Information Security - Lecture 4


Information Security - Lecture 4
Principles of Information Security, Fourth Edition, Chapter 4

Risk Management
Plarent Tirana, Ph.D.

November 21st, 2014

Topics
Learning Objectives
Introduction to risk management
Risk Identification
Risk Assessment
Risk Control Strategies
Quantitative versus Qualitative
Strategies

Learning Objectives
Upon completion of this material, you
should be able to:
Define risk management, risk identification,
and risk control
Describe how risk is identified and assessed
Assess risk based on probability of
occurrence and likely impact
Explain the fundamental aspects of
documenting risk via the process of risk
assessment

Learning Objectives (contd.)
Describe the various risk mitigation
strategy options
Identify the categories that can be used
to classify controls
Recognize the existing conceptual
frameworks for evaluating risk controls
and formulate a cost benefit analysis
Describe how to maintain and
perpetuate risk controls


Critical Characteristics of Information
The value of information comes from the characteristics it possesses.
When a characteristic of information changes, the value of that information either increases, or, more commonly, decreases.
C.I.A. triangle:
Confidentiality
Integrity
Availability / Accuracy / Authenticity

Confidentiality
Information has confidentiality when it is protected
from disclosure or exposure to unauthorized
individuals or systems.
Confidentiality ensures that only those with the
rights and privileges to access information are able
to do so.
When unauthorized individuals or systems can view
information, confidentiality is breached.
To protect confidentiality:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users

Integrity
Information has integrity when it is whole,
complete, and uncorrupted.
The integrity of information is threatened
when the information is exposed to
corruption, damage, destruction, or other
disruption of its authentic state.
Corruption can occur while information is being stored or transmitted.
File hashing is an effective protection method: a digest of the file is stored and recomputed on read, and any mismatch reveals a change. An unkeyed hash detects accidental corruption; to detect deliberate tampering the reference digest itself must be protected (for example with a keyed MAC or a signature), since an attacker who can rewrite the file can usually rewrite an unkeyed hash stored beside it.
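As an added example (not from the lecture or the textbook), the following Python shows file hashing used as an integrity check, and why the reference digest must itself be protected: an unkeyed SHA-256 digest catches accidental corruption, but an attacker who can rewrite the file can recompute it, whereas a keyed HMAC-SHA256 tag cannot be forged without the key. The file contents and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample "file" contents (not from the lecture): a record before and after
# an attacker changes the amount.
ORIGINAL = b"invoice_id=1042;amount=1500.00;payee=ACME Ltd\n"
TAMPERED = b"invoice_id=1042;amount=9500.00;payee=ACME Ltd\n"


def file_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest, the kind of value stored as a reference hash for a file."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Detects corruption in storage or transit, provided the stored digest is trusted."""
    return hmac.compare_digest(file_digest(data), expected_hex)


def file_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: without the key an attacker cannot produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the recomputed tag against the stored one."""
    return hmac.compare_digest(file_tag(key, data), expected_hex)


def demo() -> dict:
    """Runs the four cases the text describes and reports whether each behaved as expected."""
    key = b"integrity-key-kept-out-of-band"  # assumption: stored separately from the data
    stored_digest = file_digest(ORIGINAL)
    stored_tag = file_tag(key, ORIGINAL)
    return {
        # accidental or deliberate change with the reference values left intact: both catch it
        "digest_catches_change": not verify_digest(TAMPERED, stored_digest),
        "tag_catches_change": not verify_tag(key, TAMPERED, stored_tag),
        # attacker rewrites the file AND the unkeyed digest beside it: the check passes
        "digest_fooled_by_rewrite": verify_digest(TAMPERED, file_digest(TAMPERED)),
        # attacker rewrites the file but has no key: any tag they compute fails to verify
        "tag_resists_rewrite": not verify_tag(key, TAMPERED, file_tag(b"wrong-key", TAMPERED)),
    }


if __name__ == "__main__":
    for case, as_expected in demo().items():
        print(f"{case}: {as_expected}")
```

The key only needs to be kept away from whoever can write the file; a manifest of plain hashes stored on the same writable share protects against bit rot, not against an intruder.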

Availability / Accuracy / Authenticity


Availability enables authorized users or
computer systems to access information without
interference or obstruction and to receive it in
the required format.
Information has accuracy when it is free from
mistakes or errors and it has the value that the
end user expects.
Authenticity of information is the quality or state
of being genuine or original, rather than a
reproduction or fabrication. Information is
authentic when it is in the same state in which it
was created, placed, stored, or transferred.

Overview of Risk Management


Information security managers and technicians are the
defenders of information.
The many threats discussed in Chapter 2 are constantly
attacking the defenses surrounding information assets.
Defenses are built in layers, by placing safeguard upon
safeguard.
The defenders attempt to prevent, protect, detect,
and recover from a seemingly endless series of
attacks.
Moreover, those defenders are legally prohibited
from deploying offensive tactics, so the attackers
have no need to expend resources on defense.

Overview of Risk Management


Know yourself: identify, examine, and
understand the information and systems
currently in place
Know the enemy: identify, examine, and
understand threats facing the organization
Responsibility of each community of interest
within an organization to manage risks that
are encountered
Community of interest: people in an
organization with (possibly) different roles
but a shared goal

The Roles of the Communities of Interest
Information security, management and
users, and information technology all
must work together
Communities of interest are responsible
for:
Evaluating the risk controls
Determining which control options are cost
effective for the organization
Acquiring or installing the needed controls
Ensuring that the controls remain effective

The Roles of the Communities of Interest (contd.)
Information security, management and users, and information technology all must work together, led by the information security community.
Management review:
Verify completeness/accuracy of asset inventory
Review and verify threats as well as controls and
mitigation strategies
Review cost effectiveness of each control
Verify effectiveness of controls deployed

Control: a safeguard or countermeasure. A security mechanism, policy, or procedure that can counter a system attack, reduce risk, and resolve a vulnerability.

Paradigm Shift - What is it?


A paradigm shift or revolutionary science is,
according to Thomas Kuhn, in his influential
book The Structure of Scientific Revolutions
(1962), a change in the basic assumptions, or
paradigms, within the ruling theory of science.
Kuhn argues that scientific advancement is
not evolutionary, but rather is a "series of
peaceful interludes punctuated by
intellectually violent revolutions", and in those
revolutions "one conceptual world view is
replaced by another".

Paradigm Shift - What is it?


Moving from one thought system to
another!
Above from: http://www.taketheleap.com/define.html

Albert Einstein: "We can't solve problems by using the same kind of thinking we used when we created them."
For information security, it is about how and what we think of the risks around us and how to control them!

Components of Risk Management
Risk identification is the examination and documentation of the security posture of an organization's information technology and the risks it faces.
Risk assessment is the determination of the extent to which the organization's information assets are exposed or at risk.
Risk control is the application of controls to reduce the risks to an organization's data and information systems.

Components of Risk Management (diagram)


Risk Identification
Risk identification involves identifying, classifying, and prioritizing an organization's assets.
A threat assessment process identifies and quantifies the risks facing each asset.
Components of risk identification:
People
Procedures
Data
Software
Hardware

What is a risk? (diagram)

Components of Risk Identification (diagram)

Plan and Organize the Process
First step in the risk identification process is to follow your project management principles.
Begin by organizing a team with representation across all affected groups.
The process must then be planned out:
Periodic deliverables
Reviews
Presentations to management
Tasks laid out, assignments made, and timetables discussed

Categorizing system components (diagram)

Asset Identification and Inventory
Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking).
Assets are then classified and categorized.

People, Procedures, and Data Asset Identification
Human resources, documentation, and data information assets are more difficult to identify.
Single points of failure (SPOF) are important to identify.
Important asset attributes:
People: position name/number/ID; supervisor; security clearance level; special skills
Procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

Hardware, Software, and Network Asset Identification
What information attributes to track depends on:
Needs of organization/risk management efforts
Preferences/needs of the security and information technology communities
Asset attributes to be considered are: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
Automated tools can identify system elements for hardware, software, and network components

Data Classification and Management
Variety of classification schemes used by corporate and military organizations
Information owners responsible for classifying their information assets
Information classifications must be reviewed periodically
Most organizations do not need the detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection

Data Classification and Management (contd.)
The corporate information classifications are as follows:
Confidential: Used for the most sensitive corporate information that must be tightly controlled, even within the company. Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract. Information with this classification may also be referred to as sensitive or proprietary.
Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by corporate employees, authorized contractors, and other third parties.
External: All information that has been approved by management for public release.

Data Classification and Management (contd.)
Government schemes use several classification levels. The two highest levels in the US scheme:
Top Secret: Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security. Examples of exceptionally grave damage include armed hostilities against the United States or its allies; disruption of foreign relations vitally affecting the national security.
Secret: Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Examples of serious damage include disruption of foreign relations significantly affecting the national security; significant impairment of a program or policy directly related to the national security.

Data Classification and Management (contd.)
Confidential: Such material would cause "damage" or be "prejudicial" to national security if publicly available.
Restricted: Such material would cause "undesirable effects" if publicly available. (A level in UK, NATO and other national schemes rather than the current US scheme.)
Official: Such material forms the generality of government business, public service delivery and commercial activity. OFFICIAL information must be secured against a threat model that is broadly similar to that faced by a large private company. (The lowest tier of the UK government scheme.)

Data Classification and Management (contd.)
Need-to-know allows access to information by individuals who need the information to perform their work.
Security clearance structure:
Each data user assigned a single level of authorization indicating classification level
Before accessing a specific set of data, employee must also meet the need-to-know requirement
Management of classified data:
Storage, distribution, portability, and destruction of classified data
Clean desk policy
Prevent dumpster diving

Classifying and Prioritizing Information Assets
Many organizations have data classification schemes, e.g. confidential, internal, public data
Classification of components must be specific to allow determination of priority levels
Categories must be comprehensive and mutually exclusive

Information Asset Valuation
Questions help develop criteria for asset valuation. Which information asset:
Is most critical to the organization's success?
Generates the most revenue/profitability?
Would be most expensive to replace or protect?
Would be the most embarrassing or cause the greatest liability if revealed?
Example: the DB for customer billing transactions and the DB for buying the cleaning supplies for the company. Which is more important in terms of value of data?


Information Asset Valuation (contd.)
Information asset prioritization:
Create a weighting for each category based on the answers to the questions
Calculate the relative importance of each asset using weighted factor analysis
List the assets in order of importance using a weighted factor analysis worksheet

Example of a Weighted Factor Analysis Worksheet (table)
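The worksheet on the original slide is an image that did not survive extraction. As an added example, not part of the lecture or the textbook, the Python below implements the weighted factor analysis the slides describe: each valuation question becomes a criterion with a weight (the weights must total 100), each asset receives a score from 0.1 to 1.0 per criterion, and the weighted sum ranks the assets. The criteria names, weights and asset scores are constructed sample values; the two databases echo the billing-versus-cleaning-supplies question above.

```python
from dataclasses import dataclass

# Constructed criteria: the valuation questions from the slide, turned into weighted
# criteria. Weights are percentages and must total 100, as on the worksheet.
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}


@dataclass(frozen=True)
class Asset:
    name: str
    scores: dict  # criterion -> score from 0.1 (least) to 1.0 (most)


def weighted_score(asset: Asset, weights: dict = CRITERIA_WEIGHTS) -> float:
    """Weighted factor analysis for one asset: sum over criteria of score x weight."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must total 100")
    total = 0.0
    for criterion, weight in weights.items():
        score = asset.scores[criterion]  # KeyError if the asset was not scored on a criterion
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{asset.name}: score for {criterion} must be within 0.1..1.0")
        total += score * weight
    return round(total, 1)


def rank_assets(assets: list, weights: dict = CRITERIA_WEIGHTS) -> list:
    """Returns (asset name, weighted score) pairs, most important asset first."""
    scored = [(asset.name, weighted_score(asset, weights)) for asset in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets; the scores are illustrative, not measured.
SAMPLE_ASSETS = [
    Asset("Customer billing transactions DB",
          {"impact_on_revenue": 1.0, "impact_on_profitability": 1.0, "impact_on_public_image": 0.9}),
    Asset("Cleaning-supplies purchasing DB",
          {"impact_on_revenue": 0.1, "impact_on_profitability": 0.2, "impact_on_public_image": 0.1}),
    Asset("Public marketing web site",
          {"impact_on_revenue": 0.3, "impact_on_profitability": 0.2, "impact_on_public_image": 0.9}),
]


if __name__ == "__main__":
    print(f"{'Information asset':40} {'Weighted score':>14}")
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:40} {score:>14.1f}")
```

Because every asset is scored against the same weighted criteria, the output is a relative ranking, which is all the later risk-rating step needs; the absolute numbers carry no meaning outside this worksheet.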

Identifying and Prioritizing Threats
Realistic threats need investigation; unimportant threats are set aside.
Example: the Heartbleed bug (in OpenSSL) for a shop running only Windows, or a Microsoft SSL bug for systems running only Linux. Are these unimportant threats, or not threats at all?
Threat assessment:
Which threats present danger to assets?
Which threats represent the most danger to information?
How much would it cost to recover from an attack?
Which threat requires the greatest expenditure to prevent?

Review of Threat Classification (table)
Any given threat may fit more than one category.
This is just a model; it helps to think, and to be more comprehensive.

Vulnerability Identification
Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
Examine how each threat could be perpetrated and list the organization's assets and vulnerabilities
Process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions
At the end of the risk identification process, a list of assets and their vulnerabilities is achieved

Top Computing Executives survey
A study conducted in 2003 and repeated in 2009 asked over 1000 top computing executives to rate each of the threat categories presented earlier on a scale from not significant to very significant.
The data was converted to a five-point scale with five representing very significant.
CIOs were also asked to identify the top five threats to their organizations. These were converted into weights, with five points for a first-place vote and so on to one point for a fifth-place vote.
The two ratings were combined into a weighted rank and compared to the rankings from 2003, as shown in the next table.

Top Computing Executives survey (table)

How do you know which threat exists and the ranking of the threats?
Some key findings:
Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they'd been the subjects of at least one targeted attack.
When asked what security solutions ranked highest on their wish-lists, many respondents named tools that would improve their visibility: better log management, security information and event management, security data visualization, security
Respondents generally said that regulatory compliance efforts have had a positive effect on their organization's security programs.

Risk Assessment
Risk assessment evaluates the relative risk
for each vulnerability
Assigns a risk rating or score to each
information asset
The goal at this point: create a method for
evaluating the relative risk of each listed
vulnerability
A single asset may have more than one
vulnerability.

Likelihood
The probability that a specific vulnerability
will be the object of a successful attack
Assign numeric value: number between
0.1 (low) and 1.0 (high), or a number
between 1 and 100
Zero not used since vulnerabilities with
zero likelihood are removed from
asset/vulnerability list
Use selected rating model consistently
Use external references for values that have been reviewed/adjusted for your circumstances

Risk Determination
For the purpose of relative risk assessment:
Risk EQUALS likelihood of vulnerability occurrence TIMES value (or impact),
MINUS the percentage of that risk already controlled,
PLUS an element of uncertainty (a percentage reflecting how inaccurate the likelihood and value estimates may be).
Both percentages are taken of the likelihood × value product.

Risk Determination Example (tables)

Documenting the Results of Risk Assessment
Final summary is compiled in a ranked vulnerability risk worksheet
Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
Ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk

Ranked vulnerability risk worksheet (table)
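The two worked-example slides and the worksheet are images not reproduced here. As an added example, not the textbook's own figures, the Python below applies the relative-risk formula from the Risk Determination slide, with the percentage already controlled and the uncertainty both taken as percentages of likelihood × impact, and produces the ranked vulnerability risk worksheet columns listed above (asset, asset impact, vulnerability, likelihood, risk-rating factor) sorted by risk rating. Asset names, impact scores, likelihoods and vulnerabilities are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityEntry:
    asset: str
    asset_impact: float   # asset value/impact score from asset valuation, e.g. 1..100
    vulnerability: str
    likelihood: float     # probability of a successful attack, 0.1 (low) .. 1.0 (high)
    controlled: float     # fraction of the risk already addressed by existing controls, 0.0..1.0
    uncertainty: float    # fraction allowing for inaccurate estimates, e.g. 0.2 if 80% accurate


def risk_rating(entry: VulnerabilityEntry) -> float:
    """Relative risk = likelihood x impact, minus the controlled share of that product,
    plus the uncertainty share of it."""
    if not 0.1 <= entry.likelihood <= 1.0:
        raise ValueError("likelihood is 0.1..1.0; zero-likelihood vulnerabilities are dropped from the list")
    if not (0.0 <= entry.controlled <= 1.0 and 0.0 <= entry.uncertainty <= 1.0):
        raise ValueError("controlled and uncertainty are fractions between 0.0 and 1.0")
    base = entry.asset_impact * entry.likelihood
    return round(base - base * entry.controlled + base * entry.uncertainty, 2)


def ranked_worksheet(entries: list) -> list:
    """Ranked vulnerability risk worksheet rows:
    (asset, asset impact, vulnerability, likelihood, risk rating), highest risk first."""
    rows = [(e.asset, e.asset_impact, e.vulnerability, e.likelihood, risk_rating(e)) for e in entries]
    return sorted(rows, key=lambda row: row[4], reverse=True)


# Constructed sample entries; scores and vulnerabilities are illustrative, not from the textbook.
SAMPLE_ENTRIES = [
    VulnerabilityEntry("Customer billing DB", 100, "SQL injection in billing web form", 0.5,
                       controlled=0.5, uncertainty=0.2),
    VulnerabilityEntry("Customer billing DB", 100, "Unpatched database server", 0.1,
                       controlled=0.0, uncertainty=0.2),
    VulnerabilityEntry("Customer e-mail server", 50, "No denial-of-service protection", 1.0,
                       controlled=0.0, uncertainty=0.1),
    VulnerabilityEntry("Cleaning-supplies DB", 10, "Default administrator credentials", 0.8,
                       controlled=0.0, uncertainty=0.1),
]


if __name__ == "__main__":
    print(f"{'Asset':24} {'Impact':>6} {'Vulnerability':36} {'Likelihood':>10} {'Risk':>6}")
    for asset, impact, vuln, likelihood, risk in ranked_worksheet(SAMPLE_ENTRIES):
        print(f"{asset:24} {impact:>6} {vuln:36} {likelihood:>10.1f} {risk:>6.1f}")
```

Note how the ranking comes out: the half-controlled injection flaw on the high-value billing database (35.0) still outranks the unpatched server on the same asset (12.0), but the uncontrolled availability exposure on the lower-value mail server (55.0) tops the list, because likelihood multiplies impact. A single asset contributes one row per vulnerability, as the Risk Assessment slide requires.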


Identify Possible Controls
For each threat and associated vulnerabilities that have residual risk, create a preliminary list of control ideas
Residual risk is the risk that remains to an information asset even after the existing control has been applied
There are three general categories of controls:
Policies
Programs (awareness, education, etc.)
Technologies

Risk Control Strategies


Once ranked vulnerability risk
worksheet complete, must choose
one of five strategies to control each
risk:
Defend
Transfer
Mitigate
Accept
Terminate

Defend
Attempts to prevent exploitation of the
vulnerability
Preferred approach
Accomplished through countering threats,
removing asset vulnerabilities, limiting
asset access, and adding protective
safeguards
Three common methods of defense (risk avoidance):
Application of policy
Training and education
Applying technology

Transfer
Control approach that attempts to shift
risk to other assets, processes, or
organizations
If lacking, organization should hire
individuals/firms that provide security
management and administration expertise
Organization may then transfer risk
associated with management of complex
systems to another organization
experienced in dealing with those risks
President Harry Truman: "If you can't stand the heat, get out of the kitchen."
Mitigate
Attempts to reduce impact of vulnerability
exploitation through planning and
preparation
Approach includes three types of plans
Incident response plan (IRP): define the actions
to take while incident is in progress
Disaster recovery plan (DRP): most common
mitigation procedure
Business continuity plan (BCP): encompasses
continuation of business activities if
catastrophic event occurs

Accept
Doing nothing to protect a
vulnerability and accepting the
outcome of its exploitation
Valid only when the particular
function, service, information, or
asset does not justify cost of
protection

Terminate
Directs the organization to avoid those
business activities that introduce
uncontrollable risks
May seek an alternate mechanism to meet
customer needs
Example: in 2007 Sprint announced it was canceling the accounts of around 1,000 people who called customer service too much.
At first blush, it might sound like a pretty jerk thing to do: have bad service and then punish people who complain.
The terminated customers were scamming Sprint, calling in again and again just to get free service.

Selecting a Risk Control Strategy
Level of threat and value of asset play a major role in selection of strategy
Rules of thumb on strategy selection can be applied:
When a vulnerability exists
When a vulnerability can be exploited
When the attacker's cost is less than the potential gain
When potential loss is substantial

Selecting a Risk Control Strategy (diagram)

Feasibility Studies
Before deciding on strategy, all
information about economic/noneconomic
consequences of vulnerability of
information asset must be explored
This is an attempt to answer the question,
What are the actual and perceived
advantages of implementing a control as
opposed to the actual and perceived
disadvantages of implementing the
control?
A number of ways exist to determine the advantage of a specific control

Cost Benefit Analysis (CBA)


Begun by evaluating worth of assets to be
protected and the loss in value if they are
compromised
The formal process to document this is
called cost benefit analysis or economic
feasibility study
Items that affect cost of a control or
safeguard include: cost of development or
acquisition; training fees; implementation
cost; service costs; cost of maintenance
Benefit: value an organization realizes using controls to prevent losses from a

Cost Benefit Analysis (CBA) (contd.)
Asset valuation: process of assigning financial value or worth to each information asset
Process result is an estimate of potential loss per risk
Expected loss per risk is stated in the following equations:
Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
SLE = asset value × exposure factor (EF)

Cost Benefit Analysis (CBA) (contd.)
CBA determines if the alternative being evaluated is worth the cost incurred to control the vulnerability
CBA is most easily calculated using ALE from earlier assessments, before implementation of the proposed control:
CBA = ALE(prior) − ALE(post) − ACS
ALE(prior) is the annualized loss expectancy of the risk before implementation of the control
ALE(post) is the estimated ALE based on the control being in place for a period of time
ACS is the annualized cost of the safeguard

Cost Benefit Analysis (CBA) (contd.)
Once the value of assets is estimated, the potential loss from exploitation of a vulnerability is studied
Process result is an estimate of potential loss per risk
A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows:
SLE = asset value × exposure factor (EF)

Cost Benefit Analysis (CBA) (contd.)
Expected loss per risk is stated in the following equation:
Annualized loss expectancy (ALE) equals single loss expectancy (SLE) TIMES annualized rate of occurrence (ARO)
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Or ALE = SLE * ARO
Exercise: SLE = asset value × exposure factor (EF); ARO = 4; ALE = ?

Cost Benefit Analysis (CBA) (contd.)
CBA = ALE(prior) − ALE(post) − ACS
Two different ways of looking at it:
CBA = Benefit − Cost, or (ALE(prior) − ALE(post)) − ACS
CBA = Current Cost − Future Cost, or ALE(prior) − (ALE(post) + ACS)
What to do?
CBA > 0: Good
CBA = 0: Why bother
CBA < 0: No benefit, forget it
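As an added example (not from the slides or the textbook), the Python below carries the CBA equations through end to end: SLE = asset value × EF, ALE = SLE × ARO, CBA = ALE(prior) − ALE(post) − ACS, and the three-way decision rule from the slide, evaluating two candidate controls for the same vulnerability. It also answers the "ARO = 4; ALE = ?" exercise for the same constructed inputs. All monetary values, exposure factors, rates and safeguard costs are constructed assumptions.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_rate(incidents: float, years: float) -> float:
    """ARO as incidents per year: once every 2 years -> 0.5, four times a year -> 4.0."""
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS, equivalently ALE(prior) - (ALE(post) + ACS)."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def decision(cba: float) -> str:
    """The slide's rule: CBA > 0 good, CBA = 0 why bother, CBA < 0 no benefit."""
    if cba > 0:
        return "implement"
    if cba == 0:
        return "indifferent"
    return "reject"


def evaluate_control(asset_value: float, ef: float, aro_prior: float, aro_post: float, acs: float) -> dict:
    """Full CBA for one proposed control. Here the control lowers how often the loss occurs
    (ARO) but not the size of each loss (EF); a control that shrinks the loss instead would be
    modelled by recomputing the post-control SLE with a lower EF."""
    sle = single_loss_expectancy(asset_value, ef)
    ale_prior = annualized_loss_expectancy(sle, aro_prior)
    ale_post = annualized_loss_expectancy(sle, aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"sle": sle, "ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "decision": decision(cba)}


# Constructed scenario: a customer billing database valued at 250,000 (any currency unit).
# A breach is assumed to destroy 40% of that value and to occur about once every two years.
BILLING_DB_VALUE = 250_000.0
BILLING_DB_EF = 0.4
ARO_PRIOR = annualized_rate(1, 2)   # 0.5 per year

# Two candidate controls, both assumed to bring the rate down to once in ten years,
# differing only in annualized cost.
CHEAP_CONTROL_ACS = 25_000.0
EXPENSIVE_CONTROL_ACS = 45_000.0
ARO_POST = annualized_rate(1, 10)   # 0.1 per year


def exercise_ale(asset_value: float = BILLING_DB_VALUE, ef: float = BILLING_DB_EF, aro: float = 4.0) -> float:
    """The slide's exercise: with ARO = 4 (four incidents a year), ALE = SLE x ARO."""
    return annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)


if __name__ == "__main__":
    for name, acs in (("cheap control", CHEAP_CONTROL_ACS), ("expensive control", EXPENSIVE_CONTROL_ACS)):
        print(name, evaluate_control(BILLING_DB_VALUE, BILLING_DB_EF, ARO_PRIOR, ARO_POST, acs))
    print("exercise ALE with ARO = 4:", exercise_ale())
```

With these inputs the cheaper control yields a positive CBA and the dearer one a negative CBA for the same risk reduction, which is the comparison the slide's "Benefit − Cost" view is meant to drive; in practice the ALE(post) estimate is the weakest number in the calculation and should be revisited once the control has been in place for a while, as the slide on evaluation and maintenance says.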

Evaluation, Assessment, and Maintenance of Risk Controls
Selection and implementation of a control strategy is not the end of the process
Strategy and accompanying controls must be monitored/reevaluated on an ongoing basis to determine effectiveness and to calculate more accurately the estimated residual risk
Process continues as long as the organization continues to function

Risk Control Cycle (diagram)


Quantitative versus Qualitative Risk Control Practices
Performing the previous steps using actual values or estimates is known as quantitative assessment
Possible to complete the steps using an evaluation process based on characteristics using non-numerical measures; called qualitative assessment
Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values
For example, asset costs can be substituted by a scale of 1-20, where 1 is the least cost and 20 the most cost; similarly ARO can be substituted by a scale of 1-20, where 1 means rarely occurs and 20 means occurs daily (or even hourly).

Quantitative versus Qualitative Risk Control Practices (contd.)
Quantitative analysis is hard to carry out quickly in a large organization.
One should attempt to conduct qualitative analysis as a first step to risk management; otherwise, the entire process may take too long and it may give a wrong impression about the usefulness of the risk management process.
Organizations should remember the adage, "Good security now is better than perfect security never."

Benchmarking* and Best Practices
An alternative approach to risk management
Benchmarking: process of seeking out and studying practices in other organizations that one's own organization desires to duplicate
Learn from others' successes and mistakes
One of two measures typically used to compare practices:
Metrics-based measures
Process-based measures

Benchmarking* and Best Practices (contd.)
Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances (do compare!)
Due diligence: demonstration that the organization is diligent in ensuring that implemented standards continue to provide the required level of protection (do actually help!)
Failure to support the standard of due care or due diligence can leave the organization open

Benchmarking* and Best Practices (contd.)
Best business practices: security efforts that provide a superior level of information protection
When considering best practices for adoption in an organization, consider:
Does the organization resemble the identified target with the best practice?
Are the resources at hand similar?
Is the organization in a similar threat environment?

Benchmarking* and Best Practices (contd.)
"Benchmarking can yield great benefits in the education of executives and the realized performance improvements of operations. In addition, benchmarking can be used to determine strategic areas of opportunity. In general, it is the application of what is learned in benchmarking that delivers the marked and impressive results so often noted. The determination of benchmarks allows one to make a direct comparison. Any identified gaps are improvement areas."
*Above quote from: http://www.best-inclass.com/bestp/domrep.nsf/pages/716AD479AB1F512C85256DFF006BD072!OpenDocument

Problems with the Application of Benchmarking and Best Practices
Organizations don't talk to each other (biggest problem)
Hire consultants
Use standards from industry organizations
No two organizations are identical
Best practices are a moving target
Stay current on a regular basis, not once in a while
Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare for what's next

Benchmarking* and Best Practices (contd.)
Baselining
Baselining is the analysis of measures against established standards.
In information security, baselining is the comparison of security activities and events against the organization's future performance.
Useful during baselining to have a guide to the overall process.
An example is the establishment of the number of attacks per week the organization is experiencing. In the future, this baseline can serve as a reference point to determine if the average number of attacks is increasing or decreasing.

Other Feasibility Studies (Qualitative Approaches)
Organizational: examines how well proposed IS alternatives will contribute to the organization's efficiency, effectiveness, and overall operation
Operational: examines user and management acceptance and support, and the overall requirements of the organization's stakeholders
Technical: examines if the organization has or can acquire the technology necessary to implement and support the control alternatives
Political: defines what can/cannot occur

Risk Management Discussion Points
Organization must define the level of risk it can live with
Risk appetite: defines the quantity and nature of risk that organizations are willing to accept as trade-offs between perfect security and unlimited accessibility
Residual risk: risk that has not been completely removed, shifted, or planned for
The goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an

Documenting Results
At minimum, each information asset-threat pair should have a documented control strategy clearly identifying any remaining residual risk. Furthermore, each control strategy should articulate which of the five fundamental risk-reducing approaches will be used, or how they might be combined, and should justify the findings by referencing the feasibility studies.
Another option: document the outcome of the control strategy for each information asset-vulnerability pair as an action plan. This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.
Risk assessment may be documented in a topic-specific report. These are usually demand reports that are prepared at the direction of senior management.

Recommended Risk Control Practices
Convince budget authorities to spend up to the value of the asset to protect it from an identified threat
Final control choice may be a balance of controls providing the greatest value to as many asset-threat pairs as possible
Organizations looking to implement controls that don't involve such complex, inexact, and dynamic calculations

Summary
Risk identification: formal process of examining and documenting risk in information systems
Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the components of an information system
Risk identification: a risk management strategy enables identification, classification, and prioritization of the organization's information assets
Residual risk: risk remaining to the information asset even after the existing control is applied
Summary (contd)
Risk control: five strategies are used to
control risks that result from
vulnerabilities:

Defend
Transfer
Mitigate
Accept
Terminate


Summary (contd.)
Selecting a risk control strategy
Cost Benefit Analysis
Feasibility Study
Qualitative versus Quantitative Risk Control
Best Practices and Benchmarks
Organizational Feasibility, Operational Feasibility, Technical Feasibility, and Political Feasibility
Risk Appetite: organizational risk tolerance
Residual risk: risk remaining after application of risk controls