Information Security Risk Assessment Basics

8/6/2019 Information Security Risk Assessment Basics(1)



The need for an information security program

Good corporate governance


    Terminology

Information assets: information or data that is of value to the organization.

Characteristics:

They are recognized to be of value to the organization.

They are not easily replaceable without cost, skill, time, resources or a combination of these.

They form a part of the organization's corporate identity, without which the organization may be threatened.

Their data classification would normally be Proprietary, Highly Confidential or even Top Secret.


    Terminology

An information security incident is an event which appears to be a breach of the organization's information security safeguards.

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.

A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.


    Terminology

Threat: the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-source: either (1) intent and method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability.

Threat-source identification:

Natural threats

Human threats

Environmental threats


    Terminology

Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.


    Threats

Imposition of legal and regulatory obligations

Organized crime or terrorist groups

Cyber-criminals, malware authors

Phishers, spammers

Negligent staff

Storms, tornadoes, floods (acts of nature)

Fraudsters, hackers, saboteurs

Accidental disclosure, intentional alteration of data

Unethical competitors

Disgruntled/untrained/ignorant employees

Unauthorized access to or modification or disclosure of information assets

Technical advances


Vulnerabilities

Software bugs and design flaws

Complexity in IT

Inadequate investment in appropriate information security controls

Insufficient attention to human factors in system design and implementation

Unwarranted confidence

Ignorance, carelessness, negligence

Poor or missing governance

Frequent change in the business

Inadequate contingency planning

Legacy systems

Bugs in microprocessor designs and microcode

Lack of will, concern and ability to impress the need for information security


    Information security impacts

Disruption to organizational routines and processes

Direct financial losses

Decrease in shareholder value

Loss of privacy

Reputational damage

Loss of confidence in IT

Jail time, fines, suspension of licenses

Expenditure on information security controls

Replacement costs

Loss of competitive advantage

Reduced profitability, growth and bonuses

Impaired growth due to inflexible or overly complex infrastructure, system and application environments

Injury or loss of life if safety-critical systems fail

Global thermonuclear war


Information security risks

Theft of personal data by criminals, or loss of laptops

Information leakage, extraction or loss of valuable private information

Social engineering/pretexting

Environmental disasters

Poor information security studies and assessments

Deception, including frauds

Endangerment

Unauthorized exploitation of intellectual property


Unanimous core security practices

    Security Responsibility

    Risk Management

    Risk Assessment

    Network Security

    Security Awareness Training

    Incident Management


    Majority Core Security Practices

    Information Security Policies

    Access Control

Physical Security

BCP and DRP

    Secure Development Life Cycle

    Accountability

    Secure Media Handling

    Oversight of third parties


    Security Risk Assessment

Measures the strength of the overall security program

Four stages of risk management:

Security risk assessment

Test and review

Risk mitigation

Operational security


    Need for Security Risk Assessment

    Checks and Balances

    Periodic Review

    Risk based spending

    Requirement


    Secondary benefits

Transfer of knowledge from the security assessment team to the organization's staff

Increased communication regarding security among business units

Increased security awareness within the organization

Results of the security risk assessment may be used as a measure of security posture and compared to previous and future results


    Related Activities

    Gap Assessment

    Compliance Audit

Security Audit

Vulnerability scanning

    Penetration testing

    Ad hoc testing

    Social Engineering

    Wardialing


Caselets


    Generic phases of Risk Assessment

Phase 1: Project Definition

Phase 2: Project Preparation

Phase 3: Data Gathering

Phase 4: Risk Analysis

Phase 5: Risk Mitigation

Phase 6: Risk Reporting and Resolution


Phase 1: Project Definition

    Project Scope

    Budget

    Objective

    Assets

    Controls

    Boundaries


Phase 2: Project Preparation

Team Preparation

Select team

Introduce team

Project preparation

Obtain permission

    Review business mission

    Identify critical systems

    Map assets

    Identify threats

    Determine expected controls


Phase 3: Data Gathering

Administrative:

Policy review

Procedure review

Training review

Organization review

Interviews

Observation

Technical:

Design review

Configuration review

Architectural review

Security testing

Physical:

Policy review

Procedure review

Observation

Inspection


Phase 4: Risk Analysis

Determine risk:

Asset valuation

Threat and vulnerability mapping

Threat agents:

Nature

Employees

Malicious hackers

Industrial spies

Foreign government spies

Threats:

Errors and omissions

Fraud and theft

Sabotage

Loss of physical and infrastructure support

Espionage

Malicious code

Disclosure


    Vulnerabilities

    Security risk

    Calculate risk

    Create risk statements

    Obtain team consensus
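A worked version of the Phase 4 steps above (asset valuation, threat and vulnerability mapping, risk calculation, risk statements), applying the definition of risk as a function of likelihood and impact given in the Terminology section. This is an added example, not part of the original slides. The likelihood weights, impact values and High/Medium/Low thresholds are the risk-level matrix from NIST SP 800-30 (2002), whose wording for threat, threat-source and risk the slides quote; the rule that derives likelihood from threat-source capability and control effectiveness is this example's own simplification of that document's three-level likelihood description, and every asset, threat, vulnerability and rating below is constructed sample data.

```python
"""Risk register calculation for the Phase 4 steps: asset valuation, threat and
vulnerability mapping, risk calculation and risk statements.

Added example, not from the original slides. Likelihood weights, impact values and
the High/Medium/Low thresholds follow the risk-level matrix in NIST SP 800-30 (2002).
The rule for deriving likelihood from threat-source capability and control
effectiveness is this example's own simplification of that document's three-level
likelihood description. All findings below are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")                            # ordinal scale used throughout
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # NIST SP 800-30 risk-level matrix
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}         # NIST SP 800-30 risk-level matrix


@dataclass(frozen=True)
class Finding:
    """One asset / threat-source / threat / vulnerability tuple from the mapping step."""
    asset: str
    asset_value: str            # asset valuation: High, Medium or Low
    threat_source: str          # threat agent, e.g. "Malicious hackers"
    threat: str                 # threat exercised, e.g. "Disclosure"
    vulnerability: str
    source_capability: str      # motivation and capability of the threat-source
    control_effectiveness: str  # how well the controls in place impede exploitation


@dataclass(frozen=True)
class RiskResult:
    finding: Finding
    likelihood: str
    impact: str
    score: float
    level: str
    statement: str


def rate_likelihood(source_capability: str, control_effectiveness: str) -> str:
    """Likelihood that the threat-source exercises the vulnerability.

    Example's own rule (a simplification of the NIST High/Medium/Low descriptions):
    start one step above the source's capability, to err on the conservative side,
    then lower it one step per level of control effectiveness (Low=0, Medium=1,
    High=2), clamped to the scale. High capability against Low controls stays High;
    against High controls it drops to Medium; Medium against Medium is Medium.
    """
    cap = LEVELS.index(source_capability)
    ctrl = LEVELS.index(control_effectiveness)
    return LEVELS[max(0, min(2, cap + 1 - ctrl))]


def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: Low 1 to 10, Medium >10 to 50, High >50 to 100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(finding: Finding) -> RiskResult:
    """Calculate risk for one finding and phrase it as a risk statement."""
    likelihood = rate_likelihood(finding.source_capability, finding.control_effectiveness)
    impact = finding.asset_value  # simplification: magnitude of harm taken from asset valuation
    score = round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_VALUE[impact], 1)
    level = risk_level(score)
    statement = (
        f"{finding.threat_source} may exploit '{finding.vulnerability}' on "
        f"{finding.asset} to cause {finding.threat.lower()} "
        f"(likelihood {likelihood}, impact {impact}): {level} risk, score {score:g}."
    )
    return RiskResult(finding, likelihood, impact, score, level, statement)


def build_register(findings) -> list:
    """Risk register ordered highest score first, the shape a team reviews for consensus."""
    return sorted((assess(f) for f in findings), key=lambda r: r.score, reverse=True)


# Constructed sample findings (not from the slides); threat agents and threats
# reuse the categories listed on the Phase 4 slide.
SAMPLE_FINDINGS = (
    Finding("Customer database", "High", "Malicious hackers", "Disclosure",
            "Unpatched SQL injection in the web front end", "High", "Low"),
    Finding("Payroll file server", "High", "Employees", "Errors and omissions",
            "No approval step before bulk salary edits", "Medium", "Medium"),
    Finding("Office print server", "Low", "Nature", "Loss of physical and infrastructure support",
            "Single power feed with no UPS", "Medium", "Low"),
    Finding("Off-site backup tapes", "Medium", "Industrial spies", "Espionage",
            "Tapes stored unencrypted", "Low", "Medium"),
)

if __name__ == "__main__":
    for result in build_register(SAMPLE_FINDINGS):
        print(result.statement)
```

The third sample finding is the one worth noticing: its likelihood is High but the asset is of Low value, so the score of 10 lands at Low risk, which is the point of multiplying likelihood by impact rather than ranking on either alone. The register is only the input to the last step on the slide; the team still has to read each statement and agree or adjust the ratings.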


Phase 6: Risk Reporting and Resolution

Risk Resolution

The decision by senior management on how to resolve the risk presented to them:

    Risk reduction

    Risk acceptance

    Risk transference