INF3510 Information Security
University of Oslo, Spring 2014

Lecture 3: Risk Management, Business Continuity Management

University of Oslo, spring 2014
Audun Jøsang

What is risk?

Figure: the risk model. A threat agent (• Motivation • Capacity) gives rise to threats; threats, vulnerabilities and assets are the three elements of risk. The likelihood of a threat / incident, together with the impact on the asset of the threat / incident, gives the risk.

What is risk management?

• "IS risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce risk to an acceptable level." – ISO 27005
• "Risk management consists of coordinated activities to direct and control an organization with regard to risk." – ISO 31000, ISO/IEC 27002

Risk Management – ISMS integration

Figure: the ISMS cycle Plan – Operate – Evaluate – Improve, shown together with IS Risk Management as part of the ISMS.

Risk Management standards

• ISO 27005 Information Security Risk Management
• ISO 31000 Risk Management
• NIST SP 800-39 Managing Information Security Risk
• NIST SP 800-30 Guide for Conducting Risk Assessment – formerly called "Risk Management Guide for Information Technology Systems"
• NS 5831 Samfunnssikkerhet – Beskyttelse mot tilsiktede uønskede handlinger – Risikohåndtering (Societal security – Protection against intentional undesirable actions – Risk management)
• NS 5832 Samfunnssikkerhet – Beskyttelse mot tilsiktede uønskede handlinger – Risikoanalyse (Societal security – Protection against intentional undesirable actions – Risk analysis)

Basis for assessing risk

• Know the assets: identify, examine, and understand the information and systems currently in place
• Know the enemy: identify, examine, and understand the threats facing the organization
• Know the losses your organisation can tolerate
• Know the responsibility of each stakeholder within the organization to manage the risks that are encountered

Proportionality principle

How much should I spend on securing? Why??
How much should I spend on securing my reputation?

• The Proportionality Principle:
– Apply a set of controls (physical, technical and administrative controls) that match the perceived risk to, and value of, an organisation's information assets

Problems of measuring risk

Businesses normally wish to measure risk in money, but it is almost impossible to do this:
– Valuation of assets
• Value of data, hard to assess
• Value of goodwill and customer confidence, very vague
– Likelihood of threats
• Past events not always relevant for future probabilities
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security controls
• Problems with the difference of two approximate quantities
– Estimation of past and present risk

Roles involved in risk management

• Management, users, and information technology must all work together
– Asset owners must participate in developing inventory lists
– Users and experts must assist in identifying threats and vulnerabilities, and in determining likelihoods
– Risk management experts must guide stakeholders through the risk assessment process
– Security experts must assist in selecting controls
– Management must review the risk management process and approve controls

Risk management process (ISO 27005)

Figure: the ISO 27005 process flow.
Context establishment: • Organisation • Approach • Scope • Risk criteria
Risk assessment: • Risk identification • Risk estimation • Risk evaluation • Communication
Risk decision point 1: Assessment satisfactory? (Y / N)
Risk treatment plan: • Risk reduction • Risk transfer • Risk retention • Risk avoidance • Communication
Risk decision point 2: Treatment satisfactory? (Y / N)
Accepted residual risk, then: Implement risk treatment plan, feeding the information security strategy
• Risk communication runs alongside all steps

Asset Valuation and Prioritization

• Questions help develop criteria for asset valuation
• Which information asset:
– is most critical to the organization's success?
– generates the most revenue/profitability?
– would be most expensive to replace or protect?
– would be embarrassing or cause liability if revealed?
• Prioritization
– Create a weighting for each category
– Calculate the relative importance of each asset
– List the assets in order of importance using a weighted factor analysis worksheet

Threat identification

• Realistic threats need to be described; unimportant threats are set aside
• Threat assessment:
– Which threats present danger to assets?
– Which threats represent the most danger to information?
– How much would it cost to recover from an attack?
– Which threats are most expensive to prevent?

Threat Modelling

• Attacker-centric
– Starts from attackers, evaluates their goals, and how they might achieve them through an attack tree. Usually starts from entry points or attacker action.
• System-centric (aka. SW-, design-, architecture-centric)
– Starts from a model of the system, and attempts to follow the model's dynamics and logic, looking for types of attacks against each element of the model. This approach is e.g. used for threat modeling in Microsoft's Security Development Lifecycle.
• Asset-centric
– Starts from assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how security breaches of CIA properties can happen.

Attacker-centric attack tree example

G0: Attacker wants user account data (OR node over G1, G2, G3)
– G1: SQL injection through web
– G2: Impersonate login (AND node over G4, G5)
  – G4: Get login Ids
  – G5: Find passwords
– G3: Attack user client with XSS (cross site script)

Legend: G0: Main goal. AND (conjunctive): all subgoals needed. OR (disjunctive): any subgoal needed.

Probability of attack success: p(G0) = 1-(1-p(G1))·(1-(p(G4)·p(G5)))·(1-p(G3))

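The attack-tree evaluation on this slide, as an added example that is not part of the lecture material: AND nodes multiply the subgoal probabilities, OR nodes combine them as 1 minus the product of the failure probabilities, which is exactly the closed form on the slide. The leaf probabilities are constructed values, and the evaluator assumes independent subgoals, as the slide's formula does.

```python
# Added example (not from the lecture slides): evaluating the attack tree
# G0 = OR(G1, G2, G3), G2 = AND(G4, G5) and checking it against the slide's
# closed-form expression. Leaf probabilities are constructed estimates.
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Leaf:
    name: str
    p: float                 # estimated probability that this subgoal succeeds


@dataclass
class Node:
    name: str
    op: str                  # "AND" (conjunctive) or "OR" (disjunctive)
    children: List["Goal"]


Goal = Union[Leaf, Node]


def p_success(goal: Goal) -> float:
    """Probability that the goal is reached, assuming independent subgoals."""
    if isinstance(goal, Leaf):
        return goal.p
    ps = [p_success(c) for c in goal.children]
    if goal.op == "AND":     # all subgoals needed: product of probabilities
        result = 1.0
        for p in ps:
            result *= p
        return result
    if goal.op == "OR":      # any subgoal suffices: 1 - P(all subgoals fail)
        all_fail = 1.0
        for p in ps:
            all_fail *= 1.0 - p
        return 1.0 - all_fail
    raise ValueError(f"unknown operator {goal.op!r}")


def slide_tree(p1: float, p3: float, p4: float, p5: float) -> Node:
    """The tree on the slide with the given leaf estimates."""
    return Node("G0: attacker wants user account data", "OR", [
        Leaf("G1: SQL injection through web", p1),
        Node("G2: impersonate login", "AND", [
            Leaf("G4: get login IDs", p4),
            Leaf("G5: find passwords", p5),
        ]),
        Leaf("G3: attack user client with XSS", p3),
    ])


def slide_formula(p1: float, p3: float, p4: float, p5: float) -> float:
    """The closed form printed on the slide, used to cross-check p_success."""
    return 1 - (1 - p1) * (1 - p4 * p5) * (1 - p3)


def control_effect(p1, p3, p4, p5, leaf: str, new_p: float) -> float:
    """Drop in p(G0) if a control lowers one leaf's probability to new_p.
    Useful for deciding which subgoal a control budget should target."""
    before = p_success(slide_tree(p1, p3, p4, p5))
    est = {"G1": p1, "G3": p3, "G4": p4, "G5": p5}
    est[leaf] = new_p
    after = p_success(slide_tree(est["G1"], est["G3"], est["G4"], est["G5"]))
    return before - after


if __name__ == "__main__":
    p = (0.1, 0.2, 0.5, 0.4)   # constructed estimates for G1, G3, G4, G5
    print("p(G0) =", round(p_success(slide_tree(*p)), 4))        # 0.424
    for leaf in ("G1", "G3", "G4", "G5"):
        print(leaf, "-> 0:", round(control_effect(*p, leaf, 0.0), 4))
```

Because G4 and G5 sit under an AND node, removing either one removes all of G2, so a control on the cheaper of the two buys the same reduction in p(G0).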
System-centric threat modelling example

Figure: Internet → Front end web server → Back end app. logic → MySQL database.
Threats: User may not have logged off on a shared computer; SQL injection; Unauthorized access; Traffic interception.
Controls: Implement timeout; Implement encryption; Password policy; Validate input.

Asset-centric threat modelling example

Assets: Customer base; Company reputation; HW and SW; Data CIA; Legal compliance.
Threats: Disclosure of user data; DOS attack; Misuse of user data; Penetration of servers.

Vulnerability Identification

• Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
• Examine how each incident/threat could be perpetrated and list the organization's assets and vulnerabilities
• The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions
• At the end of the risk identification process, a list of assets and their vulnerabilities is achieved

Identifying specific risks

• A valid combination of threat, vulnerability and asset impact represents a single specific risk
• All relevant specific risks should be identified

Vulnerabilities:
• Weak passwords
• Poor awareness
• No input validation
• Outdated antivirus
• Weak ciphers
• Short crypto keys
• Poor usability
• …

Asset impacts:
• Deleted files
• Damaged files
• Damaged reputation
• Stolen files - sensitivity levels 1, 2, 3
• Intercepted traffic
• False transaction
• …

Threats / incidents:
• Password compromise
• SQL injection
• Logical bomb in SW
• Trojan infects clients
• Cryptanalysis of cipher
• Brute force attack
• Social engineering
• …

Estimating risk levels

Types of analysis
• Qualitative
– Uses descriptive scales. Example:
• Impact level: Minor, moderate, major, catastrophic
• Likelihood: Rare, unlikely, possible, likely, almost certain
• Semi-quantitative
– Qualitative scales assigned numerical values
– Can be used in formulae for prioritization (with caution)
• Quantitative
– Uses numerical values for both consequence (e.g. $$$) and likelihood (e.g. probability value)

Qualitative likelihood scale

| Likelihood | Description |
| High | Is expected to occur in most conditions (1 or more times per year). |
| Medium | The event will probably happen in most conditions (every 2 years). |
| Low | The event should happen at some time (every 5 years). |
| Unlikely | The event could happen at some time (every 10 years). |

(Rows are ordered by increasing likelihood from bottom to top.)

Qualitative impact level scale

| Impact Level | Description |
| Major | Major problems would occur and threaten the provision of important processes resulting in significant financial loss. |
| Moderate | Services would continue, but would need to be reviewed or changed. |
| Minor | Effectiveness of services would be threatened but dealt with. |
| Insignificant | Dealt with as a part of routine operations. |

(Rows are ordered by increasing impact from bottom to top.)

Qualitative risk estimation - example

Qualitative risk levels: add likelihood & impact level.

| Likelihood \ Impact level | (0) Insignificant | (1) Minor | (2) Moderate | (3) Major |
| (3) High | (3) M | (4) H | (5) VH | (6) E |
| (2) Medium | (2) L | (3) M | (4) H | (5) VH |
| (1) Low | (1) VL | (2) L | (3) M | (4) H |
| (0) Unlikely | (0) N | (1) VL | (2) L | (3) M |

Legend:
E: extreme risk; immediate action required
(V)H: (very) high risk; senior management attention needed
M: moderate risk; management responsibility must be specified
(V)L: (very) low risk; manage by routine procedures
N: negligible risk; to be ignored

Semi-quantitative risk estimation - example

Semi-quantitative risk levels: multiply likelihood & impact level.

| Likelihood \ Impact level | (0) Nil | (1) Insign. | (2) Minor | (3) Moderate | (4) Major |
| (4) High | (0) Nil | (4) M | (8) H | (12) VH | (16) E |
| (3) Medium | (0) Nil | (3) L | (6) M+ | (9) H+ | (12) VH |
| (2) Low | (0) Nil | (2) VL | (4) M | (6) M+ | (8) H |
| (1) Unlikely | (0) Nil | (1) Neg | (2) VL | (3) L | (4) M |
| (0) Never | (0) Nil | (0) Nil | (0) Nil | (0) Nil | (0) Nil |

Legend:
E: extreme; immediate action required
VH: very high; priority action
H+: high +; management attention
H: high; management attention
M+: moderate +; specify responsibility
M: moderate; specify responsibility
L: low; manage by routine procedures
VL: very low; manage by routine
Neg: negligible; to be ignored
Nil: nil; no risk exists

Quantitative risk estimation example

Example quantitative risk analysis method
• Quantitative parameters
– Asset Value (AV)
• Estimated total value of asset
– Exposure Factor (EF)
• Percentage of asset loss caused by threat occurrence
– Single Loss Expectancy (SLE)
• SLE = AV · EF
– Annualized Rate of Occurrence (ARO)
• Estimated frequency a threat will occur within a year
– Annualised Loss Expectancy (ALE)
• ALE = SLE · ARO

Quantitative risk estimation example

Example quantitative risk analysis
• Risk description
– Asset: Public image (and trust)
– Threat: Defacing web site through intrusion
– Impact: Loss of image
• Parameter estimates
– AV(public image) = $1,000,000
– EF(public image affected by defacing) = 0.05
– SLE = AV · EF = $50,000
– ARO(defacing) = 2
– ALE = SLE · ARO = $100,000
• Justifies spending up to $100,000 p.a. on controls

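The AV, EF, SLE, ARO and ALE chain from the method slide, carried through on this slide's defacing figures as an added example that is not part of the lecture material. The control_value function goes beyond the slide's "spend up to ALE" bound to a control that only lowers the ARO; the hardened scenario (ARO 0.5, 30,000 per year) is a constructed value, not from the slides.

```python
# Added example (not from the lecture slides): the quantitative parameters
# as a small class, run on the web-site defacing figures, plus a control
# cost-benefit comparison. The "hardened" scenario below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    asset: str
    threat: str
    av: float    # Asset Value: estimated total value of the asset (money)
    ef: float    # Exposure Factor: fraction of AV lost per threat occurrence
    aro: float   # Annualized Rate of Occurrence: expected events per year

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF is a percentage of the asset: 0 <= EF <= 1")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def max_justified_spend(risk: QuantRisk) -> float:
    """The slide's upper bound: a control that removes the risk entirely is
    not worth more per year than the loss it prevents, i.e. the ALE."""
    return risk.ale()


def control_value(before: QuantRisk, after: QuantRisk, annual_cost: float) -> float:
    """Net annual value of a control that changes the risk from `before` to
    `after`: ALE reduction minus the control's own annual cost. Positive means
    the control pays for itself. (Extension beyond the slide, which only states
    the upper bound for spending.)"""
    return before.ale() - after.ale() - annual_cost


# The slide's example: public image harmed by defacing through intrusion.
DEFACING = QuantRisk(asset="Public image (and trust)",
                     threat="Defacing web site through intrusion",
                     av=1_000_000, ef=0.05, aro=2)

# Constructed scenario: a control expected to cut defacements to one every
# two years (ARO 0.5) costing 30,000 per year.
HARDENED = QuantRisk(DEFACING.asset, DEFACING.threat, av=DEFACING.av,
                     ef=DEFACING.ef, aro=0.5)

if __name__ == "__main__":
    print("SLE =", DEFACING.sle())                               # 50000.0
    print("ALE =", DEFACING.ale())                               # 100000.0
    print("max spend p.a. =", max_justified_spend(DEFACING))     # 100000.0
    print("net control value =", control_value(DEFACING, HARDENED, 30_000))  # 45000.0
```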
Evaluate risks

• Compare
– the level of risk found during risk analysis with
– the established risk criteria
– NOTE: Consider analysis and criteria on the same basis - qualitative or quantitative
• Output: prioritized list of risks for further action
– Risks in low or acceptable risk categories may be accepted without further treatment

Risk listing and ranking

| Incident / Threat | Existing controls & vulnerabilities | Asset impact | Impact level | Likelihood description | Likelihood | Risk level |
| Compromise of user password | No control or enforcement of password strength | Deleted files, breach of confidentiality and integrity | MODERATE | Will happen to 1 of 50 users every year | MEDIUM | HIGH |
| Virus infection on clients | Virus filter disabled on many clients | Compromise of clients | MODERATE | Will happen to 1 in 100 clients every year | HIGH | EXTREME |
| Web server hacking and defacing | IDS, firewall, daily patching, but zero day exploits exist | Reputation | MINOR | Could happen once every year | LOW | LOW |
| Logical bomb planted by insider | No review of source code that goes into production | Breach of integrity or loss of data | MAJOR | Could happen once every 10 years | UNLIKELY | MODERATE |

Risk ranking complexity

• Not easy to prioritize risks of the same level but with different impact levels and likelihood

| Incident / Threat | Existing controls & vulnerabilities | Asset impact | Impact level | Likelihood description | Likelihood | Risk level |
| Router compromise | Password only | Intrusion and disruption | MODERATE | Many times per year | HIGH | HIGH |
| Physical destruction of data centre | None (not addressed in BCP) | Operations disrupted for one month | MAJOR | Could happen once in 25 years | LOW | HIGH |

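The qualitative and semi-quantitative matrices from the estimation slides and the register rows from the two listing slides, as an added example that is not from the lecture: levels come from adding (qualitative) or multiplying (semi-quantitative) the likelihood and impact indices, and the register is then ranked with an explicit tie-break. The tie-break policy (impact before likelihood within a level) is my assumption, not something the slides prescribe.

```python
# Added example (not from the lecture slides): the two risk matrices as
# lookup tables, applied to the incident/threat register and ranked.

# Index of each descriptive level, as printed in the matrix headers.
QUAL_IMPACT = {"INSIGNIFICANT": 0, "MINOR": 1, "MODERATE": 2, "MAJOR": 3}
QUAL_LIKELIHOOD = {"UNLIKELY": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
# Qualitative risk level = likelihood index + impact index.
QUAL_LEVEL = {0: "N", 1: "VL", 2: "L", 3: "M", 4: "H", 5: "VH", 6: "E"}

SEMI_IMPACT = {"NIL": 0, "INSIGNIFICANT": 1, "MINOR": 2, "MODERATE": 3, "MAJOR": 4}
SEMI_LIKELIHOOD = {"NEVER": 0, "UNLIKELY": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4}
# Semi-quantitative risk level = likelihood index * impact index; only the
# products that occur in the matrix carry a label.
SEMI_LEVEL = {0: "Nil", 1: "Neg", 2: "VL", 3: "L", 4: "M", 6: "M+",
              8: "H", 9: "H+", 12: "VH", 16: "E"}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Risk level label from the qualitative matrix (add the two indices)."""
    return QUAL_LEVEL[QUAL_LIKELIHOOD[likelihood.upper()]
                      + QUAL_IMPACT[impact.upper()]]


def semi_quantitative_level(likelihood: str, impact: str) -> str:
    """Risk level label from the semi-quantitative matrix (multiply them)."""
    return SEMI_LEVEL[SEMI_LIKELIHOOD[likelihood.upper()]
                      * SEMI_IMPACT[impact.upper()]]


# Qualitative levels from most to least severe, as in the legend.
QUAL_ORDER = ["E", "VH", "H", "M", "L", "VL", "N"]


def rank_register(rows):
    """Rank (incident, impact level, likelihood) rows by qualitative risk
    level. Rows on the same level are ordered by impact first, then by
    likelihood: one explicit answer to the tie-break problem the ranking
    complexity slide raises (which rule to use is a policy decision)."""
    def sort_key(row):
        incident, impact, likelihood = row
        level = qualitative_level(likelihood, impact)
        return (QUAL_ORDER.index(level),
                -QUAL_IMPACT[impact.upper()],
                -QUAL_LIKELIHOOD[likelihood.upper()])
    return [(incident, qualitative_level(likelihood, impact))
            for incident, impact, likelihood in sorted(rows, key=sort_key)]


# Incident, impact level and likelihood columns of the register on the slides.
REGISTER = [
    ("Compromise of user password", "MODERATE", "MEDIUM"),
    ("Virus infection on clients", "MODERATE", "HIGH"),
    ("Web server hacking and defacing", "MINOR", "LOW"),
    ("Logical bomb planted by insider", "MAJOR", "UNLIKELY"),
    ("Router compromise", "MODERATE", "HIGH"),
    ("Physical destruction of data centre", "MAJOR", "LOW"),
]

if __name__ == "__main__":
    for incident, level in rank_register(REGISTER):
        print(f"{level:3} {incident}")
```

With strict addition, four register rows reproduce the slides' levels (HIGH, LOW, MODERATE, HIGH), while the two MODERATE-impact, HIGH-likelihood rows come out as VH rather than the EXTREME and HIGH written on the slides, a reminder that the matrix is the starting point for management judgement rather than a replacement for it.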
Documenting the results of risk assessment

• Final summary comprised in a ranked vulnerability risk worksheet
• Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
• The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk

Risk treatment economy?

Figure: cost of reducing risk ($) plotted against level of risk (risk value), with three regions labelled "uneconomic", "use judgement" and "implement reduction measures".

Risk Control Strategies

• Once the ranked vulnerability risk worksheet is complete, one of four strategies must be chosen to control each risk:
– Reduce/mitigate risk (security and mitigation controls)
– Share/transfer risk (outsource the activity that causes the risk, or insure)
– Retain risk (understand and tolerate the potential consequences)
– Avoid risk (stop the activity that causes the risk)

Treating risk from the positive dimension

• Identify options for risk treatment by seeking opportunities that might increase positive outcomes without increasing the risk.
• Options include:
– Actively seek an opportunity for creating value and profit
– Change the likelihood of the opportunity to enhance the likelihood of a beneficial outcome
– Change the consequences to increase the extent of the gains
– Sharing the opportunity
– Retain the residual opportunity

Business Continuity Management

Outline
– Business Continuity Planning
– Disaster Recovery

Business continuity management

• Procedures for the recovery of an organization's facilities in case of major incidents and disasters, so that the organization will be able to either maintain or quickly resume mission-critical functions
• BCM standards
– ISO 27031 Guidelines for information and communications technology readiness for business continuity
– NIST SP 800-34 Contingency Planning Guide for Information Technology Systems

Effect of BCM

How common is BCM in 'the real world'?
• 2006 CCSS extract: Most commonly reported categories of computer security policies and procedures 2006 (2005, 2004):
– Media backup procedures - 95% (96%, 95%)
– User access management - 93% (97%, 94%)
– External network access control procedures - 78% (83%, 79%)
– Documented operating procedures - 76% (80%, 83%)
– User responsibilities policies - 72% (82%, 78%)
– Controls against malicious software - 66% (75%, 72%)
– Monitoring system access and use - 64% (72%, 68%)
– Change control procedures - 60% (82%, 75%)
– Clock synchronisation policy - 59% (59%, 43%)
– Decommissioning equipment procedures - 59% (65%, 40%)
– System audit policy - 58% (71%, 58%)
– Business continuity management - 54% (73%, 58%)
– Incident management procedures - 51% (67%, 64%)

Business continuity management

• The range of incidents and disasters to be considered include:
– Acts of nature, for example:
• Excessive weather conditions
• Earthquake
• Flood
• Fire
– Human acts (inadvertent or deliberate), for example:
• Hacker activity
• Mistakes by operating staff
• Theft
• Fraud
• Vandalism
• Terrorism

Business Continuity Plan (BCP)

• The business continuity plan describes:
– a sequence of actions
– and the parties responsible for carrying them out
– in response to disasters
– in order to restore normal business operations as quickly as possible

BCP Terminology

Figure: the plan takes the organisation from "Dealing with the crisis" to "Back in business".

• Business Continuity Plan
– Plan for restoring normal business functions after disruption
• Business Contingency Plan
– Same as Business Continuity Plan
– Contingency means "something unpredictable that can happen"
• Disaster Recovery
– Reestablishment of business functions after a disaster, possibly in temporary facilities

BCP Development

Figure: the development steps in sequence.
BCP Statement: • Mgmt approval • Scope • Responsibility • Teams
Business Impact Analysis (BIA): • Critical functions • MTD • Risks
Identify Preventive Controls: • Implement controls • Mitigate risks
Recovery Strategies: • Processes • Facilities • Data
Document BCP: • Responsibility • Teams • Strategies
Test BCP: • Exercises • Improvements • Training
Maintain BCP: • Integrate • Update • Distribute

Source: NIST Special Publication 800-34 Contingency Planning Guide for Information Technology Systems (p.14)

BCP Development and Output: NIST SP 800-34, p.31

Figure: development steps (left column) and their outputs (right column), reproduced from NIST SP 800-34, p.31.

BCP Development - BIA

• A Business Impact Analysis (BIA) is performed as part of the BCP development to identify the functions that, in the event of a disaster or disruption, would cause the greatest financial or operational loss.
• Consider e.g.:
– IT network support
– Data processing
– Accounting
– Software development
– Payroll
– Customer support
– Order entry
– Production scheduling
– Purchasing
– Communications

BCP Development - BIA

• The MTD (Maximum Tolerable Downtime) is defined for each function in the event of disaster.
• Example:
– Non-essential = 30 days
– Normal = 7 days
– Important = 72 hours
– Urgent = 24 hours
– Critical = minutes to hours

BCP Development - Alternative Sites

• Redundant site
– Mirror of the primary processing environment
– Operable within minutes
• Hot site
– Fully configured hardware and software, but no data
– Operable within hours
• Mobile site
• Warm site
– Partially configured with some equipment, but not the actual computers
– Operable within days
• Cold site
– Basic electricity and plumbing
– Operable within weeks

(The list runs from more expensive at the top to less expensive at the bottom.)

BCP Development – Strategy Selection

• Analyse alternative disaster recovery strategies
– Choosing data and software backup facility
– Choosing alternative site type and contract
– Human resources
– Insurance
– Reciprocal and mutual aid agreements
– Multiple processing centres
– Data processing service bureaus
with respect to BIA, cost, restoration time and practicality

BCP Components

• Supporting information
– Establish purpose, applicability and scope
– System description and staff responsibilities
• Notification/Activation Phase
• Recovery Phase
• Reconstruction Phase
• Appendices
– Contact information
– SOPs and checklists
– Equipment and system requirements lists

BCP Phases

• A security incident can vary in magnitude from minor incident to major disaster.
• Different sub-plans are needed for different phases in the business continuity process.
– Plan for activation phase
– Plans for recovery phase
– Plan for reconstitution phase

BC Activation Phase Plan

• Actions to take immediately after incident
– Procedures for contacting recovery teams
– Assessment of damage to primary site facilities
• Estimated outage time at primary site
• Compare with predefined MTD and activation criteria
– Notify BC management
– Management declares a disaster if criteria are met
– Start implementing BCP
• BCP activation responsibility
– Only one person
– CEO or other predefined role
– Succession of responsibility must be predefined

BC Recovery Phase Plan

• Evacuation and safety of personnel
– Always first priority
• Notifying alternative sites
• Securing home site
• Activation of recovery teams
• Relocation to alternative sites
• Resumption of critical business functions
• Reviewing how the organisation will interface with external parties (customers, partners) from the alternative site

BC Reconstitution Phase Plan

• Plan for returning to normal operations at primary site
– Repairing primary site, or preparing new site
– Installing hardware and software
– Testing business functions
– Migrating business functions stepwise
• Least critical functions first
• Most critical functions last
– Shutting down alternative site
– Securing and removing sensitive data from alternative site

BCP Appendices

• Include
– Contact information for key personnel
• Call tree data
– Contact information for vendors and alternative site providers
• Including SLA and reciprocal agreements
– Checklists for recovery processes
– Equipment and systems requirement lists
– Description of and directions to alternative site

BCP Testing

• Checklist test
– Copies of the BCP distributed to departments for review
• Structured walk-through test
– Representatives from each department come together to go through the plan
• Simulation test
– All staff in operational and support functions come together to practice executing the BCP
• Parallel test
– Business functions tested at alternative site
• Full interruption test
– Business functions at primary site halted, and migrated to alternative site in accordance with the BCP