1 / 15

Unit Outline Information Security Risk Assessment

Unit Outline Information Security Risk Assessment. Module 1: Introduction to Risk  Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary. Module 2 Definitions and Nomenclature.

carol
Download Presentation

Unit Outline Information Security Risk Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Unit OutlineInformation Security Risk Assessment Module 1: Introduction to Risk  Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary

  2. Module 2Definitions and Nomenclature

  3. Definitions and NomenclatureLearning Objectives • Students should be able to: • Define information security risk formally • Understand the nomenclature of risk • Be able to identify threats, vulnerabilities, and assets • Understand different types of risk.

  4. Definitions and NomenclatureConcept Map • Threats exploit system vulnerabilities which expose system assets. • Security controls protect against threats by meeting security requirements established on the basis of asset values. Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000

  5. Definitions and NomenclatureBasic Definitions • Assets- Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business. • Vulnerability- A weak characteristic of an information asset or group of assets which can be exploited by a threat.1 Consequence of weaknesses in controls. • Threat- Potential cause of an unwanted event that may result in harm to the agency and its assets.1 A threat is a manifestation of vulnerability. • Controls- Implementations to reduce overall risk and vulnerability. • Security Risk- is the probability that a specific threat will successfully exploit a vulnerability causing a loss. 1 http://www.oit.nsw.gov/au/pdf/4.4.16.IS1.pdf

  6. Definitions and NomenclatureInformation Security • Definition – protection of information systems and data from unauthorized (accidental or intentional) modification, destruction, or disclosure. • Protection includes confidentiality, integrity, authentication, access control and availability (CIA3) of these systems and data • Goals – identification, measurement, control, and minimization of security risks in information systems to a level commensurate with the value of the assets protected

  7. Definitions and NomenclatureAssets • Assets– things that agency values wants to protect. Includes all information and supporting items that an agency requires to conduct business. Asset Categories and Threats to Assets • Data • Breach of confidentiality • Loss of data integrity • Denial of service • Corruption of Applications • Disclosure of Data • Organization • Loss of trust • Embarrassment • Management failure • Personnel • Injury and death • Sickness • Loss of morale

  8. Definitions and NomenclatureAssets Cont’d • Operational • Interruption of services • Loss/Delay in Orders • Delay in Shipments • Infrastructure • Electrical grid failure • Loss of power • Chemical leaks • Facilities & equipment • Communications • Legal • Use or acceptance of unlicensed software • Disclosure of Client Secrets

  9. Definitions and NomenclatureVulnerabilities • Vulnerabilities –flaws within an asset (e.g. operating system, router, network, or application), that allow an asset to be exploited by a threat. • Examples • Software design flaws • Software implementation errors • System misconfiguration (e.g. misconfigured firewalls) • Inadequate security policies • Poor system management • Lack of physical protections • Lack of employee training (e.g. passwords on post-it notes in drawers or under keyboards)

  10. Definitions and NomenclatureThreats • Threats are potential causes of events which have a negative impact. • Threats exploit vulnerabilities causing impact to assets • Examples • Denial of Service (DOS) Attacks • Spoofing and Masquerading • Malicious Code • Human Error • Insider Attacks • Intrusion

  11. Definitions and NomenclatureSources of Threats

  12. Definitions and NomenclatureSecurity Risk • Risk –probability that a specific threat will successfully exploit a vulnerability causing a loss. • Evaluated by three distinguishing characteristics: • loss associated with an event, e.g., disclosure of confidential data, lost time, and lost revenues. • likelihood that event will occur, i.e. probability of event occurrence • Degree that risk outcome can be influenced, i.e. controls that will influence the event • Various forms of threats exist • Different stakeholders have various perception of risk • Several sources of threats exist simultaneously

  13. Definitions and NomenclatureTypes of Risk • Physical Asset Risks • Relating to items with physical and tangible items that have an associated financial value • Mission Risks • Relating to functions, jobs or tasks that need to be performed • Security Risks • Integrates with both asset and mission risks

  14. Definitions and NomenclatureWhy is security risk different? • Relatively new field • Constantly changing information systems & vulnerabilities • Human factors related to security • No standard of practice • Lack of formal models • Lack of data • Evolving threats

  15. Definitions and NomenclatureSummary • Assets are valuables which an organization wants to protect. • Vulnerabilities are weaknesses in assets that can be exploited by threats. • Threats exploit vulnerabilities to impact threats • Risk is the potential impact of threats resulting in a loss • Risk can be minimized through use of controls.

More Related