Emasters Net Pvt. Ltd.

RISK ASSESSMENT
Objective

• What is Security Risk?
• Why assess the Risk?
• How to assess the Risk?

What is Security Risk?

• A security risk is the potential that a given threat will exploit vulnerabilities to cause loss/damage to an asset and hence directly/indirectly to the organization.
• It is a function of the impact of the undesirable event and the likelihood of the event occurring.

The Nature Of Risk

• Risk is present in all corporate systems and is applicable to all business processes.
• Risks associated with
-- Competitive environment
-- Compliance with legislation
-- Reliability & availability of business critical information
• Risks related to corporate policies & strategies
-- Expansion, restructuring the business
-- Developing new products
-- Protecting information systems including their use and related business activities

The Nature Of Information Security Risk

• Corporate information
-- The life blood of business
-- The survival & success of business depends on it
• Information security is concerned with
-- Confidentiality
-- Integrity
-- Availability

What Is Risk Assessment

• The process of identifying security risks and determining their magnitude
• It produces an estimate of the risk to an asset at a given point in time. It answers the following questions:
-- What can go wrong?
-- How bad could it be?
-- How likely is it to occur?
-- How to manage the risk?

The Purpose Of Risk Assessment

• To identify the requirements for protecting the organization's information assets
• To review the consequences of the risks, i.e. impact/damage to the business
• To make decisions on how to manage risks
-- Accept or Tolerate
-- Avoid
-- Transfer the responsibility
-- Reduce or control

Risk Assessment Process

(Diagram) The following activities feed into the risk assessment:
• Asset identification and valuation
• Threat assessment
• Vulnerability assessment
• Identification of existing and planned security controls
• Risk assessment

Risk Management Process

(Diagram) The risk assessment output feeds the risk management process:
• Risk assessment output
• Identification and selection of security controls
• Reducing the risk
• Risk acceptance

Basis Of Selection Of Risk Assessment Approach

• Business environment
• Nature and importance of business
• The dependency on technology and non-technology based information systems
• The complexity of the business, supporting systems, applications and services
• The number of trading partners and external business and contractual relationships

Risk Assessment Approaches

• Basic risk assessment
-- This approach enables an organisation to establish its ISMS by achieving a basic level of protection or baseline level security
-- A list of generalized or commonly known threats and vulnerabilities is used for the risk assessment
• Detailed risk assessment
-- This approach involves detailed identification and valuation of assets and assessment of their threats and vulnerabilities

Combined Approach Of Risk Assessment

• Carry out a basic risk assessment
• Based on the above, the assets are categorised into those which require special treatment (assets critical to the business) and those which require general treatment
• Carry out a detailed risk assessment for the assets which require special treatment

Risk Assessment Methods

• Matrix with predefined values
• Ranking of threats by measure of risk
• Risk grading

Risk Assessment Output

• The outcome of the risk assessment process is a list of risks, ranked according to some scale and associated with the assets they relate to
• The risk assessment output needs to be reviewed and decisions need to be made on "How to manage the risk by implementing e.g. BS7799 CONTROLS"
• This is the input to the risk management process

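The "matrix with predefined values" method and the ranked output described on the two slides above, worked through as an added example that is not part of the original slides. The scales (asset value 1..5, threat likelihood and vulnerability level 1..3), the likelihood matrix, the acceptance threshold and the sample asset inventory are all assumptions chosen for illustration.

```python
# Added worked example (not from the original slides): a "matrix with
# predefined values" risk assessment and a ranking of threats by measure
# of risk. Scales, matrix and sample inventory are assumptions.
from dataclasses import dataclass

# Predefined matrix: event likelihood (1-5) looked up from threat
# likelihood (rows, 1=low..3=high) and vulnerability level (columns).
LIKELIHOOD_MATRIX = {
    1: {1: 1, 2: 2, 3: 3},
    2: {1: 2, 2: 3, 3: 4},
    3: {1: 3, 2: 4, 3: 5},
}

@dataclass
class RiskItem:
    asset: str
    asset_value: int        # impact scale 1 (negligible) .. 5 (critical)
    threat: str
    threat_likelihood: int  # 1..3
    vulnerability: int      # 1..3; lower it when an existing control applies

def event_likelihood(item):
    return LIKELIHOOD_MATRIX[item.threat_likelihood][item.vulnerability]

def risk_measure(item):
    """Risk as a function of impact (asset value) and event likelihood."""
    return item.asset_value * event_likelihood(item)

def rank_risks(items):
    """List of (risk measure, asset, threat), highest risk first."""
    return sorted(((risk_measure(i), i.asset, i.threat) for i in items), reverse=True)

def treatment(measure, accept_below=6):
    """Assumed decision rule: tolerate small risks, reduce/control the rest."""
    return "accept" if measure < accept_below else "reduce/control"

# Constructed sample inventory using threats named on the slides.
SAMPLE = [
    RiskItem("customer database", 5, "unauthorized access", 3, 2),
    RiskItem("file server", 4, "power fluctuation", 2, 3),
    RiskItem("user workstation", 2, "malicious software", 3, 1),
    RiskItem("printer", 1, "equipment failure", 2, 2),
]

if __name__ == "__main__":
    for measure, asset, threat in rank_risks(SAMPLE):
        print(f"{measure:2d}  {asset:18s} {threat:20s} {treatment(measure)}")
```

The ranked list is the risk assessment output; the treatment column is the first decision the risk management process takes on it.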
Risk Assessment Helps To Select Controls

• The value of an asset shows how much protection/resources (time, money etc.) should be spent to protect it
• The security requirements of an asset identify applicable controls, e.g.
-- For availability, information may be protected by backup
-- For integrity, a suitable mechanism may be employed to avoid unauthorized changes
-- For confidentiality, information may be protected by encryption
• Where a high vulnerability is identified, removal of the vulnerability can reduce the associated risk(s), e.g.
-- To reduce the possibility of an attack by a cracker, implement a firewall
-- For total removal of the threat, disconnect the network from the internet
• Details of the existing controls can have a strong influence on the selection of further controls, since all the controls should be compatible, e.g. by implementing audit trails the already existing control of access through unique user ID may be enhanced
• Information on the assessed measures of risk can be used to prioritise the threats in order to decide which should be dealt with first, and how to allocate limited resources
• The assessed risk can be the basis for selecting controls, e.g.
-- To reduce the likelihood of unauthorized access, employ suitable access control
-- To reduce damage due to power failure, install a UPS

Identified Possible Threats

• FIRE
• USER ERROR
• ADMINISTRATOR ERROR
• EQUIPMENT FAILURE
• SOFTWARE FAILURE
• MALICIOUS SOFTWARE
• MISUSE OF RESOURCES
• UNAUTHORIZED ACCESS
• EAVESDROPPING
• REPUDIATION
• ILLEGAL USE OF SOFTWARE
• POWER FLUCTUATION

Common Vulnerabilities

• Susceptibility of equipment to voltage fluctuation & spikes
• Wrong allocation of access rights
• Lack of proper policies for the correct use of the resources
• Lack of periodic replacement of media, e.g., floppies, CD-ROMs, etc.
• Lack of audit trail
• Unprotected communication lines
• Lack of off-site storage of backups
• Lack of proof of receiving or sending of messages
• Lack of validation mechanisms in the I/O of the custom application software
• Uncontrolled copying of software
• Lack of regular updates of the anti-virus software
• Lack of security awareness

Planned Security Controls

• Backups are done once a week and stored in the network management …
• Anti-virus software should be in place, which takes care of all servers and clients
• Anti-virus should be of a reputed company
• Access to network resources is controlled by the ACL of the network OS
• Firewall should be in place in the internet access gateway
• Internet access details can be displayed using the internet logging facility of the proxy server
• Network should be under maintenance contract
• Administrators are trained to manage networks
