“ Once we know our weaknesses, they cease to do us any harm.”
WHAT IS RISK MANAGEMENT?
RISK MANAGEMENT
The process of recognizing risk to an organization’s information assets and infrastructure, as represented by vulnerabilities, and taking efforts to minimize that risk to an acceptable level. It protects against financial losses, reputational damage, and operational disruptions, and it enables informed decision-making and promotes long-term sustainability.
RISK ASSESSMENT
The determination of the extent to which the organization’s information assets are exposed or at risk.
RISK CONTROL
The application of controls to reduce the risks to an organization’s data and information systems.
RISK MANAGEMENT
“You don’t have to be afraid of the outcome of a hundred wars if you know your enemy and yourself. If you know yourself but not your opponent, every victory will be followed by a defeat. You will lose every war if you don’t recognize the adversary or yourself.”
KEY TASK: RISK MANAGEMENT
- Know yourself
- Know the enemy
- The roles of communities of interest
RISK IDENTIFICATION
RISK IDENTIFICATION
PEOPLE, PROCEDURE AND DATA ASSET IDENTIFICATION:
- People: position name/number/ID (avoid names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills.
- Procedures: description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update.
- Data: classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures employed.
RISK IDENTIFICATION
HARDWARE, SOFTWARE AND NETWORK ASSET IDENTIFICATION:
- Name
- IP address
- MAC address
- Element type
- Serial number
- Manufacturer name
- Manufacturer’s model number
- Software version, update revision and FCO numbers
- Physical and logical location
- Controlling entity
RISK IDENTIFICATION
DATA CLASSIFICATION AND MANAGEMENT: a data classification scheme helps secure the confidentiality and integrity of information. The information classifications are as follows:
- Confidential: used for the most sensitive corporate information that must be tightly controlled, even within the company. Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract. Information with this classification may also be referred to as “sensitive” or “proprietary.”
- Internal: used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by corporate employees, authorized contractors, and other third parties.
- External: all information that has been approved by management for public release.
RISK IDENTIFICATION
IDENTIFYING AND PRIORITIZING THREATS: threat assessment is an examination to assess the potential of a threat to endanger the organization.
RISK IDENTIFICATION TECHNIQUES
- Brainstorming sessions
- SWOT analysis
- FMEA (Failure Mode and Effect Analysis)
- Scenario planning
- Security assessment
- Industry best practices and threat intelligence reports
RISK ASSESSMENT
It assigns a risk rating score to each information asset. Likelihood is the probability that a specific vulnerability will be the object of a successful attack.
RISK ASSESSMENT MATRIX
RISK ASSESSMENT MATRIX
Used to assess and prioritize risks based on the likelihood and severity of their consequences. The risk matrix is based on two intersecting factors: the likelihood that the risk event will occur and the potential impact the risk event will have. In other words, it is a tool that helps you visualize the probability versus the severity of a potent
SAMPLE SCENARIO
A data breach occurs on the cloud storage platform used by a retail store, potentially exposing customer payment information (credit card details) and personal data (names, addresses).
DO AN ASSESSMENT
A small accounting firm receives an email that appears to be from a legitimate vendor, requesting an urgent payment information update. An employee, unaware of the phishing attempt, clicks a malicious link in the email, potentially compromising the firm's financial data and exposing client information.
DO AN ASSESSMENT
A company salesperson loses their laptop containing unencrypted customer credit card data while traveling. This data breach could lead to fraudulent charges on customer accounts and significant financial losses for both the company and its customers.
RISK CONTROL STRATEGIES
- DEFEND: attempts to prevent the exploitation of the vulnerability.
- TRANSFER: attempts to shift risk to other assets, other processes, or other organizations.
- MITIGATE: attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
- ACCEPT: the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
- TERMINATE: directs the organization to avoid those business activities that introduce uncontrollable risks.
SLE
A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows:
SLE = asset value × exposure factor (EF)
If a Web site has an estimated value of $1,000,000 (value determined by asset valuation), and a deliberate act of sabotage or vandalism (hacker defacement) scenario indicates that 10 percent of the Web site would be damaged or destroyed after such an attack, then the SLE for this Web site would be $1,000,000 × 0.10 = $100,000.
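The following is an added example, not from the original slides, that puts the risk assessment matrix and the SLE formula together: each scenario gets a likelihood and an impact on an assumed 1-to-5 scale, the matrix score is mapped to an assumed rating band, the SLE is computed as asset value × EF, and the scenarios are ranked. The $1,000,000 / 10 percent web site figures come from the slide; every other value and the band thresholds are assumptions.

```python
from collections import namedtuple

# Added example, not from the original slides. Likelihood and impact use a
# 1 (lowest) to 5 (highest) scale; the rating bands are an assumption.
RATING_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]

def risk_score(likelihood: int, impact: int) -> int:
    """Matrix cell value: likelihood x impact, each on the 1-5 scale."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"scale value {value} outside 1..5")
    return likelihood * impact

def risk_rating(score: int) -> str:
    """Map a matrix score to its qualitative band."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside the 5x5 matrix")

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF), EF being the fraction lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

# One risk scenario: what it is, what the asset is worth, how much of that
# value an incident destroys, and where it sits on the matrix.
Scenario = namedtuple("Scenario", "name asset_value exposure_factor likelihood impact")

def assess(s: Scenario) -> dict:
    """Combine the matrix rating with the SLE for one scenario."""
    score = risk_score(s.likelihood, s.impact)
    return {"name": s.name, "score": score, "rating": risk_rating(score),
            "sle": single_loss_expectancy(s.asset_value, s.exposure_factor)}

def prioritize(scenarios: list) -> list:
    """Rank scenarios by matrix score, then by SLE, highest first."""
    return sorted((assess(s) for s in scenarios),
                  key=lambda r: (r["score"], r["sle"]), reverse=True)

# Constructed sample: the web site figures come from the slide; every other
# value is an assumption chosen for illustration.
SAMPLE = [
    Scenario("Web site defacement", 1_000_000, 0.10, 3, 3),
    Scenario("Lost laptop with unencrypted card data", 250_000, 0.80, 2, 5),
    Scenario("Phishing link clicked by employee", 400_000, 0.25, 5, 4),
    Scenario("DoS on online banking at peak hours", 2_000_000, 0.05, 3, 4),
]
```

Calling prioritize(SAMPLE) returns the scenarios ordered by matrix score, so a treatment decision (defend, transfer, mitigate, accept or terminate) can start from the top of the list.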
APPLY RISK TREATMENT
Hackers launch a DoS attack on Zenith Bank's online banking platform during peak business hours, overwhelming the system and causing an outage. This prevents customers from accessing their accounts and making transactions, and could lead to frustration and potential loss of business.
RISK MANAGEMENT
Residual risk is the risk to the information asset that remains even after the application of controls.
RISK MANAGEMENT PLAN
A comprehensive documentation of your organization’s risk management process for special projects that offer opportunities to grow and reinvent. The purpose of a risk management plan is to help you identify, evaluate and plan for possible risks that may arise within the project management process.
RISK MANAGEMENT PLAN
- Asset identification
- Risk identification
- Project risk assessment
- Risk control
BENEFITS OF RISK MANAGEMENT
- Reduced risk of data breaches and cyber attacks
- Improved compliance
- Enhanced customer trust and confidence
- Improved reputation
- Increased efficiency
- Improved risk assessment and decision-making
- Improved ability to adapt and respond to change