Risk Management on IS

P L Pradhan

Abstract: Risk management is the process of identifying vulnerabilities and threats to an organization's infor or IT infrastructures in achieving business objectives and deciding what counter measures, if any, reducing the level of countermeasures and deciding which, if any, to take in reducing risk to an ap acceptable level, based on the value of the information resource to the organization. A summary is shown in the following equation:

Total Risk = Threats x Vulnerability x Asset Value

Generally, risk can be transferred, rejected, reduced or accepted at the high, medium and low risk levels.

• Security risks start when the power is turned on. At that point, security risks commence. The o with those security risks is via risk management
• Risks can be identified & reduced, but never eliminated
• No matter how secure you make a system, it can always be broken into given sufficient resourc motivation and money
• People are usually cheaper & easier to compromise than advanced technological safeguards

Risk Management Nomenclature

• Annualized loss expectancy (ALE) – Single loss expectancy x annualized rate of occurrence = ALE
• Annualized rate of occurrence (ARO) – On an annualized basis, the frequency with which a threat is expected to occur
• Exposure factor – A measure of the magnitude of loss or impact on the value of an asset
• Probability – Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value should the event occur
• Threat – An event, the occurrence of which could have an undesired impact
• Safeguard – Risk-reducing measure that acts to detect, prevent or minimize loss associated with the occ specified threat or category of threats
• Vulnerability – The absence or weakness of a risk-reducing safeguard

Risk Assessment

• Since you can't protect yourself if you do not know what you are protecting against, a risk asse performed
• A risk assessment answers 3 fundamental questions:
  – Identify assets - What am I trying to protect?
  – Identify threats - What do I need to protect against?
  – Calculating risks - How much time, effort & money am I willing to expend to obtain adequa
• After risks are determined, you can then develop the policies & procedures needed to reduce t

Identifying Assets

• Tangibles
  – Computers, communications equipment, wiring
  – Data
  – Software
  – Audit records, books, documents
• Intangibles
  – Privacy
  – Employee safety & health
  – Passwords
  – Image & reputation
  – Availability
  – Employee morale

Identifying Threats

– Earthquake, flood, hurricane, lightning
– Structural failure, asbestos
– Utility loss, i.e., water, power, telecommunications
– Theft of hardware, software, data
– Terrorists, both political and information
– Software bugs, viruses, malicious code, SPAM, mail bombs
– Strikes, labor & union problems
– Hackers, internal/external
– Inflammatory usenet, Internet & web postings
– Employee illness, death
– Outbreak, epidemic, pandemic

Calculating (quantifying) Risks

• This is the hard part. Insurance & historical records may help, but your actuary is your best frie
  – How much damage did Kevin Mitnick do?
    Estimates range from $500,000 to $120,000,000
• Review the risks
  – Lists should be regularly updated
  – Small changes in operations or corporate structure can have significant risk implications
  – Changes such as location, vendor, M&A, etc., must be included in the risk factor

Cost/benefit Analysis

• Cost of a loss
  – Often hard to determine accurately
• Cost of prevention
  – Long term/short term
• Adding up the numbers
  – Output of an Excel spreadsheet listing assets, risks & possible losses
  – For each loss, know its probability, predicted loss & amount of money needed to defend against the loss

Security Awareness

• Must be driven from the top down
• Must be comprehensive, all the way down to the floppy & hard copies
• Education
  – Hard copies
  – Web-based
  – Training & education

Security Management Planning

• But most importantly, to be successful in selling security you must know your company's or clie
• Know what is important
  – Each industry has differing priorities

Security management planning I

• Identify costs
  – Initial investment
  – Ongoing costs
• Identify benefits
  – Help Desk reduction
  – Common data locations
  – Reduced Remote Access costs
  – Improved Business Partner access
  – Enhanced public perception
  – Ernst & Young Cyberprocess Certification

Security management planning II

• Identify potential losses if security is not properly implemented
  – Trade secrets
  – Confidential information
  – Personal e-mail
  – Adverse publicity
  – Viruses, worms, malicious Java and ActiveX applications
  – Denial of service
  – Hard drive reformats, router reconfigurations
  – M&A financials
  – Hacked web pages
  – Breach of Human Resources information

Security management planning III

Management Procrastination

Four primary reasons why the decision maker typically procrastinates in deciding whether to alloc commence the initiative:

• Unable to understand or quantify security threats and technical vulnerabilities. This results in b paralysis.
• Unable to measure (through quantitative or qualitative analysis) the severity and probability of ri
• Begins the analysis with a preconceived notion that the cost of controls will be excessive or that the technology does not exist.
• Believes that the security solution will interfere with the performance or appearance of the busin

Benefits:

Minimize the risk factor to the minimum level. Therefore, we are able to safeguard or protect the IS infrastructure/assets (Data, Hardware, So from intruders, hackers and external vendors or contractors. The risk management & assessment method to ensure and achieve protection, data integrity, ef efficiencies must be designed and implemented as per the requirements of the business objectives of an organiz

Conclusion:

In summary, the risk assessment process is about making decisions. The impact of a successful level of acceptable risk for any given situation is a fundamental policy decision. Likewise, vuln design issues and must be addressed during the design, development & implementation of info A fundamental problem of risk management then is to achieve a cost-effective balance between characteristics and the related countermeasures to threats and impact.

Author: P L Pradhan, M.Sc (Phys), DCA, PG DBA, Sun Solaris Certified (UNIX), plpradhan@rediffm
At present doing a Ph D program on System Security under Sambalpur University, Orissa, India
Working Area: (18 Yr exp in System/IT) System Security, Risk Mgmt, Unix System Admini Solution (Unix Oracle Database), ERP, Datacomm & Networking, Internet Technology, MIS and Design.
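As an added worked example (not part of the paper), the Risk Management Nomenclature and Cost/benefit Analysis sections above carried into code: it computes SLE and ALE for constructed assets and threats, values a safeguard as the ALE it removes minus its annual cost, and records the resulting accept-or-reduce decision. The relation SLE = asset value x exposure factor and the safeguard-value formula are the standard CISSP definitions, assumed here rather than stated on the page; every figure is constructed.

```python
# Added example: quantitative risk assessment in the paper's ALE nomenclature.
# Assumed relations (standard CISSP definitions; only the ALE line is on the page):
#   SLE = asset value x exposure factor;  ALE = SLE x ARO
#   safeguard value = ALE before - ALE after - annual cost of the safeguard
# All asset, threat and safeguard figures are constructed for illustration.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # value of the asset to the organization
    exposure_factor: float  # fraction of asset value lost per occurrence (0.0 .. 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # recurring cost of operating the safeguard
    exposure_factor: float  # residual exposure factor with the safeguard in place
    aro: float              # residual annualized rate of occurrence

def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual benefit; negative means the safeguard costs more than it saves."""
    residual = replace(risk, exposure_factor=sg.exposure_factor, aro=sg.aro)
    return risk.ale() - residual.ale() - sg.annual_cost

def decide(risk: Risk, sg: Safeguard) -> str:
    """Reduce the risk when the safeguard pays for itself, otherwise accept it."""
    return "reduce" if safeguard_value(risk, sg) > 0 else "accept"

def rank_by_ale(risks: list) -> list:
    """The spreadsheet view: assets and threats ordered by annualized loss, largest first."""
    return sorted(risks, key=Risk.ale, reverse=True)

# Constructed figures: SLE 50,000 / ALE 25,000 for the file server; 2,500 / 5,000 for the workstation.
FILE_SERVER = Risk("file server", "theft of hardware", 200_000, 0.25, 0.5)
OFFSITE_BACKUP = Safeguard("offsite backups", 4_000, 0.125, 0.25)   # residual ALE 6,250
WORKSTATION = Risk("workstation", "software bug", 5_000, 0.5, 2.0)
EXTENDED_QA = Safeguard("extended QA cycle", 6_000, 0.5, 0.5)        # residual ALE 1,250
```

With these figures the offsite backups save 14,750 a year net and are recommended, while the QA cycle costs 2,250 more than it removes, so that risk is accepted.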