TEL2813/IS2820 Security Management
Risk Management: Identifying and Assessing Risk
Feb 7, 2006

Introduction
- Information security departments are created primarily to manage IT risk
- Managing risk is one of the key responsibilities of every manager within the organization
- In any well-developed risk management program, two formal processes are at work:
  - Risk identification and assessment
  - Risk control

Knowing Our Environment
- Identify, examine, and understand information and how it is processed, stored, and transmitted
- Initiate an in-depth risk management program
- Risk management is a process: the safeguards and controls that are devised and implemented are not install-and-forget devices

Knowing the Enemy
- Identify, examine, and understand the threats
- Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets
- Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated

Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)
- Risk Management Cycle (figure): Identify the Risk Areas, Assess the Risks, Develop Risk Management Plan, Implement Risk Management Actions, Re-evaluate the Risks, then back to the start; the diagram groups these steps under Risk Assessment and Risk Control (Mitigation)

Accountability for Risk Management
- All communities of interest must work together:
  - Evaluating risk controls
  - Determining which control options are cost-effective
  - Acquiring or installing appropriate controls
  - Overseeing processes to ensure that controls remain effective
  - Identifying risks
  - Assessing risks
  - Summarizing findings

Risk Identification Process (figure)

Risk Identification
- Risk identification begins with the process of self-examination
- Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance

Creating an Inventory of Information Assets
- Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
- Should be done without pre-judging the value of each asset
- Values will be assigned later in the process

Organizational Assets (figure)

Identifying Hardware, Software, and Network Assets
- The inventory process requires a certain amount of planning
- Determine which attributes of each of these information assets should be tracked
- Which attributes to track will depend on the needs of the organization and its risk management efforts

Attributes for Assets
- Potential attributes:
  - Name
  - IP address
  - MAC address
  - Asset type
  - Manufacturer name
  - Manufacturer's model or part number
  - Software version or update revision
  - Physical location
  - Logical location
  - Controlling entity

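The following is an added example, not part of the lecture slides: a minimal hardware/network asset inventory that records the attributes listed above and audits the records the way an inventory review would, normalizing MAC addresses written in different vendor notations, rejecting malformed IP addresses, flagging records with no controlling entity, and reporting two records that claim the same IP or MAC address (a common sign of stale or duplicated inventory entries). The Asset field names, the audit rules, and the sample records are assumptions made for illustration; the hosts and addresses are constructed and use the 192.0.2.0/24 documentation range.

```python
"""Added example: inventory records for the asset attributes on the slide, plus an audit
that catches malformed and duplicated entries. Field names, rules and data are illustrative."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    # One record per hardware/network asset; the fields mirror the slide's attribute list.
    name: str
    ip_address: str
    mac_address: str
    asset_type: str
    manufacturer: str
    model: str                 # manufacturer's model or part number
    software_version: str      # software version or update revision
    physical_location: str
    logical_location: str      # e.g. VLAN or network segment
    controlling_entity: str    # team or person accountable for the asset


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' to
    lower-case colon form so the same interface is recognized however it was entered."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate(asset: Asset) -> list[str]:
    """Per-record checks: well-formed IP and MAC, and the attributes that must not be blank."""
    problems: list[str] = []
    try:
        ipaddress.ip_address(asset.ip_address)
    except ValueError:
        problems.append(f"{asset.name}: invalid IP address {asset.ip_address!r}")
    try:
        normalize_mac(asset.mac_address)
    except ValueError as exc:
        problems.append(f"{asset.name}: {exc}")
    for attr in ("asset_type", "physical_location", "controlling_entity"):
        if not getattr(asset, attr).strip():
            problems.append(f"{asset.name}: missing {attr}")
    return problems


def audit(assets: list[Asset]) -> list[str]:
    """Validate every record, then look for IPs and MACs claimed by more than one asset."""
    problems: list[str] = []
    for asset in assets:
        problems.extend(validate(asset))

    by_ip: dict[str, list[str]] = defaultdict(list)
    by_mac: dict[str, list[str]] = defaultdict(list)
    for asset in assets:
        by_ip[asset.ip_address].append(asset.name)
        try:
            by_mac[normalize_mac(asset.mac_address)].append(asset.name)
        except ValueError:
            pass  # already reported by validate()
    for ip, names in by_ip.items():
        if len(names) > 1:
            problems.append(f"duplicate IP {ip}: {', '.join(names)}")
    for mac, names in by_mac.items():
        if len(names) > 1:
            problems.append(f"duplicate MAC {mac}: {', '.join(names)}")
    return problems


# Constructed sample inventory (not real hosts). printer-03 reuses web-01's IP and, in
# Cisco dotted notation, web-01's MAC; db-01 has no owner; ghost-host is malformed.
SAMPLE_ASSETS = [
    Asset("web-01", "192.0.2.10", "00:1A:2B:3C:4D:5E", "server", "Dell", "R740",
          "Ubuntu 22.04", "DC1 rack 4", "DMZ VLAN 10", "Web team"),
    Asset("db-01", "192.0.2.20", "00-1a-2b-3c-4d-5f", "server", "HPE", "DL380",
          "PostgreSQL 15", "DC1 rack 5", "DB VLAN 20", ""),
    Asset("printer-03", "192.0.2.10", "001A.2B3C.4D5E", "printer", "HP", "M507",
          "fw 2.3", "Floor 2", "Office VLAN 30", "Facilities"),
    Asset("ghost-host", "192.0.2.300", "zz:zz", "", "unknown", "unknown",
          "unknown", "unknown", "unknown", "unknown"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ASSETS):
        print(line)
```

Normalizing before comparing is what makes the duplicate-MAC finding possible here: web-01 and printer-03 carry the same address in two different notations, and a naive string comparison would report no overlap.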
This note was uploaded on 08/27/2010 for the course IS 2820 taught by Professor Jameskoshi during the Spring '10 term at Webber.