ITEC 85 Lesson 4: Risk Management PDF

ITEC 85 Lesson 4 RISK MANAGEMENT I N F O R M A T I O N A S S U R A N C E & S E C U R I T Y Risk Management The process of identifying, assessing and controlling threats to an organization's capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters. Security Management A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include: ⚬ organizational IT security objectives, strategies and policies ⚬ determining organizational IT security requirements ⚬ identifying and analyzing security threats to IT assets ⚬ identifying and analyzing risks ⚬ specifying appropriate safeguards ⚬ monitoring the implementation and operation of safeguards ⚬ developing and implement a security awareness program ⚬ detecting and reacting to incidents ISO 27000 Security Standards IT Security Management Process Plan - Do - Check – Act (Deming Cycle) PLAN: establish policy; define objectives and processes DO: implement and operate policy, controls, processes CHECK: assess and measure and report results ACT: take corrective and preventative actions (based on audits) Organizational Context and Security Policy first examine organization’s IT security: ⚬ objectives - wanted IT security outcomes ⚬ strategies - how to meet objectives ⚬ policies - identify what needs to be done maintained and updated regularly ⚬ using periodic security reviews ⚬ reflect changing technical/risk environments Security Policy: Topics to Cover needs to address: ⚬ scope and purpose including relation of objectives to business, legal, regulatory requirements ⚬ IT security requirements ⚬ assignment of responsibilities ⚬ risk management approach ⚬ security awareness and training ⚬ general personnel issues and any legal sanctions ⚬ integration of security into systems development ⚬ information classification scheme ⚬ contingency and business continuity planning ⚬ incident detection and handling processes ⚬ how when policy reviewed, and change control to it Management Support IT security policy must be supported by senior management need IT security officer ⚬ to provide consistent overall supervision ⚬ manage process ⚬ handle incidents large organizations needs IT security officers on major projects/teams ⚬ manage process within their areas Security Risk Assessment critical component of process ⚬ else may have vulnerabilities or waste money ideally examine every asset vs risk ⚬ not feasible in practice choose one of possible alternatives based on organization’s resources and risk profile ⚬ baseline ⚬ informal ⚬ formal ⚬ combined Baseline Approach use “industry best practice” ⚬ easy, cheap, can be replicated ⚬ but gives no special consideration to org ⚬ may give too much or too little security implement safeguards against most common threats baseline recommendations and checklist documents available from various bodies alone only suitable for small organizations Informal Approach conduct informal, pragmatic risk analysis on organization’s IT systems exploits knowledge and expertise of analyst fairly quick and cheap does address some org specific issues some risks may be incorrectly assessed skewed by analysts views, varies over time suitable for small to medium sized orgs Detailed Risk Analysis most comprehensive alternative assess using formal structured process ⚬ with a number of stages ⚬ identify likelihood of risk and consequences ⚬ hence have confidence controls appropriate costly and slow, requires expert analysts may be a legal requirement to use suitable for large organizations with IT systems critical to their business objectives Combined Approach combines elements of other approaches ⚬ initial baseline on all systems ⚬ informal analysis to identify critical risks ⚬ formal assessment on these systems ⚬ iterated and extended over time better use of time and money resources better security earlier that evolves may miss some risks early recommended alternative for most orgs Detailed Risk Analysis Process Establish Context determine broad risk exposure of org ⚬ related to wider political/social environment ⚬ legal and regulatory constraints specify organization’s risk appetite set boundaries of risk assessment ⚬ partly on risk assessment approach used decide on risk assessment criteria used Asset Identification identify assets ⚬ “anything which needs to be protected” ⚬ of value to organization to meet its objectives ⚬ tangible or intangible ⚬ in practice try to identify significant assets draw on expertise of people in relevant areas of organization to identify key assets ⚬ identify and interview such personnel ⚬ see checklists in various standards Terminology Threat Identification to identify threats or risks to assets ask ⚬ who or what could cause it harm? ⚬ how could this occur? threats are anything that hinders or prevents an asset providing appropriate levels of the key security services: ⚬ confidentiality, integrity, availability, accountability, authenticity and reliability assets may have multiple threats Threat Sources threats may be ⚬ natural “acts of god” ⚬ man-made and either accidental or deliberate should consider human attackers ⚬ motivation ⚬ capability ⚬ resources ⚬ probability of attack ⚬ deterrence any previous history of attack on org Threat Identification depends on risk assessors experience uses variety of sources ⚬ natural threat chance from insurance stats ⚬ lists of potential threats in standards, IT security surveys, info from governments ⚬ tailored to organization’s environment ⚬ and any vulnerabilities in its IT systems Vulnerability Identification identify exploitable flaws or weaknesses in organization’s IT systems or processes hence determine applicability and significance of threat to organization need combination of threat and vulnerability to create a risk to an asset again can use lists of potential vulnerabilities in standards etc Analyze Risks specify likelihood of occurrence of each identified threat to asset given existing controls ⚬ management, operational, technical processes and procedures to reduce exposure of org to some risks specify consequence should threat occur hence derive overall risk rating for each threat risk = probability threat occurs x cost to organization in practice very hard to determine exactly use qualitative not quantitative, ratings for each aim to order resulting risks in order to treat them Determine Likelihood Determine Consequence Determine Resultant Risk Document in Risk Register and Evaluate Risks Risk Treatment Risk Treatment Alternatives risk acceptance: accept risk (perhaps because of excessive cost of risk treatment) risk avoidance: do not proceed with the activity that causes the risk (loss of convenience) risk transfer: buy insurance; outsource reduce consequence: modify the uses of an asset to reduce risk impact (e.g., offsite backup) reduce likelihood: implement suitable controls Assets integrity of stored file and database information availability, integrity of financial system availability, integrity of procurement system availability, integrity of maintenance/production system availability, integrity and confidentiality of mail services Threats & Vulnerabilities unauthorized modification of control system corruption, theft, loss of info attacks/errors affecting procurement system attacks/errors affecting financial system attacks/errors affecting mail system attacks/errors maintenance/production affecting system Risk Register Summary detailed need to perform risk assessment as part of IT security management process relevant security standards presented risk assessment alternatives detailed risk assessment process involves ⚬ context including asset identification ⚬ identify threats, vulnerabilities, risks ⚬ analyse and evaluate risks

ITEC 85 Lesson 4: Risk Management PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue