Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Risk

    Enviado por

    Craig S Wright
    203 visualizações33 páginas
    I have attached an old PPT on Risk from when I was at BDO. If it helps, feel free to use it. Notes and all attached, copyright is in my name (and referenced at the end). Happy reading.

    Direitos autorais

    © Attribution Non-Commercial (BY-NC)

    Formatos disponíveis

    PPT, PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento
    I have attached an old PPT on Risk from when I was at BDO. If it helps, feel free to use it. Notes and all attached, copyright is in my name (and referenced at the end). Happy reading.

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPT, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    203 visualizações33 páginas

    Risk

    Enviado por

    Craig S Wright
    I have attached an old PPT on Risk from when I was at BDO. If it helps, feel free to use it. Notes and all attached, copyright is in my name (and referenced at the end). Happy reading.

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPT, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 33

    RISK &

    Risk Management
    By Craig S Wright, DTh LLM (Cand.) MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA CCE MSDBA AFAIM MACS
    And a partridge in a pear tree

    Todays Presentation
    Risk management and how it relates to Good Corporate Governance Its all about business

    Chartered Accountants & Advisers

    Risk modelling is just the start


    Security is a process, not a product. Security products will not save you (Bruce Schneier)

    Chartered Accountants & Advisers

    Where does Risk fit into the equation?

    Chartered Accountants & Advisers

    An analysis of Information Security risk management as a discipline


    As it currently stands, risk analysis and risk management are disciplines that have increased in popularity recently (Vaughn et al, 2004) due to a perceived lack of qualified and experienced professionals (Dark, 2004.b). But we are still in the dark!
    Chartered Accountants & Advisers

    Some Taxonomy
    What is a process? Processors are the methods that we used to achieve our objectives. How are processes implemented within an organisation?

    Chartered Accountants & Advisers

    Objectives
    An objective is a goal or something that you wish to accomplish. Who sets objectives and how are these designed to help achieve effective risk management?

    Chartered Accountants & Advisers

    Controls
    Controls of the mechanisms through which we reach our goals, but what are controls?

    Chartered Accountants & Advisers

    Policies
    Policies are themselves controls. Every policy in the organisation should relate to a business or organisational objective. Who sets policy and how?

    Chartered Accountants & Advisers

    System
    A system is defined as any collection of processes, and/or devices that accomplishes an objective.

    Chartered Accountants & Advisers

    Identifying classify risk.


    A risk analysis is a process that consists of numerous stages

    Chartered Accountants & Advisers

    Controls Matrix
    An example risk treatment matrix is listed below (as modelled from NIST (800-42) and Microsoft (2004))
    No. Threat/Risk Priority
    Controls

    Policy 1 Unauthorised access to application and internal networks and Data integrity Unauthorised transmission of confidential information Data corruption H *

    Procedure *

    Firewall *

    IDS

    Av

    etc

    2 3

    H H

    Spoofing

    Chartered Accountants & Advisers

    Implementing a risk mitigation strategy


    A Gap analysis allows the identification of controls that have not been implemented

    Chartered Accountants & Advisers

    PDCA and ISMS

    Plan Do Check Act

    Chartered Accountants & Advisers

    General risk analysis


    Risk analysis is both an art and a science

    Chartered Accountants & Advisers

    Risk analysis: techniques and methods


    Risk analysis models There are two basic forms of risk analysis: Qualitative Quantitative

    Chartered Accountants & Advisers

    Quantitative
    The two simple models of quantitative risk that all risk professionals must know: Annualised loss Likelihood of loss In addition, understand that there are other quantitative methods.
    Chartered Accountants & Advisers

    Qualitative
    Qualitative analysis is the easiest type analysis, but the results are easily skewed by personal opinion

    Chartered Accountants & Advisers

    Overview of Risk Methods


    General types of risk analysis FMECA CCA Risk Dynamics Time Based Monte Carlo
    Chartered Accountants & Advisers

    FMECA analysis
    MIL-STD-1629 Procedures for Performing a Failure Mode, Effects and Criticality Analysis should (but seldom is) be taught in any introductory risk course. Failure mode, effects and criticality analysis helps to identify: Risk factors, Preventative controls. Corrective controls FMECA couples business continuity planning or disaster recovery into the initial analysis identifies potential failures identifies the worst case for all failures occurrence and effects of failure are reduced through additional controls

    Chartered Accountants & Advisers

    CCA - cause consequence analysis


    RISO labs developed CCA (Cause consequence analysis) which is essentially a fault tree based approach. It is commonly used for analysis of security and safety problems. CCA and fault trees can be easily applied to almost any technology or system

    Chartered Accountants & Advisers

    Two tree types


    Fault trees Identify faults Determine underlying causes of the faults Event trees Identify faults. Identify consequences
    Chartered Accountants & Advisers

    Risk dynamics
    Risk dynamics looks at risk analysis and risk mitigation, as in equilibrium Thus, making a change to any control or other risk factor will impact another term. Risk dynamics is a qualitative approach to risk that uses the formula: Threat X Vulnerability = Risk
    Chartered Accountants & Advisers

    Time-based Analysis (TBA)


    Time-based analysis is a quantitative analysis that uses only a small amount of qualitative measures. TBA involves analysis of the systems to identify: The preventative controls (P) The detective controls (D) And the reactive controls on the system (R)

    Chartered Accountants & Advisers

    Monte Carlo method


    A number of stochastic techniques have been developed to aid in the risk management process. These are based on complex mathematical models that use stochastically generated random values to compute likelihood and other ratios for our analysis model.
    Chartered Accountants & Advisers

    Stochastically determined ARIMA(p,d,q) and Inference Models These methods are truly quantitative. For those who like 6-sigma and then some.

    Chartered Accountants & Advisers

    Some existing tools for risk analysis


    Crystal ball Risk + Cobra OCTAVE

    Chartered Accountants & Advisers

    Risk Management and IT Governance


    The need for a corporate governance framework The need for an internal control framework The relationship between governance, the internal control framework and risk management COSO & COBIT - The background
    Chartered Accountants & Advisers

    Generic Security Risk Management Methodology

    SEI Risk Management Paradigm Copyright Carnegie Melon University

    Project Start

    Identify Baseline Or New Risks

    Classify Risks

    Evaluate Risks

    Prioritize Risks

    Identify
    Determine Response Strategy

    Analyze

    Assign Responsibility

    Determine Action Plan

    Track Risks

    Control Risks

    Plan
    Communicate Risks Inside and Outside The Project Team

    Tracking & Control

    Communication

    Chartered Accountants & Advisers

    What is left
    Residual Risk after countermeasure is installed, there is still some risk, which is the residual risk

    (Threats x vulnerability x asset value) x control gap = residual risk

    Chartered Accountants & Advisers

    It Is a Method, Not the Solution

    Risk Management is just a means to an end Good Corporate Governance!

    Chartered Accountants & Advisers

    Questions and Answers?


    Craig S Wright BDO cwright@bdosyd.com.au Ph 02 9286 5497
    Chartered Accountants & Advisers

    Bibliography
    Or a day in the life of an academic junkie

    1. Anderson, R. J. (2001) Security Engineering A guide to building dependable distributed systems. John Wiley & Sons 2. Bell and La Padula. (1975) Secure Computer System: Unified Exposition and Multics Interpretation, ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 3. Bosworth, Seymour & Kabay, M. E. (Ed.) (2002) Computer security Handbook Fourth Edition, John Wiley & Sons Inc. USA 4. Boyd, C. and Mathuria, A. (2003) Protocols for Authentication and Key Establishment. Springer-Verlag, Berlin, Germany 5. Curtis L. Smith, John A. Schroeder, Scott T. Beck, and James K. Knudsen (2001) MODELING POWER NON-RECOVERY USING THE SAPHIRE RISK ASSESSMENT SOFTWARE, Bechtel BWXT Idaho, LLC. Viewed 20th March 2006 (http://nuclear.inl.gov/docs/papers-presentations/psam_6_nonrecovery.pdf ) 6. Delphi Group (2005) Time-Based Analysis: Process De-engineering (TBA) White Paper. 7. Dodson, Bryan & Nolan, Dennis (2005 Ed) The Reliability Engineering Handbook Quality Publishing. 8. Ford, W. and Baum, M. S. (1997) Secure Electronic Commerce. Prentice Hall 9. Garfinkel, S. and Spafford, G. (2001) Web Security, Privacy & Commerce. 2nd Edition. Cambridge, Mass: O'Reilly 10. Ghosh, A. K. (1998) E-Commerce Security. Wiley 11. Kalakota, R. and Whinston, A. B. (1996) Frontiers of Electronic Commerce. Addison-Wesley 12. Keong, Tan Hiap (2004) Risk Analysis Methodologies http://pachome1.pacific.net.sg/~thk/risk.html (Last Viewed 27th March 2005) 13. Infosec Graduate Program. Purdue University. Available on March 12, 2006 at http://www.cerias.purdue.edu/education/graduate_program/ 14. Lawrence, E., Corbitt, B., Fisher, J., Lawrence, J. and Tidwell, A. (1999) Internet Commerce 2nd Edition, Wiley 15. Mauw, Sjouke & Oostdijk, Martijn (2004) Foundations of Attack Trees Eindhoven University of Technology, Emerald 16. Microsoft (2004) The Security Risk Management Guide v1.1, Microsoft Corporation, USA 17. MIL-STD-1629 Procedures for Performing a Failure Mode, Effects and Criticality Analysis 18. Moore, Andrew P., Ellison, Robert J. & Linger Richard C. (2001) Attack Modeling for Information Security and Survivability, Carnegie Mellon University. The Software Engineering Institute US 19. Myagmar, Suvda, Lee Adam J. & Yurcik, William (2005) Threat Modelling as a Basis for Security Requirements, National Center for Supercomputing Applications (NCSA) 20. NIST (800-42) Guideline on Network Security Testing NIST Special Publication 800-42 21. NIST (800-12) An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12) 22. NIST (800-41) Guidelines on Firewalls and Firewall Policy (Special Publication 800-41) 23. NIST (800-27) Computer Security (Special Publication 800-27) 24. NIST (800-30) Risk Management Guide for Information Technology Systems (Special Publication 800-30), 2002 25. Rodrigues, Alexandre G. (2001) Managing and Modelling Project Risk Dynamics A System Dynamics-based Framework, Presented at the Fourth European Project Management Conference, PMI Europe 2001, London 26. Ryan, P. and Schneider, S. (2001) Modelling and Analysis of Security Protocols. Addison-Wesley London, UK 27. SANS (2005) GIAC ISO 17799 Training Notes, SANS GIAC 2005, Sydney AU 28. Sherif, M. H. (2000) Protocols for Secure Electronic Commerce. CRC Press 29. Stallings, William. (2002) Cryptography and Network Security, Third Edition, Prentice Hall, 30. Stallings, W. (1995) Network and Internetwork Security: principles and practice. Englewood Cliffs, N.J: Prentice Hall New York: IEEE Chartered Accountants 31. Stein, L. D. (1998) Web Security, Addison-Wesley & Advisers 32. Viega and McGraw. (2002) "Risk Analysis: Attack Trees and Other Tricks", Software Development, Vol. 10(8), pp. 30-36. 33. Winfield Treese, G. and Stewart, L. C. (2002) Designing Systems for Internet Commerce. 2nd Edition, Addison-Wesley 34. Zwicky, E. D., Cooper, S., Chapman, D. B. and Russell, D. (2000) Building Internet Firewalls. 2nd Edition, O'Reilly, UK

    Você também pode gostar