Information Security Risk Management-PR1 Security Risk... · Process is composed of technology,...
Information Security Risk Management
Based on ISO/IEC 17799
Houman Sadeghi Kaji, Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist, BS7799 LA, [email protected]
Target Audience
This session is primarily intended for:
Systems architects and planners
Members of the information security team
Security and IT auditors
Senior executives, business analysts, and business decision makers
Consultants and partners
Motivation for this Presentation
Security is a process, not a product. Security products will not save you. A process is composed of technology, people, and tools. This matters because processes involve time and interaction between entities, and many of the hard problems in security stem from this inherent interaction.
What is a risk (generic)
A definable event
Probability of occurrence
Consequence (impact) of occurrence
A risk is not a problem. A problem is a risk whose time has come.
Session Overview
Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness
Security Risk Management Concepts
What is a security risk
Threat: any potential danger to information or systems (e.g. fire).
Vulnerability: a software, hardware, or procedural weakness that may give an attacker an open door into a system (e.g. lack of water).
Risk: the loss potential (probability) that a threat will exploit a vulnerability.
Relationship among different security components
(Diagram recovered from the slide, read as a cycle of labelled arrows:)
Threat agent: gives rise to a Threat
Threat: exploits a Vulnerability
Vulnerability: leads to a Risk
Risk: can damage an Asset
Asset: and causes an Exposure
Exposure: can be countermeasured by a Safeguard
Safeguard: directly affects the Threat agent
Why Develop a Security Risk Management Process?
Developing a formal security risk management process can address the following:
Threat response time
Regulatory compliance
Infrastructure management costs
Risk prioritization and management
Security risk management: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization.
Two key questions being asked today
How much information security is enough, and how do I know?
How do I get my organization to consistently follow our security policies?
Identifying Success Factors That Are Critical to Security Risk Management
Key factors to implementing a successful security risk management program include:
An atmosphere of open communication and teamwork
Organizational maturity in terms of risk management
Executive sponsorship
A well-defined list of risk management stakeholders
A holistic view of the organization
Security risk management team authority
Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
Proactive approach: the adoption of a process that reduces the risk of new vulnerabilities in your organization
Reactive approach: a process that responds to security events as they occur
Comparing Approaches to Risk Prioritization

Approach: Quantitative
Benefits: Risks prioritized by financial impact; assets prioritized by their financial values. Results facilitate management of risk by return on security investment. Results can be expressed in management-specific terminology.
Drawbacks: Impact values assigned to risks are based upon subjective opinions of the participants. Very time-consuming. Can be extremely costly.

Approach: Qualitative
Benefits: Enables visibility and understanding of risk ranking. Easier to reach consensus. Not necessary to quantify threat frequency. Not necessary to determine financial values of assets.
Drawbacks: Insufficient granularity between important risks. Difficult to justify investing in controls, as there is no basis for a cost-benefit analysis. Results dependent upon the quality of the risk management team that is created.
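As an added example (not from the deck), a small Python risk register that applies the generic risk definition above (event, probability of occurrence, consequence of occurrence) and contrasts the two prioritization approaches in this table: expected loss and a return-on-security-investment figure for the quantitative ranking, and an assumed 3x3 likelihood/impact band matrix for the qualitative ranking. The ROSI formula, the band thresholds and all register figures are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float      # probability that the definable event occurs in a year (0..1)
    impact: float           # consequence of one occurrence, in currency units
    control_cost: float     # annual cost of the proposed safeguard
    residual_factor: float  # fraction of the expected loss that remains after the safeguard

def expected_loss(r: Risk) -> float:
    """Quantitative view: probability of occurrence x consequence (impact) of occurrence."""
    return r.probability * r.impact

def rosi(r: Risk) -> float:
    """Return on security investment (assumed definition): loss avoided, net of control cost, per unit of cost."""
    avoided = expected_loss(r) * (1.0 - r.residual_factor)
    return (avoided - r.control_cost) / r.control_cost

def quantitative_order(register: list[Risk]) -> list[str]:
    """Rank by financial impact, then by ROSI, as the quantitative approach does."""
    return [r.name for r in sorted(register, key=lambda r: (expected_loss(r), rosi(r)), reverse=True)]

# Assumed 3-band scales for the qualitative approach; the deck gives no specific matrix.
PROB_BANDS = [(0.1, "low"), (0.5, "medium"), (1.0, "high")]
IMPACT_BANDS = [(10_000.0, "low"), (100_000.0, "medium"), (float("inf"), "high")]

def band(value: float, bands) -> str:
    return next(label for limit, label in bands if value <= limit)

def qualitative_rank(r: Risk) -> str:
    """Qualitative view: likelihood band / impact band; no financial values needed."""
    return f"{band(r.probability, PROB_BANDS)}/{band(r.impact, IMPACT_BANDS)}"

def qualitative_ties(register: list[Risk]) -> dict[str, list[str]]:
    """Risks the qualitative scale cannot separate: the 'insufficient granularity' drawback."""
    groups: dict[str, list[str]] = defaultdict(list)
    for r in register:
        groups[qualitative_rank(r)].append(r.name)
    return {cell: names for cell, names in groups.items() if len(names) > 1}

# Constructed sample register; all figures are illustrative, not from the deck.
REGISTER = [
    Risk("Ransomware on file server", 0.3, 200_000, 20_000, 0.2),
    Risk("Customer database breach", 0.25, 240_000, 30_000, 0.5),
    Risk("Laptop theft", 0.6, 5_000, 2_000, 0.1),
    Risk("Data centre fire", 0.02, 1_000_000, 50_000, 0.5),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28} loss={expected_loss(r):>10,.0f} rosi={rosi(r):+.2f} qual={qualitative_rank(r)}")
    print("quantitative order:", quantitative_order(REGISTER))
    print("qualitative ties:", qualitative_ties(REGISTER))
```

The two top risks land in the same qualitative cell, while the quantitative figures separate them and show that the proposed control for the second one only breaks even.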
Generic Security Risk Management Methodology
(Process diagram recovered from the slide; phases and the steps within each:)
Project Start
Identify: identify baseline or new risks
Analyze: classify risks; evaluate risks; prioritize risks
Plan: assign responsibility; determine action plan; determine response strategy
Tracking & Control: track risks; control risks
Communication: communicate risks inside and outside the project team
Introducing the Security Risk Management Process
(Four-phase cycle recovered from the slide:)
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness
Requirements continue to change … (Director, CFO, CIO)
Different Perspectives
(Diagram of risk perspectives and the risk domains they cover; labels recovered from the slide:)
Perspectives: Insurance; Strategic; Economic; Business; Process; Culture
Risk domains: Strategic Risk Management; Capital Markets/Treasury Risk; Market Risk, Liquidity Risk; Analytics & Modeling; Credit Analytics; Property, Casualty, Liability Risk Management; Multi-line, Multi-risk Insurance Products; Asset Protection; Operations Compliance; Financial Internal Control; Profit Recovery; Corporate Ethics; Corporate Compliance; Operational Risk Management; Physical & Information Security; Privacy