Académique Documents
Professionnel Documents
Culture Documents
4- 1
Agenda
4- 2
4- 3
What is Risk ?
4- 4
Vulnerabilities / Threat
Vulnerabilities
Vulnerabilities associated with assets include weakness in physical layout, organization, procedures, personnel, management, administration, hardware, software or information. They may be exploited by a threat that may cause harm to the IT system or business objectives. A vulnerability in itself does not cause harm
ISO/IEC TR 13335 page 8, 8.3
Threat
A threat has the potential to cause an unwanted incident which may result in harm to a system or organization and its assets.
Risk
Risk is the potential that a given threat exploits vulnerabilities to cause loss or damage to an asset or group of assets, and hence directly or indirectly to the organization.
Ref: ISO/IEC TR 13335, page 8
4- 6
Risk Treatment
Risk Assessment
Identify and evaluate options for the treatment of risks Analyse and evaluate the risks Identify the risks (threats and vulnerabilities)
4- 7
4- 8
4- 9
4- 10
4- 12
4- 13
.. 2550
4- 14
.. 2550
4- 15
.. 2550
4- 16
Threat Identification
The following are threat examples derived from ISMS
4- 17
4- 18
4- 20
misuse of resources or assets network access by unauthorized persons operational support staff error power fluctuation security failure software failure system failure system misuse (accidental or deliberate) theft unauthorized access unauthorized access to audit logs
4- 22
unauthorized access to audit tools unauthorized modification of audit logs unauthorized or unintentional modification unauthorized physical access unauthorized use of IPR material unauthorized use of software unavailability unsuccessful changes
4- 23
use of network facilities in an unauthorized way use of software by unauthorized users use of software in an unauthorized way user error vandalism ( ) violation of intellectual property rights wilful damage ()
4- 24
4- 25
4- 26
4- 27
4- 28
4- 29
4- 30
5-Level Likelihood
Likelihood
Very Low Low Medium
Description
An event that is highly unlikely to occur, if ever or without an appropriate control, there is no reason/motive for an attacker to attack/damage/compromise a system.
An event that is unlikely to occur, perhaps once every 3 years or without an appropriate control, there might be some reasons/motives for an attacker to attack/damage/compromise a system.
An event likely to occur relatively infrequently, perhaps once a year or without an appropriate control, there may be some reasons/motives for an attacker to attack/damage/compromise a system. An event that is fairly probable, and could be expected to occur several times a year or without an appropriate control, there may be good reasons/motives for an attacker to attack/damage/compromise a system. An event that could be reasonably expected to occur at least every month or more frequently or without an appropriate control, there may be strong reasons/motives for an attacker to attack/damage/compromise a system.
High
Very High
4- 31
Asset Valuation
One way to express asset values is to use the business impacts that unwanted incidents, such as disclosure, modification, non-availability and/or destruction, would have to the asset and the related business interests that would be directly or indirectly damaged. These incidents could, in turn, lead to loss of:
revenue, profit, or market share, life, image and reputation customer confidence maximum tolerable downtimes
4- 32
Asset Valuation
The input for asset valuation should be provided by owners and users of assets, who can speak authoritatively about the importance of assets particularly information, to the organization and its business, and how the assets are used to support the business processes and objectives. Examples of asset valuation scales could be:
a distinction between low, medium and high in more detail, a distinction between negligible, low, medium, high and very high.
4- 33
Personal Information
No distress or embarrassment caused Minor embarrassment or distress to an individual Serious embarrassment or distress Widespread and serious embarrassment or distress
4- 34
Risk calculation
Risk Value = Likelihood * Impact
Likelihood
Very low Very Low 1 Low Middle High Very High 5
Impact
Low Medium
2
3 4
4
6 8
6
9 12
8
12 16
10
15 20
High
telnet
4- 36
b. c. d.
Reduce risks by applying appropriate controls Transfer risks Avoid risks Accept risks
4- 37
Reduce risks
For all those risks where the option to reduce the risk has been chosen, appropriate controls should be implemented to reduce the risks to the level that has been identified as acceptable, or at least as much as is feasible towards that level. Controls can reduce the assessed risks in many different ways, for example by:
reducing the likelihood of the vulnerability being exploited; reducing the possible impact if the risk occurs by detecting unwanted events, reacting, and recovering from them (e.g., virus incident handling procedure).
4- 38
Transfer risks
Risk transfer is an option where it is difficult for the company to reduce or control the risk to an acceptable level or it can be more economically transferred to a third party.
There are several mechanisms for transferring risk to another organization, for example, the use of insurance.
4- 39
Avoid risks
Risk avoidance describes any action where the business activities or ways to conduct business are changed to avoid any risk occurring.
4- 40
In these cases, a decision may be made to accept the risk and live with the consequences if the risk occurs. Organizations should document these decisions, so that management is aware of its risk position, and can knowingly accept the risk.
4- 42
4- 43
1. 2. 3. 4.
The method selected for treating the risk What controls are in place What additional controls are proposed Time frame over which the proposed controls are to be implemented. 5. Degree of assurance
4- 44
Threat
Asset
Action plan
secure shell
Controls
A.10.5.1 Information back-up
Resources
1. 2.
Cost
$xxxx
Implement Schedule
Phase 1: Phase 2:
telnet
1. 2.
$xxxx
4- 45
Degree of Assurance (Risk Appetite) Is a definition of the overall level of risk exposure that an entity is prepared to expose itself to Is the acceptable level of risk at corporate level It is not possible to achieve 100% security There is always a residual risk remaining What degree of risk above the residual risk is acceptable to the organization?
100% Security?
4- 46