Lesson 1

Principles of Information Security,
Fifth Edition
Chapter 5
Risk Management
Lesson 1 – Risk
Management

Learning Objectives
• Upon completion of this material, you should be
able to:
– Define risk management, risk identification, and risk
control
– Describe how risk is identified and assessed
– Assess risk based on probability of occurrence and
likely impact
– Explain the fundamental aspects of documenting risk
via the process of risk assessment
Principles of Information Security, Fifth Edition 2

Learning Objectives (cont’d)
– Describe the various risk mitigation strategy options
– Identify the categories that can be used to classify
controls
– Discuss conceptual frameworks for evaluating risk
controls and formulate a cost-benefit analysis

Introduction
• Organizations must design and create safe
environments in which business processes and
procedures can function.
• Risk management: the process of identifying,
assessing, and reducing risks facing an organization
• Risk identification: the enumeration and
documentation of risks to an organization’s
information assets
• Risk control: the application of controls that reduce
the risks to an organization’s assets to an acceptable
level

An Overview of Risk Management
• Know yourself: identify, examine, and understand
the information and systems currently in place
• Know the enemy: identify, examine, and
understand the threats facing the organization
• Responsibility of each community of interest within
an organization to manage the risks that are
encountered

The Roles of the Communities of
Interest
• Information security, management and users, and
information technology all must work together.
• Communities of interest are responsible for:
– Evaluating the risk controls
– Determining which control options are cost effective
for the organization
– Acquiring or installing the needed controls
– Ensuring that the controls remain effective

Risk Appetite and Residual Risk
• Risk appetite: It defines the quantity and nature of risk
that organizations are willing to accept as trade-offs
between perfect security and unlimited accessibility.
– Reasoned approach is one that balances the expense
of controlling vulnerabilities against possible losses if
the vulnerabilities are exploited.
• Residual risk: risk that has not been completely
removed, shifted, or planned for
– The goal of information security is to bring residual risk
into line with risk appetite.

Risk Identification
• Risk management involves identifying, classifying,
and prioritizing an organization’s assets.
• A threat assessment process identifies and
quantifies the risks facing each asset.

Plan and Organize the Process
• The first step in the risk identification process is to
follow your project management principles.
• Begin by organizing a team with representation
across all affected groups.
• The process must then be planned out.
– Periodic deliverables
– Reviews
– Presentations to management
• Tasks laid out, assignments made, and timetables
discussed

Identifying, Inventorying, and
Categorizing Assets
• Iterative process: Begins with the identification and
inventory of assets, including all elements of an
organization’s system (people, procedures, data
and information, software, hardware, networking)
• Assets are then categorized.

People, Procedures, and Data Asset
Identification
• Human resources, documentation, and data
information assets are more difficult to identify.
• Important asset attributes:
– People: position name/number/ID; supervisor;
security clearance level; special skills
– Procedures: description; intended purpose; relation
to software/hardware/networking elements; storage
location for reference; storage location for update
– Data: classification; owner/creator/manager; data
structure size; data structure used; online/offline;
location; backup procedures employed

Hardware, Software, and Network
Asset Identification
• What information attributes to track depends on:
– Needs of organization/risk management efforts
– Preferences/needs of the security and information
technology communities
• Asset attributes to be considered are name, IP
address, MAC address, element type, serial
number, manufacturer name, model/part number,
software version, physical or logical location, and
controlling entity.

Asset Inventory
• Unless information assets are identified and
inventoried, they cannot be effectively protected.
• Inventory process involves formalizing the
identification process in some form of organizational
tool.
• Automated tools can sometimes identify the system
elements that make up hardware, software, and
network components.

Asset Categorization
• People comprise employees and nonemployees.
• Procedures either do not expose knowledge useful to
a potential attacker or are sensitive and could allow
adversary to gain advantage.
• Data components account for the management of
information in transmission, processing, and storage.
• Software components are applications, operating
systems, or security components.
• Hardware: either the usual system devices and
peripherals or part of information security control
systems

Classifying, Valuing, and Prioritizing
Information Assets
• Many organizations have data classification
schemes (e.g., confidential, internal, public data).
• Classification of components must be specific
enough to enable the determination of priority levels.
• Categories must be comprehensive and mutually
exclusive.

Data Classification and Management
• Variety of classification schemes are used by
corporate and military organizations.
• Information owners are responsible for classifying
their information assets.
• Information classifications must be reviewed
periodically.
• Classifications include confidential, internal, and
external.

Data Classification and Management
(cont’d)
• Security clearances
– Each data user must be assigned authorization level
indicating classification level.
– Before accessing specific set of data, the employee
must meet the need-to-know requirement.
• Management of classified data includes storage,
distribution, transportation, and destruction.
• Clean desk policy
• Dumpster diving

Lesson 1

More Related Content

What's hot (20)

Similar to Lesson 1 (20)

More from MLG College of Learning, Inc (20)

Recently uploaded (20)

Lesson 1