Anda di halaman 1dari 25

Course : 7183T - IT Risk Management and

Disaster Recovery

Managing Information Security


Risk
Session 3

Contents
Importance of Risk Management
Risk Assessment
Risk Mitigation

Bina Nusantara

Importance of Risk Management


Risk management is the process that allows IT managers to
balance the operational and economic costs of protective
measures and achieve gains in mission capability by protecting the
IT systems and data that support their organizations missions.
This process is not unique to the IT environment; indeed it
pervades decision-making in all areas of our daily lives.
Take the case of home security, for example. Many people decide
to have home security systems installed and pay a monthly fee to
a service provider to have these systems monitored for the better
protection of their property.

Bina Nusantara

Integration Of Risk Management Into SDLC


Effective risk management must be totally integrated
into the SDLC. An IT systems SDLC has five phases:
initiation, development or acquisition, implementation,
operation or maintenance, and disposal.
the risk management methodology is the same
regardless of the SDLC phase for which the assessment
is being conducted.
Risk management is an iterative process that can be
performed during each major phase of the SDLC.

Bina Nusantara

Bina Nusantara

Key Roles
Senior Management. Senior management, under the standard of due care
and ultimate responsibility for mission accomplishment, must ensure that
the necessary resources are effectively applied to develop the capabilities
needed to accomplish the mission. They must also assess and incorporate
results of the risk assessment activity into the decision making process. An
effective risk management program that assesses and mitigates IT-related
mission risks requires the support and involvement of senior management.
Chief Information Officer (CIO). The CIO is responsible for the agencys IT
planning, budgeting, and performance including its information security
components. Decisions made in these areas should be based on an
effective risk management program.
System and Information Owners. The system and information owners
are responsible for ensuring that proper controls are in place to address
integrity, confidentiality, and availability of the IT systems and data they
own. Typically the system and information owners are responsible for
changes to their IT systems. Thus, they usually have to approve and sign
off on changes to their IT systems (e.g., system enhancement, major
changes to the software and hardware). The system and information
owners must therefore understand their role in the risk management
process and fully support this process.
Bina Nusantara

Key Roles
Business and Functional Managers. The managers responsible for business
operations and IT procurement process must take an active role in the risk
management process. These managers are the individuals with the authority and
responsibility for making the trade-off decisions essential to mission
accomplishment. Their involvement in the risk management process enables the
achievement of proper security for the IT systems, which, if managed properly, will
provide mission effectiveness with a minimal expenditure of resources.
ISSO. IT security program managers and computer security officers are responsible
for their organizations security programs, including risk management. Therefore,
they play a leading role in introducing an appropriate, structured methodology to
help identify, evaluate, and minimize risks to the IT systems that support their
organizations missions. ISSOs also act as major consultants in support of senior
management to ensure that this activity takes place on an ongoing basis.
IT Security Practitioners. IT security practitioners (e.g., network, system,
application, and database administrators; computer specialists; security analysts;
security consultants) are responsible for proper implementation of security
requirements in their IT systems. As changes occur in the existing IT system
environment (e.g., expansion in network connectivity, changes to the existing
infrastructure and organizational policies, introduction of new technologies), the IT
security practitioners must support or use the risk management process to identify
and assess new potential risks and implement new security controls as needed to
safeguard their IT systems.
Bina Nusantara

Risk Assessment
Risk is a function of the likelihood of a given threat-sources
exercising a particular potential vulnerability, and the resulting
impact of that adverse event on the organization.

Step
Step
Step
Step
Step
Step
Step
Step
Step

1
2
3
4
5
6
7
8
9

Bina Nusantara

System Characterization (Section 3.1)


Threat Identification (Section 3.2)
Vulnerability Identification (Section 3.3)
Control Analysis (Section 3.4)
Likelihood Determination (Section 3.5)
Impact Analysis (Section 3.6)
Risk Determination (Section 3.7)
Control Recommendations (Section 3.8)
Results Documentation (Section 3.9).

Bina Nusantara

System Characterization
System-Related Information

Hardware
Software
System interfaces (e.g., internal and external connectivity)
Data and information
Persons who support and use the IT system
System mission (e.g., the processes performed by the IT
system)
System and data criticality (e.g., the systems value or
importance to an organization)
System and data sensitivity

Bina Nusantara

Information-Gathering Techniques

Questionnaire
On-site Interviews.
Document Review.
Use of Automated Scanning Tool.

Output from Step 1 Characterization of


the IT system assessed, a good picture of
the IT system environment, and
delineation of system boundary

Bina Nusantara

Threat Identification
Threat-Source Identification: The goal of this step is
to identify the potential threat-sources and compile a
threat statement listing potential threat-sources that
are applicable to the IT system being evaluated.
Motivation and the resources for carrying out an attack
make humans potentially dangerous threat-sources.
This information will be useful to organizations studying
their human threat environments and customizing their
human threat statements.

Bina Nusantara

Bina Nusantara

Vulnerability Identification
Vulnerability: A flaw or weakness in system
security procedures, design, implementation, or
internal controls that could be exercised
(accidentally triggered or intentionally exploited)
and result in a security breach or a violation of the
systems security policy.
Output from Step 3 A list of the system
vulnerabilities (observations)7 that could be
exercised by the potential threat-sources

Bina Nusantara

Control Analysis
The goal of this step is to analyze the controls that have
been implemented, or are planned for implementation, by
the organization to minimize or eliminate the likelihood (or
probability) of a threats exercising a system vulnerability.
Output from Step 4List of current or planned
controls used for the IT system to mitigate the
likelihood of a vulnerabilitys being exercised and
reduce the impact of such an adverse event

Bina Nusantara

Likelihood Determination

Output from Step 5 Likelihood rating (High,


Medium, Low)

Bina Nusantara

Impact Analysis
The next major step in measuring level of risk is to
determine the adverse impact resulting from a
successful threat exercise of a vulnerability.
Before beginning the impact analysis, it is necessary
to obtain the following necessary information as
discussed in Section 3.1.1:
System mission (e.g., the processes performed by the IT
system)
System and data criticality (e.g., the systems value or
importance to an organization)
System and data sensitivity.

Bina Nusantara

Impact Analysis
Loss of Integrity. System and data integrity refers to the requirement that
information be protected from improper modification. Integrity is lost if
unauthorized changes are made to the data or IT system by either
intentional or accidental acts. If the loss of system or data integrity is not
corrected, continued use of the contaminated system or corrupted data
could result in inaccuracy, fraud, or erroneous decisions. Also, violation of
integrity may be the first step in a successful attack against system
availability or confidentiality. For all these reasons, loss of integrity reduces
the assurance of an IT system.
Loss of Availability. If a mission-critical IT system is unavailable to its end
users, the organizations mission may be affected. Loss of system
functionality and operational effectiveness, for example, may result in loss of
productive time, thus impeding the end users performance of their
functions in supporting the organizations mission.
Loss of Confidentiality. System and data confidentiality refers to the
protection of information from unauthorized disclosure. The impact of
unauthorized disclosure of confidential information can range from the
jeopardizing of national security to the disclosure of Privacy Act data.
Unauthorized, unanticipated, or unintentional disclosure could result in loss
of public confidence, embarrassment, or legal action against the
organization.
Bina Nusantara

Quantitative versus Qualitative Assessment


The main advantage of the qualitative impact analysis is that it
prioritizes the risks and identifies areas for immediate improvement in
addressing the vulnerabilities.
The disadvantage of the qualitative analysis is that it does not
provide specific quantifiable measurements of the magnitude of the
impacts, therefore making a cost-benefit analysis of any recommended
controls difficult.
The major advantage of a quantitative impact analysis is that it
provides a measurement of the impacts magnitude, which can be used in
the cost-benefit analysis of recommended controls.
The disadvantage is that, depending on the numerical ranges used to
express the measurement, the meaning of the quantitative impact
analysis may be unclear, requiring the result to be interpreted in a
qualitative manner. Additional factors often must be considered to
determine the magnitude of impact.

Bina Nusantara

Matrix & Description of Risk Level

Bina Nusantara

Control Recommendations
During this step of the process, controls that could mitigate or
eliminate the identified risks, as appropriate to the organizations
operations, are provided. The goal of the recommended controls
is to reduce the level of risk to the IT system and its data to an
acceptable level.
The following factors should be considered in recommending
controls and alternative solutions to minimize or eliminate
identified risks:

Effectiveness of recommended options (e.g., system compatibility)


Legislation and regulation
Organizational policy
Operational impact
Safety and reliability.

Bina Nusantara

Risk Mitigation
Risk mitigation, the second process of risk
management, involves prioritizing, evaluating, and
implementing the appropriate risk-reducing controls
recommended from the risk assessment process.
Because the elimination of all risk is usually
impractical or close to impossible, it is the
responsibility of senior management and functional
and business managers to use the least-cost
approach and implement the most appropriate
controls to decrease mission risk to an acceptable
level, with minimal adverse impact on the
organizations resources and mission.
Bina Nusantara

Risk mitigation
Risk Assumption. To accept the potential risk and continue operating
the IT system or to implement controls to lower the risk to an
acceptable level
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or
consequence (e.g., forgo certain functions of the system or shut down
the system when risks are identified)
Risk Limitation. To limit the risk by implementing controls that
minimize the adverse impact of a threats exercising a vulnerability
(e.g., use of supporting, preventive, detective controls)
Risk Planning. To manage risk by developing a risk mitigation plan
that prioritizes, implements, and maintains controls
Research and Acknowledgment. To lower the risk of loss by
acknowledging the vulnerability or flaw and researching controls to
correct the vulnerability
Risk Transference. To transfer the risk by using other options to
compensate for the loss, such as purchasing insurance.

Bina Nusantara

Risk Mitigation Strategy

Bina Nusantara