Information Security Risk Management

Presentation on “Information Risk Management”
By Nikhil Soni (2020MTIS-06)
Secure Software Systems
What is Risk & Risk Management?
• A risk is a potential or future event that, should it occur, will have a (negative) impact on the business objectives of an organization.
A + T + V = R
That is, Asset + Threat + Vulnerability = Risk.
• Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little or no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little or no risk.
• “Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk.” - Wikipedia
Risk Life Cycle
Threat Agent → exploits → Vulnerability → leads to → Risk → can damage → Asset → and cause an → Exposure → can be countermeasured by a → Safeguard
General Terms:
• Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect.
Information Assets (IS Components)
• People
  – Employees: Authorized Staff, Other Staff
  – Non-employees: People at trusted organizations, Strangers
• Procedures: Standard Procedures, Sensitive Procedures
• Data: Transmission, Process, Storage
• Software (SW): Application, OS, Security Component
• Hardware (HW): System Devices
• Network
General Terms:
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.
Risk Management Process
• It involves two sub-processes:
1. Risk Assessment
2. Risk Control
The steps of the process, in order:
Risk Assessment
1. Identify Risks
2. Analyze Risks
3. Define Desired Results
Risk Control
4. Select Strategy
5. Implement Strategy
6. Monitor
7. Evaluate and Adjust
• The process is iterative.
• The steps are organized so that the output of each step is the input for the next step.
Risk Identification
• The first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, will cause problems.
• This is a crucial phase: if a risk is not identified, it cannot be evaluated and managed.
• Any failure at this stage to identify a risk may cause a major loss for the organization.
• Risk identification provides the foundation of risk management.
• Risk identification requires knowledge of the organization, the market in which it operates, and the legal, social, economic, political, and climatic environment in which it has its impact.
Risk Analysis
• Assessing risk is the process of determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.
• The risk analysis step assists in determining which risks have a greater consequence or impact than others.
Methods of Risk Analysis
Risk analysis is generally lumped into two main categories: Qualitative and Quantitative.
• Qualitative Risk Analysis:
The root word of qualitative is “quality”, and that is what these techniques focus on. Qualifying risks under this method involves making a simple list of the risks themselves, along with ranking them and mapping them out. The following are some common techniques for assessing risks from a qualitative aspect:
– Probability and Impact Assessment and Matrix: Analyzing and rating risks using probability and impact on things like cost, schedule and performance.
– Risk Categorization: Grouping risks by common root causes to develop effective responses.
– Risk Urgency: The risk ranking from your probability matrix, combined with urgency, can help prioritize risks.
– Expert Judgment: Professional opinions from people in the industry or with experience of similar projects.
• Quantitative Risk Analysis:
These methods are more about definitive measuring and probabilistic techniques. The greatest risk of all is the risk of losing money, and you cannot use qualitative systems to count your cost. The following are a few simple ways in which organizations quantify their risks:
– Probability Distributions: Used in modeling and simulation to represent the uncertainty of values in things like task costs and labor.
– Cost and Schedule Risk Analysis: Cost estimates and schedules are used as input values that are chosen randomly for each iteration of a simulation.
– Sensitivity Analysis: A simple technique to determine how much impact a risk poses to a project.
– Expected Monetary Value Analysis (EMV): Calculating the average outcome of scenarios that may or may not happen.
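The four quantitative techniques above fit together in one calculation: EMV gives the probability-weighted loss, sensitivity analysis shows which input moves that number most, and a seeded Monte Carlo run draws the cost inputs randomly from a probability distribution on each iteration. The code below is an added example, not part of the presentation; the risk events, probabilities, loss figures, the control cost and the probability reduction it buys are constructed assumptions, and the triangular loss distribution is one choice among several an analyst might make.

```python
"""Quantitative risk analysis: EMV, one-at-a-time sensitivity analysis,
and a seeded Monte Carlo cost simulation.

Added example, not from the presentation. Events, probabilities, losses,
control cost and the assumed probability reduction are constructed.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    name: str
    probability: float  # chance of occurring in the period (0..1)
    loss: float         # monetary loss if it occurs (positive magnitude)


# Constructed annual risk events for a single information asset.
EVENTS = [
    RiskEvent("ransomware outage", 0.10, 400_000.0),
    RiskEvent("regulatory fine after data breach", 0.05, 250_000.0),
]


def emv(events) -> float:
    """Expected Monetary Value: sum of probability * outcome over events
    that may or may not happen. Every outcome here is a loss, so the
    result is negative."""
    for e in events:
        if not 0.0 <= e.probability <= 1.0 or e.loss < 0:
            raise ValueError(f"{e.name}: probability must be 0..1 and loss >= 0")
    return -sum(e.probability * e.loss for e in events)


def compare_responses(events, control_cost, reduced) -> dict:
    """EMV of accepting the risk versus paying for a control.
    `reduced` maps an event name to its assumed probability after the control."""
    mitigated = [replace(e, probability=reduced.get(e.name, e.probability)) for e in events]
    accept = emv(events)
    mitigate = emv(mitigated) - control_cost
    return {"accept": accept, "mitigate": mitigate, "mitigation_benefit": mitigate - accept}


def sensitivity(events, rel_change=0.5) -> list:
    """One-at-a-time sensitivity: swing in EMV when a single event's probability
    moves by -rel_change..+rel_change, largest swing first (a tornado ordering)."""
    swings = []
    for target in events:
        low = [replace(e, probability=e.probability * (1 - rel_change)) if e is target else e
               for e in events]
        high = [replace(e, probability=min(1.0, e.probability * (1 + rel_change))) if e is target else e
                for e in events]
        swings.append((target.name, emv(low) - emv(high)))
    return sorted(swings, key=lambda t: -t[1])


def simulate(events, iterations=20_000, seed=1) -> dict:
    """Monte Carlo cost risk analysis: on each iteration decide whether each
    event occurs and draw its loss from a triangular distribution spanning
    50%..150% of the point estimate. Returns the mean and 95th-percentile
    annual loss (positive magnitudes)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for e in events:
            if rng.random() < e.probability:
                total += rng.triangular(0.5 * e.loss, 1.5 * e.loss, e.loss)
        totals.append(total)
    totals.sort()
    return {"mean_loss": sum(totals) / iterations, "p95_loss": totals[int(0.95 * iterations)]}


if __name__ == "__main__":
    print("EMV (accept):", emv(EVENTS))
    print(compare_responses(EVENTS, control_cost=20_000.0, reduced={"ransomware outage": 0.02}))
    print("sensitivity:", sensitivity(EVENTS))
    print("simulation:", simulate(EVENTS))
```

The simulation's mean converges on the analytic EMV (the symmetric triangular distribution has the point estimate as its mean), while its 95th percentile is far larger than the mean: that tail figure, not the average, is what a budget for a bad year has to cover, and it is something the EMV alone does not show.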
Strategies: Selection & Implementation
• Risk treatment is about considering options for treating risks that were not considered acceptable or tolerable.
• Risk treatment involves identifying options for treating or controlling risk, in order to either reduce or eliminate negative consequences, or to reduce the likelihood of an adverse occurrence.
• Risk control should also aim to enhance positive outcomes.
• Organizations can respond to risk in a variety of ways. These include:
– (i) risk acceptance
– (ii) risk avoidance
– (iii) risk mitigation
– (iv) risk sharing
– (v) risk transfer
– (vi) a combination of the above.
• Risk Acceptance: Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.
• Risk Avoidance: Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk.
• Risk Mitigation: Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred.
• Risk mitigation involves taking action to reduce an organization’s exposure to potential risks and reduce the likelihood that those risks will happen again.
• Risk Sharing or Transfer: Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations.
• Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies).
• It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation.
Monitor and Review
• Monitor and review is an essential and integral step in the risk management process.
• An owner of the organization must monitor risks and review the effectiveness of the treatment plan, strategies and management system that have been set up to effectively manage risk.
• Risks need to be monitored periodically to ensure changing circumstances do not alter the risk priorities. Very few risks will remain static; therefore the risk management process needs to be regularly repeated, so that new risks are captured in the process and effectively managed.
Thank You