download/CIS 75E 052115 Slides Risk - Security

Managing Risk in Information Systems
Lesson 5
Strategies for Mitigating Risk
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objectives
• Describe concepts for planning risk mitigation throughout an organization.
• Describe concepts for implementing a risk mitigation plan.
Key Concepts
• Identifying the scope of a risk management plan
• Best practices for planning risk mitigation
• Ways to prioritize risk management requirements
• Developing an organizational risk mitigation plan
• Best practices for implementing a risk mitigation plan
DISCOVER: CONCEPTS
Strategies of Risk Mitigation
• Identify the cost of risk mitigation
• Determine the loss if a threat exploits a vulnerability
• Conduct a business impact analysis (BIA)
• Calculate the maximum acceptable outage (MAO)
• Establish service level agreements (SLAs)
• Develop a disaster recovery plan (DRP)
• Use guidance from the National Institute of Standards and Technology (NIST)
Scope of Risk Management
• Critical business operations
• Customer service delivery
• Mission-critical business systems, applications, and data access
• Seven domains of a typical IT infrastructure
• Information systems security gap
Compliance Issues
• CIPA requires a technology protection measure (TPM)
- In CIPA, "TPM" means an Internet content filter; it is not a Trusted Platform Module.
- The Children's Internet Protection Act (CIPA) requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content as a condition for federal funding. It was signed into law on December 21, 2000, and was found to be constitutional by the United States Supreme Court on June 23, 2003. http://en.wikipedia.org/wiki/Children%27s_Internet_Protection_Act
• Other laws may require other controls
Creating a Risk Mitigation Plan
• Complete a risk assessment
• Identify costs
• Perform a cost-benefit analysis (CBA)
• Implement the plan
Creating a Risk Mitigation Plan
High-level review of the risk assessment:
• Identify and evaluate relevant threats
• Identify and evaluate relevant vulnerabilities
• Identify and evaluate countermeasures
• Develop mitigating recommendations
Reviewing Risk Assessment Countermeasures
• In-place countermeasures
• Planned countermeasures
• Approved countermeasures
• Overlapping countermeasures
Calculating Costs
• Initial purchase
• Facility
• Installation
• Training
Calculating Costs
• Look for hidden costs
- Is extra power required to eliminate a single point of failure?
Time to Implement
• Simple configurations can be implemented in a shorter time period
• Complex configurations
- More planning and time
DISCOVER: PROCESS
Identifying Critical Business Functions (CBFs)
• Making a purchase
• Receiving funds
• Shipping products
Performing a Cost-Benefit Analysis
1. Identify the losses you expect before, or without, a countermeasure
2. Identify the losses you expect after implementing the countermeasure
• Calculating projected benefits:
Loss Before Countermeasure − Loss After Countermeasure = Projected Benefits
• Determining the value of a countermeasure:
Projected Benefits − Cost of Countermeasure = Countermeasure Value
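The two formulas above applied to several candidate controls for one risk, as an added example that is not part of the original slides. The three countermeasures and their dollar figures are constructed for illustration; the only rule taken from the text is that a control whose projected benefits do not exceed its cost has no positive value and should not be prioritized.

```python
"""Cost-benefit analysis (CBA) for candidate countermeasures.

Added example built on the slide's two formulas:
    Projected Benefits    = Loss Before Countermeasure - Loss After Countermeasure
    Countermeasure Value  = Projected Benefits - Cost of Countermeasure
The candidates below are constructed sample data, not figures from the text.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Countermeasure:
    name: str
    loss_before: int   # expected loss (e.g. per year) without the control
    loss_after: int    # expected loss with the control in place
    cost: int          # full cost: purchase, facility, installation, training, hidden costs


def projected_benefits(cm: Countermeasure) -> int:
    """Loss Before Countermeasure - Loss After Countermeasure."""
    if cm.loss_after > cm.loss_before:
        # A control that raises expected loss is either a data-entry error or a
        # control that makes things worse; do not report it as a negative benefit.
        raise ValueError(f"{cm.name}: loss after exceeds loss before")
    return cm.loss_before - cm.loss_after


def countermeasure_value(cm: Countermeasure) -> int:
    """Projected Benefits - Cost of Countermeasure."""
    return projected_benefits(cm) - cm.cost


def rank_countermeasures(candidates: Iterable[Countermeasure]) -> List[Tuple[str, int]]:
    """Return (name, value) pairs sorted best-first, dropping controls that cost
    at least as much as they save (value <= 0): these are not justified by CBA."""
    scored = [(cm.name, countermeasure_value(cm)) for cm in candidates]
    justified = [(name, value) for name, value in scored if value > 0]
    return sorted(justified, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: three ways to reduce the same 100,000 expected loss.
CANDIDATES = (
    Countermeasure("Offsite backups", loss_before=100_000, loss_after=10_000, cost=30_000),
    Countermeasure("Redundant power", loss_before=100_000, loss_after=60_000, cost=45_000),
    Countermeasure("Staff training", loss_before=100_000, loss_after=70_000, cost=8_000),
)

if __name__ == "__main__":
    for cm in CANDIDATES:
        print(f"{cm.name:16} benefits={projected_benefits(cm):>7} value={countermeasure_value(cm):>7}")
    print("Justified, best first:", rank_countermeasures(CANDIDATES))
```

Redundant power saves 40,000 but costs 45,000, so its value is negative and it drops out of the ranking even though it does reduce the loss; that is the CBA-based justification the later "best practices" slide refers to.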
DISCOVER: ROLES
Key Roles Involved with a Risk Management Plan
• Chief executive officer (CEO)
• Chief operating officer (COO)
• Chief financial officer (CFO)
• Data owners and custodians
• IT management
• Human resources (HR) professionals
• Industry-specific management
• Corporate legal department
• Auditors
DISCOVER: CONTEXT
Risk Within the Seven Domains
Risk Mitigation Best Practices
• Review historical documentation
- Although risks change, many of the threats
and vulnerabilities will be the same
• Include both a narrow and broad focus
- Identify specific risks and mitigation strategies
and broaden the focus to include the entire
organization
Risk Mitigation Best Practices
• Ensure that governing laws are identified
- If you don't know what laws apply, you won't be in compliance
• Redo risk assessments (RAs) when a control changes
- If a control changes, the original RA is no longer valid
• Include a cost-benefit analysis
- CBAs provide justification for controls and help determine their value
Implementing a Risk Mitigation Plan
• Stay within budget
- Ensure costs are calculated accurately
• Stay on schedule
- Use tools to manage the project
DISCOVER: RATIONALE
Prioritizing and Analyzing Risk
• Cost associated with the loss of a business component or process
• Loss of customer confidence
• Lack of compliance
• Lack of insurance to mitigate or transfer risk
Monitoring Implementation
• Use project management tools
Summary
• Identifying the scope of a risk management plan
• Best practices for planning risk mitigation
• Ways to prioritize risk management requirements
• Developing an organizational risk mitigation plan
• Best practices for implementing a risk mitigation plan
OPTIONAL SLIDES
Assessing How Security Countermeasures/Safeguards Can Assist with Risk Mitigation
• Controls are implemented at a point in time to reduce the risks at that time
• A control will attempt to mitigate risk by:
- Reducing the impact of threats to an acceptable level
- Reducing a vulnerability to an acceptable level
• Risk assessment (RA) is a point-in-time assessment
Identifying Risk Mitigation and Risk Reduction Elements
• Account management controls
• Access controls
• Physical access
• Personnel policies
• Security awareness and training
Operational Impact
• Tradeoff with security:
- The more secure a system is, the harder it tends to be to use
- The easier a system is to use, the less secure it tends to be
• Firewall implicit deny philosophy: anything not explicitly permitted is blocked
- Safer by default, but every new legitimate service is also blocked until a rule is added for it
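The implicit deny tradeoff in working code, as an added example that is not from the slides or from any real firewall product. It is a minimal first-match rule evaluator: the same two "needed service" rules are run once under a default-deny policy and once under a default-allow (blocklist) policy, so the operational difference is visible. The subnet, addresses, ports and rules are all constructed assumptions.

```python
"""Implicit deny vs implicit allow, as a tiny first-match packet filter.

Added example. Rules are checked in order; the first match decides. A packet
that matches no rule falls through to the policy's default action, and that
default is the whole difference between the two philosophies. Addresses,
ports and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str
    dport: Optional[int] = None      # None matches any destination port
    proto: Optional[str] = None      # None matches any protocol
    src_net: Optional[str] = None    # CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        return True


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default: str   # action taken when no rule matches

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Only the services the business has actually asked for (constructed assumptions).
NEEDED_SERVICES = (
    Rule(ALLOW, dport=443, proto="tcp"),                        # public HTTPS
    Rule(ALLOW, dport=22, proto="tcp", src_net="10.0.1.0/24"),  # SSH from the admin subnet only
)

# Implicit deny: permit the listed services, drop everything else.
IMPLICIT_DENY = Policy(rules=NEEDED_SERVICES, default=DENY)
# Implicit allow (blocklist): permit everything except what someone remembered to block.
IMPLICIT_ALLOW = Policy(rules=NEEDED_SERVICES + (Rule(DENY, dport=23),), default=ALLOW)

SERVER = "203.0.113.10"


def exposed_ports(policy: Policy, src: str, ports=range(1, 1025)) -> List[int]:
    """Ports a client at `src` can reach on SERVER under `policy`."""
    return [p for p in ports if policy.decide(Packet(src, SERVER, p)) == ALLOW]


if __name__ == "__main__":
    internet, admin = "198.51.100.7", "10.0.1.5"
    print("implicit deny, from internet:", exposed_ports(IMPLICIT_DENY, internet))
    print("implicit deny, from admin net:", exposed_ports(IMPLICIT_DENY, admin))
    print("implicit allow, from internet, ports reachable:", len(exposed_ports(IMPLICIT_ALLOW, internet)))
    # The usability cost: a newly deployed service on 8443 is blocked until a rule is added.
    print("new service on 8443 under implicit deny:", IMPLICIT_DENY.decide(Packet(internet, SERVER, 8443)))
```

Under implicit deny an Internet client reaches only port 443, and SSH is reachable only from the admin subnet; under implicit allow the same two rules leave 1,023 of the first 1,024 ports open, because the policy only blocks what was explicitly listed. The last line shows the operational cost the slide refers to: a legitimate new service on 8443 is denied until someone adds a rule.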
Prioritizing Risk Elements
Following Up on the Risk Mitigation Plan
• Ensure countermeasures are implemented
- Track each one in a plan of action and milestones (POAM)
• Ensure security gaps have been closed