Module LVII - Risk Assessment
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Taxpayer Data at IRS Remains
Vulnerable, GAO Warns
January 13, 2009 (Computerworld) Less than three months after the Treasury Inspector General for Tax
Administration reported that there were major security vulnerabilities in two crucial Internal Revenue
Service systems, the IRS's security practices have been panned by another government entity.
This time, the criticism comes from the Government Accountability Office, which last week released a
report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment
examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous
GAO audit.
The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected
at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security
issues, several critical areas remain vulnerable.
For example, the IRS still does not always enforce strong password management rules for identifying and
authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also
noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be
"readily available" to any user on its networks. Weak passwords and excessive access on the network for
authenticated users were also cited as potential threats to taxpayer data.
Source: http://www.computerworld.com/
Module Objective
This module will familiarize you with:
• Risk
• Security Planning
• Risk Management
• Risk Analysis
• Risk Policy
• Risk Assessment
• Approval to Operate (ATO) and Interim Approval to Operate (IATO)
• Risk Assessment Process
• Analyze Threats and Vulnerabilities of an Information System
• Residual Risk
• Cost/benefit Analysis
• Risk Acceptance
• Risk Analysts
• Risk Mitigation
• Role of Documentation in Reducing Risk
Module Flow
Risk → Security Planning → Risk Management → Risk Analysis → Risk Policy → Risk Assessment → ATO and IATO → Risk Assessment Process → Analyze Threats and Vulnerabilities of an Information System → Residual Risk → Cost/benefit Analysis → Risk Acceptance → Risk Analysts → Risk Mitigation → Role of Documentation in Reducing Risk
Risk
Risk is a measure of possible inability to achieve a goal, objective, or
target within defined security, cost, plan, and technical limitations
It refers to a possibility of loss resulting from a hazard, security incident,
or event
It adversely affects the organization’s operations and revenues
Risk = (Probability of event occurring) × (Impact of event occurring)
Security Planning
Security planning helps in managing and reducing the probability of risk
Security planning involves:
• Risk Analysis
• Roles and responsibilities of the team/personnel
• Configuration of the system
• Antivirus controls and Intrusion Detection
• Physical Security
• Network Security
• Data access
• Outsourcing
• Policies and Procedures
• Planning a Team
Risk Management
Risk management is the process of identifying risk, addressing risk, and
taking steps to eliminate it or reduce it to an acceptable level
Risk management involves:
• Identifying risks
• Analyzing risks
• Developing strategies to manage identified risks
• Implementing risk mitigation plans
• Managing efforts accordingly
Importance of Risk Management
Protects an organization’s information assets
Protects the organization and enables it to accomplish its mission
Minimizes the effect of risk on an organization’s assets and earnings
Creates new corporate value
Helps organizations control the mission risks that arise from their IT systems
Allows organizations to balance the operational and financial costs of
protective measures against the gains in mission capability they provide
Helps the organization’s management identify the controls that provide the
security capabilities essential to its mission
Principle of Risk Management
• It is a practice of coming up with other options so that the risk in question
is not realized
Risk Avoidance:
• It is a practice of transferring the risk in question to another entity
Risk Transfer:
• It includes all the procedures and practices to eliminate or considerably
decrease the level of risk
Risk Mitigation:
• In some cases, it is vital for an organization to accept the risk present in
some entities
• Risk acceptance is a practice of accepting some risks
Risk Acceptance:
IT Security Risk Management
IT security risk management comprises:
Risk mitigation process:
• Provides information regarding “how to reduce exposure to identified risks”
Risk domains:
• Identify the sources of primary and secondary attacks
Risk exposure:
• Provides an analysis of the organization’s exposure to threats and vulnerabilities
Risk analysis:
• Provides an end-to-end method for identifying risk and planning its mitigation
Risk Analysis
Risk analysis is the method that defines the procedures through which an
organization can survive a disruptive event or reduce the probability of risks
It analyzes five elements:
• Assets (resources of an organization)
• Disruptive events (disasters or threats to an organization)
• Vulnerabilities (weaknesses of an organization)
• Losses (due to the occurrence of the disruptive event)
• Safeguards (preventive measures against vulnerabilities)
Business Impact Analysis (BIA)
Step-by-step approach to conduct a successful Business Impact Analysis (BIA):
Define the gross profit and net profit generated by your organization in the year
Define the critical business systems operated by your organization
Categorize each system as business critical, important, or non-critical
Define the systems that have cross dependencies
Approximate the impacts (financial, revenue, and non-revenue impacts) related to each system
Estimate the cost to recover operations for each system
Discover the Maximum Acceptable Outage (MAO) for each system
Define potential system threats and the probability at which they may occur
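The BIA steps above call for each system's MAO, its cross-dependencies, and a criticality category. The following script, added here as an illustration and not code from the EC-Council module, shows why the three have to be combined: a system that looks non-critical on its own may be a prerequisite of a business-critical system and therefore inherits that system's outage tolerance. The propagation rule (a supporting system's effective MAO is the tightest MAO of anything depending on it, and it inherits the highest category among its dependents), the three category names, and the sample inventory are assumptions made for the example.

```python
"""BIA: propagate MAO and criticality across system dependencies.

Added illustration, not code from the EC-Council module. The propagation
rule, the category names and the sample inventory are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Categories from the BIA "categorize each system" step, ranked so the
# higher rank wins when criticality is inherited (assumed names).
CATEGORY_RANK = {"non-critical": 0, "important": 1, "business-critical": 2}


@dataclass
class System:
    name: str
    mao_hours: float                 # Maximum Acceptable Outage found in the BIA
    category: str                    # category assigned on the system's own merits
    depends_on: list[str] = field(default_factory=list)   # cross-dependencies


def propagate(systems: dict[str, System]) -> dict[str, tuple[float, str]]:
    """Effective (MAO, category) per system after walking the dependency graph.

    Assumed rule: a system must be back no later than the tightest MAO of
    anything that depends on it, and it inherits the highest category among
    its dependents. Raises ValueError on a dependency cycle.
    """
    dependents: dict[str, list[str]] = {name: [] for name in systems}
    for s in systems.values():
        for dep in s.depends_on:
            if dep not in systems:
                raise KeyError(f"{s.name} depends on unknown system {dep!r}")
            dependents[dep].append(s.name)

    effective: dict[str, tuple[float, str]] = {}
    in_progress: set[str] = set()

    def eff(name: str) -> tuple[float, str]:
        if name in effective:
            return effective[name]
        if name in in_progress:
            raise ValueError(f"dependency cycle through {name!r}")
        in_progress.add(name)
        s = systems[name]
        mao, cat = s.mao_hours, s.category
        for d in dependents[name]:           # tighten to what depends on us
            d_mao, d_cat = eff(d)
            mao = min(mao, d_mao)
            if CATEGORY_RANK[d_cat] > CATEGORY_RANK[cat]:
                cat = d_cat
        in_progress.discard(name)
        effective[name] = (mao, cat)
        return effective[name]

    for name in systems:
        eff(name)
    return effective


def has_cycle(systems: dict[str, System]) -> bool:
    """True when the dependency graph cannot be ordered (propagate() fails)."""
    try:
        propagate(systems)
    except ValueError:
        return True
    return False


def recovery_order(systems: dict[str, System]) -> list[str]:
    """Restore sequence: tightest effective MAO first, never before its dependencies."""
    eff = propagate(systems)
    restored: set[str] = set()
    remaining = set(systems)
    order: list[str] = []
    while remaining:
        ready = [n for n in remaining if set(systems[n].depends_on) <= restored]
        nxt = min(ready, key=lambda n: (eff[n][0], -CATEGORY_RANK[eff[n][1]], n))
        order.append(nxt)
        restored.add(nxt)
        remaining.remove(nxt)
    return order


# Constructed inventory; hours and categories are illustrative.
SAMPLE = {s.name: s for s in [
    System("tax-filing-portal", 4, "business-critical", ["auth-directory", "records-db"]),
    System("records-db", 8, "important", ["san-storage"]),
    System("san-storage", 12, "important"),
    System("auth-directory", 24, "non-critical"),   # looks minor on its own
    System("dns", 48, "non-critical"),
    System("email", 24, "important", ["dns"]),
    System("hr-timesheets", 72, "non-critical", ["auth-directory", "dns"]),
]}

if __name__ == "__main__":
    for name, (mao, cat) in propagate(SAMPLE).items():
        own = SAMPLE[name]
        print(f"{name:<18} own {own.mao_hours:>3}h {own.category:<17} -> effective {mao:>3}h {cat}")
    print("recovery order:", " -> ".join(recovery_order(SAMPLE)))
```

Run stand-alone it prints that auth-directory, although rated non-critical on its own, must be back within 4 hours as business-critical because the tax-filing portal depends on it, while dns only tightens to the 24-hour email MAO; the recovery order restores supporting systems before the systems that need them.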
Roles and Responsibilities of All the
Players in the Risk Analysis Process
The organization divides its targets by distributing responsibilities within the team
The team involves senior personnel who take responsibility for considering even the
minute details of the project
The roles and responsibilities of team members or employees are as follows:
Chief Administrative Officer/Information Resources Manager:
• Checks the level of security used to manage the risks
• Establishes the risk management process
• Ensures that the information resources meet the audit requirements and engages
employees at all levels in implementing policies and procedures
• Prepares and maintains the disaster recovery plan for information resources
Roles and Responsibilities of All the Players
in the Risk Analysis Process (cont’d)
Information Resources Security Officer:
• Identifies threats and vulnerabilities
• Identifies restricted, sensitive, and unrestricted information resources
• Develops and maintains risk management processes, disaster recovery/
contingency planning for information, and updated security procedures
Owners of Information Resources:
• Assess information and identify the risk
• Classify the information
• Approve employee access to restricted information
• Plan contingencies to recover data
Custodian:
• Implements the security controls determined by the owner
• Provides administrative access to, and preventive measures for, information
resources
Roles and Responsibilities of All the Players
in the Risk Analysis Process (cont’d)
Technical Management:
• Ensures technical support is provided using cost-effective controls
• Develops and maintains contingency plans
• Develops procedures to report on monitored controls
Security Administrators:
• Assist other personnel in implementing the security plan
• Assist with software and hardware updates and brief personnel on the
vulnerabilities being addressed
• Maintain user accounts, passwords, keys, etc.
Internal Auditor:
• Evaluates the effectiveness of security controls
• Provides security policies, standards, and guidelines
• Examines planned security controls and participates in the risk
analysis process
Risk Analysis and/or Vulnerability
Assessment Components
Vulnerability assessment is the evaluation of the current
security features (personnel involvement and policies
and procedures) of the organization
Vulnerability assessment report provides a clear idea of
the current weaknesses of an organization
Questionnaires and surveys of the computer users are an
important part of a vulnerability assessment
Questioning the users should be based on the standards,
policies, and guidelines
Risk Policy
Risk policy is a set of principles for what to do in particular conditions, approved
authoritatively by a group of people, a business organization, or a government
Risk policy includes:
• Rules of behavior for the computer system and the consequences of violating
those rules
• Personnel and technical controls for the computer system
• Methods for identifying, properly limiting, and controlling interconnections
with other systems, and particular methods to monitor and manage such limits
• Procedures for the ongoing training of employees who are authorized to access
the system
• Procedures for the ongoing monitoring of the effectiveness of the security
controls
• Provisions for continuing support if there is an interruption in the system or
the system crashes
Risk Assessment
Risk assessment is the process of identifying and assessing the risks to the
resources of a business or project environment
It is a qualitative and/or quantitative evaluation of the likelihood and
consequences of a risk
It is the first step in a risk management methodology
The output of the risk assessment process helps to identify suitable controls
for reducing or eliminating risk during the risk mitigation process
Importance of Risk Assessment
Identifies and prioritizes security risk to critical information
assets and key business processes
Determines the extent of the possible threat, vulnerability,
and risk associated with an IT system
Determines the probability of adverse events and threats to
an IT system
Identifies appropriate controls for reducing or eliminating
risk throughout the risk mitigation process
Approval to Operate (ATO) and
Interim Approval to Operate (IATO)
Approval to Operate (ATO)
• A formal declaration by the Designated Approving Authority (DAA) that an IT
system is approved to operate in a particular security mode using a prescribed
set of safeguards at an acceptable level of risk
Interim Approval to Operate (IATO)
• A provisional, time-limited approval for a system to operate when mitigating
circumstances require that the system be turned on even though the residual
risk has not yet been brought to an acceptable level; the outstanding
conditions are expected to be closed before a full ATO is granted
Importance of Risk Assessment
to Obtain an IATO and ATO
The DAA’s decision to grant an IATO/ATO rests on evidence that risk assessment
effort was allocated efficiently and effectively, down to the subsystem level,
during development and implementation of the information system
A proper risk assessment identifies the level of risk, the residual risk, and the
remedies for risk; these are essential prerequisites for obtaining an IATO/ATO
A comprehensive risk assessment policy and infrastructure gives the designated
approving authority assurance that the organization’s information systems will
operate within an accepted risk level
Risk Assessment Methodology
Risk assessment methodology provides the
following guidelines:
• Develop the risk assessment team
• Set the scope of the project
• Identify assets covered by the assessment
• Classify potential losses
• Identify threats and vulnerabilities
• Identify existing controls
• Analyze the data
• Determine cost-effective safeguards
• Generate the report
Information Sources for Risk
Assessments
While assessing risk, it is important to make a decision based on the
information sources, which include:
• Any written information
• Interviews and discussion
• Direct observation
• Work study techniques
• Personal experience
• Acts and regulations
• Manufacturers’ instructions
• Accident statistics
• Task analysis
Risk Assessment Process
Characterize IT-system
Identify the threats
Identify the vulnerabilities
Analyze the controls
Determine the likelihood
Analyze the impact of threats
Determine the level of risk to the IT-system
Recommend the control to mitigate the identified risks
Document the results
Risk Assessment Process (cont’d)
Step                             Input                                        Output
1. Characterize IT-system        Hardware and software; system interfaces;    System boundary; system functions;
                                 data and information; people; system         system and data sensitivity
                                 mission
2. Identify the threats          History of system attack; data from          Threat statement
                                 intelligence agencies, NIPC, OIG,
                                 FedCIRC, mass media
3. Identify the vulnerabilities  Reports from prior risk assessments;         List of potential vulnerabilities
                                 any audit comments; security
                                 requirements; security test results
4. Analyze the controls          Current controls; planned controls           List of current and planned controls
Risk Assessment Process (cont’d)
Step                             Input                                        Output
5. Determine the likelihood      Threat-source motivation; threat capacity;   Likelihood rating
                                 nature of vulnerability; current controls
6. Analyze the impact of threats Mission impact analysis; asset criticality   Impact rating
                                 assessment; data criticality; data
                                 sensitivity
7. Determine the risk            Likelihood of threat exploitation;           Risks and associated risk levels
                                 magnitude of impact; adequacy of planned
                                 or current controls
8. Recommend the control         -                                            Recommended controls
9. Document the results          -                                            Risk assessment report
Develop Policy and Procedures for
Conducting a Risk Assessment
Senior management develops the policies and procedures that safeguard the IT system
over the long term, in line with the organization’s business objectives
They implement controls to reduce the expected losses from attackers, intruders, and
hackers:
• Preventive controls:
• Use only certified copies of software files or data
• Implement read-only access over software
• Check new software with anti-virus before it is installed
• Educate users about viruses and Trojans
• Detective controls:
• Run anti-virus software frequently to detect infections
• Record and review date and time stamps of updates, modifications, and user access to
the operating system, servers, network, Internet, etc.
• Corrective controls:
• Ensure that a clean backup is maintained
• Maintain good documentation for backup and recovery
• Run anti-virus software to eliminate infections on the IT system
Write Risk Assessment Reports
Once the risk assessment process is completed, the results should be
documented in an official report
The risk assessment report is a complete account of the assessment process;
it helps the organization’s management make decisions on policy, procedural,
budget, system operational, and management changes
The report should be presented in a form that the organization’s management
can easily understand, so that it can weigh the risks and assign resources to
reduce or avoid potential losses
Write Risk Assessment Reports
(cont’d)
The risk assessment report should include, for each finding:
• Observation number and a brief description of the observation
• A discussion of the threat-source and vulnerability pair
• Identification of the existing mitigating security controls
• Likelihood discussion and evaluation
• Impact analysis discussion and evaluation
• Risk rating based on the risk-level matrix
• Recommended controls or alternative options for reducing the risk
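A worked illustration of the module's Risk = (Probability) × (Impact) formula and of the risk-level matrix against which each report row is rated, added here; it is not code from the EC-Council module. The numeric weights behind the Low/Medium/High likelihood and impact ratings and the risk-level bands are assumptions chosen for the example, and the four observations are constructed (modelled on the GAO findings quoted at the start of the module).

```python
"""Risk-level matrix and report rows.

Added illustration, not code from the EC-Council module. The rating weights,
the risk-level bands and the sample observations are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Numeric weights behind the three-level ratings: assumed for this example.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """The module's formula: Risk = (probability of event) x (impact of event)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Risk-level matrix bands (thresholds assumed): >50 High, >10 Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Observation:
    number: int
    description: str
    threat_source: str
    vulnerability: str
    existing_controls: list[str]
    likelihood: str           # "Low" | "Medium" | "High"
    impact: str               # "Low" | "Medium" | "High"
    recommended_controls: list[str] = field(default_factory=list)

    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    def rating(self) -> str:
        return risk_level(self.score())

    def report_row(self) -> dict:
        """The fields the report slide asks for, one row per observation."""
        return {
            "observation": self.number,
            "description": self.description,
            "threat_vulnerability_pair": f"{self.threat_source} / {self.vulnerability}",
            "existing_controls": ", ".join(self.existing_controls) or "none",
            "likelihood": self.likelihood,
            "impact": self.impact,
            "risk_rating": self.rating(),
            "recommended_controls": ", ".join(self.recommended_controls),
        }


def rank(observations: list[Observation]) -> list[Observation]:
    """Highest risk first, so the mitigation budget goes to the top rows."""
    return sorted(observations, key=lambda o: o.score(), reverse=True)


# Constructed sample observations, modelled on the GAO findings quoted at the
# start of the module (weak password rules, unencrypted sensitive data,
# credentials readable by any network user).
SAMPLE = [
    Observation(1, "Password rules not enforced on tax-processing hosts",
                "Unauthorized insider", "Weak/guessable passwords",
                ["Account lockout"], "High", "High",
                ["Enforce complexity and rotation", "Multi-factor authentication"]),
    Observation(2, "Sensitive taxpayer data stored unencrypted",
                "External attacker", "Data at rest not encrypted",
                [], "Medium", "High",
                ["Encrypt data at rest", "Restrict file-share ACLs"]),
    Observation(3, "User IDs and passwords readable on a network share",
                "Any authenticated user", "Credentials readily available",
                ["Login banner"], "High", "Medium",
                ["Remove credentials from shares", "Vault secrets"]),
    Observation(4, "Access switch has no backup power",
                "Environmental (long-term power failure)", "No UPS on access switch",
                ["Facilities monitoring"], "Low", "Low",
                ["Install UPS"]),
]


def report(observations: list[Observation] = SAMPLE) -> list[dict]:
    return [o.report_row() for o in rank(observations)]


if __name__ == "__main__":
    for row in report():
        print(f"#{row['observation']:<2} {row['risk_rating']:<6} "
              f"L={row['likelihood']:<6} I={row['impact']:<6} {row['description']}")
```

Two observations with the same score (Medium likelihood × High impact and High likelihood × Medium impact both score 50) land in the same band, which is what the matrix is for: the report ranks by rating, not by the order the findings were written up.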
Coordinate Resources to Perform
a Risk Assessment
Senior Management:
• Responsible for mission accomplishment and for applying the resources needed to
develop the capabilities that accomplish the mission
Chief Information Officer:
• Responsible for the organization’s IT planning, budgeting, and performance of information security
elements
System and Information Owners:
• Responsible for ensuring that appropriate controls are in place to address integrity, confidentiality,
and availability of the IT systems
Business and Functional Managers:
• Responsible for business operations and IT procurement process and also take part in risk
management process
IT security program managers:
• Responsible for organization’s security programs such as risk management
IT Security Practitioners:
• Responsible for suitable implementation of security requirements in their IT systems
Risk Assessment Plan
A risk assessment plan is a document prepared by senior management to
anticipate risks, estimate the effectiveness of the planned responses, and
create response plans to mitigate the risks
It also contains the risk assessment matrix used in the risk assessment
process
Senior management assesses the risks continually and develops plans to
address them
It contains an analysis of the expected risks with both high and low impact,
as well as mitigation strategies to keep the project from derailing
Analyze Threats and Vulnerabilities
of an Information System
Threat-source:
• Any circumstance or event with the potential to cause harm to an IT system
Threat:
• The potential for a specific threat-source to successfully exercise a
particular vulnerability
• Common threat-sources:
• Natural threats: floods, earthquakes, tornadoes, landslides, etc.
• Human threats: unintentional acts or deliberate actions
• Environmental threats: long-term power failure, pollution, chemicals, etc.
Vulnerability:
• A weakness that can be accidentally triggered or intentionally exploited
Analyze Threats and Vulnerabilities
of an Information System (cont’d)
Threat Analysis:
• Identify and develop a list of potential threat-sources
• Develop a realistic estimate of the resources and capabilities that
would be needed to carry out an attack
• Obtain known threat information from government and private-sector
organizations
Analyze Threats and Vulnerabilities
of an Information System (cont’d)
Vulnerability Analysis:
• Develop a list of system flaws and weaknesses through site investigations,
interviews with the employees accountable for the system, and network
scanning tools
• Some practical methods to gather vulnerability information:
• Automated vulnerability scanning
• Network mapping
• Security testing and evaluation
• Penetration testing
Residual Risk
Residual risk is the risk that remains even after new or enhanced controls have
been implemented
Residual Risk = (Inherent Risk) × (Control Risk)
• where Inherent Risk = (Threats × Vulnerability) is the risk before any controls
are applied, and Control Risk is the fraction of that risk the controls fail to
remove (0 for a fully effective control, 1 for no effective control)
Figure: new or enhanced controls lower residual risk by reducing the number of
flaws or errors, adding a targeted control, or reducing the magnitude of impact
Residual Risk
Residual risk means the risk remaining after the
implementation of risk control process
Risk with a higher strategic impact should be effectively
controlled in order to maintain the residual risk acceptable
Risk with a lower strategic impact needs less risk control
The level of acceptable residual risk depends on the senior
management’s risk appetite and it differs for each
organization
Residual Risk (cont’d)
Figure: impact of risk plotted against level of risk control (quality level:
Start, Low, Medium, High)
Residual Risk Policy
Residual risk policy considers economic, social, and political factors in
addition to risk
The policy may affect all sources that fall within its applicability criteria
The policy may specify:
• Control equipment
• Performance measures such as ambient concentrations, emission rates,
and percent reduction
• Work practices
Residual Risk Standard: ISO/IEC
27005:2008
The ISO/IEC 27005:2008 standard provides guidelines for information security risk
management (later editions of ISO/IEC 27005 have since replaced the 2008 text)
It supports the general concepts specified in ISO/IEC 27001
It helps organizations implement information security on the basis of a risk
management approach
The standard applies to all types of organizations that intend to manage risks
that could compromise the security of their information systems
Knowledge of the concepts, procedures, models, and terminology specified in
ISO/IEC 27001 and ISO/IEC 27002 is fundamental to understanding ISO/IEC 27005:2008
Cost/Benefit Analysis
Cost/benefit analysis is conducted for each proposed control, after all
possible controls have been identified, to find out which controls are
required and suited to the organization’s circumstances
It can be qualitative or quantitative
It helps the organization in making a decision on what risk mitigation
option to use
The main aim of cost/benefit analysis is to show that the costs of
implementing the controls can be justified by the reduction in the level of
risk
For example, the organization does not want to waste $1,000 on a control
to reduce a $200 risk
Cost/Benefit Analysis (cont’d)
A cost-benefit analysis for new or enhanced
controls includes:
• Determining the impact of implementing, and of not
implementing, the new or enhanced controls
• Estimating the costs of implementation, such as:
• Hardware and software purchases
• Reduced operational effectiveness
• Cost of implementing added policies and procedures
• Cost of hiring extra personnel to implement planned
policies and procedures
• Training and maintenance cost
• Weighing the implementation costs and benefits
against system and data criticality
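A worked cost/benefit check, added here as an illustration rather than code from the EC-Council module. It applies the module's Risk = (Probability) × (Impact) formula to the expected loss before and after a control, treats the loss that remains as the residual risk of the Residual Risk slides, sums the cost items the list above names, and accepts a control only when the reduction in expected loss exceeds its cost, as in the "$1,000 control for a $200 risk" example. Assumed, not from the slides: likelihoods and costs are expressed per year (one-time purchases spread over an assumed service life), and every dollar figure is constructed.

```python
"""Cost/benefit analysis of proposed controls.

Added illustration, not code from the EC-Council module. Annualizing
likelihood and cost, the service lives and all dollar figures are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Risk:
    """A risk in the module's terms: probability of the event x its impact."""
    probability_per_year: float   # assumed: likelihood expressed per year
    impact: float                 # loss if the event occurs, in dollars

    def expected_loss(self) -> float:
        return self.probability_per_year * self.impact


@dataclass
class Control:
    name: str
    one_time_costs: dict[str, float]   # e.g. hardware and software purchases
    annual_costs: dict[str, float]     # personnel, training, maintenance, lost effectiveness
    service_life_years: int            # assumed: one-time costs spread over this period
    residual: Risk                     # the risk that remains once the control is in place

    def annual_cost(self) -> float:
        one_time = sum(self.one_time_costs.values()) / self.service_life_years
        return one_time + sum(self.annual_costs.values())


@dataclass
class Decision:
    control: str
    loss_before: float
    residual_loss: float
    risk_reduction: float
    annual_cost: float
    net_benefit: float
    justified: bool


def evaluate(current: Risk, control: Control) -> Decision:
    """Is the cost of the control justified by the reduction in expected loss?"""
    before = current.expected_loss()
    after = control.residual.expected_loss()        # residual risk
    reduction = before - after
    cost = control.annual_cost()
    return Decision(control.name, before, after, reduction, cost,
                    reduction - cost, reduction > cost)


def choose(current: Risk, options: list[Control]) -> Decision | None:
    """Pick the justified control with the largest net benefit; None means no
    option pays for itself and the exposure goes to the risk acceptance process."""
    justified = [d for d in (evaluate(current, c) for c in options) if d.justified]
    return max(justified, key=lambda d: d.net_benefit, default=None)


# The slide's own example: $1,000 spent on a control for a $200 risk.
SLIDE_RISK = Risk(probability_per_year=1.0, impact=200)
SLIDE_CONTROL = Control("overpriced control", {"hardware": 1000}, {}, 1, Risk(0.0, 200))

# Constructed case: weak password rules on a host holding sensitive records.
CREDENTIAL_RISK = Risk(probability_per_year=0.3, impact=50_000)
CONTROLS = [
    Control("Enforce password rules",
            one_time_costs={"software": 20_000},
            annual_costs={"training": 1_500, "maintenance": 1_000},
            service_life_years=5,
            residual=Risk(0.05, 50_000)),
    Control("Roll out multi-factor authentication",
            one_time_costs={"hardware and software": 60_000},
            annual_costs={"extra personnel": 3_000, "reduced operational effectiveness": 1_000},
            service_life_years=5,
            residual=Risk(0.01, 50_000)),
]

if __name__ == "__main__":
    decisions = [evaluate(SLIDE_RISK, SLIDE_CONTROL)] + [evaluate(CREDENTIAL_RISK, c) for c in CONTROLS]
    for d in decisions:
        verdict = "accept" if d.justified else "reject"
        print(f"{d.control:<38} loss {d.loss_before:>8,.0f} -> {d.residual_loss:>7,.0f}"
              f"  cost {d.annual_cost:>8,.0f}  net {d.net_benefit:>+9,.0f}  {verdict}")
    best = choose(CREDENTIAL_RISK, CONTROLS)
    print("chosen:", best.control if best else "none (accept the risk)")
```

The multi-factor option leaves the smallest residual risk yet is rejected at this exposure because its annual cost exceeds the extra reduction it buys; that is the comparison the analysis exists to make, and the reason the cheaper control is the one a report would recommend.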
Cost/Benefit Analysis for Information
Assurance
According to the U.S. Government's National Information Assurance
Glossary, information assurance is defined as:
• “Measures that protect and defend information and information systems by
ensuring their availability, integrity, authentication, confidentiality, and non-
repudiation”
Cost/Benefit Analysis for Information
Assurance (cont’d)
Benefits of Information Assurance:
• Net Benefits = (Expected Collaboration Benefits – Degraded Benefits without
Assurance) – Total Costs of Information Assurance
Figure: cost-of-information-assurance model. Inputs: level of collaboration,
information assets, assurance policy (tools, processes, practices), threats and
vulnerabilities, and security risks; outputs: benefits and net benefits
Importance of Cost/Benefit
Analysis for Information Assurance
Helps to identify critical information assets and finds out the upper limit of total
costs of information assurance
Establishes the collaboration objectives with the security of information assets as
a high priority
Verifies information assurance requirements
Provides a roadmap for upcoming collaborative information assurance
requirements
Helps to find out the cost spent on information security to deliver desired
information assurance
Cost/Benefit Analysis Procedure
Define objectives and project scope
Identify project options
Identify costs and benefits
• Identify quantitative costs
• Identify quantitative benefits
• External costs and benefits
• Equity and broader distributional considerations
• Presenting incremental costs and benefits
Discount future costs and benefits
Calculate the decision criteria
Sensitivity analysis
Identify preferred option
Prepare report
• Full evaluation report
• Summary reporting
Cost/Benefit Analysis Procedure
(cont’d)
Define objectives and project scope → Identify project options → Identify unquantified costs and benefits → Identify quantified benefits → Identify quantified costs → Discount future costs and benefits → Calculate the decision criteria → Undertake sensitivity tests → Identify preferred option → Prepare the report
Risk Acceptance
In some cases, it is vital for the organization to accept the risk
present in some entities
Risk acceptance is a practice of accepting some risks based on
the business decision
It is a part of the risk treatment decision making process in
which the organization has to decide that the system can
continue with a particular risk
The decision on risk acceptance is made by a designated committee of the
organization (such as the corporate information risk group described below)
Risk Acceptance (cont’d)
Risk acceptability depends on:
• Financial capacity of the organization to absorb the
consequences of risk
• Level of conservatism of the decision maker
• Quantity of the risk inherent in the business activity
normally carried out by the organization
• Diversity of the business
• Extent to which risk can be transferred or reduced
Risk Acceptance Process
Develop risk acceptance statement for remaining exposures:
• The responsible manager prepares a statement of the risks to be accepted and
sends it to higher management
• The statement includes detailed information on the associated risk, the loss
potential, and the review procedures
Approve the risk acceptance statement:
• The completed risk acceptance statement is submitted to the corporate information
risk group and other interested parties for review and approval
• The corporate information risk group approves the risk acceptance after reviewing
the statement
Document the results:
• All outcomes of the risk acceptance process are documented, and paper copies of the
risk acceptance statements are retained
Management’s Risk Acceptance
Posture
Management’s decision on risk acceptance is a selection from a range of
alternatives
Businesses take risks in the hope of resulting profits
The role of the security manager is to help management control the risks that
management considers unacceptable
Business risks can be dealt with by:
• Adopting alternative procedures and processes that reduce the need for
security
• Buying insurance, which transfers the financial consequences of a loss to the
insurer rather than preventing the loss (risk transfer)
• Installing security measures, one of the best ways to minimize risks and the
effects of threats
• Accepting the risks as a cost of doing business, an alternative way of managing
potential losses
Risk Assessment and Countermeasures
Various controls are implemented as a result of the risk assessment process to
reduce mission risk, such as:
• Technical security controls:
• Used to protect against given types of threats
• Management security controls:
• Used in combination with technical and operational controls; implemented to
manage and reduce the risk of loss and to protect the organization’s mission
• Operational security controls:
• Implemented by the organization in accordance with an established set of
requirements and good organizational practice
Risk Analysts
Risk analysts identify and quantify the risks faced by an organization or business
unit, and estimate the financial and other impacts of adverse circumstances
A risk analyst’s report contains the following points:
• Summary and conclusions
• Objectives and scope
• Limitations, assumptions and justification of hypotheses
• Description of relevant parts of the system
• Analysis methodology
• Hazard identification results
• Models used, including assumptions and validation
• Data and their sources
• Risk estimation results
• Sensitivity and uncertainty analysis
• Discussion of results (including discussion of analytic difficulties)
• References
Risk Mitigation
Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat
These may range from physical measures to financial measures
Risk managers start with risk analysis, then take actions to mitigate the risks
Risk mitigation efforts may involve direct costs such as increased capital expenditure on incident handling and response
Risk and Certification/Accreditation of Information Systems
Certification and accreditation ensure that information systems operate under an acceptable risk level, which in turn helps in planning risk mitigation strategies
It helps build stakeholders’ trust in the organization and helps mitigate intangible risks such as loss of customers and reputation
It motivates organizations to deliver quality products and services
Role of Documentation in Reducing Risk
Proper documentation of the risk analysis reduces risk and enables people to handle difficult situations
Documentation of the risk analysis is a direct input to the risk management process
It helps in reviewing potential threats and vulnerabilities promptly
It is a reminder of the anticipated errors that may occur while setting up critical information systems
Summary
Risk is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
Risk management is the process of identifying risk, addressing risk, and taking steps to eliminate or reduce risk to an acceptable level
Risk assessment is the process of identifying and assessing resources that pose a threat to the business or project environment
The residual risk is the risk or danger remaining after the implementation of new or enhanced controls
Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat
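The three control families from the countermeasures slide and the inherent-versus-residual distinction in this summary can be worked through in a small risk register. The Python below is an added example written for this page, not code from the EC-Council module: the 1-5 likelihood and impact scales, the control names and the reductions credited to them, the risk appetite of 6, and the three register entries are all constructed assumptions.

```python
"""Risk register with inherent and residual scoring (added example, not EC-Council code)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Qualitative 1-5 scales. The labels are an assumption of this example; the deck
# defines risk only as probability x impact and prescribes no scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The deck's three control families.
CONTROL_KINDS = ("technical", "management", "operational")


@dataclass
class Control:
    """A countermeasure and the effect it is credited with (constructed values)."""
    name: str
    kind: str                   # one of CONTROL_KINDS
    likelihood_delta: int = 0   # scale steps by which the control lowers likelihood
    impact_delta: int = 0       # scale steps by which the control lowers impact

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_KINDS:
            raise ValueError(f"unknown control kind: {self.kind}")


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control: probability x impact, as the deck defines it."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining once the controls are applied.

        Each scale is floored at 1: controls reduce a risk but never erase it,
        which is why some residual figure always remains to be accepted or treated.
        """
        lik = max(1, self.likelihood - sum(c.likelihood_delta for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_delta for c in self.controls))
        return lik * imp


def treatment(risk: Risk, appetite: int) -> str:
    """Accept residual risk within the stated appetite; otherwise mitigate further."""
    return "accept" if risk.residual() <= appetite else "mitigate"


def build_register() -> List[Risk]:
    """Constructed sample register for this example (not real findings)."""
    return [
        Risk("R1", "Credential guessing against an internet-facing admin portal",
             LIKELIHOOD["likely"], IMPACT["severe"],
             controls=[
                 Control("Multi-factor authentication", "technical", likelihood_delta=2),
                 Control("Failed-logon alerting and lockout", "operational", likelihood_delta=1),
                 Control("Password policy with periodic audit", "management"),
             ]),
        Risk("R2", "Sensitive data on laptops stored unencrypted",
             LIKELIHOOD["possible"], IMPACT["major"],
             controls=[Control("Full-disk encryption", "technical", impact_delta=3)]),
        Risk("R3", "Backups of the core database never restore-tested",
             LIKELIHOOD["unlikely"], IMPACT["severe"]),
    ]


def register_report(register: List[Risk], appetite: int) -> List[Tuple[str, int, int, str]]:
    """Rows of (id, inherent, residual, treatment), highest residual risk first.

    This ordering is the risk-estimation result an analyst's report would lead with.
    """
    rows = [(r.rid, r.inherent(), r.residual(), treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for rid, inherent, residual, decision in register_report(build_register(), appetite=6):
        print(f"{rid}: inherent={inherent:2d} residual={residual:2d} -> {decision}")
```

With an appetite of 6, R3 (no controls, residual 10) is the only entry still marked for mitigation even though its inherent score is the lowest of the three; the two higher inherent risks fall within appetite only because of the controls credited against them, which is the point of recording residual rather than inherent figures in the register.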

More Related Content

What's hot

Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony David Sweigert
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
Ch13 Business Continuity Planning and Procedures
Ch13 Business Continuity Planning and ProceduresCh13 Business Continuity Planning and Procedures
Ch13 Business Continuity Planning and ProceduresInformation Technology
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security PresentationWajahat Rajab
 
Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...Lumension
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management Black Duck by Synopsys
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solutionVivek Maurya
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 

What's hot (20)

9780840024220 ppt ch10
9780840024220 ppt ch109780840024220 ppt ch10
9780840024220 ppt ch10
 
CISSP-WEB
CISSP-WEBCISSP-WEB
CISSP-WEB
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony Cyber incident response or how to avoid long hours of testimony
Cyber incident response or how to avoid long hours of testimony
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
Ch13 Business Continuity Planning and Procedures
Ch13 Business Continuity Planning and ProceduresCh13 Business Continuity Planning and Procedures
Ch13 Business Continuity Planning and Procedures
 
8. operations security
8. operations security8. operations security
8. operations security
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security Presentation
 
Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...Medical Records on the Run: Protecting Patient Data with Device Control and...
Medical Records on the Run: Protecting Patient Data with Device Control and...
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
 
Physical Security
Physical SecurityPhysical Security
Physical Security
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
Mis
MisMis
Mis
 
Ise viii-information and network security [10 is835]-solution
Ise viii-information and network  security [10 is835]-solutionIse viii-information and network  security [10 is835]-solution
Ise viii-information and network security [10 is835]-solution
 
internet securityand cyber law Unit3 1
internet securityand  cyber law Unit3 1internet securityand  cyber law Unit3 1
internet securityand cyber law Unit3 1
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
Chapter 1 Law & Ethics
Chapter 1   Law & EthicsChapter 1   Law & Ethics
Chapter 1 Law & Ethics
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion Detection
 

Similar to File000170

Management of Risk and its integration within ITIL
Management of Risk and its integration within ITILManagement of Risk and its integration within ITIL
Management of Risk and its integration within ITILhdoornbos
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™CPaschal
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™CPaschal
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientAccenture Operations
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managersamiable_indian
 
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversityChapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversitySwaminath Sam
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Risk management osh
Risk management oshRisk management osh
Risk management oshjaycatubig
 
Security & Risk Management
Security & Risk ManagementSecurity & Risk Management
Security & Risk ManagementAhmed Sayed-
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfAbdulrafiiMohammed
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 

Similar to File000170 (20)

Management of Risk and its integration within ITIL
Management of Risk and its integration within ITILManagement of Risk and its integration within ITIL
Management of Risk and its integration within ITIL
 
RiskWatch for Credit Unions™
RiskWatch for Credit Unions™RiskWatch for Credit Unions™
RiskWatch for Credit Unions™
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
 
It risk assessment
It risk assessmentIt risk assessment
It risk assessment
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversityChapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
 
Risk management osh
Risk management oshRisk management osh
Risk management osh
 
Security & Risk Management
Security & Risk ManagementSecurity & Risk Management
Security & Risk Management
 
IS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdfIS-Risk-Management-Lecture-2.pdf
IS-Risk-Management-Lecture-2.pdf
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 

More from Desmond Devendran (20)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000173
File000173File000173
File000173
 
File000172
File000172File000172
File000172
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 
File000163
File000163File000163
File000163
 
File000162
File000162File000162
File000162
 
File000161
File000161File000161
File000161
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

File000170

  • 1. Module LVII - Risk Assessment
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Taxpayer Data at IRS Remains Vulnerable, GAO Warns January 13, 2009 (Computerworld) Less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial Internal Revenue Service systems, the IRS's security practices have been panned by another government entity. This time, the criticism comes from the Government Accountability Office, which last week released a report highlighting several problems with how the IRS protects taxpayer data. The 24-page assessment examined existing policies and controls as well as IRS efforts to fix security issues reported in a previous GAO audit. The report shows that taxpayer and other sensitive data continues to remain dangerously underprotected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues, several critical areas remain vulnerable. For example, the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data, the GAO said. It also noted that the IRS has a tendency to allow sensitive information such as user IDs and passwords to be "readily available" to any user on its networks. Weak passwords and excessive access on the network for authenticated users were also cited as potential threats to taxpayer data. Source: http://www.computerworld.com/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Risk • Security Planning • Risk Management • Risk Analysis • Risk Policy • Risk Assessment • Approval to Operate (ATO) and Interim Approval to Operate (IATO) • Risk Assessment Process • Analyze Threats and Vulnerabilities of an Information System • Residual Risk • Cost/benefit Analysis • Risk Acceptance • Risk Analysts • Risk Mitigation • Role of Documentation in Reducing Risk This module will familiarize you with:
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Risk Assessment Process Cost/benefit Analysis Risk Acceptance Risk MitigationRisk Analysts Residual Risk Analyze Threats and Vulnerabilities of an Information System Role of Documentation in Reducing Risk Security PlanningRisk ATO and IATO Risk Management Risk Analysis Risk AssessmentRisk Policy
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Risk Risk is a measure of possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations It refers to a possibility of loss resulting from a hazard, security incident, or event It adversely affects the organization’s operations and revenues Risk=(Probability of event occurring) X (Impact of event occurring)
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Security Planning • Risk Analysis • Roles and responsibilities of the team/personnel • Configuration of the system • Antivirus controls and Intrusion Detection • Physical Security • Network Security • Data access • Outsourcing • Policies and Procedures • Planning a Team Security planning involves: Security planning helps in managing and reducing the probability of risk
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Risk Management Risk Management is the process of identifying risk, addressing risk, and taking steps to eliminate or reduce risk at an acceptable level Risk management involves: • Identifying risks • Analyzing risks • Developing strategies to manage identified risks • Implementing risk mitigation plans • Managing efforts accordingly
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Importance of Risk Management Protects an organization’s information assets Protects the organization and enables to accomplish its task Minimizes the effect of risk on an organization’s assets and earning Creates a new corporation value Helps organizations to control IT security system related mission risks Allows organizations to balance the operational and financial costs of the protective measures Helps the organization’s management to identify the suitable controls for security capabilities essential for any task
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Principle of Risk Management • It is a practice of coming up with other options so that the risk in question is not realized Risk Avoidance: • It is a practice of transferring the risk in question to another entity Risk Transfer: • It includes all the procedures and practices to eliminate or considerably decrease the level of risk Risk Mitigation: • In some cases, it is vital for an organization to accept the risk present in some entities • Risk acceptance is a practice of accepting some risks Risk Acceptance:
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited IT Security Risk Management • Provides information regarding “how to reduce exposure to identified risks” Risk mitigation process: • Detects the source of primary and secondary attacks Risk domains: • Provides an analysis of risk exposure to threats or vulnerabilities Risk exposure: • Provides an end-to-end method for risk mitigation Risk analysis: IT security risk management comprises:
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Risk Analysis • Assets (resources of an organization) • Disruptive events (disaster or threat to an organization) • Vulnerabilities (weakness of an organization) • Losses (due to the occurrence of the disaster) • Safeguards (preventive measures against vulnerabilities) It helps in analyzing five elements: Risk analysis is the method that defines procedures through which an organization can survive or reduce the probability of risks
  • 12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Business Impact Analysis (BIA) Step-by-step approach to conduct successful Business Impact Analysis (BIA): Define potential system threats and the probability at which they may occur Discover the Maximum Acceptable Outage (MAO) for each system Estimate the cost to identify and recover operations for each system Approximate the impacts such as financial, revenue, and non-revenue impacts related to each system Define the systems which are having cross dependencies Categorize each important or non-critical system as business critical system Define critical business systems operated by your organization Define gross profit and net profit generated by your organization in the year
• 13. Roles and Responsibilities of All the Players in the Risk Analysis Process
  The organization divides its targets by distributing the responsibilities within the team
  The team involves senior personnel who take responsibility for considering even the minute details of the project
  The roles and responsibilities of team members or employees are as follows:
  Chief Administrative Officer/Information Resources Manager:
  • Checks the level of security in place to manage the risks
  • Establishes the risk management process
  • Ensures that information resources meet the audit requirements and involves employees at all levels in implementing policies and procedures
  • Prepares and maintains the disaster recovery plan for information resources
• 14. Roles and Responsibilities of All the Players in the Risk Analysis Process (cont’d)
  Information Resources Security Officer:
  • Identifies threats and vulnerabilities
  • Identifies restricted, sensitive, and unrestricted information resources
  • Develops and maintains risk management processes, disaster recovery/contingency planning for information, and updated security procedures
  Owners of Information Resources:
  • Assess information and identify the risk
  • Classify the information
  • Approve access to information for restricted employees
  • Plan contingencies to recover data
  Custodian:
  • Implements the security controls determined by the owner
  • Provides administrative access and preventive measures for information resources
• 15. Roles and Responsibilities of All the Players in the Risk Analysis Process (cont’d)
  Technical Management:
  • Ensures technical support is provided using cost-effective controls
  • Develops and maintains contingency plans
  • Develops procedures to report on monitored controls
  Security Administrators:
  • Assist other personnel in implementing the security plan
  • Assist in updating software or hardware and brief users on the vulnerabilities
  • Maintain user accounts, passwords, keys, etc.
  Internal Auditor:
  • Evaluates the effectiveness of security controls
  • Provides security policies, standards, and guidelines
  • Examines the security controls that are planned and participates in the risk analysis process
• 16. Risk Analysis and/or Vulnerability Assessment Components
  Vulnerability assessment is the evaluation of the organization’s current security features (personnel involvement, policies, and procedures)
  The vulnerability assessment report gives a clear picture of the current weaknesses of an organization
  Questionnaires and surveys of the computer users are an important part of a vulnerability assessment
  Questioning of users should be based on the standards, policies, and guidelines
• 17. Risk Policy
  A risk policy is a set of ideas about what to do in particular conditions that has been approved authoritatively by a group of people, a business organization, or a government
  Risk policy includes:
  • Rules of behavior for the computer system and the consequences of violating those rules
  • Personnel and technical controls for the computer system
  • Methods for identifying, properly limiting, and controlling interconnections with other systems, and particular methods to monitor and manage such limits
  • Procedures for the ongoing training of employees who are authorized to access the system
  • Procedures for the ongoing monitoring of the efficiency of the security controls
  • Provisions for continuing support if there is an interruption in the system or the system crashes
• 18. Risk Assessment
  Risk assessment is the process of identifying and assessing resources that pose a threat to the business or project environment
  It is a qualitative and/or quantitative evaluation of the likelihood and consequences of a risk
  It is the first step in a risk management methodology
  The output of the risk assessment process helps to identify suitable controls for reducing or eliminating risk during the risk mitigation process
• 19. Importance of Risk Assessment
  • Identifies and prioritizes security risks to critical information assets and key business processes
  • Determines the extent of the possible threats, vulnerabilities, and risks related to an IT system
  • Determines the probability of adverse events and threats to an IT system
  • Identifies appropriate controls for reducing or eliminating risk throughout the risk mitigation process
• 20. Approval to Operate (ATO) and Interim Approval to Operate (IATO)
  • Approval to Operate (ATO): a formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk
  • Interim Approval to Operate (IATO): a provisional approval for a system to operate when a set of mitigating conditions requires that the system be turned on even though the risk is unacceptable
• 21. Importance of Risk Assessment to Obtain an IATO and ATO
  The DAA’s decision to grant an IATO/ATO is based on the perception of an efficient and effective allocation of risk assessment resources at the subsystem level during development and implementation of information systems
  A proper risk assessment helps in assessing and evaluating the level of risk, the residual risks, and the remedies for risks, which are essential prerequisites for obtaining an IATO/ATO
  A comprehensive risk assessment policy and infrastructure implemented in the organization assures designated approving authorities that the organization’s information systems will operate within an accepted risk level
• 22. Risk Assessment Methodology
  The risk assessment methodology provides the following guidelines:
  • Develop the risk assessment team
  • Set the scope of the project
  • Identify assets covered by the assessment
  • Classify potential losses
  • Identify threats and vulnerabilities
  • Identify existing controls
  • Analyze the data
  • Determine cost-effective safeguards
  • Generate the report
• 23. Information Sources for Risk Assessments
  While assessing risk, it is important to base the decision on information sources, which include:
  • Any written information
  • Interviews and discussion
  • Direct observation
  • Work study techniques
  • Personal experience
  • Acts and regulations
  • Manufacturers’ instructions
  • Accident statistics
  • Task analysis
• 24. Risk Assessment Process
  • Characterize the IT system
  • Identify the threats
  • Identify the vulnerabilities
  • Analyze the controls
  • Determine the likelihood
  • Analyze the impact of threats
  • Determine the level of risk to the IT system
  • Recommend controls to mitigate the identified risks
  • Document the results
• 25. Risk Assessment Process (cont’d)
  Inputs and outputs of each step of the risk assessment process:
  • Characterize the IT system
    Input: hardware and software; system interfaces; data and information; people; system mission
    Output: system boundary; system functions; system and data sensitivity
  • Identify the threats
    Input: history of system attack; data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
    Output: threat statement
  • Identify the vulnerabilities
    Input: reports from prior risk assessments; any audit comments; security requirements; security test results
    Output: list of potential vulnerabilities
  • Analyze the controls
    Input: current controls; planned controls
    Output: list of current and planned controls
• 26. Risk Assessment Process (cont’d)
  • Determine the likelihood
    Input: threat-source motivation; threat capacity; nature of vulnerability; current controls
    Output: likelihood rating
  • Analyze the impact of threats
    Input: mission impact analysis; asset criticality assessment; data criticality; data sensitivity
    Output: impact rating
  • Determine the risk
    Input: likelihood of threat exploitation; magnitude of impact; adequacy of planned or current controls
    Output: risks and associated risk levels
  • Recommend the controls
    Output: recommended controls
  • Document the results
    Output: risk assessment report
• 27. Develop Policy and Procedures for Conducting a Risk Assessment
  Senior management in the organization develops the policies and procedures to safeguard the IT system over the long term according to the business objectives
  They implement controls to reduce the expected losses from attackers, intruders, and hackers:
  • Preventive controls:
    • Use only certified copies of software files or data
    • Implement read-only access to software
    • Check new software with anti-virus before it is installed
    • Educate users about dangerous viruses and Trojans
  • Detective controls:
    • Frequently run anti-virus software to detect infections
    • Implement and regulate date and time stamps for updates, modifications, and user access to the operating system, server, network, Internet, etc.
  • Corrective controls:
    • Ensure that a clean backup is maintained
    • Maintain a good documentation plan for backup and recovery
    • Run anti-virus software to eliminate infections on the IT system
• 28. Write Risk Assessment Reports
  Once the risk assessment process is completed, the results should be documented concisely in an official report
  The risk assessment report is a complete report of the assessment process that helps the organization’s management make decisions on policy, procedural, budget, system operational, and management changes
  The report should be presented in a proper manner so that the organization’s management can easily understand the risks and assign resources to reduce or avoid potential losses
• 29. Write Risk Assessment Reports (cont’d)
  The risk assessment report should include:
  • Observation number and a brief description of the observation
  • A discussion of the threat-source and vulnerability pair
  • Identification of the existing mitigating security controls
  • Likelihood discussion and evaluation
  • Impact analysis discussion and evaluation
  • Risk rating based on the risk-level matrix
  • Recommended controls or alternative options for reducing the risk
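The likelihood, impact and risk-determination steps of the process above, carried through to the report entries listed on this slide, as an added example that is not EC-Council’s code. The numeric likelihood/impact scales and the risk-level thresholds are an assumption taken from NIST SP 800-30 (2002), Table 3-6, and the sample observations are constructed.

```python
"""Risk rating for the assessment process and report described above.

Added example, not EC-Council's code. The numeric scales and thresholds
are assumptions taken from NIST SP 800-30 (2002), Table 3-6: likelihood
High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50,
Low = 10; the product is rated High above 50, Medium above 10, else Low.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"High": 0, "Medium": 1, "Low": 2}   # ordering used to prioritise the report


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood rating and an impact rating into a risk level
    (the risk-level matrix step of the process)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Observation:
    """One entry of the risk assessment report, with the fields the slide lists."""
    number: int
    description: str
    threat_source: str
    vulnerability: str
    existing_controls: list[str]
    likelihood: str                  # output of the likelihood step
    impact: str                      # output of the impact-analysis step
    recommended_controls: list[str]
    risk: str = field(init=False)    # output of the risk-determination step

    def __post_init__(self) -> None:
        self.risk = risk_level(self.likelihood, self.impact)


def prioritize(observations: list[Observation]) -> list[Observation]:
    """Order entries so management sees the highest risks first."""
    return sorted(observations, key=lambda o: (RANK[o.risk], o.number))


def report_lines(observations: list[Observation]) -> list[str]:
    """Render the prioritised entries as one text line each."""
    lines = []
    for o in prioritize(observations):
        lines.append(
            f"#{o.number} [{o.risk}] {o.description} | threat: {o.threat_source}"
            f" | vulnerability: {o.vulnerability} | likelihood: {o.likelihood}"
            f" | impact: {o.impact}"
            f" | existing: {', '.join(o.existing_controls) or 'none'}"
            f" | recommended: {', '.join(o.recommended_controls)}"
        )
    return lines


# Constructed sample observations (not from the slides or any real assessment).
SAMPLE = [
    Observation(1, "Shared admin credentials readable on a file share", "Insider",
                "Credentials stored in a world-readable share", [], "High", "High",
                ["Move secrets to a vault", "Restrict share permissions"]),
    Observation(2, "Weak password rules on a legacy system", "External attacker",
                "No length or complexity enforcement", ["Account lockout"],
                "Medium", "High", ["Enforce password policy", "Add MFA"]),
    Observation(3, "Unencrypted backup tapes in transit", "Courier loss",
                "Backups written in clear text", ["Sealed containers"],
                "Low", "Medium", ["Encrypt backup media"]),
]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE)))
```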
• 30. Coordinate Resources to Perform a Risk Assessment
  • Senior Management: responsible for mission accomplishment and for applying the necessary resources to develop the capabilities needed to accomplish the mission
  • Chief Information Officer: responsible for the organization’s IT planning, budgeting, and performance of information security elements
  • System and Information Owners: responsible for ensuring that appropriate controls are in place to address the integrity, confidentiality, and availability of the IT systems
  • Business and Functional Managers: responsible for business operations and the IT procurement process, and also take part in the risk management process
  • IT Security Program Managers: responsible for the organization’s security programs, such as risk management
  • IT Security Practitioners: responsible for the suitable implementation of security requirements in their IT systems
• 31. Risk Assessment Plan
  A risk assessment plan is a document prepared by senior management to predict risks, to estimate their effect, and to create response plans to mitigate them
  It also contains the risk assessment matrix that is used in the risk assessment process
  Senior management assesses the risks continually and develops plans to address them
  It contains an analysis of the expected risks with both high and low impact, as well as mitigation strategies to keep the project from derailing
• 32. Analyze Threats and Vulnerabilities of an Information System
  • Threat-source: any incident or event with the potential to cause harm to an IT system
  • Threat: the potential for a specific threat-source to effectively exercise a particular vulnerability
    Common threat sources:
    • Natural threats: floods, earthquakes, tornadoes, landslides, etc.
    • Human threats: unintentional acts or deliberate actions
    • Environmental threats: long-term power failure, pollution, chemicals, etc.
  • Vulnerability: a weakness that can be accidentally triggered or intentionally exploited
• 33. Analyze Threats and Vulnerabilities of an Information System (cont’d)
  Threat Analysis:
  • Identify and develop a list of potential threat-sources
  • Develop a practical estimate of the resources and capabilities that may be needed to carry out an attack
  • Obtain known threats from government and private sector organizations
• 34. Analyze Threats and Vulnerabilities of an Information System (cont’d)
  Vulnerability Analysis:
  • Develop a list of system flaws and weaknesses through site investigations, interviews with the employees accountable for the system, and network scanning tools
  • Some practical methods to gather vulnerability information:
    • Automated vulnerability scanning
    • Network mapping
    • Security testing and evaluation
    • Penetration testing
• 35. Residual Risk
  The residual risk is the risk or danger still remaining even after the implementation of new or enhanced controls
  Residual Risk = (Inherent Risk) × (Control Risk)
  • where Inherent Risk = (threats × vulnerability)
  Figure: new or enhanced controls act by reducing the number of flaws or errors, adding a targeted control, or reducing the magnitude of impact; what is left is the residual risk
• 36. Residual Risk
  Residual risk means the risk remaining after the implementation of the risk control process
  Risks with a higher strategic impact should be controlled effectively in order to keep the residual risk acceptable
  Risks with a lower strategic impact need less risk control
  The level of acceptable residual risk depends on senior management’s risk appetite and differs for each organization
• 37. Residual Risk (cont’d)
  Figure: impact of risk plotted against the level of risk control (quality level), rising from the start through Low, Medium, and High risk
• 38. Residual Risk Policy
  A residual risk policy considers economic, social, and political factors in addition to risk
  This policy may have an effect on all sources within the category of the applicability criteria
  This policy may specify:
  • Control equipment
  • Performance, such as ambient concentrations, emission rates, and percent reduction
  • Work practices
• 39. Residual Risk Standard: ISO/IEC 27005:2008
  The ISO/IEC 27005:2008 standard provides guidelines for information security risk management
  It supports the general concepts specified in ISO/IEC 27001
  It helps to implement information security based on a risk management process
  This standard is relevant for all types of organizations that need to manage threats arising from the use of IT systems and applications
  Knowledge of the concepts, procedures, models, and terminology specified in ISO/IEC 27001 and ISO/IEC 27002 is fundamental to understanding ISO/IEC 27005:2008
• 40. Cost/Benefit Analysis
  A cost/benefit analysis is conducted for each proposed control, after all possible controls have been identified, to find out which controls are required and suitable for the organization’s conditions
  It can be qualitative or quantitative
  It helps the organization decide which risk mitigation option to use
  The main aim of cost/benefit analysis is to show that the costs of implementing the controls can be justified by the reduction in the level of risk
  For example, the organization does not want to waste $1,000 on a control to reduce a $200 risk
• 41. Cost/Benefit Analysis (cont’d)
  A cost/benefit analysis for enhanced controls includes:
  • Determining the impact of implementing and of not implementing the new or enhanced controls
  • Estimating the costs of the implementation, such as:
    • Hardware and software purchases
    • Reduced operational effectiveness
    • Cost of implementing added policies and procedures
    • Cost of hiring extra personnel to implement planned policies and procedures
    • Training and maintenance cost
  • Evaluating the implementation costs and benefits against system and data criticality
• 42. Cost/Benefit Analysis for Information Assurance
  According to the U.S. Government’s National Information Assurance Glossary, information assurance is defined as:
  • “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation”
• 43. Cost/Benefit Analysis for Information Assurance (cont’d)
  Benefits of Information Assurance:
  • Net Benefits = (Expected Collaboration Benefits – Degraded Benefits without Assurance) – Total Costs of Information Assurance
  Figure (cost of information assurance model): the level of collaboration and the information assets feed the assurance policy (tools, processes, practices), which addresses the security risks arising from threats and vulnerabilities; the benefits net of the cost of information assurance give the net benefits
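The residual risk formula from slide 35, the cost/benefit rule from slides 40 and 41 (a $1,000 control for a $200 risk is not justified), and the net benefits formula above, carried through in working code as an added example that is not EC-Council’s code. The scale conventions (likelihood and vulnerability as fractions, control risk as 1 − effectiveness, dollar risk as probability × loss) and the discounting of future costs and benefits over several years are assumptions, as are the constructed figures in the test.

```python
"""Residual risk and cost/benefit checks for a proposed control.

Added example, not EC-Council's code. It follows the slides' formulas
Residual Risk = Inherent Risk x Control Risk, Inherent Risk = threats x
vulnerability, and Net Benefits = (Expected Collaboration Benefits -
Degraded Benefits without Assurance) - Total Costs of Information Assurance.
Assumed conventions: threat likelihood and vulnerability exposure are
fractions in [0, 1], so inherent risk is the annual probability of the loss;
control risk is the fraction of inherent risk a control lets through
(1 - effectiveness); risk in dollars is probability times loss if it occurs.
"""
from __future__ import annotations


def inherent_risk(threat_likelihood: float, vulnerability: float) -> float:
    """Inherent risk = threats x vulnerability (both fractions in [0, 1])."""
    return threat_likelihood * vulnerability


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Residual risk = inherent risk x control risk, control risk = 1 - effectiveness."""
    control_risk = 1.0 - control_effectiveness
    return inherent * control_risk


def risk_in_dollars(probability: float, loss_if_occurs: float) -> float:
    """Expected annual loss for a risk expressed as a probability."""
    return probability * loss_if_occurs


def control_justified(risk_before: float, risk_after: float, control_cost: float) -> bool:
    """The slide's rule: a control is justified only when the reduction in
    dollar risk exceeds what the control costs ($1,000 for a $200 risk fails)."""
    return (risk_before - risk_after) > control_cost


def net_present_value(cash_flows: list[float], discount_rate: float) -> float:
    """Discount future costs and benefits: cash_flows[t] occurs at year t."""
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def control_npv(upfront_cost: float, annual_cost: float, annual_benefit: float,
                years: int, rate: float) -> float:
    """NPV of a control: year 0 carries the purchase; years 1..N carry the
    running cost (policies, personnel, training, maintenance) and the
    reduction in expected loss the control buys."""
    flows = [-upfront_cost] + [annual_benefit - annual_cost] * years
    return net_present_value(flows, rate)


def net_benefits_of_assurance(expected_collaboration_benefits: float,
                              degraded_benefits_without: float,
                              total_costs: float) -> float:
    """The slide's net benefits formula, applied literally."""
    return (expected_collaboration_benefits - degraded_benefits_without) - total_costs


def evaluate_control(threat: float, vulnerability: float, effectiveness: float,
                     loss: float, upfront: float, annual: float,
                     years: int, rate: float) -> dict:
    """Run the whole chain for one control and return the figures a report
    would carry. A control can fail the one-year test yet pay off over its
    lifetime, which is why both views are returned."""
    before = inherent_risk(threat, vulnerability)
    after = residual_risk(before, effectiveness)
    dollars_before = risk_in_dollars(before, loss)
    dollars_after = risk_in_dollars(after, loss)
    benefit = dollars_before - dollars_after
    return {
        "inherent": before,
        "residual": after,
        "annual_benefit": benefit,
        "justified_year1": control_justified(dollars_before, dollars_after, upfront + annual),
        "npv": control_npv(upfront, annual, benefit, years, rate),
    }


if __name__ == "__main__":
    # Constructed figures: 50% threat likelihood, 40% exposure, control that
    # removes 75% of the risk, $100,000 loss, $20,000 purchase, $2,000/year.
    print(evaluate_control(0.5, 0.4, 0.75, 100_000, 20_000, 2_000, 3, 0.0))
```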
• 44. Importance of Cost/Benefit Analysis for Information Assurance
  • Helps to identify critical information assets and establishes the upper limit of the total cost of information assurance
  • Establishes the collaboration objectives, with the security of information assets as a high priority
  • Verifies information assurance requirements
  • Provides a roadmap for upcoming collaborative information assurance requirements
  • Helps to find out the cost spent on information security to deliver the desired information assurance
• 45. Cost/Benefit Analysis Procedure
  • Define objectives and project scope
  • Identify project options
  • Identify costs and benefits
    • Identify quantitative costs
    • Identify quantitative benefits
    • External costs and benefits
    • Equity and broader distributional considerations
    • Presenting incremental costs and benefits
  • Discount future costs and benefits
  • Calculate the decision criteria
  • Sensitivity analysis
  • Identify the preferred option
  • Prepare the report
    • Full evaluation report
    • Summary reporting
• 46. Cost/Benefit Analysis Procedure (cont’d)
  Flow of the procedure:
  • Define objectives and project scope
  • Identify project options
  • Identify unquantified costs and benefits
  • Identify quantified benefits
  • Identify quantified costs
  • Discount future costs and benefits
  • Calculate the decision criteria
  • Undertake sensitivity tests
  • Identify the preferred option
  • Prepare the report
• 47. Risk Acceptance
  In some cases, it is vital for the organization to accept the risk present in some entities
  Risk acceptance is the practice of accepting some risks based on a business decision
  It is part of the risk treatment decision-making process, in which the organization has to decide whether the system can continue to operate with a particular risk
  The decision about risk acceptance is made by the organization’s committee
• 48. Risk Acceptance (cont’d)
  Risk acceptability depends on:
  • Financial capacity of the organization to absorb the consequences of the risk
  • Level of conservatism of the decision maker
  • Quantity of the risk inherent in the business activity normally carried out by the organization
  • Diversity of the business
  • Extent to which the risk can be transferred or reduced
• 49. Risk Acceptance Process
  Develop a risk acceptance statement for the remaining exposures:
  • The responsible manager prepares a statement about the acceptable risks and sends it to higher management
  • The statement includes detailed information on the associated risk, the loss potential, and the review procedures
  Approve the risk acceptance statement:
  • Once completed, the risk acceptance statement is submitted to the corporate information risk group and other interested parties for review and approval
  • The corporate information risk group approves the risk acceptance after reviewing the risk acceptance statement
  Document the results:
  • All outcomes of the risk acceptance process are documented, and paper copies of the risk acceptance statements are maintained
• 50. Management’s Risk Acceptance Posture
  Management’s decision on risk acceptance is based on a selection from a range of alternatives
  Businesses take risks in the hope of resulting profits
  The role of the security manager is to help management control the risks that management considers unacceptable
  Business risks can be dealt with by:
  • Adopting alternative procedures and processes that may reduce the need for security
  • Buying insurance, which is also a way to cover the failure of security efforts
  • Installing security schemes, one of the best ways to minimize risks and the effects of threats
  • Accepting the risks as a cost of doing business, an alternative way to manage potential losses
• 51. Risk Assessment and Countermeasures
  Various controls are implemented in the risk assessment process to reduce the mission risk, such as:
  • Technical security controls: used to protect against given types of threats
  • Management security controls: used in combination with technical and operational controls, and implemented to manage and reduce the risk of loss and to protect an organization’s mission
  • Operational security controls: implemented by the organization in accordance with an available set of requirements and good organizational practices
• 52. Risk Analysts
  Risk analysts identify and quantify the risks faced by an organization or business unit
  They estimate the financial and other impacts of adverse circumstances
  A risk analyst’s report contains the following points:
  • Summary and conclusions
  • Objectives and scope
  • Limitations, assumptions, and justification of hypotheses
  • Description of relevant parts of the system
  • Analysis methodology
  • Hazard identification results
  • Models used, including assumptions and validation
  • Data and their sources
  • Risk estimation results
  • Sensitivity and uncertainty analysis
  • Discussion of results (including discussion of analytic difficulties)
  • References
• 53. Risk Mitigation
  Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat
  These may range from physical measures to financial measures
  Risk managers start with risk analysis, then seek to take actions to mitigate the risks
  Risk mitigation efforts may involve direct costs, such as increased capital expenditure on incident handling and response
• 54. Risk and Certification/Accreditation of Information Systems
  Certification and accreditation ensure that the information systems are operating under an acceptable risk level, which in turn helps in planning risk mitigation strategies
  They help build the trust of stakeholders in the organization and help in mitigating intangible risks such as loss of customers and reputation
  They motivate organizations to deliver quality products and services
• 55. Role of Documentation in Reducing Risk
  Proper documentation of the risk analysis reduces the risk and enables people to handle difficult situations
  Documentation of the risk analysis is a direct input to the risk management process
  It helps in reviewing potential threats and vulnerabilities promptly
  It is a reminder of the anticipated errors that may occur while setting up critical information systems
• 56. Summary
  Risk is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, schedule, and technical limitations
  Risk management is the process of identifying risk, addressing risk, and taking steps to eliminate or reduce risk to an acceptable level
  Risk assessment is the process of identifying and assessing resources that pose a threat to the business or project environment
  The residual risk is the risk or danger remaining after the implementation of new or enhanced controls
  Risk mitigation encompasses all methodologies and efforts taken to reduce either the probability or the consequences of a threat