INFORMATION SECURITY AND RISK MANAGEMENT
(ISC)² CISSP® CBK® domain

From the CISSP® CBK®, the definition of this domain: Information Security and Risk Management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.

The candidate will be expected to understand: the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support those policies; security awareness training that makes staff aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality and of proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

DOMAIN OBJECTIVES
• Security planning and organization
• Roles of individuals in a security program
• Differences between policies, standards, guidelines, and procedures as related to security
• Security awareness throughout the organization
• Risk management practices and tools

Domain Objectives: This slide provides good insight into what the CISSP candidate should understand and be able to do at the end of this domain.

INFORMATION SECURITY TRIAD (AIC TRIAD)
Availability, Integrity, Confidentiality

AIC Triad: The overarching goals of information security efforts are addressed through the AIC triad. Nearly all information security efforts are based on one or more elements of the triad. The triad forms the foundation of what we are trying to accomplish through our security policies, standards, procedures, baselines, and guidelines. It is important to remember that this includes all IT security efforts, including outsourcing.

• Availability: The concept of availability refers to providing access to the information system and data when required by the business. Availability is different for each organization and, often, for each department in an organization. Some departments may require continuous availability, where an outage of seconds is already a crisis, whereas other areas may be content with a basic level of availability, for example during normal business hours, where a system failure would be seen as an inconvenience and not cause a critical impact on operations. A complete information security program must understand and address these differences.

• Integrity: There are two concepts we address through integrity: the protection of data and processes from improper modification, and the concept of ensuring that the operations of the information system are reliable and performing as expected. This means that the system will process transactions correctly and preserve the confidence of the organization in the quality of the data and processing.

• Confidentiality: The concept of protecting information from improper disclosure and protecting the secrecy and privacy of sensitive data, so that the intellectual property and reputation of an organization are not damaged and data related to individuals is not released in violation of regulations or the privacy policy of the organization.

INTRODUCTION
Information Security Management includes:
- Governance structure
- Policies
- Standards
- Procedures
- Baselines
- Guidelines

Introduction: Information security management includes many areas. It begins with a formal governance structure which provides authority and responsibility to different staff members and sections. It also includes an overarching security policy that is endorsed/signed by senior management. This fairly basic but authoritative document provides the foundation for the security management program within the organization. From the overarching security policy flows a rather long list of functional policies. These notes provide a list of what is normally considered the minimum set of functional policies required in a good security management program. Naturally they are tailored to the organization and reflect the organization's priorities; additional functional policies may exist depending on the requirements of the organization.

DOMAIN AGENDA
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Principles and Requirements: Address the core objectives of an information security program. Here are the main learning points you should get from this section:
• Describe the two types of requirements for a good security solution.
• Understand and explain the major concepts of IT security governance.
• Understand and be able to explain the differences between key international IT security standards.
• Understand the types of security blueprints and how they support a strong security policy.

IT SECURITY REQUIREMENTS
Complete security solutions:
• Functional requirements: define the security behavior of the control measure.
• Assurance requirements: provide confidence that the security function is performing as expected.
• Both are a critical part of the security program.

Security Solutions: All security solutions should be designed with two focus areas: the functional requirements of the solution, and the assurance requirements that confirm the functional solution is working correctly. No solution is complete unless it addresses both. For example, a complete "firewall solution" would have the firewall handling traffic and denying or permitting access correctly (the functional requirement), and the "logging and monitoring" aspect addressing the assurance requirement by confirming that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.

Functional Requirements: Functional requirements are the things most often thought about when considering security controls. The risk assessment provides the considerations for functional controls. We will talk about these in greater detail on later slides.

Assurance Requirements: Assurance mechanisms confirm that security solutions are selected appropriately, are performing as intended, and are having the desired effect. Many assurance mechanisms will be reviewed throughout this course within their respective domains (IDSs, audit logs, BCP tests, etc.). However, some apply especially to the area of IT security, such as:
• Internal and external audits and audit reports (the IIA's Red Book, the Yellow Book, etc.; the Institute of Internal Auditors, www.theiia.org)
• Security reviews (internal), checklists, supervision
• Third-party reviews
• Attack and penetration tests
• Policy review
• Threat and risk assessments
• Periodic review by management

ORGANIZATIONAL AND BUSINESS REQUIREMENTS
Some criteria are used to evaluate the operation of security solutions:
• Focus on the mission of the organization.
• Each type of organization has differing security requirements.
• Security must make sense and be cost effective.
• Controls should be selected based on a risk assessment.
• Controls should be layered and meet a specific security requirement.
• Controls should not depend on another control.
• Controls should fail safe, that is, in the event of a failure they maintain the security of the systems.

Focus on the mission of the organization: IT security must focus on and address the requirements of the organization's mission, goals, and objectives.

Each type of organization has differing security requirements: Information security requirements differ greatly among government, military, and commercial ventures. Each has a different set of priorities depending on its overall mission. Even in the commercial world, it is very unlikely that two businesses will have exactly the same security requirements. Businesses within the same industry may not have similar requirements, since their business flows and information access requirements may be very different. Furthermore, company culture may limit or dictate what is, or is not, acceptable. All these and many other considerations weigh into the selection of security controls and assurance mechanisms.

Security must make sense and be cost effective: Security solutions must be developed with due consideration of the mission and environment of the business. Risk analysis, determining the value of information systems and assets, and cost-benefit analysis will justify the adoption and implementation of security controls and risk mitigation efforts.

IT SECURITY GOVERNANCE
• Integral part of overall corporate governance
• Three major parts:
- Leadership
- Structure
- Processes

Structure: IT governance occurs at many different levels of the organization and is a layered approach. The Board of Directors provides direction to the executives within the company. The executives turn that direction into policies.
Managers take those policies and produce standards, baselines, and guidelines. Team leaders take these standards, baselines, and guidelines and form procedures within their organizations. The individual workers are critical to this layered structure: they are not only the ones who must implement these procedures, but also the ones most likely to first notice violations and unusual events within the operations of our IT systems.

IT Security Governance: The bullets on this slide cover the goals of IT security governance. IT security governance is part of the overall governance of the company. In years gone by, many executives considered IT security too difficult, too technical, and well below their areas of responsibility. Therefore, many passed these responsibilities to their already overworked IT departments, which were neither trained nor structured for these duties. Often, the end result was not favorable.

Integral part of overall corporate governance: IT security governance must be fully integrated into the overall risk-based threat analysis of the company. It goes well beyond the traditional threats to the IT assets and considers the potential damage to the information on those IT assets and the effects that such damage may have on the organization and its ability to accomplish its goals and objectives.

Stakeholders and their values play a key role in the IT governance structure as well. Stakeholders include stockholders, managers, employees, customers of the company, suppliers, and possibly the government and the public at large. The value these individuals place on the trust, confidence, and security of the company's IT infrastructure will be reflected throughout the organization.

Leadership: IT security requires technical skills, but it also requires much more. It requires the ability to earn the trust and confidence of the decision makers within the company. Security leaders must be fully integrated into the company leadership, where their voices can be heard without filtering by competing interests. Lastly, the IT security leader must understand the company, probably better than anyone else. The IT professional must understand the information and data: who produces it, where it is stored, who needs it, when and how, and everything about how the company operates. If that is true, then the IT security professional must certainly understand everything already mentioned as well as all the IT networks that provide these services, their strengths and weaknesses, and all the threats to them. The successful IT security professional must also understand the networks that connect to theirs and the risks these connections bring. This quick look at the requirements for IT security professionals indicates that it takes a strong, confident, and technically proficient professional to accomplish this job.

Processes: The security professional should have a good understanding of the security principles listed below. Processes should follow internationally accepted best practices.
• Job rotation
• Separation of duties
• Least privilege
• Mandatory vacations
• Brewer-Nash model
• Supervision (logs and monitoring)
• I/O controls
• Antivirus management
• Security audits and reviews (including penetration tests)

Governance ensures that the IT infrastructure of the company:
• Meets the A.I.C. requirements
• Supports the strategies and objectives of the company
• Includes service level agreements when outsourced

ISO 17799 AND ISO 27001
• ISO 17799: code of practice; guidance and support; management focus
• ISO 27001:2005: management system standard (certifiable and measurable requirements); assurance focus

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 17799:2005, Code of Practice for Information Security Management, provides a broad base of security controls that serves as a point of reference for the completeness of the components within the blueprints. ISO/IEC 17799:2005 does not, however, provide all of the guidance required for an effective, holistic security architecture.

ISO/IEC 27001:2005, Information Security Management Systems: Requirements, has been published to replace BS 7799-2 (whose title was "Information Security Management: Specification with Guidance for Use"). ISO 27001 provides the foundation for third-party audit and is integrated with several other ISO management system standards such as ISO 9001 and ISO 14001.

ISO 17799 is based upon British Standard 7799-1, which was published in May 1999. The first version of ISO 17799 was published and adopted in December 2000. The most current version is ISO 17799:2005. ISO 27001:2005 is the first in the new 27000 series of ISO standards and replaces the older BS 7799-2.

SECURITY BLUEPRINTS
• A comprehensive way to look at security
• Normally cover several security domains
• Used to identify and design security requirements
• Normally used by architects when designing an overall layered security solution
• Tailored security best practices that combine to form a comprehensive security structure
• Technical architecture
• Infrastructure security blueprints

Security Blueprints: Provide a structure for organizing requirements and solutions. They are used to ensure that security is considered from a holistic view. A holistic security architecture can only be created by a professional security architect (such as an Information Systems Security Architecture Professional, ISSAP®) after carefully considering a wide range of threats, vulnerabilities, and organizational requirements. The security blueprints provide a method of organizing the requirements and the resulting components of a security architecture. This approach can be used to address the security requirements of a specific topic or across the enterprise. Certainly not all topics will apply equally, or at all, in the different areas of the company; however, blueprints give us a way to think about them and to make an informed decision, as opposed to having an item overlooked by mistake. Security blueprints are discussed in both ISO 17799:2005 and ISO 27001:2005. However, many vendors now use the term "security blueprint" to refer to a wide range of documents relating to their products.

Used to identify and design security requirements: Each component should directly reflect a policy decision. The plans should be mutually supportive. All areas should be considered, even those that do not apply to that specific topic. An effective security architecture will always be able to "connect the dots" between the business decisions of the organization, how these are reflected in the principles, policies, and standards of the organization, how these have been turned into requirements, and how the requirements map to the blueprints.

Infrastructure Security Blueprints reflect:
• Security requirements of a specific company or infrastructure
• Policy
• Program
• Specific business priorities and decisions
• Regulatory requirements
• All aspects of security across the entire infrastructure
• The security policy approved by senior management
Examples include eCommerce solutions, data warehouses, supply chain management systems, production systems, etc.

A definition of holistic security architecture, from the CIO website (The ABCs of Security, by Scott Berinato and Sarah Scalet), would be: "Holistic security means making security part of everything and not making it its own thing. It means security isn't added to the enterprise; it's woven into the fabric of the application. Here's an example. The nonholistic thinker sees a virus threat and immediately starts spending money on virus-blocking software. The holistic security guru will set a policy around e-mail usage; subscribe to news services that warn of new threats; reevaluate the network architecture; host best practices seminars for users; oh, and use virus blocking software, and, probably, firewalls."

DOMAIN AGENDA
• Principles and Requirements
• Policy
• Organizational Roles and Responsibilities
• Risk Management and Analysis
• Ethics

Policy: Here are the objectives for our next section:
• Describe the purpose of organizational policy.
• List the supporting elements of policy implementation.
• Understand the purpose of, and differences between, guidelines, policies, procedures, baselines, and standards.
• Describe the environment within which the security policy exists.

POLICY OVERVIEW: THE "ENVIRONMENT"
Surrounding the Overarching Organizational Policy (Security Statement): laws, regulations, organizational goals, organizational objectives, and shareholders' interests.

Policy Overview: The environment within which every company operates is a complex web of laws, regulations, requirements, competitors, and partners. These change frequently and interact with each other, often in unpredictable ways. In addition to these outside forces, senior management must consider those within the organization, such as morale, labor relations, productivity, cost, cash flow, and many others. Within this environment, management must develop and publish the overall security statement and directives. From the security team's perspective, these directives should be addressed through security policies and their supporting elements, such as standards, baselines, and guidelines, to ensure a proper implementation of a security program.

POLICY OVERVIEW (CONT.)
Overarching Organizational Policy (Management's Security Statement)
-> Functional Implementing Policies (Management's Security Directives)
-> Standards, Guidelines, Baselines, Procedures

Standards, baselines, procedures, and guidelines will be discussed in the next few slides.

MANAGEMENT'S SECURITY POLICY
• Provides management's goals and objectives in writing
• Documents compliance
• Creates a security culture
• Policies are of no value if not read, available, and current

(Slide illustration: "Security is essential to this company and its future." J.T. Lock, CEO)

Provides management's goals and objectives in writing: The organizational policy mandates the security needs within the company. One policy does not fit every company's requirements. Although two firms may be similar, as we discussed earlier, they are unique, and so are their security requirements. The overarching security policy should be kept high-level and short. If it is too complex, it will be difficult to get staffed and approved and it may not be read or understood. If it is too generic, it may be meaningless and irrelevant. The length and content of this critical document is as unique as the company itself, and it must be created with that in mind. One size does not fit all, or even two. It is good to introduce an appendix outlining the "terms of reference." This is an authoritative document and as such will be referenced frequently if written properly; therefore, anything we can do that reduces confusion without adding complexity is an advantage.

Policies are of no value if not read, available, and current: Policies must be posted in a location that is available to every employee for review. They must be current and reflect new laws and regulations. All employees must be kept aware of the policies through an annual review, and a record of this review with each employee should be maintained.

Documents compliance: Policy documents how the company is complying with laws, regulations, and standards of due care.

Creates a security culture: Policy establishes the internal environment for the security program and explains what assets and principles the organization considers valuable.

MANAGEMENT'S SECURITY POLICY (CONT.)
• Establishes the security activity/function
• Holds individuals personally responsible/accountable
• Addresses potential future conflicts
• Anticipates and protects from surprises

Establishes the security activity/function: The policy should also establish a security group within the company and grant it appropriate levels of responsibility. One must be careful not to get so specific as to address every detail. One problem with being too detailed is that if a situation arises later that is not clearly stated in the policy, many will assume that it is not covered by the intent of the policy and act accordingly. Therefore, it is normally a good proactive measure to include a "catch-all clause" that explains how issues not specifically addressed in the policy will be adjudicated.

Holds individuals personally responsible/accountable: A good security policy makes each employee accountable for their actions, from top management to the new hire. It is important for senior management to set a good example and follow their own policies. After all, if they are unwilling to follow the policy, then maybe no one else is either.

Addresses potential future conflicts: A well thought-out security policy anticipates situations and provides guidance to protect the organization. It should establish provisions for resolving conflicts between competing interests, or for people wondering what is, or is not, permitted.

Anticipates and protects from surprises: Anticipates situations and protects the company and employees from "surprises" caused by a lack of awareness of management expectations or ethical guidelines.

MANAGEMENT'S SECURITY POLICY (CONT.)
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards, and discipline

(Slide illustration: a "Security Violation Reprimand" memo addressed to I.M. Wrong, for failing to follow established policies.)

Ensures employees and contractors are aware of organizational policy and changes: Establishes a process that ensures all employees and contractors are aware of organizational policy and of changes as they occur. The security awareness program must begin the day an individual is hired and continually provide refresher training throughout the period of employment. The security policy is a key document that must be read and re-read as part of the awareness training.

Mandates an incident response plan: Generically covers incident response and mandates the authority for, and development of, a detailed incident response plan. The security policy should also contain overall information and instructions on how incidents will be handled.

Establishes processes for exception handling, rewards, and discipline: A policy provides the authority for the security and human resources areas to enforce good practice and, if necessary, disciplinary action. Naturally, this should be a last resort, because good employees are expensive to hire and hard to find in most cases. However, the policy should provide the H.R. department and management that final option. A policy of this nature is a reference point for other persons and agencies to know the intent of management; this can be important in a legal setting, which could certainly arise for a variety of reasons.

POLICY INFRASTRUCTURE
Management's Security Policy -> Functional Policies
Functional policies implement and interpret the high-level security policies of the organization.

Policy Infrastructure: The high-level policies of the organization are then interpreted into a number of functional policies that assist in implementing the intent of the overall policy. Depending on the culture
and the risks faced by the organization, there may be numerous functional policies.

Functional Policies: Flow from the overarching policy of the organization and create the foundation for the procedures, standards, and baselines that accomplish the security objectives. Functional policies gain their credibility from senior management's signature on the overarching policy that established the goal or objective. Examples of functional policies could include:
• Data classification
• Certification and accreditation
• Access control
• Outsourcing
• Remote access
• Internet and acceptable use
• Privacy

QUANTITATIVE RISK ANALYSIS
• Assign independently objective numeric monetary values
• Fully quantitative if all elements of the risk analysis are quantified
• Difficult to achieve
• Requires substantial time and personnel resources
RISK = MONEY

Assign independently objective numeric monetary values: To the elements of the risk assessment and to the assessment of potential losses.

Fully quantitative if all elements of the risk analysis are quantified: When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are quantified, the process is considered fully quantitative. The easy way to remember this method is that EVERYTHING gets a dollar value, or at least that is the objective.

Difficult to achieve: It is very difficult (most say impossible) to do a purely quantitative risk analysis. This is because many items, such as company reputation, are hard to place a monetary value on. These items lend themselves better to qualitative analysis.

Requires substantial time and personnel resources: Quantitative risk analysis is very labour and time intensive. However, it has its place in the risk management field and plays a valuable role.

QUANTITATIVE ANALYSIS STEPS
Three primary steps:
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy

Quantitative Analysis Steps: These slides are very important to understand and study fully, as they form a very important part of information security risk management.

DETERMINING ASSET VALUE
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize cost and value in the real world

Determining Asset Value: The value of information and information systems is often dependent on several factors:

Cost to acquire, develop, and maintain: The cost of recovering or rebuilding lost data or processing power.

Value to owners, custodians, or users: The value to the owners is related to the impact on productivity, lost time, customer satisfaction, and confidence.

Liability for protection: Mishandling of data may leave an organization liable for financial or criminal penalties.

Recognize cost and value in the real world:
• Value of intellectual property (trade secrets, patents, copyrights, etc.): A company that fails to protect its intellectual property, research, trademarks, and patents may jeopardize its future financial opportunities.
• Convertibility/negotiability: The theft of electronic funds transfer or credit card information, and of other negotiable items such as checks, gift vouchers, and share certificates, may result in significant financial loss.
• Price others are willing to pay (mailing lists, etc.): The value of information to adversaries may be far greater than the perceived value of the data to the original organization. An organization may also realize additional revenue through the sale of customer data.

QUANTITATIVE RISK ANALYSIS: STEP ONE
Estimate potential losses: SLE, Single Loss Expectancy

SLE = Asset Value ($) x Exposure Factor (%)

The Exposure Factor is the percentage of the asset's value lost when the threat is successful.

Types of loss to consider:
• Physical destruction or theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing

Quantitative Risk Analysis, Step One: This slide describes the SLE calculation. You should study and learn this formula so you can calculate SLE if needed. The SLE is simply the amount of damage (the asset value multiplied by the exposure factor) that an asset suffers due to a single event.

QUANTITATIVE RISK ANALYSIS: STEP TWO
Conduct threat analysis: ARO, Annualized Rate of Occurrence
• The number of exposures or incidents that could be expected per year
• The likelihood of an unwanted event happening
• The ARO can be difficult to predict. It is often based on historical data, but changes to the environment will often affect future predictions.

Quantitative Risk Analysis, Step Two: Pay close attention to the difference between ARO and SLE. These are two different things and one must be careful not to confuse them. ARO is simply the number of times per year (incidents per year) the event is expected to occur; SLE is the amount of a SINGLE loss. Let's see how these work together in our risk analysis.

QUANTITATIVE RISK ANALYSIS: STEP THREE
Determine Annual Loss Expectancy (ALE)
• Combine potential loss and rate per year
• Magnitude of risk = Annual Loss Expectancy
• Justify security countermeasures

ALE = SLE x ARO

Quantitative Risk Analysis, Step Three: This formula is very important, as it uses the ARO and SLE information to provide us with the ALE. Understanding ALE, cost-benefit analysis, and quantitative risk analysis is important to ensure that the security professional can obtain the support of senior management and users for security solutions and risk mitigation efforts.

Purpose of ALE: The ALE provides an estimated amount of damage (in monetary terms) the organization can be expected to lose per year due to a risk. It indicates, therefore, how much the organization is justified in spending on countermeasures to reduce the likelihood or impact of an incident. A direct correlation should be shown between the amount spent on security and the amount of benefit realized through the reduction in risk.

QUALITATIVE RISK ANALYSIS: SECOND TYPE
• Scenario oriented
• Does not attempt to assign absolute numeric values to risk components
• Purely qualitative risk analysis is possible

Qualitative Risk Analysis, Second Type: The second method of risk assessment is a "qualitative risk analysis."

Scenario oriented: Qualitative risk analysis is scenario oriented. Instead of applying monetary values, as done with quantitative risk analysis, it evaluates the impact or effect of threats on the business process or the goals of the organization.

Does not attempt to assign absolute numeric values to risk components: Each threat is described in a threat scenario, and the expected impact from that threat is graded on a scale that indicates the severity of that threat. Each risk is ranked per department according to the effect of that risk on the department's business functions. The cumulative, weighted ranking of the risk across all departments then indicates the severity of the total risk.

Purely qualitative risk analysis is possible: It is possible to conduct a PURE qualitative risk analysis, because the impact on the assets is evaluated by a weighted ranking instead of absolute dollar values.

QUALITATIVE RISK ANALYSIS: CRITICAL FACTORS
• Rank seriousness of threats and sensitivity of assets
• Perform a carefully reasoned risk assessment

Perform a carefully reasoned risk assessment: This is a carefully reasoned process and requires a good deal of judgement. The input is often derived from many sources, such as technical people as well as representatives of the business functions. The advantage of this process is that it results in greater understanding of the process by the system owners and business units, as well as improved communication between the parties working on the risk analysis efforts. When determining the impact of a risk through the scenario, the existing controls that are in place also need to be considered and measured for their effectiveness in addressing or mitigating the threat.

Rank seriousness of threats and sensitivity of assets: When conducting a qualitative risk analysis, the assessments are ranked by criteria such as high, medium, and low instead of numeric values. In addition, the likelihood of an event occurring is ranked using criteria such as high, probable, unlikely, etc. As will be seen from the AS/NZS 4360 standard, these two rankings can be combined into a matrix that guides the risk mitigation effort.

RISK LEVELS (AS/NZS 4360 STANDARD)
Consequence: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic
Likelihood: A Almost certain, B Likely, C Possible, D Unlikely, E Rare

Risk Levels (AS/NZS 4360 Standard): This is the matrix used in the Australian/New Zealand Standard 4360 to determine risk management priorities, by placing risk assessments on a table (matrix) and using it to highlight the areas of most critical importance compared to less critical risks. Each risk is weighed both from the aspect of impact (consequence), with a rating of 1 to 5, and of likelihood, with a rating from almost certain to rare. It is placed on the table according to its resulting risk level:
• Extreme risk: immediate action required to mitigate the risk or decide not to proceed
• High risk: action should be taken to compensate for the risk
• Moderate risk: action should be taken to monitor the risk
• Low risk: routine acceptance of the risk
Those risks that fall into the extreme risk category are the first that should be addressed in the risk mitigation effort.
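The three quantitative steps above (SLE = AV x EF, ARO from the threat analysis, ALE = SLE x ARO) and the "how much is the organization justified in spending" question can be worked end to end. The following is an added example written for this page, not code from the (ISC)² course material; the scenarios, asset values, exposure factors, AROs and safeguard costs are constructed sample figures. It goes one step beyond the slides by computing the annual value of a safeguard as (ALE before) minus (ALE after) minus (annualized safeguard cost), which is the cost-benefit test the notes describe, and it includes a scenario with a large SLE whose ARO is so low that the control is not justified.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example (not from the (ISC)2 course material). All asset values,
exposure factors, AROs and safeguard costs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset, as used in a quantitative risk analysis."""
    name: str
    asset_value: float      # AV: cost to acquire/develop/maintain, liability, real-world value
    exposure_factor: float  # EF: fraction of AV lost in one successful event (0.0 to 1.0)
    aro: float              # Annualized Rate of Occurrence: incidents per year (0.1 = once a decade)


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the effect it is expected to have on one scenario."""
    name: str
    scenario: str
    annual_cost: float                           # annualized cost (purchase spread over life + operation)
    new_exposure_factor: Optional[float] = None  # reduces impact; None = unchanged
    new_aro: Optional[float] = None              # reduces likelihood; None = unchanged


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step one: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step three: ALE = SLE x ARO (ARO comes from step two, the threat analysis)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost of the safeguard.

    Positive means the control pays for itself; the ALE before the control is the
    ceiling on what the organization can justify spending on it per year.
    """
    ef_after = s.exposure_factor if g.new_exposure_factor is None else g.new_exposure_factor
    aro_after = s.aro if g.new_aro is None else g.new_aro
    ale_before = scenario_ale(s)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(s.asset_value, ef_after), aro_after)
    return ale_before - ale_after - g.annual_cost


def rank_safeguards(scenarios: List[Scenario], safeguards: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (safeguard name, annual value) from most to least cost-effective."""
    by_name: Dict[str, Scenario] = {s.name: s for s in scenarios}
    ranked = [(g.name, safeguard_value(by_name[g.scenario], g)) for g in safeguards]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed sample register (hypothetical figures, not from any real assessment).
SCENARIOS = [
    Scenario("Ransomware on file server", asset_value=400_000,   exposure_factor=0.50, aro=0.5),
    Scenario("Fire in data centre",       asset_value=2_000_000, exposure_factor=0.75, aro=0.02),
    Scenario("Lost unencrypted laptop",   asset_value=50_000,    exposure_factor=1.00, aro=3.0),
]
SAFEGUARDS = [
    Safeguard("Offline backups + tested restore", "Ransomware on file server", 30_000, new_exposure_factor=0.10),
    Safeguard("Gas fire suppression",             "Fire in data centre",       45_000, new_exposure_factor=0.20),
    Safeguard("Full-disk encryption on laptops",  "Lost unencrypted laptop",   20_000, new_exposure_factor=0.05),
    Safeguard("Premium laptop tracking service",  "Lost unencrypted laptop",   200_000, new_aro=2.0),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        print(f"{s.name:30} SLE={sle:>12,.0f}  ARO={s.aro:<5}  ALE={scenario_ale(s):>12,.0f}")
    for name, value in rank_safeguards(SCENARIOS, SAFEGUARDS):
        verdict = "justified" if value > 0 else "NOT justified"
        print(f"{name:36} annual value={value:>12,.0f}  {verdict}")
```

Note what the ranking shows: the fire scenario has by far the largest single loss (SLE of 1,500,000) but an ALE of only 30,000, so a 45,000-per-year suppression system is not justified on ALE grounds alone, while the cheap laptop encryption control, applied to a small asset lost several times a year, has the highest annual value. This is exactly the ARO-versus-SLE distinction the step two notes warn about.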
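The qualitative method above (per-department ranking of each threat scenario, a cumulative weighted ranking across departments, credit for existing controls, and the AS/NZS 4360 likelihood-by-consequence matrix) can also be made concrete. The following is an added example written for this page, not code from the (ISC)² course material or from the standard itself. The matrix cells are the commonly reproduced AS/NZS 4360:1999 qualitative matrix (check them against your own copy of the standard); the departments, weights, scenarios and ratings are constructed sample data. The example goes beyond the slide in one respect: besides placing each risk on the matrix, it rolls the per-department levels up into a weighted organization-wide score while still surfacing the worst single-department level, so that an "extreme" for one unit is not averaged away.

```python
"""Qualitative risk analysis: AS/NZS 4360-style risk matrix with weighted
per-department ranking.

Added example (not from the (ISC)2 course material or the standard). Matrix
cells follow the commonly published AS/NZS 4360:1999 qualitative matrix; the
departments, weights and ratings are constructed sample data.
"""
from typing import Dict, List, Tuple

LIKELIHOOD = {"A": "almost certain", "B": "likely", "C": "possible", "D": "unlikely", "E": "rare"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Rows = likelihood A..E, columns = consequence 1..5.  E=extreme H=high M=moderate L=low.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}
LEVEL_NAME = {"E": "extreme", "H": "high", "M": "moderate", "L": "low"}
LEVEL_SCORE = {"L": 1, "M": 2, "H": 3, "E": 4}
ACTION = {
    "E": "immediate action required to mitigate the risk or decide not to proceed",
    "H": "action should be taken to compensate for the risk",
    "M": "action should be taken to monitor the risk",
    "L": "routine acceptance of the risk",
}


def risk_level(likelihood: str, consequence: int) -> str:
    """Risk level letter for a likelihood rating (A-E) and consequence rating (1-5)."""
    if likelihood not in MATRIX:
        raise ValueError(f"likelihood must be one of {sorted(MATRIX)}")
    if consequence not in CONSEQUENCE:
        raise ValueError("consequence must be 1..5")
    return MATRIX[likelihood][consequence - 1]


def residual_likelihood(likelihood: str, control_steps: int) -> str:
    """Credit an existing, effective control by moving likelihood down the scale (A -> E).

    control_steps is how many bands the assessors judge the control reduces the
    likelihood by; a risk can never be pushed below 'rare'.
    """
    order = "ABCDE"
    idx = min(order.index(likelihood) + max(control_steps, 0), len(order) - 1)
    return order[idx]


def weighted_ranking(
    risks: Dict[str, Tuple[str, int, Dict[str, int]]],
    dept_weights: Dict[str, float],
) -> List[Tuple[str, float, str]]:
    """Rank risks organization-wide.

    risks maps scenario -> (inherent likelihood, control credit in bands,
    {department: consequence 1-5 for that department's business functions}).
    Each department's cell is scored on the matrix, weighted by the department's
    share of the business, and summed.  Returns (scenario, weighted score,
    worst single-department level), most severe first.
    """
    total_weight = sum(dept_weights.values())
    if total_weight <= 0:
        raise ValueError("department weights must sum to a positive number")
    out = []
    for name, (likelihood, control_steps, by_dept) in risks.items():
        lik = residual_likelihood(likelihood, control_steps)
        score, worst = 0.0, "L"
        for dept, consequence in by_dept.items():
            level = risk_level(lik, consequence)
            score += dept_weights[dept] / total_weight * LEVEL_SCORE[level]
            if LEVEL_SCORE[level] > LEVEL_SCORE[worst]:
                worst = level
        out.append((name, round(score, 3), worst))
    # Tie-break on the worst single-department level so one unit's 'extreme' is not hidden.
    return sorted(out, key=lambda t: (t[1], LEVEL_SCORE[t[2]]), reverse=True)


# Constructed sample data for a hypothetical organization.
DEPT_WEIGHTS = {"operations": 0.5, "finance": 0.3, "marketing": 0.2}
RISKS = {
    # scenario: (inherent likelihood, bands of credit for existing controls, consequence per dept)
    "Payment system outage":    ("B", 0, {"operations": 3, "finance": 5, "marketing": 2}),
    "Customer database breach": ("C", 0, {"operations": 2, "finance": 4, "marketing": 5}),
    "Phishing of staff":        ("A", 2, {"operations": 2, "finance": 3, "marketing": 2}),
    "Flood at head office":     ("E", 0, {"operations": 4, "finance": 4, "marketing": 1}),
}

if __name__ == "__main__":
    for name, score, worst in weighted_ranking(RISKS, DEPT_WEIGHTS):
        print(f"{name:26} weighted={score:.2f}  worst={LEVEL_NAME[worst]:8}  -> {ACTION[worst]}")
```

Two design points worth noting. First, the control credit is applied to likelihood before the matrix lookup, which is where the notes say existing controls belong: phishing is "almost certain" inherently, but with effective awareness training and mail filtering rated as two bands of credit it is assessed at "possible". Second, the weighted score alone would let a department with a small weight be outvoted even when a risk is extreme for it, so the worst single-department level is carried alongside the score and used as the tie-breaker.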