Security Risk Management
By Brijesh Singh
Agenda
 Overview
 Reactive vs. Proactive Approaches
 Quantitative vs. Qualitative Risk Management
 Assessing Risk
 Conducting Decision Support
 Implementing Controls
 Measuring Program Effectiveness
Introduction – why, who, what?
 Why this guide?
-- The environmental challenge
-- New legislation
-- Lack of in-house expertise, budget resources, and guidelines for outsourcing
 Who should read this guide?
-- Architects and planners
-- Members of the information security team
-- Security and IT auditors
-- Senior executives, business analysts and business decision makers (BDMs)
-- Consultants and partners
 What is in the guide?
-- Survey of security risk management practice
-- The Security Risk Management Process, in four phases:
   Assessing Risk
   Conducting Decision Support
   Implementing Controls
   Measuring Program Effectiveness
Reactive Approaches to Risk Management
Protecting human life and people's safety should always be your first priority.
Containing the harm that the attack caused helps to limit additional damage.
Determine the extent of the damage that the attack caused right after you contain the situation and duplicate the hard disks.
Understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services.
Damage should be repaired as quickly as possible to restore normal business operations and recover data lost during the attack.
Review the process thoroughly. Determine with your team the steps that were executed successfully and what mistakes were made.
Proactive Approaches to Risk Management
 Instead of waiting for bad things to happen and
then responding to them afterwards, you minimize
the possibility of the bad things ever occurring in
the first place.
 Common high-level procedures:
-- Identify business assets.
-- Determine what damage an attack against an asset could cause to the organization.
-- Identify the security vulnerabilities that the attack could exploit.
-- Determine how to minimize the risk of attack by implementing appropriate controls.
Approaches to Risk Prioritization -- Quantitative Risk Management
 The goal is to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis.
 Valuing Assets: the overall value of the asset to your organization; the immediate financial impact of losing the asset; the indirect business impact of losing the asset.
 Determining the Single Loss Expectancy (SLE): SLE is the total amount of revenue that is lost from a single occurrence of the risk.
 Determining the Annual Rate of Occurrence (ARO): ARO is the number of times that you reasonably expect the risk to occur during one year.
 Determining the Annual Loss Expectancy (ALE): ALE is the total amount of money that your organization will lose in one year if nothing is done to mitigate the risk.
 Determining the Cost of Controls: requires accurate estimates of how much acquiring, testing, deploying, operating, and maintaining each control would cost.
 Return on Security Investment (ROSI): ROSI = ALE before control – ALE after control – annual cost of controls.
 The results of the quantitative risk analysis:
-- Assigned monetary values for assets
-- A comprehensive list of significant threats
-- The probability of each threat occurring
-- The loss potential for the company on a per-threat basis over 12 months
-- Recommended safeguards, controls, and actions
Approaches to Risk Prioritization -- Qualitative Risk Management
 The basic process is very similar to what happens in the quantitative approach.
 The difference is in the details:
-- You calculate relative values rather than assigning hard financial values to assets, expected losses, and the cost of controls.
-- Risk analysis is usually conducted through a combination of questionnaires and collaborative workshops involving people from a variety of groups within the organization.
 The results are presented to management for consideration during a cost-benefit analysis.
Comparing the two approaches:
 Quantitative -- benefits:
-- Risks are prioritized by financial impact; assets are prioritized by financial values.
-- Results facilitate management of risk by return on security investment.
-- Results can be expressed in management-specific terminology (e.g., monetary values and probability expressed as a specific percentage).
-- Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.
 Qualitative -- benefits:
-- Enables visibility and understanding of risk ranking.
-- Easier to reach consensus.
-- Not necessary to quantify threat frequency.
-- Not necessary to determine financial values of assets.
-- Easier to involve people who are not experts on security or computers.
 Quantitative -- drawbacks:
-- Impact values assigned to risks are based on subjective opinions of participants.
-- Process to reach credible results and consensus is very time consuming.
-- Calculations can be complex and time consuming.
-- Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
-- Process requires expertise, so participants cannot be easily
 Qualitative -- drawbacks:
-- Insufficient differentiation between important risks.
-- Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
-- Results are dependent upon the quality of the risk management team that is created.
Microsoft Security Risk Management Process
 A hybrid approach that joins the best elements of the two traditional approaches.
 Significantly simpler than traditional quantitative risk management.
 Minimizes resistance to the results of the risk analysis and decision support phases.
 Enables consensus to be reached more quickly and maintained throughout the process.
Risk Management vs. Risk Assessment
 Goal -- Risk management: manage risks across the business to an acceptable level. Risk assessment: identify and prioritize risks.
 Cycle -- Risk management: the overall program across all four phases. Risk assessment: a single phase of the risk management program.
 Schedule -- Risk management: ongoing. Risk assessment: as needed.
 Alignment -- Risk management: aligned with budgeting cycles. Risk assessment: N/A.
Communicating Risk
Determining Risk Management Maturity Level
 There are 6 levels:
-- 0 Non-existent
-- 1 Ad Hoc
-- 2 Repeatable
-- 3 Defined Process
-- 4 Managed
-- 5 Optimized
 Self-assessment: given a list of questions, score your organization from 0 to 5 on each question based on the level definitions, then add all of the scores together.
-- >= 52: the organization is well prepared to introduce and use the Microsoft security risk management process to its fullest extent.
-- 34 to 50: the organization has taken many significant steps to control security risks and is ready to gradually introduce the process.
-- < 34: the organization should consider starting very slowly with the Microsoft security risk management process by creating the core security risk management team and applying the process to a single business unit for the first few months.
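The self-assessment scoring above, as an added example (not code from the original slides): each question is scored 0 to 5 against the level definitions, the scores are totalled, and the total is mapped to the deck's readiness bands. The question list is a constructed sample, the band names are my own, and a total of 51 falls between the deck's stated thresholds, so the code reports it rather than guessing a band.

```python
"""Maturity self-assessment scoring as described in the deck.
Example code added here, not from the original slides."""

# The six maturity levels named in the deck.
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Ad Hoc",
    2: "Repeatable",
    3: "Defined Process",
    4: "Managed",
    5: "Optimized",
}


def total_score(scores: dict) -> int:
    """Validate each per-question score (integer 0..5) and add them together."""
    for question, score in scores.items():
        if isinstance(score, bool) or not isinstance(score, int) or score not in MATURITY_LEVELS:
            raise ValueError(f"{question!r}: score must be an integer from 0 to 5")
    return sum(scores.values())


def readiness(total: int) -> str:
    """Map a total score to the deck's readiness bands.
    The deck gives >= 52, 34 to 50, and < 34; a total of 51 is not covered,
    so it is reported as unclassified instead of being silently rounded."""
    if total >= 52:
        return "full"          # use the process to its fullest extent
    if 34 <= total <= 50:
        return "gradual"       # introduce the process gradually
    if total < 34:
        return "slow"          # core team first, one business unit for a few months
    return "unclassified"      # total == 51


def assess(scores: dict) -> dict:
    """Total the scores and report the band alongside the maximum possible."""
    total = total_score(scores)
    return {"total": total, "maximum": 5 * len(scores), "readiness": readiness(total)}


if __name__ == "__main__":
    # Constructed sample answers (12 hypothetical questions, scored against the level definitions).
    sample = {
        "Security policy is documented and approved": 4,
        "Assets are inventoried and classified": 3,
        "Threats and vulnerabilities are reviewed on a schedule": 3,
        "Risk owners are assigned": 2,
        "Controls are selected through cost-benefit analysis": 2,
        "Control effectiveness is measured": 1,
        "Risk assessment aligns with the budget cycle": 3,
        "Executive sponsorship exists": 4,
        "Incident lessons feed back into risk planning": 2,
        "Risk scorecard is maintained": 1,
        "Staff receive risk management training": 2,
        "Process is reviewed for improvement opportunities": 1,
    }
    print(assess(sample))
```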
Defining Roles and Responsibilities
Assessing Risk -- Identify and prioritize risks to the business
 Planning — Building the foundation for a successful risk assessment.
 Facilitated data gathering — Collecting risk information through facilitated risk discussions.
 Risk prioritization — Ranking identified risks in a consistent and repeatable process.
Assessing Risk -- Planning
 Alignment: Proper timing aids in building consensus during the assessment because it allows stakeholders to take active roles in the planning process. Proper alignment of the risk management process with the budget planning cycle also benefits internal and external auditing activities.
 Scope: The risk assessment scope should document all organizational functions included in the risk assessment.
 Stakeholder Acceptance: A best practice for enlisting stakeholder support is to pre-sell the concept and the activities within the risk assessment.
 Preparing for Success: Setting reasonable expectations is critical if the risk assessment is to be successful.
 Embracing Subjectivity
Facilitated Data Gathering
 Keys to success: building support; discussing vs. interrogating; building goodwill.
 Risk discussion preparation:
-- Identifying risk assessment inputs
-- Identifying and classifying assets
-- Organizing risk information
-- Organizing by defense-in-depth layers
-- Defining threats and vulnerabilities
-- Estimating asset exposure
-- Estimating probability of threats
 Facilitating risk discussions
Prioritize Risks
 Primary tasks and deliverables
-- Task One: Build the summary level list using broad categorizations to estimate the probability of impact to the organization.
   Output: Summary level list to quickly identify priority risks to the organization.
-- Task Two: Review the summary level list with stakeholders to begin building consensus on priority risks and to select the risks for the detailed level list.
-- Task Three: Build the detailed level list by examining detailed attributes of each risk in the current business environment. This includes guidance to determine a quantitative estimate for each risk.
   Output: Detailed level list providing a close look at the top risks to the organization.
 Conducting summary level risk prioritization
-- Task One – Determine the impact value from the impact statements collected in the data gathering process.
-- Task Two – Estimate the probability of the impact for the summary level list.
-- Task Three – Complete the summary level list by combining the impact and probability values for each risk statement.
 Reviewing with stakeholders
 Building the detailed level list of risks
-- Determine impact and exposure
-- Identify current controls
-- Determine probability of impact
-- Determine detailed risk level
 Quantifying risks
-- Assign a monetary value to each asset class for your organization
-- Input the asset value for each risk
-- Produce the Single Loss Expectancy value
-- Determine the Annual Rate of Occurrence
-- Determine the Annual Loss Expectancy
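The two quantitative passages in this deck (the SLE/ARO/ALE/ROSI definitions under Quantitative Risk Management and the summary-level-then-quantify steps above) worked through in one added example, not code from the original slides. All money figures and risk statements are constructed; the ordinal scale for the broad impact/probability categories, the product rule for combining them, and the use of an exposure factor to derive SLE from asset value are my assumptions, since the deck does not fix them.

```python
"""Summary-level ranking, then asset value -> SLE -> ARO -> ALE, then ROSI
for a proposed control. Example code added here, not from the original slides."""
from dataclasses import dataclass, replace

# Assumed ordinal scale for the deck's broad impact/probability categorizations.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class SummaryRisk:
    statement: str
    impact: str       # "Low" | "Medium" | "High"
    probability: str  # "Low" | "Medium" | "High"

    def level(self) -> int:
        """Combine impact and probability into one summary risk level
        (product of the two ordinal values is the assumed rule)."""
        return LEVELS[self.impact] * LEVELS[self.probability]


def summary_level_list(risks):
    """Task Three of summary-level prioritization: rank so priority risks surface first."""
    return sorted(risks, key=lambda r: (-r.level(), r.statement))


@dataclass(frozen=True)
class DetailedRisk:
    statement: str
    asset_value: float      # monetary value assigned to the asset class
    exposure_factor: float  # assumed: fraction of asset value lost per occurrence, 0..1
    aro: float              # Annual Rate of Occurrence (expected events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from a single occurrence of the risk."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE multiplied by ARO."""
        return self.sle() * self.aro


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on Security Investment exactly as the deck defines it."""
    return ale_before - ale_after - annual_control_cost


def evaluate_control(risk: DetailedRisk, annual_control_cost: float,
                     exposure_factor=None, aro=None) -> dict:
    """Model a control as a lower exposure factor and/or lower ARO, then
    report ALE before and after and whether the ROSI is positive."""
    changes = {}
    if exposure_factor is not None:
        changes["exposure_factor"] = exposure_factor
    if aro is not None:
        changes["aro"] = aro
    controlled = replace(risk, **changes)  # re-runs the validation above
    before, after = risk.ale(), controlled.ale()
    value = rosi(before, after, annual_control_cost)
    return {"ale_before": before, "ale_after": after, "rosi": value, "worthwhile": value > 0}


if __name__ == "__main__":
    # Constructed risk statements for the summary level list.
    summary = [
        SummaryRisk("Customer database exposed through stolen credentials", "High", "Medium"),
        SummaryRisk("Laptop with unencrypted disk stolen", "Low", "High"),
        SummaryRisk("Public web server defaced", "Medium", "Low"),
    ]
    for r in summary_level_list(summary):
        print(r.level(), r.statement)

    # Constructed detailed figures for the top risk and one proposed control
    # (assumed effect of multi-factor authentication: ARO falls from 0.5 to 0.125).
    db = DetailedRisk("Customer database exposed through stolen credentials",
                      asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
    print(evaluate_control(db, annual_control_cost=50_000, aro=0.125))
```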
Conducting Decision Support
 Define functional requirements.
 Select control solutions.
 Review solutions against the requirements.
 Estimate the degree of risk reduction that each control provides.
 Estimate the costs of each solution.
 Select the risk mitigation strategy.
Implementing Controls and Measuring Program Effectiveness
 Implementing Controls phase
-- Deploy and operate control solutions to reduce risk to the business.
-- Seek a holistic approach – Incorporate people, process, and technology in the mitigation solution.
-- Organize by defense-in-depth – Organize mitigation solutions across the business.
 Measuring Program Effectiveness phase
-- This phase is ongoing: the Security Risk Management Team periodically verifies that the controls implemented during the preceding phase are actually providing the expected degree of protection.
-- Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.
-- Evaluate the risk management program for opportunities to improve.
-- Develop a risk scorecard – Understand risk posture and progress.
Level of Effort
THANKS FOR WATCHING
BRIJESH SINGH