Establishing an Information Technology Risk Management Program


Description
Establishing an Information Technology Risk Management Program. Training for DHHS Information Security Officials and Backup Security Officials. The training covers what Risk Management means, what NIST says you should do, and what ISO 17799 says you should do.
Transcripts
Slide 1

Establishing an Information Technology Risk Management Program: Training for DHHS Information Security Officials and Backup Security Officials

Slide 2

What this training covers:
- What Risk Management means
- What NIST says you should do
- What ISO 17799 says you should do
- What COBIT says you should do
- What Microsoft says you should do
- What HIPAA says you should do
- What NC ITS says you should do
- What DHHS says you should do
- What you should do, and when to do it

Slide 3

Risk
"Take calculated risks. That is quite different from being rash." General George S. Patton
"Only those who will risk going too far can possibly find out how far one can go." T.S. Eliot
"Of course you have to go out on a limb sometimes; that's where the fruit is." Unknown

Slide 4

Information Security is the protection of information against unauthorized access or modification.

Slide 5

What is "Risk"?
Risk is the net mission impact, considering both the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact on the organization if this should occur. (NIST)
Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability of an asset. (Microsoft)

Slide 6

What is Risk Management?
The total process of identifying, controlling, and minimizing information-system-related risks to a level commensurate with the value of the assets protected.
The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk.

Slide 7

Risk Management is the Keystone of Information Security

Slide 8

Golden and Silver Rules of RM
All risk is owned!
Risk that is not assigned is owned by the organization's Director.

Slide 9

Why are we doing this?
Why do we do risk management? Why does a car have brakes?
A car has brakes so it can go fast. We do risk management so we can take risks.
An organization that can take advantage of opportunities (and the inherent risks) will outlive an organization that can't.

Slide 10

Reactive Risk Management
- Protect human life and people's safety
- Contain the damage
- Assess the damage
- Determine the cause of the damage
- Repair the damage
- Review the response, and update policies

Slide 11

Proactive Risk Management (relationship diagram)
- Owners value Assets and wish to minimize Risk
- Owners impose Controls to reduce Risk
- Controls may have Vulnerabilities that reduce their effectiveness
- Threat Sources may be aware of Vulnerabilities and give rise to Threats
- Threats exploit Vulnerabilities, leading to Risk and increasing it
- Risk is to Assets, which Threat Sources wish to abuse and/or may damage

Slide 12

Proactive Risk Management (diagram: Owners, Controls, Vulnerabilities, Threat Sources, Risk, Threats, Assets)

Slide 13

What Assets are we Protecting?
Servers; Desktop Computers; Laptops and PDAs; Switches and Routers; Application Software; Development Tools; Source Code; VPN Access; Backup Tapes; Email; Data Integrity; All Files on the Server; Consumer Information; Network Infrastructure; DHCP; Web Site Availability; Reputation; Employee Morale

Slide 14

Proactive Risk Management (same diagram, highlighting Assets)

Slide 15

Protecting From What Threats?
Human Threats – Carelessness, Shoulder Surfing, User Abuse, Sabotage, Arson, Data Entry Errors, Intentional and Unintentional Procedure Violations
Technical Threats – Takeover of an authorized session, Intrusion, Keystroke Eavesdropping, System Failure, Saturation of Resources
Environmental Threats – Fire, Earthquake, Hurricane, Tornado, Cable Cuts, Power Fluctuation, Hazardous Material Accident, Overheating

Slide 16

Proactive Risk Management (same diagram, highlighting Threats and Threat Sources)

Slide 17

Threats to What Vulnerabilities?
Unlocked doors; Unlocked windows; Misconfigured systems; Missing patches; Antivirus out of date; Poorly written applications; Vendor back doors; Spyware; Software configuration; Systems not monitored; Unnecessary protocols; Poorly defined procedures; Stolen credentials; Poor password protection; Poor Disaster Recovery; Violations not reported

Slide 18

Proactive Risk Management (same diagram, highlighting Vulnerabilities)

Slide 19

Vulnerabilities Protected by What Security Controls?

Slide 20

Proactive Risk Management (relationship diagram, repeated)
- Owners value Assets and wish to minimize Risk
- Owners impose Controls to reduce Risk
- Controls may have Vulnerabilities that reduce their effectiveness
- Threat Sources may be aware of Vulnerabilities and give rise to Threats
- Threats exploit Vulnerabilities, leading to Risk and increasing it
- Risk is to Assets, which Threat Sources wish to abuse and/or may damage

Slide 21

Two Approaches to Risk Assessment
1) Quantitative Risk Assessment
- Value your assets
- Determine the SLE, Single Loss Expectancy: the total amount lost from a single occurrence of the risk
- Determine the ARO, Annual Rate of Occurrence: the number of times you expect the risk to occur during one year
- Determine the ALE, Annual Loss Expectancy: the amount you will lose in one year if the risk is not mitigated (ALE = SLE × ARO)
- Determine the ROSI, Return On Security Investment: (ALE before control) – (ALE after control) – (annual cost of control) = ROSI

Slide 22

Two Approaches to Risk Assessment
2) Qualitative Risk Assessment
- Estimate relative values
- Determine what threats each asset might face
- Determine what vulnerabilities those threats might exploit in the future
- Determine controls that will mitigate the threats, and the approximate cost of each control
- Management performs a cost-benefit analysis on the results
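The two approaches on slides 21 and 22, worked through in code. This is an added example, not part of the training deck: the quantitative half applies the SLE/ARO/ALE/ROSI arithmetic exactly as slide 21 states it (using the standard ALE = SLE × ARO relationship, which the slide lists as quantities but does not write as a formula), and the qualitative half ranks threat/vulnerability pairs with a likelihood-by-impact scale modeled on the matrix in NIST SP 800-30 (the numeric scale and thresholds are assumed here; SP 800-30's own scale is 0.1/0.5/1.0 for likelihood and 10/50/100 for impact, multiplied by 10 below to stay in integers). Every asset value, exposure factor, rate and control cost is constructed for illustration.

```python
"""Worked example of quantitative (SLE/ARO/ALE/ROSI) and qualitative
(likelihood x impact) risk assessment.  All figures are constructed."""
from dataclasses import dataclass


# ---- Quantitative: slide 21 -------------------------------------------------

@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float      # dollar value of the asset (plus any breach cost)
    exposure_factor: float  # fraction of that value lost per occurrence, 0..1
    aro: float              # Annual Rate of Occurrence: expected events per year


def sle(r: QuantRisk) -> float:
    """Single Loss Expectancy: dollars lost from one occurrence."""
    return r.asset_value * r.exposure_factor


def ale(r: QuantRisk) -> float:
    """Annual Loss Expectancy: expected loss per year if unmitigated."""
    return sle(r) * r.aro


def rosi(before: QuantRisk, after: QuantRisk, annual_control_cost: float) -> float:
    """Return On Security Investment, as slide 21 defines it:
    (ALE before control) - (ALE after control) - (annual cost of control)."""
    return ale(before) - ale(after) - annual_control_cost


# Constructed scenario 1: laptop holding consumer information is stolen.
# Before full-disk encryption the whole asset (hardware + breach cost) is lost.
LAPTOP_BEFORE = QuantRisk("laptop theft, unencrypted", 250_000.0, 1.0, 2.0)
# After encryption only the hardware is lost; thefts still happen twice a year.
LAPTOP_AFTER = QuantRisk("laptop theft, encrypted", 250_000.0, 0.02, 2.0)
ENCRYPTION_COST_PER_YEAR = 30_000.0

# Constructed scenario 2: a control that costs more than the risk it removes.
DEFACE_BEFORE = QuantRisk("web site defacement", 20_000.0, 0.5, 0.5)
DEFACE_AFTER = QuantRisk("web site defacement, with WAF", 20_000.0, 0.5, 0.1)
WAF_COST_PER_YEAR = 8_000.0


def control_is_justified(before: QuantRisk, after: QuantRisk, cost: float) -> bool:
    """Least-cost rule: spend on the control only when ROSI is positive."""
    return rosi(before, after, cost) > 0


# ---- Qualitative: slide 22 --------------------------------------------------

# SP 800-30 style scale (assumed), scaled by 10 to keep integer arithmetic.
LIKELIHOOD = {"Low": 1, "Medium": 5, "High": 10}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to High, Medium or Low, using the
    SP 800-30 thresholds (>50 High, >10 Medium, else Low) scaled by 10."""
    score = risk_score(likelihood, impact)
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


# Constructed qualitative register: (threat -> vulnerability/asset, likelihood, impact).
QUAL_REGISTER = [
    ("stolen credentials -> consumer information", "High", "High"),
    ("missing patches -> servers", "Medium", "High"),
    ("power fluctuation -> DHCP", "Medium", "Low"),
    ("shoulder surfing -> email", "Low", "Medium"),
]


def rank_qualitative(register):
    """Return [(name, level, score)] sorted highest risk first, so the
    committee sees the ranking rather than dollar figures."""
    ranked = [(n, risk_level(l, i), risk_score(l, i)) for n, l, i in register]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for before, after, cost in ((LAPTOP_BEFORE, LAPTOP_AFTER, ENCRYPTION_COST_PER_YEAR),
                                (DEFACE_BEFORE, DEFACE_AFTER, WAF_COST_PER_YEAR)):
        print(f"{before.name}: ALE ${ale(before):,.0f} -> ${ale(after):,.0f}, "
              f"ROSI ${rosi(before, after, cost):,.0f}, "
              f"justified={control_is_justified(before, after, cost)}")
    for name, level, score in rank_qualitative(QUAL_REGISTER):
        print(f"{level:6} ({score:4}) {name}")
```

The second quantitative scenario is the caveat a reviewer will raise: a control with a negative ROSI (the WAF costs $8,000 a year to remove $4,000 of expected loss) fails the least-cost test even though it "reduces risk", and the qualitative ranking shows why management often prefers that form: it orders the register without anyone having to agree on a dollar value for consumer data.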

Slide 23

Comparing the Two Approaches – the Benefits
Quantitative:
- Risks and assets are prioritized by financial values
- Results facilitate management of risk by Return on Security Investment
- Results are expressed in terms management understands ($)
- Accuracy tends to increase over time
Qualitative:
- Enables visibility and understanding of risk ranking
- Easier to reach consensus
- Not necessary to quantify threat frequency or determine the financial value of assets
- Easier to involve people who are not experts on security or computers

Slide 24

Comparing the Two Approaches – the Drawbacks
Quantitative:
- Impact values assigned to risks are based on subjective opinion
- Very time consuming
- Calculations can be very complex
- Results are presented only in monetary terms, and can be difficult for non-technical people to interpret
- The process requires expertise
Qualitative:
- Insufficient differentiation between important risks
- Difficult to justify investing in control implementation when there is no basis for a cost-benefit analysis
- Results depend on the quality of the Risk Management Team that is assembled

Slide 25

Effective Risk Management
Threats: Malicious attacks; Sabotage; Attempts to access private information; Natural disasters; User error; Fraud; Pranks
Controls: Protecting Data, Applications, LAN and Workstations
Potential Damage: Sensitive information disclosed; Services and benefits interrupted; Integrity of data and reports compromised; Assets lost; Public's loss of confidence; Failure to meet legal obligations; Critical operations halted

Slide 26

Know what to do now?

Slide 27

Who Wants to Help You?

Slide 28

NIST - The National Institute of Standards and Technology
NIST is a non-regulatory Federal agency with the mission of developing and promoting measurement, standards and technology to enhance productivity and improve quality of life.
They invent – an atomic clock; a cement-like substance that promotes bone regrowth.
They develop – software for the 170 VA hospitals; complex computational models.
They set standards – weights and measures, cholesterol testing, and . . . Information Security.

Slide 29

Pertinent NIST Publications
- SP 800-12 An Introduction to Computer Security: The NIST Handbook
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- SP 800-30 Risk Management Guide for Information Technology Systems

Slide 30

NIST Says It's a Management Function
The goal of Risk Management is to protect the organization and its ability to perform its mission.
The focus is the mission, not IT assets.
Risk Management, therefore, is an essential management function of the organization.

Slide 31

NIST Says Risk Management has Three Parts
Risk Assessment - Determining where risks lie, and how big they are
Risk Mitigation - Prioritizing, evaluating, and implementing appropriate risk-reducing controls
Evaluation and Assessment - Since Risk Management is continuous and evolving, the previous year's Risk Management efforts should be reviewed and evaluated before beginning the cycle again

Slide 32

Risk Management Process
What is my risk? (Risk Assessment)
What will I do about it? (Risk Mitigation)
How did I do? (RM Evaluation)

Slide 33

National Institute of Standards and Technology SP 800-30: The Ten Steps of Risk Assessment
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Identify Threat-source/Vulnerability Pairs
6. Likelihood Determination
7. Impact Analysis
8. Risk Determination
9. Control Recommendations
10. Results Documentation

Slide 34

Risk Management Process
What is my risk? (Risk Assessment)
What will I do about it? (Risk Mitigation)

Slide 35

Risk Mitigation
Risk Mitigation is the process of identifying areas of risk that are unacceptable, and evaluating the countermeasures, costs and resources to be implemented as a measure to reduce the level of risk.
Determining "appropriate risk-reducing controls" is a job for your Risk Management Committee.

Slide 36

What is "Acceptable" Risk?
Setting your organization's "risk appetite" is up to your Director and Senior Management.
Because elimination of all risk is impractical, we must use the least-cost approach and implem
