Security Management and Control

Overview
  - Risk Analysis
  - Controls and Safeguards
(Image source: http://mashable.com)

CSCI 415 Computer and Network Security
Dr. Nazli Hardy
Partially adapted from Computer Security: Principles and Practice (Stallings and Lawrie Brown)


Security Management and Control: Risk Analysis

ISO 27000 series (International Organization for Standardization): the international standards for security management.

Objectives of risk analysis:
  - Identify and categorize the risks to assets that threaten the regular operations of an organization. This seems mundane, but it can make or break a company.
  - Provide information to managers to help them evaluate the risks and then determine how best to deal with (treat) them.
  - Likelihood of occurrence, frequencies and timing depend on the type of business.

Risk likelihood can be categorized as follows. (Why do we care about rare risks?)

Rating  Likelihood       Expanded definition
1       Rare             May occur only in exceptional circumstances and may be deemed as "unlucky" or very unlikely.
2       Unlikely         Could occur at some time but is not expected given current controls, circumstances and recent events.
3       Possible         Might occur at some time, but is just as likely as not. It may be difficult to control its occurrence due to external influences.
4       Likely           Will probably occur in some circumstance, and one should not be surprised if it occurred.
5       Almost Certain   Is expected to occur in most circumstances, and certainly sooner or later.


Security Management and Control: Risk Analysis

Risk = (Probability that the threat occurs) x (Cost to the organization)

Risk appetite: the level of risk the organization views as acceptable.

Balance risk treatment with the day-to-day productive functioning of the company.

The specified likelihood needs to be realistic. In particular, a rating of Likely or higher suggests that this threat has occurred sometime previously. In contrast, the Unlikely and Rare ratings can be very hard to quantify: they are an indication that the threat is of concern, but knowing whether it could potentially occur is difficult to specify. Typically such threats would only be considered if the consequences to the organization of their occurrence are so severe that they have to be considered even if extremely improbable. Hence we also need to determine the consequence.


Security Management and Control: Determining Consequence

Rating  Consequence     Expanded definition
1       Insignificant   Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2       Minor           Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3       Moderate        Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4       Major           Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible but not expected, especially if this is a once-off.
5       Catastrophic    Major systemic security breach. Impact will last for 3 months or more, and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6       Doomsday        Multiple instances of major systemic security breaches. Impact duration cannot be determined, and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management are expected, and substantial loss of business and failure to meet organizational objectives is unavoidable.


Security Management and Control: Resultant Risk (how CTOs and CIOs make the big bucks)

Once the likelihood and consequence of each specific threat have been identified, a final level of risk needs to be assigned. This is typically determined using a table that maps these values to a risk level. The table below details the risk level assigned to each combination. Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. It also indicates the interpretation of these assigned levels.


Security Management and Control: Resultant Risk Register

                       Consequence
Likelihood      Insignificant  Minor  Moderate  Major  Catastrophic  Doomsday
Almost Certain       H           H       E        E         E           E
Likely               M           H       H        E         E           E
Possible             L           M       H        E         E           E
Unlikely             L           L       M        H         E           E
Rare                 L           L       M        H         H           E

Risk level: E = Extreme, H = High, M = Medium, L = Low

Level    Description
Extreme  Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required, with regular reviews. Substantial adjustment of controls to manage the risk is expected, with costs possibly exceeding original forecasts.
High     Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls is likely to be met from within existing resources.
Medium   Can be managed by existing specific monitoring and response procedures. Management by employees is suitable, with appropriate monitoring and reviews.
Low      Can be managed through routine procedures.


Security Management and Control: Example Risk Register

Asset                        Threat / Vulnerability
Internet Router              Outside hacker attack
Destruction of Data Center
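The following is an added worked example, not code from the lecture or from Stallings' text. It encodes the likelihood and consequence scales and the risk-level table above, applies the quantitative form Risk = probability x cost alongside the qualitative lookup, and ranks a small register against a stated risk appetite. The assets, threats, ratings, per-year probabilities and cost figures are constructed for illustration only, and expressing the risk appetite as one of the table's levels is an assumption of this example.

```python
"""Risk register: qualitative (likelihood x consequence table) and
quantitative (probability x cost) risk calculation with ranking.

Added example; the register contents below are constructed, not real data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5
    DOOMSDAY = 6


# Risk-level table from the lecture: one string per likelihood row, one
# character per consequence column, ordered Insignificant .. Doomsday.
RISK_TABLE = {
    Likelihood.ALMOST_CERTAIN: "HHEEEE",
    Likelihood.LIKELY:         "MHHEEE",
    Likelihood.POSSIBLE:       "LMHEEE",
    Likelihood.UNLIKELY:       "LLMHEE",
    Likelihood.RARE:           "LLMHHE",
}
LEVEL_NAME = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}
LEVEL_RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def risk_level(likelihood: int, consequence: int) -> str:
    """Map a (likelihood, consequence) pair to E/H/M/L via the table."""
    row = RISK_TABLE[Likelihood(likelihood)]
    return row[Consequence(consequence) - 1]


def expected_loss(probability: float, cost: float) -> float:
    """Quantitative form: Risk = P(threat occurs) x cost to the organization."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return probability * cost


@dataclass
class RiskEntry:
    asset: str
    threat: str
    likelihood: int
    consequence: int
    probability: float  # constructed estimate: chance of occurrence per year
    cost: float         # constructed estimate: cost per occurrence (dollars)
    level: str = field(init=False)
    expected: float = field(init=False)

    def __post_init__(self):
        self.level = risk_level(self.likelihood, self.consequence)
        self.expected = expected_loss(self.probability, self.cost)


def build_register(entries, appetite="M"):
    """Rank entries by qualitative level, then by expected loss, and flag
    those above the organization's risk appetite (an assumed level letter)
    as needing treatment. Returns a list of (entry, needs_treatment)."""
    ranked = sorted(entries,
                    key=lambda e: (LEVEL_RANK[e.level], e.expected),
                    reverse=True)
    return [(e, LEVEL_RANK[e.level] > LEVEL_RANK[appetite]) for e in ranked]


# Constructed register; every asset, threat and number here is illustrative.
# The "Rare but Doomsday" row shows why rare threats are still considered
# when the consequence is severe enough.
SAMPLE_ENTRIES = [
    RiskEntry("Internet router", "Outside attacker compromise",
              Likelihood.POSSIBLE, Consequence.MODERATE, 0.30, 50_000),
    RiskEntry("Data center", "Destruction by fire or flood",
              Likelihood.RARE, Consequence.CATASTROPHIC, 0.01, 5_000_000),
    RiskEntry("Customer database", "Total exfiltration and public leak",
              Likelihood.RARE, Consequence.DOOMSDAY, 0.005, 20_000_000),
    RiskEntry("Staff laptops", "Loss or theft of a device",
              Likelihood.LIKELY, Consequence.INSIGNIFICANT, 0.80, 3_000),
    RiskEntry("Public web server", "Defacement",
              Likelihood.UNLIKELY, Consequence.MINOR, 0.10, 2_000),
]


if __name__ == "__main__":
    for entry, treat in build_register(SAMPLE_ENTRIES, appetite="M"):
        print(f"{entry.asset:18} {entry.threat:36} {LEVEL_NAME[entry.level]:8} "
              f"expected loss ${entry.expected:>10,.0f}  treat={treat}")
```

Running the block lists the register from Extreme down to Low; with the appetite set to Medium, the Extreme and High rows are flagged for treatment and the Medium and Low rows are left to routine procedures, mirroring the level descriptions above. Note that the qualitative ranking and the expected-loss ranking agree here only because the constructed numbers were chosen consistently with the ratings; in practice the two views can disagree, which is exactly when the likelihood and consequence ratings need to be revisited.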