MANAGEMENT of INFORMATION SECURITY, Fifth Edition
RISK ASSESSMENT AND
RISK APPETITE
Management of Information Security, 5th Edition, © Cengage Learning
2
Risk Assessment
• Assessing the relative risk for each vulnerability is
accomplished via a process called risk assessment
• Risk assessment assigns a risk rating or score to
each specific vulnerability
• While this number does not mean anything in
absolute terms, it enables you to gauge the
relative risk associated with each vulnerable
information asset, and it facilitates the creation of
comparative ratings later in the risk control
process
Assessing Risk
• Estimating risk is not an exact science; thus
some practitioners use calculated values for
risk estimation, whereas others rely on
broader methods of estimation
• The goal is to develop a repeatable method to
evaluate the relative risk of each of the
vulnerabilities that have been identified and
added to the list
Likelihood
• Likelihood is the overall rating - a numerical value on a
defined scale - of the probability that a specific
vulnerability will be exploited
• Using the information documented during the risk
identification process, you can assign weighted scores
based on the value of each information asset, e.g. on a 1-100 scale, a low-medium-high scale, etc.
• Whatever rating system you employ for assigning
likelihood, use professionalism, experience, and
judgment to determine the rating—and use it
consistently
• Whenever possible, use external references for
likelihood values, after reviewing and adjusting them
for your specific circumstances
Risk Estimate Factors
One method of estimating risk uses the following:
Risk is
The likelihood that the threat to an asset will result in an
adverse impact
Multiplied by
The consequences (or level of impact) on the value of an asset as a
result of a successful attack
Less
The percentage of risk mitigated by current controls
Plus
The degree of uncertainty of current knowledge of the threat/asset
environment
R = (L × I) - M% + U%
Note that M% and U% are percentages of the (L × I) product, not absolute points, which is how the worked example later in this topic arrives at its ratings
Likelihood
• Likelihood is the overall rating—a numerical value
on a defined scale—of the probability that a
specific vulnerability will be exploited
• NIST’s “Special Publication 800-30 Rev. 1, Guide
for Conducting Risk Assessments,” recommends
that vulnerabilities be assigned a likelihood rating
between 0.1 (low) and 1.0 (high)
• Whenever possible, use external references for
likelihood values, after reviewing and adjusting
them for your specific circumstances
Assessing Potential Impact on Asset
Value (Consequences)
• Once the probability of an attack by a threat has been
evaluated, the organization will typically look at the
possible outcomes or consequences of a successful
attack
• The consequences of an attack (most often as a loss in
asset value) are of great concern to the organization in
determining where to focus its protection efforts
• Most commonly, organizations will create multiple
scenarios to better understand the potential loss of a
successful attack, using a “worst case/most likely
outcome” approach
• It is useful for organizations to retain this information,
as it can also be used during contingency planning
Percentage of Risk
Mitigated by Current Controls
• If a vulnerability is fully managed by an
existing control, it can be set aside
• If it is partially controlled, estimate what
percentage of the vulnerability has been
controlled
Uncertainty
• It is not possible to know everything about
every vulnerability
• The degree to which a current control can
reduce risk is also subject to estimation error
• Uncertainty is an estimate made by the
manager using judgment and experience
Risk Determination
• Asset A has an impact value of 50 and has one vulnerability,
which has a likelihood of 1.0 with no current controls. Your
assumptions and data are 90% accurate
• Asset B has an impact value of 100 and has two
vulnerabilities: vulnerability #2 has a likelihood of 0.5 with a
current control that addresses 50% of its risk; vulnerability
# 3 has a likelihood of 0.1 with no current controls. Your
assumptions and data are 80% accurate
• The resulting ranked list of risk ratings for the three
vulnerabilities is as follows (the mitigation and uncertainty
percentages are taken of the likelihood × impact product, and
uncertainty is 100% minus the stated accuracy):
– Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) - 0% + 10%, i.e. 50 - 0 + 5
– Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) - 50% + 20%, i.e. 50 - 25 + 10
– Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) - 0% + 20%, i.e. 10 - 0 + 2
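The following script is an added example, not code from the textbook or the slides. It implements the risk estimate formula from the "Risk Estimate Factors" slide, reproduces the three ratings from the "Risk Determination" slide, and produces the descending ranked list that feeds the ranked vulnerability risk worksheet. The `VulnerabilityRisk` class, the `ranked_worksheet` function and the asset/vulnerability names are assumptions made for this example; the rule that a fully controlled vulnerability is dropped from the ranked list follows the "Percentage of Risk Mitigated by Current Controls" slide.

```python
"""Risk rating with the textbook formula R = (L x I) - M% + U%.

Added example. The mitigation and uncertainty percentages are applied
to the (likelihood x impact) product; that reading is the one that
reproduces the slide's ratings of 55, 35 and 12.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class VulnerabilityRisk:
    """One row of the ranked vulnerability risk worksheet (hypothetical type)."""
    asset: str
    vulnerability: str
    impact: float       # asset impact value on the organization's relative scale
    likelihood: float   # probability of exploitation, 0.1 (low) .. 1.0 (high)
    mitigated: float    # fraction of the risk already handled by current controls
    accuracy: float     # how accurate our assumptions and data are, 0.0 .. 1.0

    def __post_init__(self) -> None:
        # Reject inputs outside the scales the slides define, so a typo such as
        # "50%" entered as 50 cannot silently swamp the ranking.
        if not 0.0 < self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be in (0, 1]: {self.likelihood}")
        for name in ("mitigated", "accuracy"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1]: {value}")
        if self.impact < 0:
            raise ValueError(f"impact must be non-negative: {self.impact}")

    @property
    def uncertainty(self) -> float:
        """U% from the slide: the complement of how accurate our knowledge is."""
        return 1.0 - self.accuracy

    @property
    def fully_controlled(self) -> bool:
        """Slide 8: a vulnerability fully managed by a control can be set aside."""
        return self.mitigated >= 1.0

    def rating(self) -> float:
        """R = (L x I) - M% of (L x I) + U% of (L x I)."""
        base = self.likelihood * self.impact
        return base - base * self.mitigated + base * self.uncertainty


def ranked_worksheet(entries: Iterable[VulnerabilityRisk]) -> List[VulnerabilityRisk]:
    """Drop fully controlled vulnerabilities and sort the rest, highest risk first."""
    live = [e for e in entries if not e.fully_controlled]
    return sorted(live, key=lambda e: e.rating(), reverse=True)


# The three vulnerabilities from the "Risk Determination" slide.
SLIDE_EXAMPLE = [
    VulnerabilityRisk("Asset A", "Vulnerability 1", impact=50, likelihood=1.0,
                      mitigated=0.0, accuracy=0.9),
    VulnerabilityRisk("Asset B", "Vulnerability 2", impact=100, likelihood=0.5,
                      mitigated=0.5, accuracy=0.8),
    VulnerabilityRisk("Asset B", "Vulnerability 3", impact=100, likelihood=0.1,
                      mitigated=0.0, accuracy=0.8),
]


if __name__ == "__main__":
    print(f"{'Asset':<8} {'Vulnerability':<16} {'L':>4} {'I':>5} {'M%':>4} {'U%':>4} {'R':>6}")
    for e in ranked_worksheet(SLIDE_EXAMPLE):
        print(f"{e.asset:<8} {e.vulnerability:<16} {e.likelihood:>4.1f} {e.impact:>5.0f} "
              f"{e.mitigated:>4.0%} {e.uncertainty:>4.0%} {e.rating():>6.1f}")
```

Because the percentages scale the product, a 10% uncertainty on a rating of 50 adds 5 points while the same uncertainty on a rating of 10 adds only 1; that is why the ranking is dominated by likelihood × impact and the correction terms only reorder entries that are already close.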
Likelihood and Consequences
In Risk Assessment
• Another approach to calculating risk based on likelihood is the
likelihood and consequence rating from the Australian and
New Zealand Risk Management Standard AS/NZS 4360, which uses
qualitative methods of determining risk based on a threat's
probability of occurrence and the expected results of a successful
attack
• AS/NZS 4360 has since been superseded by the ISO 31000 family
(AS/NZS ISO 31000:2009 and later editions), but the likelihood and
consequence matrix it popularized is still in wide use
ANZ RM Standard 4360 Consequences
Levels for Organizational Threats
[table not reproduced in this transcript]
ANZ RM Standard 4360 Likelihood
Levels for Organizational Threats
[table not reproduced in this transcript]
Likelihood and Consequences
In Risk Assessment
• Next, consequences and likelihoods are
combined, enabling the organization to
determine which threats represent the
greatest danger to the organization's
information assets
• The resulting rankings can then be inserted
into the TVA (threats-vulnerabilities-assets) worksheet for use in risk assessment
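The following script is an added example of the qualitative approach described on the two preceding slides; it is not code from the textbook, and the five likelihood levels, five consequence levels and the rating in each matrix cell are illustrative assumptions, not a copy of the AS/NZS 4360 tables (which did not survive in this transcript). It combines the two levels through a matrix, ranks a constructed set of threats for insertion into a TVA worksheet, and checks that the matrix is monotone, a sanity check worth running on any matrix an organization builds itself.

```python
"""Qualitative risk rating: combine consequence and likelihood levels
through a matrix, rank the results, and sanity-check the matrix.

Added example. Level names and cell ratings are assumptions chosen to
show the technique; substitute the organization's own tables.
"""
from typing import List, Sequence, Tuple

# Assumed ordinal scales, lowest to highest.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
RATING = ["low", "moderate", "high", "extreme"]

# Assumed matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
MATRIX = [
    ["low",      "low",      "moderate", "high",    "high"],     # rare
    ["low",      "low",      "moderate", "high",    "extreme"],  # unlikely
    ["low",      "moderate", "high",     "extreme", "extreme"],  # possible
    ["moderate", "high",     "high",     "extreme", "extreme"],  # likely
    ["high",     "high",     "extreme",  "extreme", "extreme"],  # almost certain
]


def _index(scale: Sequence[str], level: str) -> int:
    """Position of a level on its scale; unknown levels are an input error."""
    key = level.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown level {level!r}; expected one of {list(scale)}")
    return scale.index(key)


def rate(likelihood: str, consequence: str) -> str:
    """Combine a likelihood level and a consequence level into a risk rating."""
    return MATRIX[_index(LIKELIHOOD, likelihood)][_index(CONSEQUENCE, consequence)]


def matrix_is_monotone(matrix: Sequence[Sequence[str]]) -> bool:
    """True if the rating never decreases as likelihood or consequence increases.

    A cell that violates this would let a worse scenario rank below a
    milder one, which is the usual sign of a transcription error.
    """
    grade = [[_index(RATING, cell) for cell in row] for row in matrix]
    for r, row in enumerate(grade):
        for c, value in enumerate(row):
            if c > 0 and value < row[c - 1]:
                return False
            if r > 0 and value < grade[r - 1][c]:
                return False
    return True


# (asset, threat, likelihood, consequence): constructed sample rows.
SAMPLE_THREATS = [
    ("Customer DB", "SQL injection via web app", "likely", "major"),
    ("File server", "Ransomware", "possible", "catastrophic"),
    ("Intranet wiki", "Defacement", "unlikely", "minor"),
    ("Laptop fleet", "Theft of unencrypted laptop", "possible", "moderate"),
]


def rank_threats(rows: Sequence[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (asset, threat, rating) sorted for the TVA worksheet, worst first.

    Ties on rating are broken by likelihood, then consequence, so two
    "extreme" threats still have a deterministic order.
    """
    def key(row: Tuple[str, str, str, str]):
        asset, threat, likelihood, consequence = row
        return (_index(RATING, rate(likelihood, consequence)),
                _index(LIKELIHOOD, likelihood),
                _index(CONSEQUENCE, consequence))

    ordered = sorted(rows, key=key, reverse=True)
    return [(asset, threat, rate(lk, cq)) for asset, threat, lk, cq in ordered]


if __name__ == "__main__":
    assert matrix_is_monotone(MATRIX), "matrix has a cell that breaks ordering"
    for asset, threat, rating in rank_threats(SAMPLE_THREATS):
        print(f"{rating:<9} {asset:<14} {threat}")
```

The ordinal scales are the whole point of the qualitative method: they are lookups, not numbers, so the output is a ranking and nothing more. Do not multiply the indices together as if they were the L and I of the quantitative formula; that manufactures false precision from what are only ordered labels.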
ANZ RM Standard 4360
Qualitative Risk Assessment Matrix
[table not reproduced in this transcript]
Documenting the Results
of Risk Assessment
• The goal of the risk management process so far
has been to identify information assets and their
vulnerabilities and to rank them according to the
need for protection
• In preparing this list, a wealth of factual
information about the assets and the threats they
face is collected
• Also, information about the controls that are
already in place is collected
• The final summarized document is the ranked
vulnerability risk worksheet
Ranked Vulnerability Risk Worksheet
[worksheet not reproduced in this transcript]
Risk Identification
and Assessment Deliverables
[table not reproduced in this transcript]
Risk Appetite
• Before the organization can or should proceed, it needs to
understand whether the current level of controls identified
at the end of the risk assessment process results in a level
of risk management it can accept
• The amount of risk that remains after all current controls
are implemented is residual risk
• The organization may very well reach this point in the risk
management process, examine the documented residual
risk, simply state, “Yes, we can live with that,” and then
document everything for the next risk management review
cycle
• What is difficult is the process of formalizing exactly what
the organization “can live with”; this process is the heart of
risk appetite
Risk Appetite
• According to KPMG, a well-defined risk appetite should
have the following characteristics:
– Reflective of strategy, including organizational objectives,
business plans, and stakeholder expectations
– Reflective of all key aspects of the business
– Acknowledges a willingness and capacity to take on risk
– Is documented as a formal risk appetite statement
– Considers the skills, resources, and technology required to
manage and monitor risk exposures in the context of risk
appetite
– Is inclusive of a tolerance for loss or negative events that can be
reasonably quantified
– Is periodically reviewed and reconsidered with reference to
evolving industry and market conditions
– Has been approved by the board
Risk Appetite
• The KPMG approach to defining risk appetite involves
understanding the organization’s strategic objectives, defining risk
profiles for each major current organizational activity and future
strategic plan, defining a risk threshold for each profile, and finally
documenting the formal risk appetite statement
• The risk tolerance (or risk threshold) works hand in glove with risk
appetite, as it more clearly defines the range of acceptable risk for
each initiative, plan, or activity
• If an administrator were asked, “What level of attack success and
loss are you willing to accept for a particular system?,” the answer
would provide insight into the risk threshold for that system, as well
as that for the data it stores and processes
• If the answer to the question was “absolutely none,” the
administrator would have a zero tolerance risk exposure for the
system, and would require the highest level of protection