Risk Presentation


Transcript of Risk Presentation

  • 5/24/2018 Risk Presentation

    1/49

    Risk Assessment

    By: Ashwin Vignesh Madhu

  • 2/49

    Overview

    Objective

    Introduction

    Risk

    Risk Management Cycle

    RA Methodologies

    CRAMM

    COBRA

    RuSecure

    British Standard

    Hierarchical Criteria Model

    Common Failures in RA

    Elements of Good RA

    OCTAVE

    Characteristics

    Process

    Criteria

    Examples

    OCTAVE Methodology

    Choosing Methodology

    Our Methodology

  • 4/49

    Objective

    Risk Assessment Process

    Not unique to the IT environment

    Provide the desired level of mission support, depending on the budget

    Well-structured risk management methodology

  • 6/49

    Introduction

    The process of enumerating risks

    Determining their classifications

    Assigning probability and impact scores

    Associating controls with each risk

  • 8/49

    Risk

    Risk Assessment measures:

    Magnitude of the potential loss, L

    Probability p that the loss will occur

    Risk R can be expressed as

    R = L * p, or

    Risk = Impact * Likelihood

  • 9/49

    Risk (Cont.)

    Risk = PA * (1 - PE) * C

    PA - the likelihood of adversary attack

    PE - the security system effectiveness

    (1 - PE) - the adversary success probability

    C - consequence of loss of the asset

    High L with low p vs. low L with high p:

    Treated differently in practice

    Given nearly equal priority by the formula
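Worked example, added here and not part of the original presentation: the two formulas on these slides (R = L * p and R = PA * (1 - PE) * C) applied to a constructed register of three scenarios. The register values, the loss tolerance and the treatment rule are assumptions made for illustration, not taken from the slides. The point the slide makes, that two scenarios with the same R can still need different handling, shows up as the first two entries.

```python
"""Added example (not from the presentation): quantitative risk scoring with
R = L * p and R = PA * (1 - PE) * C over a constructed asset register.
Register numbers, loss tolerance and treatment rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    consequence: float    # C (also L): loss if the event succeeds, in currency units
    p_attack: float       # PA: probability an adversary attempts the attack in the period
    effectiveness: float  # PE: probability the security system defeats the attempt


def _check_probability(value: float, label: str) -> None:
    """Reject out-of-range inputs early: a 'probability' above 1 is the
    'inaccurate data' failure and would silently inflate the ranking."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {value}")


def risk_simple(loss: float, p: float) -> float:
    """R = L * p (Impact * Likelihood)."""
    _check_probability(p, "p")
    return loss * p


def risk_sandia(p_attack: float, effectiveness: float, consequence: float) -> float:
    """R = PA * (1 - PE) * C; (1 - PE) is the adversary's success probability."""
    _check_probability(p_attack, "PA")
    _check_probability(effectiveness, "PE")
    return p_attack * (1.0 - effectiveness) * consequence


def success_probability(s: Scenario) -> float:
    """The effective p in R = L * p, i.e. PA * (1 - PE)."""
    return s.p_attack * (1.0 - s.effectiveness)


def risk_of(s: Scenario) -> float:
    return round(risk_sandia(s.p_attack, s.effectiveness, s.consequence), 2)


def rank(register: list[Scenario]) -> list[tuple[str, float]]:
    """Order scenarios by R, highest first; ties broken by name so output is stable."""
    ordered = sorted(register, key=lambda s: (-risk_of(s), s.name))
    return [(s.name, risk_of(s)) for s in ordered]


def treatment(s: Scenario, loss_tolerance: float) -> str:
    """Assumed treatment rule. R alone cannot separate a rare catastrophic loss
    from a frequent small one, so the rule looks at L and p separately: a single
    event above the organisation's loss tolerance is transferred or avoided even
    when its expected loss is modest."""
    if s.consequence > loss_tolerance:
        return "transfer"   # insure or avoid: one occurrence is not survivable
    if success_probability(s) >= 0.25:
        return "reduce"     # frequent: add controls that raise PE
    return "accept"         # rare and affordable: monitor


def with_control(s: Scenario, new_effectiveness: float) -> Scenario:
    """Residual-risk view of the management cycle: same scenario after a control raises PE."""
    return replace(s, effectiveness=new_effectiveness)


# Constructed register (illustrative numbers, not real data).
REGISTER = [
    Scenario("customer-db-breach", consequence=5_000_000, p_attack=0.20, effectiveness=0.90),
    Scenario("phishing-mailbox",   consequence=200_000,   p_attack=1.00, effectiveness=0.50),
    Scenario("laptop-theft",       consequence=20_000,    p_attack=0.30, effectiveness=0.50),
]

if __name__ == "__main__":
    by_name = {s.name: s for s in REGISTER}
    for name, r in rank(REGISTER):
        s = by_name[name]
        print(f"{name:20s} R={r:>10,.0f}  p_success={success_probability(s):.2f}  "
              f"treatment={treatment(s, 1_000_000)}")
```

Both customer-db-breach (L = 5,000,000, p = 0.02) and phishing-mailbox (L = 200,000, p = 0.50) score R = 100,000, yet the rule sends the first to transfer and the second to reduce; raising PE on the database to 0.95 halves its residual R to 50,000.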

  • 10/49

    Risk Management Cycle

  • 12/49

    RA Methodologies

    CCTA Risk Analysis and Management Method (CRAMM)

    Consultative, Objective and Bi-functional Risk Analysis (COBRA)

    RuSecure

    Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

    Failure Mode and Effects Analysis (FMEA)

    British Standard (BS)

  • 13/49

    RA Methodologies (Cont.)

    Methods support:

    Detecting critical places and parts in the organization

    Detecting risk factors

    Collecting data about risk factors

    Evaluation and estimation of risk

    Generating a report of the risk management process

  • 15/49

    CRAMM

  • 17/49

    COBRA

    Two modules:

    COBRA Risk Consultant

    ISO Compliance Analyst

    Supports the process of evaluating security risk

    Evaluation steps:

    Building queries

    Risk evaluation

    Constructing reports

    Contains a library of countermeasures

  • 19/49

    RuSecure

  • 23/49

    British Standard

  • 25/49

    Hierarchical Criteria Model

  • 27/49

    Common Failures in RA

    Poor executive support

    High cost of implementation

    Untimely response

    Insufficient accountability

    Inability to qualitatively measure the control environment

    Infrequent assessment

    Inaccurate data

  • 29/49

    Elements of Good RA

    Provides clear instructions

    Simplifies user response

    Identifies support contacts

    Focuses on leaders as well as executors

    Provides feedback to users and risk leaders

    Has a broad scope

    Identifies users for follow-up if necessary and applicable

  • 31/49

    OCTAVE

    Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

    Effective security risk evaluation

    Considers both organizational and technological issues

    Self-directed

  • 33/49

    Characteristics

    Identify information-related assets

    Focus risk analysis activities on critical assets

    Consider the relationships among critical assets, the threats to those assets, and vulnerabilities

    Evaluate risks in an operational context - how they are used to conduct an organization's business

    Create a protection strategy for risk mitigation

  • 35/49

    OCTAVE Process

  • 37/49

    Criteria

    Principle: Fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process

    Attribute: Distinctive qualities, or characteristics, of the evaluation

    Output: Defines the outcomes that an analysis team must achieve during each phase

  • 39/49

    Examples

  • 42/49

    OCTAVE Method Process

    Phase 1: Build Asset-Based Threat Profiles

    Process 1: Identify Senior Management Knowledge

    Process 2: Identify Operational Area Knowledge

    Process 3: Identify Staff Knowledge

    Process 4: Create Threat Profiles

  • 43/49

    OCTAVE Method Process

    Phase 2: Identify Infrastructure Vulnerabilities

    Process 5: Identify Key Components

    Process 6: Evaluate Selected Components

    Phase 3: Develop Security Strategy and Plans

    Process 7: Conduct Risk Analysis - an organizational set of impact evaluation criteria is defined to establish the impact value

    Process 8: Develop Protection Strategy - the team develops an organization-wide protection strategy to improve the organization's security practices
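Added example, not from the presentation or from the OCTAVE materials themselves: a small data model for Phase 1 (asset-based threat profiles, Process 4) and Process 7 (impact evaluation criteria). The threat tree follows the OCTAVE Method's generic threat profile for human actors (access, actor, motive, outcome); the impact areas, thresholds, asset, applicable leaves and estimates are constructed for illustration, and the rule that the worst impact area governs the threat's impact value is an assumption.

```python
"""Added example (not from the presentation): OCTAVE Phase 1 threat profiles
and Process 7 impact evaluation criteria as code.  Impact areas, thresholds,
the asset and its estimates are constructed; the aggregation rule is assumed."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product

# Generic threat profile, human-actor branch.
ACCESSES = ("network", "physical")
ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
OUTCOMES = ("disclosure", "modification", "loss_destruction", "interruption")
LEVELS = ("low", "medium", "high")   # the organisation's qualitative impact scale


@dataclass(frozen=True)
class Threat:
    asset: str
    access: str
    actor: str
    motive: str
    outcome: str


def threat_profile(asset: str,
                   applicable: set[tuple[str, str, str, str]] | None = None) -> list[Threat]:
    """Process 4: enumerate all 32 human-actor leaves for one asset and keep the
    (access, actor, motive, outcome) leaves the analysis team marked applicable;
    None keeps every leaf."""
    leaves = [Threat(asset, ac, a, m, o)
              for ac, a, m, o in product(ACCESSES, ACTORS, MOTIVES, OUTCOMES)]
    if applicable is None:
        return leaves
    return [t for t in leaves if (t.access, t.actor, t.motive, t.outcome) in applicable]


# Process 7: impact evaluation criteria.  For each impact area, the measure at
# which impact becomes "medium" and "high".  Constructed thresholds.
IMPACT_CRITERIA: dict[str, tuple[float, float]] = {
    "financial_loss_usd": (10_000, 100_000),
    "downtime_hours": (4, 24),
    "customers_affected": (100, 10_000),
}


def impact_level(area: str, measure: float) -> str:
    """Map an estimated measure onto the qualitative scale."""
    medium_at, high_at = IMPACT_CRITERIA[area]
    if measure >= high_at:
        return "high"
    if measure >= medium_at:
        return "medium"
    return "low"


def evaluate_impact(estimates: dict[str, float]) -> dict[str, str]:
    """Evaluate every area the team estimated; an area with no defined criteria
    is a data error, not a silent 'low'."""
    unknown = set(estimates) - set(IMPACT_CRITERIA)
    if unknown:
        raise KeyError(f"no evaluation criteria defined for {sorted(unknown)}")
    return {area: impact_level(area, value) for area, value in estimates.items()}


def overall_impact(levels: dict[str, str]) -> str:
    """Assumed aggregation: the worst impact area governs the threat's impact value."""
    return max(levels.values(), key=LEVELS.index, default="low")


def rank_threats(estimated: list[tuple[Threat, dict[str, float]]]) -> list[tuple[Threat, str]]:
    """Order threats for the protection strategy (Process 8): highest impact first."""
    scored = [(t, overall_impact(evaluate_impact(est))) for t, est in estimated]
    return sorted(scored, key=lambda pair: (-LEVELS.index(pair[1]), pair[0].outcome))


# Constructed worked case: one critical asset, three applicable threat leaves.
APPLICABLE = {
    ("network", "outside", "deliberate", "disclosure"),
    ("network", "inside", "accidental", "modification"),
    ("network", "outside", "deliberate", "interruption"),
}
ESTIMATES = {  # per outcome, the team's estimates against the impact areas
    "disclosure": {"financial_loss_usd": 250_000, "customers_affected": 50_000},
    "modification": {"financial_loss_usd": 5_000, "downtime_hours": 2},
    "interruption": {"financial_loss_usd": 20_000, "downtime_hours": 8},
}


def worked_case() -> list[tuple[str, str]]:
    """Returns [(outcome, impact value)] for the customer database, highest first."""
    threats = threat_profile("customer-db", APPLICABLE)
    ranked = rank_threats([(t, ESTIMATES[t.outcome]) for t in threats])
    return [(t.outcome, level) for t, level in ranked]


if __name__ == "__main__":
    for outcome, level in worked_case():
        print(f"customer-db / {outcome:16s} impact={level}")
```

The criteria table is the artefact Process 7 produces: once it exists, estimates from different operational areas map onto the same scale, which is what lets the protection strategy in Process 8 rank threats across assets rather than per interviewee.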

  • 45/49

    Choosing Methods

    Depending on organization size

    Depending on organization hierarchical structure

    Structured or Open-Ended Method

    Analysis team composition

    IT resources

  • 47/49

    Our Methodology

    Policies and procedures

    Requirement analysis

    Network Topology

    Categorizing the network

    Scanning based on categorization

    Analysis of vulnerabilities

    Use different scanning tools

    Penetration testing

    Risk strategy

    Mitigation of risk

  • 48/49

    References

    NIST, Risk Management Guide for Information Technology Systems

    http://www.gao.gov/special.pubs/ai00033.pdf

    http://en.wikipedia.org/wiki/Risk_management

    http://en.wikipedia.org/wiki/Risk_assessment

    http://www.sandia.gov/ram

    http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf

    http://www.octave.org

  • 49/49

    Thank You