dle risk mgt lect

Upload: supervehl7468

Post on 01-Jun-2018


TRANSCRIPT

  • 8/9/2019 DLE Risk Mgt Lect

    Slide 1 of 122

  • Slide 2

    RISK MANAGEMENT

  • Slide 3

    LEARNING OUTCOMES

    Business impact

    Benefits of Info Security

    Principles of Info Security RA (risk assessment)

  • Slide 4

    Chapter 1: Introduction to the Security Risk Management Guide

    Chapter 2: Survey of Security Risk Management Practices

    Chapter 3: Security Risk Management Overview

    Chapter 4: Assessing Risk

    Chapter 5: Conducting Decision Support

    Chapter 6: Implementing Controls and Measuring Program Effectiveness

  • Slide 5 (no text)

  • Slide 6

    DEFINITION OF RISK AND ITS DYNAMICS

    INTRODUCTION TO SECURITY RISK MANAGEMENT

  • Slide 7

    The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. It is also a very common term amongst those concerned with IT security.

    A generic definition of risk management is the assessment and mitigation of potential issues that are a threat to a business, whatever their source or origin.

  • Slide 8

    INTRODUCTION TO INFORMATION SECURITY RISK MANAGEMENT GUIDE

  • Slide 9

    A risk assessment determines what type of controls are required to protect assets and resources (physical locations, networks/servers, staff, etc.) from threats, allowing your organization to reduce exposure and maintain an acceptable "risk tolerance".

    The risk assessment process evaluates the likelihood and potential damage of identified threats, measures the individual risk level of each asset as it relates to Confidentiality, Integrity and Availability (CIA), and then gauges the effectiveness of existing controls to limit the organization's exposure to such risk. The results help the organization identify which assets are the most critical, provide a basis for prioritization and recommend a course for remediation.

  • Slide 10

    The risk assessment will encompass provisions that address both internal and external threats and answers the following questions:

    What can go wrong?

    How can it go wrong?

    What is the potential impact?

    What preventive steps can be taken to reduce the risk?

  • Slide 11

    In general, the security risk management process enables organizations to implement and maintain processes to identify and prioritize risks in their IT environments, thereby improving security, which facilitates increased availability of IT infrastructures and improved business value.

    Normally the security risk management process offers a combination of various approaches including pure quantitative analysis, return on security investment (ROSI) analysis, qualitative analysis, and best practice approaches.

  • Slide 12

    Strategic Information Security And Risk Management Planning

  • Slide 13

    CRITICAL SUCCESS FACTORS

    Successful implementation of a security risk management program in an organization involves:

  • Slide 14

    CRITICAL SUCCESS FACTORS

    a) Executive sponsorship.

    b) A well-defined list of risk management stakeholders.

    c) Organizational maturity in terms of risk management.

    d) An atmosphere of open communication.

    e) A spirit of teamwork.

    f) A holistic view of the organization.

    g) Authority throughout the process.

  • Slide 15

    a) Executive Sponsorship: Senior management must unambiguously and enthusiastically support the security risk management process.

    Sponsorship implies the following:

    Delegation of authority and responsibility for a clearly articulated project scope to the Security Risk Management Team

    Support for participation by all staff as needed

    Allocation of sufficient resources such as personnel and financial resources

    Unambiguous and energetic support of the security risk management process

    Participation in the review of the findings and recommendations of the security risk management process

  • Slide 16

    b) List of Risk Management Stakeholders

    Stakeholders, which in this context means members of the organization with a vested interest in the results of the security risk management process. The Security Risk Management Team needs to understand who all of the stakeholders are; this includes the core team itself as well as the executive sponsor(s).

    It will also include the people who own the business assets that are to be evaluated. The IT personnel responsible and accountable for designing, deploying, and managing the business assets are also key stakeholders.

  • Slide 17

    c) Organizational Maturity in Terms of Risk Management

    Organizational maturity in terms of risk management is evidenced by such things as well-defined security processes and a solid understanding and acceptance of security risk management at many levels of the organization.

  • Slide 18

    d) An Atmosphere of Open Communication

    Lack of open communication in organizations frequently leads to misunderstandings and impairs the ability of a team to deliver a successful solution in times of crisis or incidents. Therefore the approach to communications, both within the team and with key stakeholders, must be open and free-flowing. A free flow of information not only reduces the risk of misunderstandings and wasted effort but also ensures that all team members can contribute to effectively reducing the uncertainties surrounding the security risk or incident.

  • Slide 19

    e) A Spirit of Teamwork

    The strength and vitality of the relationships among all of the people working on the security risk management process will greatly affect the effort. Regardless of the support from senior management, the relationships that are developed among security staff and management and the rest of the organization are critical to the overall success of the process.

  • Slide 20

    f) A Holistic View of the Organization

    All participants involved in the security risk management process, particularly the Security Risk Management Team, need to consider the entire organization during their work. What is best for one particular employee is frequently not what is best for the organization as a whole.

    Likewise, what is most beneficial to one business unit may not be in the best interest of the organization. Staff and managers from a particular business unit will instinctively seek to drive the process toward outcomes that will benefit them and their parts of the organization.

  • Slide 21

    g) Authority Throughout the Process

    In order to effectively mitigate risks by implementing sensible controls, team members will also require sufficient authority to make the appropriate changes.

    Team members must be empowered to meet the commitments assigned to them. Empowerment requires that team members are given the resources necessary to perform their work, are responsible for the decisions that affect their work, and understand the limits to their authority.

    They must also understand the escalation paths available to handle issues that transcend these limits.

  • Slide 22

    SURVEY OF SECURITY RISK MANAGEMENT PRACTICES

  • Slide 23

    Survey Of Security Risk Management Practices

    Survey observations indicate that in general there are two types of Risk Management practices, namely proactive and reactive approaches. Each has its own strengths and weaknesses.

    Similarly, in practice there are also two methods of assessing risk, namely qualitative security risk management and quantitative security risk management, the two traditional methods. Each has its own strengths and weaknesses.

  • Slide 24

    The Proactive Approach

    Proactive security risk management has many advantages over a reactive approach. Instead of waiting for bad things to happen and then responding to them afterwards, you minimize the possibility of the bad things ever occurring in the first place.

    You make plans to protect your organization's important assets by implementing controls that reduce the risk of vulnerabilities being exploited by malicious software, attackers, or accidental misuse.

  • Slide 25

    The Reactive Approach

    Reacting to a security event means trying to contain the situation, figure out what happened, and fix the affected systems as quickly as possible.

    A small degree of rigor in the reactive approach can help organizations of all types to better use their resources. Recent security incidents may help an organization to predict and prepare for future problems. A very systematic and organized approach is recommended.

    This means that an organization that takes time to respond to security incidents in a calm and rational manner, while determining the underlying reasons that allowed the incident to transpire, will be better able both to protect itself from similar problems in the future and to respond more quickly to other issues that may arise.

  • Slide 26

    Six-step Incident Response Actions

    1. Protect human life. People's safety should always be the first priority.

  • Slide 27

    2. Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later.

    Then assess the extent of the damage that occurred as soon as possible, so that you can restore the organization's operations as soon as possible.

    3. Determine the cause of the damage.

  • Slide 28

    4. Repair the damage. In most cases, it is very important that the damage be repaired as quickly as possible to restore normal business operations and recover data lost during the attack. The organization's business continuity plans and procedures should cover the restoration strategy.

    5. Review the response and update policies. After the documentation and recovery phases are complete, you should review the process thoroughly.
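    The "duplicate the hard disks and set them aside for forensic use" step deserves a concrete shape, because an image that was never hashed, or that was taken through a writable handle, is worth little once the repair step has altered the original. The script below is an added example for this page, not code from the lecture or from Microsoft's guide. It shows the evidence-preservation routine a responder runs before repair: stream the source into an image file, hash the bytes on the way in, re-read the finished image and hash it independently, make the image read-only, and write a JSON manifest beside it. The source path, the case ID and the 3 MiB "disk" it images are constructed for the demo; on a real incident you would point it at the raw block device of the affected server (opened read-only, with the system offline) or use a dedicated tool such as dd or dc3dd that also handles read errors.

```python
"""Preserve evidence before repair: bit-for-bit copy of a disk (or disk
image), hashed on the way in and re-hashed after writing, with a manifest
that can be attached to the incident record.

Added example for this page; not code from the lecture or from the
Microsoft Security Risk Management Guide.  The "disk" imaged by demo() is a
constructed file so the script runs anywhere.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on multi-TB disks


def sha256_of_file(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path, case_id):
    """Copy `source` to `image_path`, hashing the bytes as they are read.

    Returns a manifest dict.  `verified` is True only if the image re-read
    from disk hashes to the same value as the source stream, which is the
    check an examiner expects before the original is touched.  The source
    is opened read-only, so the copy itself cannot alter evidence.
    """
    started = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    source_hash = h.hexdigest()
    image_hash = sha256_of_file(image_path)  # independent re-read of the copy
    os.chmod(image_path, 0o444)  # set the copy aside: read-only from now on
    manifest = {
        "case_id": case_id,
        "source": source,
        "image": image_path,
        "bytes": total,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(image_path + ".manifest.json", "w") as m:
        json.dump(manifest, m, indent=2)
    return manifest


def demo():
    """Image a constructed 3 MiB 'disk' (not a real device) and return the manifest."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    fake_disk = os.path.join(workdir, "fake-server-disk.bin")
    # Constructed content: a zeroed sector ending in the 0x55AA boot signature,
    # followed by a repeating byte pattern.  Total size: 3,072,512 bytes.
    payload = (b"\x00" * 510 + b"\x55\xaa") + bytes(range(256)) * 12000
    with open(fake_disk, "wb") as f:
        f.write(payload)
    image_path = os.path.join(workdir, "evidence-001.img")
    return image_device(fake_disk, image_path, "IR-0001")  # case ID is a placeholder


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run it with `python3 image_evidence.py`; `demo()` returns the manifest, and `verified` must be true before anyone proceeds to the repair step. Record the hash in the incident log, since the review step at the end of the process (and any later legal proceeding) depends on showing the copy matches what was seized.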

  • Slide 29

    Incident Response Process

  • Slide 30

    SECURITY RISK MANAGEMENT OVERVIEW

  • Slide 31

    Approaches to Risk Prioritization

    The security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business.

    Risk assessment is defined as the process to identify and prioritize risks to the business.

    There are many different methodologies for prioritizing or assessing risks, but most are based on one of two approaches or a combination of the two: quantitative risk management or qualitative risk management.

  • Slide 32

    Quantitative Risk Assessment

    In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost-benefit analysis.

  • Slide 33

    Quantitative Approach Method

    A brief examination of some of the details of the above approach will provide a general understanding of both the advantages and drawbacks of quantitative risk assessments:

    asset valuation and costing of controls

    determining Return On Security Investment (ROSI)

    calculating values for Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO) and Annual Loss Expectancy (ALE).

  • Slide 34

    a. Valuing Assets

    Determining the monetary value of an asset is an important part of security risk management. Many organizations maintain a list of asset values (AVs) as part of their business continuity plans.

    The overall value of the asset to your organization. Calculate or estimate the asset's value in direct financial terms. Consider a simplified example of the impact of temporary disruption of an e-commerce Web site that normally runs seven days a week, 24 hours a day, generating an average of RM2,000 per hour in revenue from customer orders. You can state with confidence that the annual value of the Web site in terms of sales revenue is RM17,520,000 (RM2,000 x 24 x 365).

  • Slide 35

    The immediate financial impact of losing the asset. If you deliberately simplify the example and assume that the Web site generates a constant rate per hour, and the same Web site becomes unavailable for six hours, the calculated exposure is 6/8760 = .000685, or .0685 percent of the year. By multiplying this exposure percentage by the annual value of the asset, you can predict that the directly attributable losses in this case would be approximately RM12,000.

    The indirect business impact of losing the asset. In this example, the company estimates that it would spend $10,000 on advertising to counteract the negative publicity from such an incident. Additionally, the company also estimates a loss of .01 or 1 percent of annual sales, or $175,200. By combining the extra advertising expenses and the loss in annual sales revenue, you can predict a total of $185,200 in indirect losses in this case.

  • Slide 36

    Determining the SLE

    The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a monetary amount that is assigned to a single event that represents the company's potential loss amount if a specific threat exploits a vulnerability. (The SLE is similar to the impact of a qualitative risk analysis.)

    Calculate the SLE by multiplying the asset value by the exposure factor (EF), the fraction of the asset's value lost in one event: SLE = AV x EF.

  • Slide 37

    Determining the ARO

    The ARO is the number of times that you reasonably expect the risk to occur during one year. Making these estimates is very difficult; there is very little actuarial data available. What has been gathered so far appears to be private information held by a few property insurance firms.

    To estimate the ARO, draw on your past experience and consult security risk management experts and security and business consultants. The ARO is similar to the probability of a qualitative risk analysis, and its range extends from 0 (never) to 1 (once a year, i.e. 100 percent); an event expected more than once a year has an ARO greater than 1.

  • Slide 38

    Determining the ALE

    The ALE is the total amount of money that your organization will lose in one year if nothing is done to mitigate the risk. Calculate this value by multiplying the SLE by the ARO: ALE = SLE x ARO. The ALE is similar to the relative rank of a qualitative risk analysis.

  • Slide 39

    The ALE provides a value that your organization can work with to budget what it will cost to establish controls or safeguards to prevent this type of damage (in this case, $3,750 or less per year) and provide an adequate level of protection. It is important to quantify the real possibility of a risk and how much damage, in monetary terms, the threat may cause in order to be able to know how much can be spent to protect against the potential consequence of the threat.

  • Slide 40

    Determining Cost of Controls

    Determining the cost of controls requires accurate estimates of how much acquiring, testing, deploying, operating, and maintaining each control would cost. Such costs would include buying or developing the control solution; deploying and configuring the control solution; maintaining the control solution; and communicating new policies.

  • Slide 41

    ROSI

    Estimate the return on security investment by using the following equation:

    (ALE before control) - (ALE after control) - (annual cost of control) = ROSI
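    Carrying the slides' own e-commerce figures through the AV / EF / SLE / ARO / ALE / ROSI chain, as an added Python example (not code from the lecture or from Microsoft's guide): RM2,000 per hour gives AV = RM17,520,000; a six-hour outage is an exposure of 6/8760, so the direct loss is RM12,000; the indirect loss is the 10,000 advertising spend plus 1 percent of annual sales, 185,200; one outage therefore costs 197,200 in total, which is the SLE. The slides state no ARO and no control, so the once-every-four-years ARO, the failover control, its 20,000 annual cost and the ARO it achieves are assumptions made here to complete the arithmetic. ROSI is computed exactly as the slide states it, as a net annual benefit rather than a ratio.

```python
"""Quantitative risk arithmetic (AV, EF, SLE, ARO, ALE, ROSI) carried through
with the slides' e-commerce figures.  Added example for this page, not code
from the lecture or from Microsoft's Security Risk Management Guide."""
from fractions import Fraction

HOURS_PER_YEAR = 24 * 365  # the site runs seven days a week, 24 hours a day


def annual_asset_value(revenue_per_hour):
    """AV in direct financial terms: hourly revenue x hours in the year."""
    return revenue_per_hour * HOURS_PER_YEAR


def outage_exposure(outage_hours):
    """Fraction of the year the asset is down; Fraction keeps 6/8760 exact."""
    return Fraction(outage_hours, HOURS_PER_YEAR)


def direct_loss(asset_value, outage_hours):
    """Directly attributable loss = AV x (outage hours / hours per year)."""
    return float(asset_value * outage_exposure(outage_hours))


def indirect_loss(asset_value, fixed_costs, lost_sales_fraction):
    """Fixed recovery spend (e.g. advertising) plus a share of annual sales lost."""
    return fixed_costs + asset_value * lost_sales_fraction


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, where EF is the fraction of the asset's value lost per event."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle_value, aro):
    """ALE = SLE x ARO.  ARO is expected occurrences per year and may exceed 1."""
    return sle_value * aro


def rosi(ale_before, ale_after, annual_control_cost):
    """ROSI as the slide states it: (ALE before) - (ALE after) - (annual cost of control).
    Positive means the control saves more per year than it costs.  Other methods divide
    this by the control cost to get a ratio; the slide's net-benefit form is kept here."""
    return ale_before - ale_after - annual_control_cost


def worked_example():
    """The slides' numbers, then assumed ARO/control values to finish the chain."""
    av = annual_asset_value(2_000)              # RM2,000/hour -> RM17,520,000/year
    direct = direct_loss(av, 6)                 # six-hour outage -> 12,000
    indirect = indirect_loss(av, 10_000, 0.01)  # ad spend + 1% of annual sales -> 185,200
    event_loss = direct + indirect              # 197,200 per incident
    ef = event_loss / av                        # effective exposure factor (~1.13%)
    sle_value = single_loss_expectancy(av, ef)  # equals event_loss by construction
    # ASSUMPTION (not on the slides): one such outage every four years.
    aro_before = 0.25
    # ASSUMPTION (not on the slides): failover hosting at 20,000/year cuts the ARO to 0.05.
    aro_after, control_cost = 0.05, 20_000
    ale_before = annualized_loss_expectancy(sle_value, aro_before)
    ale_after = annualized_loss_expectancy(sle_value, aro_after)
    return {
        "asset_value": av,
        "direct_loss": direct,
        "indirect_loss": indirect,
        "exposure_factor": ef,
        "sle": sle_value,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_cost": control_cost,
        "rosi": rosi(ale_before, ale_after, control_cost),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:16} {value}")
```

    With the assumed values the ALE falls from 49,300 to 9,860 and the control costs 20,000, so ROSI is 19,440 per year and the control is justified; halve the ARO assumption and it is not, which is the point of the slide's warning that the ARO estimate is the hard part.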

     

  • Slide 42

    Results of the Quantitative Risk Analyses

    The input items from the quantitative risk analyses provide clearly defined goals and results. The following items generally are derived from the results of the previous steps:

    Assigned monetary values for assets

    A comprehensive list of significant threats

    The probability of each threat occurring

    The loss potential for the company on a per-threat basis over 12 months

    Recommended safeguards, controls, and actions

  • Slide 43

    Qualitative Risk Assessment

    What differentiates qualitative risk assessment from quantitative risk assessment is that in the former you do not try to assign hard financial values to assets, expected losses, and cost of controls. Instead, you calculate relative values.

    The basic process for qualitative assessments is very similar to what happens in the quantitative approach. The difference is in the details. Comparisons between the value of one asset and another are relative, and a lot of time is not invested in trying to calculate precise financial numbers for asset valuation. The same is true for calculating the possible impact from a risk being realized and the cost of implementing controls.

  • Slide 44

    The process of Qualitative Risk Assessment (IT) according to the NIST SP 800-30 methodology is divided into 9 phases:

    Selection of systems which are subject to evaluation

    Definition of the scope of evaluation, collection of needed information

    Identification of threats to evaluated systems

    Identification of susceptibility (vulnerabilities) of evaluated systems

    Analysis of applied and planned mechanisms of control and protection

    Specification of probabilities of susceptibility usage by the identified source of threats (probability is defined as: low, medium, high)

    Analysis and determination of incidents' impact on system, data and organization (impact defined on a three-degree scale: high, medium, low)

  • Slide 45

    Determination of risk level with the help of a matrix.

    Risk Level Matrix, for the whole risk for identified threats. This matrix is created as a result of multiplication of the probabilities of incident occurrence (high probability receives weight 1.0, medium 0.5, and low 0.1) and the strength of incident impact (high impact receives 100 (weighted), medium 50, and low 10). On the basis of the matrix, the level of whole risk for every identified threat is determined as high for a product in the range (50,100], medium for the range (10,50] and low for a product in the range [1,10].
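    The matrix in the last two slides is easy to get wrong at the band edges (a product of exactly 50 is medium, not high; exactly 10 is low), so here it is as an added Python example, not code from the lecture or from NIST SP 800-30: the likelihood and impact weights from the slide, the banding with the slide's half-open ranges, the full 3x3 matrix generated from them, and a prioritize() step that takes threats with their qualitative ratings and returns them worst-first, which is what the control-recommendation phase consumes. The five threats in SAMPLE_THREATS are constructed for the demo.

```python
"""Risk level per the NIST SP 800-30 risk-level matrix as described on the
slides.  Added example for this page, not code from the lecture or NIST."""

# Weights exactly as the slide gives them.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood, impact):
    """Product of the two weights.  Raises KeyError for any rating other than
    high/medium/low, so a typo in a spreadsheet cannot silently score 0.
    round() guards against floating-point drift if other weights are substituted."""
    return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 6)


def risk_level(score):
    """Band the product with the slide's ranges: High (50,100], Medium (10,50],
    Low [1,10].  The boundary values 50 and 10 belong to the lower band."""
    if 50 < score <= 100:
        return "high"
    if 10 < score <= 50:
        return "medium"
    if 1 <= score <= 10:
        return "low"
    raise ValueError(f"score {score} is outside the 1..100 matrix")


def risk_matrix():
    """All nine likelihood x impact cells -> level, for checking the table by eye."""
    return {(l, i): risk_level(risk_score(l, i)) for l in LIKELIHOOD for i in IMPACT}


def prioritize(threats):
    """threats: iterable of (name, likelihood, impact) with qualitative ratings.
    Returns dicts sorted worst-first (stable sort, so ties keep input order)."""
    rows = []
    for name, likelihood, impact in threats:
        score = risk_score(likelihood, impact)
        rows.append({"threat": name, "likelihood": likelihood, "impact": impact,
                     "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample input, not from the lecture.
SAMPLE_THREATS = [
    ("unpatched web server exploited from the Internet", "high", "high"),
    ("insider copies the payroll database", "medium", "high"),
    ("laptop with customer data stolen from a car", "high", "medium"),
    ("data centre flood", "low", "high"),
    ("disk failure on a test box", "low", "low"),
]

if __name__ == "__main__":
    for (l, i), level in risk_matrix().items():
        print(f"likelihood={l:6} impact={i:6} -> {level}")
    for row in prioritize(SAMPLE_THREATS):
        print(f"{row['level']:6} {row['score']:6.1f}  {row['threat']}")
```

    Note the weighting's blind spot: a low-likelihood, high-impact event (the flood) scores 10 and lands in the low band, the same as a high-likelihood, low-impact nuisance. If that does not match the organization's appetite for rare catastrophes, the weights are what to adjust, not the banding.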

  • Slide 46 (no text)

  • Slide 47 (no text)

  • Slide 48

    INTRODUCTION TO RISK

    WHAT IS RISK?

    Risk is the chance of something happening that will have an impact upon the objectives of an organization.

    It is measured in terms of severity of consequences and likelihood.

  • Slide 49

    A risk is a potential problem: it might happen and it might not.

    Conceptual definition of risk:

    • Risk concerns future happenings

    • Risk involves change in mind, opinion, actions, places, etc.

    • Risk involves choice and the uncertainty that choice entails

    Two characteristics of risk:

    • Uncertainty: the risk may or may not happen, that is, there are no 100% risks (those, instead, are called constraints)

    • Loss: the risk becomes a reality and unwanted consequences or losses occur

  • Slide 50

    Taking a risk: it isn't all bad!

    Taking risks is a normal, unavoidable, everyday necessity.

    Taking controlled, informed risks is a sensible and everyday essential part of life. Taking uninformed, uncontrolled risks is patently dumb.

    We take risks not to avoid harm, but to achieve benefits and gains. Risk taking is positive, not implicitly negative.

  • Slide 51

    Why Manage Risks?

    It is a fact of life that chance events will occur and affect the outcome of your project.

    Murphy's Laws codify this "knowledge":

    • If anything can go wrong, it will!

    • Of things that could go wrong, the one that causes the most damage will occur!

    (Cartoon: Darwin Award Honorable Mention given to "Lawn Chair" Larry Walters; source http://www.darwinawards.com/misc/index.zeebarf.html)

    • Risks are defined as the undesirable event, the chance this event might occur and the consequences of all possible outcomes

    • Risk management attempts to identify such events, minimize their impact and provide a response if the event is detected

  • Slide 52

    Purpose of Risk Management

  • Slide 53 (no text)

  • Slide 54

    Risk Concepts

    (Diagram: Risk as a function of the Likelihood of Attack, System Effectiveness, and the Consequence of Adversary Success. The amount of control over each is different.)

  • Slide 55

    Responses to Risk

        Severity \ Frequency    Low         High
        High                    Transfer    Avoid
        Low                     Accept      Accept/Transfer

  • Slide 56

    RISK AND SECURITY IN BUSINESS ENVIRONMENT

  • Slide 57

    Increasingly Complex Environment

    Security and risk management in a business environment is principally concerned with protection and conservation of corporate assets and resources. The task of protection continues to be an increasingly complex one at a time when technology is creating new products (and thus risk) at an explosive rate and criminals are getting more sophisticated.

  • Slide 58

    What is RISK in a business environment?

    A perilous / hazardous situation in the business organization where threat(s) may exploit the vulnerability surrounding asset(s) to create a disastrous consequence or impact causing financial losses or loss of lives.

  • Slide 59

    What is SECURITY in a business environment?

    A secured, safe and relatively stable environment where the business organization is able to conduct its business operations with no or minimal disturbance or disruptions from threats (man-made and natural) by having adequate security control measures.

  • Slide 60

    Two types of Risk in Business

    • Pure Risk: Generally pure risk does not hold out any prospect of gain. It always brings about negative consequences. Examples: theft, negligence.

  • Slide 61

    Categories of Risks

    Financial Risks, Information Risks, Operational Risks, Strategic Risks, Reputation Risks, Environmental Risks

  • Slide 62 (no text)

  • Slide 63

    Australia/New Zealand Standard AS/NZS 4360: Risk Management

  • Slide 64 (no text)

  • Slide 65

    INFO System Risk Management Framework (an example)

    (Diagram of Risk Management Framework steps, each with the NIST Special Publication that governs it:)

    SUPPLEMENT Security Controls (SP 800-53, SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.

    DOCUMENT Security Controls (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place.

    ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).

    AUTHORIZE Information System (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.

    MONITOR Security Controls (SP 800-37, SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

     

  • Slide 66

    THE CHANGING SECURITY ENVIRONMENT

  • Slide 67

    Shift in Paradigm

    The traditional view of security has moved from "guns, guards and gates" through "ciphers, safety and society" toward the evolving and dynamic concept of "providing resilience."

  • Slide 68

    As technologies evolve, we face more complex threats, as opposed to traditional ones, such as bio-terrorism, cyber-terrorism and global warming, and greater demands from society to sustain, protect and improve our lives.

    Hence the notion of security is expanding to include the notions of resilience, sustainability and critical services assurance. Collectively this notion of resilience revolves around maintaining capability rather than protecting assets.

  • Slide 69

    CONSEQUENCES OF RISK IN AN OPERATIONAL ENVIRONMENT

  • Slide 70

    Risk Appetite

    Many organizations do not commit themselves to having an adequate security posture, by not spending on an effective Security Program. This is in view of the fact that the return on investment for security programs is perceived to be discouraging. In effect, most organizations therefore run with a high appetite for risk and are exposed to uncertainties.

    Just ask Management this question: why not allow the Security Department to go on leave one day en bloc? What will be the outcome of business operations in the

  • Slide 71

    Risk Appetite

    Have security procedures been published?

    Does the organization have contact with a Law Enforcement Agency?

    Are there periodic 100% checks of identification?

    Is there control of employee movement between areas within the plant?

    Is there a continuous barrier around the property?

  • Slide 72

    Risk Appetite

    Do you operate your computer with or without antivirus software / antispyware?

    Do you open emails with forwarded attachments from friends or follow questionable web links?

    Have you ever given your bank account information to a foreign emailer to make $$$?

    What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

    Companies too have risk appetites decided after

  • Slide 73

    Causes of Interruption in Business Operations

    Security Processes in Daily Operations:

    • Access control
    • Patrolling
    • Traffic control
    • Shipping control
    • Waste and trash control
    • Central monitoring control

    Ineffectiveness of the above controls, in procedures, tools, equipment and personnel competencies, may incur risk and lead to business disruptions.

  • Slide 74

    Other Elements that cause Business Disruptions

    • Fire
    • Strike / Riot
    • Transit Accident
    • Violence
    • Sexual Harassment
    • Sabotage / Vandalism
    • Contagious Disease
    • Natural Disasters
    • IT System Malfunction
    • Power Failure
    • Terrorism

  • Slide 75

    Risk and Security Operations

    SECURITY FROM A SYSTEMS PERSPECTIVE

    (Diagram: Input -> Security Process -> Output)

    Input: Manpower, Money, Machine, Material, Method

    Security Process: Protective Activities; Incident Response Activities; Recovery Activities; Continuity Activities

    Output: a safe, stable environment in which to carry out responsibilities and tasks with minimal disturbance from threats, by having enough security controls

  • 8/9/2019 DLE Risk Mgt Lect

    76/122

    "r%t&)ti,& A)ti,iti&s

    In !ail* s&)#rit* %$&rati%ns t-& (ain$r%t&)ti,& a)ti,iti&s in,%l,&! ar&:

    • A))&ss )%ntr%l 5 $&%$l&6 ,&-i)l& an!

    g%%!s

    • $atr%lling an! )l%)king a)ti,it*

    • Wast& an! T-ras- )%ntr%l

    • K&* )%ntr%l 7 l%)king a)ti,it*

    •  S-i$$ing 7 r&)&i,ing a)ti,it*

  • 8/9/2019 DLE Risk Mgt Lect

    77/122

    F t A0 ti Ri k El t

  • 8/9/2019 DLE Risk Mgt Lect

    78/122

    Fa)t%rs A0&)ting Risk El&(&nts

    81 Ass&t: Cost, Criticality, Replacement Cost,  Conse'uence, Attractiveness

    91 T-r&at: (mpact, 9redictability, (ntention,  Capability, 2otivation

    1 ;#ln&railit*: /uilding characteristic, 9ersonnel  behaviour, &ocation o assets,  1perational practices, -'pt properties

  • 8/9/2019 DLE Risk Mgt Lect

    79/122

    An organi7ation must determine, which

    assets may materially aEect thebusiness operations on a daily basis

    and is o high value and is not

    replaceable easily within a short time

    span when loss.

    CR(T(CA& A))-T) (+ A+ 1R;A+(FAT(1+

  • 8/9/2019 DLE Risk Mgt Lect

    80/122

    E=AM">ES OF CRITICA>

    ASSETS!aterial

    "quipment

    #acilities

    $rocesses

    Intellectual $roperty

    Reputation

    $eople

    Records

  • 8/9/2019 DLE Risk Mgt Lect

    81/122

    T*$&s %' S&)#rit* T-r&ats

    • Man 5 (a!& %r Ant-r%$%g&ni)

      8 9olitical -vents – -3plosives, disgruntled

    employees, unauthori7ed access, employee

      pilerage, espionage, arson6fres, sabotage,

    etc.

     Nat#ral Disast&rs

      – -arth'uakes,

  • 8/9/2019 DLE Risk Mgt Lect

    82/122

    T-reat& Lea%ing T! B#&ine&& Ri&'

    /usinessRisk

    in a

    ynamic

    -nvironment

    (mpact o Risk and )ecurity

  • 8/9/2019 DLE Risk Mgt Lect

    83/122

    (mpact o Risk and )ecurity(mplications/usiness organi7ations that are e3posed to R()* are

    guests o impending disaster or negativeconse'uences. The kind o risk impacts with whichbusiness and industry are most commonlyconcerned are:

    • natural catastrophe• industrial disaster• civil disturbance• criminality

    • con

  • 8/9/2019 DLE Risk Mgt Lect

    84/122

    +-)(RA/&- C1+)--+C-)

    2ay lead to :

    &oss o human lie

    &oss o revenue

    &oss o vital e'uipment

    &oss o vital capabilities

    +ote: All leads to disruption o/usiness

    1perations

85/122

Security Implications

The impact of risk causing negative consequences has serious security implications for the business organization:

• an unstable operational environment
• disruption of business activities
• unnecessary diversions from primary activities
• inability to meet customer demands and satisfaction
• the organization's image and reputation are at stake
• possibility of losing future business

86/122

TYPES AND SOURCES OF RISK THAT CAN AFFECT SECURITY OPERATIONS

87/122

PEOPLE

People include the service provider, the clients and the uninvited. By nature, people's behaviour is driven by seeking pleasure and avoiding pain, so they are inclined to violate rules to satisfy their needs. As such, people are the greater potential hazard in daily operations at the workplace.

88/122

PROCESS

Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security operations stem from ...

89/122

TECHNOLOGY

Technology is a double-edged sword: it has both good and bad characteristics. In the hands of responsible people it becomes a faithful servant and promotes efficiency in daily operations. On the contrary, in the hands of the wrong people it becomes a threat posing risk to operations.

90/122

Criticality, Vulnerability, Probability

Criticality - the effect that partial or total loss of the entity or area would have on the facility's mission.

Vulnerability - the susceptibility of an entity or area to damage or destruction, or to the possible theft or loss of property.

Probability - the chances that certain events could or might occur, such as a penetration of the perimeter or compromise of a system.

91/122

Vulnerability

• Vulnerabilities are opportunities: opportunities for crime, opportunities for rule breaking and violations, opportunities for loss.

• By definition, a vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset.

• Vulnerabilities include structural, procedural, electronic, human and other elements which provide opportunities to attack assets.

92/122

The basic process of a vulnerability assessment first determines what assets are in need of protection, then identifies the protection measures already in place to secure those assets and what gaps in protection exist.

The assessment measures the security controls' effectiveness against valid security metrics and provides recommendations.

93/122

Three questions to ask:

• "What is the threat?"
• "What is the level of vulnerability relative to that threat?"
• "To what extent will the threat/vulnerability change?"

94/122

OPERATIONAL RISK MANAGEMENT STRATEGIES

95/122

A Simple Understanding of Risk Management

96/122

A Simple Understanding of Risk Management

Risk management is present in all aspects of life. It is about the everyday trade-off between an expected reward and a potential danger. In the business world risk is often associated with some variability in financial outcomes, but the notion of risk is much larger. It is universal, in the sense that it refers to human behaviour in the decision-making process. Risk management is an attempt to identify, to measure, to monitor and to manage uncertainty.

97/122

Risk Management Process

A Continuous Cycle of:

1. Risk assessment - risks to the organization are assessed in terms of the likelihood of an undesirable event taking place, and the anticipated consequences

2. Implementation - security measures are identified and implemented to reduce the likelihood and impact of the undesirable event to an acceptable level

98/122

Risk Analysis and Risk Mitigation - System's Approach to Risk Assessment

[Diagram labels: ASSETS, THREATS, VULNERABILITIES, RISKS, ANALYSIS, MITIGATION, COUNTERMEASURES]

99/122

Input

- Company history
- Intelligence agency data
- Audit & test results
- Business Impact Analysis
- Data Criticality & Sensitivity analysis

Methodology

1. Identify Threats
2. Identify Vulnerabilities
3. Analyze Controls
4. Determine Likelihood
5. Analyze Impact
6. Determine Risk
7. Identify Controls
8. Implement Controls

Process Output

- List of threats & vulnerabilities
- List of current & planned controls
- Likelihood Rating
- Impact Rating
- Documented Risks

100/122

Ranking the Risk Importance

101/122

Ranking the Risk Importance

Rank risks from those that can be neglected to those that require elevated vigilance.

A Risk Severity Matrix can be helpful in prioritizing risks:
• Plot of event probability versus impact
• Red zone identifies the most important events
• Yellow zone lists risks that are moderately important
• Green zone events probably can be safely ignored

• Note that the zones are not symmetrical across the matrix
  – High impact, low probability events are much more important than likely, low impact events

102/122

Five Steps Risk Assessment Model

1. Asset Assessment – Understand the organization and identify the people and assets at risk
2. Threat Assessment – Identify loss risk events
3. Vulnerability Assessment – Establish the probability of loss risk, the probability and frequency of events, and also the impact of events
4. Risk Assessment – Establish the value of risk loss
5. Identification of Control Measures – Protective measures or safeguards

103/122

Characteristics of Risk Components

No.  Asset             Threat       Vulnerability                       Mitigation
1.   Criticality       Motivation   Building characteristic             Deterrent capabilities
2.   Cost              Potential    Systems and equipment reliability   Detection capabilities
3.   Attractiveness    Intention    Location of assets                  Delay capabilities
4.   Replacement cost  Capability   Personnel behaviour                 Assess/annunciation capabilities
5.   Consequence       Impact       Operational practices               Response capabilities

104/122

Security Mitigation Objectives

105/122

Security Mitigation Objectives

1. DETER
2. DETECT
3. DELAY
4. ASSESS
5. RESPOND

106/122

Asset Value Rating

Very High   5
High        4
Medium      3
Low         2
Very Low    1

107/122

Threat Value Rating

Very High   5
High        4
Medium      3
Low         2
Very Low    1

108/122

Vulnerability Value Rating

Very High   5
High        4
Medium      3
Low         2
Very Low    1

109/122

RISK = Impact × Probability

Asset          What are you trying to assess?
Threat         What are you afraid of happening?
Impact         What is the impact to the business?
Vulnerability  How could the threat occur?
Mitigation     What is currently reducing the risk?
Probability    How likely is the threat, given the controls?

Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?

110/122

RISK EQUATION

111/122

RISK = Asset × Threat × Vulnerability, reduced by Mitigation

(Slide 109 expresses the same equation as RISK = Impact × Probability, with Impact derived from the Asset and Threat ratings and Probability from the Vulnerability and Mitigation ratings.)

[The worked example figures on this slide are not recoverable]

112/122

Risk = Asset Value × Threat Rating × Vulnerability Rating, reduced by Mitigation

Evaluation

No.  Risk Value     Risk Rating
1.   21 and above   Very High
2.   16 - 20        High
3.   11 - 15        Medium
4.   6 - 10         Low
5.   1 - 5          Very Low

113/122

Decision Matrix: A Risk Handling Decision Aid

                    Frequency of Loss
Severity of Loss    High                             Medium                                        Low
High                Avoidance                        Loss prevention and avoidance                 Transfer via insurance
Medium              Loss prevention and avoidance    Loss prevention and transfer via insurance    Assumption and pooling
Low                 Loss prevention                  Loss prevention and assumption                Assumption
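The scoring chain on slides 109 to 113 (five-point ratings, RISK = Impact × Probability, the evaluation bands and the handling matrix) together with the ranking note on slide 101, as an added worked example in Python. This is not code from the lecture. The five-point scales, the risk value bands and the decision matrix are taken from the slides; the way Asset and Threat collapse into Impact, the way Vulnerability and Mitigation collapse into Probability, the 1 (weak) to 5 (strong) scale for Mitigation, and the sample register are assumptions made for this example and are marked as such in the code.

```python
"""Added worked example (not part of the lecture): qualitative risk scoring
and handling selection using the scales on slides 106-113.

ASSUMPTIONS, because the slides do not state them:
- Asset and Threat ratings combine into Impact as a rounded-up mean;
- Vulnerability and Mitigation combine into Probability by removing one
  step of probability per step of control strength above the weakest;
- Mitigation is rated 1 (weak controls) to 5 (strong controls).
"""
from dataclasses import dataclass

# Five-point rating scale for asset value, threat and vulnerability (slides 106-108).
RATING = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Risk value bands from the Evaluation table (slide 112): (lower bound, label).
BANDS = [(21, "Very High"), (16, "High"), (11, "Medium"), (6, "Low"), (1, "Very Low")]

# Decision matrix (slide 113): severity of loss -> frequency of loss -> handling.
DECISION = {
    "High": {"High": "Avoidance",
             "Medium": "Loss prevention and avoidance",
             "Low": "Transfer via insurance"},
    "Medium": {"High": "Loss prevention and avoidance",
               "Medium": "Loss prevention and transfer via insurance",
               "Low": "Assumption and pooling"},
    "Low": {"High": "Loss prevention",
            "Medium": "Loss prevention and assumption",
            "Low": "Assumption"},
}


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: int          # asset value rating, 1-5
    threat: int         # threat rating, 1-5
    vulnerability: int  # vulnerability rating, 1-5
    mitigation: int     # strength of existing controls, 1 (weak) to 5 (strong): ASSUMED scale


def impact(s: Scenario) -> int:
    """Impact rating 1-5. ASSUMPTION: rounded-up mean of asset value and threat rating."""
    return -(-(s.asset + s.threat) // 2)


def probability(s: Scenario) -> int:
    """Probability rating 1-5. ASSUMPTION: each step of control strength above the
    weakest removes one step of the vulnerability rating, floored at 1."""
    return max(1, s.vulnerability - (s.mitigation - 1))


def risk_value(s: Scenario) -> int:
    """RISK = Impact x Probability (slide 109), range 1-25."""
    return impact(s) * probability(s)


def risk_band(value: int) -> str:
    """Map a risk value to the rating band of slide 112."""
    for lower, label in BANDS:
        if value >= lower:
            return label
    raise ValueError(f"risk value must be >= 1, got {value}")


def _three_level(rating: int) -> str:
    """Collapse a 1-5 rating onto the High/Medium/Low axes of the decision matrix."""
    return "High" if rating >= 4 else "Medium" if rating == 3 else "Low"


def handling(s: Scenario) -> str:
    """Read the decision matrix: impact stands in for severity, probability for frequency."""
    return DECISION[_three_level(impact(s))][_three_level(probability(s))]


def rank(scenarios):
    """Most important first. Ties on risk value are broken by impact, so a high-impact,
    low-probability event outranks a likely, low-impact one with the same product
    (the asymmetry noted on slide 101)."""
    return sorted(scenarios, key=lambda s: (risk_value(s), impact(s)), reverse=True)


# Constructed sample register: illustrative values, not taken from the lecture.
SAMPLE_REGISTER = [
    Scenario("Unauthorized access to plant", asset=4, threat=4, vulnerability=5, mitigation=2),
    Scenario("Employee pilferage from stores", asset=2, threat=4, vulnerability=4, mitigation=1),
    Scenario("Vandalism of perimeter lighting", asset=1, threat=3, vulnerability=5, mitigation=1),
    Scenario("Graffiti on perimeter fence", asset=1, threat=2, vulnerability=2, mitigation=1),
    Scenario("Data centre fire", asset=5, threat=2, vulnerability=3, mitigation=4),
]


def main() -> None:
    print(f"{'Scenario':32} I  P  Risk  Band       Handling")
    for s in rank(SAMPLE_REGISTER):
        v = risk_value(s)
        print(f"{s.name:32} {impact(s)}  {probability(s)}  {v:>4}  {risk_band(v):10} {handling(s)}")


if __name__ == "__main__":
    main()
```

Running the module prints the ranked register. The tie-break in rank() is the point to notice: a bare product treats a 4 × 1 event and a 1 × 4 event identically, whereas slide 101 says the high-impact, low-probability event matters more, so the sort key carries impact as its second element and the data centre fire is listed above the graffiti scenario although both score 4.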

114/122

Expense vs. Security Achieved

[Chart labels: Dollars, Security Achieved, 100% Security]

115/122

[Cost-benefit example: Benefit and cost in RM; "Ratio is 3 to ..." - the figures on this slide are not recoverable]

116/122

STRATEGIC ACTION PLANS TO CONTROL RISK

117/122

Why do we need a Strategic Action Plan?

Characteristic nature of the business environment:

• Business organizations face continuous threats from their operating environment, both internal and external
• What are these threats? – Man-made and natural forces
• What are the contributing factors? – Multiple variables: Legal, Political, Social, Economic and Global Climatic conditions

118/122

Strategic Action Plan Tools

Focus Areas for Continuous Monitoring, Record Keeping for regular Audit, and Review and Revise

119/122

Record Keeping for regular Audit and Review and Revise

1. Perimeter Security
2. Building Security
3. Plant Security
4. Shipping/Receiving Security
5. Area Security
6. Protective Lighting
7. Key Control / Locking Devices
8. Controls of Personnel / Vehicles
9. Safety for Personnel
10. Organization for Emergency
11. Theft Control
12. Security Guard Forces

120/122

Future Trends

In order to satisfy the changing customer needs that result from the information explosion that has revolutionized the business environment, the future challenge for business organizations, besides risk management, will be to maintain a state of preparedness at all times to ensure:

• staying abreast in intelligence gathering
• response planning
• maintaining organizational resilience

121/122

Any Questions Please???

122/122

Thank You. See You Again