Daftar Isi
Latar belakang
Summary
Satrio Yudho
Pendahuluan
Satrio Yudho
Satrio Yudho
Satrio Yudho
Risk Asessment
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood determination
Impact Analysis.
Risk Determination
Control recommendations
Result Documentation.
Satrio Yudho
Risk Asessment
Satrio Yudho
Risk Asessment
System Characterization
Hardware
Software
System interface ( internal and external connectivity)
Satrio Yudho
Risk Assesment
System mission
Satrio Yudho
Risk Asessment
Flow of Information
Satrio Yudho
10
Risk Asessment
Satrio Yudho
11
Risk Asessment
Threat Identification
Natural Threats.
Human Threats
Evironmental Threats
Satrio Yudho
12
Risk Asessment
Satrio Yudho
13
Risk Asessments
Satrio Yudho
14
Risk Asessments
Satrio Yudho
15
Risk Asessments
Vulnerability identification
Satrio Yudho
16
Risk Asessments
Vulnerability identification
Satrio Yudho
17
Risk Asessments
Vulnerability identification
Satrio Yudho
18
Risk Asessments
Vulnerability resource
Vulnerability list
Satrio Yudho
19
Risk Asessments
Management
Operational
Technical
Satrio Yudho
20
Security Criteria
Satrio Yudho
21
Security Criteria
Satrio Yudho
22
Security Criteria
Satrio Yudho
23
Risk Asessment
Satrio Yudho
24
Risk Asessments
Likelihood determination
Satrio Yudho
25
Risk Asessments
Satrio Yudho
26
Risk Asessments
Satrio Yudho
27
Risk Asessments
Risk Level
Satrio Yudho
28
Risk Asessments
Control recommendation
Organizational policy
Operational impact
Satrio Yudho
29
Risk Asessment
Risk Assumption. To accept the potential risk and continue operating the IT
system or to implement controls to lower the risk to an acceptable level
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or
consequence (e.g., forgo certain functions of the system or shut down the
system when risks are identified)
Risk Limitation. To limit the risk by implementing controls that minimize the
adverse impact of a threats exercising a vulnerability (e.g., use of
supporting, preventive, detective controls)
Risk Planning. To manage risk by developing a risk mitigation plan that
prioritizes, implements, and maintains controls
Satrio Yudho
30
Risk Asessments
Satrio Yudho
31
Risk Asessments
Support
Prevent
Satrio Yudho
32
Risk Asessments
Identification.
Security Administration.
System Protections.
Authentication
Authorization.
Nonrepudiation.
Satrio Yudho
33
Risk Asessments
Protected Communications
Transaction Privacy
Audit.
Proof of Wholeness.
Satrio Yudho
34
Risk Asessments
Satrio Yudho
35
Risk Asessments
Satrio Yudho
36
Risk Asessments
Control data media access and disposal (e.g., physical access control,
degaussing method)
Control software viruses
Safeguard computing facility (e.g., security guards, site procedures for
visitors, electronic badge system, biometrics access control, management
and distribution of locks and keys, barriers and fences)
Secure wiring closets that house hubs and cables
Provide backup capability (e.g., procedures for regular data and system
backups, archive logs that save all database changes to be used in various
recovery scenarios)
Satrio Yudho
37
Risk Asessments
Satrio Yudho
38
Summary
Satrio Yudho
39