Principles of Information Security,
Fifth Edition
Chapter 5
Risk Management
Lesson 3 – FAIR Approach to Risk Management
Learning Objectives
• Upon completion of this material, you should be
able to:
– Define risk management, risk identification, and risk
control
– Describe how risk is identified and assessed
– Assess risk based on probability of occurrence and
likely impact
– Explain the fundamental aspects of documenting risk
via the process of risk assessment
Learning Objectives (cont’d)
– Describe the various risk mitigation strategy options
– Identify the categories that can be used to classify
controls
– Discuss conceptual frameworks for evaluating risk
controls and formulate a cost-benefit analysis
The FAIR Approach to Risk
Assessment
• FAIR (Factor Analysis of Information Risk) assesses a risk
scenario in four stages:
– Identify scenario components (asset, threat, effect)
– Evaluate loss event frequency
– Evaluate probable loss magnitude
– Derive and articulate risk
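The four FAIR stages above, worked through in code as an added example (this is not code from the textbook, the slides, or the FAIR standard). The decomposition it uses, loss event frequency = threat event frequency × vulnerability and annualized loss = loss event frequency × loss magnitude, is FAIR's own; the scenario, the min/most-likely/max ranges, and the function names are constructed for illustration. Inputs are ranges rather than point values, and the result is articulated as a percentile spread, which is the practical difference between FAIR and a single ALE figure.

```python
"""FAIR-style risk estimate with ranged inputs and Monte Carlo sampling.

Added example, not from the textbook slides. It follows FAIR's standard
decomposition (loss event frequency = threat event frequency x vulnerability;
annualized loss = loss event frequency x loss magnitude). Every figure here
is constructed for illustration.
"""
import random
import statistics

# Stage 1: scenario components (constructed scenario).
SCENARIO = {
    "asset": "customer database",
    "threat": "external attacker via exposed admin interface",
    "effect": "confidentiality",
}

# Stage 2 inputs as (min, most likely, max):
#   TEF  = threat event frequency, attempts per year
#   VULN = probability that an attempt becomes a loss event
TEF = (2.0, 6.0, 20.0)
VULN = (0.05, 0.15, 0.40)
# Stage 3 input: loss magnitude per loss event, USD.
LM = (20_000.0, 150_000.0, 900_000.0)


def sample(rng: random.Random, triple: tuple) -> float:
    """Draw one value from a triangular distribution given (low, mode, high)."""
    low, mode, high = triple
    return rng.triangular(low, high, mode)


def simulate(n: int = 10_000, seed: int = 1) -> dict:
    """Stage 4: derive annual loss as a distribution, not a single number."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        lef = sample(rng, TEF) * sample(rng, VULN)  # loss events per year
        losses.append(lef * sample(rng, LM))        # annualized loss, USD
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p10": losses[int(0.10 * n)],
        "p50": losses[int(0.50 * n)],
        "p90": losses[int(0.90 * n)],
        # Hard bounds implied by the input ranges; useful as a sanity check.
        "min_possible": TEF[0] * VULN[0] * LM[0],
        "max_possible": TEF[2] * VULN[2] * LM[2],
    }


def articulate(result: dict) -> str:
    """Stage 4, second half: state the risk in terms management can act on."""
    return (f"{SCENARIO['asset']} / {SCENARIO['threat']}: expected annual loss "
            f"${result['mean']:,.0f}; 10th to 90th percentile "
            f"${result['p10']:,.0f} to ${result['p90']:,.0f}")


if __name__ == "__main__":
    print(articulate(simulate()))
```

The triangular distribution is a deliberate simplification; FAIR practitioners usually fit a PERT distribution from the same three estimates, but the structure of the calculation is identical. Widening a range widens the percentile spread, which is exactly the uncertainty a point ALE hides.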
Risk Control
• Involves selection of control strategies, justification of
strategies to upper management, and
implementation/monitoring/ongoing assessment of
adopted controls
• Once the ranked vulnerability risk worksheet is
complete, the organization must choose one of five
strategies to control each risk:
– Defense
– Transfer
– Mitigation
– Acceptance
– Termination
Defense
• Attempts to prevent exploitation of the vulnerability
• Preferred approach
• Accomplished through countering threats,
removing asset vulnerabilities, limiting asset
access, and adding protective safeguards
• Three common methods of defense (also described as risk avoidance):
– Application of policy
– Education and training
– Applying technology
Transfer
• Attempts to shift risk to other assets, processes, or
organizations, for example by outsourcing, purchasing
insurance, or writing service contracts with providers
• If the organization lacks the expertise in-house, it should
hire individuals or firms that provide security management
and administration expertise.
• The organization may then transfer the risk associated with
managing complex systems to another organization
experienced in dealing with those risks.
Mitigate
• Attempts to reduce the impact of a successful attack rather
than the likelihood that the attack succeeds
• Approach includes three types of plans:
– Incident response (IR) plan: define the actions to
take while incident is in progress
– Disaster recovery (DR) plan: the most common
mitigation procedure; preparations for the recovery
process
– Business continuity (BC) plan: encompasses the
continuation of business activities if a catastrophic
event occurs
Acceptance and Termination
• Acceptance
– Doing nothing to protect an asset from a vulnerability and
accepting the outcome of its exploitation
– Valid only when the particular function, service,
information, or asset does not justify the cost of
protection
• Termination
– Directs the organization to avoid business activities
that introduce uncontrollable risks
– May seek an alternate mechanism to meet the
customer needs
Selecting a Risk Control Strategy
• Level of threat and value of asset should play a
major role in the selection of strategy.
• Rules of thumb on strategy selection can be
applied:
– When a vulnerability exists: implement security controls
to reduce the likelihood of its being exploited
– When a vulnerability can be exploited: apply layered
protections, architectural designs, and administrative
controls to minimize the risk or prevent the occurrence
– When the attacker’s cost is less than the potential gain:
apply protections that raise the attacker’s cost
– When potential loss is substantial: apply design
principles, architectural designs, and technical and
nontechnical protections to limit the extent of the attack
and so reduce the potential for loss
Justifying Controls
• Before implementing one of the control strategies
for a specific vulnerability, the organization must
explore all consequences of vulnerability to
information asset.
• Several ways to determine the
advantages/disadvantages of a specific control
• Items that affect cost of a control or safeguard
include cost of development or acquisition, training
fees, implementation cost, service costs, and cost
of maintenance.
Justifying Controls (cont’d)
• Asset valuation involves estimating real/perceived
costs associated with design, development,
installation, maintenance, protection, recovery, and
defense against loss/litigation.
• The result of the process is an estimate of the potential loss per risk.
• Expected loss per risk is stated in the following equations:
– Annualized loss expectancy (ALE) =
single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
– SLE = asset value (AV) × exposure factor (EF), where EF is
the fraction of the asset’s value lost when the vulnerability
is exploited once, and ARO is how many times per year
that loss is expected to occur
The Cost-Benefit Analysis (CBA)
Formula
• CBA determines if an alternative being evaluated is
worth the cost incurred to control vulnerability.
– The CBA is most easily calculated using the ALE
from earlier assessments, before implementation of
the proposed control:
• CBA = ALE(prior) – ALE(post) – ACS
– ALE(prior) is the annualized loss expectancy of the risk
before implementation of the control.
– ALE(post) is the estimated ALE with the control in place
for a period of time.
– ACS is the annualized cost of the safeguard.
– A positive CBA means the safeguard saves more per year
than it costs; a CBA at or below zero does not justify it.
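A worked instance of the SLE, ALE, and CBA formulas from the two preceding slides, as an added example that is not from the textbook or the slides. It compares three candidate controls for one asset-threat pair and reports the residual ALE the winning control leaves. The mapping of strategy to input (a defense-type control lowers ARO, a mitigation-type control lowers EF) is this example's assumption; the slides do not prescribe how a control changes the inputs. All dollar figures, rates, and control names are constructed.

```python
"""Worked SLE / ALE / CBA for one asset-threat pair and three candidate controls.

Added example, not from the slides. Formulas are the ones on the slides:
SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS.
Every figure below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """Quantitative inputs for one asset-threat pair."""
    asset_value: float      # AV, USD
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and how it is assumed to change the inputs.

    Assumption of this example: a defense-type control lowers likelihood
    (ARO), a mitigation-type control lowers impact (EF).
    """
    name: str
    strategy: str
    annual_cost: float          # ACS, USD per year
    aro_multiplier: float = 1.0
    ef_multiplier: float = 1.0

    def apply(self, prior: Exposure) -> Exposure:
        return replace(
            prior,
            exposure_factor=min(1.0, prior.exposure_factor * self.ef_multiplier),
            aro=prior.aro * self.aro_multiplier,
        )


def cba(prior: Exposure, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return prior.ale() - control.apply(prior).ale() - control.annual_cost


def rank(prior: Exposure, controls: list) -> list:
    """(name, CBA) for every candidate, best first."""
    return sorted(((c.name, cba(prior, c)) for c in controls), key=lambda t: -t[1])


def recommend(prior: Exposure, controls: list) -> tuple:
    """Best control and the residual ALE it leaves; 'accept' if no CBA is positive."""
    best = max(controls, key=lambda c: cba(prior, c))
    if cba(prior, best) <= 0:
        return "accept", prior.ale()
    return best.name, best.apply(prior).ale()


# Constructed asset-threat pair: AV $500k, EF 40 %, one incident every two years.
PRIOR = Exposure(asset_value=500_000, exposure_factor=0.40, aro=0.5)

CONTROLS = [
    Control("web application firewall + patch SLA", "defense",
            annual_cost=30_000, aro_multiplier=0.2),
    Control("offsite backups + DR rehearsal", "mitigation",
            annual_cost=15_000, ef_multiplier=0.5),
    # Costs more than ALE(prior) saves: CBA comes out negative.
    Control("full network re-architecture", "defense",
            annual_cost=100_000, aro_multiplier=0.05),
]

if __name__ == "__main__":
    print(f"SLE ${PRIOR.sle():,.0f}   ALE(prior) ${PRIOR.ale():,.0f}")
    for name, value in rank(PRIOR, CONTROLS):
        print(f"{name:40s} CBA ${value:>10,.0f}")
    print("recommendation:", recommend(PRIOR, CONTROLS))
```

Note that the third control reduces the risk the most yet loses the comparison: its annualized cost exceeds the loss it prevents, which is the situation in which acceptance, not a bigger safeguard, is the correct strategy.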
Implementation, Monitoring, and
Assessment of Risk Controls
• The selection of the control strategy is not the end
of the process.
• The strategy and its controls must be implemented
and monitored on an ongoing basis to determine their
effectiveness and to calculate the estimated residual
risk accurately.
• Process continues as long as the organization
continues to function.
Quantitative Versus Qualitative Risk
Control Practices
• Performing the previous steps using actual values
or estimates is known as quantitative assessment.
• It is also possible to complete the steps using an
evaluation process based on characteristics and
nonnumerical measures (scales such as low/medium/high);
this is called qualitative assessment.
• Utilizing scales rather than specific estimates
relieves the organization from the difficulty of
determining exact values.
Benchmarking and Best Practices
• An alternative approach to risk management
• Benchmarking: process of seeking out and
studying practices in other organizations that one’s
own organization desires to duplicate
• Two kinds of measure are typically used to compare
practices:
– Metrics-based measures, based on numerical
standards
– Process-based measures, more strategic and less
focused on numbers
Benchmarking and Best Practices
(cont’d)
• Standard of due care: the level of security that shows the
organization has done what any prudent organization would
do in similar circumstances; adopting it supports a legal
defense.
• The application of controls at or above prescribed
levels and the maintenance of standards of due
care show due diligence on the organization’s part.
• Failure to support standard of due care or due
diligence can leave the organization open to legal
liability.
Benchmarking and Best Practices
(cont’d)
• Best business practices: security efforts that
provide a superior level of information protection
• When considering best practices for adoption in an
organization, consider:
– Does organization resemble identified target
organization with best practice?
– Are the resources the organization can expend similar?
– Is organization in a similar threat environment?
Benchmarking and Best Practices
(cont’d)
• Problems with the application of benchmarking and
best practices
– Organizations don’t talk to each other (biggest
problem).
– No two organizations are identical.
– Best practices are a moving target.
– Researching information security benchmarks
doesn’t necessarily prepare a practitioner for what to
do next.
Benchmarking and Best Practices
(cont’d)
• Baselining
– A baseline is a performance value or metric used to
compare changes in the object being measured.
– In information security, baselining is the comparison
of past security activities and events against the
organization’s future performance.
– It is useful during baselining to have a guide to the
overall process.
Other Feasibility Studies
• Organizational: Assesses how well the proposed information
security alternatives will contribute to an organization’s
efficiency, effectiveness, and overall operation
• Operational: Assesses user and management
acceptance and support, and the overall requirements
of the organization’s stakeholders
• Technical: Assesses if organization has or can acquire
the technology necessary to implement and support
proposed control
• Political: Defines what can/cannot occur based on the
consensus and relationships among communities of
interest
Recommended Risk Control Practices
• Budget authorities can be asked to spend up to the value
of the asset to protect it from an identified threat, but not
more.
• The chosen controls may be a balanced mixture that
provides the greatest value to as many asset-threat
pairs as possible.
• Many organizations prefer to implement controls by
methods that don’t involve such complex, inexact, and
dynamic calculations.
Documenting Results
• At minimum, each information asset-threat pair
should have documented control strategy clearly
identifying any remaining residual risk.
• Another option: Document the outcome of the
control strategy for each information asset-
vulnerability pair as an action plan.
• Risk assessment may be documented in a topic-
specific report.
The NIST Risk Management
Framework
• Describes risk management as a comprehensive
process requiring organizations to:
– Frame risk
– Assess risk
– Respond to determined risk
– Monitor risk on an ongoing basis
Summary
• Risk identification: the formal process of examining and
documenting risk in information systems
• Risk control: the process of taking carefully reasoned
steps to ensure the confidentiality, integrity, and
availability of the components of an information system
• Risk identification (cont’d)
– A risk management strategy enables identification,
classification, and prioritization of the organization’s
information assets.
– Residual risk: the risk remaining to an information asset
even after the existing control is applied
Summary (cont’d)
• Risk control: Five strategies are used to control
risks that result from vulnerabilities:
– Defend
– Transfer
– Mitigate
– Accept
– Terminate

Contenu connexe

Tendances

CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414
aidanc5
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security Management
Luis Martins
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
Yaser Alrefai
 

Tendances (20)

CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414
 
Cyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive SummaryCyber Security Program Realization in the Mid Market - Executive Summary
Cyber Security Program Realization in the Mid Market - Executive Summary
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk Management
 
Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh Technology Risk Management Simulation - Mahesh
Technology Risk Management Simulation - Mahesh
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security Management
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Business continuity management system
Business continuity management systemBusiness continuity management system
Business continuity management system
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
Quantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal AuditQuantitative Data-Driven Risk Management and Internal Audit
Quantitative Data-Driven Risk Management and Internal Audit
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’sBest-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
Best-in-Class Crisis Preparation: Maximize Readiness with the Four T’s
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Risk and Business Continuity Management
Risk and Business Continuity ManagementRisk and Business Continuity Management
Risk and Business Continuity Management
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
 
Risk Management & Information Security Management Systems
Risk Management & Information Security Management SystemsRisk Management & Information Security Management Systems
Risk Management & Information Security Management Systems
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service   uopstudy.comCmgt 430 cmgt430 cmgt 430 education for service   uopstudy.com
Cmgt 430 cmgt430 cmgt 430 education for service uopstudy.com
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
 

Similaire à Lesson 3- Fair Approach

Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
cravennichole326
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
zeidali3
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
Duncan O. Ogutu; CPA, CFE
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
Paul Hunt
 
Project 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docxProject 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docx
anitramcroberts
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
yaseraljohani
 

Similaire à Lesson 3- Fair Approach (20)

Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Hazards and risk management
Hazards and risk managementHazards and risk management
Hazards and risk management
 
Risk Management and Risk Transfer
Risk Management and Risk TransferRisk Management and Risk Transfer
Risk Management and Risk Transfer
 
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptximplementation_of_a_risk-based_process_safety_management_system_framework.pptx
implementation_of_a_risk-based_process_safety_management_system_framework.pptx
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
Project 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docxProject 7 - Organization Security PlanChoose an organization fro.docx
Project 7 - Organization Security PlanChoose an organization fro.docx
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Various steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim mirazVarious steps of risk assessment. md. anwar ibrahim miraz
Various steps of risk assessment. md. anwar ibrahim miraz
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
CISSP Chapter 1 Risk Management
CISSP Chapter 1  Risk ManagementCISSP Chapter 1  Risk Management
CISSP Chapter 1 Risk Management
 

Plus de MLG College of Learning, Inc (20)

PC111.Lesson2
PC111.Lesson2PC111.Lesson2
PC111.Lesson2
 
PC111.Lesson1
PC111.Lesson1PC111.Lesson1
PC111.Lesson1
 
PC111-lesson1.pptx
PC111-lesson1.pptxPC111-lesson1.pptx
PC111-lesson1.pptx
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
PC 106 PPT-09.pptx
PC 106 PPT-09.pptxPC 106 PPT-09.pptx
PC 106 PPT-09.pptx
 
PC 106 PPT-07
PC 106 PPT-07PC 106 PPT-07
PC 106 PPT-07
 
PC 106 PPT-01
PC 106 PPT-01PC 106 PPT-01
PC 106 PPT-01
 
PC 106 PPT-06
PC 106 PPT-06PC 106 PPT-06
PC 106 PPT-06
 
PC 106 PPT-05
PC 106 PPT-05PC 106 PPT-05
PC 106 PPT-05
 
PC 106 Slide 04
PC 106 Slide 04PC 106 Slide 04
PC 106 Slide 04
 
PC 106 Slide no.02
PC 106 Slide no.02PC 106 Slide no.02
PC 106 Slide no.02
 
pc-106-slide-3
pc-106-slide-3pc-106-slide-3
pc-106-slide-3
 
PC 106 Slide 2
PC 106 Slide 2PC 106 Slide 2
PC 106 Slide 2
 
PC 106 Slide 1.pptx
PC 106 Slide 1.pptxPC 106 Slide 1.pptx
PC 106 Slide 1.pptx
 
Db2 characteristics of db ms
Db2 characteristics of db msDb2 characteristics of db ms
Db2 characteristics of db ms
 
Db1 introduction
Db1 introductionDb1 introduction
Db1 introduction
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 
Lesson 3.1
Lesson 3.1Lesson 3.1
Lesson 3.1
 
Lesson 1.6
Lesson 1.6Lesson 1.6
Lesson 1.6
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 

Dernier

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
ssuserdda66b
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Dernier (20)

Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 

Lesson 3- Fair Approach

  • 1. Principles of Information Security, Fifth Edition Chapter 5 Risk Management Lesson 3 – Fair Approach to Risk Management
  • 2. Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, risk identification, and risk control – Describe how risk is identified and assessed – Assess risk based on probability of occurrence and likely impact – Explain the fundamental aspects of documenting risk via the process of risk assessment Principles of Information Security, Fifth Edition 2
  • 3. Learning Objectives (cont’d) – Describe the various risk mitigation strategy options – Identify the categories that can be used to classify controls – Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis Principles of Information Security, Fifth Edition 3
  • 4. The FAIR Approach to Risk Assessment • Identify scenario components • Evaluate loss event frequency • Evaluate probable loss magnitude • Derive and articulate risk Principles of Information Security, Fifth Edition 4
  • 5. Risk Control • Involves selection of control strategies, justification of strategies to upper management, and implementation/monitoring/ongoing assessment of adopted controls • Once the ranked vulnerability risk worksheet is complete, the organization must choose one of five strategies to control each risk: – Defense – Transfer – Mitigation – Acceptance – Termination Principles of Information Security, Fifth Edition 5
  • 6. Defense • Attempts to prevent exploitation of the vulnerability • Preferred approach • Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards • Three common methods of risk avoidance: – Application of policy – Education and training – Applying technology Principles of Information Security, Fifth Edition 6
  • 7. Transfer • Attempts to shift risk to other assets, processes, or organizations • If lacking, the organization should hire individuals/firms that provide security management and administration expertise. • The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks. Principles of Information Security, Fifth Edition 7
  • 8. Mitigate • Attempts to reduce impact of attack rather than reduce success of attack itself • Approach includes three types of plans: – Incident response (IR) plan: define the actions to take while incident is in progress – Disaster recovery (DR) plan: the most common mitigation procedure; preparations for the recovery process – Business continuity (BC) plan: encompasses the continuation of business activities if a catastrophic event occurs Principles of Information Security, Fifth Edition 8
  • 9. Acceptance and Termination • Acceptance – Doing nothing to protect a vulnerability and accepting the outcome of its exploitation – Valid only when the particular function, service, information, or asset does not justify the cost of protection • Termination – Directs the organization to avoid business activities that introduce uncontrollable risks – May seek an alternate mechanism to meet the customer needs Principles of Information Security, Fifth Edition 9
  • 10. Principles of Information Security, Fifth Edition 10
  • 11. Selecting a Risk Control Strategy • Level of threat and value of asset should play a major role in the selection of strategy. • Rules of thumb on strategy selection can be applied: – When a vulnerability exists – When a vulnerability can be exploited – When attacker’s cost is less than the potential gain – When potential loss is substantial Principles of Information Security, Fifth Edition 11
  • 12. Principles of Information Security, Fifth Edition 12
  • 13. Justifying Controls • Before implementing one of the control strategies for a specific vulnerability, the organization must explore all consequences of vulnerability to information asset. • Several ways to determine the advantages/disadvantages of a specific control • Items that affect cost of a control or safeguard include cost of development or acquisition, training fees, implementation cost, service costs, and cost of maintenance. Principles of Information Security, Fifth Edition 13
  • 14. Justifying Controls (cont’d) • Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation. • Process result is the estimate of potential loss per risk. • Expected loss per risk stated in the following equation: – Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO) • SLE = asset value × exposure factor (EF) Principles of Information Security, Fifth Edition 14
  • 15. The Cost-Benefit Analysis (CBA) Formula • CBA determines if an alternative being evaluated is worth the cost incurred to control vulnerability. – The CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control: • CBA = ALE(prior) – ALE(post) – ACS – ALE(prior) is the annualized loss expectancy of risk before implementation of control. – ALE(post) is the estimated ALE based on control being in place for a period of time. – ACS is the annualized cost of the safeguard. Principles of Information Security, Fifth Edition 15
16. Implementation, Monitoring, and Assessment of Risk Controls
• The selection of the control strategy is not the end of the process.
• Strategy and accompanying controls must be implemented and monitored on an ongoing basis to determine effectiveness and accurately calculate the estimated residual risk.
• Process continues as long as the organization continues to function.
18. Quantitative Versus Qualitative Risk Control Practices
• Performing the previous steps using actual values or estimates is known as quantitative assessment.
• Possible to complete steps using an evaluation process based on characteristics using nonnumerical measures, called qualitative assessment
• Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values.
19. Benchmarking and Best Practices
• An alternative approach to risk management
• Benchmarking: process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate
• One of two measures typically used to compare practices:
  – Metrics-based measures, based on numerical standards
  – Process-based measures, more strategic and less focused on numbers
20. Benchmarking and Best Practices (cont’d)
• Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.
• The application of controls at or above prescribed levels and the maintenance of standards of due care show due diligence on the organization’s part.
• Failure to support the standard of due care or due diligence can leave the organization open to legal liability.
21. Benchmarking and Best Practices (cont’d)
• Best business practices: security efforts that provide a superior level of information protection
• When considering best practices for adoption in an organization, consider:
  – Does the organization resemble the identified target organization with the best practice?
  – Are expendable resources similar?
  – Is the organization in a similar threat environment?
22. Benchmarking and Best Practices (cont’d)
• Problems with the application of benchmarking and best practices
  – Organizations don’t talk to each other (biggest problem).
  – No two organizations are identical.
  – Best practices are a moving target.
  – Researching information security benchmarks doesn’t necessarily prepare a practitioner for what to do next.
23. Benchmarking and Best Practices (cont’d)
• Baselining
  – Performance value or metric used to compare changes in the object being measured.
  – In information security, baselining is the comparison of past security activities and events against an organization’s future performance.
  – It is useful during baselining to have a guide to the overall process.
24. Other Feasibility Studies
• Organizational: Assesses how well the proposed IS alternatives will contribute to an organization’s efficiency, effectiveness, and overall operation
• Operational: Assesses user and management acceptance and support, and the overall requirements of the organization’s stakeholders
• Technical: Assesses if the organization has or can acquire the technology necessary to implement and support the proposed control
• Political: Defines what can/cannot occur based on the consensus and relationships among communities of interest
25. Recommended Risk Control Practices
• Convince budget authorities to spend up to the value of the asset to protect it from the identified threat.
• Chosen controls may be a balanced mixture that provides the greatest value to as many asset-threat pairs as possible.
• Many organizations look to implement controls that don’t involve such complex, inexact, and dynamic calculations.
26. Documenting Results
• At minimum, each information asset-threat pair should have a documented control strategy clearly identifying any remaining residual risk.
• Another option: Document the outcome of the control strategy for each information asset-vulnerability pair as an action plan.
• Risk assessment may be documented in a topic-specific report.
27. The NIST Risk Management Framework
• Describes risk management as a comprehensive process requiring organizations to:
  – Frame risk
  – Assess risk
  – Respond to determined risk
  – Monitor risk on an ongoing basis
29. Summary
• Risk identification: formal process of examining and documenting risk in information systems
• Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the components of an information system
• Risk identification
  – A risk management strategy enables identification, classification, and prioritization of the organization’s information assets.
  – Residual risk: risk remaining to the information asset even after the existing control is applied
30. Summary (cont’d)
• Risk control: Five strategies are used to control risks that result from vulnerabilities:
  – Defend
  – Transfer
  – Mitigate
  – Accept
  – Terminate