MU CSCI 415 - Security Management and Control


Security Management and Control

Overview
- Risk Analysis
- Controls and Safeguards

CSCI 415: Computer and Network Security, Dr. Nazli Hardy
Partially adapted from Computer Security: Principles & Practices, Stallings, Lawrie
Source: http://mashable.com

Security Management and Control: Risk Analysis

ISO 27000 Series (International Standards Organization) - Security Management

Objectives of Risk Analysis:
- identify and categorize the risks to assets that threaten the regular operations of an organization - seems mundane, but this can make or break a company
- provide info to managers to help them evaluate the risks and then determine how best to deal with (treat) them
- estimate likelihood of occurrence - and frequencies and times (depends on the type of business)

Risk likelihood can be categorized as follows (why do we care about rare risks?):

Rating  Likelihood      Expanded Definition
1       Rare            May occur only in exceptional circumstances and may be deemed as "unlucky" or very unlikely.
2       Unlikely        Could occur at some time but not expected given current controls, circumstances, and recent events.
3       Possible        Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences.
4       Likely          Will probably occur in some circumstance and one should not be surprised if it occurred.
5       Almost Certain  Is expected to occur in most circumstances and certainly sooner or later.

Security Management and Control: Risk Analysis

Risk = Probability that threat occurs x Cost to organization
Risk Appetite = level of risk the organization views as acceptable
Balance Risk Treatment --> with day to day productive functioning of a company

The specified likelihood needs to be realistic.
- In particular, a rating of Likely or higher suggests that this threat has occurred sometime previously.
- In contrast, the Unlikely and Rare ratings can be very hard to quantify.
  - They are an indication that the threat is of concern, but knowing whether it could potentially occur is difficult to specify.
  - Typically such threats would only be considered if the consequences to the organization of their occurrence are so severe that they have to be considered, even if extremely improbable.

Next we need to determine consequence.

Security Management and Control: Determining Consequence

Rating  Consequence     Expanded Definition
1       Insignificant   Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2       Minor           Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3       Moderate        Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4       Major           Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a once off.
5       Catastrophic    Major systemic security breach. Impact will last for 3 months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6       Doomsday        Multiple instances of major systemic security breaches. Impact duration cannot be determined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management are expected, and substantial loss of business and failure to meet organizational objectives is unavoidable.

Security Management and Control: Resultant Risk
(How CTOs / CIOs make the big bucks)

Once the likelihood and consequence of each specific threat have been identified, a final level of risk needs to be assigned. This is typically determined using a table that maps these values to a risk level. This table details the risk level assigned to each combination. Such a table provides the qualitative equivalent of performing the ideal risk calculation using quantitative values. It also indicates the interpretation of these assigned levels.

Security Management and Control: Resultant Risk Register

                 Consequences
Likelihood       Doomsday  Catastrophic  Major  Moderate  Minor  Insignificant
Almost Certain   E         E             E      E         H      H
Likely           E         E             E      H         H      M
Possible         E         E             E      H         M      L
Unlikely         E         E             H      M         L      L
Rare             E         H             H      M         L      L

Risk Level    Description
Extreme (E)   Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk is expected, with costs possibly exceeding original forecasts.
High (H)      Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls is likely to be met from within existing resources.
Medium (M)    Can be managed by existing specific monitoring and
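The register lookup and the "Risk = Probability x Cost" formula above, carried out in code so the two views of risk can be compared side by side. This is an added example, not code from the lecture slides or from the Stallings text; the threat names, annual probabilities and cost figures are constructed for illustration, and treating "Medium" as the organization's risk appetite is an assumption. The matrix and rating scales are exactly the ones in the slides.

```python
"""Qualitative risk register (likelihood x consequence -> E/H/M/L) beside the
quantitative expected-loss calculation. Added example; sample data is constructed."""
from dataclasses import dataclass

# Rating scales from the lecture tables.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3,
               "Major": 4, "Catastrophic": 5, "Doomsday": 6}

# Resultant risk register from the slides: one row per likelihood rating, columns
# ordered Doomsday, Catastrophic, Major, Moderate, Minor, Insignificant (rating 6 .. 1).
RISK_MATRIX = {
    5: "EEEEHH",  # Almost Certain
    4: "EEEHHM",  # Likely
    3: "EEEHML",  # Possible
    2: "EEHMLL",  # Unlikely
    1: "EHHMLL",  # Rare
}
LEVEL_RANK = {"E": 3, "H": 2, "M": 1, "L": 0}
LEVEL_NAME = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}


def qualitative_risk(likelihood: str, consequence: str) -> str:
    """Look up the register: returns one of 'E', 'H', 'M', 'L'."""
    row = RISK_MATRIX[LIKELIHOOD[likelihood]]
    return row[6 - CONSEQUENCE[consequence]]  # Doomsday (6) is column 0


def quantitative_risk(probability: float, cost: float) -> float:
    """Risk = probability that the threat occurs x cost to the organization."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return probability * cost


@dataclass
class Threat:
    name: str
    likelihood: str          # one of the LIKELIHOOD keys
    consequence: str         # one of the CONSEQUENCE keys
    annual_probability: float
    cost: float              # constructed cost-to-organization estimate


@dataclass
class RegisterEntry:
    name: str
    level: str
    expected_loss: float
    needs_treatment: bool


def build_register(threats, appetite: str = "M"):
    """Rank threats by qualitative level, then by expected loss, and flag every
    threat whose level exceeds the risk appetite (assumed 'M' here) for treatment."""
    entries = []
    for t in threats:
        level = qualitative_risk(t.likelihood, t.consequence)
        entries.append(RegisterEntry(
            name=t.name,
            level=level,
            expected_loss=quantitative_risk(t.annual_probability, t.cost),
            needs_treatment=LEVEL_RANK[level] > LEVEL_RANK[appetite],
        ))
    entries.sort(key=lambda e: (LEVEL_RANK[e.level], e.expected_loss), reverse=True)
    return entries


# Constructed sample threats (names, probabilities and costs are illustrative only).
SAMPLE_THREATS = [
    Threat("Ransomware on file server", "Possible", "Major", 0.30, 400_000),
    Threat("Phishing credential theft", "Likely", "Moderate", 0.60, 50_000),
    Threat("Data centre fire", "Rare", "Catastrophic", 0.01, 5_000_000),
    Threat("Lost unencrypted laptop", "Unlikely", "Minor", 0.15, 8_000),
]

if __name__ == "__main__":
    for e in build_register(SAMPLE_THREATS):
        flag = "TREAT" if e.needs_treatment else "accept"
        print(f"{e.name:28} {LEVEL_NAME[e.level]:8} expected loss {e.expected_loss:>10,.0f}  {flag}")
```

Note how the "Data centre fire" row comes out High even though it is rated Rare: the register keeps a rare but catastrophic threat above the appetite line, which is the point the slides make about why rare risks still matter. The expected-loss column is the quantitative counterpart; the two orderings agree here, but a practitioner would expect them to diverge when cost estimates are uncertain.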

