Visual 1.1
Lesson 1
Overview and Risk Management Terminology
Visual 1.2
Course Overview
– Risk Management Definition
– Risk Management Terminology
– Risk Management Issues
– Process and Methodology for Conducting Risk Management
Visual 1.3
ISSO Strategic Goals, Objectives, and Actions
Defining and institutionalizing risk management for ISSOs and their customers
– Define the process
– Get management support
– Educate the workforce
– Practice risk management
Visual 1.4
Objective 1
At the end of this part of Lesson 1, you will be able to describe what Risk Management is and the elements of the Risk Management Process.
Visual 1.5
Security Management
Managing the risks to an organization’s mission
Visual 1.6
Risk Defined
“The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.”
NSA Corporate Plan for INFOSEC Action, April 1996
Visual 1.7
Management Defined
The art or manner of controlling the movement or behavior of something
To have charge of; direct; conduct; administer
New World Dictionary of the American Language
Visual 1.8
Risk Management
“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”
National Information Systems Security Glossary, NSTISSI No. 4009, and AFR 205-16, AFR 700-10
Visual 1.9
Risk Management - Simply Put
Determine what your risks are and then decide on a course of action to deal with those risks.
Visual 1.10
Aim of Risk Management
To aid managers in striking an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks
[Figure: balance sheet weighing Risk Costs against Countermeasure Costs]
Visual 1.11
Elements of the Risk Management Process
Risk Assessment
– Mission/Impact Analysis
– Identification of Critical Assets
– Threat Analysis
– Attack/Vulnerability Analysis
Risk Mitigation
– Countermeasures Development
Risk Decision
– Management’s Selection of Countermeasures for Implementation
Visual 1.12
Objective 2
At the end of this part of Lesson 1, you will be able to match risk management terms with their definitions.
Visual 1.13
Risk Assessment
A study of threats and vulnerabilities, the theoretical effectiveness of present security mechanisms, and the potential impact of these factors on an organization’s ability to perform its mission
Visual 1.14
Critical Asset
Something that, when disclosed, modified, destroyed, or misused, will cause harmful consequences to the organization or its goals and mission, or will provide an undesired and unintended benefit to someone
Visual 1.15
Critical Asset Examples
– Information
– People
– Software
– Hardware
– Facilities
– etc.
Visual 1.16
Threat
The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission
Visual 1.17
Threat Examples
Adversarial
– Terrorists
– Foreign States
– Disgruntled Employees
– Criminals
– Recreational Hackers
– Commercial Competitors
Non-Adversarial
– Nature
– Unintentional Human Acts
Visual 1.18
Attack
A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset -- cause an undesirable state of affairs -- resulting in harm to an organization’s ability to perform its mission
Visual 1.19
Vulnerability
A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity
Visual 1.20
Vulnerability Examples
– Inadequate password management
– Easy access to a facility
– Weak cryptography
– Software flaw
– Open port
Visual 1.21
Consequence
The harmful result of a successful attack, degrading an organization’s ability to perform its mission
Visual 1.22
Consequence Examples
Harm to organization mission
– Loss of information confidentiality
– Loss of information integrity
– Loss of availability of information or system functions
– Inability to correctly authenticate sender of information
– Inability to verify receipt of information by the intended recipient
Visual 1.23
Risk Mitigation
Actions or countermeasures we can take to lessen risk
– Affect threat agents or their capabilities
– Eliminate or limit our vulnerabilities
Visual 1.24
Countermeasure Examples
– Fix known exploitable software flaws
– Enforce operational procedures
– Provide encryption capability
– Improve physical security
– Disconnect unreliable networks
– Train system administrators
– Install virus scanning software
Visual 1.25
Risk Management Decision
Determination by management or command to
– take specific actions that will mitigate risk to mission, or
– reject countermeasure recommendations and accept risk to mission
Visual 1.26
Residual Risk
That portion of risk that remains
– Management decides to accept risk
– Unconsidered threat factors
– Unconsidered vulnerabilities
– Incorrect conclusions
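The following is an added worked example, not part of the NSA lesson, that ties together the balance sheet of Visual 1.10, the process elements of Visual 1.11, the risk decision of Visual 1.25 and the residual risk of Visual 1.26. It models each risk assessment line (critical asset, threat, vulnerability, likelihood, consequence cost), a proposed countermeasure with its cost and estimated effect, and management's decision to mitigate or accept. All asset names, likelihoods, costs and reduction factors are constructed assumptions; the single-factor likelihood-reduction model is a simplification chosen for illustration.

```python
from dataclasses import dataclass

# All names, figures and organisations below are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    """One line of the risk assessment: a threat exploiting a vulnerability
    against a critical asset, with the consequence expressed as a cost."""
    asset: str
    threat: str
    vulnerability: str
    annual_likelihood: float  # estimated probability of a successful attack per year
    consequence_cost: float   # estimated loss (currency units) if the attack succeeds

    def expected_annual_loss(self) -> float:
        # The "Risk Costs" side of the balance sheet.
        return self.annual_likelihood * self.consequence_cost


@dataclass(frozen=True)
class Countermeasure:
    """A proposed mitigation: its recurring cost and the fraction of the attack
    likelihood it is estimated to remove, by limiting the vulnerability or
    blunting the threat agent's capability."""
    name: str
    annual_cost: float           # the "Countermeasure Costs" side of the balance sheet
    likelihood_reduction: float  # 0.0 (no effect) .. 1.0 (eliminates the attack)


def mitigated_loss(risk: Risk, cm: Countermeasure) -> float:
    """Expected annual loss that remains after the countermeasure is applied."""
    return risk.expected_annual_loss() * (1.0 - cm.likelihood_reduction)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided by the countermeasure minus what the countermeasure costs."""
    avoided = risk.expected_annual_loss() - mitigated_loss(risk, cm)
    return avoided - cm.annual_cost


def risk_decision(risk: Risk, cm: Countermeasure) -> dict:
    """Management's decision for one risk/countermeasure pair.

    Mitigate when the countermeasure pays for itself; otherwise reject the
    recommendation and accept the risk. Residual risk is what management is
    left carrying either way: the accepted risk, or the part the
    countermeasure does not remove. Unconsidered threats and vulnerabilities
    and wrong estimates add further residual risk that this model cannot see.
    """
    benefit = net_benefit(risk, cm)
    if benefit > 0:
        decision, residual = "mitigate", mitigated_loss(risk, cm)
    else:
        decision, residual = "accept", risk.expected_annual_loss()
    return {
        "asset": risk.asset,
        "countermeasure": cm.name,
        "expected_annual_loss": risk.expected_annual_loss(),
        "countermeasure_cost": cm.annual_cost,
        "net_benefit": benefit,
        "decision": decision,
        "residual_risk": residual,
    }


# Constructed sample risk register (not real figures); threats and
# vulnerabilities are taken from the lesson's example lists.
SAMPLE_REGISTER = [
    (Risk("customer records database", "criminals", "inadequate password management",
          annual_likelihood=0.25, consequence_cost=200_000.0),
     Countermeasure("enforce password procedures and train administrators",
                    annual_cost=15_000.0, likelihood_reduction=0.75)),
    (Risk("public brochure web server", "recreational hackers", "open port",
          annual_likelihood=0.5, consequence_cost=5_000.0),
     Countermeasure("managed firewall service",
                    annual_cost=6_000.0, likelihood_reduction=0.875)),
]


def balance_sheet(register=SAMPLE_REGISTER) -> list:
    """Run the risk decision over every risk/countermeasure pair."""
    return [risk_decision(risk, cm) for risk, cm in register]


if __name__ == "__main__":
    for row in balance_sheet():
        print(f"{row['asset']:<28} EAL {row['expected_annual_loss']:>9,.1f} "
              f"cost {row['countermeasure_cost']:>8,.1f} net {row['net_benefit']:>9,.1f} "
              f"-> {row['decision']:<8} residual {row['residual_risk']:>8,.1f}")
```

Running the block prints one balance-sheet row per risk. For the first constructed risk the countermeasure removes more expected loss than it costs, so the decision is to mitigate and the residual risk is the remaining quarter of the expected loss; for the second, the firewall service costs more than the loss it avoids, so the recommendation is rejected and the full expected loss is carried as accepted residual risk. The point for practice is that the register only captures the threats and vulnerabilities someone thought to write down, which is exactly the residual risk Visual 1.26 warns about.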