Risk Management CS5493. Risk Management The process of ● identifying, ● assessing, ●...
Risk Management
CS5493
Risk Management
The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating risks.
Risk Management
● An ongoing process that has a life-cycle
– (sustainability cycle)
Risk Management
● Minimize the effects of negative risks
● Maximize the effects of positive risks
Risk Management
● Asset – anything of value
Risk Management
● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally.
A threat is what you wish to protect against.
Risk Management
● Vulnerability – a weakness exploited by threats to compromise assets.
A vulnerability is a weakness.
Define a Risk Equation
● Risk = Threats x Vulnerabilities
– Threats = frequency of an adverse event
– Vulnerability = the probability that a threat will succeed
– Risk = the risk probability
Risk Management
● The exposure cost is the product of the risk-probability value times the loss (of the asset) in dollars.
Cost = RiskProbability * AssetLoss
Example (annual)
● Probability of a fire in the data center resulting in a loss: 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = .0075*.15 = .001125
Example (annual)
● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = $843.75 (risk probability * value of the asset)
Risk Identification
● The process of determining the risks to assets.
● Create the “risk register”
Risk Register
● Creation:
– Brainstorming meeting to identify the risks
– Surveys
– Other events to collect information.
Risk Register
● Content
– A description of each identified risk
– Probability of the risk event occurring
– Steps to mitigate
– Rank each risk in the register
– Describe the impact if the risk event actually occurs and include the cost.
Risk Register
● Ranking risks
– A limited budget will require dropping some perceived risks.
– Concentrate on the most important issues.
Risk Analysis
● Qualitative
● Quantitative
Risk Analysis
● Qualitative
– Risk classification
● High
● Medium
● Low
– Risk impact: how would it impact the overall business.
Risk Analysis
● Quantitative
– Use math
Risk Analysis
● Quantitative
– EF = Exposure Factor
– SLE = Single Loss Expectancy
● SLE = Asset Value x EF
– ARO = Annual Rate of Occurrence
– ALE = Annual Loss Expectancy
● ALE = SLE x ARO
Quantitative Risk Table
| Resource | Risk | Value | EF | SLE | ARO | ALE |
|---|---|---|---|---|---|---|
| Building | Fire | $700,000.00 | 0.6 | $420,000.00 | 0.2 | $84,000.00 |
| File Server | disk crash | $50,000.00 | 0.5 | $25,000.00 | 0.2 | $5,000.00 |
| Data | theft | $200,000.00 | 0.9 | $180,000.00 | 0.7 | $126,000.00 |
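The risk equation and exposure-cost example, the SLE/ALE formulas and the risk-register ranking above, worked through in one added Python example that is not part of the slide deck. The register rows use the slide's table values; the field names, the split of "Data theft" into resource and risk, and the control-cost comparison in control_net_benefit are my own assumptions.

```python
from dataclasses import dataclass

def risk_probability(threat_frequency: float, vulnerability: float) -> float:
    """Risk = Threats x Vulnerabilities: the chance per period that an adverse
    event occurs AND succeeds against the asset."""
    return threat_frequency * vulnerability

def exposure_cost(risk_prob: float, asset_loss: float) -> float:
    """Cost = RiskProbability * AssetLoss, in dollars per period."""
    return risk_prob * asset_loss

@dataclass
class RiskEntry:
    """One row of a quantitative risk register (field names are assumptions)."""
    resource: str
    risk: str
    asset_value: float  # replacement value in dollars
    ef: float           # Exposure Factor: fraction of the asset lost per event
    aro: float          # Annual Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x EF."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro

def rank_register(entries: list) -> list:
    """Order the register by ALE, largest expected annual loss first."""
    return sorted(entries, key=lambda e: e.ale(), reverse=True)

def control_net_benefit(entry: RiskEntry, new_aro: float, annual_cost: float) -> float:
    """Annual saving from a mitigation that lowers ARO to new_aro, minus the
    control's yearly cost; negative means it costs more than the loss avoided."""
    reduced = RiskEntry(entry.resource, entry.risk, entry.asset_value, entry.ef, new_aro)
    return entry.ale() - reduced.ale() - annual_cost

# Constructed from the slide's Quantitative Risk Table (Value, EF, ARO as given).
REGISTER = [
    RiskEntry("Building", "Fire", 700_000, 0.6, 0.2),
    RiskEntry("File Server", "disk crash", 50_000, 0.5, 0.2),
    RiskEntry("Data", "theft", 200_000, 0.9, 0.7),
]

if __name__ == "__main__":
    p = risk_probability(0.0075, 0.15)  # the data-center fire example
    print(f"risk probability {p:.6f}, annual exposure ${exposure_cost(p, 750_000):,.2f}")
    for e in rank_register(REGISTER):
        print(f"{e.resource:12}{e.risk:12}SLE ${e.sle():>12,.2f}  ALE ${e.ale():>12,.2f}")
```

Running it reproduces the $843.75 fire figure and the table's SLE/ALE column, and lists the register with data theft first, which is the order a limited budget should follow.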
Risk Response Planning
● Negative Risks
● Positive Risks
Risk Response Planning
● Responses to negative risks
– Eliminate
– Transfer
– Mitigate
– Accept
Negative Risk Response
● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer risk.
● Mitigate – reduce the probability of the event occurring by taking some action.
● Accept – take no additional action.
Risk Response Planning
● Responses to positive risks
– Exploit
– Share
– Enhance
– Accept
Positive Risk Response
● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus.
● Accept – take no action.
BIA
● Business Impact Analysis, BIA
– A formal analysis separating an organization's functions into critical and non-critical categories.
BIA RPO
● RPO - Recovery Point Objective
– Determine the amount of asset loss that is acceptable.
BIA RTO
● RTO - Recovery Time Objective
– The maximum allowable time to recover from asset loss.
Risk Management
● BIA - Business Impact Analysis
● BCP - Business Continuity Plan
● DRP - Disaster Recovery Plan
BIA
● Business Impact Analysis
– Classifying business functions and activities into critical or non-critical categories.
– Determining the prerequisites to support each function/activity.
– Determining the maximum amount of time each function/activity can be unavailable.
BCP
● BCP – Business Continuity Plan
– A response plan to interruptions of critical functions
● An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
● Creation of an IT intrusion response team
DRP
● DRP – Disaster Recovery Plan
– A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
– Creation of an IT disaster response team
DRP
● DRP – Disaster Recovery Plan
– Fire
– Flood
– Hurricane
– Tornado
– Earthquake
DRP Requirements
● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions
● Data/system backups
● Alternate or redundant facility planning