Lecture4.1

TEL2813/IS2820 Security Management
Risk Management: Assessing and Controlling Risk
Feb 7, 2006
Introduction: Competitive Disadvantage
- To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function
- This environment must:
  - Maintain confidentiality and privacy
  - Assure the integrity and availability of organizational data
  - Use principles of risk management
Risk Control Strategies
Choose a basic risk control strategy:
- Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
- Transference: shifting the risk to other areas or to outside entities
- Mitigation: reducing the impact should the vulnerability be exploited
- Acceptance: understanding the consequences and accepting the risk without control or mitigation
Avoidance
- Attempts to prevent the exploitation of the vulnerability
- Accomplished through:
  - Application of policy
  - Application of training and education
  - Countering threats
  - Implementation of technical security controls and safeguards
Transference
- Attempts to shift the risk to other assets, other processes, or other organizations
- May be accomplished by:
  - Rethinking how services are offered
  - Revising deployment models
  - Outsourcing to other organizations
  - Purchasing insurance
  - Implementing service contracts with providers
Mitigation
- Attempts to reduce the damage caused by the exploitation of a vulnerability by means of planning and preparation
- Includes three types of plans:
  - Disaster recovery plan (DRP)
  - Incident response plan (IRP)
  - Business continuity plan (BCP)
- Depends upon the ability to detect and respond to an attack as quickly as possible
Summaries of Mitigation Plans
Acceptance
- Acceptance is the choice to do nothing to protect an information asset and to accept the loss when it occurs
- This control, or lack of control, assumes that it may be a prudent business decision to:
  - Examine alternatives
  - Conclude that the cost of protecting an asset does not justify the security expenditure
Acceptance (Continued)
The only valid use of the acceptance strategy occurs when the organization has:
- Determined the level of risk to the information asset
- Assessed the probability of attack and the likelihood of a successful exploitation of the vulnerability
- Approximated the ARO (annualized rate of occurrence) of the exploit
- Estimated the potential loss from attacks
- Performed a thorough cost-benefit analysis
- Evaluated controls using each appropriate type of feasibility
- Decided that the particular asset did not justify the cost of protection
Risk Control Strategy Selection
- Risk control involves selecting one of the four risk control strategies for each vulnerability present within the organization
- Acceptance of risk is appropriate if the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than the expected cost of the attack
- Otherwise, one of the other control strategies will have to be selected
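The acceptance checklist above (approximate the ARO, estimate the loss, run a cost-benefit analysis) and the selection rule on this slide can be written down as a small decision helper. The following is an added example, not code from the slides or the course; it assumes the standard quantitative formulas SLE = asset value x exposure factor, ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - annual cost of the safeguard, none of which the slides state explicitly. The scenario values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair under quantitative assessment (constructed example type)."""
    name: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of asset value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (expected incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: value lost in one successful exploitation."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO (standard formula, assumed here)."""
        return self.sle() * self.aro


def cba(prior: Exposure, post: Exposure, annual_control_cost: float) -> float:
    """Cost-benefit analysis of a safeguard: ALE(prior) - ALE(post) - ACS.

    A positive result means the safeguard saves more per year than it costs.
    """
    return prior.ale() - post.ale() - annual_control_cost


def select_strategy(prior: Exposure, absorbable_loss: float,
                    attacker_gain: float, attack_cost: float) -> str:
    """Apply the slide's selection rule.

    Acceptance is valid when the expected annual loss is within what the
    organization can absorb, or when the attacker gains less than the attack
    costs. Otherwise one of the other three strategies (avoidance,
    transference, mitigation) must be chosen; which one is a separate decision.
    """
    if prior.ale() <= absorbable_loss or attacker_gain < attack_cost:
        return "acceptance"
    return "control required"


def demo() -> dict:
    """Constructed scenario: a customer database before and after a safeguard."""
    prior = Exposure("customer DB", asset_value=200_000, exposure_factor=0.25, aro=0.5)
    # Same asset with a candidate control that cuts the ARO tenfold (assumed effect).
    post = Exposure("customer DB + control", asset_value=200_000, exposure_factor=0.25, aro=0.05)
    low_value = Exposure("public brochure site", asset_value=10_000, exposure_factor=0.1, aro=1.0)

    return {
        "sle_prior": prior.sle(),
        "ale_prior": prior.ale(),
        "ale_post": post.ale(),
        "cba": cba(prior, post, annual_control_cost=10_000),
        "db_strategy": select_strategy(prior, absorbable_loss=5_000,
                                       attacker_gain=30_000, attack_cost=2_000),
        "brochure_strategy": select_strategy(low_value, absorbable_loss=5_000,
                                             attacker_gain=500, attack_cost=2_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that a positive CBA only shows the safeguard is economically justified; the slides' other feasibility types (organizational, operational, technical, political) still have to be evaluated before the strategy is final.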
Risk Handling Action Points

This note was uploaded on 08/27/2010 for the course IS 2820 taught by Professor Jameskoshi during the Spring '10 term at Webber.
