Information Security Risk Management-PR1


Page 1

Information Security Risk Management

Based on ISO/IEC 17799

Houman Sadeghi Kaji
Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist, BS7799 LA
[email protected]

Page 2

Target Audience

This session is primarily intended for:

Systems architects and planners

Members of the information security team

Security and IT auditors

Senior executives, business analysts, and business decision makers

Consultants and partners

Page 3

Motivation for this Presentation

Security is a process, not a product. Security products will not save you.

Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security stem from this inherent interaction.

Page 4

What is a risk? (generic)

A definable event
Probability of occurrence
Consequence (impact) of occurrence

A risk is not a problem … a problem is a risk whose time has come.

Page 5

Session Overview

Security Risk Management Concepts
Identifying Security Risk Management Prerequisites
Assessing Risk
Conducting Decision Support
Implementing Controls and Measuring Program Effectiveness

Page 6

Security Risk Management Concepts


Page 7

What is a security risk?

Threat – any potential danger to information or systems (e.g. fire)
Vulnerability – a software, hardware, or procedural weakness that may give an attacker an open door into a system (e.g. lack of water)
Risk – the loss potential (probability) that a threat will exploit a vulnerability

Page 8

Relationship among different security components

Threat agent – gives rise to – Threat
Threat – exploits – Vulnerability
Vulnerability – leads to – Risk
Risk – can damage – Asset
Asset – and causes an – Exposure
Exposure – can be countermeasured by a – Safeguard
Safeguard – directly affects – Threat agent

Page 9

Why Develop a Security Risk Management Process?

Developing a formal security risk management process can address the following:

Threat response time
Regulatory compliance
Infrastructure management costs
Risk prioritization and management

Security risk management: A process for identifying, prioritizing, and managing risk to an acceptable level within the organization

Page 10

Two key questions being asked today

How much information security is enough, and how do I know?

How do I get my organization to consistently follow our security policies?

Page 11

Identifying Success Factors That Are Critical to Security Risk Management

Key factors to implementing a successful security risk management program include:

An atmosphere of open communication and teamwork

Organizational maturity in terms of risk management

Executive sponsorship

Well-defined list of risk management stakeholders

A holistic view of the organization

Security risk management team authority

Page 12

Comparing Approaches to Risk Management

Many organizations have approached security risk management by adopting the following:

Proactive approach – the adoption of a process that reduces the risk of new vulnerabilities in your organization

Reactive approach – a process that responds to security events as they occur

Page 13

Comparing Approaches to Risk Prioritization

Approach: Quantitative

Benefits:
Risks prioritized by financial impact; assets prioritized by their financial values
Results facilitate management of risk by return on security investment
Results can be expressed in management-specific terminology

Drawbacks:
Impact values assigned to risks are based upon subjective opinions of the participants
Very time-consuming
Can be extremely costly

Approach: Qualitative

Benefits:
Enables visibility and understanding of risk ranking
Easier to reach consensus
Not necessary to quantify threat frequency
Not necessary to determine financial values of assets

Drawbacks:
Insufficient granularity between important risks
Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
Results dependent upon the quality of the risk management team that is created
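As an added worked example (written for this page, not part of the presentation) contrasting the two prioritization approaches in the table above: it scores a constructed risk register both quantitatively (probability of occurrence times financial consequence, with a simple return-on-security-investment check) and qualitatively (likelihood band times impact band), and reports the ties the qualitative ranking cannot separate. The register values, the band thresholds and the ROSI formula are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float        # annual probability of the definable event (0..1)
    impact: float             # consequence of one occurrence, in currency units
    control_cost: float       # annual cost of the proposed safeguard
    control_reduction: float  # fraction of expected loss the safeguard removes

def expected_loss(r: Risk) -> float:
    """Quantitative score: probability of occurrence times financial consequence."""
    return r.probability * r.impact

def return_on_security_investment(r: Risk) -> float:
    """Loss avoided by the safeguard minus its cost; negative means it does not pay for itself."""
    return expected_loss(r) * r.control_reduction - r.control_cost

def band(value: float, thresholds: tuple) -> int:
    # 1 (low), 2 (medium) or 3 (high) by ascending thresholds; the scale is an assumption
    return 1 + sum(value >= t for t in thresholds)

def qualitative_score(r: Risk) -> int:
    """Likelihood band times impact band: no threat frequencies or asset valuations needed."""
    return band(r.probability, (0.1, 0.5)) * band(r.impact, (10_000, 100_000))

def prioritize_quantitative(register: list) -> list:
    return sorted(register, key=expected_loss, reverse=True)

def prioritize_qualitative(register: list) -> list:
    return sorted(register, key=qualitative_score, reverse=True)  # stable: ties keep input order

def tied_groups(register: list) -> dict:
    """Risks the qualitative ranking cannot separate (the 'insufficient granularity' drawback)."""
    groups: dict = {}
    for r in register:
        groups.setdefault(qualitative_score(r), []).append(r.name)
    return {score: names for score, names in groups.items() if len(names) > 1}

# Constructed sample register; probabilities, impacts and control costs are assumed
# values chosen for illustration, not figures from the presentation.
REGISTER = [
    Risk("ransomware on file server", 0.20, 250_000, 30_000, 0.8),
    Risk("lost unencrypted laptop", 0.60, 40_000, 5_000, 0.9),
    Risk("data centre fire", 0.02, 2_000_000, 60_000, 0.5),
    Risk("phishing of finance staff", 0.70, 60_000, 8_000, 0.6),
]
```

On this register `prioritize_quantitative(REGISTER)` ranks the file-server ransomware first and the laptop loss last, and the fire safeguard shows a negative ROSI, while `tied_groups(REGISTER)` reports three risks sharing the same qualitative score, so the qualitative ranking alone cannot order them or justify the spend.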

Page 14

Generic Security Risk Management Methodology

Project Start

Identify: identify baseline or new risks

Analyze: classify risks, evaluate risks, prioritize risks

Plan: assign responsibility, determine response strategy, determine action plan

Tracking & Control: track risks, control risks

Communication: communicate risks inside and outside the project team

Page 15

Introducing the Security Risk Management Process

1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness

Page 16

Requirements continue to change … DIRECTOR - CFO - CIO

Different Perspectives

Perspectives: Insurance, Strategic, Economic, Business, Process, Culture

Strategic Risk Management
Capital Markets/Treasury Risk
Market Risk, Liquidity Risk
Analytics & Modeling
Credit Analytics
Property, Casualty, Liability
Risk Management
Multi-line, Multi-risk Insurance Products
Asset Protection
Operations
Compliance
Financial Internal Control
Profit Recovery
Corporate Ethics
Corporate Compliance
Operational Risk Management
Physical & Information Security
Privacy