Risk Management
Learning Objectives
serve the needs of the entire organization and at the same time leverage the
These settings must maintain confidentiality and privacy and assure the
integrity of organizational data— objectives that are met via the application of
examine and understand the information and systems currently in place within your
organization. To protect assets, first identify what they are and their value to the
organization. Assets are defined as information and systems that use, store and
Having identified your organization’s assets and weaknesses, it’s time to know
the enemy. This means identifying, examining, and understanding the threats
facing the organization. You must determine which threat aspects most
directly affect the security of the organization and its information assets, and
then use this information to create a list of threats, each one ranked according
organizational information;
plan for ways to protect data and information, the SDLC, known as systems
Risk management is the process of identifying risk, assessing risk, and taking
program.
mission capability by protecting the IT systems and data that support their
The head of an organizational unit must ensure that the organization has the
determine the security capabilities that their IT systems must have to provide
the desired level of mission support in the face of real-world threats. Most
Organizations use risk assessment to determine the extent of the potential threat
and the risk associated with an IT system throughout its SDLC. The output of this
In this stage, the boundaries of the IT system are identified, along with
System-Related Information
1. Hardware
2. Software
3. System interfaces such as internal and external connectivity
4. Data and information
5. Persons who support and use the IT system
6. System mission which may include the processes performed by
the IT system
7. System and data criticality such as system’s value or importance
to an organization
8. System and data sensitivity.
Information-Gathering Techniques
system test results, system security plan, and security policies can provide
mapping tool can identify the services that run on a large group of hosts
system(s).
Common Threat-Sources
Types of testing
mail relaying).
3. Penetration testing
protection schemes
areas:
1. Management
2. Operational
3. Technical.
Security Criteria
The goal of this step is to analyze the controls that have been
Control Methods
environmental security.
Control Categories
and authentication.
System mission
System and data criticality
System and data sensitivity.
a given vulnerability
RISK MITIGATION
reduce mission risk. Risk mitigation can be achieved through any of the
Risk Assumption. To accept the potential risk and continue operating the IT
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or
consequence (e.g., forgo certain functions of the system or shut down the
Risk Limitation. To limit the risk by implementing controls that minimize the
This section provides top management and IT security experts with the following
rules of thumb.
3. When the attacker’s cost is less than the potential gain ➞ apply protections
use of system controls such as limiting what a system user can access and
4. When loss is too great ➞ apply design principles, architectural designs, and
This section emphasizes the good practice and need for an ongoing risk evaluation
and assessment and the factors that will lead to a successful risk management
program.
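The risk-level determination, mitigation options and rules of thumb above, as an added worked example that is not part of the original slides: a small risk register in Python scored with the NIST SP 800-30 likelihood x impact scale (assumed here; the slides do not reproduce the numbers), where each entry is a constructed sample and the mapping from rule of thumb to mitigation option is an assumption for illustration.

```python
"""Risk register scored with the NIST SP 800-30 likelihood x impact matrix.
Added example, not from the original slides. The scale values and the
rule-of-thumb to mitigation mapping are assumptions for illustration."""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}  # NIST SP 800-30 scale
IMPACT = {"high": 100, "medium": 50, "low": 10}        # NIST SP 800-30 scale


@dataclass
class RiskItem:
    asset: str            # information or system the organization depends on
    threat: str           # threat-source that could act against the asset
    vulnerability: str    # weakness the threat-source could exercise
    likelihood: str       # high / medium / low
    impact: str           # high / medium / low
    attacker_cost: int    # constructed estimate, arbitrary units
    attacker_gain: int    # constructed estimate, same units


def risk_score(item: RiskItem) -> float:
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(score: float) -> str:
    # NIST SP 800-30 bands: >50 High, >10 to 50 Medium, 1 to 10 Low
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def mitigation(item: RiskItem) -> str:
    """Assumed mapping of the rules of thumb to the mitigation options."""
    if risk_level(risk_score(item)) == "High":
        return "Risk Avoidance"   # loss too great: redesign or forgo the function
    if item.attacker_cost < item.attacker_gain:
        return "Risk Limitation"  # attack is profitable: apply protections
    return "Risk Assumption"      # accept the risk and keep operating


REGISTER = [  # constructed sample entries, not real systems
    RiskItem("customer DB", "external attacker", "unpatched web app", "high", "high", 5, 500),
    RiskItem("mail relay", "spammer", "open relay", "medium", "medium", 1, 20),
    RiskItem("intranet wiki", "insider", "weak password policy", "low", "low", 50, 5),
]


def assess(register):
    """Return (asset, risk level, recommended mitigation) for each entry."""
    return [(i.asset, risk_level(risk_score(i)), mitigation(i)) for i in register]
```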
Risk management should be conducted and integrated in the SDLC for IT systems, not
because it is required by law or regulation, but because it is a good practice and supports
3. the competence of the risk assessment team, which must have the expertise to apply the
risk assessment methodology to a specific site and system, identify mission risks, and
4. the awareness and cooperation of members of the user community, who must follow
procedures and comply with the implemented controls to safeguard the mission of their
organization; and
7. Plug and play (technology that enables hardware devices to be installed and
installations)
Law #1: If a bad guy can persuade you to run his program on your computer,
Law #2: If a bad guy can alter the operating system on your computer, it’s not
Law #3: If a bad guy has unrestricted physical access to your computer, it’s
Law #4: If you allow a bad guy to upload programs to your Web site, it’s not
Law #8: An out-of-date virus scanner is only marginally better than no virus
scanner at all.
Law #9: Absolute anonymity isn’t practical, in real life or on the Web.