualized Rate of Occurrence Derive Annualized Loss Expectancy Perform Cost/Benefit Analysis of Counter measure
  • 21. Key Terms in Quantitative Analysis • % loss the organization would suffer if a risk materializes • Also referred to as loss potential Exposure Factor (EF) • Cost associated with a single realized risk against a specific asset • SLE = AV * EF • It is calculated in $ value Single Loss Expectancy (SLE) • Frequency with which a specific threat will occur within a single year • Range from 0 (threat will not occur) to very large numbers • It is also known as probability determination Annualized Rate of Occurrence (ARO) • Possible yearly cost of all instances of a specific threat realized against a specific asset • ALE = SLE * ARO Annualized Loss Expectancy (ALE) • It’s the cost associated in procuring, developing, maintaining a control against a potential threat • The ACS should not exceed the ALE Annual Cost of Safeguard (ACS)
  • 22. Cost Benefit Analysis • ALE before Safeguard – ALE after Safeguard – Cost of Countermeasure = Value of the safeguard to the company • If the above result is negative the safeguard is not financially reasonable to be implemented • It is also important to consider the issues of legal responsibility and prudent due care
  • 23. Qualitative Risk Analysis • Uses a softer approach to Risk analysis • It does not quantify the data, does not use calculations • It is more opinion and scenario based and uses rating system • Techniques include judgement, best practices, intuition, and experience • Methods • Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaire, checklists, one-on-one meetings, Interviews
  • 24. Qualitative Risk Analysis Methods •A group decision-making technique designed to generate a large number of creative ideas through an interactive process. Brainstorming •Delphi is based on the principle that decisions from a structured group of individuals are more accurate than those from unstructured group •The experts answer questionnaires in two or more rounds. After each round, a facilitator provides an anonymous summary of the experts’ decision from the previous round as well as the reasons they provided for their judgments Delphi Technique •Processes are turned into panels of images depicting the process, so that it can be understood and discussed Storyboarding •Panels of users evaluate the user impact and state their likes and dislikes regarding the safeguard being evaluated Focus Groups •Used as an initial information gathering tool. Results of each survey can influence the content of other evaluation methods Surveys •Limit the responses of participants more than surveys, so they should be used later in the process Questionnaires •Used to make sure safeguards being evaluated cover all aspects of the threats Checklist
  • 25. Qualitative vs Quantitative Qualitative • Requires no calculations • Involves high degree of guess work • Provides general areas and indications of risk • Does not allow Cost/benefit analysis • Based on opinions of individuals • Eliminates the opportunity to create a dollar value for Cost/benefit analysis • Hard to develop a security budget from the results Quantitative • Does more complex calculations • Mathematical and statistical calculations • Uses independently verifiable and objective metrics • Allows cost/benefit analysis • It is easier to automate • Used in Risk management performance tracking • Without automated tools, the process is very difficult • More preliminary work is needed to gather detailed information about the environment
  • 26. Countermeasure/Safeguard Selection Modularity Should provide uniform protection Provide override functionality Default to least privilege Flexibility and security Should not panic users Clear distinction between user and admin Minimum human intervention Easily upgraded Auditing functionality Output should be in useable format Testable Should not introduce new compromise System and user performance
  • 27. Total Risk vs Residual Risk Total Risk = Threats * Vulnerability * Asset Value Residual Risk = (Threats * Vulnerability * Asset Value) * control gaps Residual Risk = Total Risk – countermeasures
  • 28. Handling Risk Reduce or Mitigate the risk • Implement safeguards to eliminate or vulnerabilities or block threats Risk Assignment or Transfer • Placement of the cost of risk to another entity Risk Acceptance • Conscious decision to live with the risk Risk Avoidance • Terminate the activity that is introducing the risk Risk Rejection or Ignore • Unacceptable response to risk is reject or ignore the risk
  • 29. Control Categories Administrative control Logical control Physical control Administrative Control • Policies and procedures defined by an organization • Also referred as management controls • Focuses on personnel and business practices • Eg: policy, Hiring practice, training, Data classification. Technical control • Involves the hardware and/or software mechanisms used to manage and provide protection • Eg: firewall, password, biometric, authentication systems, IDS, routers, AV Physical Control • Physical mechanisms deployed to prevent, monitor, detect contact with systems or facilities • Eg: guards, fences, CCTV, dogs, mantraps, alarms