01. Materi 3 242

The document outlines the risk assessment process as per NIST guidelines, detailing the definitions of risk, threats, and vulnerabilities. It describes the hierarchy of risk assessments across organizational, mission/business process, and information system tiers, along with the steps for conducting and maintaining risk assessments. Additionally, it highlights common application security risks and provides a framework for identifying vulnerabilities and determining risk responses.

INFORMATION SYSTEMS AUDIT
Amelia Setiawan
MODULE 3
Risk Assessment
RISK?
Framework: NIST 800-30; NIST 800-39
NIST. (2012). NIST Special Publication 800-30 Revision 1 - Guide for Conducting Risk Assessments. In NIST Guide for Conducting Risk Assessments (Issue September).

■ Risk Management Guide for Information Security
■ Recommendations of the National Institute of Standards and Technology
■ Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Risk Management Process
Risk Models

■ Threats
■ Vulnerabilities
■ Likelihood
■ Impact
■ Risk
■ Aggregation
■ Uncertainty
Risk Approaches

■ Assessment approaches
■ Analysis approaches
Risk Management Hierarchy
Risk Assessments at the Organizational Tier
■ Support: organizational strategies, policies, guidance, and processes for managing risk;
■ Focus: organizational operations, assets, and individuals—comprehensive assessments across mission/business lines.
■ Examples:
– specific types of threats directed at organizations
– systemic weaknesses or deficiencies
– potential adverse impact on organizations
– new information and computing technologies
Risk Assessments at the Mission/Business
Process Tier
■ Support: determination of mission/business process
protection and resiliency requirements, and the
allocation of those requirements to the enterprise
architecture as part of mission/business segments
■ Focus: mission/business segments, which typically
include multiple information systems, with varying
degrees of criticality and/or sensitivity with regard to
core organizational missions/business functions;
information security architecture as a critical component
of enterprise architecture to help organizations select
common controls
Risk Assessments at the Information System
Tier
■ Support: evaluate the anticipated vulnerabilities and
predisposing conditions affecting the confidentiality,
integrity, and availability of information systems in
the context of the planned environments of
operation.
Risk Model
Risk Assessment Process
Preparing for Risk Assessment
■ Identify the purpose of the assessment;
■ Identify the scope of the assessment;
■ Identify the assumptions and constraints associated with the assessment;
■ Identify the sources of information to be used as inputs to the assessment; and
■ Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.
Conducting the Risk Assessment
■ Identify threat sources;
■ Identify threat events;
■ Identify vulnerabilities and the predisposing conditions;
■ Determine the likelihood of occurrence;
■ Determine the magnitude of impact; and
■ Determine information security risks.
Communicating and Sharing Risk Assessment Information
■ Communicate the risk assessment results;
■ Share information developed in the execution of the risk assessment.
Maintaining the Risk Assessment
■ Monitor risk factors identified in risk assessments on an ongoing basis and understand subsequent changes to those factors; and
■ Update the components of risk assessments to reflect the monitoring activities carried out by organizations.
Prepare for the Assessment
■ Thorough understanding of the IT system
■ Scope of the risk assessment
■ Limitations of the IT system being evaluated
■ Identification of potential risks
Techniques:
1. Questionnaire
2. On-site Interviews
3. Document Review
4. Use of Automated Scanning Tool
2a. Threat Identification
■ A threat is the potential for a particular threat-source to
successfully exercise a particular vulnerability.
■ A vulnerability is a weakness that can be accidentally
triggered or intentionally exploited.
■ Threat-Source: Either (1) intent and method targeted at the
intentional exploitation of a vulnerability or (2) a situation and
method that may accidentally trigger a vulnerability.
■ Common Threat-Source: natural threats, human threats,
environmental threats.
2b. Vulnerability Identification
■ Vulnerability: A flaw or weakness in system security
procedures, design, implementation, or internal controls that
could be exercised (accidentally triggered or intentionally
exploited) and result in a security breach or a violation of the
system’s security policy.
2b. Control Analysis
■ The goal of this step is to analyze the controls that
have been implemented, or are planned for
implementation, by the organization to minimize or
eliminate the likelihood (or probability) of a threat’s
exercising a system vulnerability.
3. Likelihood Determination
4. Impact Analysis
5. Risk-level Determination
Communication of Results - Control Recommendations
■ Considerations:
– Effectiveness of recommended options (e.g.,
system compatibility)
– Legislation and regulation
– Organizational policy
– Operational impact
– Safety and reliability.
Communication of Results - Results Documentation
Risk Response | Description | Similar To
Risk Limitation | To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls) | Reduce/Limitation
Risk Planning | To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls | Mitigate
Risk Transference | Transfers the risk to compensate for potential losses | Share
Risk Avoidance | Avoids the risk by eliminating its cause and/or consequence | Avoid
Risk Assumption | Accepts potential risks and continues on with IT operations | Accept
Example IT Areas
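The risk-level determination (steps 3 to 5 above) and the choice of a response option from the table, worked through in Python as an added example that is not part of the slides. It assumes the 3x3 likelihood/impact matrix from the original SP 800-30 (likelihood weights 1.0/0.5/0.1, impact 100/50/10; a score above 50 is High, above 10 is Medium, otherwise Low) and an illustrative policy that maps each risk level to one of the slide's response options; the risk register entries are constructed from the IT areas named on the slide.

```python
from dataclasses import dataclass

# Qualitative scales and their numeric weights (assumption: the 3x3 matrix of
# the original SP 800-30, not values taken from the slides).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Illustrative policy: which response option from the slide's table to apply
# at each risk level (assumption, not a NIST rule).
RESPONSE_BY_LEVEL = {
    "High": "Risk Limitation",    # implement controls now (reduce/limit)
    "Medium": "Risk Planning",    # prioritised mitigation plan
    "Low": "Risk Assumption",     # accept and continue operations
}

@dataclass
class RiskItem:
    area: str
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight (High x High = 100.0)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Bucket the score: >50 High, >10 Medium, 1..10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def assess(items):
    """Return (item, score, level, response) tuples, highest risk first."""
    rows = []
    for it in items:
        score = risk_score(it.likelihood, it.impact)
        level = risk_level(score)
        rows.append((it, score, level, RESPONSE_BY_LEVEL[level]))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register (hypothetical entries, not from the slides).
SAMPLE = [
    RiskItem("Information Security", "external attacker", "weak password policy", "High", "High"),
    RiskItem("IS Operations", "flood (environmental)", "no offsite backup copy", "Low", "High"),
    RiskItem("Change Control", "untrained staff (accidental)", "changes not reviewed", "Medium", "Medium"),
]

if __name__ == "__main__":
    for it, score, level, resp in assess(SAMPLE):
        print(f"{level:6} {score:6.1f}  {it.vulnerability:24} -> {resp}")
```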

■ IS Operations:
– Offsite Storage
– Onsite Storage
■ Information Security:
– Password management
– User Access
■ Change Control Management
Top 10 Application Security Risks Per OWASP
https://www.ox.security/application-security-vulnerabilities/
■ Broken Access Control
■ Cryptographic Failures
■ Injection
■ Insecure Design
■ Security Misconfiguration
■ Vulnerable and Outdated Components
■ Identification and Authentication Failures
■ Software and Data Integrity Failures
■ Security Logging and Monitoring Failures
■ Server-Side Request Forgery (SSRF)
User PoV
https://www.stackhawk.com/blog/application-security-risks-4-types-and-how-to-fix-them/
■ Logic and design flaws
■ Authentication and authorization flaws
■ Exposure of sensitive information
ASSIGNMENT 3 (group)
■ Identify the vulnerabilities and threat sources of the system your group has chosen.
■ Determine the likelihood/frequency of each vulnerability.
■ Determine the magnitude of impact of each vulnerability.
■ Identify the risks of the system your group has chosen.
■ Calculate the risk level.
■ Determine the most appropriate risk response option.
Sources:
■ Reider, R. (2002). Operational Review. Wiley
■ Otero, A. R. (2019). Information Technology Control and Audit. Taylor & Francis
■ ISACA (2017). CISA Review Course. ISACA
■ Moeller, R. R. (2010). IT Audit, Control, and Security. Wiley
■ Gantz, S. D. (2014). The Basics of IT Audit: Purposes, Processes, and Practical Information. Elsevier
■ NIST. (2012). NIST Special Publication 800-30 Revision 1 - Guide for Conducting Risk Assessments. In NIST Guide for Conducting Risk Assessments (Issue September).