
Information Security Management

Risk Identification


IMRAN ASHRAF
Risk identification
A risk management strategy requires that
information security professionals know their
organization's information assets, that is,
identify, classify, and prioritize them.
Once the organizational assets have been
identified, a threat assessment process identifies
and quantifies the risks facing each asset.

Asset identification & inventory

People, Procedures, and Data Asset
Identification
Identifying human resources, documentation,
and data assets is more difficult than identifying
hardware and software assets.
People with knowledge, experience, and
judgment should be assigned the task.
Use a reliable data-handling process for
recording the inventory.
The record-keeping mechanism should have the
flexibility to allow the specification of attributes
particular to the type of asset.

People: Position name/number/ID (avoid
names and stick to identifying positions, roles,
or functions); supervisor; security clearance
level; special skills
Procedures: Description; intended purpose;
relationship to software, hardware, and
networking elements; storage location for
reference; storage location for update
Data: Classification; owner, creator, and
manager; size of data structure; data structure
used (sequential or relational); online or offline;
location; backup procedures employed
Hardware, Software, and Network
Asset Identification
Which attributes of hardware, software, and
network assets should be tracked? It depends on
the needs of the organization and its risk
management efforts.
Name: Use the most common device or
program name.
IP address: This can be a useful identifier for
network devices and servers, but does not
usually apply to software. You can, however, use
a relational database and track software
instances on specific servers or networking
devices.
Media access control (MAC) address: MAC
addresses are sometimes called electronic serial
numbers or hardware addresses.
The MAC address number is used by the
network operating system to identify a specific
network device.
Element type: For hardware, you can develop
a list of element types, such as servers, desktops,
networking devices, or test equipment, etc.
For software elements, you may use a list of
types that includes operating systems, custom
applications by type (accounting, HR, or payroll
to name a few), etc.


For example, one server might be listed as:
DeviceClass = S (server)
DeviceOS = W2K (Windows 2000)
DeviceCapacity = AS (advanced server)
Serial number: can be used for both hardware
and software
Manufacturer name: Record the manufacturer
of the device or software component. This can be
useful when responding to incidents that involve
these devices or when certain manufacturers
announce specific vulnerabilities.
Manufacturer's model number or part
number:

Software version, update revision, or FCO
number: Whenever possible, document the
specific software or firmware revision number
and, for hardware devices, the current field
change order (FCO) number.
Physical location:
Logical location:
Controlling entity:
Automated Asset Inventory Tools
Automated tools can sometimes identify the
system elements that make up hardware,
software, and network components.
For example, many organizations use automated
asset inventory systems.
The inventory listing is usually available in a
database or can be exported to a database for
custom information on security assets.
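The attribute lists above and the note that inventories usually end up in a database can be put together in a small, runnable form. The following is an added example written for these notes, not code from the slides or from any inventory product: it models one asset record with the hardware/software/network attributes the slides name (plus the corporate classification label that the next section introduces), validates IP and MAC addresses before they are stored, loads the records into an in-memory SQLite table, and answers the question the slides raise under "Manufacturer name": which of our assets come from a vendor that has just announced a vulnerability. The field names, the sample devices and the assumption that serial numbers and MAC addresses are unique are all constructed for the example.

```python
import ipaddress
import re
import sqlite3
from dataclasses import asdict, dataclass, fields
from typing import List, Optional

# Classification labels from the corporate scheme described in these notes.
CLASSIFICATIONS = ("Confidential", "Internal", "External")

# A MAC address is six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


@dataclass
class Asset:
    """One inventory record; the fields mirror the attributes listed in the notes."""
    name: str
    element_type: str            # server, desktop, networking device, OS, application ...
    manufacturer: str
    model_number: str
    serial_number: str
    version: str                 # software/firmware revision or hardware FCO number
    physical_location: str
    logical_location: str
    controlling_entity: str
    classification: str          # Confidential / Internal / External
    ip_address: Optional[str] = None   # usually only meaningful for hardware
    mac_address: Optional[str] = None

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {self.classification!r}")
        if self.ip_address is not None:
            ipaddress.ip_address(self.ip_address)      # raises ValueError when malformed
        if self.mac_address is not None:
            if not MAC_RE.match(self.mac_address):
                raise ValueError(f"malformed MAC address: {self.mac_address!r}")
            # Normalise the spelling so one NIC cannot be recorded twice.
            self.mac_address = self.mac_address.lower().replace("-", ":")


def build_inventory(assets: List[Asset]) -> sqlite3.Connection:
    """Load the records into an in-memory SQLite table (stand-in for the asset database).
    Uniqueness of serial numbers and MAC addresses is an assumption of this example."""
    columns = [f.name for f in fields(Asset)]
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (%s, UNIQUE(serial_number), UNIQUE(mac_address))"
        % ", ".join(columns)
    )
    placeholders = ", ".join("?" for _ in columns)
    conn.executemany(
        f"INSERT INTO assets ({', '.join(columns)}) VALUES ({placeholders})",
        [tuple(asdict(a)[c] for c in columns) for a in assets],
    )
    conn.commit()
    return conn


def assets_by_manufacturer(conn: sqlite3.Connection, manufacturer: str) -> List[str]:
    """Names of all assets from one manufacturer, e.g. after a vendor vulnerability notice."""
    rows = conn.execute(
        "SELECT name FROM assets WHERE manufacturer = ? ORDER BY name", (manufacturer,)
    )
    return [r[0] for r in rows]


def assets_by_classification(conn: sqlite3.Connection, classification: str) -> List[str]:
    """Names of all assets carrying a given classification label."""
    rows = conn.execute(
        "SELECT name FROM assets WHERE classification = ? ORDER BY name", (classification,)
    )
    return [r[0] for r in rows]


# Constructed sample records; the devices, vendors and addresses are made up.
SAMPLE_ASSETS = [
    Asset("core-switch-1", "networking device", "Acme Networks", "CS-4800", "SN-0001",
          "FCO 12", "Server room A, rack 3", "core network", "Network team",
          "Internal", "10.0.0.2", "00-1A-2B-3C-4D-5E"),
    Asset("edge-fw-1", "networking device", "Acme Networks", "FW-200", "SN-0002",
          "fw 7.4.1", "Server room A, rack 1", "DMZ", "Security team",
          "Confidential", "203.0.113.1", "00:1a:2b:3c:4d:5f"),
    Asset("hr-db-1", "server", "Example Hardware Co", "R740", "SN-0003",
          "firmware 2.10", "Server room B", "HR VLAN", "HR IT",
          "Confidential", "10.0.20.5", "00:1a:2b:3c:4d:60"),
    Asset("payroll-app", "custom application (payroll)", "In-house", "n/a", "SW-0004",
          "3.2.0", "n/a", "runs on hr-db-1", "HR IT", "Confidential"),
]

if __name__ == "__main__":
    db = build_inventory(SAMPLE_ASSETS)
    print("Acme Networks assets:", assets_by_manufacturer(db, "Acme Networks"))
    print("Confidential assets: ", assets_by_classification(db, "Confidential"))
```

Two design points are worth noting. Validation happens when the record is created, not when it is queried, so a typo in a MAC address is caught before it pollutes the inventory; and software instances are tracked as their own rows tied to a host through the logical-location field, which is the relational approach the slides suggest for software that has no IP address of its own.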
Data Classification and Management
Corporate and military organizations use a
variety of classification schemes.
Many corporations use a data classification
scheme to help secure the confidentiality and
integrity of information.
The typical information classification scheme
has three categories:
Confidential: sensitive or proprietary.
Used for the most sensitive corporate information.
Tightly controlled, even within the company.
Access is strictly on a need-to-know basis.

Internal:
Used for all internal information that does not
meet the criteria for the confidential category;
to be viewed only by corporate employees,
authorized contractors, and other third parties.
External: All information that has been
approved by management for public release.
The military is perhaps the best-known user of data
classification schemes.
Unclassified data:
Sensitive But Unclassified data (SBU):
Any information of which the loss, misuse, or unauthorized
access to, or modification of might adversely affect U.S.
national interests
Confidential data:
Any information or material the unauthorized disclosure of
which reasonably could be expected to cause damage to the
national security.
Secret data:
Any information or material the unauthorized disclosure of
which reasonably could be expected to cause serious
damage to the national security.
Top Secret data:
Any information or material the unauthorized disclosure of
which reasonably could be expected to cause exceptionally
grave damage to the national security.
Identifying and prioritizing threats
After identifying and performing the preliminary
classification of an organization's information
assets, the next phase is threat assessment.
Examining the potential danger that each threat
poses to the organization's assets is called threat
assessment.
It can be done by answering some simple
questions like:
Which threats present a danger to an
organization's assets in the given environment?
Which threats represent the most danger to the
organization's information?
How much would it cost to recover from a
successful attack?
Which of the threats would require the greatest
expenditure to prevent?


Vulnerability identification
Vulnerabilities are specific weaknesses that
threat agents can exploit to attack an
information asset.
A vulnerability is a flaw or weakness in an
information asset, security procedure, design, or
control that could be exploited accidentally or on
purpose to breach security.
TVA (Threats-Vulnerabilities-Assets)

Risk Assessment
Evaluating the relative risk for each of the
vulnerabilities is called risk assessment.
Risk assessment assigns a risk rating or score to
each information asset.

Likelihood
Likelihood is the probability that a specific
vulnerability will be the object of a successful
attack.
In risk assessment, you assign a numeric value
to likelihood.
Usually the value assigned is between 0.1 and 1.0.
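The threat-assessment questions, the TVA pairing of threats with vulnerabilities and assets, and the likelihood value above can be combined into a small ranking worksheet. The following is an added example written for these notes, not code from the slides: each TVA entry records an asset, the threat, the specific weakness and a likelihood that is checked against the 0.1 to 1.0 range the slides give; the relative asset values (a 0 to 100 priority from the asset identification step) and the scoring rule, relative asset value multiplied by likelihood, are assumptions of this example, as is the rule that an asset's overall rating is the highest score among its vulnerabilities. The assets, threats and numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def valid_likelihood(p: float) -> bool:
    """Likelihood of a successful attack, expressed on the 0.1 .. 1.0 scale from the notes."""
    return 0.1 <= p <= 1.0


@dataclass(frozen=True)
class Vulnerability:
    """One TVA entry: a threat acting on an asset through a specific weakness."""
    asset: str
    threat: str
    weakness: str
    likelihood: float

    def __post_init__(self) -> None:
        if not valid_likelihood(self.likelihood):
            raise ValueError(f"likelihood must lie in [0.1, 1.0]: {self.likelihood}")


def risk_score(asset_value: float, likelihood: float) -> float:
    """Assumed scoring rule for this example: relative asset value (0..100) times likelihood."""
    return round(asset_value * likelihood, 2)


def rank_vulnerabilities(
    asset_values: Dict[str, float], vulns: List[Vulnerability]
) -> List[Tuple[str, str, str, float]]:
    """Return (asset, threat, weakness, score) tuples from highest to lowest risk.
    Every vulnerability must refer to an asset that exists in the inventory."""
    scored = []
    for v in vulns:
        if v.asset not in asset_values:
            raise KeyError(f"{v.asset!r} is not in the asset inventory")
        scored.append((v.asset, v.threat, v.weakness, risk_score(asset_values[v.asset], v.likelihood)))
    # Ties are broken in favour of the more valuable asset, then alphabetically.
    return sorted(scored, key=lambda r: (-r[3], -asset_values[r[0]], r[0], r[1]))


def asset_risk_rating(
    asset_values: Dict[str, float], vulns: List[Vulnerability]
) -> Dict[str, float]:
    """Per-asset rating = highest score among its vulnerabilities (assumed rule);
    assets with no identified vulnerability keep 0.0 so they still appear in the report."""
    rating = {asset: 0.0 for asset in asset_values}
    for asset, _, _, score in rank_vulnerabilities(asset_values, vulns):
        rating[asset] = max(rating[asset], score)
    return rating


# Constructed sample data: relative asset values from the prioritisation step.
ASSET_VALUES = {"customer database": 100, "public web server": 60, "intranet wiki": 30}

# Constructed TVA entries; likelihoods are illustrative, not measured.
VULNS = [
    Vulnerability("customer database", "insider data theft", "excessive DBA privileges", 0.3),
    Vulnerability("customer database", "software attack", "unpatched database engine", 0.5),
    Vulnerability("public web server", "denial of service", "no rate limiting", 0.8),
    Vulnerability("intranet wiki", "software attack", "default admin password", 0.9),
    Vulnerability("public web server", "act of nature", "single data centre", 0.1),
]

if __name__ == "__main__":
    for asset, threat, weakness, score in rank_vulnerabilities(ASSET_VALUES, VULNS):
        print(f"{score:6.1f}  {asset:18s} {threat:20s} {weakness}")
    print(asset_risk_rating(ASSET_VALUES, VULNS))
```

Run as a script, the worksheet lists the unpatched database engine first and the single-data-centre weakness last, which is the ordering the threat-assessment questions are after: the entries near the top are where recovery would cost the most and where preventive spending should be examined first.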
