Friday, August 23, 2013

Risk Management

RISK MANAGEMENT: IDENTIFYING AND ASSESSING RISK

Learning Objectives:

Upon completion of this chapter you should be able to:
– Define risk management and its role in the SecSDLC
– Understand how risk is identified
– Assess risk based on the likelihood of occurrence and impact on an organization
– Grasp the fundamental aspects of documenting risk identification and assessment.

Risk Management:
- If you know the enemy and know yourself, you need not fear the result of a hundred battles.
- If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
- If you know neither the enemy nor yourself, you will succumb in every battle.

Know Ourselves:
- First, we must identify, examine, and understand the information and systems currently in place.
- In order to protect our assets, defined here as the information and the systems that use, store, and transmit it, we have to understand everything about that information.
- Once we have examined these aspects, we can then look at what we are already doing to protect the information and systems from the threats.

Know the Enemy:
- For information security this means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization's information assets.
- We then can use our understanding of these aspects to create a list of threats prioritized by importance to the organization.

Accountability for Risk Management:
- It is the responsibility of each community of interest to manage risks; each community has a role to play:
– Information Security – best understands the threats and attacks that introduce risk into the organization
– Management and Users – play a part in the early detection and response process; they also ensure sufficient resources are allocated
– Information Technology – must assist in building secure systems and operating them safely.

Accountability for Risk Management (continued):
- All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost effective
– Assist in acquiring or installing needed controls
– Ensure that the controls remain effective.

Risk Management Process:
- Management reviews the asset inventory.
- The threats and vulnerabilities that have been identified as dangerous to the asset inventory must be reviewed and verified as complete and current.
- The potential controls and mitigation strategies should be reviewed for completeness.
- The cost effectiveness of each control should be reviewed as well, and the decisions about deployment of controls revisited.

Risk Identification:
- A risk management strategy calls on us to "know ourselves" by identifying, classifying, and prioritizing the organization's information assets.
- These assets are the targets of various threats and threat agents, and our goal is to protect them from these threats.
- Next comes threat identification:
– Assess the circumstances and setting of each information asset
– Identify the vulnerabilities and begin exploring the controls that might be used to manage the risks.

Asset Identification and Valuation:
- This iterative process begins with the identification of assets, including all of the elements of an organization's system: people, procedures, data and information, software, hardware, and networking elements.
- Then we classify and categorize the assets, adding details as we dig deeper into the analysis.
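The identify, classify and prioritize steps described under Risk Identification and Asset Identification and Valuation can be made concrete with a small asset register. The following is an added example, not code from the original post or its source textbook: the six asset categories come from the post, while the register entries, the three valuation criteria and their weights are constructed assumptions chosen only to show how a weighted valuation turns an unordered inventory into a prioritized list.

```python
"""Asset register with classification and weighted prioritization (added example).

Assumptions (not from the post): the valuation criteria, their weights, and the
sample assets below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Asset categories named in the post.
CATEGORIES = {"people", "procedures", "data", "software", "hardware", "networking"}

# Assumed valuation criteria; each weight is the share of the total score it
# contributes, so the weights must sum to 1.0.
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 0.4,
    "impact_to_profitability": 0.3,
    "impact_to_public_image": 0.3,
}
assert abs(sum(CRITERIA_WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"


@dataclass
class Asset:
    name: str
    category: str
    # Owner-assigned score from 0 to 100 for each criterion in CRITERIA_WEIGHTS.
    scores: dict = field(default_factory=dict)

    def __post_init__(self):
        # Classification step: every asset must fall into a known category.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown asset category: {self.category!r}")
        for criterion, value in self.scores.items():
            if not 0 <= value <= 100:
                raise ValueError(f"{self.name}: score for {criterion} out of range")


def weighted_score(asset: Asset) -> float:
    """Weighted-factor valuation: sum of (weight x criterion score), 0..100."""
    missing = set(CRITERIA_WEIGHTS) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: missing scores for {sorted(missing)}")
    return round(sum(w * asset.scores[c] for c, w in CRITERIA_WEIGHTS.items()), 2)


def classify(assets: list) -> dict:
    """Group asset names by category (the classify-and-categorize step)."""
    groups = {c: [] for c in sorted(CATEGORIES)}
    for asset in assets:
        groups[asset.category].append(asset.name)
    return groups


def prioritize(assets: list) -> list:
    """Return (score, asset) pairs ordered from most to least important.

    Ties are broken by name so the ordering is deterministic.
    """
    scored = [(weighted_score(a), a) for a in assets]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1].name))


# Constructed sample register covering every category named in the post.
SAMPLE_ASSETS = [
    Asset("customer order database", "data",
          {"impact_to_revenue": 100, "impact_to_profitability": 100, "impact_to_public_image": 100}),
    Asset("edge router", "networking",
          {"impact_to_revenue": 90, "impact_to_profitability": 70, "impact_to_public_image": 40}),
    Asset("payroll application", "software",
          {"impact_to_revenue": 30, "impact_to_profitability": 80, "impact_to_public_image": 60}),
    Asset("helpdesk staff", "people",
          {"impact_to_revenue": 20, "impact_to_profitability": 20, "impact_to_public_image": 50}),
    Asset("backup procedure", "procedures",
          {"impact_to_revenue": 50, "impact_to_profitability": 50, "impact_to_public_image": 30}),
    Asset("web server hardware", "hardware",
          {"impact_to_revenue": 80, "impact_to_profitability": 60, "impact_to_public_image": 70}),
]


if __name__ == "__main__":
    for category, names in classify(SAMPLE_ASSETS).items():
        print(f"{category:<11} {', '.join(names) or '-'}")
    print()
    for score, asset in prioritize(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {asset.name} ({asset.category})")
```

The output of `prioritize` is the prioritized asset list the post refers to; the threat identification step that follows would then be carried out per asset, starting from the top of that list. Changing the weights or scores changes the ordering, which is why the post calls the process iterative.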

