Safety of Information Systems Risk Analysis and Management Overview

This content provides insights into risk analysis and management in ensuring the safety of information systems. It covers key aspects such as threats, vulnerabilities, countermeasures, and the impact of incidents. Understanding these elements is crucial for safeguarding valuable company assets and mitigating potential risks effectively.

  • Information Systems
  • Risk Analysis
  • Management
  • Cybersecurity
  • Threats


Presentation Transcript


  1. Safety of information systems: Risk Analysis and Management. Roman Danel, roman.danel@vsb.cz, VŠB TU Ostrava

  2. Risk Analysis. What happens when information is not protected? How could information security be violated? How likely is it to happen?

  3. Steps of Risk Management: 1. What are the key assets? (what we should protect) 2. Risk analysis: what threats can occur? 3. Probability of threat occurrence 4. Measures to ensure safety 5. Limit of measure costs

  4. Risk Analysis terms. Asset: everything that has value for the company and should be adequately protected. Threat: any event that may cause a breach of the confidentiality, integrity or availability of the asset. Vulnerability: an asset property or weakness at the level of physical, logical or administrative security that may be misused by a threat. Countermeasure: a measure at the level of physical, logical or administrative security that reduces vulnerability and protects the asset against a given threat.

  5. Threat, Incident. Single Point of Failure: failure of critical infrastructure. Single Point of Knowledge: e.g. death of a key person.

  6. Damage. Types of damage: financial, legal, reputation, operational.

  7. Risk: probability of the event and its consequence.

  8. Risk Analysis terms. Exposure: the fact that there is a vulnerability that can be misused by a threat. Breach: a situation where privacy, integrity or accessibility has been compromised as a result of overcoming security measures.

  9. Risk Analysis: Threats. Software: failure and bugs, external (viruses). Human: external (hackers), internal (employees), either intentional or unintentional. Physical: HW failure, power outage. Natural influences.

  10. Examples of risks. System: SM Coal Preparation Plant, information server ALPHA DS-20. Threat: waste water from the roof (cause: cracked pipe).

  11. Most common risk issues: a UPS without low-battery checking; backups without verification that recovery works.

  12. Software Errors: syntactic errors; errors during processing (example: division by zero); logical errors.

  13. Software Threats. Viruses (stealth, boot, polymorphic, macro viruses); Trojan horses; worms; back-doors (functions left over from development time); phishing: a way of attempting to acquire sensitive information such as usernames, passwords and credit card details using social engineering; hoax: a deliberately fabricated falsehood made to masquerade as truth; spyware; rootkits; botnets.

  14. Human Threats. Unintentional: lack of training of the users; a mess of user interfaces (lack of system integration); untreated user input. Intentional: the company's own employee is the worst threat. Example: credit card numbers stolen (Spain).

  15. What should be protected? Technical resources: against technical defects, theft, ... Communication paths: prevent monitoring of the data being transferred ... Software. Data: against damage and theft.

  16. Defence mechanisms against physical failure and natural influences: backup of data; technical support (UPS, overvoltage protection); systems resistant to failures: fault-tolerant system, disaster-tolerant system, cloud computing.

  17. What is the aim of IT safety? Ensuring confidentiality of data Ensuring data integrity Ensuring data availability

  18. Security: Authentication, Authorization, Accountability

  19. Norms BS 7799 ISO/IEC TR 13335

  20. Methodology for Risk Analysis and Management: ALE; CRAMM (CCTA Risk Analysis and Management Method); BS 7799; ISO/IEC 27001:2005; OCTAVE-S (Operationally Critical Threat, Asset and Vulnerability Evaluation); RISK IT; Cobra, Marion, NetRecon, RiskPAC.

  21. Terms. ARO, Annualized Rate of Occurrence: probability of occurrence of the threat per year. SLE, Single Loss Exposure: loss at one occurrence of the threat. ALE, Annualized Loss Expectancy: expected damage and recovery costs per year.
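A worked example of the slide 21 terms, added here and not part of the original presentation: it computes ALE = SLE x ARO for the slide 10 scenario (waste water from a cracked roof pipe over a server) and uses the result to rank countermeasures against their annual cost, which is the "limit of measure costs" from slide 3. All money figures, the countermeasure names and the residual-ARO/residual-SLE fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Exposure: loss from one occurrence (currency units)
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float           # what the measure costs per year (assumed figure)
    residual_aro: float          # ARO remaining once the measure is in place (assumed)
    residual_sle: Optional[float] = None  # set only if the measure also limits damage per incident

def ale(threat: Threat) -> float:
    """Annualized Loss Expectancy = SLE x ARO (slide 21 terms)."""
    return threat.sle * threat.aro

def residual_threat(threat: Threat, cm: Countermeasure) -> Threat:
    """The same threat as it looks after the countermeasure reduces the vulnerability (slide 4)."""
    sle = threat.sle if cm.residual_sle is None else cm.residual_sle
    return Threat(threat.name, sle, cm.residual_aro)

def net_benefit(threat: Threat, cm: Countermeasure) -> float:
    """ALE avoided per year minus the measure's annual cost (slide 3, step 5)."""
    return ale(threat) - ale(residual_threat(threat, cm)) - cm.annual_cost

def choose(threat: Threat, options: List[Countermeasure]) -> Optional[Countermeasure]:
    """Pick the measure with the highest net benefit; None if no measure pays for itself."""
    ranked = sorted(options, key=lambda cm: net_benefit(threat, cm), reverse=True)
    return ranked[0] if ranked and net_benefit(threat, ranked[0]) >= 0 else None

# Constructed scenario after slide 10: waste water from a cracked roof pipe over the server.
WATER = Threat("water from roof onto server", sle=40_000.0, aro=0.25)  # roughly once in four years
OPTIONS = [
    Countermeasure("relocate server away from the pipe", annual_cost=1_500.0, residual_aro=0.0625),
    Countermeasure("periodic pipe inspection", annual_cost=500.0, residual_aro=0.125),
    Countermeasure("waterproof enclosure", annual_cost=11_000.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print(f"ALE without measures: {ale(WATER):.0f}")
    for cm in OPTIONS:
        print(f"{cm.name}: net benefit {net_benefit(WATER, cm):.0f} per year")
    best = choose(WATER, OPTIONS)
    print("recommended:", best.name if best else "accept the risk")
```

Note that the most effective measure (residual ARO of zero) is rejected because its annual cost exceeds the whole ALE it removes, which is exactly the cost limit the methodology asks for.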

  22. Methodology CRAMM. Based on BS 7799, 1985; current version 5. It comprehensively covers all phases of risk management, from the actual analysis of risks all the way to the proposal of countermeasures, including the generation of outputs for security documentation (emergency and continuity assurance planning). CRAMM also helps to prove the efficiency of the cost expended on risk management, security and emergency planning. It contains a unique, broad library of security countermeasures.

  23. Methodology Octave-S Octave is a security framework for determining risk level and planning defences against cyber assaults. The framework defines a methodology to help organizations minimize exposure to likely threats, determine the likely consequences of an attack and deal with attacks that succeed. Octave defines three phases: Phase 1: Build Asset-Based Threat Profiles Phase 2: Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans

  24. RISK IT Methodology

  25. Risk IT: late project delivery; not achieving enough value from IT; compliance; misalignment; obsolete or inflexible IT architecture; IT service delivery problems.

  26. What does Risk IT offer? Provides guidance to help executives and management ask the key questions, make better, more informed risk-adjusted decisions and guide their enterprises so that risk is managed effectively. Helps save time, cost and effort with tools to address business risks. Integrates the management of IT-related business risks into overall enterprise risk management. Helps leadership understand the enterprise's risk appetite and risk tolerance. Provides practical guidance driven by the needs of enterprise leadership around the world.

  27. RiskIT tree

  28. RiskPAC: an automated risk analysis program that can detect and help eliminate vulnerabilities in data security.

  29. Standard ISO 27001. ISO 27001 is the standard designation for an information security management system in an organization. ISO 27001 belongs to the ISO 27000 family and is part of the international standards issued by the International Organization for Standardization (ISO). ISO 27001 replaced the standard BS 7799 and became the international standard for information security management systems.

  30. Standard ISO 27001. Information protection according to ISO 27001 is based on three principles of information security: Confidentiality, which means that information is accessible only to those who are allowed (who have authorized access); Integrity, which means the accuracy and completeness of the information; Availability, which means that authorized users have access to information when they need it.

  31. OECD. OECD 1992 Guidelines for the security of information systems: http://www.oecd.org/sti/ieconomy/oecdguidelinesforthesecurityofinformationsystems1992.htm. 2015: http://www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf

  32. BCM, Business Continuity Management. BCM is a managerial discipline that focuses on identifying the potential impacts the organization faces following a crash. It creates a framework to ensure a certain level of resilience and the ability to respond to unexpected events. Emergency plans and recovery plans.

  33. Security implementation: creation of security documentation; introducing security processes and roles; implementation of specific mechanisms; implementation of security checks (audit).
