MIS 5206 Protecting Information Assets
Week 4: Risk Evaluation
MIS 5206 Week 4
• Readings
– Vacca, Security Management Systems, Chapter 22
– Vacca, Risk Management, Chapter 53
– ISACA Risk IT Framework pp. 47-96
– NIST Reading 1: Information Security Handbook: A Guide for Managers, Chapter 10 – “Risk Management”, pp. 84-95
• Class
– In the News
– Week 3 Material Highlights
– Risk Evaluation
– Test Taking Tip
– Quiz
Week 3: Data Classification Process and Models
Why is data classification important?
• Focuses attention on the identification and valuation of information assets
• Is the basis for access control policy and processes
Risk Evaluation
Risk evaluation is the process of identifying risk scenarios and describing their potential business impact
Risk Evaluation - Key Components
Collect Data
Identify relevant data to enable effective IT-related risk identification, analysis and reporting
Analyze Risk
Develop useful information to support risk decisions that take into account the business impact of risk factors
Maintain Risk Profile
Maintain an up-to-date and complete inventory of known risks and their attributes, as understood in the context of IT controls and business processes
Collect Data
Analyze Risk
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
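To make the ALE formula concrete, here is an added worked example in Python; it is not from the slides or the assigned readings. It builds a small constructed risk register, computes ALE for each scenario, ranks the scenarios for the risk profile, and compares a safeguard's yearly cost against the ALE it removes. The scenario names, dollar amounts and rates are constructed, and the `safeguard_net_benefit` comparison is a standard extension of the formula that the slide itself does not show.

```python
"""Quantitative risk analysis with ALE = SLE x ARO over a constructed risk register.
Added example: scenarios, figures and the safeguard comparison are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected events per year


def aro_from_interval(years_between_events: float) -> float:
    """Express 'one event every N years' as an annualized rate, 1/N.
    An ARO below 1 is normal for rare events; above 1 means several per year."""
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years_between_events


def ale(scenario: RiskScenario) -> float:
    """Annualized loss expectancy = SLE x ARO (the formula on the slide)."""
    if scenario.sle < 0 or scenario.aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return scenario.sle * scenario.aro


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, as a risk profile would list them."""
    return sorted(scenarios, key=ale, reverse=True)


def safeguard_net_benefit(scenario: RiskScenario, aro_after: float, annual_cost: float) -> float:
    """Standard extension (assumption, not on the slide): ALE reduction minus the
    yearly cost of the safeguard. Negative means the control costs more than the
    risk it removes."""
    reduced = RiskScenario(scenario.name, scenario.sle, aro_after)
    return ale(scenario) - ale(reduced) - annual_cost


# Constructed sample register (hypothetical values).
REGISTER = [
    RiskScenario("Ransomware on file server", sle=250_000, aro=aro_from_interval(5)),
    RiskScenario("Laptop theft (disk encrypted)", sle=3_000, aro=4.0),
    RiskScenario("Data-centre flood", sle=2_000_000, aro=aro_from_interval(100)),
]

if __name__ == "__main__":
    for s in rank_by_ale(REGISTER):
        print(f"{s.name:32s} SLE ${s.sle:>12,.0f}  ARO {s.aro:5.2f}  ALE ${ale(s):>10,.0f}")
    # Hypothetical safeguard: offline backups cut the ransomware ARO to once in
    # 20 years and cost $12,000 a year.
    print("net benefit of backups:", safeguard_net_benefit(REGISTER[0], aro_from_interval(20), 12_000))
```

Ranking by ALE is what lets a rare, expensive event (the flood, one in a hundred years) outrank a frequent, cheap one (laptop theft four times a year) in the register; the raw SLE or ARO alone would order them differently.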
FIPS 199: Risk event impact ratings
FIPS 199: Composite IS risk event impact ratings
Example with multiple information types:
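As an added example of the composite rating for a system holding several information types (this is not a slide from the deck), the Python below applies the FIPS 199 high water mark rule: for each security objective the system takes the highest impact level found among its information types, and the overall system level is the highest of the three objectives. FIPS 199 allows "not applicable" only for the confidentiality of public information, and a system category is never lower than low, so both cases are handled. The information types and their impact levels are constructed.

```python
"""FIPS 199 security categorization of a system with several information types,
using the high water mark rule. Added example; the sample information types and
their impact levels are constructed, not taken from the slides."""

# Ordinal ranking of FIPS 199 potential-impact levels. "n/a" (not applicable) is
# permitted by FIPS 199 only for the confidentiality of public information.
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels):
    """Return the highest impact level among the given levels."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=lambda lvl: IMPACT_RANK[lvl])


def validate(info_type, ratings):
    """Reject unknown levels and 'n/a' on anything but confidentiality."""
    for obj in OBJECTIVES:
        level = ratings.get(obj)
        if level not in IMPACT_RANK:
            raise ValueError(f"{info_type}: bad {obj} level {level!r}")
        if level == "n/a" and obj != "confidentiality":
            raise ValueError(f"{info_type}: 'n/a' is only allowed for confidentiality")


def categorize_system(info_types):
    """info_types maps an information-type name to {objective: level}.
    Returns the per-objective system category (high water mark across the
    information types) and the overall level (high water mark across objectives)."""
    for name, ratings in info_types.items():
        validate(name, ratings)
    per_objective = {
        obj: high_water_mark(r[obj] for r in info_types.values())
        for obj in OBJECTIVES
    }
    # A system category is never lower than low: if every information type's
    # confidentiality is n/a, the system is still categorized low.
    if per_objective["confidentiality"] == "n/a":
        per_objective["confidentiality"] = "low"
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_category(per_objective, overall):
    """Render in the FIPS 199 triple notation."""
    triples = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in per_objective.items())
    return f"SC system = {{{triples}}} -> overall {overall.upper()}"


# Constructed sample: one system carrying three information types.
SAMPLE_SYSTEM = {
    "public web content":   {"confidentiality": "n/a",      "integrity": "moderate", "availability": "moderate"},
    "customer PII":         {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment transactions": {"confidentiality": "moderate", "integrity": "high",     "availability": "moderate"},
}

if __name__ == "__main__":
    print(format_category(*categorize_system(SAMPLE_SYSTEM)))
```

Note that one high rating on a single objective of a single information type (integrity of payment transactions) is enough to make the whole system high, which is the point of the high water mark: controls are selected for the most sensitive information the system carries, not the average.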
Analyzing risk
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99
Maintain Risk Profile
Case: HDFC Banking
Let’s discuss the case:
The article is a bit dated; since it was written, online adoption and use have increased exponentially.
Is online banking in India still in awareness creation mode?
Generationally…? Age is a big issue – older folks want a face to face “guarantee” for their transactions
Geographically…? City dwellers versus country dwellers is a big thing!
Country dwellers…
• Anything that is tangible, that customers can touch, they can trust
• To many in the country, online is not tangible; if they cannot physically see/touch the bank teller, there is a belief that it cannot be trusted
• What is the role of employee security awareness training in the overall security risk management strategy?
• To what extent should a company attempt to educate their customers about security concerns?
• What are some of the methods a company can use to raise security awareness?
• What if anything should HDFC do to make existing customers more secure?
• How should HDFC deal with customers who, while signed-up, do not use online banking services?
• At this point, should HDFC bank outsource secure data and transactions?
Test Taking Tip
Focus on the “highest likelihood” answers for test taking efficiency
Here’s why:
• Some of the answers use unfamiliar terms and stand out as unlikely and can therefore be discarded immediately
- Eliminate any “probably wrong” answers first -
• Some answers are clearly wrong and you can recognize them based on your familiarity with the subject
• The correct answer may require a careful reading of the wording of the question, and eliminating the unlikely answers early in the evaluation process helps you focus on key concepts for making the choice
Test Taking Tip
Example:
The promotion manager of Northeast Electronics has been made the owner of the department’s printers and other resources. The manager can now designate who in the department can use the large format printer. What term is used to describe this type of access control?
A. Mandatory
B. Role-Based
C. Discretionary
D. Distributed
Answer: C
Working through the answers in the order the slides eliminate them:
• Nothing seems mandatory about this scenario
• Maybe ….
• Nothing about roles other than manager in the question
• Distributed is not relevant to the information in the question
Quiz