information security risk
play

Information security risk assessments Lecture #3 Security in - PowerPoint PPT Presentation

Sep 19, 2022 •368 likes •929 views

Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul 1 Literature Main literature for this lecture: 1. The ISO 27005 standard The NIST Special Publication 800- 30: Risk management 2. Guide for

  1. Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul 1

  2. Literature Main literature for this lecture: 1. The ISO 27005 standard The NIST Special Publication 800- 30: ‘Risk management 2. Guide for Information Technology Systems’ (see the SIO website). Variants on ISO 2700* 2

  3. Outline • Recap on ISO 27001 • ISO 27001 requirements on the risk assessments and treatment (RAT) process • The RAT process from ISO 27005 • The RAT process from NEN 7512 and NIST SP 800-30 • Risk assessments attention points and software tools • Recap • Case on electronic banking 3

  4. Outline • Recap on ISO 27001 • ISO 27001 requirements on the risk assessments and treatment (RAT) process • The RAT process from ISO 27005 • The RAT process from NEN 7512 and NIST SP 800-30 • Risk assessments attention points and software tools • Recap • Case on electronic banking 4

  5. Recap on information security Recap • ISO 27001 describes a ‘security management system’, a methodology to select and maintain security controls (from ISO 27002) based on risk assessments. This system is called Information Security Management System (ISMS) • Fundamental to ISO 27001 is that it considers IS as a continual improvement process and not as a product • The ISMS scope is an important decision • This process is known as the PDCA cycle, risk assessment is the engine in this cycle • ISO 27001 leaves room for various implementations, getting a more secure organization instead of a ‘paper tiger’ is an attention point • An organization’s ISO 27001 implementation can be formally certified • We have seen an implementation based on the ‘combined approach’ based on assets clustered in information systems 5

  6. Recap on information security Recap Conducting Risk Assessment and Treament (RAT) Critical information systems Conducting CIA Code Business Impact Analyse (BIA) Non-Critical information systems Apply baselines Critical systems management Telephone Treasury CRM Document Email ….. Billing ERP Baseline security 6

  7. Outline • Recap on ISO 27001 • ISO 27001 requirements on the risk assessments and treatment (RAT) process • The RAT process from ISO 27005 • The RAT process from NEN 7512 and NIST SP 800-30 • Risk assessments attention points and software tools • Recap • Case on electronic banking 7

  8. ISO 27001 requirements on the RAT process Alternative definition of IS • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations. Risk Assessment Threat #1 Vulnerability #1 Threat #2 Vulnerability #2 Threat #3 Vulnerability #3 Threat #4 Vulnerability #4 Risk paths (scenarios/potential incidents) Threat # n Vulnerability # n 8

  9. ISO 27001 requirements on the RAT process Alternative definition of IS • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations. Risk Assessment Threat #1 Vulnerability #1 Threat #2 Vulnerability #2 Threat #3 Vulnerability #3 Threat #4 Vulnerability #4 Risk paths (scenarios) Threat # n Vulnerability # n 9

  10. ISO 27001 requirements on the RAT process Alternative definition of IS • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations. Risk Assessment Threat #1 Vulnerability #1 Threat #2 Vulnerability #2 Threat #3 Vulnerability #3 Threat #4 Vulnerability #4 Risk paths (scenario’s) Threat # n Vulnerability # n 10

  11. Example: Customer Helpdesk

  12. ISO 27001 requirements on the RAT process Relevant ISO 27001 clauses Clause 4.2.1 c): Define the risk assessment approach of the organization. 1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements. 2) Develop criteria for accepting risks and identify the acceptable levels of risk. ( Note: aka ‘risk appetite’ ) The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.  There should be a documented methodology, risk appetite should be determined. 12

  13. ISO 27001 requirements on the RAT process Relevant ISO 27001 clauses Clause 4.2.1d): Identify the risks. 1) Identify the assets within the scope of the ISMS, and the owners of these assets. 2) Identify the threats to those assets. 3) Identify the vulnerabilities that might be exploited by the threats. 4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.  The methodology should involve assets, threats, vulnerabilities and impacts. 13

  14. ISO 27001 requirements on the RAT process Relevant ISO 27001 clauses Clause 4.2.1 e): Analyse and evaluate the risks. 1) Assess the business impacts upon the organization that might result from security failures, 2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented. 3) Estimate the levels of risks. 4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1c)  Prioritize risks and determine which need treatment. 14

  15. Example: Risk Assessment  Without baselines High Medium Risk High Risk Fire destroys telephones Insufficient staffing causes • and computers long waits for customers I M P A Low Riskk Medium Risk C Entry errors cause problems T Employee commits fraud • for customers (who then complain) Low PROBABILITY High

  16. Example: Risk Assessment  With baselines High Medium Risk High Risk Fire destroys telephones As we have insufficient staff • and computers and we enable this causes long waits I have too little insurance for customers M covering that P Low Riskk Medium Risk A We have insufficient C • Entry errors cause problems access controls on the for customers (who then T helpdesk system enabling complain) employees to commit • fraud Low PROBABILITY High

  17. ISO 27001 requirements on the RAT process Relevant ISO 27001 clauses Clause 4.2.1 f): Identify and evaluate options for the treatment of risks. • Options: Applying controls, accepting risks, avoiding risks, transferring risks to other parties Clause 4.2.1g): Select control objectives and controls for the treatment of risks. Clause 4.2.1h): Obtain management approval of the proposed residual risks.  Either accept, avoid, transfer risks or select controls. 17

  18. Example: Risk Response Medium Risk High Risk High • Fire destroys telephones and Customer has a long wait computers hire enough people • insure phones + freebees for long waits I computers M Transfer Control P Medium Risk Low Risk A C Fraud Entry errors ignore input validation T • Accept Control Low PROBABILITY High

  19. Outline • Recap on ISO 27001 • ISO 27001 requirements on the risk assessments and treatment (RAT) process • The RAT process from ISO 27005 • The RAT process from NEN 7512 and NIST SP 800-30 • Risk assessments attention points and software tools • Recap • Case on electronic banking 19

  20. The RAT process from ISO 27005 Main steps 1. Context establishment 2. Risk assessment 3. Risk estimation/evaluation 4. Risk treatment 5. Risk acceptance 6. Documentation/communication 7. Risk monitoring Source: ISO 27005 20

  21. The RAT process from ISO 27005 Main steps 1. Context establishment • Determine legal requirements • Determine scope and boundaries, e.g.:  Business process lifecycle  Information system lifecycle • Determine dependencies with other ‘systems’. 21

  22. The RAT process from ISO 27005 Allocating responsibilities RA Interconnected information systems Scope Helpdesk Invoicing dep. Department #3 Manager #1 Manager #2 Manager #3 Business Business Business info Process #1 Process #2 Process #2 info Impose requirements Information Information Information System #1 System #2 System #3 Network Internet 22

  23. The RAT process from ISO 27005 Main steps 1. Context establishment 2. Risk assessment • Identify assets (= familiarize with system) • Identify threats • Relate actual security incidents • Identify vulnerabilities • Relate existing controls (baselines in our setting) • Determine consequences (potential incidents) Threats may be of natural or human origin. 23

  24. The RAT process from ISO 27005 ‘Natural’ threat examples Source: BSI IT-Grundschutz-Catalogues 24

  25. The RAT process from ISO 27005 ‘Human’ threat examples (not limitative) Source: NIST SP 800-30 25

  26. The RAT process from ISO 27005 Vulnerability examples Source: ISO 27005 26

  27. The RAT process from ISO 27005 Vulnerability examples Alternatively, one can directly relate vulnerabilities to the 11 ISO 27002 chapters. H ISO 27002 Example topics 5 Security Policy 6 Organization of Information Security 7 Asset Management 8 Human resources security 9 Physical and Environmental Security 10 Communications and Operations Management 11 Access Control 12 Information Systems Acquisition, Development and Maintenance 13 Information Security Incident Management 14 Business Continuity Management 15 Compliance 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security

INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security

INFORMATION TECHNOLOGY SERVICES INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security & Privacy Office June 8, 2017 Why Unit Risk Management Programs Are Important For the most part FSU has enjoyed

402 views • 9 slides
MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager

MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager

MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager Information Security Risk, MISO David Day, Information Security Risk Analyst, MISO Joe Polen, Executive Director, Security Controls and Engagement

375 views • 21 slides
INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information

INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information

INFORMATION TECHNOLOGY SERVICES INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Risk Management Program Information Security & Privacy Office June 8, 2017 Version 1.5.7 Risk Management at Florida State University Risk assessments

549 views • 11 slides
Quantitative Information Security Risk Management Effective risk management for small/medium

Quantitative Information Security Risk Management Effective risk management for small/medium

Realistic and Affordable Quantitative Information Security Risk Management Effective risk management for small/medium businesses Walter Williams Who am I Walt Williams, CISSP, SSCP, CEH, CPT, MCP Director of Security and Compliance at

756 views • 50 slides
INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Training Plan Information Security &

INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Training Plan Information Security &

INFORMATION TECHNOLOGY SERVICES INFORMATION RISK MANAGEMENT PROGRAM Developing a Unit Training Plan Information Security & Privacy Office June 8, 2017 Information Security and Privacy Plan Goal 2: Training and Outreach People are the

384 views • 13 slides
Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information

Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information

Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information Security Services Mark Martens Security Risk Management Analyst 1 Areas for Review Commonwealth ISO Certification IT Security

832 views • 40 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
Reliability Engineering in Information Security: A Novel Approach to Risk Assessment Chris

Reliability Engineering in Information Security: A Novel Approach to Risk Assessment Chris

Reliability Engineering in Information Security: A Novel Approach to Risk Assessment Chris Woods, CISSP Mount Holyoke College Disclaimer This talk is: Speculative Additive Not intended to replace the advice of a competent

765 views • 42 slides
A simulation-optimization approach for information security risk management Elmar Kiesling,

A simulation-optimization approach for information security risk management Elmar Kiesling,

A simulation-optimization approach for information security risk management Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer International Conference on Operations Research September 4, 2013; Rotterdam

1.12k views • 81 slides
Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal

Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal

Risk-Aware Role-Based Access Control Liang Chen Jason Crampton Information Security Group, Royal Holloway, University of London 7th International Workshop on Security and Trust Management Risk-Aware RBAC Introduction Introduction

604 views • 16 slides
Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund

Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund

Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund Lwinder Security Manager .SE amel@iis.se @amelsec Agenda About .SE Risk and Information Security Management in a ccTLD. ISO 27001,

754 views • 37 slides
Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G

Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G

Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G February 2011 Background to the Report Builds on E3Gs climate security work since 2005 Seminars with climate and security experts in 2009-10

811 views • 51 slides
Risk Management Stephen Vono - Principal Notification Laws Definition of PII

Risk Management Stephen Vono - Principal Notification Laws Definition of PII

Information Security Risk Management Stephen Vono - Principal Notification Laws Definition of PII Compliance www.mcgowanprofessional.com Information Security Liability Paper Files Wi-Fi Networks Servers Portable

322 views • 9 slides
Isolated virtualised clusters: Testbeds for high-risk security experimentation and training

Isolated virtualised clusters: Testbeds for high-risk security experimentation and training

Isolated virtualised clusters: Testbeds for high-risk security experimentation and training Jos M. Fernandez (*) cole Polytechnique de Montral Information Systems Security Research Lab ( Laboratoire SecSI ) (*) Joint work with: -

370 views • 21 slides
Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director

Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director

Danske Bank - Launch of the first mobile bank app in Claus Hjort Bjerre Development Director Danske Bank, Group IT, Channels 12-05-2011 IT in Danske Bank Leading digital functionality for our private and corporate 10 million transactions

352 views • 20 slides
Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II)

Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II)

Automated Reasoning Model Checking with SPIN (II) Alan Bundy Automated Reasoning SPIN (II) page 1 Verifying Global Properties Assertions can be used to verify a property locally locally For example, place assert(MemReturned) at the

441 views • 25 slides
New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome

New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome

New Banks seminar New Bank Start-up Unit 19 th February 2018 NBSU Seminar NBSU Seminar Welcome and opening remarks Martin Stewart Director, Banks, Building Societies and Credit Unions, PRA 2 New Bank Seminar Agenda Timing Session

1.29k views • 109 slides
Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What

Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What

Finance I Introduction to Corporate Finance 1 Corporate Finance and the Financial Manager What is Corporate Finance? Corporate finance is concerned about three main problems: 1. Planning and managing long-term investments (Capital Budgeting).

796 views • 5 slides
GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

Chapter No. Page No. 9 201 International Finance IMPORT / EXPORT GUARANTEES GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF DISCHARGE THE LIABILITY OF THIRD PERSON IN CASE OF HIS DEFAULT.

463 views • 13 slides
SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS

SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS

Chapter No. Page No. 20 350 International Finance COMMERCIAL RATES OF EXCHANGE SPOT RATE THE NORMAL RATE QUOTED IN THE FOREIGN EXCHANGE MARKET IS THE SPOT RATE. THIS RATE IS QUOTED FOR TRANSACTIONS WHERE THE FOREIGN CURRENCY

436 views • 12 slides
Larry OToole This mornings PURPOSE. Thinking about the right combination of things

Larry OToole This mornings PURPOSE. Thinking about the right combination of things

Larry OToole This mornings PURPOSE. Thinking about the right combination of things Actions you could be starting now 3 .can you point to who owns building your sales and is there a plan? .who owns delivering my product

549 views • 18 slides
Customs Declaration Service Date: 21 January 2020 Time: 11:00 15:00 Venue: HMRC Business

Customs Declaration Service Date: 21 January 2020 Time: 11:00 15:00 Venue: HMRC Business

Customs Declaration Service Date: 21 January 2020 Time: 11:00 15:00 Venue: HMRC Business Centre, Suites 1.11, 1.12, 1.13 1 Ruskin Square Dingwall Road Croydon CR0 2WF Customs Declaration Service | Official Marking 1 NCTS API changes

1.04k views • 74 slides

More recommend