Information Security Risk Assessment Basics

This document provides an overview of information security risk assessment basics. It defines key terminology related to information assets, security incidents, vulnerabilities, threats, and risks. It then outlines the generic phases of a risk assessment process including project definition, preparation, data gathering, analysis, mitigation, and reporting. The goal of a security risk assessment is to measure the strength of an organization's overall security program and identify risks to address.
Copyright
© Attribution Non-Commercial (BY-NC)
The need for an information security program

- Good corporate governance

Terminology
Information assets: information or data that is of value to the organization. Characteristics:
- They are recognized to be of value to the organization.
- They are not easily replaceable without cost, skill, time, resources or a combination of these.
- They form a part of the organization's corporate identity, without which the organization may be threatened.
- Their data classification would normally be Proprietary, Highly Confidential or even Top Secret.

Terminology
An Information Security incident is an event which appears to be a breach of the organization's Information Security safeguards.
A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements:
- a system susceptibility or flaw,
- attacker access to the flaw, and
- attacker capability to exploit the flaw.

Terminology
Threat: the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Threat-source: either (1) intent and method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability.
Threat-source identification:
- Natural threats
- Human threats
- Environmental threats

Terminology
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.

Threats
- Imposition of legal and regulatory obligations
- Organized crime or terrorist groups
- Cyber-criminals, malware authors
- Phishers, spammers
- Negligent staff
- Storms, tornadoes, floods (acts of nature)
- Fraudsters, hackers, saboteurs
- Accidental disclosure, intentional alteration of data
- Unethical competitors
- Disgruntled/untrained/ignorant employees
- Unauthorized access to, modification of or disclosure of information assets
- Technical advances

Vulnerabilities
- Software bugs and design flaws
- Complexity in IT
- Inadequate investment in appropriate information security controls
- Insufficient attention to human factors in system design and implementation
- Unwarranted confidence
- Ignorance, carelessness, negligence
- Poor or missing governance
- Frequent change in the business
- Inadequate contingency planning
- Legacy systems
- Bugs in microprocessor designs and microcode
- Lack of will, concern and ability to impress the need for information security

Information security impacts

- Disruption to organizational routines and processes
- Direct financial losses
- Decrease in shareholder value
- Loss of privacy
- Reputational damage
- Loss of confidence in IT
- Jail time, fines, suspension of licenses
- Expenditure on information security controls
- Replacement costs
- Loss of competitive advantage
- Reduced profitability, growth and bonuses
- Impaired growth due to inflexible or overly complex infrastructure, system and application environments
- Injury or loss of life if safety-critical systems fail
- Global thermonuclear war

Information security risks

- Theft of personal data by criminals, or loss of laptops
- Information leakage, extraction or loss of valuable private information
- Social engineering/pretexting
- Environmental disasters
- Poor information security studies and assessments
- Deception, including frauds
- Endangerment
- Unauthorized exploitation of intellectual property

Unanimous core security practices

- Security responsibility
- Risk management
- Risk assessment
- Network security
- Security awareness training
- Incident management

Majority core security practices

- Information security policies
- Access control
- Physical security
- BCP and DRP
- Secure development life cycle
- Accountability
- Secure media handling
- Oversight of third parties

Security risk assessment

Measures the strength of the overall security program. The four stages of risk management:
- Security risk assessment
- Test and review
- Risk mitigation
- Operational security

Need for security risk assessment

- Checks and balances
- Periodic review
- Risk-based spending
- Requirement

Secondary benefits
- Transfer of knowledge from the security assessment team to the organization's staff
- Increased communication regarding security among business units
- Increased security awareness within the organization
- Results of the security risk assessment may be used as a measure of security posture and compared with previous and future results

Related activities
- Gap assessment
- Compliance audit
- Security audit
- Vulnerability scanning
- Penetration testing
- Ad hoc testing
- Social engineering
- Wardialing

Caselets

Generic phases of risk assessment

- Phase 1: Project definition
- Phase 2: Project preparation
- Phase 3: Data gathering
- Phase 4: Risk analysis
- Phase 5: Risk mitigation
- Phase 6: Risk reporting and resolution

Phase 1: Project definition

Project scope:
- Budget
- Objective
- Assets
- Controls
- Boundaries

Phase 2: Project preparation

Team preparation:
- Select team
- Introduce team

Project preparation:
- Obtain permission
- Review business mission
- Identify critical systems
- Map assets
- Identify threats
- Determine expected controls

Phase 3: Data gathering

Administration:
- Policy review
- Procedure review
- Training review
- Organization review
- Interviews
- Observation

Technical:
- Design review
- Configuration review
- Architectural review
- Security testing

Physical:
- Policy review
- Procedure review
- Observation
- Inspection

Phase 4: Risk analysis

Determine risk:
- Asset valuation
- Threat and vulnerability mapping

Threat agents:
- Nature
- Employees
- Malicious hackers
- Industrial spies
- Foreign government spies
- Errors and omissions
- Fraud and theft
- Sabotage
- Loss of physical and infrastructure support
- Espionage
- Malicious code
- Disclosure

Threats + Vulnerabilities -> Security risk

- Calculate risk
- Create risk statements
- Obtain team consensus

Phase 5: Risk mitigation

Safeguards
A technique, activity or technology employed to reduce the risk to the organization's assets. Safeguards are:
- Preventative
- Detective
- Corrective

Residual security risk

The security risk that remains after implementation of recommended safeguards.
- Static risk
- Dynamic risk
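The risk definition under Terminology (risk as a function of a threat-source's likelihood and the resulting impact), the "Calculate risk" and "Create risk statements" steps of Phase 4, and the residual risk of Phase 5 can be worked through together in code. The following is an added example written for this page, not material from the original deck. It uses the likelihood and impact weights of the example risk-level matrix in NIST SP 800-30, whose wording the deck's threat and risk definitions follow (likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; risk High above 50, Medium above 10, otherwise Low). The rule that a preventative safeguard lowers likelihood one step while a detective or corrective safeguard lowers impact one step is an assumption made here for illustration, and the assets, threat sources, vulnerabilities and safeguards in the register are constructed.

```python
from dataclasses import dataclass, field

# Qualitative scales. The numeric weights are those of the example
# risk-level matrix in NIST SP 800-30: risk = likelihood x impact.
LEVELS = ["Low", "Medium", "High"]
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(score: float) -> str:
    """Map a likelihood x impact product onto the NIST SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def calculate_risk(likelihood: str, impact: str) -> tuple[float, str]:
    """Risk as a function of likelihood and impact (the deck's definition)."""
    score = round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 2)
    return score, risk_level(score)


def step_down(level: str) -> str:
    """Lower a qualitative level by one step, never below Low."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


@dataclass
class Safeguard:
    name: str
    kind: str  # "Preventative", "Detective" or "Corrective", the deck's taxonomy


@dataclass
class RiskItem:
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str
    safeguards: list[Safeguard] = field(default_factory=list)

    def inherent(self) -> tuple[float, str]:
        """Risk before any recommended safeguard is applied."""
        return calculate_risk(self.likelihood, self.impact)

    def residual(self) -> tuple[float, str]:
        """Risk remaining after the recommended safeguards.

        Assumed modelling rule (not from the deck): each preventative safeguard
        lowers likelihood one step; each detective or corrective safeguard
        lowers impact one step, since it shortens or limits the damage.
        """
        likelihood, impact = self.likelihood, self.impact
        for s in self.safeguards:
            if s.kind == "Preventative":
                likelihood = step_down(likelihood)
            else:
                impact = step_down(impact)
        return calculate_risk(likelihood, impact)

    def statement(self) -> str:
        """A risk statement in threat-source / vulnerability / impact form."""
        score, level = self.inherent()
        res_score, res_level = self.residual()
        return (f"{self.threat_source} may exploit '{self.vulnerability}' on "
                f"{self.asset}: likelihood {self.likelihood}, impact {self.impact}, "
                f"risk {level} ({score:g}); residual {res_level} ({res_score:g})")


def rank_register(items: list[RiskItem]) -> list[str]:
    """Risk statements ordered from highest to lowest inherent score."""
    ranked = sorted(items, key=lambda i: i.inherent()[0], reverse=True)
    return [i.statement() for i in ranked]


# Constructed sample register: hypothetical assets, findings and safeguards.
SAMPLE_REGISTER = [
    RiskItem("Payment server", "Malware authors", "unpatched legacy operating system",
             "High", "High",
             [Safeguard("Monthly patch cycle", "Preventative"),
              Safeguard("Tested backups and restore plan", "Corrective")]),
    RiskItem("Sales laptops", "Thieves", "customer data on unencrypted disks",
             "Medium", "High",
             [Safeguard("Full-disk encryption", "Preventative")]),
    RiskItem("HR file share", "Negligent staff", "accidental disclosure via open permissions",
             "Medium", "Medium",
             [Safeguard("Access-attempt alerting", "Detective")]),
]

if __name__ == "__main__":
    for line in rank_register(SAMPLE_REGISTER):
        print(line)
```

Running the block prints the register as ranked risk statements; the payment server scores 100 (High) before safeguards and 25 (Medium) after, which is exactly the static-versus-dynamic distinction the slide draws: the recorded rating only holds while the assumed safeguards stay in place.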

Phase 6: Risk reporting and resolution

Risk resolution
The decision by senior management on how to resolve the risk presented to them:
- Risk reduction
- Risk acceptance
- Risk transference
