Risk Assessment and Management
Objective
To enable the organisation to accomplish its mission:
• by better securing the IT systems that store, process, or transmit organisational information;
• by enabling management to make well-informed risk management decisions that justify the expenditure within the IT budget;
• by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation produced by the risk management process.
What is Risk?
Risk is the degree to which a vulnerability can be exploited by a threat to cause loss or damage to an asset. That loss or damage is the impact. Examples of impact:
• Direct loss of money (cash or credit)
• Breach of legislation
• Loss of goodwill or reputation
• Reduction in share value
• Endangering staff or confidence
• Loss of business opportunity
• Reduction in operational efficiency or performance
• Interruption of business activity
In short, risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of its occurrence.
Risk and its Value
Risk is a function of threats, vulnerabilities, the probability that a threat exercises a vulnerability, and the resulting impact. Threats increase as data and systems become more exposed; vulnerabilities increase with the complexity of the system. The value of the assets that would be affected determines the impact. Risk value is therefore treated as the product of the threat value, the vulnerability value, the probability value and the asset value.
Risk Assessment
A method by which:
• risks to the organisation are identified;
• the cost of each risk is calculated;
• the cost of mitigating each risk is calculated;
• a cost-benefit analysis is performed.
This helps management to make informed decisions about the security of IT assets and to ensure that the relevant controls are in place. Depending on the size of the organisation, part of these controls will be extra resourcing, i.e. a dedicated information security officer. A medium to large organisation should have a security officer to carry on the design and deployment of the security programme.
Risk Assessment
The first process in the risk management methodology. It is used to determine the extent of the potential threats and the risk associated with an IT system throughout its SDLC, and it helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. It analyses the threats to an IT system in light of the likely vulnerabilities and the controls already in place, and so helps to determine the likelihood of a future adverse event.
Risk Assessment
The magnitude of harm that could be caused by a threat's exercise of a vulnerability is known as the impact. In the impact analysis, the merits and demerits of quantitative and qualitative assessment are considered. A qualitative assessment may be adopted because it prioritises the risks and identifies the areas needing immediate improvement in addressing the vulnerabilities; its drawback is that it gives no measurement of the magnitude of the impact, which makes a cost-benefit analysis of the recommended controls harder.
Risk Management
Encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures against gains in mission capability, by protecting the IT systems and data that support their organisational mission.
Risk Management
A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities. Effective risk management must be fully integrated into the SDLC.
Risk Management Process
If effective, risk management becomes an important component of a successful IT security programme. It should not be treated primarily as a technical function carried out by IT experts; it is an essential management function. Risk management is the process of identifying and assessing risk and taking steps to reduce it to an acceptable level.
Overall Risk Management Process
[Figure: relationships in the overall risk management process. Threats exploit vulnerabilities; vulnerabilities expose assets; assets have values; asset values indicate security needs; security needs are met by controls; controls protect against threats. Threats, vulnerabilities and asset values increase risk; controls reduce risk; risk results in impact on the organisation.]
Impact Assessment
The impact may be rated as:
High: exercise of the vulnerability may (1) result in the highly costly loss of major tangible assets or resources; (2) significantly violate, harm, or impede an organisation's mission, reputation, or interest; or (3) result in human death or serious injury.
Medium: exercise of the vulnerability may (1) result in the costly loss of tangible assets or resources; (2) violate, harm, or impede an organisation's mission, reputation, or interest; or (3) result in human injury.
Low: exercise of the vulnerability may (1) result in the loss of some tangible assets or resources; or (2) noticeably affect an organisation's mission, reputation, or interest.
Risk Determination
The final determination of mission risk is derived by multiplying the rating assigned for threat likelihood (probability) by the rating assigned for threat impact. A matrix shows how the overall risk rating follows from the threat likelihood and threat impact categories: it is a 3 x 3 matrix of threat likelihood (High, Medium, Low) against threat impact (High, Medium, Low).
Risk-level Matrix (score = impact value x likelihood weight)

Threat likelihood    Impact: Low (10)         Medium (50)              High (100)
High (1.0)           Low    (10 x 1.0 = 10)   Medium (50 x 1.0 = 50)   High   (100 x 1.0 = 100)
Medium (0.5)         Low    (10 x 0.5 = 5)    Medium (50 x 0.5 = 25)   Medium (100 x 0.5 = 50)
Low (0.1)            Low    (10 x 0.1 = 1)    Low    (50 x 0.1 = 5)    Low    (100 x 0.1 = 10)

Risk scale implied by the matrix: High (above 50, up to 100); Medium (above 10, up to 50); Low (1 to 10). A score of 50 is rated Medium whether it arises from high likelihood with medium impact or from medium likelihood with high impact; the level depends only on the score.
Using the matrix, the risk level is identified as High, Medium or Low as a function of likelihood and impact. It represents the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability is exercised, and it determines the action that senior management (the mission owners) must take for each risk level:
High: if an observation or finding is evaluated as high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium: if an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low: if an observation is described as low risk, the system's decision maker (DM) must determine whether corrective actions are still required or decide to accept the risk.
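The risk determination described above, carried through as a small working tool. This is an added example, not code from the original slides: it takes the likelihood weights (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and corrective-action text from the deck, assumes the score thresholds the matrix implies (above 50 is High, above 10 is Medium, otherwise Low), rebuilds the full 3 x 3 matrix from those rules, and then rates a constructed list of sample findings so they come out in the priority order a qualitative assessment is meant to give management. The findings, their identifiers and the `Finding` / `RatedFinding` types are hypothetical.

```python
"""Risk determination with a likelihood x impact matrix.

Added example (not from the original slides). Weights, impact values and
corrective-action text follow the deck; the score-to-level thresholds are
the ones the matrix implies (assumption). Sample findings are constructed.
"""
from dataclasses import dataclass

# Ratings from the deck's risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Action required of senior management for each risk level (from the deck).
ACTIONS = {
    "High": "Strong need for corrective measures; the system may continue to "
            "operate, but a corrective action plan must be put in place as soon "
            "as possible.",
    "Medium": "Corrective actions are needed; develop a plan to incorporate them "
              "within a reasonable period of time.",
    "Low": "The decision maker determines whether corrective action is still "
           "required or accepts the risk.",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Score = likelihood weight x impact value, as in the matrix.

    Rounded so float noise (e.g. 0.1 * 100) cannot push a score across a
    threshold. Unknown ratings are rejected rather than silently scored 0.
    """
    try:
        return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)
    except KeyError as exc:
        raise ValueError(f"rating must be High, Medium or Low, got {exc}") from None


def risk_level(score: float) -> str:
    """Map a score to a level. Thresholds are an assumption drawn from the matrix:
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Rebuild the full table: matrix[likelihood][impact] = (score, level)."""
    return {
        lk: {im: (risk_score(lk, im), risk_level(risk_score(lk, im))) for im in IMPACT}
        for lk in LIKELIHOOD
    }


@dataclass
class Finding:                    # hypothetical record of one observation
    ident: str
    description: str
    likelihood: str
    impact: str


@dataclass
class RatedFinding:
    finding: Finding
    score: float
    level: str
    action: str


def rate_findings(findings: list) -> list:
    """Rate every finding and return them highest risk first; ties keep input order."""
    rated = [
        RatedFinding(f, s, lv, ACTIONS[lv])
        for f in findings
        for s in [risk_score(f.likelihood, f.impact)]
        for lv in [risk_level(s)]
    ]
    rated.sort(key=lambda r: r.score, reverse=True)   # stable, so ties keep order
    return rated


# Constructed sample findings (hypothetical, not from the slides).
SAMPLE_FINDINGS = [
    Finding("F-1", "Internet-facing server missing vendor patches", "High", "High"),
    Finding("F-2", "Shared admin account on internal file server", "Medium", "Medium"),
    Finding("F-3", "Backup tapes stored unencrypted off-site", "Low", "High"),
    Finding("F-4", "Guest Wi-Fi broadcasts the default SSID", "High", "Low"),
]

if __name__ == "__main__":
    for lk, row in risk_matrix().items():
        cells = "  ".join(f"{im}: {s:>5g} -> {lv}" for im, (s, lv) in row.items())
        print(f"{lk:<7} {cells}")
    print()
    for r in rate_findings(SAMPLE_FINDINGS):
        print(f"{r.finding.ident} {r.level:<6} score={r.score:>5g}  {r.finding.description}")
        print(f"      action: {r.action}")
```

Running it prints the reconstructed matrix followed by the four sample findings ordered F-1 (High, 100), F-2 (Medium, 25), F-3 and F-4 (both Low, 10). The useful check is that the two different ways of reaching a score of 50 land on the same level; if a team wants Medium likelihood with High impact to rank above High likelihood with Medium impact, that is a deliberate change to the thresholds or weights, not something the product alone expresses.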