Security Risk Assessment



Similar documents
CMS Information Security Risk Assessment (RA) Methodology

ITIL and Business Continuity (Service Perspective)

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Nine Steps to Smart Security for Small Businesses

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

Performing Effective Risk Assessments Dos and Don ts

Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

Ohio Supercomputer Center

identify hazards, analyze or evaluate the risk associated with that hazard, and determine appropriate ways to eliminate or control the hazard.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Toronto Public Library Disaster Recovery recommended safeguards and controls

ISO Controls and Objectives

Overview of how to test a. Business Continuity Plan

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

UoB Risk Assessment Methodology

Ensuring security the last barrier to Cloud adoption

John Essner, CISO Office of Information Technology State of New Jersey

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

Prepared by Rod Davis, ABCP, MCSA November, 2011

RiskManagement ESIEE 06/03/2012. Aloysius John March 2012

External Supplier Control Requirements

Preparing for the HIPAA Security Rule

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Security COMPLIANCE Checklist For Employers

Managing IT Security with Penetration Testing

HIPAA Security Alert

MaximumOnTM. Bringing High Availability to a New Level. Introducing the Comm100 Live Chat Patent Pending MaximumOn TM Technology

Information Security Team

Chapter 6: Fundamental Cloud Security

Disaster Prevention and Recovery for School System Technology

Guidelines 1 on Information Technology Security

G-Cloud Definition of Services Security Penetration Testing

Is Your IT Environment Secure? November 18, Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Where every interaction matters.

MEDICAL DEVICE Cybersecurity.

Music Recording Studio Security Program Security Assessment Version 1.1

PHYSICAL SECURITY. A Primer and a Story of Why it s Necessary

HOW SAFE IS YOUR DATA??

Business Continuity Planning Guide

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

UF Risk IT Assessment Guidelines

ISO27001 Controls and Objectives

Is online backup right for your business? Eight reasons to consider protecting your data with a hybrid backup solution

Business Continuity Planning. Presentation and. Direction

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

Version: 3.0. Effective From: 19/06/2014

Risk Analysis and Risk Management

Security Risk Assessment Tool

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

HP Security Assessment Services

RISK ASSESSMENT On IT Infrastructure Mr Pradhan P L & Prof P K Meher

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Analyzing Risks in Healthcare. February 12, 2014

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Security Controls Implementation Plan

White Paper. Information Security -- Network Assessment

Cybersecurity Awareness. Part 1

Risk Management Handbook

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Disaster Recovery Plan

How To Assess Risk On A Trust Service Provider

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

AUTOMATED PENETRATION TESTING PRODUCTS

CPNI VIEWPOINT 02/2010 PROTECTION OF DATA CENTRES

AUTOMATED PENETRATION TESTING PRODUCTS

Risk Management Guide

HIPAA: Compliance Essentials

Practical Overview on responsibilities of Data Protection Officers. Security measures

Privacy & Security Crash Course: How Do I Do a Risk Assessment?

Information Security Management: Understanding ISO 17799

Information security risk management using ISO/IEC 27005:2008

Information Security Awareness Training

Technology Risk Management

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

SECURITY RISK MANAGEMENT

Risk Management. Januari, 28/29th th CENTR Security Workshop Brussels Bert ten Brinke

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

Transcription:

Security Risk Assessment Applied Risk Management July 2002

What is Risk? Risk is: Something that creates a hazard A cost of doing business Risk can never be eliminated, merely reduced to an acceptable level

Risk Management Allocation of resources based upon informed choice To manage risk you must: Understand what must be protected Understand the hostile environment Understand the limits of your control Understand the consequences Risk can then be quantified, prioritized, and lowered to an acceptable level

The Elements of Risk Risk includes the following three elements: Asset: the entity requiring protection Threat: the event creating the hostile environment Vulnerability: a deficiency creating the hazard ( Assets may have multiple threats and vulnerabilities ) Threats exploit vulnerabilities to harm an asset

The Security Domain The security domain defines limits to organizational control The Security Domain: Is defined by physical and logical perimeter boundaries Physical walls and fences External router/firewall interfaces Includes assets that are by definition controllable Establishes scope of Threat Analysis

Risk Strategies Risk may be: Mitigated by the deployment of countermeasures Transferred via insurance or assignment Accepted when the cost of protection exceeds harm Strategy selection is based upon Cost Benefit Analysis

The Security Risk Assessment Applied Risk Management The Security Risk Assessment is: A method to identify and understand limits to organizational control (scope) A tool to identify organizational assets, threats, and vulnerabilities (threat analysis) A process to quantify hazards based upon probability and harm (risk prioritization) A means to justify risk management strategies and allocation of assets (cost benefit analysis)

Risk Assessment Process Define Security Domain Identify assets Identify threats Identify vulnerabilities Determine probability Determine harm Calculate risk Risk may now be managed

Assets That which is of value to the organization Tangible Assets Buildings Employees Data processing equipment Intangible Assets Intellectual property Goodwill

Threats Realistic events with potential harm Natural Threats Acts of God Accidental Threats Worker Illness Equipment Failure Intentional Threats Asset Theft Asset Tampering

Vulnerabilities The chinks in the armor Vulnerabilities may be found in: Location Skills Continuity planning Access controls Network monitoring

Probability Frequency in which threat will exploit vulnerability independent of harm Probability of each asset/threat/vulnerability combination should be quantified Probability Negligible Very Low Low Medium High Very High Extreme Definition Unlikely to occur 2-3 times every 5 years <= once per year <= once every 6 months <= once per month => once per month => once per day Scale 0 1 2 3 4 5 6

Harm Impact if threat exploits vulnerability independent of probability Harm of each asset/threat/vulnerability combination should be quantified Harm Insignificant Minor Significant Damaging Serious Grave Definition No impact No extra effort required to repair Tangible harm / extra effort required to repair Significant expenditure of resources required Damage to reputation and confidence Extended outage and / or loss of connectivity Compromise of large amounts of data or service Permanent shutdown Complete compromise Scale 0 1 2 3 4 5

Risk = Probability X Harm Quantification based on both frequency and impact Risk of each asset/threat/vulnerability combination should be calculated Scale 0 1-3 4-7 8-14 15-19 20-30 Definition NIL Low Medium High Critical Extreme

Example Matrix Asset Threat Vulnerability Prob Harm Risk Control Data Center flood Proximity to river 0 5 NIL Not in 100 year flood plain System Administrator Absence Lack of cross training 4 2 HIGH No funding. Risk accepted Web Server Disk crash Insufficient backup 2 3 MEDIUM Daily data backup. Spare hardware onsite Research work theft Communication channel security 1 4 MEDIUM Data Protection Standard requires encryption for external communications. Organization Reputation Server unavailability External internet interfaces 5 4 EXTREME DDoS filters enabled on all external interfaces

Benefits The Security Risk Assessment will: Clarify the limits of control Quantify the threat environment Prioritize and justify business decisions Document due diligence

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information