
IS SECURITY & RISK MANAGEMENT
SESSION 7 & 8

Fenita Suprapto 1901809371
Hilda Oktavianni JM 1901809384
Khoerintus 190180
Group: 4
Magister Manajemen Sistem Informasi / LMC3
Universitas Bina Nusantara
RISK ASSESSMENT TECHNIQUE AND THREAT AND VULNERABILITY MANAGEMENT

OUTLINE
1 OPERATIONAL ASSESSMENTS
2 PROJECT-BASED ASSESSMENTS
3 THIRD-PARTY ASSESSMENTS
4 BUILDING BLOCKS AND THREAT IDENTIFICATION
5 ADVISORIES & TESTING
6 THE FAIR APPROACH


OPERATIONAL ASSESSMENTS

What is Risk Assessment?
Systematic method for determining whether a system has risks that need to be corrected.

OPERATIONAL TECHNIQUE
- Questionnaire and Interview: arrange questions, then disseminate them orally or in writing
- Active and Passive Testing: use tools to test system security
- Third Party Reviews and Certification: third-party assessment of the level of system security and provision of certification

PROJECT-BASED ASSESSMENTS

• Project must have a clear timeline and result
• Assessment is done early
• The final decision is based on the result of the joint discussion through analysis and recommendation

PROJECT-BASED ASSESSMENTS: THE FRAAP APPROACH
A. THE FRAAP APPROACH
• Implemented within a predetermined period of time
• Encourage teams to raise problems and identify risks
B. PREP WORK
Pre-session meeting to discuss the objectives of the risk assessment, the agenda, and the format, which will be discussed later
C. RUNNING THE SESSION
The session takes place according to the initial target, which is 4 to 8 hours.
D. REPORTING
Prepare reports within 4 to 6 days after the project risk assessment session is complete
THIRD-PARTY ASSESSMENTS

MAIN ISSUES
- Lack of an industry-standard format for vendor risk assessment questionnaires
- Lack of a universally accepted certification

INDUSTRY STANDARD ASSESSMENTS
- Create a standardized set of vendor due diligence questions in a common format
- Use an existing standard questionnaire, such as the Standardized Information Gathering (SIG) questionnaire

LEVEL OF ASSESSMENTS
- SIG Version 5 (level 1, level 2, detailed version)
- SIG Version 6 (SIG-Lite, topic-based questionnaires [SIG-F. Physical and Environmental Security, SIG-G. Communications and Operations Management])

IMPROVING THE PROCESS
- Create a document that summarizes the security program
- Create a repository of past questionnaires and answers
- Certification and accreditation review or internal audit
- Adjust the internal policy and standard governance process
BUILDING BLOCKS AND THREAT IDENTIFICATION

Threat & Vulnerability Management (TVM)
Identify, assess, classify, restore, and minimize security weaknesses.

TVM DEVELOPMENT STEPS
1. Asset Inventory: arrange the inventory
2. Resource Profiling: determine the risk sensitivity of assets
3. Risk Scale: establish a risk scale qualitatively
4. Workflow: determine the workflow for processing new risks
THREAT IDENTIFICATION
- Identify sources of threats that have the potential to exploit system weaknesses
- How to identify:
  1. Focus on certain aspects, such as the magnitude of the threat, then internal / external threats
  2. Look at threat intelligence reports to observe threat activities
  3. Use observed internal security incident statistics
- Sources of threat information:
  1. Certain organizational periodic reports
  2. Vendors
  3. Internal testing
ADVISORIES & TESTING

RATING VULNERABILITIES
- CRITICAL: a vulnerability that can allow full access to or control of the application
- HIGH: a vulnerability that can allow limited access to or control of the application
- MODERATE: a vulnerability that can indirectly contribute to illegal or unknown activities
- LOW: a vulnerability where the security process or procedure for regulating or managing security-related activities is lacking.
THE FAIR APPROACH

WHAT IS IT?
Factor Analysis of Information Risk (FAIR) is a model of risk assessment published by Jack Jones that breaks risk down into various components and keeps the analysis steps simple.

FAIR APPROACH
FAIR has 2 basic factors for measuring risk:
- Loss Event Frequency (LEF): the probable frequency that a threat will cause loss within a timeframe.
- Probable Loss Magnitude (PLM): an estimate of the probable magnitude of worst-case loss or future loss.

FAIR factor tree (each factor is derived from the factors beneath it):
Risk
  Loss Event Frequency (LEF)
    Threat Event Frequency (TEF)
    Vulnerability
      Threat Capability
      Control Strength
  Probable Loss Magnitude (PLM)

FAIR factors: THREAT EVENT FREQUENCY (TEF), THREAT CAPABILITY, CONTROL STRENGTH, VULNERABILITY, LOSS EVENT FREQUENCY (LEF), PROBABLE LOSS MAGNITUDE (PLM), RISK EXPOSURE
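As an added worked example (not from the slides), the factor tree above evaluated in Python: every factor is a calibrated (low, most likely, high) estimate combined with 1:4:1 PERT weights, vulnerability is taken as the probability that threat capability exceeds control strength, and the scenario numbers are constructed for illustration only.

```python
from dataclasses import dataclass
from itertools import product

# PERT weights for (low, most likely, high) estimates, 1:4:1 (assumed convention, not from the slides)
WEIGHTS = (1 / 6, 4 / 6, 1 / 6)

@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def points(self):
        """(value, weight) pairs for the low / most likely / high scenarios."""
        return tuple(zip((self.low, self.likely, self.high), WEIGHTS))

    def expected(self) -> float:
        """PERT-weighted mean of the estimate."""
        return sum(v * w for v, w in self.points())

def vulnerability(threat_capability: Estimate, control_strength: Estimate) -> float:
    """Probability (0..1) that the threat's capability exceeds control strength."""
    return sum(wt * wc
               for (t, wt), (c, wc) in product(threat_capability.points(), control_strength.points())
               if t > c)

def loss_event_frequency(tef: Estimate, vuln: float) -> float:
    """LEF = threat event frequency (events per year) x vulnerability."""
    return tef.expected() * vuln

def risk_exposure(tef: Estimate, threat_capability: Estimate,
                  control_strength: Estimate, plm: Estimate) -> dict:
    """Walk the FAIR tree bottom-up: Risk = LEF x PLM; returns every intermediate factor."""
    vuln = vulnerability(threat_capability, control_strength)
    lef = loss_event_frequency(tef, vuln)
    return {"vulnerability": vuln, "lef": lef, "plm": plm.expected(), "risk": lef * plm.expected()}

# Constructed scenario (illustrative numbers only): phishing against a finance mailbox.
SCENARIO = dict(
    tef=Estimate(3, 6, 15),                  # threat events per year
    threat_capability=Estimate(40, 60, 90),  # percentile of the attacker population
    control_strength=Estimate(50, 70, 80),   # percentile of attackers the controls resist
    plm=Estimate(10_000, 25_000, 100_000),   # loss per event, in currency units
)

if __name__ == "__main__":
    for name, value in risk_exposure(**SCENARIO).items():
        print(f"{name:>13}: {value:,.3f}")
```

Raising control strength so that its low estimate exceeds the threat's high estimate drives vulnerability, and therefore LEF and risk, to zero, which is the lever the Control Strength leaf of the tree represents.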
THANK YOU
