
A Quantitative Model for Information Security Risk Assessment-presentation


Page 1: A Quantitative Model for Information Security Risk Assessment-presentation

8/8/2019 A Quantitative Model for Information Security Risk Assessment-presentation

http://slidepdf.com/reader/full/a-quantitative-model-for-information-security-risk-assessment-presentation 1/39

A QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK ASSESSMENT

BITS ZG629T: Dissertation

By HARIHARAN M (2007HZ12033)

Dissertation work carried out at SAMTEL GROUP, New Delhi


ISO Standard on Information Security

Information security management systems — Requirements (ISO/IEC 27001)
Code of practice for information security management


Information Security Risk Assessment


Risk Analysis

ISO/IEC 27001:2005. Information security management systems -- Requirements, 2005, from: www.iso.org.


Quantitative Risk Assessment


Qualitative Risk Assessment


CURRENT RESEARCH


PROPOSED QUANTITATIVE MODEL

Basic Building Blocks


Information Security Triad

ISO/IEC 27001:2005. Information security management systems -- Requirements, 2005, from: www.iso.org.

Confidentiality: that the assets of the system are only accessed by authorized parties.
Integrity: that the assets of the system can be modified by authorized parties only, and in authorized ways.
Availability: that the assets of a system are always available to the authorized parties.


Based on Principles of Software Architecture


IT Infrastructure Library V3 – Service Oriented Approach


PROPOSED QUANTITATIVE MODEL

Availability Risk Assessment


Service Oriented Approach


Service Catalogue thru Use Case


Components of a Service

[Diagram: the components of the e-mail service, shown as a chain from the Internet through the Data Centre LAN to the client]

Internet
Data Centre LAN
Server – Mail Gateway Server: SMTP Server on its Operating System (incoming & outgoing message delivery)
Server – Mail HUB Server: Mail Transport Server on its Operating System (message delivery)
Server – Mail Database Server in HA Cluster: Mail Store Server on its Operating System (Mail Storage Server in High Availability Mode)
Server – Directory Server: LDAP Server on its Operating System (Directory Service, User Management)
Client – Computer: E-mail Client on its Operating System


MTBF


Component-wise MTBF
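The slides assign one MTBF and one MTTR to each service as a whole. A component-wise view composes the chain drawn on the Components of a Service slide: the service is up only when every component in the chain is up, and a high-availability pair is down only when both nodes are down. The following is an added example, not code from the dissertation; the MTBF/MTTR figures for each component are constructed for illustration (chosen from the ranges the slides use) and are not measured data. It goes one step beyond the slides by ranking the components by their contribution to unavailability.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One building block of a service, with its own failure and repair figures."""
    name: str
    mtbf_hrs: float
    mttr_hrs: float
    copies: int = 1  # >1 models an HA pair/cluster of identical, independent nodes

    def node_availability(self) -> float:
        # Inherent availability of a single node: up-time over total time
        return self.mtbf_hrs / (self.mtbf_hrs + self.mttr_hrs)

    def availability(self) -> float:
        # A redundant group is down only when every copy is down at once.
        # Independence is assumed, which ignores common-mode faults such as a shared power feed.
        return 1.0 - (1.0 - self.node_availability()) ** self.copies


def series_availability(components: list[Component]) -> float:
    """The service is up only if every component in the chain is up."""
    a = 1.0
    for c in components:
        a *= c.availability()
    return a


def weakest_links(components: list[Component], n: int = 3) -> list[str]:
    """Components with the lowest availability, i.e. where mitigation pays off first."""
    ranked = sorted(components, key=lambda c: c.availability())
    return [c.name for c in ranked[:n]]


def downtime_hrs_per_year(availability: float) -> float:
    return 8760.0 * (1.0 - availability)


# Constructed figures for the e-mail service chain on the "Components of a Service" slide.
# The MTBF/MTTR values are illustrative assumptions, not measured data.
EMAIL_SERVICE = [
    Component("Internet link", mtbf_hrs=2190.0, mttr_hrs=24.0),
    Component("Data Centre LAN", mtbf_hrs=4380.0, mttr_hrs=1.0),
    Component("Mail Gateway Server (SMTP)", mtbf_hrs=4380.0, mttr_hrs=8.0),
    Component("Mail Transport / HUB Server", mtbf_hrs=4380.0, mttr_hrs=8.0),
    Component("Mail Store Server (HA cluster)", mtbf_hrs=4380.0, mttr_hrs=16.0, copies=2),
    Component("Directory Service (LDAP)", mtbf_hrs=4380.0, mttr_hrs=4.0),
    Component("Client computer + e-mail client", mtbf_hrs=4380.0, mttr_hrs=4.0),
]


def email_service_report() -> dict:
    """End-to-end availability of the chain plus the components to fix first."""
    a = series_availability(EMAIL_SERVICE)
    return {
        "availability_pct": round(100.0 * a, 3),
        "downtime_hrs_per_year": round(downtime_hrs_per_year(a), 1),
        "weakest_links": weakest_links(EMAIL_SERVICE),
    }


if __name__ == "__main__":
    print(email_service_report())
```

With these constructed figures the chain lands near 98.35 % even though every server is above 99.8 %, because the Internet link dominates; the HA mail store contributes almost nothing to unavailability. That is the practical point of a component-wise MTBF: the service figure is bounded by its weakest link, and redundancy only helps where that link is.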


MTTR 


What determines Availability


How to Measure


Maturity Model for Measurement


System Maturity Levels


MTBF Matrix


Support Maturity Level


MTBF and MTTR matrix (values in hrs)

Rows: System Architecture Maturity. Columns: MTTR for Support Architecture Maturity levels 1 to 5.

System Architecture Maturity              Level  MTBF    MTTR @1  MTTR @2  MTTR @3  MTTR @4  MTTR @5
Ad Hoc (Single System)                    1      4380    48.00    24.00    16.00    8.00     4.00
Repeatable (Standby can be arranged)      2      4380    24.00    16.00    8.00     4.00     2.00
Defined (Standby part of Landscape)       3      4380    8.00     4.00     2.00     1.00     1.00
Managed (High Availability Environment)   4      26280   0.10     0.10     0.10     0.10     0.10
Optimised (could not be defined)          5      -       -        -        -        -        -


Service-wise Maturity Assessment

Service Catalogue                  System Maturity Level  Support Maturity Level
e-mail Access via Outlook          3                      4
Blackberry Service                 2                      2
Video Conferencing                 1                      1
Internet Browsing                  2                      3
Corporate Intranet                 2                      3
Outlook Web Access                 2                      3
Customer Subscription (CRM)        3                      3
Payroll and PF Trust Accounting    3                      2


Availability Risk Assessment

MTBF and MTTR in hrs, read from the MTBF and MTTR matrix for the service's maturity pair. Availability % = 100 x MTBF / (MTBF + MTTR).

Service Catalogue                  System Maturity Level  Support Maturity Level  MTBF   MTTR   Availability %
e-mail Access via Outlook          3                      4                       4380   1.00   99.977
Blackberry Service                 2                      2                       4380   16.00  99.636
Video Conferencing                 1                      1                       4380   48.00  98.916
Internet Browsing                  2                      3                       4380   8.00   99.818
Corporate Intranet                 2                      3                       4380   8.00   99.818
Outlook Web Access                 2                      3                       4380   8.00   99.818
Customer Subscription (CRM)        3                      3                       4380   2.00   99.954
Payroll and PF Trust Accounting    3                      2                       4380   4.00   99.909


CASE STUDY

IT Performance Reporting


IT Performance MIS

[Chart: PeopleSoft CRM and PeopleSoft SCM monthly availability (%) against the COMMITTED SLA, Apr to Feb; y-axis 95.50 to 100.50]

SCM down time:
15.06.09 – 1 hr 4 m
16.06.09 – 16 hr 10 m
SCM users experienced slowdown/outages for 10 hrs
CRM users experienced slowdown/outages for 7 hrs
SCM users experienced slowdown/outages for 13 hrs

Service Availability Measures

Service          # of Single Point Failure  MTBF (hrs)  MTTR (hrs)  Capability Index  Support Maturity  Infrastructure Maturity  Availability Risk Level
PeopleSoft ERP   1                          4380.00     16.00       99.64             3                 1                        MEDIUM


IT Performance MIS

Service Availability Measures

Service                        # of Single Point Failure  MTBF (hrs)  MTTR (hrs)  Capability Index  Support Maturity  Infrastructure Maturity  Availability Risk Level
Internet Bandwidth (Browsing)  2                          2190.00     24          98.92             2                 1                        HIGH

[Chart: Internet Bandwidth (Browsing) monthly availability (%) against the COMMITTED SLA, Apr to Feb; y-axis 81.00 to 99.00; lowest point 92.26, outages recorded for 2 days 5 hrs]


IT Performance MIS

Service Availability Measures

Service  # of Single Point Failure  MTBF (hrs)  MTTR (hrs)  Capability Index  Support Maturity  Infrastructure Maturity  Availability Risk Level
DMS      -                          4380.00     4.00        99.91             2                 3                        LOW

[Chart: Archival Syndication (DMS, Quark) monthly availability (%) against the COMMITTED SLA, Apr to Feb; y-axis 95.50 to 100.50; outages: 7 incidents due to h/w fault]


IT Performance MIS

Risk Index = Inverse (System Maturity Level) x Inverse (Support Maturity Level)

Risk Value:
1 to 10 -> No Risk
11 to 15 -> Low Risk
16 to 20 -> Medium Risk
More than 20 -> High Risk
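The Availability Risk Assessment table and the Risk Index above are the model's two computations: look up MTBF and MTTR from the maturity pair, derive availability, and band the risk. The following is an added example that implements both, not code from the dissertation. The matrix values, service catalogue and risk bands are copied from the slides; the "Inverse" of a maturity level is not defined on the slides, so the example assumes it is 6 minus the level on the 1..5 scale (an assumption that reproduces the DMS row; how the other case-study rows were banded is not shown). It also adds expected downtime per year, which the slides do not show.

```python
from __future__ import annotations

# MTBF (hrs) and MTTR (hrs) from the "MTBF and MTTR matrix" slide.
# Row key: system architecture maturity level (1-4; level 5 is undefined on the slide).
# Column index: support architecture maturity level 1-5.
MTBF_HRS = {1: 4380.0, 2: 4380.0, 3: 4380.0, 4: 26280.0}
MTTR_HRS = {
    1: (48.0, 24.0, 16.0, 8.0, 4.0),    # Ad Hoc (single system)
    2: (24.0, 16.0, 8.0, 4.0, 2.0),     # Repeatable (standby can be arranged)
    3: (8.0, 4.0, 2.0, 1.0, 1.0),       # Defined (standby part of landscape)
    4: (0.10, 0.10, 0.10, 0.10, 0.10),  # Managed (high availability environment)
}
HOURS_PER_YEAR = 8760.0


def lookup_mtbf_mttr(system_level: int, support_level: int) -> tuple[float, float]:
    """Return (MTBF, MTTR) in hours for a maturity pair; reject levels the matrix lacks."""
    if system_level not in MTTR_HRS:
        raise ValueError(f"no MTBF/MTTR row for system maturity level {system_level}")
    if not 1 <= support_level <= 5:
        raise ValueError(f"support maturity level must be 1..5, got {support_level}")
    return MTBF_HRS[system_level], MTTR_HRS[system_level][support_level - 1]


def availability_pct(mtbf_hrs: float, mttr_hrs: float) -> float:
    """Inherent availability: fraction of time the service is up, as a percentage."""
    return 100.0 * mtbf_hrs / (mtbf_hrs + mttr_hrs)


def expected_downtime_hrs_per_year(mtbf_hrs: float, mttr_hrs: float) -> float:
    """Unavailability expressed as hours lost per year (not on the slides)."""
    return HOURS_PER_YEAR * mttr_hrs / (mtbf_hrs + mttr_hrs)


def risk_index(system_level: int, support_level: int) -> int:
    """Risk Index = Inverse(system level) x Inverse(support level).
    ASSUMPTION: the slide does not define Inverse; here it is 6 - level on the
    1..5 scale, so the least mature pair (1, 1) scores the maximum of 25."""
    for level in (system_level, support_level):
        if not 1 <= level <= 5:
            raise ValueError(f"maturity level must be 1..5, got {level}")
    return (6 - system_level) * (6 - support_level)


def risk_band(index: int) -> str:
    """Map a risk index to the bands given on the slide."""
    if index <= 10:
        return "No Risk"
    if index <= 15:
        return "Low Risk"
    if index <= 20:
        return "Medium Risk"
    return "High Risk"


def assess(service: str, system_level: int, support_level: int) -> dict:
    """Produce the row the slides show for one service, plus downtime and risk band."""
    mtbf, mttr = lookup_mtbf_mttr(system_level, support_level)
    index = risk_index(system_level, support_level)
    return {
        "service": service,
        "system_level": system_level,
        "support_level": support_level,
        "mtbf_hrs": mtbf,
        "mttr_hrs": mttr,
        "availability_pct": round(availability_pct(mtbf, mttr), 3),
        "downtime_hrs_per_year": round(expected_downtime_hrs_per_year(mtbf, mttr), 1),
        "risk_index": index,
        "risk_band": risk_band(index),
    }


# Service catalogue and maturity levels from the "Service-wise Maturity Assessment" slide.
SERVICE_CATALOGUE = [
    ("e-mail Access via Outlook", 3, 4),
    ("Blackberry Service", 2, 2),
    ("Video Conferencing", 1, 1),
    ("Internet Browsing", 2, 3),
    ("Corporate Intranet", 2, 3),
    ("Outlook Web Access", 2, 3),
    ("Customer Subscription (CRM)", 3, 3),
    ("Payroll and PF Trust Accounting", 3, 2),
]


def assess_catalogue(catalogue=SERVICE_CATALOGUE) -> list[dict]:
    """Assess every service, worst availability first, so mitigation effort is prioritised."""
    rows = [assess(*entry) for entry in catalogue]
    return sorted(rows, key=lambda r: r["availability_pct"])


if __name__ == "__main__":
    for row in assess_catalogue():
        print(f"{row['service']:<32} MTTR {row['mttr_hrs']:>5.2f} h  "
              f"avail {row['availability_pct']:.3f}%  ~{row['downtime_hrs_per_year']:.1f} h/yr down  "
              f"{row['risk_band']}")
```

Running the catalogue reproduces the availability column of the Availability Risk Assessment slide exactly (e-mail 99.977 %, Blackberry 99.636 %, Video Conferencing 98.916 %, and so on). The downtime figure is the one to show management: 99.636 % reads well until it is restated as roughly 32 hours of Blackberry outage a year. The lookup refuses system maturity level 5 rather than silently returning a value, because the slide leaves that row undefined.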


CONCLUSION


Conclusion

A quantitative model that does not rely on financial valuation of assets.

Provides prescriptive inputs for risk mitigation.

Creates a baseline for measurement of IT performance.

Can be used for new or proposed systems.


THANK YOU