SlideShare ist ein Scribd-Unternehmen logo

CNIT 160 Cybersecurity Risk Management Life Cycle

Sam Bowne
Sam Bowne

The document discusses risk management methodologies and frameworks including the risk management life cycle. It describes several frameworks and standards for risk management including NIST SP 800-39, NIST SP 800-30, ISO/IEC 27005, and Factor Analysis of Information Risk (FAIR). It outlines the key steps and processes in each standard/framework for conducting risk assessments and managing risks.

Bildung
1 von 38
Downloaden Sie, um offline zu lesen
CNIT 160: Cybersecurity Responsibilities 3. Information Risk Management Part 2 Pages 114 - 126
Topics • Part 1 (p. 102 - 115) • Risk Management Concepts • Implementing a Risk Management Program • Part 2 (p. 114 - 125) • The Risk Management Life Cycle • Part 3 (p. 125 - 158) • The Risk Management Life Cycle • Part 4 (p. 158 - 182) • Operational Risk Management
The Risk Management Life Cycle • Cyclical, iterative process to • Acquire, analyze, and treat risks • Formally defined in policy and process documents • Defining scope, roles and responsibilities, workflow, business rules, and business records
The Risk Management Life Cycle • Several frameworks and standards • Risk assessments
The Risk Management Life Cycle
The Risk Management Process • Scope definition • Asset identification and valuation • Risk appetite • Risk identification • Risk assessment • Vulnerability assessment • Threat advisory • Risk analysis
The Risk Management Process • Risk analysis • Probability of event occurrence • Impact of event occurrence • Mitigation • Recommendation
The Risk Management Process • Risk treatment • Accept • Mitigate • Transfer • Avoid • Risk communication
Risk Avoidance
Risk Register • List of identified risks, with • Description • Level and type • Risk treatment decisions • Also called a risk ledger
Ch 3b-1
Risk Management Methodologies • NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View" • NIST SP 800-30 "Guide for Conducting Risk Assessments" • ISO/IEC 27005 • Factor Analysis of Information Risk (FAIR)
NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View"
NIST SP 800-39 • Multilevel risk management • Information systems level • Mission/business process level • Overall organization level • Risks are communicated upward • Risk awareness and risk decisions are communicated downward
NIST SP 800-39
NIST SP 800-39
• Risk management process • Step 1: Risk framing • Step 2: Risk assessment • Step 3: Risk response • Step 4: Risk monitoring NIST SP 800-39
NIST SP 800-30 "Guide for Conducting Risk Assessments"
NIST SP 800-30 • Standard methodology for conducting a risk assessment • Quite structured • A number of worksheets recording • Threats and vulnerabilities • Probability of occurrence • Impact
NIST SP 800-30 • Steps for conducting a risk assessment • Step 1: Prepare for assessment • Determine purpose, scope, and • Source of threat, vulnerability, and impact information • MIST 800-30 has example lists
NIST SP 800-30 • Step 2: Conduct assessment • A. Identify threat sources and events
NIST SP 800-30 • B. Identify vulnerabilities and predisposing conditions
NIST SP 800-30 • C. Determine likelihood of occurrence
NIST SP 800-30 • D. Determine magnitude of impact
NIST SP 800-30 • E. Determine risk
NIST SP 800-30 • Step 3: Communicate results • Step 4: Maintain assessment • Monitor risk factors
ISO/IEC 27005
ISO/IEC 27005 • International standard • Defines a structured approach • To risk assessments and risk management
ISO/IEC 27005 • Step 1: Establish context • Scope, purpose • Criteria for evaluating risk, impact • Risk acceptance criteria • Logistical plan
ISO/IEC 27005 • Step 2: Risk assessment • Asset identification • Threat identification • Control identification • Vulnerability identification • Consequences identification
ISO/IEC 27005 • Step 3: Risk evaluation • Step 4: Risk treatment • Risk reduction (also called mitigation) • Risk retention (also called acceptance) • Risk avoidance • Risk transfer • Residual risk remains
ISO/IEC 27005 Step 5: Risk communication
ISO/IEC 27005 Step 6: Risk monitoring and review
Factor Analysis of Information Risk (FAIR)
FAIR • An analysis method for • Factors that contribute to risk • Probability of threat occurrence • Estimation of loss
FAIR • Six types of loss • Productivity • Response • Replacement • Fines and judgments • Competitive advantage • Reputation
FAIR • Ways a threat agent acts upon an asset • Access • Misuse • Disclose • Modify • Deny use
Ch 3b-2

Empfohlen

CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementSam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramSam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleSam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleSam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 

Empfohlen

CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementSam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramSam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleSam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleSam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementSam Bowne
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceSam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsSam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentSam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)Sam Bowne
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementSam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: IntroductionSam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesSam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset SecuritySam Bowne
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureKarthikeyan Dhayalan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
project managmnet
project managmnetproject managmnet
project managmnetdarshan942
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurancea3virani
 
Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment KateKazhan
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12Mulyadi Yusuf
 

Weitere ähnliche Inhalte

Was ist angesagt?

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceSam Bowne
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsSam Bowne
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentSam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)Sam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)Sam Bowne
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementSam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: IntroductionSam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)Sam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesSam Bowne
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset SecuritySam Bowne
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureKarthikeyan Dhayalan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
project managmnet
project managmnetproject managmnet
project managmnetdarshan942
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurancea3virani
 

Was ist angesagt? (20)

CNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security GovernanceCNIT 160: Ch 2a: Introduction to Information Security Governance
CNIT 160: Ch 2a: Introduction to Information Security Governance
 
Ch 3a: Risk Management Concepts
Ch 3a: Risk Management ConceptsCh 3a: Risk Management Concepts
Ch 3a: Risk Management Concepts
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
CNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk ManagementCNIT 160 3a Information Risk Management
CNIT 160 3a Information Risk Management
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architectureCISSP - Chapter 3 - System security architecture
CISSP - Chapter 3 - System security architecture
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development Security
 
project managmnet
project managmnetproject managmnet
project managmnet
 
Professional Designations IT Assurance
Professional Designations IT AssuranceProfessional Designations IT Assurance
Professional Designations IT Assurance
 

Ähnlich wie CNIT 160 Cybersecurity Risk Management Life Cycle

Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment KateKazhan
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...AMIT SAHU
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –AMIT SAHU
 
Quality Risk Management
Quality Risk ManagementQuality Risk Management
Quality Risk ManagementRuchir Shah
 
Risk management - A short course
Risk management - A short courseRisk management - A short course
Risk management - A short courseMalcolm Peart
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfMUST
 

Ähnlich wie CNIT 160 Cybersecurity Risk Management Life Cycle (20)

Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment Lecture 02. OSH Risk Assessment
Lecture 02. OSH Risk Assessment
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
10- PMP Training - Risk Management
10- PMP Training - Risk Management 10- PMP Training - Risk Management
10- PMP Training - Risk Management
 
ICH Q9 Quality Risk Management
ICH Q9 Quality Risk ManagementICH Q9 Quality Risk Management
ICH Q9 Quality Risk Management
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –
 
Quality Risk Management
Quality Risk ManagementQuality Risk Management
Quality Risk Management
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
Risk management - A short course
Risk management - A short courseRisk management - A short course
Risk management - A short course
 
Rmp
RmpRmp
Rmp
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
PECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEsPECB Webinar: Risk-management in IT intensive SMEs
PECB Webinar: Risk-management in IT intensive SMEs
 
Session 18 4th edition PMP
Session 18 4th edition PMPSession 18 4th edition PMP
Session 18 4th edition PMP
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Risk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approachRisk assessment managment and risk based audit approach
Risk assessment managment and risk based audit approach
 
Project managment 10
Project managment 10Project managment 10
Project managment 10
 
PROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdfPROJECT RISK MANAGEMENT.pdf
PROJECT RISK MANAGEMENT.pdf
 

Mehr von Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

Mehr von Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Kürzlich hochgeladen

Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 

Kürzlich hochgeladen (20)

Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 

CNIT 160 Cybersecurity Risk Management Life Cycle

  • 1. CNIT 160: Cybersecurity Responsibilities 3. Information Risk Management Part 2 Pages 114 - 126
  • 2. Topics • Part 1 (p. 102 - 115) • Risk Management Concepts • Implementing a Risk Management Program • Part 2 (p. 114 - 125) • The Risk Management Life Cycle • Part 3 (p. 125 - 158) • The Risk Management Life Cycle • Part 4 (p. 158 - 182) • Operational Risk Management
  • 3. The Risk Management Life Cycle • Cyclical, iterative process to • Acquire, analyze, and treat risks • Formally defined in policy and process documents • Defining scope, roles and responsibilities, workflow, business rules, and business records
  • 4. The Risk Management Life Cycle • Several frameworks and standards • Risk assessments
  • 6. The Risk Management Process • Scope definition • Asset identification and valuation • Risk appetite • Risk identification • Risk assessment • Vulnerability assessment • Threat advisory • Risk analysis
  • 7. The Risk Management Process • Risk analysis • Probability of event occurrence • Impact of event occurrence • Mitigation • Recommendation
  • 8. The Risk Management Process • Risk treatment • Accept • Mitigate • Transfer • Avoid • Risk communication
  • 10. Risk Register • List of identified risks, with • Description • Level and type • Risk treatment decisions • Also called a risk ledger
  • 12. Risk Management Methodologies • NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View" • NIST SP 800-30 "Guide for Conducting Risk Assessments" • ISO/IEC 27005 • Factor Analysis of Information Risk (FAIR)
  • 13. NIST SP 800-39 "Managing Information Security Risk: Organization, Mission, and Information, System View"
  • 14. NIST SP 800-39 • Multilevel risk management • Information systems level • Mission/business process level • Overall organization level • Risks are communicated upward • Risk awareness and risk decisions are communicated downward
  • 17. • Risk management process • Step 1: Risk framing • Step 2: Risk assessment • Step 3: Risk response • Step 4: Risk monitoring NIST SP 800-39
  • 18. NIST SP 800-30 "Guide for Conducting Risk Assessments"
  • 19. NIST SP 800-30 • Standard methodology for conducting a risk assessment • Quite structured • A number of worksheets recording • Threats and vulnerabilities • Probability of occurrence • Impact
  • 20. NIST SP 800-30 • Steps for conducting a risk assessment • Step 1: Prepare for assessment • Determine purpose, scope, and • Source of threat, vulnerability, and impact information • MIST 800-30 has example lists
  • 21. NIST SP 800-30 • Step 2: Conduct assessment • A. Identify threat sources and events
  • 22. NIST SP 800-30 • B. Identify vulnerabilities and predisposing conditions
  • 23. NIST SP 800-30 • C. Determine likelihood of occurrence
  • 24. NIST SP 800-30 • D. Determine magnitude of impact
  • 25. NIST SP 800-30 • E. Determine risk
  • 26. NIST SP 800-30 • Step 3: Communicate results • Step 4: Maintain assessment • Monitor risk factors
  • 28. ISO/IEC 27005 • International standard • Defines a structured approach • To risk assessments and risk management
  • 29. ISO/IEC 27005 • Step 1: Establish context • Scope, purpose • Criteria for evaluating risk, impact • Risk acceptance criteria • Logistical plan
  • 30. ISO/IEC 27005 • Step 2: Risk assessment • Asset identification • Threat identification • Control identification • Vulnerability identification • Consequences identification
  • 31. ISO/IEC 27005 • Step 3: Risk evaluation • Step 4: Risk treatment • Risk reduction (also called mitigation) • Risk retention (also called acceptance) • Risk avoidance • Risk transfer • Residual risk remains
  • 32. ISO/IEC 27005 Step 5: Risk communication
  • 33. ISO/IEC 27005 Step 6: Risk monitoring and review
  • 35. FAIR • An analysis method for • Factors that contribute to risk • Probability of threat occurrence • Estimation of loss
  • 36. FAIR • Six types of loss • Productivity • Response • Replacement • Fines and judgments • Competitive advantage • Reputation
  • 37. FAIR • Ways a threat agent acts upon an asset • Access • Misuse • Disclose • Modify • Deny use