
Risk Management in Information Security

J Kasiroori
Introduction
Risk management is a core component of information security and establishes how risk assessments are to be conducted.

It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organisation's assets.

Thus an enterprise has to know what risks it is facing.

The risk management program must be owned at the senior leadership level of the organisation and implemented by everyone (not just the technical staff).

At a high level, we need to identify our important assets.


Risk Management Process
• Identify: Identify Assets
• Identify: Identify Threats
• Assess: Assess Vulnerabilities
• Assess: Assess Risks
• Mitigate: Mitigate Risks

Identify Assets
• Arguably one of the most important parts of the risk management process.
• Not all assets need to be protected equally; by determining where resources should be focused, cost can be reduced while security is increased.
Threat Identification
What is a threat?
• A threat is a potential occurrence that could compromise the confidentiality, integrity, or availability of an organisation's assets, data, or systems.
• Examples of threats include insider attacks (malicious employees or contractors), accidental data breaches (employee mistakes), unauthorised access, etc.
Threat Identification Using Frameworks

• The CIA Triad or the Parkerian Hexad can be used as frameworks for discussing the nature of threats.
• For instance, if we apply this to examining the threats that we might face against an application that processes credit card payments:
• Confidentiality: if we expose data inappropriately, we have a potential breach
• Integrity: if data becomes corrupt, we may incorrectly process payments
• Availability: if the system or application goes down, we cannot process payments
• Possession: if we lose backup media, we have a potential breach
• Authenticity: if we do not have authentic customer information, we may process a fraudulent transaction
• Utility: if we collect invalid or incorrect data, it has limited utility to us
Assess Vulnerabilities
Vulnerability Assessment
• Assess vulnerabilities in the context of potential threats.
• A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
• For instance, a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data centre that is populated over the capacity of its air-conditioning system, a lack of backup generators, or other factors.
Assess Risks
Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk.

Thus, risk is the conjunction of a threat and a vulnerability.

A vulnerability with no matching threat, or a threat with no matching vulnerability, does not constitute a risk.
Risk Mitigation
In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls.

Controls are divided into three categories: physical, logical, and administrative (or management, operational, and technical controls).

Physical: those controls that protect the physical environment in which our systems sit, or where our data is stored.

Administrative: based on rules, laws, policies, procedures, guidelines, and other items that are "paper" in nature. They set out the rules for how we expect the users of our environment to behave.
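The process above, from identifying threats and vulnerabilities through assessing risk as the conjunction of the two and then applying controls, as an added worked example (not part of the original slides). The threats, vulnerabilities, scores and controls below are constructed sample values for the slides' card-payment application, and the likelihood × impact scoring is an assumption the slides do not specify.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    affects: str      # CIA property the threat could compromise
    likelihood: int   # 1 (rare) .. 5 (frequent), assumed scale
@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposes: str      # CIA property the weakness leaves open
    impact: int       # 1 (minor) .. 5 (severe) if exploited, assumed scale
@dataclass(frozen=True)
class Control:
    name: str
    kind: str         # physical, logical or administrative
    covers: str       # name of the vulnerability the control removes
@dataclass(frozen=True)
class Risk:
    threat: Threat
    vulnerability: Vulnerability
    score: int        # likelihood x impact

def assess_risks(threats, vulns):
    """A risk exists only where a threat meets a vulnerability on the same property;
    an unmatched threat or an unmatched vulnerability produces no risk."""
    risks = [Risk(t, v, t.likelihood * v.impact)
             for t in threats for v in vulns if t.affects == v.exposes]
    return sorted(risks, key=lambda r: r.score, reverse=True)

def residual_risks(risks, controls):
    """Drop every risk whose vulnerability a control covers; the rest is residual."""
    covered = {c.covers for c in controls}
    return [r for r in risks if r.vulnerability.name not in covered]

# Constructed sample data (hypothetical values, not from the slides).
THREATS = [
    Threat("insider data theft", "confidentiality", 3),
    Threat("power outage", "availability", 2),
    Threat("payment record tampering", "integrity", 2),  # no matching weakness
]
VULNS = [
    Vulnerability("unencrypted card database", "confidentiality", 5),
    Vulnerability("unpatched OS on payment server", "confidentiality", 4),
    Vulnerability("no backup generator", "availability", 4),
    Vulnerability("air-conditioning over capacity", "availability", 3),
]
CONTROLS = [
    Control("database encryption", "logical", "unencrypted card database"),
    Control("backup generator", "physical", "no backup generator"),
]
```

Running assess_risks on the sample yields four risks (the integrity threat has no matching vulnerability, so it contributes none), and residual_risks leaves the two that the chosen controls do not address.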
Attack Categories
We can generally place attacks we might face into one of four categories:
• Interception
• Interruption
• Modification
• Fabrication

Each category can affect one or more of the principles of the CIA triad:
• Confidentiality: Interception
• Integrity: Interruption, Modification, Fabrication
• Availability: Interruption, Modification, Fabrication
