Building an Information Technology Risk Management Program.


Description
Training for DHHS Information Security Officials and Backup Security Officials ... SP 800-18 Guide for Developing Security Plans for Information Technology Systems ...
Transcripts
Slide 1

Building an Information Technology Risk Management Program. Training for DHHS Information Security Officials and Backup Security Officials.

Slide 2

What this training covers:
- What Risk Management means
- What NIST says you should do
- What ISO 17799 says you should do
- What COBIT says you should do
- What Microsoft says you should do
- What HIPAA says you should do
- What NC ITS says you should do
- What DHHS says you should do
- What you should do, and when to do it

Slide 3

Risk
"Take calculated risks. That is quite different from being rash." – General George S. Patton
"Only those who risk going too far can find out how far they can go." – T.S. Eliot
"Of course you have to go out on a limb sometimes; that's where the fruit is." – Unknown

Slide 4

Information Security is the protection of information against unauthorized access or modification.

Slide 5

What is "Risk"?
Risk is the net mission impact considering both the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact on the organization if this should occur. (NIST)
Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability of an asset. (Microsoft)

Slide 6

What is Risk Management?
The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected.
The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk.

Slide 7

Risk Management is the Keystone of Information Security

Slide 8

Golden and Silver Rules of RM
All risk is owned!
Risk that is not assigned is owned by the organization's Director.

Slide 9

Why are we doing this? Why do we do risk management?
Why does a car have brakes? A car has brakes so it can go fast.
We do risk management so we can take risks. An organization that can exploit opportunities (and the inherent risks) will outlive an organization which can't.

Slide 10

Reactive Risk Management
- Protect human life and people's safety
- Contain the damage
- Assess the damage
- Determine the cause of the damage
- Repair the damage
- Review the response, and update policies

Slide 11

Proactive Risk Management
[Relationship diagram, rendered here as prose: Owners value Assets and wish to minimize Risk, so they impose Controls that reduce Vulnerabilities. Vulnerabilities, which owners may be aware of, may be exploited by Threat Sources; Threat Sources give rise to Threats that increase Risk to the Assets, which they wish to abuse and/or may damage.]

Slide 12

Proactive Risk Management
[Diagram: Owners – Controls – Vulnerabilities – Threat Sources – Risk – Threats – Assets]

Slide 13

What Assets are we Protecting?
- Servers
- Desktop Computers
- Laptops and PDAs
- Switches and Routers
- Application Software
- Development Tools
- Source Code
- VPN Access
- Backup Tapes
- Email
- Data Integrity
- All Files on the Server
- Consumer Information
- Network Infrastructure
- DHCP
- Web Site Availability
- Reputation
- Employee Morale

Slide 14

Proactive Risk Management
[Relationship diagram repeated; see Slide 12]

Slide 15

Protecting From What Threats?
- Human Threats – Carelessness, Shoulder Surfing, User Abuse, Sabotage, Arson, Data Entry Errors, Intentional and Unintentional Procedure Violations
- Technical Threats – Takeover of an authorized session, Intrusion, Keystroke Eavesdropping, System Failure, Saturation of Resources
- Environmental Threats – Fire, Earthquake, Hurricane, Tornado, Cable Cuts, Power Fluctuation, Hazardous Material Accident, Overheating

Slide 16

Proactive Risk Management
[Relationship diagram repeated; see Slide 12]

Slide 17

Threats to What Vulnerabilities?
- Unlocked doors
- Unlocked windows
- Misconfigured systems
- Missing patches
- Antivirus out of date
- Poorly written applications
- Vendor backdoors
- Spyware
- Software configuration
- Systems not monitored
- Unnecessary protocols
- Poorly defined procedures
- Stolen credentials
- Poor password protection
- Poor Disaster Recovery
- Violations not reported

Slide 18

Proactive Risk Management
[Relationship diagram repeated; see Slide 12]

Slide 19

Vulnerabilities Protected by What Security Controls?

Slide 20

Proactive Risk Management
[Full relationship diagram repeated; see Slide 11]

Slide 21

Two Approaches to Risk Assessment
1) Quantitative Risk Assessment
- Value your assets
- Determine the SLE, the Single Loss Expectancy: the total amount lost from a single occurrence of the threat
- Determine the ARO, the Annual Rate of Occurrence: the number of times you expect the threat to occur during one year
- Determine the ALE, the Annual Loss Expectancy: the amount you will lose in one year if the threat is not mitigated
- Determine the ROSI, the Return On Security Investment: (ALE before control) – (ALE after control) – (annual cost of control) = ROSI
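The slide names the four quantities but only spells out the ROSI arithmetic. The following Python is an added worked example, not code from the training deck or from DHHS: it assumes the standard relationships SLE = asset value × exposure factor and ALE = SLE × ARO, applies the slide's ROSI formula, and ranks candidate controls by ROSI. The scenarios, dollar values and rates are constructed sample figures.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and ROSI.

Added illustration (not from the DHHS deck). Assumed formulas:
    SLE  = asset value * exposure factor   (fraction of the asset lost per event)
    ALE  = SLE * ARO                        (expected loss per year)
    ROSI = ALE before control - ALE after control - annual cost of control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair plus one candidate control.

    All figures are constructed samples, not real DHHS data.
    """
    name: str
    asset_value: float
    exposure_factor: float       # fraction of asset value lost per occurrence, uncontrolled
    aro_before: float            # expected occurrences per year, uncontrolled
    aro_after: float             # expected occurrences per year with the control in place
    ef_after: float              # exposure factor with the control in place
    control_annual_cost: float   # yearly cost of running the control


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: what one occurrence of the threat costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss over one year at the given annual rate of occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def rosi(ale_before: float, ale_after: float, control_annual_cost: float) -> float:
    """The deck's formula: (ALE before control) - (ALE after control) - (annual cost)."""
    return ale_before - ale_after - control_annual_cost


def evaluate(s: Scenario) -> dict:
    """Carry one scenario through SLE -> ALE (before and after) -> ROSI."""
    sle_before = single_loss_expectancy(s.asset_value, s.exposure_factor)
    sle_after = single_loss_expectancy(s.asset_value, s.ef_after)
    ale_before = annual_loss_expectancy(sle_before, s.aro_before)
    ale_after = annual_loss_expectancy(sle_after, s.aro_after)
    return {
        "name": s.name,
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": rosi(ale_before, ale_after, s.control_annual_cost),
    }


# Constructed sample scenarios: a control that cuts impact, and one that cuts frequency.
SAMPLE_SCENARIOS = [
    Scenario("Backup tapes lost in transit (control: encrypt tapes)",
             asset_value=200_000, exposure_factor=1.0, aro_before=0.5,
             aro_after=0.5, ef_after=0.05, control_annual_cost=8_000),
    Scenario("Web site outage (control: redundant server)",
             asset_value=50_000, exposure_factor=0.2, aro_before=4.0,
             aro_after=0.5, ef_after=0.2, control_annual_cost=30_000),
]


def rank_by_rosi(scenarios) -> list:
    """Evaluate every scenario and sort so the best-paying control comes first.

    A negative ROSI means the control costs more per year than the loss it avoids.
    """
    return sorted((evaluate(s) for s in scenarios), key=lambda r: r["rosi"], reverse=True)


if __name__ == "__main__":
    for r in rank_by_rosi(SAMPLE_SCENARIOS):
        print(f"{r['name']}: ALE before ${r['ale_before']:,.0f}, "
              f"after ${r['ale_after']:,.0f}, ROSI ${r['rosi']:,.0f}")
```

With the sample figures, encrypting the tapes yields an ALE drop from $100,000 to $5,000 for $8,000 a year (ROSI $87,000), while the redundant server drops ALE from $40,000 to $5,000 for $30,000 a year (ROSI $5,000); the ranking is the point, since management sees both in dollars.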

Slide 22

Two Approaches to Risk Assessment
2) Qualitative Risk Assessment
- Estimate relative values
- Determine what threats each asset may face
- Determine what vulnerabilities those threats may exploit in the future
- Determine controls which will mitigate the risks, and the approximate cost of each control
- Management performs a cost-benefit analysis on the results

Slide 23

Comparing the Two Approaches – the Benefits
Quantitative:
- Risks and assets are prioritized by financial values
- Results facilitate management of risk by Return on Security Investment
- Results expressed in terms management understands ($)
- Accuracy tends to increase over time
Qualitative:
- Enables visibility and understanding of risk ranking
- Easier to reach consensus
- Not necessary to quantify threat frequency or determine the financial value of assets
- Easier to involve people who are not experts on security or computers

Slide 24

Comparing the Two Approaches – the Drawbacks
Quantitative:
- Impact values assigned to risks are based on subjective opinion
- Very time-consuming
- Calculations can be very complex
- Results are presented only in monetary terms, and can be difficult for non-technical people to interpret
- Process requires expertise
Qualitative:
- Insufficient differentiation between important risks
- Difficult to justify investing in control implementation when there is no basis for a cost-benefit analysis
- Results are dependent on the quality of the Risk Management Team that is created

Slide 25

Effective Risk Management
Threats: Malicious attacks, Sabotage, Attempts to access private data, Natural disasters, User error, Fraud, Pranks
Controls: Protecting Data, Applications, LAN and Workstations
Potential Damage: Sensitive data disclosed; Services and assets interrupted; Integrity of data and reports compromised; Assets lost; Public's loss of confidence; Failure to meet contractual obligations; Critical operations halted

Slide 26

Know what to do now?

Slide 27

Who Wants to Help You?

Slide 28

NIST - The National Institute of Standards and Technology
NIST is a non-regulatory Federal agency with the mission of developing and promoting measurement, standards and technology to enhance productivity and improve quality of life.
They invent – an atomic clock; a cement-like substance that promotes bone regrowth.
They develop – software for the 170 VA hospitals; complex computational models.
They set standards – weights and measures, cholesterol testing, and . . . Information Security.

Slide 29

Pertinent NIST Publications
- SP 800-12 An Introduction to Computer Security: The NIST Handbook
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- SP 800-30 Risk Management Guide for Information Technology Systems

Slide 30

NIST Says It's a Management Function
The goal of Risk Management is to protect the organization and its ability to perform its mission.
The focus is the mission, not IT assets.
Risk Management, therefore, is a key management function of the organization.

Slide 31

NIST Says Risk Management has Three Parts
- Risk Assessment - Determining where risks lie, and how big they are
- Risk Mitigation - Prioritizing, evaluating, and implementing appropriate risk-reducing controls
- Evaluation and Assessment – Since Risk Management is continuous and evolving, the previous year's Risk Management efforts should be reviewed and evaluated before beginning the cycle again

Slide 32

Risk Management Process
- What is my risk? – Risk Assessment
- What will I do about it? – Risk Mitigation
- How did I do? – RM Evaluation

Slide 33

National Institute of Standards and Technology SP 800-30
The Ten Steps of Risk Assessment
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Identify Threat-source/Vulnerability Pairs
6. Likelihood Determination
7. Impact Analysis
8. Risk Determination
9. Control Recommendations
10. Results Documentation
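Steps 5 through 8 are where the qualitative approach from Slide 22 becomes a repeatable procedure. The following Python is an added worked example, not code from the deck or from NIST: it takes threat-source/vulnerability pairs with a likelihood and impact rating each, and applies the illustrative scale SP 800-30 uses for its risk-level matrix (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk above 50 is High, above 10 is Medium, otherwise Low). The pairs themselves are constructed samples drawn from the threat and vulnerability lists on Slides 15 and 17.

```python
"""SP 800-30 steps 5-8 as code: pair threat sources with vulnerabilities,
rate likelihood and impact, and determine a risk level for each pair.

Added illustration (not NIST's or the DHHS deck's code). The numeric scale
is the one SP 800-30 uses to illustrate its risk-level matrix.
"""
from dataclasses import dataclass

# Step 6 / Step 7 rating scales from the SP 800-30 risk-level matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class ThreatVulnPair:
    """Step 5: one threat-source/vulnerability pair with its ratings.

    Ratings are constructed sample judgements, the kind a Risk Management
    Committee would record, not DHHS findings.
    """
    threat_source: str
    vulnerability: str
    likelihood: str   # "High", "Medium" or "Low"
    impact: str       # "High", "Medium" or "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 8: risk = likelihood rating x impact rating (range 1 to 100)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} impact={impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the matrix's three bands: >50 High, >10 Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(pairs) -> list:
    """Score every pair and return them highest-risk first (step 8 output,
    ready for step 9, control recommendations)."""
    rows = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        rows.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def pairs_at_or_above(pairs, minimum_level: str) -> list:
    """Filter to the pairs that need a control recommendation, e.g. 'Medium' and up."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [r for r in determine_risks(pairs) if order[r["level"]] >= order[minimum_level]]


# Constructed sample pairs, built from the deck's own threat and vulnerability lists.
SAMPLE_PAIRS = [
    ThreatVulnPair("Former employee", "Terminated staff accounts not removed", "High", "High"),
    ThreatVulnPair("Hurricane", "No off-site copy of backup tapes", "Low", "High"),
    ThreatVulnPair("Internet malware", "Missing patches on servers", "Medium", "Medium"),
    ThreatVulnPair("Careless user", "Poor password protection", "High", "Low"),
    ThreatVulnPair("Unauthorized insider", "Unnecessary protocols enabled", "Medium", "High"),
]


if __name__ == "__main__":
    for r in determine_risks(SAMPLE_PAIRS):
        print(f"{r['level']:6} {r['score']:5.1f}  {r['threat_source']} -> {r['vulnerability']}")
```

Note how the matrix behaves at its edges: a High likelihood with Low impact and a Low likelihood with High impact both score 10 and land in the Low band, while Medium likelihood against High impact scores exactly 50 and is Medium, not High. Those boundary cases are exactly where the qualitative approach's weakness on Slide 24 (insufficient differentiation between important risks) shows up, so the committee should review Medium-band pairs rather than accept the band at face value.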

Slide 34

Risk Management Process
- What is my risk? – Risk Assessment
- What will I do about it? – Risk Mitigation

Slide 35

Risk Mitigation
Risk Mitigation is the process of identifying areas of risk that are unacceptable, and evaluating countermeasures, costs and resources to be implemented as a measure to reduce the level of risk.
Determining "appropriate risk-reducing controls" is a job for your Risk Management Committee.

Slide 36

What is "Acceptable" Risk?
Setting your organization's "risk appetite" is up to your Director and Senior Management.
Because elimination of all risk is impossible, we must use the least-cost approach and implem
