Risk Assessment - PowerPoint PPT Presentation

About This Presentation

Slides: 39

Provided by: rosew
Transcript and Presenter's Notes

Title: Risk Assessment


1
Risk Assessment: A powerful weapon in modern eSecurity warfare
2
DISCLAIMER
Craig Rosewarne
  • Concilium
    - Security Analyst
    - ISO 9001:2000 company
  • Whitehat InfoSec Group
    - Chairman / Founder of Section 21 Co.
    - InfoSec user group of -800 volunteers
    - Host monthly security forums / workshops
    - Focus on security awareness
    - Initiated project Mamba

DISCLAIMER: THIS PRESENTATION IS BASED ON BOTH MY PERSONAL PREFERENCES AND WORK EXPERIENCE AND INCLUDES INPUT FROM A VARIETY OF SOURCES ACCUMULATED OVER THE YEARS.
3
(No Transcript)
4
ASSETS
5
THREATS
6
VULNERABILITIES
7
SAFEGUARDS
8
The Core function of Information Security
-ISO/IEC 17799-
9
Security programs need a Risk Management approach
  • IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE IT!

10
Definition
  • "Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organisation's security profile: its strengths and weaknesses, its vulnerabilities and exposures."
    (Riskwatch)

11
Example of how it is used
  • LEVEL 1: Risk assessment
  • LEVEL 2: Vulnerability scan
  • LEVEL 3: Penetration test
12
Why perform a RA?
  • ID gaps in security framework
  • ID risks, then YOU decide the action plan
  • Accurate IT asset valuation
  • Better utilisation of InfoSec budget
  • Assists with security budget justification
  • Compliance with laws and regulations
  • Benchmark against industry best practices

13
How do modern kings undertake a Risk Assessment?
14
The battlefields of today
15
1. First steps
16
2. Manual versus Automated
17
Manual RAs
  • The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach
  • Number of different workbooks / presentations
  • Variety of different RA spreadsheets available: some free / some commercial / some proprietary IP

18
RA Software tools
  • Variety of different tools on the market to suit individual preferences / budgets
  • COBRA

19
3. Scoping the project
  • Company mission / values?
  • Qualitative or Quantitative? (Gap vs ALE/ROI?)

20
3. Scoping the project
  • Qualitative or Quantitative? (Gap analysis vs
    ALE/ROI?)
  • Benchmark? (7799 / NIST / HIPAA / GLB?)

21
Select Benchmark
22
3. Scoping the project
  • Qualitative or Quantitative? (Gap analysis vs
    ALE/ROI?)
  • Benchmark (7799 / NIST / HIPAA / GLB?)
  • Functional Areas (King to Stable boy?)

23
Select Functional Areas
24
3. Scoping the project
  • Qualitative or Quantitative? (Gap analysis vs
    ALE/ROI?)
  • Benchmark (7799 / NIST / HIPAA / GLB?)
  • Functional Areas (King to Stable boy?)
  • Asset Categories (Physical / Reputation?)
  • Threats (Type / Occurrence / Damage?)
  • Vulnerabilities (Weakness e.g. Physical security)

25
Linking ALTV
26
3. Scoping the project
  • Qualitative or Quantitative? (Gap analysis vs
    ALE/ROI?)
  • Benchmark (7799 / NIST / HIPAA / GLB?)
  • Functional Areas (King to Stable boy?)
  • Asset Categories (Financial / Reputation?)
  • Threats (Type / Occurrence / Damage?)
  • Vulnerabilities (Weakness e.g. Physical security)
  • Safeguards (Archers vs Ballista?)
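
The scoping slides above link assets, threats, vulnerabilities and safeguards and offer ALE/ROI as the quantitative route. As an added example that is not part of the presentation, the Python model below computes that chain with the standard formulas SLE = AV x EF and ALE = SLE x ARO (the slides name ALE but do not spell these out), treating a vulnerability as what drives a threat's ARO and exposure factor; the asset, threat and safeguard figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    category: str  # Physical / Financial / Reputation, as on the scoping slide
    value: float   # asset value (AV) in currency units

@dataclass
class Threat:
    name: str
    aro: float              # annualised rate of occurrence (events per year)
    exposure_factor: float  # fraction of AV lost per occurrence (0..1)

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it cuts ARO
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor

def sle(asset, threat):
    """Single loss expectancy: AV x EF."""
    return asset.value * threat.exposure_factor

def ale(asset, threat):
    """Annualised loss expectancy: SLE x ARO."""
    return sle(asset, threat) * threat.aro

def residual_ale(asset, threat, sg):
    """ALE left once the safeguard has reduced ARO and/or EF."""
    residual = Threat(threat.name, threat.aro * (1 - sg.aro_reduction),
                      threat.exposure_factor * (1 - sg.ef_reduction))
    return ale(asset, residual)

def safeguard_roi(asset, threat, sg):
    """Annual net benefit: ALE before - ALE after - safeguard cost."""
    return ale(asset, threat) - residual_ale(asset, threat, sg) - sg.annual_cost

def rank_safeguards(asset, threat, safeguards):
    """(name, net benefit) pairs, best first; negative means not worth buying."""
    return sorted(((s.name, safeguard_roi(asset, threat, s)) for s in safeguards),
                  key=lambda p: p[1], reverse=True)

# Constructed sample figures, not from the presentation.
DB = Asset("customer database", "Financial", 500_000)
MALWARE = Threat("malware infection", aro=0.5, exposure_factor=0.4)
OPTIONS = [Safeguard("offline backups", 15_000, ef_reduction=0.75),
           Safeguard("patch management", 30_000, aro_reduction=0.6),
           Safeguard("enterprise DLP suite", 90_000, aro_reduction=0.5, ef_reduction=0.5)]
```

`rank_safeguards(DB, MALWARE, OPTIONS)` puts offline backups first with a net benefit of about 60 000 a year and shows the DLP suite costing more than the loss it would prevent, which is exactly what the ROI view of an RA report is meant to expose.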

27
Call to arms
28
4. Questionnaire time
29
5. Report generation
30
Important info a typical RA report can highlight?
31
Qualitative 1/2
32
Qualitative 2/2
33
Quantitative 1/4
34
Quantitative 2/4
35
Quantitative 3/4
36
Quantitative 4/4
37
Quantitative 5/6
38
Quantitative 6/6
39
Components of Risk
40
Summary
  • A risk assessment is the cornerstone of any information security program
  • Fastest way to gain insight into an organisation's security profile
  • An RA is recommended at least every 6 months, or when re-evaluating the security profile after major changes
  • Craig Rosewarne
    craig_at_concilium.co.za
    craig_at_whitehat.org.za
    27 83 231 4707