CMGT 442 Information Systems Risk Management – Philip Robbins

Number of slides: 41

CMGT 442 Information Systems Risk Management – Philip Robbins – November 21, 2012 (Week 2) – University of Phoenix, Mililani Campus

Objectives: Week 2
• Review Week 1: Concepts
• LT Activity: Week 1 & Week 2 Article Readings
• Stuxnet
• Week 2: Components of Risk – Risk Assessment (Part 1)
• Quiz #2
• Review Week 2: Questions
• Assignments: IDV & LT Papers
• Review Information Sharing Articles

Review: Information Security Services

Review: Information Assurance Services (IAS)
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Review: NIST SP 800-30

Learning Team Activity
• Activity: Review Week 1 & 2 ‘Article’ Readings
  - 15 minutes: Read Articles
  - 10 minutes: Answer article questions
  - 10 minutes: Present your article to the class
  - Submit for credit.

LT Activity: Week 1 Article Readings
• Barr (2011)
  - What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems?
  - What are the risks associated with disruption of these systems?
• Ledford (2012)
  - What special issues must be considered for corporate data which are not fully digitized?
  - What are the risks associated with the loss of this data?
  - What recovery procedures do you recommend for these situations?

LT Activity: Week 2 Article Readings
• Keston (2008)
  - How important is enterprise identity management for reducing risk throughout the enterprise?
  - Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process.
• Vosevich (2011)
  - What software must be considered to provide adequate security management across the enterprise?

Future Risks
• Weapons in Cyberspace: Are we at war?
• Cyber Crime vs. Cyber Warfare vs. Cyber Conflict


Review: Risk Definition
• What is Risk?
• Units for measurement: Confidentiality, Integrity, Availability
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk
• Risk is conditional, NOT independent.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk
• Expected Value of Risk = Product of Risks
• Risk is never zero: “We can never be 100% confident for protection”
• Risk Dimension (units): confidence in the loss of an ISS (C-I-A) – “Risk Loss Confidence”
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Risk Behavior
• Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
Network Enclave #1 – Network Enclave #2 – Network Enclave #3

Risk Behavior (three slides, result revealed progressively)
• Risk.EV = R1 x R2 x R3
• Risk.EV = LOW x MED x HIGH
• Risk.EV = ? → Risk.EV = HIGH
Network Enclave #1: R1 = LOW; Network Enclave #2: R2 = MED; Network Enclave #3: R3 = HIGH

Risk Behavior: REV & RLC
• Expected Value and Risk Loss Confidence vs. Cumulative Risk Product
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Total Risk
• How do we quantify total risk?
  - Average the risk to each Information Security Service.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Risk Component: Threats
• Rapid growth of Advanced Persistent Threats (APTs)
• Half a million cyber-related incidents in 2012 (Source: US-CERT)
  - Is this a problem?
  - What about vulnerabilities associated with interconnections?
  - How does risk management help deal with APTs?

Risk Component: Vulnerabilities
• What are vulnerabilities? Any flaw or weakness that can be exploited.
  - Poorly communicated or implemented policy
  - Improperly configured systems or controls
  - Inadequately trained personnel

Quantitative Risk Thresholds

Semi-Quantitative Risk Matrix (5 x 5, Impact vs. Likelihood; each cell is banded LOW, MEDIUM, HIGH or SEVERE)
• Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
• Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)

Risk Responses (2 x 2: Severity vs. Frequency)
• High severity, low frequency: Accept / Transfer
• High severity, high frequency: Avoid
• Low severity, low frequency: Accept / Transfer
• Low severity, high frequency: (cell not legible in the extracted slide)

Risk Responses
• Risk Avoidance – Halt or stop the activity causing the risk
• Risk Transference – Transfer the risk (e.g. buy insurance)
• Risk Mitigation – Reduce impact with controls/safeguards
• Risk Acceptance – Understand the consequences and accept the risk
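The matrix, the response quadrants, the "average the risk to each ISS" rule and the enclave-interconnection claim above are easier to reason about when they are written down as a small scoring tool. The block below is an added worked example for this deck, not code from the slides or their author. It uses the deck's own 5-point scales and four responses; everything else is an assumption labelled as such in the code: the band cut-offs on the 1..25 score, the rule that maps a severity/frequency quadrant to a response (including Mitigate for the low-severity/high-frequency cell, which the extracted slide does not show), normalising scores by 25, and modelling the "product of risks" across joined enclaves as 1 − ∏(1 − rᵢ), which rises with every interconnection as the Risk Behavior slides say and yields HIGH for LOW × MED × HIGH.

```python
"""Semi-quantitative risk scoring, response selection and aggregation.

Worked example added to this slide deck; not code from the deck or its
author.  ASSUMPTIONS not stated on the slides: the band cut-offs on the
1..25 score, the quadrant-to-response rule, normalisation by 25, and the
1 - prod(1 - r) rule used to combine interconnected enclaves.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable

# 5-point scales exactly as labelled on the Semi-Quantitative Risk Matrix slide
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}

# Band ceilings on likelihood * impact (ASSUMED; the slide's cell colouring was lost)
BANDS = ((4, "LOW"), (9, "MEDIUM"), (15, "HIGH"), (25, "SEVERE"))


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    service: str  # the ISS it threatens: "C", "I" or "A"

    @property
    def score(self) -> int:
        """Cell value in the 5x5 matrix: likelihood x impact, 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def band(self) -> str:
        return next(label for ceiling, label in BANDS if self.score <= ceiling)


def response(risk: Risk) -> str:
    """Pick one of the four responses from the Risk Responses slides.

    ASSUMED quadrant rule: severity = impact, frequency = likelihood, and
    'high' means >= 4 on the 5-point scale.  High severity + high frequency
    is avoided, high severity alone is transferred (insurance), high
    frequency alone is mitigated with controls, the rest is accepted.
    """
    severe = IMPACT[risk.impact] >= 4
    frequent = LIKELIHOOD[risk.likelihood] >= 4
    if severe and frequent:
        return "Avoid"
    if severe:
        return "Transfer"
    if frequent:
        return "Mitigate"
    return "Accept"


def total_risk(risks: Iterable[Risk]) -> float:
    """Total Risk slide: average the risk to each ISS (C, I, A), then average
    the three.  Scores are normalised to 0..1 by dividing by 25 (ASSUMED);
    a service with no registered risk contributes 0."""
    risks = list(risks)
    per_service = []
    for svc in ("C", "I", "A"):
        scores = [r.score / 25 for r in risks if r.service == svc]
        per_service.append(mean(scores) if scores else 0.0)
    return mean(per_service)


def interconnected_risk(loss_confidences: Iterable[float]) -> float:
    """Risk loss confidence of enclaves that are joined together.

    ASSUMED model: each r_i is the confidence (0..1) that enclave i loses an
    ISS, and joining enclaves means any one loss is a loss for all, so the
    combined figure is 1 - prod(1 - r_i).  It can only grow as enclaves are
    added, which is the behaviour the Risk Behavior slides describe.
    """
    survive = 1.0
    for r in loss_confidences:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"loss confidence out of range: {r}")
        survive *= 1.0 - r
    return 1.0 - survive


# Constructed sample register (not from the deck)
SAMPLE_RISKS = [
    Risk("Phishing of finance staff", "Likely", "Major", "C"),
    Risk("Ransomware on file servers", "Frequent", "Catastrophic", "I"),
    Risk("Typo in a config template", "Unlikely", "Minor", "I"),
    Risk("Fire in the data centre", "Rare", "Catastrophic", "A"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:28} score={r.score:2} band={r.band:6} response={response(r)}")
    print(f"total risk = {total_risk(SAMPLE_RISKS):.2f}")
    # LOW x MED x HIGH enclaves from the slides, taken as 0.1, 0.5, 0.9
    print(f"enclaves 1..3 joined = {interconnected_risk([0.1, 0.5, 0.9]):.3f}")
```

Two things worth noticing when you run it: the fire scenario scores only MEDIUM on the matrix (Rare × Catastrophic = 5) yet lands in the Transfer quadrant, which is exactly the case the severity/frequency view is meant to catch and the pure product hides; and with the enclave figures taken as 0.1, 0.5 and 0.9, joining the first two already gives 0.55 and adding the third gives 0.955, so the combined figure is driven by the weakest enclave, matching the slide's LOW × MED × HIGH = HIGH.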

Information Systems Risk Components
• Let’s recap: What are the components of Information Systems Risk?
  - Threats & Threat Agents
  - Vulnerabilities (Weakness)
  - Controls (Safeguards)
  - Impact
• How is each component important to understanding and managing risk?

Risk Component Relationship
Source: Harris, S. (2010). CISSP All-in-One Exam Guide, fifth edition. McGraw-Hill, New York, NY.


Quiz: Week 1
• 10-15 minutes

Week 2 Review Questions

Question #1: What is the likelihood of a threat taking advantage of a vulnerability called?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure
Answer: A. A risk

Question #2: Which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Threat coupled with a breach of security.
D. Vulnerability coupled with an attack.
Answer: B. Threat coupled with a vulnerability.

Question #3: What can be defined as an event that could cause harm to information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
Answer: B. A threat

Question #4: What is the definition of a security exposure?
A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. Loss potential due to a threat
D. (option not recovered from the slide)
Answer: A. An instance of being exposed to losses from a threat

Question #5: The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a?
A. Threat
B. Exposure
C. Vulnerability
D. Risk
Answer: C. Vulnerability