Lecture4 - TEL2813/IS2820 Security Management Risk...

Download Document
Showing pages : 1 - 12 of 49
This preview has blurred sections. Sign up to view the full version! View Full Document
    TEL2813/IS2820  Security Management Risk Management:  Identifying and Assessing Risk Feb 7, 2006
Background image of page 1
    Introduction Information security departments are created  primarily to manage  IT risk Managing risk  is one of the key  responsibilities of every manager within the  organization In any well-developed risk management  program, two formal processes are at work:  Risk identification and assessment  Risk control
Background image of page 2
    Knowing Our Environment Identify, Examine and Understand  information and how it is processed, stored, and  transmitted Initiate an in-depth risk management program Risk management is a process means - safeguards and controls that are devised  and implemented are not install-and-forget devices
Background image of page 3
    Knowing the Enemy Identify, examine, and understand  the threats Managers must be prepared  to fully identify those threats that pose risks to the  organization and the security of its information  assets Risk management is the process   of assessing the risks to an organization’s  information and determining how those risks can  be controlled or mitigated
Background image of page 4
    Risk Management The process concerned with identification, measurement,  control and minimization of security risks in information  systems to a level commensurate with the value of the  assets protected (NIST) Implement Risk Management Actions Re-evaluate the Risks Identify the Risk Areas Assess the Risks Develop Risk Management Plan Risk Management Cycle Risk Assessment Risk Control (Mitigation)
Background image of page 5
    Accountability for Risk  Management All communities of interest must work  together: Evaluating risk controls Determining which control options are cost- effective  Acquiring or installing appropriate controls Overseeing processes to ensure that controls  remain effective  Identifying risks Assessing risks Summarizing findings
Background image of page 6
    Risk Identification Process
Background image of page 7
    Risk Identification Risk identification  begins with the process of self-examination Managers  identify the organization’s information  assets,  classify them into useful groups, and  prioritize them by their overall importance
Background image of page 8
    Creating an Inventory of  Information Assets Identify information assets, including people, procedures, data and information,  software, hardware, and networking  elements Should be done without pre-judging  value of each asset Values will be assigned later in the process
Background image of page 9
    Organizational Assets
Background image of page 10
    Identifying Hardware,  Software, and Network Assets Inventory process requires a certain  amount of planning  Determine which attributes of each of 
Background image of page 11
Image of page 12
This is the end of the preview. Sign up to access the rest of the document.
Ask a homework question - tutors are online