
CRMP® Certified Risk Management Professional
Charter and Certification®

Exam Preparation Training
THE AMERICAN ACADEMY OF PROJECT MANAGEMENT (AAPM)

Indonesia Chapter Office:
Jl. Komplek IPB I No.2 Loji Sindang Barang-Bogor, Indonesia. Phone/Fax: (0251) 831 0930.
Head Office: Suite 293, 1670-F East Cheyenne Mountain Blvd, Colorado Springs, Colorado, USA. Phone: +1 877-588-2698
Trainer Profile
Prof. Dr. Fauzi Hasan

• Professor in Project Management at the American Academy, Colorado Springs, Colorado, USA
• Doctor in MIS and Doctoral Candidate in Finance at Universitas Persada Indonesia; Certified Information System Security consultant and trainer (CISA, CISSP, SSCP, ITIL, CISM, CGEIT, CSCP); Risk and Compliance (CPRP)
• Certified trainer and consultant in Project Management (PMP, CE-PM), Supply Chain Management (APICS, CMPP), IT Service Management (ITIL) and Change Management (APMG); Asia-Pacific MPM and PMI trainer
• Lecturer at University of Indonesia (UI) and UIN Jakarta; Project and Senior Consultant (Key Note Consultant) for the Ministry of Communications and Telematics (DEPKOMINFO); Change Management (Post Graduate Program-S2)
• Business Process Management consultant (eTOM, ITIL, TOGAF)
• Specialist in IT Strategy and Master Plan and Business Process Modeling
• Industrial exposure: IT, Manufacturing, Telecommunication, Chemicals, Oil & Gas, Government, Banks, Hospitals
• International exposure: Hoechs (Singapore), Magnus (The Netherlands), STC (Saudi Arabia), Horascom (Egypt), Mobili (Dubai), etc.

Risk Management Class

American Academy of Project Management

Risk

“Take calculated risks. That is quite different from being rash.” General George S. Patton

“Only those who risk going too far can possibly find out how far they can go.” T.S. Eliot

“Of course you have to go out on a limb sometimes; that’s where the fruit is.” Unknown

What is “Risk”?

• Risk is the net mission impact considering both the likelihood that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact on the organization if this should occur (NIST)
• Risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity, or availability of an asset (Microsoft)

What is Risk Management?

• The total process of identifying, controlling, and minimizing information system related risks to a level commensurate with the value of the assets protected
• The goal of a risk management program is to protect the organization and its ability to perform its mission from IT-related risk

Golden and Silver Rules of RM

All risk is owned!
Risk that is not assigned is owned by the organization’s Director

Why are we doing this?

• Why do we do risk management?
• Why does a car have brakes?

An organization that can take advantage of opportunities (and the inherent risks) will outlast an organization which cannot

Reactive Risk Management

1) Protect human life and people’s safety
2) Contain the damage
3) Assess the damage
4) Determine the cause of the damage
5) Repair the damage
6) Review response, and update policies
Proactive Risk Management

[Diagram of the relationships between the risk elements: Owners value Assets and wish to minimize Risk; they impose Controls, which reduce Vulnerabilities; Assets may possess Vulnerabilities, leading to Risk to the Assets; Threat Sources may be aware of Vulnerabilities, wish to abuse and/or may damage Assets, and give rise to Threats, which exploit Vulnerabilities and increase Risk]


What Assets are we Protecting?

• Servers
• Desktop Computers
• Laptops and PDAs
• Switches and Routers
• Application software
• Development Tools
• Source Code
• VPN Access
• Backup Tapes
• Email
• Data Integrity
• All Files on the Server
• Consumer Information
• Network Infrastructure
• DHCP
• Web Site Availability
• Reputation
• Employee Morale
Protecting From What Threats?

• Human Threats – Carelessness, Shoulder Surfing, User Abuse, Sabotage, Arson, Data Entry Errors, Intentional and Unintentional Procedure Violations
• Technical Threats – Takeover of authorized session, Intrusion, Keystroke Eavesdropping, System Failure, Saturation of Resources
• Environmental Threats – Fire, Earthquake, Hurricane, Tornado, Cable Cuts, Power Fluctuation, Hazardous Material Accident, Overheating

Threats to What Vulnerabilities?

• Unlocked doors
• Software Configuration
• Unlocked windows
• Systems not monitored
• Misconfigured systems
• Unnecessary protocols
• Missing patches
• Poorly defined procedures
• Antivirus out-of-date
• Stolen credentials
• Poorly written apps
• Poor password protection
• Vendor backdoors
• Poor Disaster Recovery
• Spyware
• Violations not reported
Vulnerabilities Protected by What Security Controls?

Controls   | Physical                             | Technical                           | Administrative
Preventive | Key-card access to enter area        | System & Network Monitoring         | Security Awareness Training for staff
Detective  | Seals on archive file cabinets       | Admin message on 3 incorrect logins | Audit of employee exit procedures
Deterrent  | Closed-circuit camera monitor        | Account lockout after 3 attempts    | Data owner approval of rights
Corrective | Physical Isolation of servers        | Firewall changes from past events   | Arranging for day time cleaning
Recovery   | Electronic records recreate physical | Netware’s file “Salvage” option     | Contact police after security breach
Two Approaches to Risk Assessment

1) Quantitative Risk Assessment
• Value your assets
• Determine the SLE, Single Loss Expectancy (total amount lost from a single occurrence of the risk)
• Determine the ARO, Annual Rate of Occurrence (number of times you expect the risk to occur during one year)
• Determine the ALE, Annual Loss Expectancy (amount you will lose in one year if the risk is not mitigated)
• Determine the ROSI, Return On Security Investment: (ALE before control) – (ALE after control) – (annual cost of control) = ROSI

2) Qualitative Risk Assessment
• Estimate relative values
• Determine what threats each asset may be facing
• Determine what vulnerabilities those threats might exploit in the future
• Determine controls which will mitigate the risks, and the approximate cost of each control
• Management performs a cost-benefit analysis on the results

Comparing the Two Approaches – the Benefits

Quantitative
1) Risks and assets are prioritized by financial values
2) Results facilitate management of risk by Return on Security Investment
3) Results expressed in terms management understands ($)
4) Accuracy tends to increase over time

Qualitative
1) Enables visibility and understanding of risk ranking
2) Easier to reach consensus
3) Not necessary to quantify threat frequency or determine financial value of assets
4) Easier to involve people who are not experts on security or computers

Comparing the Two Approaches – the Drawbacks

Quantitative
1) Impact values assigned to risks are based on subjective opinion
2) Very time-consuming
3) Calculations can be very complex
4) Results are presented only in monetary terms, and can be difficult for non-technical people to interpret
5) Process requires expertise

Qualitative
1) Insufficient differentiation between important risks
2) Difficult to justify investing in control implementation when there is no basis for a cost-benefit analysis
3) Results are dependent on the quality of the Risk Management Team that is created
Effective Risk Management

[Diagram: Threats (attempts to access private information, malicious attacks, natural disasters, sabotage, user error, fraud, pranks) act on Assets (sensitive information disclosed, services and benefits interrupted, integrity of data and reports compromised), producing Potential Damage (loss of the public’s confidence, critical operations halted, failure to meet contractual obligations)]

Know what to do now?

NIST Says
It’s a Management Function

• The goal of Risk Management is to protect the organization and its ability to perform its mission
• The focus is the mission, not IT assets
• Risk Management, therefore, is an essential management function of the organization

NIST Says
Risk Management has Three Parts

• Risk Assessment - Determining where risks lie, and how big they are
• Risk Mitigation - Prioritizing, evaluating, and implementing appropriate risk-reducing controls
• Evaluation and Assessment – Since Risk Management is continuous and evolving, the past year’s Risk Management efforts should be assessed and evaluated prior to beginning the cycle again

Risk Management Process

[Diagram: Risk Assessment → Risk Mitigation → RM Evaluation]

National Institute of Standards and Technology SP 800-30
The Ten Steps of Risk Assessment

1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation

Risk Mitigation

• Risk Mitigation is the process of identifying areas of risk that are unacceptable, and estimating countermeasures, costs and resources to be implemented as a measure to reduce the level of risk
• Determining “appropriate risk-reducing controls” is a job for your Risk Management Committee

What is “Acceptable” Risk?

• Setting your agency’s “risk appetite” is up to your Director and Senior Management
• Because elimination of all risk is impossible, we must use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission

Risk Mitigation Options

• Assume the Risk – Accept the risk and continue operating (how big is your appetite?)
• Avoid the Risk – Stop running the program or sharing the data
• Transfer the Risk – Use options to compensate for the loss, such as insurance
• Lessen the Risk – Implement controls that lessen the impact or lower the likelihood

Risk Mitigation Methodology

1) Prioritize based on risk levels presented
2) Evaluate recommended control options
3) Conduct a cost-benefit analysis
4) Select additional controls, as necessary
5) Assign responsibility
6) Develop an action plan, if necessary
7) Implement the selected controls

Cost-Benefit Analysis

• If control reduces risk more than needed, see if a less expensive alternative exists
• If control would cost more than the risk reduction provided, then find something else
• If control does not reduce risk sufficiently, look for more controls or a different control
• If control provides enough risk reduction and is cost-effective, then use it
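The SLE/ARO/ALE/ROSI arithmetic from the quantitative approach, worked through together with the four cost-benefit rules above. This is an added example, not material from the AAPM deck: the asset, loss figures, control costs and the acceptable residual ALE (the "risk appetite") are constructed, and the margin used to decide that a control "reduces risk more than needed" is an assumption of the example.

```python
"""Quantitative risk assessment worked through: SLE, ARO, ALE, ROSI, then the
four cost-benefit rules. Added example; every figure below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of owning and operating the control
    sle_after: float     # single loss expectancy once the control is in place
    aro_after: float     # annual rate of occurrence once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: what one year costs if the risk is not mitigated."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return On Security Investment as the slide defines it:
    (ALE before control) - (ALE after control) - (annual cost of control)."""
    return ale_before - ale_after - annual_cost


def evaluate_control(sle: float, aro: float, control: Control,
                     acceptable_ale: float, overkill_margin: float = 0.5) -> tuple[str, float]:
    """Apply the four cost-benefit rules to one control.

    acceptable_ale is the residual yearly loss the Director is willing to carry
    (the 'risk appetite'). overkill_margin is an assumption of this example: a
    residual ALE below acceptable_ale * overkill_margin counts as 'reduces risk
    more than needed'. Returns (decision, ROSI)."""
    before = ale(sle, aro)
    after = ale(control.sle_after, control.aro_after)
    reduction = before - after
    value = rosi(before, after, control.annual_cost)

    if control.annual_cost > reduction:
        return "reject", value            # costs more than the risk reduction it buys
    if after > acceptable_ale:
        return "insufficient", value      # look for more controls or a different one
    if after < acceptable_ale * overkill_margin:
        return "over-controlled", value   # see if a less expensive alternative exists
    return "accept", value                # enough reduction, and cost-effective


def rank_controls(sle: float, aro: float, controls: list[Control],
                  acceptable_ale: float) -> list[tuple[str, str, float]]:
    """Evaluate every candidate control and order them by ROSI, best first."""
    rows = [(c.name, *evaluate_control(sle, aro, c, acceptable_ale)) for c in controls]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario: an order-entry server whose outage costs 20,000 per
# incident (SLE) and that history says fails about 4 times a year (ARO).
SLE, ARO = 20_000.0, 4.0
ACCEPTABLE_ALE = 15_000.0   # constructed risk appetite set by senior management
CANDIDATES = [
    Control("Daily backups only", annual_cost=5_000, sle_after=12_000, aro_after=4),
    Control("Hot standby server", annual_cost=30_000, sle_after=2_000, aro_after=4),
    Control("Full DR site", annual_cost=20_000, sle_after=200, aro_after=2),
    Control("Managed failover suite", annual_cost=90_000, sle_after=500, aro_after=1),
]

if __name__ == "__main__":
    print(f"ALE before any control: {ale(SLE, ARO):,.0f}")
    for name, decision, value in rank_controls(SLE, ARO, CANDIDATES, ACCEPTABLE_ALE):
        print(f"{name:24s} ROSI {value:>10,.0f}  -> {decision}")
```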


Residual Risk

• The risk remaining after the implementation of new or enhanced controls is the residual risk
• If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level
• Understand that no IT system can be risk-free


Evaluation and Assessment

• People, systems, and networks change, so risk management must be ongoing
• Federal agencies must conduct risk management at least every three years
• Stay flexible to allow changes when warranted

NIST Says
Good Risk Management Depends Upon

1) Senior management’s commitment
2) Support of the IT Team
3) Competence of the Risk Management Committee
4) Cooperation and education of the users
5) Ongoing assessment of IT-related mission risks

Probability of Event Scale

Probability of Event | Frequency                           | Rating
Negligible           | Unlikely to occur                   | 0
Very Low             | 2 to 3 times every 5 years          | 1
Low                  | Less than or equal to once per year | 2
Medium               | Once every 6 months or less         | 3
High                 | Once every month or less            | 4
Very High            | More than once every month          | 5
Extreme              | Once per day or more                | 6

Risk Assessment Steps: ISO 27000/17799

1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
5) Calculate harm

ISO’s Harm of Event Scale

Harm of Event | Degree of Harm                                                                               | Rating
Insignificant | Minimal to no impact                                                                         | 0
Minor         | No extra effort required to repair                                                           | 1
Significant   | Tangible harm, extra effort required to repair                                               | 2
Damaging      | Significant expenditure of resources required; damage to reputation and confidence           | 3
Serious       | Extended outage and/or loss of connectivity; compromise of large amounts of data or services | 4
Grave         | Permanent shutdown; complete compromise                                                      | 5

ISO 17799 Risk Assessment Steps

1) Identify assets within the security perimeter
2) Identify threats to the assets
3) Identify vulnerabilities to the assets
4) Determine realistic probability
5) Calculate harm
6) Calculate risk (probability x harm)

ISO’s Risk Scale

Risk Calculation (Probability times harm) | Rating
0                                         | None
1 – 3                                     | Low
4 – 7                                     | Medium
8 – 14                                    | High
15 – 19                                   | Critical
20 – 30                                   | Extreme

ISO 17799’s Information Security Management Process

1) Obtain Upper Management Support
2) Define Security Perimeter
3) Create Information Security Policy
4) Create Info Security Management System
5) Perform Risk Assessment
6) Select and Implement Controls
7) Document in Statement of Accountability
8) Audit

Microsoft Says . .
Successful Risk Management Requires:

• Executive sponsorship
• A well-defined list of RM stakeholders
• Organizational maturity in terms of RM
• An atmosphere of open communication
• A spirit of teamwork
• A holistic view of the organization
• Security Risk Management Team authority

Microsoft Says . .
Risk Management Has Four Phases

1) Assessing Risk – Triage an entire list of security risks, identifying the most important
2) Conducting Decision Support – Potential control solutions are evaluated, and the best are recommended for mitigating top risks
3) Implementing Controls – Control solutions are put in place
4) Measuring Program Effectiveness – Checking to make sure that the controls are providing the expected protection

[Figure from Microsoft’s Security Risk Management Guide, Chapter 2]

Microsoft Says . .
Assessing Risk Phase has Three Steps

1) Planning – Align your annual process with your budget; specify your scope; identify and pre-sell stakeholders; embrace subjectivity
2) Facilitated Data Gathering – Identify tangible and intangible assets, threats, vulnerabilities, existing controls, probable impact
3) Risk Prioritization – Determine probabilities, and combine impact with probability to produce a risk statement

Microsoft Says . .
Conducting Decision Support Phase

1) Determine functional requirements
2) Identify combinations of controls (Organizational, Operational, Technological)
3) Compare proposed controls to functional requirements
4) Calculate the probable overall risk reduction to the organization
5) Estimate the cost of each proposed control
6) Select which controls to implement

Microsoft Says . .
Implementing Controls Phase

• Solid Building Structure
• Good Network Design
• Secure Wireless Segment
• Disable LAN Services
• Remove User Rights
• Good Firewall Settings
• Least Privilege Necessary
• Small attack surface
• Frequent Backups
• Encryption

Microsoft Says . .
Measuring Program Effectiveness Phase

1) Ongoing – continues until next assessment phase
2) Should catch changes in the information systems environment, and in applications
3) Includes creating and maintaining a security risk scorecard that demonstrates the organization’s current risk profile

[Figure from Microsoft’s Security Risk Management Guide, Chapter 2]
NC ITS’s Risk Management Program

• Consists of two components: Pre-Risk Assessment, and Risk Assessment (three phases), explained in a Risk Management Guide
- Phase I – Identify Risks
- Phase II – Analyze Risks
- Phase III – Manage Risks
• Heavily uses the NIST rating scale:
- Low – Limited adverse effect on agency
- Moderate – Serious adverse effect
- High – Severe or catastrophic adverse effect

NC ITS’s RM – Pre-Risk Assessment

• Review lines of business service that have automated systems that support the business service
• Determine if critical infrastructures are involved, or if there are critical infrastructure dependencies
• Complete the Pre-Risk Assessment form

NC ITS’s RM – Phase I

• A Facilitator leads a team of people responsible for delivery of a particular line of business through completing the Phase I Questions of the ITS Risk Assessment Questionnaire
• If the final score is “Low”, the risk assessment process ends
• If the final score is “Moderate” or “High”, proceed to Phase II for additional analysis

NC ITS’s RM – Phase II

• A Facilitator leads a team of people knowledgeable in the particular line of business through the Phase II Questions of the ITS Risk Assessment Questionnaire
• If the final score is “Low”, the risk assessment process ends
• If the final score is “Moderate” or “High”, proceed to Phase III for mitigation

NC ITS’s RM – Phase III

• A Facilitator leads appropriate managers and staff through an analysis that focuses on mitigation
• The team identifies options to mitigate the risk, analyzes the cost implications, determines the benefits, and balances the cost of implementing each option against the benefits derived from it
• The result is completion of the Risk Analysis Results & Mitigation Plans form found in the ITS Risk Assessment Questionnaire

NC ITS’s Risk Management Training

• On March 31, 2004, ITS and its vendor partner, Strohl Systems, presented a two hour agency training session (introduced by Ann Garrett) which covered both Business Impact Analysis and Risk Management
• Let’s fast forward and view the Risk Management part of the PowerPoint slide show presented there
• Let’s try working through an example

Pre-Risk Assessment Form

• Line of Business – Pharmacy
• Business Process Owner – Pharmacy Director
• Automated System Supporting – MCPlus
• Critical Infrastructure – Linux Server
• Critical Dependencies – Vendor

Risk Assessment Questionnaire

• 20 Phase I Questions (Q1 – Q19)
• If one or more questions is answered as “Moderate” or “High”, then proceed to Phase II questions
• 65 Phase II Questions (Q1 – Q25)
• If one or more questions (except for Q3) is answered as “Moderate” or “High”, then proceed to Phase III
• Let’s try to fill out the Mitigation Plan now

What DHHS Says You Should Do
(Based on June 15, 2005 DHHS Risk Management Policy)

• Assign responsibility for managing risk to senior management
• Provide a mechanism for tracking and reporting risks
• Identify system threats in the environment
• Identify system vulnerabilities the threats could attack
• Identify current security controls
• Identify current security gaps

National Institute of Standards and Technology SP 800-30
The Ten Steps of Risk Assessment

1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation

1) System Characterization

• Define the boundaries of the IT system you are addressing, along with the resources and the information that constitute the system, setting the scope of the assessment effort
• Methods of gathering system characterization information include the use of questionnaires, interviews, and automatic scanning tools
• Output #1: A system characterization paragraph

2) Threat Identification

• A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability
• A threat-source is any circumstance or event with the potential to cause harm to an IT system
• A vulnerability is a weakness that can be accidentally triggered or intentionally exploited

Two Types of Threat-Sources

1) Intent and method targeted at the intentional exploitation of a vulnerability
2) A situation and method that may accidentally trigger a vulnerability

Common Threat-Sources

• Natural Threats – Floods, earthquakes, tornadoes, electrical storms, landslides, avalanches, etc.
• Human Threats – Events either enabled or caused by human beings, including both unintentional acts (inadvertent data entry) and deliberate actions (unauthorized access)
• Environmental Threats – Long-term power failure, pollution, chemicals, liquid leakage

Threat-Source Identification

• Humans are the most dangerous threat-source
• For each type of human threat-source, estimate the motivation, resources, and capabilities that may be required to carry out a successful attack (to be used during the Likelihood Determination phase)
• Output #2: A list of threats
• Output #3: A chart showing motivation and necessary threat actions for human threats

3) Vulnerability Identification

• A vulnerability is a flaw or weakness in system security procedures, design, implementation, or controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of an information security policy
• Output #4: A list of vulnerabilities that could be exploited by the potential threat-sources

Where Vulnerabilities are Found

1) Hardware Configuration – Servers, Workstations, Routers, Switches, Firewalls
2) Software Applications – How installed, Where installed, Rights granted
3) IS Policies and Procedures – How complete, How up-to-date, How well known
4) Humans – Procedures not being followed, Staff not being trained

How We Find Vulnerabilities

1) Hardware Configuration – Complete a System Risk Analysis form for each network component, arrange for penetration testing
2) Software Applications – Complete an Application Criticality and Risk Analysis form for each application
3) IS Policies and Procedures – Complete a review of the quality of your Information Security Policies and Procedures every year
4) Humans – Review log files, training records, and incident reports

4) Control Analysis

• The goal of this step is to analyze the controls that have been implemented to minimize the likelihood of a threat exercising a vulnerability
• Output #5: A list of controls currently in use by network hardware components
• Output #6: A list of controls currently in use by applications

5) Threat-Source/Vulnerability Pairs

• Considering the controls in place, what are the Threat-source/Vulnerability pairs which are of most concern?
• A vulnerability with no threat-source is not a risk
• A threat-source with no vulnerability is not a risk
• Output #7: A list of Threat-source and Vulnerability pairs of concern

6) Likelihood Determination

• A determination of the probability that a potential vulnerability will be exercised
• When determining likelihood, consider:
1) Threat-source motivation and capability
2) The nature of the vulnerability
3) The existence and effectiveness of current controls

Likelihood Determination Results

• Output #8: For each identified vulnerability, a determination of likelihood (H, M, or L)
High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
Low – The threat-source lacks motivation or capability, or controls are in place to prevent or significantly impede exercising the vulnerability

7) Impact Analysis

• Determine the adverse impact resulting from a successful threat exercise of each threat-source/vulnerability pair of concern

Adverse Impact Comes From:

• Loss of Integrity
- Improper modification
• Loss of Availability
- System cannot be accessed or data cannot be located
• Loss of Confidentiality
- Information classified as sensitive is disclosed without authorization
Impact Analysis Needs

• For an Impact Analysis we must know:
1) The organization’s mission
2) The criticality of the data
3) The sensitivity of the data

Sensitivity is the sum of the potential injury from a breakdown in confidentiality
Criticality is the sum of the potential injury from a breakdown in integrity and/or availability
Impacts are High, Medium, or Low

• Output #9: For each identified vulnerability, an estimation of the magnitude of probable impact
High – Exercise of the vulnerability may result in a highly costly loss or may significantly impede an organization’s mission or reputation
Medium – Exercise of the vulnerability may result in a costly loss or may harm an organization’s mission or reputation
Low – Exercise of the vulnerability may result in the loss of some assets, or may noticeably affect an organization’s mission or reputation

8) Risk Determination

• NIST says risk is the net mission impact considering both the likelihood that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact on the organization if this should occur
• Likelihood x Impact = Risk

Use a Risk-Level Matrix

Threat Likelihood | Impact: Low (10)     | Impact: Medium (50)     | Impact: High (100)
High (1.0)        | Low (10 x 1.0 = 10)  | Medium (50 x 1.0 = 50)  | High (100 x 1.0 = 100)
Medium (0.5)      | Low (10 x 0.5 = 5)   | Medium (50 x 0.5 = 25)  | Medium (100 x 0.5 = 50)
Low (0.1)         | Low (10 x 0.1 = 1)   | Low (50 x 0.1 = 5)      | Low (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

Risk Scale and Necessary Actions

Risk Level | Risk Description and Necessary Actions
High       | There is a strong need for corrective measures; the system may continue to operate, but a corrective action plan should be put in place as soon as possible
Medium     | Corrective actions are needed, and a plan incorporating these actions should be developed in a reasonable period of time
Low        | Additional controls may be implemented, or management may decide to accept this risk
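Both scoring schemes in the deck, the ISO 17799 probability x harm scale from earlier and the NIST SP 800-30 likelihood x impact matrix with its necessary actions above, applied to the same threat-source/vulnerability pairs so the two rankings can be compared side by side. This is an added example, not code from the deck or from either standard; the four observations and their ratings are constructed, using threat and vulnerability names from the deck's own lists.

```python
"""Score the same threat-source/vulnerability pairs with the ISO 17799 scales
(probability x harm, banded 0-30) and the NIST SP 800-30 risk-level matrix
(likelihood x impact, banded 1-100). Added example; the pairs are constructed."""
from dataclasses import dataclass

# ISO Probability of Event scale (rating 0-6) and Harm of Event scale (0-5).
ISO_PROBABILITY = {"Negligible": 0, "Very Low": 1, "Low": 2, "Medium": 3,
                   "High": 4, "Very High": 5, "Extreme": 6}
ISO_HARM = {"Insignificant": 0, "Minor": 1, "Significant": 2,
            "Damaging": 3, "Serious": 4, "Grave": 5}
# ISO Risk Scale: inclusive (low, high) score ranges and their rating.
ISO_RISK_BANDS = [(0, 0, "None"), (1, 3, "Low"), (4, 7, "Medium"),
                  (8, 14, "High"), (15, 19, "Critical"), (20, 30, "Extreme")]

# NIST risk-level matrix. Likelihood weights are kept in tenths (1.0 -> 10,
# 0.5 -> 5, 0.1 -> 1) so the products are exact before the final division.
NIST_LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}
NIST_IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Risk Scale and Necessary Actions (wording condensed from the slide).
NIST_ACTIONS = {
    "High": "strong need for corrective measures; corrective action plan as soon as possible",
    "Medium": "corrective actions needed; develop a plan in a reasonable period of time",
    "Low": "additional controls may be implemented, or management may accept the risk",
}


def iso_risk(probability: str, harm: str) -> tuple[int, str]:
    """ISO step 6: risk = probability rating x harm rating, then band it."""
    score = ISO_PROBABILITY[probability] * ISO_HARM[harm]
    for low, high, rating in ISO_RISK_BANDS:
        if low <= score <= high:
            return score, rating
    raise ValueError(f"score {score} is outside the 0-30 ISO scale")


def nist_risk(likelihood: str, impact: str) -> tuple[float, str]:
    """NIST step 8: risk = likelihood x impact; High (>50), Medium (>10), else Low."""
    score = NIST_LIKELIHOOD_TENTHS[likelihood] * NIST_IMPACT[impact] / 10
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


@dataclass(frozen=True)
class Observation:
    """One threat-source/vulnerability pair of concern (NIST Output #7)."""
    threat_source: str
    vulnerability: str
    iso_probability: str
    iso_harm: str
    nist_likelihood: str
    nist_impact: str


def build_register(observations: list[Observation]) -> list[dict]:
    """Score every pair both ways and sort by NIST score, highest risk first."""
    rows = []
    for ob in observations:
        iso_score, iso_rating = iso_risk(ob.iso_probability, ob.iso_harm)
        nist_score, nist_level = nist_risk(ob.nist_likelihood, ob.nist_impact)
        rows.append({
            "pair": f"{ob.threat_source} / {ob.vulnerability}",
            "iso": (iso_score, iso_rating),
            "nist": (nist_score, nist_level),
            "action": NIST_ACTIONS[nist_level],
        })
    return sorted(rows, key=lambda r: r["nist"][0], reverse=True)


# Constructed observations; threat and vulnerability names come from the deck's lists.
OBSERVATIONS = [
    Observation("Intrusion", "Missing patches", "Low", "Serious", "Medium", "High"),
    Observation("Shoulder surfing", "Poor password protection", "High", "Minor", "High", "Low"),
    Observation("Fire", "Poor disaster recovery", "Very Low", "Grave", "Low", "High"),
    Observation("Data entry errors", "Poorly written apps", "Very High", "Significant", "High", "Medium"),
]

if __name__ == "__main__":
    for row in build_register(OBSERVATIONS):
        print(f"{row['pair']:45s} ISO {row['iso']}  NIST {row['nist']}  -> {row['action']}")
```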
Assessing the Risk Level

• Final determination of mission risk is derived by multiplying the threat likelihood and the threat impact scores
• Output #10: A numeric risk score for each identified vulnerability/threat-source pair
• The Vulnerability Analysis form can be used to capture this information

9) Control Recommendations

• Finish your risk assessment by thinking of controls which could help minimize the risk of the vulnerability/threat-source combinations you are most concerned about
• To determine which controls are appropriate to add, perform a cost-benefit analysis
• Output #11: Recommendation of additional controls based on risk assessment

10) Results Documentation

• The Risk Assessment report should be of sufficient detail to allow the organization’s management to make informed decisions on appropriate actions in response to the risks identified
• Unlike an audit or investigative report that looks for “wrong-doing”, the Risk Assessment report should not be presented in an accusatory manner

Risk Assessment Report
88
 Your Risk Assessment report should have:
A) An Introduction
B) A description of your Risk Assessment approach
C) A system characterization summary
D) A list of Threat-Sources
E) Vulnerability/Threat-Source analysis results
F) A summary of risk levels and recommendations
 Output #12: Risk Assessment Report that measures risk and provides recommendations
Report - Introduction
89

 Purpose
 Scope
 Describe
* System Controls
* Elements
* Users
* Site Locations
* Other Details as necessary

90
Report – Risk Assessment Approach
 Describe Approach Used
- Risk Assessment Team members
- Techniques used to gather information (use of tools, questionnaires, etc.)
- Development and description of risk scale (3x3, 4x4, or 5x5 risk level matrix)

Report – System Characterization
91
 Describe the system
- Hardware (server, router, switch)
- Software (application, operating system)
- System Interfaces (communication link)
- Data
- Users
 Provide connectivity diagram or system input and output flowchart

Report - Threat Statement
92
 Compile potential threat sources
 List associated threat actions
 Review Human Motivations

Report – Risk Assessment Results
93
 List observations (vulnerability/threat pairs)
 Observations contain
- Observation number and brief description
- Discussion of threat-source and vulnerability
- Identification of existing security controls
- Likelihood discussion and evaluation
- Risk rating
- Recommended controls or alternative options

Report - Summary
94
 Total number of threat-source/vulnerability pairs identified (“observations”)
 Summarize
- Observations
- Associated risk levels
- Recommendations
- Any comments
 Organize into a table to facilitate implementation

The Ten Steps of Risk Assessment
95

1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Identify Threat-source/Vulnerability Pairs
6) Likelihood Determination
7) Impact Analysis
8) Risk Determination
9) Control Recommendations
10) Results Documentation
Reviewing NIST’s RA Output
96
1) System Characterization
2) List of Threats
3) Human Motivation Review
4) List of Vulnerabilities
5) Review Network Hardware Controls
6) Review Application Controls
7) List Threat-Source and Vulnerability pairs
8) Likelihood determination for each pair of concern
9) Estimation of probable impact
10) Identify risk scores
11) Recommendations, if any, for additional controls
12) Risk Assessment Report

Risk Management Process
97
(Process diagram) Risk Assessment -> Risk Mitigation

Risk Mitigation
98
 Risk Mitigation is the process of identifying areas of risk that are unacceptable, and estimating the countermeasures, costs and resources to be implemented to reduce the level of risk
 Determining “appropriate risk-reducing controls” is a job for your Risk Management Committee

What is “Acceptable” Risk?
99
 Setting your agency’s “risk appetite” is up to your Director and Senior Management
 Because elimination of all risk is impossible, we must use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission

Risk Mitigation Options
100
 Assume the Risk – Accept the risk and continue operating (how big is your appetite?)
 Avoid the Risk – Stop running the program or sharing the data
 Transfer the Risk – Use options to compensate for the loss, such as insurance
 Lessen the Risk – Implement controls that lessen the impact or lower the likelihood

Risk Mitigation Methodology
101
1) Prioritize based on risk levels presented
2) Evaluate recommended control options
3) Conduct a cost-benefit analysis
4) Select additional controls, as necessary
5) Assign responsibility
6) Develop an action plan, if necessary
7) Implement the selected controls
Possible Technical Controls
102

 User Identification
 Security Administration
 Authentication
 Authorization
 Nonrepudiation
 Transaction Privacy
 Restore Secure State
 Virus Detection and Eradication

Possible Management Controls
103
 Assign Security Responsibility
 Conduct Security Awareness Training
 Conduct end-user training for system users
 Implement personnel clearance procedures
 Perform periodic system audits
 Conduct ongoing risk management activities
 Establish incident response capability

Possible Operational Controls
104
 Control physical access
 Secure hub and cable wiring closets
 Establish off-site storage procedures
 Provide an uninterruptible power supply
 Control temperature and humidity
 Provide motion sensors or CCTV monitoring
 Ensure environmental security

Cost-Benefit Analysis
105
 If control reduces risk more than needed, see if a less expensive alternative exists
 If control would cost more than the risk reduction provided, then find something else
 If control does not reduce risk sufficiently, look for more controls or a different control
 If control provides enough risk reduction and is cost-effective, then use it

When Should Management Take Action?
106
(Decision diagram, reconstructed as a sequence of questions from the slide's flowchart)
Threat Source
1. System flaw or design weakness? NO: No Risk. YES:
2. Can be exercised? NO: No Risk. YES: Vulnerability Exists
3. Loss / Mission Impact? NO: No Risk. YES: Risk Exists
4. Attacker’s Cost < Gain? NO: Risk Accept. YES:
5. Anticipated Loss > Threshold? NO: Risk Accept. YES: Unacceptable Risk

Residual Risk
107
 The risk remaining after the implementation of new or enhanced controls is the residual risk
 If the residual risk has not been reduced to an acceptable level, the risk management cycle must be repeated to identify a way of lowering the residual risk to an acceptable level
 Understand that no IT system can be risk-free
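An added example, not from the deck, that applies the four rules of the Cost-Benefit Analysis slide to candidate controls for one observation and reports the residual risk this slide describes. The acceptable-risk threshold (a Low score), the annual-loss estimate used to express "risk reduction provided" in money, and the control costs are assumed, constructed inputs.

```python
from dataclasses import dataclass

ACCEPTABLE = 10  # assumed risk appetite: residual score must be Low (1-10)

@dataclass
class Control:
    name: str
    annual_cost: float
    residual_score: float  # risk score after the control lowers likelihood/impact

def evaluate(current_score, annual_loss, ctl, acceptable=ACCEPTABLE):
    """Apply the deck's cost-benefit rules to one candidate control."""
    if ctl.residual_score > acceptable:
        return "insufficient"   # look for more controls or a different control
    # Risk reduction provided, in money: the share of the (assumed)
    # expected annual loss that the control removes.
    benefit = annual_loss * (1 - ctl.residual_score / current_score)
    if ctl.annual_cost > benefit:
        return "too_costly"     # costs more than the risk reduction provided
    return "acceptable"         # enough reduction and cost-effective

def recommend(current_score, annual_loss, controls, acceptable=ACCEPTABLE):
    """Choose the cheapest acceptable control; mark pricier ones that reduce
    risk more than needed. Returns (chosen or None, verdict per control)."""
    verdicts = {c.name: evaluate(current_score, annual_loss, c, acceptable)
                for c in controls}
    fits = [c for c in controls if verdicts[c.name] == "acceptable"]
    if not fits:
        return None, verdicts   # residual risk too high: repeat the RM cycle
    chosen = min(fits, key=lambda c: c.annual_cost)
    for c in fits:
        if c is not chosen:
            verdicts[c.name] = "over_reduces"  # less expensive alternative exists
    return chosen, verdicts

# Constructed sample for the deck's "workgroup switch in unlocked wiring
# closet" observation: current score 50 (Medium), assumed $20,000 annual loss.
CURRENT_SCORE, ANNUAL_LOSS = 50, 20_000
CANDIDATES = [
    Control("Post a 'no entry' sign", 50, 25),
    Control("Lock the wiring closet", 500, 10),
    Control("Lock plus CCTV monitoring", 6_000, 5),
    Control("Relocate switch to the data center", 40_000, 1),
]

def residual_after(chosen):
    """Residual risk: the score that remains after the chosen control."""
    return chosen.residual_score if chosen else CURRENT_SCORE
```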


Risk Management Process
108
(Process diagram) Risk Assessment -> Risk Mitigation -> RM Evaluation

109
Evaluation and Assessment
 People, systems, and networks change, so
risk management must be ongoing
 Federal agencies must conduct risk
management at least every three years
 Stay flexible to allow changes when
warranted

NIST Says
110
Good Risk Management Depends Upon
1) Senior management’s commitment
2) Support of the IT Team
3) Competence of the Risk Management Committee
4) The cooperation of the users
5) Ongoing assessment of IT-related mission risks
12 Steps Towards YOUR Program
111
1) Educate Management
2) Locate all assets
3) Assign all risk
4) Complete Network Risk Analysis forms
5) Complete Application Risk Analysis forms
6) Penetration and Vulnerability Testing
7) Update Threats list
8) Review IS P&P
9) Complete Vulnerability Analysis forms
10) RM Committee meets and decides on additional controls
11) Report sent to Director
12) RM mid-year meeting
1) Educate Management
112
 Risk Management is one of a half dozen Information Security projects which Management must be educated about
 Consider an Information Security Training for Management presentation
 Risk Management MUST be driven by management if it is to be successful
 Don’t neglect training for “middle” managers, including application owners and supervisors

2) Locate All Assets
113
 Hardware and Data - Start listing what you know about, then find the rest
 Do searches on the network for file types
 Find out who has been storing data on local hard drives (and stop it)
 List applications, including which have PHI
 Determine where Word, Excel, and Access files with PHI are kept

3) Assign all Risk
114
 All applications have Data Owners
 If you created a file (not part of an application program), then you own it
 If you own a file, you are responsible for protecting it
 All network components – wiring, router, switches, servers, concentrators – have a person assigned to them who owns the risk

115
4) Network Risk Analysis Forms
 Complete one form for
each type of component
1) Windows XP Workstations
2) Windows 2000 workstations
3) Windows 98 workstations
4) File Servers
5) Firewall
6) Router
7) Core Switch
8) Workgroup Switches
9) Wireless Segment, etc.
116
5) Application Risk Analysis Forms
 Complete one form
for each application
1) HEARTS
2) MCPlus Pharmacy
3) NC Accounting
4) Personal Planning System
5) NCSnap
6) Restraint Tracking
7) Staff Development Records
8) Staff Vacancies, etc.
6) Penetration and Vulnerability Tests
117
 DIRM may be willing to provide penetration and vulnerability testing
 You may have to hire a firm to provide these services
 Testing should be done from both inside your firewall, and from outside your firewall
 If necessary, hire a teenager

7) Update Threats List
118
 Consider Natural Threats, Human Threats, and Environmental Threats
 For Human Threats, consider sources of motivation
 Your Threats List will not be identical to others, since local factors must be considered
 Provide this updated list to your Risk Management Committee each year

119
8) Review IS Policies and Procedures
 Many risks are inherent in the absence of
information security policies and procedures
 Procedures must evolve as new policies develop and
old policies change
 Your IS Policy and Procedure review should be done
by someone other than the agency’s Information
Security Official
 The results of this review are presented at the Risk
Management Team meeting

120
9) Vulnerability Analysis Forms
 Complete one form for each vulnerability/threat-pair combination
1) HEARTS PHI being disclosed to or by the Client Data Warehouse
2) Workgroup switch located in unlocked wiring closet
3) Loss of application availability due to file server running out of disk space

10) Risk Management Team Meets
121
 RM Committee should be made up of senior managers, such as the Assistant Director and Business Manager, and at least one information system owner
 Team reviews all input, and makes decisions as to what additional cost-effective controls should be implemented
 Educating this team is an important part of improving your risk management process
 It is the Team’s experience that sets priorities
122
11) Send RM Report to the Director
 The Risk Management Report should clearly list the
vulnerability/threat-source pairings of concern, and
any additional controls which are recommended
 The report should ideally include a cover letter to
the Director, signed by each member of the
Committee

123
12) The Committee’s Mid-Year Meeting
 The Risk Management Committee should meet at
least twice each year
 The mid-year meeting should be concerned about
evaluating the results of the recommendations which
emerged from the year’s first meeting, where
mitigation measures were discussed and decided
upon
 Minutes of your Risk Management Committee
meetings should be saved for 6 years

12 Steps Towards YOUR Program
124
1) Educate Management
2) Locate all assets
3) Assign all risk
4) Complete Network Risk Analysis forms
5) Complete Application Risk Analysis forms
6) Penetration and Vulnerability Testing
7) Update Threats list
8) Review IS P&P
9) Complete Vulnerability Analysis forms
10) RM Committee meets and decides on additional controls
11) Report sent to Director
12) RM mid-year meeting
125
Risk Management Process Timeline
(Timeline figure; milestones in the order shown on the slide)
- Risk Mitigation Meeting
- Report Sent to Director
- Implement Additional Controls
- Risk Management Mid-Year Meeting
- Penetration Testing
- Network Risk Forms
- Application Risk Forms
- Update Threat List
- Vulnerability Forms
126

THANK YOU