Risk Management in
Information Security
J Kasiroori
Introduction
Risk management is a core component of information security and establishes
how risk assessments are to be conducted.
It involves identifying, assessing, and treating risks to the confidentiality, integrity,
and availability of an organization's assets.
Thus an enterprise has to know what risks it is facing.
This program must be managed at the senior leader level of the organization and
implemented by everyone (not just the technical staff).
At a high level, we need to identify our important assets.
Risk Management Process (in order):
• Identify assets
• Identify threats
• Assess vulnerabilities
• Assess risks
• Mitigate risks
Identify Assets
• Arguably one of the most important parts of the risk management process.
• Not all assets need to be protected equally: by determining where resources should be focused, cost can be reduced while security is increased.
Threat Identification
What is a threat?
• A threat is a potential occurrence that could compromise the confidentiality, integrity, or availability of an organisation's assets, data, or systems.
• Examples of threats include insider attacks (malicious employees or contractors), accidental data breaches (employee mistakes), unauthorised access, etc.
Threat Identification Using Frameworks
• The CIA Triad or the Parkerian Hexad can be used as frameworks for discussing the nature of threats.
• For instance, if we apply this to examining the threats that we might face against an application that processes credit card payments:
• Confidentiality: if we expose data inappropriately, we have a potential breach
• Integrity: if data becomes corrupt, we may incorrectly process payments
• Availability: if the system or application goes down, we cannot process payments
• Possession: if we lose backup media, we have a potential breach
• Authenticity: if we do not have authentic customer information, we may process a fraudulent transaction
• Utility: if we collect invalid or incorrect data, it has limited utility to us
Assess Vulnerabilities
Vulnerability Assessment
• Look at vulnerabilities in the context of potential threats.
• A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
• For instance, a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data centre that is populated over the capacity of its air-conditioning system, a lack of backup generators, or other factors.
Assess Risks
Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk.
Thus, risk is the conjunction of a threat and a vulnerability.
A vulnerability with no matching threat, or a threat with no matching vulnerability, does not constitute a risk.
Risk Mitigation
In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls.
Controls are divided into three categories: physical, logical, and administrative (or, in an alternative grouping, management, operational, and technical controls).
• Physical: those controls that protect the physical environment in which our systems sit, or where our data is stored.
• Administrative: based on rules, laws, policies, procedures, guidelines, and other items that are "paper" in nature. They set out the rules for how we expect the users of our environment to behave.
Attack Categories
We can generally place the attacks we might face into one of four categories: interception, interruption, modification, and fabrication.
Each category can affect one or more of the principles of the CIA triad:
• Confidentiality: interception
• Integrity: interruption, modification, fabrication
• Availability: interruption, modification, fabrication
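The two ideas above, that a risk exists only where a threat meets a matching vulnerability on the same asset, and that each attack category maps onto one or more CIA principles, can be turned into a small risk-register sketch. The following Python is an added example, not part of the lecture slides: the `Threat` and `Vulnerability` classes, the asset names, and the sample entries (loosely modelled on the lecture's credit-card payment application) are all constructed, and the set of principles each sample vulnerability exposes is an assumption made for the example.

```python
"""Toy risk register illustrating two ideas from the lecture:
 - a risk exists only where a threat and a matching vulnerability meet on the same asset
 - each attack category affects one or more CIA principles
Added example, not the lecture's own material; all data below is constructed."""
from dataclasses import dataclass

# Attack category -> CIA principles it can affect (mapping as given in the lecture)
ATTACK_CATEGORIES = {
    "interception": frozenset({"confidentiality"}),
    "interruption": frozenset({"integrity", "availability"}),
    "modification": frozenset({"integrity", "availability"}),
    "fabrication": frozenset({"integrity", "availability"}),
}


@dataclass(frozen=True)
class Threat:
    name: str
    category: str   # one of the keys of ATTACK_CATEGORIES
    asset: str      # the asset this threat is directed at


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    exposes: frozenset  # CIA principles this weakness can undermine (assumed per entry)


def principles_affected(category: str) -> frozenset:
    """Translate an attack category into the CIA principles it threatens."""
    try:
        return ATTACK_CATEGORIES[category]
    except KeyError:
        raise ValueError(f"unknown attack category: {category!r}") from None


def assess_risks(threats, vulnerabilities):
    """Return (asset, threat, vulnerability, principles) tuples for every pair where a
    threat and a vulnerability target the same asset and overlap in the principle affected.
    Pairs with no overlap are not risks, exactly as the lecture states."""
    risks = []
    for t in threats:
        for v in vulnerabilities:
            if t.asset != v.asset:
                continue
            overlap = principles_affected(t.category) & v.exposes
            if overlap:
                risks.append((t.asset, t.name, v.name, overlap))
    return risks


def unmatched(threats, vulnerabilities):
    """Threats with no matching vulnerability and vulnerabilities with no matching threat.
    Neither is a risk today, but both belong in the register: the picture changes when a
    new weakness is introduced or a new threat appears."""
    risks = assess_risks(threats, vulnerabilities)
    risky_threats = {(asset, t) for asset, t, _, _ in risks}
    risky_vulns = {(asset, v) for asset, _, v, _ in risks}
    orphan_threats = [t for t in threats if (t.asset, t.name) not in risky_threats]
    orphan_vulns = [v for v in vulnerabilities if (v.asset, v.name) not in risky_vulns]
    return orphan_threats, orphan_vulns


# Constructed sample data, loosely following the lecture's credit-card payment example.
THREATS = [
    Threat("eavesdropping on card data in transit", "interception", "payment-app"),
    Threat("flooding the payment gateway", "interruption", "payment-app"),
    Threat("tampering with transaction records", "modification", "payment-db"),
    Threat("mains power failure", "interruption", "data-centre"),
]
VULNERABILITIES = [
    Vulnerability("TLS not enforced on the API", "payment-app", frozenset({"confidentiality"})),
    Vulnerability("no rate limiting or DDoS protection", "payment-app", frozenset({"availability"})),
    Vulnerability("no backup generators", "data-centre", frozenset({"availability"})),
    Vulnerability("office door left unlocked", "office", frozenset({"confidentiality"})),
]

if __name__ == "__main__":
    for asset, threat, vuln, principles in assess_risks(THREATS, VULNERABILITIES):
        print(f"RISK  {asset}: '{threat}' meets '{vuln}' -> {sorted(principles)}")
    threats_only, vulns_only = unmatched(THREATS, VULNERABILITIES)
    for t in threats_only:
        print(f"NOTE  {t.asset}: threat '{t.name}' has no matching vulnerability (not a risk)")
    for v in vulns_only:
        print(f"NOTE  {v.asset}: vulnerability '{v.name}' has no matching threat (not a risk)")
```

Running the script yields three risks (eavesdropping against the unencrypted API, flooding against the unprotected gateway, and power failure against the data centre without generators), while the tampering threat on the database and the unlocked office door are reported separately: each lacks its counterpart, so by the lecture's definition neither is a risk yet, but both stay in the register because a new vulnerability or a new threat can complete the pair later.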