IT Security management and risk assessment
Download as PPT, PDF3 likes6,393 views
The document discusses IT security management and risk assessment, outlining key terminology such as assets, threats, vulnerabilities, and risks. It details various approaches to security risk assessment, including baseline, informal, formal, and combined methods, and describes a structured process for detailed risk analysis involving asset identification, threat identification, vulnerability assessment, risk analysis, and control recommendations. The content emphasizes the importance of tailored assessments based on organizational needs and resources to effectively manage risks.
IT Security management and risk assessment
- 1. IT SECURITY MANAGEMENT AND RISK ASSESSMENT Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
- 2. Content 10.1 Terminology 10.2 Security Risk Assessment 10.3 Detailed Risk Analysis Process 10.3.1 Asset Identification / System Characterizations 10.3.2 Threat Identification 10.3.3 Vulnerability Identification 10.3.4 Analyze Risks / Control Analysis 10.3.5 Likelihood Determination 10.3.6 Impact analysis / Consequence determination 10.3.7 Risk determination 10.3.8 Control Recommendation & Result Documentation 2ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 3. 3 10.1 Terminology Asset: Anything that has value to the organization Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. Vulnerability: A Weakness in an asset or group of assets which can be exploited by a threat. Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 4. 4 10.2 SECURITY RISK ASSESSMENT Critical component of process Else may have vulnerabilities or waste money Ideally examine every asset verses risk Not feasible in practice Choose one of possible alternatives based on orgs resources and risk profile Baseline Informal Formal Combined ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 5. 5 10.2.1 Baseline Approach Use “industry best practice” Easy, cheap, can be replicated But gives no special consideration to org May give too much or too little security Implement safeguards against most common threats Baseline recommendations and checklist documents available from various bodies Alone only suitable for small organizations ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 6. 6 ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 7. 7 10.2.2 Informal Approach Conduct informal, pragmatic risk analysis on organization’s IT systems Exploits knowledge and expertise of analyst Fairly quick and cheap Does address some org specific issues Some risks may be incorrectly assessed Skewed by analysts views, varies over time Suitable for small to medium sized orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 8. 8 10.2.3 Detailed / Formal Risk Analysis Most comprehensive alternative Assess using formal structured process With a number of stages Identify likelihood of risk and consequences Hence have confidence controls appropriate Costly and slow, requires expert analysts May be a legal requirement to use Suitable for large organizations with IT systems critical to their business objectives ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 9. 9 10.2.4 Combined Approach Combines elements of other approaches Initial baseline on all systems Informal analysis to identify critical risks Formal assessment on these systems Iterated and extended over time Better use of time and money resources Better security earlier that evolves May miss some risks early Recommended alternative for most orgs ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 10. 10 10.3 Detailed Risk Analysis Process ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 11. 11 10.3.1 Asset Identification / System Characterizations Identify assets “Anything which needs to be protected” Of value to organization to meet its objectives Tangible or intangible In practice try to identify significant assets Draw on expertise of people in relevant areas of organization to identify key assets Identify and interview such personnel See checklists in various standards ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 12. 12 10.3.2 Threat Identification To identify threats or risks to assets ask 1. Who or what could cause it harm? 2. How could this occur? Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services: Confidentiality, Integrity, Availability, Accountability, Authenticity and Reliability Assets may have multiple threats ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 13. 13 10.3.2 a) Threat Sources Threats may be Natural “acts of god” Man-made and either accidental or deliberate Should consider human attackers: Motivation Capability Resources Probability of attack Deterrence Any previous history of attack on organization ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 14. 14 10.3.3 Vulnerability Identification Identify exploitable flaws or weaknesses in organization’s IT systems or processes Hence determine applicability and significance of threat to organization Note need combination of threat and vulnerability to create a risk to an asset Again can use lists of potential vulnerabilities in standards etc. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 15. 15 10.3.4 Analyze Risks / Control Analysis Specify likelihood of occurrence of each identified threat to asset given existing controls Management, operational, technical processes and procedures to reduce exposure of org to some risks Specify consequence should threat occur Hence derive overall risk rating for each threat Risk = probability threat occurs x cost to organization In practice very hard to determine exactly Use qualitative not quantitative, ratings for each Aim to order resulting risks in order to treat them ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 16. 16 10.3.5 Likelihood Determination Rating Likelihood Description Expanded Definition 1 Rare May occur in exceptional circumstances and may deemed as “lucky” or very unlikely. 2 Unlikely Could occur at sometime but not expected given current controls, circumstances and recent events. 3 Possible Might occur at sometime, but just as likely as not. It may be difficult to control its occurrence due to external influence 4 Likely Will probably occur in some circumstance and one should not be surprised if it occurred. 5 Almost Certain Is expected to occur in most circumstances and certainly sooner or later. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 17. 17 10.3.6 Impact analysis / Consequence determination Rating Consequence Expanded Definition 1 Insignificant Result of a minor security breach in a single area. Impact is likely to last less than several days. Require only minor expenditure to rectify. 2 Minor Result of security breach in one or two areas. Impact is likely to last less than a week. Can be rectified within project or team resources. 3 Moderate Limited systemic security breaches. Impact is likely to last up to 2 weeks. Requires management intervention. 4 Major Ongoing systemic security breach. Impact will likely last 4-8 weeks. Requires significant management intervention and resources. Loss of business or organizational outcomes if possible. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 18. 18 Rating Consequence Expanded Definition 5 Catastrophic Major Systemic security breach. Impact will last for 3 months or more. Senior Management will be required to intervene. Compliance costs are expected to be very substantial. Possible criminal or disciplinary action is likely. 6 Doomsday Multiple instances of major systemic security breaches. Impact duration cannot be determined. Senior management will be required to place the company under voluntary administration. Criminal Proceedings against senior management is expected. Substantial loss of business and failure to meet company’s objective. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 19. 19 10.3.7 Risk determination • Once the likelihood and consequence of each specific threat have been identified, a final level of risk can be assigned. • This is typically determined using a table that maps these values to a risk level, such as those shown in next Table. • The below table details the risk level assigned to each combination. • Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. • It also indicates the interpretation of these assigned levels. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 20. 20 Consequences Likelihood Dooms day Catastrophic Major Moderate Minor Insignificant Almost Certain E E E E H H Likely E E E H H M Possible E E E H M L Unlikely E E H M L L Rare E H H M L L ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 21. 21 Risk Level Description Extreme (E) Require detailed research and management. Planning at executive / director level. Planning and Monitoring required. High (H) Require management attention. Planning at senior project or team leaders. Planning and Monitoring required. Medium (M) Can be managed by existing specific. Monitoring and response procedures. Management by employees. Low (L) Can be managed through routing procedures. ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
- 22. 22 10.3.8 Control Recommendation & Result Documentation Asset Threat/ Vulnerability Existing Controls Likelihood Consequence Level of Risk Risk Priority Internet Router Outside Hacker attack Admin password only Possible Moderate High 1 Destruction of Data Center Accidental Fire or Flood None (no disaster recovery plan) Unlikely Major High 2 Document in Risk Register and Evaluate Risks ITSY3104 - COMPUTER SECURITY A - IT SECURITY MANAGEMENT AND RISK ASSESSMENT
Editor's Notes
- #23: The results of the risk analysis process should be documented in a risk register. This should include a summary table such that shown in Table 16.5 from the text. The risks are usually sorted in decreasing order of level. This would be supported by details of how the various items were determined, including the rationale, justification, and supporting evidence used. The aim of this documentation is to provide senior management with the information they need to make appropriate decisions as how to best manage the identified risks. It also provides evidence that a formal risk assessment process has been followed if needed, and a record of decisions taken with their reasons. Once the details of potentially significant risks are determined, management needs to decide whether it needs to take action in response. This would take into account the risk profile of the organization, and its willingness to accept a certain level of risk, as determined in the initial “Establishing the Context” phase of this process. Those items with risk levels below the acceptable level would usually be accepted with no further action required. Those items with risks above this will need to be considered for treatment. Typically the risks with the higher ratings are those that need most urgently action. However, it is likely that some risks will be easier, faster, and cheaper to action than others. In the example shown, both risks were rated High. Further investigation reveals that a relatively simple and cheap treatment exists for the first risk, by tightening the router configuration to further restrict possible accesses. Treating the second risk requires the development of a full disaster recovery plan, a much slower and more costly process. Hence management would take the simple action first, to improve the organization’s overall risk profile as quickly as possible.