Contents
- 2. Day 3 Learning Objectives To understand the motivations for the practice of information risk management within
- 3. Session Overview Why do we have to manage information risk What are the enterprise drivers What
- 4. Why Existing and growing dependency upon information infrastructure and digital assets Rapidly growing with pace of
- 5. YouTube incident coverage Grocery Store 2008 Facebook 2012 Sony 2011 Stuxnet 2010 The Loop, Stuxnet 2010
- 6. Enterprise Drivers Maximise output in the face of risk Outputs include services, products, revenue Information Security
- 7. Relationship to process Information infrastructure and services likely to be used by majority of key business
- 8. Syndicate Exercise 1 Consider the exposure of a student to information risk day-to-day in normal life,
- 9. Definitions Information Security Management entails the identification of an organisation's information assets and the development, documentation,
- 10. Definitions Availability: ensuring that access is granted to authorised users as required, within expected and declared
- 11. Definitions Assets Threats Vulnerability Exploits and Attack Vectors Likelihood Impact Mitigation and control Residual risk
- 12. Definitions Risk Analysis: Process of analysing risk for a particular environment (organisation, project, business unit…) resulting
- 13. Definitions Qualitative risk analysis A relative scale: low, medium, high.., 1,2,3,4… Appropriate where no accurate data
- 14. Information Risk Management Lifecycle From Security Risk Management, Evan Wheeler
- 15. Resource Profiling The act of identifying the assets and resources requiring protection Need to understand relative
- 16. Risk Assessment For the critical assets: Identify the presence of threat Relate the threat to potential
- 17. Example Risk Exposure “..communications could be intercepted in transit and decrypted by a malicious party resulting
- 18. Risk Evaluation The process by which the risks output from the assessment are balanced and prioritised,
- 19. Document The results of the risk assessment and the evaluation along with key points of rationale
- 20. Risk Mitigation and Remediation Implementing the plan. Options (for any particular risk) are: Limit the severity
- 21. Validation Verify adequacy of controls: Design review Configuration review Policy review Role and responsibility awareness review
- 22. Monitoring and Audit Through-life aspects: Log and audit network activity and security appliance alerts to maintain
- 23. Methods, Standards, Regulation Risk Assessment and Management Methodologies: HP Business Risk Assessment OCTAVE, DBSy, CRAMM, COBIT,
- 24. The OCTAVE Principles Organisational and Cultural Open communication, global perspective, teamwork Risk Management Principles Forward-looking view,
- 25. Basic Risk Assessment Create resource profiles Identify critical assets Understand the security requirements for critical assets
- 26. Types of Assets Information and data (paper or electronic), including intellectual property Information systems and services
- 27. Prioritising Assets Rank in relation to business objectives or business sensitivity (or some other measure such
- 28. The Input Challenge Understanding the critical assets will require input from senior and middle management, since
- 29. Identify Threat Consider threat sources in relation to the high priority assets, and the range of
- 30. Assess Consequence For each asset and threat outcome determine potential impact on organisation There may be
- 31. Tabulate
- 32. Incorporate Probability Assess how likely a particular threat will attempt a breach: Level of motivation (reward
- 33. Combine for Risk
- 34. Scenario – Assisted Living Local health authority has urgent requirement to deliver more health services direct
- 35. Assisted Living Example Risks
- 36. Identify Security Requirements For risks determine security requirements, in terms of does it contain personally identifiable
- 37. Prioritize Security Requirements Rank risks with critical at top What is the relative ranking of the