dle risk mgt lect
TRANSCRIPT
8/9/2019 DLE Risk Mgt Lect
1/122

RISK MANAGEMENT
LEARNING OUTCOMES
Business impact
Benefits of Info Security
Principles of Info Security RA
Chapter 1: Introduction to the Security Risk Management Guide
Chapter 2: Survey of Security Risk Management Practices
Chapter 3: Security Risk Management Overview
Chapter 4: Assessing Risk
Chapter 5: Conducting Decision Support
Chapter 6: Implementing Controls and Measuring Program Effectiveness

DEFINITION OF RISK AND ITS DYNAMICS
INTRODUCTION TO SECURITY RISK MANAGEMENT
The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. It is also a very common term amongst those concerned with IT security.
A generic definition of risk management is the assessment and mitigation of potential issues that are a threat to a business, whatever their source or origin.

INTRODUCTION TO INFORMATION SECURITY RISK MANAGEMENT GUIDE
A risk assessment determines what type of controls are required to protect assets and resources (physical locations, networks, servers, staff, etc.) from threats, allowing your organization to reduce exposure and maintain an acceptable "risk tolerance".
The risk assessment process evaluates the likelihood and potential damage of identified threats, measures the individual risk level of each asset as it relates to Confidentiality, Integrity and Availability (CIA), and then gauges the effectiveness of existing controls to limit the organization's exposure to such risk. The results help the organization identify which assets are the most critical, provide a basis for prioritization and recommend a course for remediation.
The risk assessment will encompass provisions that address both internal and external threats and answers the following questions:
What can go wrong?
How can it go wrong?
What is the potential impact?
What preventive steps can be taken to reduce the risk?
In general, the security risk management process enables organizations to implement and maintain processes to identify and prioritize risks in their IT environments, thereby improving security, which facilitates increased availability of IT infrastructures and improved business value.
Normally the security risk management process offers a combination of various approaches including pure quantitative analysis, return on security investment (ROSI) analysis, qualitative analysis, and best practice approaches.

Strategic Information Security And Risk Management Planning
CRITICAL SUCCESS FACTORS
Successful implementation of a security risk management program in an organization involves:
a. Executive sponsorship.
b. A well-defined list of risk management stakeholders.
c. Organizational maturity in terms of risk management.
d. An atmosphere of open communication.
e. A spirit of teamwork.
f. A holistic view of the organization.
g. Authority throughout the process.
a) Executive Sponsorship: Senior management must unambiguously and enthusiastically support the security risk management process.
Sponsorship implies the following:
Delegation of authority and responsibility for a clearly articulated project scope to the Security Risk Management Team
Support for participation by all staff as needed
Allocation of sufficient resources such as personnel and financial resources
Unambiguous and energetic support of the security risk management process
Participation in the review of the findings and recommendations of the security risk management process
b) List of Risk Management Stakeholders
Stakeholders, which in this context means members of the organization with a vested interest in the results of the security risk management process. The Security Risk Management Team needs to understand who all of the stakeholders are: this includes the core team itself as well as the executive sponsor(s).
It will also include the people who own the business assets that are to be evaluated. The IT personnel responsible and accountable for designing, deploying, and managing the business assets are also key stakeholders.
c) Organizational Maturity in Terms of Risk Management
Organizational maturity in terms of risk management is evidenced by such things as well-defined security processes and a solid understanding and acceptance of security risk management at many levels of the organization.
d) An Atmosphere of Open Communication
Lack of open communication in organizations frequently leads to misunderstandings and impairs the ability of a team to deliver a successful solution in times of crisis incidents.
Therefore the approach to communications, both within the team and with key stakeholders, must be open and free-flowing. A free flow of information not only reduces the risk of misunderstandings and wasted effort but also ensures that all team members can contribute to effectively reducing the uncertainties surrounding the security risk incident.
e) A Spirit of Teamwork
The strength and vitality of the relationships among all of the people working on the security risk management process will greatly affect the effort. Regardless of the support from senior management, the relationships that are developed among security staff and management and the rest of the organization are critical to the overall success of the process.
f) A Holistic View of the Organization
All participants involved in the security risk management process, particularly the Security Risk Management Team, need to consider the entire organization during their work. What is best for one particular employee is frequently not what is best for the organization as a whole.
Likewise, what is most beneficial to one business unit may not be in the best interest of the organization. Staff and managers from a particular business unit will instinctively seek to drive the process toward outcomes that will benefit them and their parts of the organization.
g) Authority Throughout the Process
In order to effectively mitigate those risks by implementing sensible controls, team members will also require sufficient authority to make the appropriate changes.
Team members must be empowered to meet the commitments assigned to them. Empowerment requires that team members are given the resources necessary to perform their work, are responsible for the decisions that affect their work, and understand the limits to their authority.
They must also understand the escalation paths available to handle issues that transcend these limits.

SURVEY OF SECURITY RISK MANAGEMENT PRACTICES
Survey Of Security Risk Management Practices
Survey observations indicate that in general there are two types of Risk Management practices, namely proactive and reactive approaches. Each has got its own strengths and weaknesses.
Similarly, in practice there are also two methods of assessing risk, namely qualitative security risk management and quantitative security risk management, the two traditional methods. Each has got its own strengths and weaknesses.
The Proactive Approach
Proactive security risk management has many advantages over a reactive approach. Instead of waiting for bad things to happen and then responding to them afterwards, you minimize the possibility of the bad things ever occurring in the first place.
You make plans to protect your organization's important assets by implementing controls that reduce the risk of vulnerabilities being exploited by malicious software, attackers, or accidental misuse.
The Reactive Approach
Reacting to a security event by trying to contain the situation, figure out what happened, and fix the affected systems as quickly as possible.
A small degree of rigor in the reactive approach can help organizations of all types to better use their resources. Recent security incidents may help an organization to predict and prepare for future problems. A very systematic and organized approach is recommended.
This means that an organization that takes time to respond to security incidents in a calm and rational manner, while determining the underlying reasons that allowed the incident to transpire, will be better able to both protect itself from similar problems in the future and respond more quickly to other issues that may arise.
Six-step Incident Response Actions
1. Protect human life: people's safety should always be the first priority.
Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later. Then assess the extent of the damage that occurred as soon as possible, so that you can restore the organization's operations as soon as possible.
Determine the cause of the damage.
Repair the damage. In most cases, it is very important that the damage be repaired as quickly as possible to restore normal business operations and recover data lost during the attack. The organization's business continuity plans and procedures should cover the restoration strategy.
Review response and update policies. After the documentation and recovery phases are complete, you should review the process thoroughly.

Incident Response Process

SECURITY RISK MANAGEMENT OVERVIEW
Approaches to Risk Prioritization
The security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business.
Risk assessment is defined as the process to identify and prioritize risks to the business.
There are many different methodologies for prioritizing or assessing risks, but most are based on one of two approaches or a combination of the two: quantitative risk management or qualitative risk management.
Quantitative Risk Assessment
In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis.
Quantitative Approach Method
A brief examination of some of the details of the above approach shall provide a general understanding of both the advantages and drawbacks of quantitative risk assessments:
asset valuation
costing controls
determining Return On Security Investment (ROSI)
calculating values for Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), Annual Loss Expectancy (ALE).
a. Valuing Assets
Determining the monetary value of an asset is an important part of security risk management. Many organizations maintain a list of asset values (AVs) as part of their business continuity plans.
The overall value of the asset to your organization. Calculate or estimate the asset's value in direct financial terms. Consider a simplified example of the impact of temporary disruption of an e-commerce Web site that normally runs seven days a week, 24 hours a day, generating an average of RM2,000 per hour in revenue from customer orders. You can state with confidence that the annual value of the Web site in terms of sales revenue is RM17,520,000.
The immediate financial impact of losing the asset. If you deliberately simplify the example and assume that the Web site generates a constant rate per hour, and the same Web site becomes unavailable for six hours, the calculated exposure is .000685 or .0685 percent per year. By multiplying this exposure percentage by the annual value of the asset, you can predict that the directly attributable losses in this case would be approximately RM12,000.
The indirect business impact of losing the asset. In this example, the company estimates that it would spend $10,000 on advertising to counteract the negative publicity from such an incident. Additionally, the company also estimates a loss of .01 or 1 percent of annual sales, or $175,200. By combining the extra advertising expenses and the loss in annual sales revenue, you can predict a total of $185,200 in indirect losses in this case.
Determining the SLE
The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a monetary amount that is assigned to a single event that represents the company's potential loss amount if a specific threat exploits a vulnerability. (The SLE is similar to the impact of a qualitative risk analysis.)
Calculate the SLE by multiplying the asset value by the exposure factor (EF).
Determining the ARO
The ARO is the number of times that you reasonably expect the risk to occur during one year. Making these estimates is very difficult; there is very little actuarial data available. What has been gathered so far appears to be private information held by a few property insurance firms.
To estimate the ARO, draw on your past experience and consult security risk management experts and security and business consultants. The ARO is similar to the probability of a qualitative risk analysis, and its range extends from 0 percent (never) to 100 percent (always).
Determining the ALE
The ALE is the total amount of money that your organization will lose in one year if nothing is done to mitigate the risk. Calculate this value by multiplying the SLE by the ARO. The ALE is similar to the relative rank of a qualitative risk analysis.
The ALE provides a value that your organization can work with to budget what it will cost to establish controls or safeguards to prevent this type of damage (in this case, $3,750 or less per year) and provide an adequate level of protection. It is important to quantify the real possibility of a risk and how much damage, in monetary terms, the threat may cause in order to be able to know how much can be spent to protect against the potential consequence of the threat.
Determining Cost of Controls
Determining the cost of controls requires accurate estimates on how much acquiring, testing, deploying, operating, and maintaining each control would cost. Such costs would include buying or developing the control solution; deploying and configuring the control solution; maintaining the control solution; and communicating new policies.
ROSI
Estimate the cost of controls by using the following equation:
(ALE before control) – (ALE after control) – (annual cost of control) = ROSI
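The quantitative chain above (asset value, exposure factor, SLE, ARO, ALE and the ROSI equation) is short enough to compute end to end. The following Python is an added worked example, not code from the lecture; it recomputes the e-commerce Web site figures from the slides (RM2,000 per hour, a six-hour outage, 10,000 in advertising and a 1 percent loss of annual sales, treated here as a single currency even though the slides mix RM and $) and then applies the slide's ROSI equation. The ARO (once in four years) and the control cost and residual-risk reduction used in main() are constructed assumptions for illustration.

```python
"""Quantitative risk figures: asset value, exposure, SLE, ARO, ALE, ROSI.

Added example, not from the lecture slides. Slide figures are reused for
the outage scenario; ARO and control figures in main() are constructed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # site runs seven days a week, 24 hours a day


def annual_asset_value(revenue_per_hour: float) -> float:
    """Asset value (AV) in direct financial terms: revenue over one year."""
    return revenue_per_hour * HOURS_PER_YEAR


def exposure_factor(outage_hours: float) -> float:
    """Fraction of the year's value lost by an outage of the given length."""
    return outage_hours / HOURS_PER_YEAR


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value x exposure factor (loss from one occurrence)."""
    return asset_value * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected occurrences per year."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Slide's equation: (ALE before) - (ALE after) - (annual cost of control)."""
    return ale_before - ale_after - annual_control_cost


@dataclass
class OutageScenario:
    """One outage of a revenue-generating site, with direct and indirect losses."""
    revenue_per_hour: float
    outage_hours: float
    advertising_cost: float      # indirect: spend to counter negative publicity
    lost_sales_fraction: float   # indirect: fraction of annual sales lost

    def direct_loss(self) -> float:
        av = annual_asset_value(self.revenue_per_hour)
        return single_loss_expectancy(av, exposure_factor(self.outage_hours))

    def indirect_loss(self) -> float:
        av = annual_asset_value(self.revenue_per_hour)
        return self.advertising_cost + self.lost_sales_fraction * av

    def total_sle(self) -> float:
        """Direct plus indirect loss from a single occurrence."""
        return self.direct_loss() + self.indirect_loss()


def main() -> None:
    # Slide figures: RM2,000/hour, six-hour outage, 10,000 advertising, 1 % lost sales.
    s = OutageScenario(2000, 6, 10_000, 0.01)
    print(f"annual value : {annual_asset_value(2000):,.0f}")
    print(f"exposure     : {exposure_factor(6):.6f}")
    print(f"direct loss  : {s.direct_loss():,.0f}")
    print(f"indirect loss: {s.indirect_loss():,.0f}")
    # Constructed assumptions (not from the slides): the outage is expected
    # once every four years, and a control costing 20,000 per year is assumed
    # to leave 10 percent of the original ALE as residual risk.
    aro = 0.25
    ale_before = annual_loss_expectancy(s.total_sle(), aro)
    ale_after = ale_before * 0.10
    print(f"ALE before   : {ale_before:,.0f}")
    print(f"ROSI         : {rosi(ale_before, ale_after, 20_000):,.0f}")


if __name__ == "__main__":
    main()
```

A negative ROSI from this equation means the control costs more per year than the loss it is expected to avert, which is the budgeting question the ALE slide raises: the ALE bounds what is worth spending.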
Results of the Quantitative Risk Analyses
The input items from the quantitative risk analyses provide clearly defined goals and results. The following items generally are derived from the results of the previous steps:
Assigned monetary values for assets
A comprehensive list of significant threats
The probability of each threat occurring
The loss potential for the company on a per-threat basis over 12 months
Recommended safeguards, controls, and actions
Qualitative Risk Assessment
What differentiates qualitative risk assessment from quantitative risk assessment is that in the former you do not try to assign hard financial values to assets, expected losses, and cost of controls. Instead, you calculate relative values.
The basic process for qualitative assessments is very similar to what happens in the quantitative approach. The difference is in the details. Comparisons between the value of one asset and another are relative, so a lot of time is not invested in trying to calculate precise financial numbers for asset valuation. The same is true for calculating the possible impact from a risk being realized and the cost of implementing controls.
The process of Qualitative Risk Assessment (IT) according to the NIST SP 800-30 methodology is divided into 9 phases:
Selection of systems which are subject to evaluation
Definition of the scope of evaluation, collection of needed information
Identification of threats to evaluated systems
Identification of susceptibility of evaluated systems
Analysis of applied and planned mechanisms of control and protection
Specification of probabilities of susceptibility usage by identified sources of threats (probability is defined as: low, medium, high)
Analysis and determination of incident impact on system, data and organization (impact defined on a three-degree scale: high, medium, low)
Determination of risk level with the help of a matrix.
Risk Level Matrix – for the whole risk for identified threats. This matrix is created as a result of multiplication of the probability of incident occurrence (high probability receives a weight of 1.0, medium – 0.5, and low – 0.1) and the strength of incident impact (high impact receives 100 (weighted), medium – 50, and low – 10). On the basis of the matrix the level of whole risk is defined for every identified threat, determined as high for a product in the range (50,100], medium for the range (10,50] and low for a product in the range [1,10].
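The matrix described above is small enough to write out completely, which also makes the band edges visible (a product of exactly 50 is medium, exactly 10 is low). The following Python is an added example, not code from the lecture or from NIST; it uses the likelihood weights (1.0 / 0.5 / 0.1), impact weights (100 / 50 / 10) and risk bands given on the slide, builds the full 3x3 matrix, and ranks a constructed list of sample threats. The threat names in SAMPLE_THREATS are invented for illustration.

```python
"""NIST SP 800-30 style risk-level matrix (likelihood weight x impact weight).

Added example, not from the lecture slides. Weights and bands follow the
slide; the sample threats are constructed.
"""
from itertools import product

LIKELIHOOD_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT_WEIGHT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the two weights; a rating outside the scale raises KeyError.

    Rounded so that 0.1 * 100 compares as exactly 10 at the band edge."""
    return round(LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()], 6)


def risk_level(score: float) -> str:
    """Map a product to the slide's bands: high (50,100], medium (10,50], low [1,10].

    Scores outside 1..100 cannot arise from the scale and are rejected."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} outside the 1..100 scale")
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def risk_matrix() -> dict:
    """Full 3x3 matrix keyed by (likelihood, impact) -> level."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik, imp in product(LIKELIHOOD_WEIGHT, IMPACT_WEIGHT)
    }


def rank_threats(threats):
    """Turn (name, likelihood, impact) triples into (name, score, level),
    highest score first; ties keep their input order."""
    scored = []
    for name, lik, imp in threats:
        score = risk_score(lik, imp)
        scored.append((name, score, risk_level(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample ratings for one evaluated system (not from the slides).
SAMPLE_THREATS = [
    ("unpatched internet-facing server", "high", "high"),
    ("lost backup tape", "low", "high"),
    ("phishing of help-desk staff", "medium", "medium"),
    ("power outage at branch office", "high", "low"),
]

if __name__ == "__main__":
    for (lik, imp), level in sorted(risk_matrix().items()):
        print(f"likelihood={lik:6} impact={imp:6} -> {risk_score(lik, imp):5.1f} {level}")
    print()
    for name, score, level in rank_threats(SAMPLE_THREATS):
        print(f"{score:5.1f} {level:6} {name}")
```

Note that high likelihood with low impact and low likelihood with high impact both land on 10, i.e. in the low band; a later slide on the Risk Severity Matrix makes the opposite point that low-probability, high-impact events deserve more attention, which is why the band edges of any such matrix should be chosen deliberately rather than inherited.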
INTRODUCTION TO RISK
WHAT IS RISK?
Risk is the chance of something happening that will have an impact upon the objectives of an organization.
It is measured in terms of severity of consequences and likelihood.
A risk is a potential problem – it might happen and it might not.
Conceptual definition of risk:
• Risk concerns future happenings
• Risk involves change in mind, opinion, actions, places, etc.
• Risk involves choice and the uncertainty that choice entails
Two characteristics of risk:
• Uncertainty – the risk may or may not happen, that is, there are no 100% risks (those, instead, are called constraints)
• Loss – the risk becomes a reality and unwanted consequences or losses occur
Taking a risk: it isn't all bad!
Taking risks is a normal, unavoidable everyday necessity.
Taking controlled, informed risks is a sensible and everyday essential part of life. Taking uninformed, uncontrolled risks is patently dumb.
We take risks not to avoid harm, but to achieve benefits and gains. Risk taking is positive, not implicitly negative.
@S> 1EEKEEF Risk Management &1
Why Manage Risks?
It is a fact of life that chance events will occur and affect the outcome of your project.
Murphy's Laws codify this "knowledge":
• If anything can go wrong, it will!
• Of things that could go wrong, the one that causes the most damage will occur!
1982 Darwin Award Honorable Mention given to "Lawn Chair" Larry Walters. Cartoon by Jay Ziebarth.
• Risks are defined as the undesirable event, the chance this event might occur and the consequences of all possible outcomes
• Risk management attempts to identify such events, minimize their impact & provide a response if the event is detected
http://www.darwinawards.com/misc/index.zeebarf.html

Purpose of Risk Management
Risk Concepts
Consequence of Adversary Success
System Effectiveness
Likelihood of Attack
Risk
The amount of control over each is different.
Responses to Risk

                   Frequency: Low     Frequency: High
Severity: High     Transfer           Avoid
Severity: Low      Accept             Accept/Transfer
RISK AND SECURITY IN BUSINESS ENVIRONMENT
Increasingly Complex Environment
Security and risk management in a business environment is principally concerned with the protection and conservation of corporate assets and resources. The task of protection continues to be an increasingly complex one in a time when technology is creating new products (and thus risk) at an explosive rate and criminals are getting more sophisticated.
What is RISK in a business environment?
A perilous / hazardous situation in the business organization where threat/s may exploit the vulnerability surrounding an asset/s to create a disastrous consequence or impact causing financial losses or loss of lives.
What is SECURITY in a business environment?
A secured, safe and relatively stable environment where the business organization is able to conduct its business operations without / with minimal disturbance or disruptions from threats (man-made and natural) by having adequate security control measures.
Two types of Risk in Business
• Pure Risk – Generally pure risk does not hold out any prospect of gain. It always brings about negative consequences. Examples – theft, negligence,
Categories of Risks
Financial Risks
Information Risks
Operational Risks
Strategic Risks
Reputation Risks
Environmental Risks

Australia/New Zealand Standard (AS/NZS 4360:2004) – Risk Management
INFO System Risk Management Framework (an example)
ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).
MONITOR Security Controls (SP 800-37, SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
DOCUMENT Security Controls (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place.
AUTHORIZE Information System (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
SUPPLEMENT Security Controls (SP 800-53, SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.

THE CHANGING SECURITY ENVIRONMENT
Shift in Paradigm
The traditional view of security has moved from "guns, guards and gates" through "ciphers, safety and society" toward the evolving and dynamic concept of "providing resilience."
As technologies evolve, we face more complex threats as opposed to traditional ones, such as bio-terrorism, cyber-terrorism and global warming, and greater demands from society to sustain, protect and improve our lives.
Hence the notion of security is expanding to include the notions of resilience, sustainability and critical services assurance. Collectively this notion of resilience revolves around maintaining capability rather than protecting assets.

CONSEQUENCES OF RISK IN AN OPERATIONAL ENVIRONMENT
Risk Appetite
Many organizations do not commit themselves to having an adequate security posture, by not spending for an effective Security Program. This is in view of the fact that the return on investment for security programs is perceived to be discouraging. Therefore most organizations have a low appetite for risk and are exposed to uncertainties.
Just ask Management this question: why not allow the Security Department to go on leave one day en bloc? What will be the outcome of business operations in the
Risk Appetite
Have security procedures been published?
Does the organization have contact with a Law Enforcement Agency?
Are there periodic 100% checks of identification?
Is there control of employee movement between areas within the plant?
Is there a continuous barrier around the property?
Risk Appetite
Do you operate your computer with or without antivirus software / antispyware?
Do you open emails with forwarded attachments from friends or follow questionable web links?
Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites decided after
Causes of Interruption in Business Operations
Security Processes in Daily Operations:
• Access control
• Patrolling
• Traffic control
• Shipping control
• Waste and trash control
• Central monitoring control
Ineffectiveness of the above controls in procedures, tools, equipment and personnel competencies may incur risk and lead to business disruptions.
Other Elements that cause Business Disruptions
• Fire
• Strike / Riot
• Transit Accident
• Violence
• Sexual Harassment
• Sabotage / Vandalism
• Contagious Disease
• Natural Disasters
• IT System Malfunction
• Power Failure
• Terrorism
Risk and Security Operations
SECURITY FROM A SYSTEMS PERSPECTIVE
Input: Manpower, Money, Machine, Material, Method
Security Process: Protective Activities, Incident Response Activities, Recovery Activities, Continuity Activities
Output: Safe, stable environment to carry out responsibilities and tasks with minimal disturbance from threats by having enough security controls

Protective Activities
In daily security operations the main protective activities involved are:
• Access control – people, vehicle and goods
• Patrolling and clocking activity
• Waste and trash control
• Key control & locking activity
• Shipping & receiving activity
Factors Affecting Risk Elements
1. Asset: Cost, Criticality, Replacement Cost, Consequence, Attractiveness
2. Threat: Impact, Predictability, Intention, Capability, Motivation
3. Vulnerability: Building characteristic, Personnel behaviour, Location of assets, Operational practices, Eqpt properties
CRITICAL ASSETS IN AN ORGANIZATION
An organization must determine which assets may materially affect the business operations on a daily basis, are of high value and are not easily replaceable within a short time span when lost.
EXAMPLES OF CRITICAL ASSETS
Material
Equipment
Facilities
Processes
Intellectual Property
Reputation
People
Records
Types of Security Threats
• Man-made or Anthropogenic
– Political Events – Explosives, disgruntled employees, unauthorized access, employee pilferage, espionage, arson/fires, sabotage, etc.
• Natural Disasters
– Earthquakes,
Threats Leading To Business Risk
Business Risk in a Dynamic Environment
Impact of Risk and Security
Impact of Risk and Security Implications
Business organizations that are exposed to RISK are guests of impending disaster or negative consequences. The kinds of risk impact with which business and industry are most commonly concerned are:
• natural catastrophe
• industrial disaster
• civil disturbance
• criminality
• con
UNDESIRABLE CONSEQUENCES
May lead to:
Loss of human life
Loss of revenue
Loss of vital equipment
Loss of vital capabilities
Note: All lead to disruption of Business Operations
Security Implications
The impact of risk causing negative consequences has got serious security implications for the business organization:
• an unstable operational environment
• disruption of business activities
• unnecessary diversions from primary activities
• inability to meet customer demands / satisfaction
• the organization's image and reputation is at stake
• possibility of losing future business

TYPES AND SOURCES OF RISK THAT CAN AFFECT SECURITY OPERATIONS
PEOPLE
People include the service provider, the clients and the uninvited. By nature, people's behaviour is underpinned by seeking pleasure over pain. Therefore they are more inclined to violate rules to satisfy their needs. As such, people are a greater potential hazard in the daily operations at the workplace.
PROCESS
Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security operations stem from
TECHNOLOGY
Technology is a double-edged sword. It has got both good and bad characteristics. When it is in the hands of responsible people it becomes a faithful servant and promotes efficiency in daily operations. On the contrary, in the hands of the wrong people it will become a threat posing risk to the operations.
Criticality, Vulnerability, Probability
Criticality – Criticality is the effect that partial or total loss of the entity or area would have on the facility's mission.
Vulnerability – The susceptibility of an entity or area to damage or destruction, or the possible theft or loss of property.
Probability – The chances that certain events could or might occur, such as a penetration of the perimeter or compromise of a system.
Vulnerability
• Vulnerabilities are opportunities: opportunities for crime, opportunities for rule breaking / violations, opportunities for loss.
• By definition a vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.
• Vulnerabilities include structural, procedural, electronic, human and other elements which provide opportunities to attack assets.
The basic process of a vulnerability assessment first determines what assets are in need of protection, then identifies the protection measures already in place to secure those assets and what gaps in protection exist.
The assessment measures the security control's effectiveness against valid security metrics and provides recommendations.
Three questions to ask:
• "What is the threat?"
• "What is the level of vulnerability relative to that threat?"
• "To what extent will the threat/vulnerability change?"

OPERATIONAL RISK MANAGEMENT STRATEGIES

A Simple Understanding of Risk Management
A Simple Understanding of Risk Management
Risk management is present in all aspects of life. It is about the everyday trade-off between an expected reward and a potential danger. However, in the business world risk is often associated with some variability in financial outcomes. But the notion of risk is much larger.
It is universal, in the sense that it refers to human behaviour in the decision making process. Risk management is an attempt to identify, to measure, to monitor and to manage uncertainty.
Risk Management Process
A Continuous Cycle of:
• Risk assessment – risks to the organization are assessed in terms of the likelihood of an undesirable event taking place, and the anticipated consequences
• Implementation – security measures are identified and implemented to reduce the likelihood and impact of the undesirable event to an acceptable level
System's Approach – Risk Assessment
(Diagram; elements shown: Assets, Threats, Vulnerabilities, Risks, Analysis, Mitigation, Countermeasures)
Risk Assessment Methodology: Input, Process, Output
Input:
• Company history
• Intelligence agency data
• Audit & test results
• Business Impact Analysis
• Data Criticality & Sensitivity analysis
Process (methodology steps):
1. Identify Threats
2. Identify Vulnerabilities
3. Analyze Controls
4. Determine Likelihood
5. Analyze Impact
6. Determine Risk
7. Identify Controls
8. Implement Controls
Output:
• List of threats & vulnerabilities
• List of current & planned controls
• Likelihood Rating
• Impact Rating
• Documented Risks
Ranking the Risk Importance
• Rank risks from those that can be neglected to those that require elevated vigilance.
• A Risk Severity Matrix can be helpful in prioritizing risks: a plot of event probability versus impact.
  – Red zone identifies the most important events
  – Yellow zone lists risks that are moderately important
  – Green zone events probably can be safely ignored
• Note that the zones are not symmetrical across the matrix
  – High impact, low probability events are much more important than likely, low impact events
Five Steps Risk Assessment Model
1. Asset Assessment – Understanding the organization and identifying the people and assets at risk
2. Threat Assessment – Identify loss risk events
3. Vulnerability Assessment – Establish the probability of loss risk, the probability and frequency of events, and also the impact of events
4. Risk Assessment – Establish the value of risk loss
5. Identification of Control Measures – Protective measures or safeguards
Characteristics of Risk Components
S/N | Asset            | Threat     | Vulnerability                     | Mitigation
1   | Criticality      | Motivation | Building characteristic           | Deterrent capabilities
2   | Cost             | Potential  | Systems and equipment reliability | Detection capabilities
3   | Attractiveness   | Intention  | Location of assets                | Delay capabilities
4   | Replacement cost | Capability | Personnel behaviour               | Assess & annunciation capabilities
5   | Consequence      | Impact     | Operational practices             | Response capabilities

Security Mitigation Objectives
1. DETER (Malay: Menghalang – to hinder)
2. DETECT (Malay: Mengesan – to detect)
3. DELAY (Malay: Melambatkan – to slow down)
4. ASSESS (Malay: Menilai – to assess)
5. RESPOND (Malay: Bertindak – to act)
Ass&t ;al#& Rating
;&r* Hig- B
Hig- <
M&!i#( >%2 9
;&r* >%2 8
-
8/9/2019 DLE Risk Mgt Lect
107/122
;&r* Hig- B
Hig- <
M&!i#( >%2 9
;&r* >%2 8
T-r&at ;al#& Rating
-
8/9/2019 DLE Risk Mgt Lect
108/122
;&r* Hig- B
Hig- <
M&!i#( >%2 9
;&r* >%2 8
;#ln&railit* ;al#&
Rating
RISK I",act Pr!.a.i(it$
-
8/9/2019 DLE Risk Mgt Lect
109/122
A&&et T-reat
I",act
1#(nera.i(
it$
Mitigati!
n
Pr!.a.i(it$
8hat areyou trying
toassess9
8hat areyou afraid
ofhappening9
8hat is theimpact to
the+usiness9
o$ couldthe threat
occur9
8hat iscurrentlyreducingthe risk9
o$ likely isthe threat
gi!enthe
controls9
C#rrent Le+e(! Ri&'
3-at i& t-e ,r!.a.i(it$ t-att-e t-reat 0i(( !+erc!"ec!ntr!(& t! cce&&#(($
e*,(!it t-e +#(nera.i(it$ an%i",act t-e a&&et6
* *
RISK I",act Pr!.a.i(it$
-
8/9/2019 DLE Risk Mgt Lect
110/122
RISK EQUATION
RISK = Asset × Threat × Vulnerability ÷ Mitigation
Risk = (Asset Value × Threat Rating × Vulnerability Rating) ÷ Mitigation Evaluation

S/No | Risk Value | Risk Rating
1    | 21+        | Very High
2    | 16 – 20    | High
3    | 11 – 15    | Medium
4    | 6 – 10     | Low
5    | 1 – 5      | Very Low
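As an added worked example (not part of the lecture slides), the following Python scores a risk with the slide's equation on the 1-5 rating scale and bands the result with the Risk Rating table above. The RiskInput container, the reading of Impact as Asset × Threat and Probability as Vulnerability ÷ Mitigation, and the treatment of values below 1 are assumptions made here.

```python
from dataclasses import dataclass

# 1-5 scale shared by the Asset, Threat, Vulnerability and Mitigation ratings (from the slides)
SCALE = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}

# Risk Rating bands from the slide table as (inclusive lower bound, label)
RISK_BANDS = [(21, "Very High"), (16, "High"), (11, "Medium"), (6, "Low"), (1, "Very Low")]


@dataclass(frozen=True)
class RiskInput:            # hypothetical container, not from the slides
    asset: int              # Asset Value rating, 1-5
    threat: int             # Threat rating, 1-5
    vulnerability: int      # Vulnerability rating, 1-5
    mitigation: int         # Mitigation evaluation, 1-5 (higher = stronger controls)

    def __post_init__(self):
        for name in ("asset", "threat", "vulnerability", "mitigation"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} rating must be an integer 1-5, got {value!r}")


def impact(r):
    """Impact side of the slide diagram: asset value times the threat against it (assumed reading)."""
    return r.asset * r.threat


def probability(r):
    """Probability side: exposure discounted by the controls in place (assumed reading)."""
    return r.vulnerability / r.mitigation


def risk_value(r):
    """RISK = Asset x Threat x Vulnerability / Mitigation, i.e. impact(r) * probability(r)."""
    return r.asset * r.threat * r.vulnerability / r.mitigation


def risk_rating(value):
    """Band a risk value with the Risk Rating table. Strong mitigation can push the value
    below 1, which the table does not list; it is treated as Very Low here (assumption)."""
    for lower, label in RISK_BANDS:
        if value >= lower:
            return label
    return "Very Low"


def assess(r):
    value = risk_value(r)
    return value, risk_rating(value)


if __name__ == "__main__":
    # Constructed example: same very-high-value asset, high threat and high vulnerability,
    # once with only medium mitigation and once with very high mitigation (drops one band).
    weak = RiskInput(SCALE["Very High"], SCALE["High"], SCALE["High"], SCALE["Medium"])
    strong = RiskInput(SCALE["Very High"], SCALE["High"], SCALE["High"], SCALE["Very High"])
    print(assess(weak), assess(strong))
```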
Decision Matrix: A Risk Handling Decision Aid
Severity of Loss \ Frequency of Loss | High                          | Medium                                     | Low
High                                 | Avoidance                     | Loss prevention and avoidance              | Transfer via insurance
Medium                               | Loss prevention and avoidance | Loss prevention and transfer via insurance | Assumption and pooling
Low                                  | Loss prevention               | Loss prevention and assumption             | Assumption
Expense vs Security Achieved
(Chart: Dollars spent against Security Achieved, approaching 100% Security)
(Cost-benefit example in RM; the figures are not legible in the source: Benefit ... RM ...; Ratio is ... to ...)
STRATEGIC ACTION PLANS TO CONTROL RISK
Why do we need a Strategic Action Plan?
Characteristics/nature of the business environment:
• Business organizations face continuous threats from their operating environment, both internal and external
• What are these threats? – Man-made and natural forces
• What are the contributing factors? Multiple variables – Legal, Political, Social, Economic and Global Climatic conditions

Strategic Action Plan Tools
Focus Areas for Continuous Monitoring
Record Keeping for regular Audit and Review and Revise
1. Perimeter Security
2. Building Security
3. Plant Security
4. Shipping & Receiving Security
5. Area Security
6. Protective Lighting
7. Key Control & Locking Devices
8. Controls of Personnel & Vehicles
9. Safety for Personnel
10. Organization for Emergency
11. Theft Control
12. Security Guard Forces

Future Trends
In order to satisfy the changing customer needs that result from the information explosion that revolutionized the business environment, the future challenge for business organizations, besides risk management, will be to maintain a state of preparedness at all times to ensure:
• staying abreast in intelligence gathering
• response planning
• maintaining organizational resilience
Any Questions Please ???
Thank You, See U Again