2. Content
Introduction to risk management
What is risk
Example of risk assessment
Types of risk assessment
Why risk assessment is necessary
Legal and ethical considerations in cybersecurity
Security policies, standards, and procedures
3. Introduction to information security and risk management
Information security and risk management are two critical and interconnected disciplines in
today's digital world. They work together to protect sensitive information from unauthorized
access, use, disclosure, disruption, modification, or destruction, and to minimize the potential
harm that could result from such events.
Information security is the practice of ensuring the confidentiality, integrity, and availability (CIA
triad) of information.
Risk management is the process of identifying, assessing, and controlling risks. In the context of
information security, this involves identifying potential threats and vulnerabilities, assessing the
likelihood and impact of those threats, and implementing controls to mitigate the risks.
4. Why are information security and risk management important?
We use computers, smartphones, and other devices to store and access sensitive information,
such as financial data, personal information, and intellectual property. This information is
valuable, and it is also vulnerable to attack.
Cybercriminals are constantly developing new ways to steal, manipulate, or destroy information.
They can use a variety of methods, such as hacking, phishing, malware, and ransomware.
These attacks can have serious consequences for individuals, businesses, and governments.
5. Information security and risk management can help to:
Protect sensitive information from unauthorized access
Prevent data breaches and other security incidents
Minimize the impact of security incidents that do occur
Ensure compliance with relevant laws and regulations
Build trust and confidence with stakeholders
6. Key elements of an information security and risk management program
An effective information security and risk management program will typically include
the following elements:
◦ Security policies and procedures: These documents outline the organization's
expectations for how information should be handled.
◦ Risk assessment: This process involves identifying and assessing the risks that the
organization faces.
◦ Controls: These are measures that are put in place to mitigate risks. Controls can be
technical, such as firewalls and intrusion detection systems, or administrative, such as
security awareness training.
◦ Incident response: This is a plan for how the organization will respond to a security
incident.
◦ Business continuity and disaster recovery: These plans are designed to help the
organization recover from a major disruption, such as a natural disaster or a cyberattack.
7. What is risk?
As per ISO 27005, risk is the potential that a given threat will exploit vulnerabilities of an asset or
group of assets and thereby cause harm to the organization.
Risk formula
Risk = impact of a threat exploiting the vulnerability × likelihood of the threat attempting to exploit
the vulnerability
Impact/consequence is the outcome of a particular threat exploiting a vulnerability.
Likelihood/occurrence is the chance that a particular threat attempts to exploit a vulnerability.
8. Risk management example
Threat: information disclosure
Vulnerability: lack of vulnerability assessment and penetration testing
Likelihood: happens at least once daily. Likelihood rating = high
Impact: financial impact greater than 20 million, or otherwise significant. Impact rating = high
Risk: risk = impact × likelihood. Risk rating = high × high = high (a high probability of a big
financial hit)
9. Why do we need risk management?
Avoid unwanted losses
Oversight of the organization in terms of risk
Avoid excessive control costs (spending more on controls than the risk justifies)
10. Basic definitions
Asset / process inventory – list of the organization's assets and processes
Asset valuation – process of defining the value of an asset, e.g. in monetary terms, based on its
confidentiality, integrity, and availability requirements
Threat – a potential cause of harm that, by exploiting a vulnerability, can result in an impact, e.g.
information disclosure
Vulnerability – a weakness, e.g. lack of VAPT, lack of policies and procedures
Likelihood – how often a threat tries or attempts to exploit a vulnerability
Impact – the outcome of a particular threat exploiting the vulnerability
11. Basic definitions contd.
Inherent risk – the risk naturally associated with an asset / process, before any control is applied
Control assessment and control value – a control is a tool / solution / process used to manage a risk.
Control assessment is the exercise of identifying the control and measuring its effectiveness; the
score assigned for how effectively the control mitigates a particular risk is the control value
Residual risk – the risk that remains after a control has been applied to a particular risk
12. Definitions
Asset owner – usually a person from the business side
Asset custodian – usually someone from the IT department or the company that manages the assets
Risk owner – the person accountable for the risk
13. Types of risk assessment
Quantitative risk assessment – expresses the risk score in monetary value
Qualitative risk assessment – expresses the risk score in descriptive adjectives (e.g. low, medium, high)
Semi-quantitative risk assessment – a combination of the quantitative and qualitative approaches
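Worked example, added here and not part of the original slides: the risk formula from slide 7, the slide 8 scenario, the residual-risk definition from slide 11 and the three assessment types from slide 13, carried through in Python. The 20 million "high impact" threshold comes from slide 8; the three-level scale, the other likelihood and impact thresholds, the 3×3 risk matrix and the control-effectiveness model are assumptions made for the example.

```python
"""Risk = impact x likelihood, worked in qualitative, quantitative and
residual form. Added example: the 3-level scale and every threshold except
the slides' 20 million 'high impact' figure are assumptions."""

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale


def likelihood_rating(events_per_year: float) -> str:
    """Qualitative likelihood from how often the threat attempts to exploit
    the vulnerability. Assumed thresholds: daily or more often -> high,
    at least monthly -> medium, rarer -> low."""
    if events_per_year >= 365:
        return "high"
    if events_per_year >= 12:
        return "medium"
    return "low"


def impact_rating(loss_amount: float) -> str:
    """Qualitative impact from the financial outcome. The slides put 'high'
    at 20 million or more; the 1 million 'medium' threshold is assumed.
    Mapping money ranges to adjectives is the semi-quantitative approach."""
    if loss_amount >= 20_000_000:
        return "high"
    if loss_amount >= 1_000_000:
        return "medium"
    return "low"


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Qualitative assessment: risk = impact x likelihood on the ordinal
    scores, bucketed back into low/medium/high (assumed 3x3 risk matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]      # 1..9
    if score >= 6:
        return "high"       # high/high, high/medium
    if score >= 3:
        return "medium"     # medium/medium, high/low
    return "low"            # low/low, low/medium


def quantitative_risk(loss_amount: float, annual_probability: float) -> float:
    """Quantitative assessment: the same formula with money and probability,
    giving the expected annual loss in currency units."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return loss_amount * annual_probability


def residual_risk(inherent: float, control_value: float) -> float:
    """Residual risk = the inherent risk left after a control is applied.
    control_value is the control's effectiveness as a fraction 0..1
    (assumed model of the 'control value' score)."""
    if not 0.0 <= control_value <= 1.0:
        raise ValueError("control_value must be between 0 and 1")
    return inherent * (1.0 - control_value)


def assess_slide_example() -> dict:
    """The slide 8 scenario: information disclosure exploiting a lack of
    VAPT, attempted at least once daily, costing 20 million or more."""
    likelihood = likelihood_rating(events_per_year=365)     # daily
    impact = impact_rating(loss_amount=20_000_000)
    return {
        "threat": "information disclosure",
        "vulnerability": "lack of vulnerability assessment and penetration testing",
        "likelihood": likelihood,
        "impact": impact,
        "risk": qualitative_risk(likelihood, impact),
    }


if __name__ == "__main__":
    print(assess_slide_example())
    # Quantitative view on constructed figures (not the slide's scenario):
    # a 20 million loss at an assumed 10% annual probability, then a
    # control assessed as 75% effective.
    inherent = quantitative_risk(20_000_000, 0.10)
    print("expected annual loss:", inherent)
    print("residual after control:", residual_risk(inherent, 0.75))
```

The qualitative path reproduces the slide's "high × high = high" result; the quantitative path shows why the formula also works with money and probability, and residual_risk shows how a control value feeds the risk treatment step.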
14. Overview of Risk Management Process
Various international approaches and methodologies for risk assessment
◦ NIST SP 800-30 (Guide for Conducting Risk Assessments)
◦ ISO/IEC 27005
◦ COBIT
◦ OCTAVE Allegro
◦ FAIR
Risk Management = Asset/Process Valuation + Risk Assessment + Risk Treatment
15. Legal and ethical considerations in cybersecurity
Legal Considerations
◦ Data Privacy Laws: Laws like the General Data Protection Regulation (GDPR) in
Europe and the California Consumer Privacy Act (CCPA) in the US govern how
organizations collect, store, and use personal data. These laws give individuals
certain rights over their data, such as the right to access, correct, and delete
their data.
◦ Cybersecurity Legislation: Many countries have enacted cybersecurity laws that
require organizations to take specific measures to protect their systems and
data. These laws may mandate reporting data breaches, implementing certain
security controls, or protecting critical infrastructure.
◦ Intellectual Property Protection: Cybersecurity law also protects intellectual
property (IP) rights. Unauthorized access to or theft of IP can lead to legal
disputes and lawsuits.
◦ Liability for Data Breaches: Organizations can be held liable for damages if
they fail to adequately protect customer or employee data.
16. Legal and ethical considerations in cybersecurity contd.
Ethical Considerations
◦ Privacy: Respecting individuals' privacy rights is an important ethical
consideration in cybersecurity. Organizations should only collect and use
personal data that is necessary for legitimate purposes and should take steps to
protect that data from unauthorized access.
◦ Transparency: Organizations should be transparent about their cybersecurity
practices. They should disclose what data they collect, how they use it, and how
they protect it.
◦ Accountability: Organizations are accountable for the security of their systems
and data. They should take steps to prevent security incidents and should be
prepared to respond to them if they do occur.
◦ Proportionality: Cybersecurity measures should be proportionate to the risks
involved. Organizations should not implement overly restrictive measures that
could impede their operations or harm their customers.
◦ Non-discrimination: Cybersecurity measures should not be discriminatory.
Organizations should not discriminate against individuals or groups based on
their personal characteristics, such as their race, religion, or sexual orientation.
17. Class work
Perform a risk assessment based on the following assets and processes
◦ Laptop
◦ Servers
◦ Change management
◦ Access control
◦ Fire extinguisher