
Name: Pankaj Kumar PRN: 13030264010

Information Risk Management


Assignment 2:
1) Role and Need for Risk Assessment

Ans: The role of risk assessment is to provide a temporary (point-in-time) view of assessed risks while parameterizing the entire risk management process. It helps in the analysis of system assets and vulnerabilities to establish an expected loss from certain events, based on estimated probabilities of the occurrence of those events. The need for risk assessment is to determine whether countermeasures are adequate to reduce the probability of loss, or the impact of loss, to an acceptable level. The purpose of the risk management process varies from company to company: reducing risk or performance variability to an acceptable level, preventing unwanted surprises, facilitating taking more risk in the pursuit of value creation opportunities, etc.

2) Basic Elements of the Risk Assessment process

Ans:

Initiation: Risk assessment spans the entire organization, including critical business units and functional areas.

Identification: The second step of the risk assessment process identifies and prioritizes a company's risks, providing quality inputs to decision makers for the purpose of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks.

Assessment: Measurement methodologies may be simple and basic, e.g., risk rating or scoring, claims exposure and cost analysis, sensitivity analysis, stress testing and tracking key variables relating to an identified exposure. More complex methodologies for companies with more advanced capabilities might include value at risk, earnings at risk, rigorous analytics that are proprietary to the company, and risk-adjusted performance measurement.

Analysis: Based on the priority risks identified, their drivers or root causes, and their susceptibility to measurement, management decides on the appropriate risk response. The organization first decides whether to accept or reject a risk based on an assessment of whether the risk is desirable or undesirable.

Reporting: Finally, reports should be designed to address specific needs, including reporting to the board of directors. This also includes the activities of an internal audit function.

3) Identify critical systems and assets, identify threats

Ans:

Possible threats that an organization might face could be:

Human: Illness, death, injury, or other loss of a key individual.
Operational: Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
Reputational: Loss of customer or employee confidence, or damage to market reputation.
Procedural: Failures of accountability, internal systems, or controls, or from fraud.
Project: Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
Financial: Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
Technical: Advances in technology, or technical failure.
Natural: Weather, natural disasters, or disease.
Political: Changes in tax, public opinion, government policy, or foreign influence.
Structural: Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

4) Service Risk

Ans: A cost overrun occurs when the expenses required to complete a project, or one aspect of a project, exceed the amount budgeted. This can happen for any number of reasons. One common cost overrun occurs when the cost of materials rises significantly between the time you finalize your budget and the time you actually start making purchases. Time overruns occur when a project, or tasks within a project, are not completed by the time the project plan specifies. This can occur when materials needed to complete a project are back-ordered and work cannot be completed until the materials arrive. Sometimes labor shortages can cause work to be completed more slowly than anticipated.

5) Challenges of assessing IS risks

Ans: A significant part of assessing IS risks involves identifying and correcting substandard conditions before some form of loss (i.e., personnel, equipment, facility, public, currency, legal, etc.) occurs. The key to successfully identifying substandard conditions lies in a person possessing a wide range of knowledge in the areas of safety and health regulations, physics, chemistry, human anatomy, biology, as well as materials and processes. It also helps to have experience in studying the causes of industrial accidents, so as to understand what it takes to prevent the occurrence of loss.

6) 9 steps of risk assessment (NIST approach)

Ans: The nine steps are the following:

i. System Characterization: As the risk assessment begins, the assessors must compile information about the specific business procedures. This includes gathering information about the organization's assets and the processes they are used in. This usually includes physical and logical assets like hardware, software, and system interfaces.

ii. Threat Identification: With a full understanding of a system's assets, the assessors must now brainstorm threats that may hinder the system's goals by affecting those assets. The assessment team should spend plenty of time researching possible threats. At this point the likelihood of risk realization is not yet calculated; the focus is solely on identifying threats. Threats can be classified into three categories: human, environmental, natural.

iii. Vulnerability Identification: Not all threats present risk. In order for a risk to exist, there must be a vulnerability that the threat can exploit. The purpose of this step is to identify which threats may actually be realized due to the presence of vulnerabilities. Assessors can identify vulnerabilities in logical systems by utilizing vulnerability assessments, security requirement documents, and security tests of different forms.

iv. Control Analysis: At this point of the risk assessment process, the assessors analyze the currently existing controls and those already being planned. A control is any system, policy or procedure that reduces the likelihood of a risk being realized. The assessors then analyze the effect of those controls, and any need to change, remove, or replace them.

v. Likelihood Determination: Determining the likelihood of a threat-vulnerability (T-V) pair being realized is a fairly simple task. It is best to define likelihood levels for your organization and to classify T-V pairs accordingly. When determining the likelihood there are several factors that you can take into consideration.

vi. Impact Analysis: At this point the decision-making data begins to be calculated. An organization's livelihood is dependent upon the security triad: their data must be confidential, have integrity, and be available for their customers. After having assembled the information about assets, threats, vulnerabilities, and the likelihood of their occurrence, the organization must now consider the impact of a threat being realized.

vii. Risk Determination: Nearing the completion of the risk assessment process, assessors can now move on to calculating numbers for the decision makers. The actual risk can be determined by utilizing the likelihood of the threat (ARO), the impact of an event (SLE), and the current controls. The outcome is an effective list of risks and the associated risk levels. Money is often used to determine a risk's effect upon an organization's livelihood.

viii. Control Recommendation: There are many ways to utilize the calculated numbers to determine a control. However, there is one important thing to remember about the entire process. An organization would love to prevent all threats from being realized; however, in certain cases it is not cost effective. In some cases, mitigating a threat costs more than recovering from it. Although there are other considerations to take into account (public perception, etc.), it is generally a game of money rather than real security.

ix. Result Documentation: At this step the assessors compile their findings and report them to the organization. Generally the organization will take this data and use it to determine how to manage their risk. There are three ways they usually do this: mitigating the risk, accepting the risk, and transferring the risk.

(See more at: http://securityreliks.securegossip.com/2011/01/introduction-to-the-risk-assessment-processaccording-to-nist/)
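Steps v to viii above are where the assessment turns into numbers. As an added illustration (not part of the assignment and not code from NIST SP 800-30 or the cited blog), the Python below computes the annualized loss expectancy ALE = SLE x ARO for constructed threat-vulnerability pairs, maps likelihood and impact to a risk level, and applies the cost-benefit rule from the Control Recommendation step (mitigate only when the ALE reduction exceeds the control's annual cost). The T-V pairs, controls, monetary bands and thresholds are invented for the example.

```python
from dataclasses import dataclass

# Constructed example: all T-V pairs, controls, bands and costs are invented.
# The likelihood/impact values (1.0/0.5/0.1 and 100/50/10) follow the SP 800-30
# style example scale; the band thresholds applied to ARO and SLE are assumed here.

@dataclass
class ThreatVulnPair:
    name: str
    sle: float  # single loss expectancy: cost of one realized event
    aro: float  # annualized rate of occurrence: expected events per year

@dataclass
class Control:
    name: str
    annual_cost: float
    residual_aro: float  # ARO expected once the control is in place

def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = SLE x ARO (the monetary view of a risk)."""
    return sle * aro

def likelihood_value(aro: float) -> float:
    # Assumed bands: >= 1/yr High (1.0), >= 0.1/yr Medium (0.5), else Low (0.1)
    return 1.0 if aro >= 1.0 else 0.5 if aro >= 0.1 else 0.1

def impact_value(sle: float) -> float:
    # Assumed bands: >= 100k High (100), >= 10k Medium (50), else Low (10)
    return 100.0 if sle >= 100_000 else 50.0 if sle >= 10_000 else 10.0

def risk_level(tv: ThreatVulnPair) -> str:
    """Likelihood x impact score mapped to a level: > 50 High, > 10 Medium, else Low."""
    score = likelihood_value(tv.aro) * impact_value(tv.sle)
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def recommend(tv: ThreatVulnPair, control: Control) -> tuple:
    """Cost-benefit: net benefit = ALE before - ALE after - annual control cost."""
    net = ale(tv.sle, tv.aro) - ale(tv.sle, control.residual_aro) - control.annual_cost
    return ("mitigate" if net > 0 else "accept", net)

def risk_register(items) -> list:
    """Steps vii/viii output: one row per T-V pair with ALE, risk level and response."""
    rows = []
    for tv, control in items:
        decision, net = recommend(tv, control)
        rows.append((tv.name, ale(tv.sle, tv.aro), risk_level(tv), control.name, decision, round(net, 2)))
    return rows

RANSOMWARE = ThreatVulnPair("Ransomware on unpatched file server", sle=200_000, aro=0.5)
LIGHTNING = ThreatVulnPair("Lightning strike on branch office", sle=5_000, aro=0.02)
SAMPLE = [(RANSOMWARE, Control("Offline backups", 20_000, 0.05)),
          (LIGHTNING, Control("Surge protection", 2_000, 0.01))]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```

The second pair shows the page's point that mitigation is not always worth it: the surge protection costs more per year than the loss it prevents, so the register marks that risk as accepted.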

Assignment 3:
Risk Assessment Methodologies: Following are a few methodologies of risk management:
i. Australian IT Security Handbook
ii. CRAMM
iii. Dutch A&K Analysis
iv. ISAMM
v. ISO/IEC 27001
vi. Mehari
vii. MIGRA
viii. Octave
ix. RiskSafe Assessment
x. SP800-30

Tools for Risk Assessment: Following are a few tools for risk management:
i. MIGRA Tool
ii. Cobra
iii. Callio
iv. Casis
v. Countermeasures
vi. ISAMM
vii. Mehari 2010 Basic Tool
viii. Octave
ix. Proteus
x. RiskWatch
xi. TRICK Light
xii. Acuity Stream

Comparison between Octave Automated Tool and Mehari 2010 Basic Tool:

Parameter: Vendor name
  Octave Automated Tool: Advanced Technology Institute (ATI)
  Mehari 2010 Basic Tool: CLUSIF

Parameter: Country of origin
  Octave Automated Tool: USA
  Mehari 2010 Basic Tool: France

Parameter: Coverage
  Octave Automated Tool: Regional (e.g. European directive)
  Mehari 2010 Basic Tool: World-wide (state oriented); ISO 27005 compliant

Parameter: Brief description of the tool
  Octave Automated Tool: Octave Automated Tool has been implemented by Advanced Technology Institute (ATI) to help users with the implementation of the Octave and Octave-S approach. The tool assists the user during the data collection phase, organizes the collected information and finally produces the study reports. A demonstration as well as a trial version is available for evaluation.
  Mehari 2010 Basic Tool: The worksheet of the method contains multiple formulas that display step by step the results of the RA and RM activities and propose additional controls for risk reduction. Another tool (RISICARE) is also available for more complex environments.

Parameter: R.A. method phases supported
  Octave Automated Tool: Risk identification: Phase 1: Process 1-4, Phase 2: Process 2; Risk analysis: Phase 2: Process 1; Risk evaluation: Phase 2: Process 1
  Mehari 2010 Basic Tool: Risk identification: based on assets, threats and vulnerabilities; Risk analysis: through scenarios; Risk evaluation: quantification of the risk elements (stakes level and likelihood of threats)

Parameter: Information processed
  Octave Automated Tool: List of critical assets / threats; List of risks; List of protection strategies
  Mehari 2010 Basic Tool: Business stakes and lists of contributive assets (base for impact assessment); List of threats (accident, error, voluntary actions), for which likelihood is estimated and changes may be anticipated; List of security controls and services for risk reduction, current and future

Parameter: Target public / target organizations (scope)
  Octave Automated Tool: Government, agencies; Large scale companies; SME; Commercial CIEs; Non commercial CIEs
  Mehari 2010 Basic Tool: Government, agencies; Large scale companies; Commercial CIEs; Non commercial CIEs

Reference: http://rm-inv.enisa.europa.eu
