Title: Risk Assessment
1. Risk Assessment: A powerful weapon in modern eSecurity warfare
2. Disclaimer
Craig Rosewarne
- Concilium
  - Security Analyst
  - ISO 9001:2000 company
- Whitehat InfoSec Group
  - Chairman / Founder of Section 21 Co.
  - InfoSec user group of ±800 volunteers
  - Host monthly security forums / workshops
  - Focus on security awareness
  - Initiated project Mamba
DISCLAIMER: THIS PRESENTATION IS BASED ON BOTH MY PERSONAL PREFERENCES AND WORK EXPERIENCE AND INCLUDES INPUT FROM A VARIETY OF SOURCES ACCUMULATED OVER THE YEARS.
4. Assets
5. Threats
6. Vulnerabilities
7. Safeguards
8. The core function of Information Security (ISO/IEC 17799)
9. Security programs need a Risk Management approach
- IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE IT!
10. Definition
- "Risk assessment is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organisation's security profile: its strengths and weaknesses, its vulnerabilities and exposures." (Riskwatch)
11. Example of how it is used
- Level 1: Risk assessment
- Level 2: Vulnerability scan
- Level 3: Penetration test
12. Why perform a RA?
- Identify gaps in the security framework
- Identify risks, then YOU decide the action plan
- Accurate IT asset valuation
- Better utilisation of the InfoSec budget
- Assists with security budget justification
- Compliance with laws and regulations
- Benchmark against industry best practices
13. How do modern kings undertake a Risk Assessment?
14. The battlefields of today
15. 1. First steps
16. 2. Manual versus Automated
17. Manual RAs
- The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach
- A number of different workbooks / presentations
- A variety of different RA spreadsheets available: some free / some commercial / some proprietary IP
18. RA software tools
- A variety of different tools on the market to suit individual preferences / budgets
19. 3. Scoping the project
- Company mission / values?
- Qualitative or Quantitative? (Gap analysis vs ALE/ROI?)
20. 3. Scoping the project (continued)
- Benchmark? (7799 / NIST / HIPAA / GLB?)
21. Select Benchmark
22. 3. Scoping the project (continued)
- Functional Areas (King to Stable boy?)
23. Select Functional Areas
24. 3. Scoping the project (continued)
- Asset Categories (Physical / Financial / Reputation?)
- Threats (Type / Occurrence / Damage?)
- Vulnerabilities (Weakness, e.g. Physical security)
25. Linking ALTV
26. 3. Scoping the project (continued)
- Safeguards (Archers vs Ballista?)
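The quantitative path chosen during scoping (ALE/ROI rather than a gap analysis) and the Asset-Threat-Vulnerability-Safeguard linkage of slide 25 can be carried through in a small risk register. The following is an added example, not material from the presentation; the asset values, exposure factors, occurrence rates and safeguard costs are constructed to illustrate the arithmetic.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One Asset-Threat-Vulnerability linkage (the 'ALTV' link of the scoping step)."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # monetary value of the asset (constructed figures)
    exposure_factor: float  # fraction of the asset value lost per occurrence, 0..1
    aro: float              # annualised rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: damage from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual occurrence/exposure it leaves behind."""
    name: str
    annual_cost: float
    aro_after: float
    ef_after: float


def safeguard_roi(risk: Risk, sg: Safeguard) -> float:
    """Annual ALE reduction minus annual safeguard cost; negative means it does not pay for itself."""
    residual = Risk(risk.asset, risk.threat, risk.vulnerability,
                    risk.asset_value, sg.ef_after, sg.aro_after)
    return (risk.ale() - residual.ale()) - sg.annual_cost


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order the register so the largest expected annual loss comes first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (hypothetical values, chosen for illustration only).
REGISTER = [
    Risk("Customer database", "Theft by intruder", "Unpatched DB server", 500_000, 0.6, 0.2),
    Risk("Server room", "Fire", "No suppression system", 200_000, 0.9, 0.05),
    Risk("Laptops", "Loss / theft", "No disk encryption", 50_000, 0.25, 2.0),
]
DISK_ENCRYPTION = Safeguard("Full-disk encryption", 8_000, aro_after=2.0, ef_after=0.02)
FIRE_SUPPRESSION = Safeguard("Gas suppression", 15_000, aro_after=0.05, ef_after=0.2)

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.asset:18} {r.threat:20} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f}")
    print("Encryption ROI:", safeguard_roi(REGISTER[2], DISK_ENCRYPTION))
    print("Suppression ROI:", safeguard_roi(REGISTER[1], FIRE_SUPPRESSION))
```

The ranking shows why the laptop risk outranks the server-room fire despite the far lower asset value, and the negative suppression figure shows a safeguard that ALE alone does not justify.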
27. Call to arms
28. 4. Questionnaire time
29. 5. Report generation
30. Important information a typical RA report can highlight
31. Qualitative 1/2
32. Qualitative 2/2
33. Quantitative 1/4
34. Quantitative 2/4
35. Quantitative 3/4
36. Quantitative 4/4
37. Quantitative 5/6
38. Quantitative 6/6
39. Components of Risk
40. Summary
- A risk assessment is the cornerstone of any information security program
- Fastest way to gain insight into an organisation's security profile
- A RA is recommended at least every 6 months, or when re-evaluating the security profile after major changes

Craig Rosewarne
craig_at_concilium.co.za / craig_at_whitehat.org.za
+27 83 231 4707