Program Studi Sistem Informasi FTI – UAJY – 2018

Risk Assessment Steps
1. Identify assets and activities to address.
2. Identify and evaluate relevant threats.
3. Identify and evaluate relevant vulnerabilities.
4. Identify and evaluate relevant countermeasures.
5. Assess threats, vulnerabilities, and exploits.
6. Evaluate risks.
7. Develop recommendations to mitigate risks.
8. Present recommendations to management.

• Before progressing with the RA, you need to complete two preliminary actions:
1. Define the assessment.
2. Review previous findings.

1. Defining the assessment
• You need to clearly define what you will assess. If it is a system, describe the system. If it is a process, describe the process.
• When describing the system or process, you will often focus on two primary areas:
– Operational characteristics
– Mission of the system

• Operational characteristics
– Operational characteristics define how the system operates in your environment.
– It is not enough to just name the system, such as "E-mail server." Instead, you need to identify how the system is currently configured and operating (for example, the software and version it runs, the services it exposes, and who administers it).

• Mission of the system
– The mission of the system defines what the system does.
– For example, an e-mail system could have the following mission: The e-mail server provides all e-mail services for the network. This includes the following functions:
• Routing e-mail between internal clients
• Accepting e-mail from external e-mail servers and routing it to internal clients
• Accepting e-mail from internal clients and routing it to external e-mail servers
• Scanning all e-mail attachments and removing malware
• Scanning all e-mail for spam and stripping out confirmed spam

2. Review previous findings
• If previous audits or risk assessments are available, you should review them. They show which weaknesses were already found, which controls were recommended, and whether those controls were actually implemented, so you do not rediscover known issues from scratch.
Identifying the Management Structure
• The management structure refers to how responsibilities are assigned.
• A small organization may have a single IT section that is responsible for all IT systems and processes.
• A larger organization may have multiple IT sections or divisions. In this case, various managers or management teams oversee different IT systems, and each manager has different responsibilities.
• A small organization may perform a risk assessment for many systems at the same time. A larger organization will likely separate the risk assessments, with each one scoped to the systems a particular manager is accountable for.

Identifying Assets and Activities Within Risk Assessment Boundaries
• Asset valuation is the process of determining the value of an asset to the organization, usually starting from its fair market value.
• This is one of the first priorities of risk management.
• Once you know the value of your assets, you can prioritize their importance.
• When considering the value of an asset, you can look at it from different perspectives:
– Replacement value: the cost to purchase a new asset in its place. For example, if a laptop fails or is stolen, the price to purchase a new laptop with similar hardware and software may be $1,500.
– Recovery value: the cost to get the asset operational again after a failure. For example, if the hard drive on a server fails, you would not replace the entire server. Instead, you would replace the hard drive and take steps to recover the system, which may require reinstalling the operating system and restoring data from a backup. You must also count the time needed to perform the repair: if a repair requires two hours, the system is unavailable for two hours. If it is a Web server generating $10,000 an hour in revenue, the two hours of downtime add $20,000 to the recovery value.

Identifying and Evaluating Relevant Threats
• A threat is any potential danger. The danger can be to the data, the hardware, or the systems.
• A threat assessment is the process of identifying threats.
• It is important to understand how threats combine with vulnerabilities to produce risk: a threat with no corresponding weakness to exploit causes no loss.
• You can use one of two primary methods to identify threats:
– Review historical data
– Modeling

• Review historical data
– History often repeats itself, and this is as true of IT systems as of other areas.
– You can save yourself a lot of time by reviewing historical data (incident reports, help desk tickets, outage records, prior audit findings) to identify realistic threats.

• Threat modeling is a process used to identify possible threats to a system.
– It attempts to look at the system from the attacker's perspective.
– The result of threat modeling is a document called a threat model.
• The threat model provides information on:
– The system: background information on the system.
– Threat profile: a list of threats. It identifies what the attacker may try to do to the system, including the possible goals of the attack. For example, one attack may attempt to take the system down; another may attempt to access data in the system.
– Threat analysis: each threat in the threat profile is analyzed to determine whether an asset is vulnerable to it. Threat analysis includes reviewing existing controls to determine their effectiveness against the threat.

Identifying and Evaluating Relevant Vulnerabilities
Two things are certain about vulnerabilities:
• All systems have vulnerabilities. You cannot eliminate all vulnerabilities any more than you can eliminate all risks. Your goal is to identify the relevant vulnerabilities; you can then choose to implement controls to reduce the weakness.
• Not all vulnerabilities result in a loss. A loss occurs only when a threat and a vulnerability come together as a threat/vulnerability pair, so you only need to identify and evaluate the relevant vulnerabilities.
• One of the ways to identify and evaluate vulnerabilities is by using assessments. The two primary assessments are:
– Vulnerability assessments: a vulnerability assessment is a process used to discover weaknesses in a system.
– Exploit assessments: an exploit assessment attempts to discover which of those vulnerabilities an attacker can actually exploit. Exploit assessments are also referred to as penetration tests.

Identifying and Evaluating Countermeasures
• A countermeasure is a security control or a safeguard.
• You implement a countermeasure to reduce a risk.
• You can reduce a risk by reducing vulnerabilities (lowering the likelihood that a threat succeeds) or by reducing the impact of the threat.
• When identifying and evaluating countermeasures, you should consider:
– In-place controls: controls that are currently installed in the operational system.
– Planned controls: controls that have a specified implementation date. They do not reduce the risk until that date, so record them separately from in-place controls.
– Control categories: controls fall into three primary categories: administrative controls, technical controls, and physical controls. When reviewing the controls, consider the purpose of each one.

Discussion
• Take one of the risks you identified in your case study, then identify an administrative control, a technical control, and a physical control for that risk.

Selecting a Methodology Based on Assessment Needs
• Once you have identified and evaluated the elements individually, you need to calculate the associated risk.
• The two primary methodologies you can use are:
– Quantitative (risk expressed in monetary terms)
– Qualitative (risk expressed on a relative scale, such as low, medium, and high)

Develop Mitigating Recommendations
• After performing the analysis, you can provide specific recommendations that mitigate the risks.
• Include the data you have collected to support the recommendations. Supporting data may include:
– Threat/vulnerability pairs
– Estimate of cost and time to implement
– Estimate of operational impact
– Cost-benefit analysis

Present Risk Assessment Results
• After you complete the RA, you create a report documenting the results. Reporting has two phases:
– In the first phase, you present the recommendations to management.
– In the second phase, you document the decisions made by management (which recommendations are accepted, deferred, or rejected) and create a plan of action and milestones (POAM).