Risk Management Methodology
Basic IT Governance
Phase I
DRAFT VER 1.0
October 2015
Agenda
1. Risk Assessment Methodology
Risk Management Methodology
Risk management consists of two parts: Risk Assessment and Risk Mitigation.
The I(TS)2 risk management approach is based on the ISO/IEC 27001:2005 standard and its guidelines for information security. (ISO/IEC 27001:2013 had already replaced the 2005 edition when this draft was written; the method itself is unaffected, but clause references should be checked against the current edition.)
Risk Management Methodology
Risk Assessment Methodology
ASSET
Classification of Assets
Assets are classified into four main categories: Hardware, Software, Information and People.
Asset Categories (category, group, examples)

Hardware
  Computer Hardware: servers, desktops, laptops, storage
  Computer Peripherals: printers, scanners, shredders
  Electronic Devices: computer protection equipment (theft protection equipment, etc.)
  Electric Devices: shredders, UPS, power stabilizers
  Telecom Devices: phones, faxes, PDAs, smart phones
  Networking Devices: routers, hubs, switches

Software
  Commercial Software: core processing applications; desktop and workstation office productivity software; operating systems; network device OS; back-office and environmental software (database engines, backup and storage management software)
  Internally Developed Software: financial application, personnel application

Information
  Physical Information Assets: hard-copy documents (policies, procedures), DVDs, CDs, backup tapes
  Electronic Information Assets: soft-copy documents (policies, procedures), databases, configuration files, password files, audit logs

People
  Internal Resources: security admin, network admin, system admin, operator
  External Resources: third parties, vendor engineers, consultants
Risk Assessment Methodology
ASSET
Assets Valuation
Assets are valued on three dimensions: Confidentiality, Integrity and Availability.
Confidentiality Scale (level, value, classification criteria, description)

Very High (5), Strictly Confidential: Unauthorized, unanticipated or unintentional disclosure of the information could result in extremely high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
High (4), Confidential: Unauthorized, unanticipated or unintentional disclosure could result in high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Medium (3), Internal: Unauthorized, unanticipated or unintentional disclosure could result in serious, gradual and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Low (2), Private: Unauthorized, unanticipated or unintentional disclosure could result in serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Very Low (1), Public: Unauthorized, unanticipated or unintentional disclosure could result in non-serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Integrity Scale (level, value, description)

Very High (5): Unauthorized changes to the data or information system, by intentional or accidental acts, will result in inaccuracy, fraud or erroneous decisions, leading to extremely high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
High (4): Unauthorized changes, intentional or accidental, will result in inaccuracy, fraud or erroneous decisions, leading to high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Medium (3): Unauthorized changes, intentional or accidental, will result in inaccuracy, fraud or erroneous decisions, leading to serious, gradual and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Low (2): Unauthorized changes, intentional or accidental, will result in inaccuracy, fraud or erroneous decisions, leading to serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Very Low (1): Unauthorized changes, intentional or accidental, will result in inaccuracy, fraud or erroneous decisions, leading to non-serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Availability Scale (level, value, description)

The threshold in each row is the maximum tolerable downtime of the asset or service: the shorter the outage that already causes the stated impact, the higher the rating.

Very High (5): Loss of data, system functionality or operational effectiveness for 4 hours or less would cause extremely high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
High (4): Loss of data, system functionality or operational effectiveness for 10 hours or less would cause high, serious, immediate and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Medium (3): Loss of data, system functionality or operational effectiveness for 48 hours or less would cause serious, gradual and/or long-term loss of public confidence, embarrassment, financial loss or legal action against the organization.
Low (2): Loss of data, system functionality or operational effectiveness for 5 days or less would cause serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Very Low (1): Loss of data, system functionality or operational effectiveness for 7 days or less would cause non-serious, gradual and/or short-term embarrassment, financial loss or non-major legal action against the organization.
Asset Values (level, value, description)

Very High (5): The asset has extremely high financial, technical or legal value, and its compromise will have very serious and/or long-term negative reputational, financial, operational, marketing or legal consequences for the organization, with an adverse effect on its critical business processes.
High (4): The asset has high financial, technical or legal value, and its compromise will have serious and/or long-term negative reputational, financial, operational, marketing or legal consequences for the organization, with an adverse effect on its critical business processes.
Medium (3): The asset has moderate financial, technical or legal value, and its compromise will have a noticeable negative reputational, financial, operational, marketing or legal consequence for the organization, with a low effect on its critical business processes.
Low (2): The asset has low financial, technical or legal value, and its compromise will not have a significant negative reputational, financial, operational, marketing or legal consequence for the organization.
Very Low (1): The asset has very low financial, technical or legal value, and its compromise will not have any negative reputational, financial, operational, marketing or legal consequence for the organization.
Risk Assessment Methodology
ASSET
Assets Valuation
The Asset Value is derived from the Confidentiality, Integrity and Availability ratings.
C   I   A   Asset Value   Level
1   5   1   5             Very High
3   1   4   4             High
3   2   1   3             Medium
2   2   1   2             Low
1   1   1   1             Very Low
Risk Assessment Methodology
Asset valuation follows a qualitative approach: Confidentiality, Integrity and Availability are each rated from 1 to 5, the overall Asset Value is the highest of the three ratings, and the result is described as Very High, High, Medium, Low or Very Low impact.
Risk Assessment Methodology
Threats and Vulnerabilities Identification
(Diagram: a Threat acting on an Asset through a Vulnerability. Probability and impact are rated assuming zero controls, which yields the Threat Level and the Vulnerability Level.)
Threats and Vulnerabilities Valuation
Threat Scale (level, value, description)

The threat types listed at each level are typical examples; the rating itself is driven by the likelihood of occurrence.

Very High (5): Threats that affect the company's reputation (industrial espionage, legal violations, etc.); very high likelihood of occurrence.
High (4): Deliberate threats, i.e. any occurrence with premeditated intent, for example a malcontent employee shredding important documents (unauthorized access, social engineering, etc.); high likelihood of occurrence.
Medium (3): Accidental threats, i.e. any occurrence without premeditated intent, for example an employee accidentally deleting an important file or a failed backup (user operational errors); also natural and environmental threats (earthquake, lightning, high temperature, etc.); medium likelihood of occurrence.
Low (2): Natural and environmental threats (earthquake, lightning, high temperature, etc.); low likelihood of occurrence.
Very Low (1): The threat source is neither motivated nor capable; very low likelihood of occurrence.
Vulnerability Scale (level, value, description)

Very High (5): The vulnerability can be exploited by an unskilled attacker (e.g. a script kiddie) using ready-made exploits. (For example: lack of perimeter security controls such as IDS, IPS or firewall.)
High (4): The vulnerability can be exploited by an advanced attacker via a sophisticated attack with custom-built tools or methods; furthermore, the attacker must be considerably determined. (For example: uncontrolled access to system utilities or administrative privilege.)
Medium (3): The vulnerability is considered exploitable by an advanced attacker, but only under certain conditions:
  • a very determined attacker
  • substantial knowledge of the internal network
  (For example: inadequate logical access controls.)
Low (2): The vulnerability cannot be directly exploited, but it may become exploitable in the future. (For example: lack of physical controls.)
Very Low (1): The vulnerability is not considered exploitable at present. (For example: obsolescence or age of the hardware.)
Risk Assessment Methodology
Calculation of Risk
Risk Level (MoR) = Asset Value × Threat Level × Vulnerability Level
Risk Assessment Example
Asset Value: 4 (High); Threat Value: 3 (Medium); Vulnerability Value: 2 (Low)
MoR = Asset Value × Threat Value × Vulnerability Value = 4 × 3 × 2 = 24
A MoR of 24 falls in the 21 to 32 band, so the risk level is Low.
MoR Mapping to Risk Level
Asset Value, Threat Level and Vulnerability Level are each rated from 1 to 5, so the MoR scale runs from 1 to 125 (5 × 5 × 5 = 125).

MoR         Risk Level
1 to 20     Very Low
21 to 32    Low
33 to 50    Medium
51 to 75    High
76 to 125   Very High
Acceptable Level of Risk
The acceptable level of risk is a MoR of 32 or below (32 is the top of the Low band, so the threshold is inclusive).
All risks with a risk level of Low or Very Low are accepted; risks with a level of Medium, High or Very High need to be treated.
Risk Mitigation Methodology
(Flow: determine the Risk Level, taking Existing Controls into account. If the risk is Acceptable, finish. If it is Not Acceptable, prepare Risk Mitigation Options.)
Risk Mitigation Options Criteria
Controls identified and selected in the risk mitigation options phase need to be:

Documented (policies and procedures)
  • Policies and procedures (management security controls) are implemented to manage and reduce the risk of loss and to protect the organization's assets and mission.
  • Management controls focus on the requirements of the information protection policy, which are carried out through operational procedures to fulfil the organization's goals and mission.

Implemented
  • Controls identified and selected in the risk mitigation options phase need to be implemented, and evidence of the implementation must be available.

Effective
  • Rated on the assurance level that the existing or suggested control provides in reducing or eliminating the vulnerability.

Note: The effectiveness of implemented controls is judged from experience and/or expert judgement, and is evaluated, checked and verified continually through ISMS audits.
Risk Mitigation Methodology
(Flow:)
1. Start from the Existing Controls and recalculate the risk to obtain the MoR with Existing Controls.
2. If the result is Acceptable, finish.
3. If it is Not Acceptable, prepare Risk Mitigation Options, define Additional Controls, prepare the Risk Treatment Plan and implement the controls.
4. Recalculate the risk to obtain the Residual Risk. If the Residual Risk is Acceptable, finish; if it is still Not Acceptable, return to step 3 and define further controls.
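The calculation and mitigation loop above, worked through as a small risk register calculator. This is an added example, not code from the original deck or from I(TS)2: the 1 to 5 scales, the MoR bands, the max(C, I, A) asset value and the acceptance rule are taken from the slides, while the asset, threat, vulnerability and control names are constructed for illustration, and the model of a control as removing a number of levels from the threat or vulnerability rating is an assumption, since the slides do not say how a control changes a rating.

```python
"""Risk register calculator for the MoR method on this page.
Added example, not part of the original deck. Scales, bands and acceptance rule
come from the slides; asset/threat/vulnerability/control names are constructed,
and the "levels removed per control" model is an assumption."""
from dataclasses import dataclass, field

LEVELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Inclusive MoR bands from the "MoR Mapping to Risk Level" slide.
MOR_BANDS = [(1, 20, "Very Low"), (21, 32, "Low"), (33, 50, "Medium"),
             (51, 75, "High"), (76, 125, "Very High")]

# Default appetite from the "Acceptable Level of Risk" slide: Low and Very Low
# (MoR <= 32). The editor's note mentions also accepting Medium as an option.
ACCEPTABLE_LEVELS = frozenset({"Very Low", "Low"})


def _rating(value, name):
    # Every input rating must sit on the integer 1..5 scale.
    if value not in LEVELS:
        raise ValueError(f"{name} rating must be 1..5, got {value!r}")
    return value


def asset_value(c, i, a):
    """Overall asset value is the highest of the C, I and A ratings."""
    return max(_rating(c, "C"), _rating(i, "I"), _rating(a, "A"))


def mor(asset, threat, vuln):
    """MoR = Asset Value x Threat Level x Vulnerability Level (range 1..125)."""
    return _rating(asset, "asset") * _rating(threat, "threat") * _rating(vuln, "vulnerability")


def risk_level(score):
    for lo, hi, label in MOR_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"MoR {score} is outside 1..125")


def is_acceptable(score, acceptable=ACCEPTABLE_LEVELS):
    return risk_level(score) in acceptable


@dataclass
class Control:
    name: str
    vuln_reduction: int = 0    # levels removed from the vulnerability rating (assumed model)
    threat_reduction: int = 0  # levels removed from the threat rating (assumed model)
    documented: bool = True    # mitigation criteria: the control is documented ...
    implemented: bool = True   # ... and implemented, with evidence available


@dataclass
class Risk:
    asset: str
    c: int
    i: int
    a: int
    threat: int
    vuln: int
    existing: list = field(default_factory=list)    # controls already in place
    candidates: list = field(default_factory=list)  # options for the treatment plan


def residual_mor(risk, controls):
    """MoR after applying controls. Only a control that is both documented and
    implemented earns credit (the criteria slide); a rating never drops below 1."""
    t, v = risk.threat, risk.vuln
    for ctl in controls:
        if ctl.documented and ctl.implemented:
            t = max(1, t - ctl.threat_reduction)
            v = max(1, v - ctl.vuln_reduction)
    return mor(asset_value(risk.c, risk.i, risk.a), t, v)


def treat(risk, acceptable=ACCEPTABLE_LEVELS):
    """Walk the mitigation flow: inherent MoR (zero controls) -> MoR with existing
    controls -> add candidate controls one at a time, recalculating the residual
    risk after each, until it is acceptable or no candidates remain."""
    inherent = mor(asset_value(risk.c, risk.i, risk.a), risk.threat, risk.vuln)
    applied = list(risk.existing)
    current = residual_mor(risk, applied)
    plan = []
    for ctl in risk.candidates:
        if is_acceptable(current, acceptable):
            break
        applied.append(ctl)
        plan.append(ctl.name)
        current = residual_mor(risk, applied)
    return {"asset": risk.asset,
            "inherent": inherent, "inherent_level": risk_level(inherent),
            "residual": current, "residual_level": risk_level(current),
            "acceptable": is_acceptable(current, acceptable),
            "treatment_plan": plan}


# Constructed sample: a customer database (C=5, I=4, A=4) exposed to a deliberate
# unauthorized-access threat (4) through uncontrolled administrative access (4).
SAMPLE_RISK = Risk(
    asset="Customer database", c=5, i=4, a=4, threat=4, vuln=4,
    existing=[Control("Perimeter firewall", vuln_reduction=1),
              Control("Ad-hoc log review", vuln_reduction=1, documented=False)],
    candidates=[Control("Quarterly privileged-access review", vuln_reduction=1),
                Control("Privileged access management", vuln_reduction=1)],
)


def run_sample(acceptable=ACCEPTABLE_LEVELS):
    return treat(SAMPLE_RISK, acceptable)
```

Calling run_sample() walks the sample from an inherent MoR of 80 (Very High) to 60 (High) with the documented firewall, with no credit for the undocumented log review, and then adds both candidate controls before the residual risk reaches 20 (Very Low); passing an appetite that also accepts Medium stops the plan after the first candidate at a residual of 40, which is the second option in the editor's note.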
Editor's Notes

  • #11 (Availability scale): Input from the client is needed on the maximum tolerable downtime of each asset and/or service, so that its availability can be rated from Very Low to Very High.
  • #13 (Asset value table): The C, I and A ratings differ; the highest of the three is taken as the overall asset value.
  • #21 (Acceptable level of risk): A management decision on the acceptable level of risk is required. One option is to accept all risks rated Medium, Low and Very Low and treat those rated High and Very High; the other is to accept only Low and Very Low and treat Medium, High and Very High (the option adopted in this draft).