Source: bahan-ajar.esaunggul.ac.id (PPTX slide deck)
The purpose of risk management
Ensure overall business and business assets are safe
Protect against competitive disadvantage
Compliance with laws and best business practices
Maintain a good public reputation
Steps of a risk management plan
Step 1: Identify Risk
Step 2: Assess Risk
Step 3: Control Risk
Steps are similar regardless of context (InfoSec, Physical Security, Financial, etc.)
This presentation will focus on controlling risk within an InfoSec context
Risk Identification
The steps to risk identification are:
• Identify your organization’s information assets
• Classify and categorize said assets into useful groups
• Rank each asset’s necessity to the organization

Below is a simplified example of how a company may identify its assets (the slide’s table, reconstructed):

Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical)
Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low
Cisco UCS B460 M4 Blade Server | Hardware: Networking Server | Database | High
Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical
Windows 7 Operating System | Software | Employee access to enterprise software | Medium
Risk Assessment
The steps to risk assessment are:
• Identify threats and threat agents
• Prioritize threats and threat agents
• Assess vulnerabilities in the current InfoSec plan
• Determine the risk of each threat

R = P * V – M + U
R = Risk
P = Probability of threat attack
V = Value of Information Asset
M = Mitigation by current controls
U = Uncertainty of vulnerability

The table below combines elements of all of these in a highly simplified format (the slide’s table, reconstructed):

Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5)
Disgruntled Insider: Steal company information to sell | Company data (i.e. Customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | 4.16
Fire: Burn the facility down or cause major damage | Company Facility, Personnel, Equipment | Critical | Mishandled equipment | 2.78
Hacktivists: Quality of service deviation | Company Hardware/Software | Low | Lack of effective filtering | 1.39
Risk control
The steps to risk control are:
• Cost-Benefit Analysis (CBA)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annual Loss Expectancy (ALE)
  • Annual Cost of the Safeguard (ASG)
• Feasibility Analysis
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility
• Risk Control Strategy Implementation
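The assessment formula and the cost-benefit step, carried through on a small register as an added illustration (this is not code from the slides or the course). R = P * V – M + U is taken from the assessment slide. The slides only name SLE, ARO, ALE and ASG, so the example assumes the standard textbook expansions: SLE = asset value * exposure factor, ALE = SLE * ARO, CBA = ALE before the safeguard – ALE after the safeguard – ASG. All probabilities, asset values, exposure factors and costs are constructed sample inputs; the slide does not give the inputs behind its 4.16 / 2.78 / 1.39 scores, so those are not reproduced.

```python
"""Risk scoring (R = P * V - M + U) and cost-benefit analysis on a sample register.

Added example, not code from the slides. The CBA expansions below are the
standard textbook definitions, assumed because the slides list only the terms:
    SLE = asset value * exposure factor
    ALE = SLE * ARO
    CBA = ALE(before safeguard) - ALE(after safeguard) - ASG
Every numeric input is a constructed sample value.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of a risk-assessment register."""
    name: str
    asset: str
    probability: float  # P: likelihood the threat agent succeeds (0..1)
    asset_value: float  # V: value of the asset on the slide's 1-5 scale
    mitigation: float   # M: credit for controls already in place
    uncertainty: float  # U: allowance for what the assessor does not know

    def risk(self) -> float:
        """R = P * V - M + U, rounded to two places as the slide presents it."""
        return round(self.probability * self.asset_value
                     - self.mitigation + self.uncertainty, 2)


@dataclass
class Safeguard:
    """A candidate control evaluated with a cost-benefit analysis."""
    name: str
    asset_value: float  # AV, in currency units
    ef_before: float    # exposure factor: fraction of AV lost in one incident
    ef_after: float     # exposure factor once the safeguard is in place
    aro_before: float   # annualized rate of occurrence, incidents per year
    aro_after: float
    annual_cost: float  # ASG: annual cost of the safeguard


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: expected loss from one incident."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy: expected loss per year."""
    return sle(asset_value, exposure_factor) * aro


def cba(s: Safeguard) -> float:
    """Positive means the safeguard saves more per year than it costs."""
    before = ale(s.asset_value, s.ef_before, s.aro_before)
    after = ale(s.asset_value, s.ef_after, s.aro_after)
    return round(before - after - s.annual_cost, 2)


# Constructed register mirroring the three threats on the assessment slide.
SAMPLE_THREATS = [
    Threat("Disgruntled insider", "Customer PII", 0.9, 5.0, 0.5, 0.1),
    Threat("Fire", "Facility, personnel, equipment", 0.4, 5.0, 0.2, 0.1),
    Threat("Hacktivists", "Hardware/software", 0.6, 2.0, 0.3, 0.1),
]

# Constructed safeguards for the two highest-ranked threats (hypothetical figures).
SAMPLE_SAFEGUARDS = [
    Safeguard("Encrypt PII at rest", 2_000_000, 0.5, 0.1, 0.1, 0.1, 50_000),
    Safeguard("Fire suppression system", 500_000, 0.8, 0.2, 0.02, 0.02, 20_000),
]


def rank_threats(threats=SAMPLE_THREATS) -> list[tuple[str, float]]:
    """Assessment output: threats ordered by risk score, highest first."""
    return sorted(((t.name, t.risk()) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def evaluate_safeguards(safeguards=SAMPLE_SAFEGUARDS) -> dict[str, float]:
    """Control input: CBA per safeguard; a negative value is not justified on these inputs."""
    return {s.name: cba(s) for s in safeguards}


if __name__ == "__main__":
    for name, score in rank_threats():
        print(f"{name:<24} R = {score}")
    for name, value in evaluate_safeguards().items():
        verdict = "justified" if value > 0 else "not justified at this cost"
        print(f"{name:<24} CBA = {value:>10,.2f}  ({verdict})")
```

With these inputs the insider threat ranks first (R = 4.1), encrypting PII at rest has a positive CBA (30,000 per year) and the fire suppression system has a negative one (-14,000 per year), which is the signal to revisit its cost or consider a different control strategy rather than adopt it as is. The feasibility checks on the slide (organizational, operational, technical, political) are qualitative and sit outside this arithmetic.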