Risk Management Process
Security
Risk Management
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
Risk in Information Security (cont.)
• Asset – anything that needs to be protected because it has value and/or contributes to the successful achievement of the organization’s objectives
[Figure: Asset 1 has vulnerabilities 1 … n; each vulnerability can be exploited by a threat, where a threat pairs a threat agent (Agent 1 … m) with an event (Event 1 … k)]
Security Risk Management
• Security Risk Management – the process of identifying vulnerabilities in an organization’s information system and taking steps to protect the confidentiality, integrity and availability (CIA) of all of its components.
two major sub-processes:
Risk Identification & Assessment
Risk Control (Mitigation)
[Figure: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks → back to Identify the Risk Areas]
Security Risk Management (cont.)
[Figure: Risk Management splits into Risk Identification and Risk Control; screenshot of a network asset tracker tool]
http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
These are not as readily identifiable as hardware and software assets; identifying them requires experience and judgment.
Possible attributes:
people – avoid personal names, as they may change, use:
∗ position name
∗ position number/ID
∗ computer/network access privileges
procedures
∗ description
∗ intended purpose
∗ software/hardware/networking elements to which it is tied
∗ location of reference-document, …
data
∗ owner
∗ creator
∗ manager
∗ location, …
Risk Identification:
Asset Ranking/Prioritization
Risk Identification: Asset Ranking
[Table: weighted factor analysis worksheet – each asset (the worksheet lists data assets) is assigned a score (0.1–1.0) for each critical factor]
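The inventory attributes and the 0.1–1.0 per-factor scoring above, carried through to a ranking, as an added example that is not code from the slides. The three critical factors, their weights (summing to 100) and the sample assets are assumptions made for illustration; the slides only say that each asset is scored 0.1–1.0 on each critical factor.

```python
"""Asset inventory records and weighted-factor ranking.

Added example, not code from the slides. The per-kind attributes follow
the slide's lists for people, procedures and data. The critical factors,
their weights and the sample assets are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed critical factors and weights (the slide does not give them).
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_on_revenue": 30,
    "impact_on_operations": 40,
    "impact_on_public_image": 30,
}
assert sum(CRITERIA_WEIGHTS.values()) == 100

# Attributes the slide lists for each asset class.
REQUIRED_ATTRS: Dict[str, set] = {
    "people": {"position_name", "position_id", "access_privileges"},
    "procedure": {"description", "purpose", "tied_to", "reference_location"},
    "data": {"owner", "creator", "manager", "location"},
}


@dataclass
class Asset:
    name: str
    kind: str                   # "people", "procedure" or "data"
    attributes: Dict[str, str]  # identifying attributes for this kind
    scores: Dict[str, float]    # critical factor -> score in 0.1..1.0


def validate_asset(asset: Asset) -> List[str]:
    """Return the problems with an inventory record (empty list if it is usable)."""
    problems: List[str] = []
    if asset.kind not in REQUIRED_ATTRS:
        return [f"unknown asset kind {asset.kind!r}"]
    missing = REQUIRED_ATTRS[asset.kind] - set(asset.attributes)
    if missing:
        problems.append(f"missing attributes: {sorted(missing)}")
    # The slide says to key people assets by position, never by personal name.
    if asset.kind == "people" and "personal_name" in asset.attributes:
        problems.append("people asset keyed by personal name; use position name/ID")
    for factor in CRITERIA_WEIGHTS:
        score = asset.scores.get(factor)
        if score is None or not 0.1 <= score <= 1.0:
            problems.append(f"score for {factor} missing or outside 0.1-1.0")
    return problems


def weighted_score(asset: Asset) -> float:
    """Weighted factor analysis: sum of weight x score over all critical factors."""
    return round(sum(w * asset.scores[f] for f, w in CRITERIA_WEIGHTS.items()), 1)


def rank_assets(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Rank usable assets by weighted score, highest (most critical) first."""
    usable = [a for a in assets if not validate_asset(a)]
    return sorted(((a.name, weighted_score(a)) for a in usable),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory for a hypothetical organisation.
SAMPLE_ASSETS: List[Asset] = [
    Asset("Customer PII database", "data",
          {"owner": "CISO", "creator": "CRM team", "manager": "DBA position 1042",
           "location": "db-prod-01:/var/lib/postgresql"},
          {"impact_on_revenue": 0.8, "impact_on_operations": 0.9, "impact_on_public_image": 1.0}),
    Asset("Backup restore runbook", "procedure",
          {"description": "Restore production DB from nightly backup", "purpose": "DR",
           "tied_to": "db-prod-01, backup-01", "reference_location": "wiki/ops/restore"},
          {"impact_on_revenue": 0.5, "impact_on_operations": 0.6, "impact_on_public_image": 0.3}),
    Asset("Database administrator", "people",
          {"position_name": "DBA", "position_id": "1042",
           "access_privileges": "sudo on db-prod-01; postgres superuser"},
          {"impact_on_revenue": 0.6, "impact_on_operations": 0.7, "impact_on_public_image": 0.4}),
    # Deliberately bad record: keyed by a personal name and missing a score.
    Asset("Alice Example", "people",
          {"personal_name": "Alice Example", "position_name": "Network engineer",
           "position_id": "2077", "access_privileges": "enable on core routers"},
          {"impact_on_revenue": 0.5, "impact_on_operations": 0.8}),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        for problem in validate_asset(asset):
            print(f"{asset.name}: {problem}")
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```

Records that fail validation are reported and excluded from the ranking rather than silently scored, so a people asset keyed by a personal name, or a missing factor score, shows up as an inventory defect instead of a low-priority asset.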
Risk Identification:
Threat Identification
& Prioritization
Risk Identification: Threat Identification
[Figure: Asset 1 has vulnerabilities 1 … n; each vulnerability can be exploited by a threat, where a threat pairs a threat agent (Agent 1 … m) with an event (Event 1 … k)]
Risk Identification: Threat Identification
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
System-centric – starts from a model of the system, and attempts to follow the model’s dynamics and logic, looking for the types of attacks that apply to each element of the model.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
Asset-centric – starts from the assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how breaches of their confidentiality, integrity or availability (CIA) can happen.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
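The two starting points above (walk every element of a system model, or start from one asset and ask how its CIA properties can be breached), together with the asset/vulnerability/threat pairing in the Threat Identification figure, as an added example that is not code from the slides or from the cited INF3510 lecture. The small web-shop model, the element kinds, the attack types assumed for each kind and the mapping of attacks to the CIA property they breach are all assumptions chosen for illustration.

```python
"""System-centric vs asset-centric threat identification.

Added example, not code from the slides or the cited lecture. The model,
element kinds, attack types and CIA mapping are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # "external", "process", "store" or "flow"
    assets: FrozenSet[str]    # assets this element handles


# Assumed attack types per element kind (the system-centric view asks
# "what kinds of attack apply to each element of the model?").
ATTACKS_BY_KIND: Dict[str, Tuple[str, ...]] = {
    "external": ("spoofed identity",),
    "process": ("code injection", "privilege escalation", "denial of service"),
    "store": ("unauthorized read", "unauthorized modification", "deletion or ransomware"),
    "flow": ("eavesdropping", "tampering in transit", "replay"),
}

# Assumed mapping of each attack type to the CIA properties it breaches.
CIA_OF_ATTACK: Dict[str, Tuple[str, ...]] = {
    "spoofed identity": ("C", "I"),
    "code injection": ("C", "I", "A"),
    "privilege escalation": ("C", "I"),
    "denial of service": ("A",),
    "unauthorized read": ("C",),
    "unauthorized modification": ("I",),
    "deletion or ransomware": ("A",),
    "eavesdropping": ("C",),
    "tampering in transit": ("I",),
    "replay": ("I",),
}


def system_centric(model: List[Element]) -> List[Tuple[str, str]]:
    """Walk every element of the system model and list the attack types against it."""
    return [(e.name, attack) for e in model for attack in ATTACKS_BY_KIND[e.kind]]


def asset_centric(model: List[Element], asset: str) -> Dict[str, List[Tuple[str, str]]]:
    """Start from one asset and list, per CIA property, the (element, attack)
    pairs through which that property of the asset can be breached."""
    breaches: Dict[str, List[Tuple[str, str]]] = {"C": [], "I": [], "A": []}
    for e in model:
        if asset not in e.assets:
            continue                      # this element never touches the asset
        for attack in ATTACKS_BY_KIND[e.kind]:
            for prop in CIA_OF_ATTACK[attack]:
                breaches[prop].append((e.name, attack))
    return breaches


def unmodelled_assets(model: List[Element], inventory: List[str]) -> List[str]:
    """Inventory assets that no element of the model handles. Starting from the
    asset inventory exposes gaps in the system model that a system-centric
    walk alone would never reveal."""
    handled = set().union(*(e.assets for e in model))
    return [a for a in inventory if a not in handled]


# Constructed sample: a small, hypothetical web shop.
MODEL: List[Element] = [
    Element("browser", "external", frozenset({"customer PII"})),
    Element("web app", "process", frozenset({"customer PII", "price list"})),
    Element("customer DB", "store", frozenset({"customer PII"})),
    Element("browser->web app", "flow", frozenset({"customer PII"})),
    Element("price cache", "store", frozenset({"price list"})),
]
# Constructed asset inventory; the TLS key is deliberately absent from the model.
INVENTORY = ["customer PII", "price list", "TLS private key"]

if __name__ == "__main__":
    for element, attack in system_centric(MODEL):
        print(f"[system] {element}: {attack}")
    for prop, pairs in asset_centric(MODEL, "customer PII").items():
        print(f"[asset:customer PII] {prop} via {pairs}")
    print("assets not covered by the model:", unmodelled_assets(MODEL, INVENTORY))
```

The system-centric walk produces one list of attacks per element regardless of what the element holds; the asset-centric view groups the same attacks by the asset and the CIA property they threaten, and the inventory cross-check is where the two views catch each other's omissions.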
Risk Identification: Threat Prioritization