Professional Documents
Culture Documents
Management
Definition of risk
Risk vs uncertainty
Definition of Risk Management (RM)
Risk Management Structure
[Diagram: risk management strategy at the centre, shaped by the factors around it.
Internal factors: Organizational Maturity, Culture, Corporate History, Management Risk Tolerance.
External factors: Industry, Regulation.]
Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk Assessment: Identification, Analysis, Evaluation
Risk Treatment: Avoid, Reduce, Transfer, Retain
Risk Communication & Monitoring (runs alongside assessment and treatment)
Risk management cycle: Establish Scope & Boundaries -> Risk Appetite -> Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring
A builder's definition of RM
RM in Building: four risk categories: strategic, operating, financial, information
Strategic risks
  Environmental: natural/man-made disasters
  Political: laws/regulations
  Industry: competition, financial markets
  Organisational: corporate objectives & strategies, leadership, management, investor/credit relations, human resources
Operating risks: workforce, suppliers, plant & machinery, protection, customers
Financial risks: capital/funding, investing, regulatory environment
Information risks: systems, strategic, operating, mgt process
Risk control techniques: Avoidance; Prevention; Reduction (stop losses or reduce damage); Segregation of loss exposures; Contractual risk transfer
Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets
2. Determine Threats and Vulnerabilities
3. Estimate Likelihood of Exploitation
4. Analyze Existing Controls
5. Treat Risk
Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels). Assets include: Tangible ($ sales), Intangible (rated High/Med/Low).

Asset | Risk | Replacement Cost | Cost of loss of integrity | Cost of loss of availability | Cost of loss of confidentiality
Product A | | = | = | = | =
Product B | | = | = | = | =
Product C | | = | = | = | =
Step 1: Determine Value of Assets

Asset Name | $ Value, Direct Loss (Replacement) | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail.; Breach Notification Law; Availability (e.g., due to
Equipment | | |
Workbook | | |
Step 2: Determine Threats and Vulnerabilities

Threat Source | Motivation | Threat Actions
 | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion |
Industry Spies | Competitive advantage |
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Vulnerabilities
Behavioral: poorly-defined procedures, disgruntled employee, insufficient staff, inadequate mgmt, inadequate compliance enforcement
Misinterpretation: employee error, uncontrolled processes, poor network design, improperly configured equipment
Coding Problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3:
Estimate Likelihood of Exploitation
Best sources:
Past experience
Mass media
Specialists and expert advice
Economic, engineering, or other models
Market research & analysis
Experiments & prototypes
Impact
1. Insignificant: no meaningful impact
2. Minor: impacts a small part of the business, < $1M
3. Major: impacts company brand, > $1M
4. Material: requires external reporting, > $200M
5. Catastrophic: failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: not seen within the last 5 years
3. Moderate: occurred in last 5 years, but not in last year
4. Likely: occurred in last year
5. Frequent: occurs on a regular basis
[Heat map: Impact (Insignificant 1, Minor 2, Major 3, Material 4, Catastrophic 5) on the vertical axis vs Likelihood (Rare 1, Unlikely 2, Moderate 3, Likely 4, Frequent 5) on the horizontal axis. Cells are rated LOW in the low-impact/low-likelihood corner, MEDIUM across the middle band, and HIGH in the high-impact/high-likelihood corner.]
Laptop value = replacement cost + cost of installation of special software and data; assumes no liability.

Quantitative Risk

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (once in 20 years) | $50K
Laptop | Stolen | $1K + $9K = $10K | 0.2 (once in 5 years) | $2K

(ALE = SLE x ARO, so the laptop row is $10K x 0.2 = $2K.)
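The deck's two scoring methods side by side, as an added worked example (not the slides' own material): ALE = SLE x ARO computed for the Building/Fire and Laptop/Stolen rows above, the 1-to-5 likelihood and impact scales from the earlier slide mapped onto LOW/MEDIUM/HIGH, and a cost-benefit check for a "Reduce" treatment. The heat-map cell boundaries, the "frequent"/"rare" interval cut-offs, the $500/yr encryption control and the cost-benefit rule are assumptions, since the slides give no figures for them.

```python
"""Risk register helpers for the two methods on the slides: quantitative ALE
(SLE x ARO) and the qualitative 5x5 likelihood/impact matrix.  Added example;
assumptions are flagged where they appear."""
from dataclasses import dataclass

# Scales as given on the slides (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "moderate": 3, "likely": 4, "frequent": 5}
IMPACT = {"insignificant": 1, "minor": 2, "major": 3, "material": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float            # Single Loss Expectancy: direct + consequential loss, in $
    years_between: float  # expected interval between incidents, as the slide's "(20 years)"

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: once every N years -> 1/N per year."""
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy, ALE = SLE x ARO."""
        return self.sle * self.aro


def likelihood_from_interval(years_between: float) -> str:
    """Map an incident interval onto the slide's likelihood labels.
    'Likely' = occurred in the last year, 'Moderate' = within 5 years but not
    the last, 'Unlikely' = not seen in 5 years.  The 'frequent' (< 1 year) and
    'rare' (> 20 years) cut-offs are assumptions; the slide gives no numbers."""
    if years_between < 1:
        return "frequent"
    if years_between <= 1:
        return "likely"
    if years_between <= 5:
        return "moderate"
    if years_between <= 20:
        return "unlikely"
    return "rare"


def impact_from_loss(loss_usd: float) -> str:
    """Dollar thresholds from the slide: Minor < $1M, Major > $1M, Material > $200M.
    Assumptions: a $0 loss is 'insignificant'; 'catastrophic' (failure of the
    company) cannot be read off a dollar figure, so it is never returned here."""
    if loss_usd <= 0:
        return "insignificant"
    if loss_usd < 1_000_000:
        return "minor"
    if loss_usd <= 200_000_000:
        return "major"
    return "material"


def matrix_rating(likelihood: str, impact: str) -> str:
    """LOW / MEDIUM / HIGH from the 5x5 heat map.  The slide's exact cell
    colouring did not survive extraction; assumption: score = likelihood x
    impact, LOW <= 4, MEDIUM <= 12, HIGH above."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score <= 4:
        return "LOW"
    if score <= 12:
        return "MEDIUM"
    return "HIGH"


def control_benefit(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a 'Reduce' treatment: ALE before minus ALE after minus the
    control's yearly cost.  Standard extension of ALE not stated on the slide;
    a positive result means the control pays for itself."""
    return before.ale - after.ale - annual_control_cost


# Register built from the slide's two rows.
REGISTER = [
    Risk("Building", "Fire", sle=1_000_000, years_between=20),     # ALE $50K
    Risk("Laptop", "Stolen", sle=1_000 + 9_000, years_between=5),  # $1K replacement + $9K reputation
]


def summarize(register=REGISTER):
    """One row per risk: asset, threat, ALE, likelihood, impact, matrix rating."""
    rows = []
    for r in register:
        lik = likelihood_from_interval(r.years_between)
        imp = impact_from_loss(r.sle)
        rows.append((r.asset, r.threat, round(r.ale), lik, imp, matrix_rating(lik, imp)))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
    # Assumed control: full-disk encryption at $500/yr.  It does not stop theft
    # (ARO unchanged) but removes the $9K reputation/notification component.
    laptop = REGISTER[1]
    encrypted = Risk("Laptop", "Stolen", sle=1_000, years_between=5)
    print("encryption benefit $/yr:", round(control_benefit(laptop, encrypted, 500)))
```

The register keeps the interval ("once in 20 years") rather than the ARO, because that is what past-experience data actually gives you; the ARO and ALE are derived. Note that a control can change SLE, ARO, or both, which is why control_benefit takes a whole "after" Risk instead of a single adjusted number.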
Extra Step: Step 6: Risk Monitoring

Risk | Status | Action | Cost
Stolen Laptop | In investigation | HIPAA Incident Response | $200K
Cost overruns | | | $400K
HIPAA: Physical security | Training occurred | Training | $200K
Risk Management
Risk Management is aligned with business strategy & direction
Risk mgmt must be a joint effort between all key business units & IS
Business-Driven (not Technology-Driven)
Steering Committee:
Sets risk management priorities
Defines risk management objectives to achieve business strategy
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls
Question
The FIRST step in Security Risk
Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO