
Risk Management

Identifying and Assessing Risk

Outline
• Introduction
• Risk Management
• Risk Identification
• Risk Assessment
• Documenting the Results of Risk Assessment

In the News
• “Imprudent curiosity” and ample warning?
"Every single time they access a computer there's a
reminder that comes up that says: The
information you are about to access has Privacy
Act restrictions on it and you are acknowledging
that you have a need to know in order to do your
job to access this file; and that if you are
accessing it in an unauthorized manner, then
there are potential penalties."
http://www.cnn.com/2008/POLITICS/03/21/passport.breach/index.html

Introduction
• Information security departments are created primarily to
manage IT risk
• Risk management program has two formal processes
» Risk identification and assessment
» Risk control

Knowing Ourselves
• Identify, Examine and Understand
» information at rest, in motion, and in use (stored,
transmitted, and processed)
• Initiate an in-depth risk management program
• Risk management is a process, not a one-time product
» Its outputs are the safeguards and controls that are devised and
implemented (due diligence is required to keep them effective)

Knowing the Enemy
• Identify, examine, and understand
» the threats
• Managers must be prepared
» to fully identify those threats that pose risks to the
organization and the security of its information assets
• Risk management is the process
» of assessing the risks to an organization’s information
and determining how those risks can be controlled or
mitigated

Risk Management
• The process concerned with identification,
measurement, control and minimization of security risks
in information systems to a level commensurate with the
value of the assets protected (NIST)
(Figure: the Risk Management Cycle. Identify the Risk Areas -> Assess the
Risks -> Develop Risk Management Plan -> Implement Risk Management Actions ->
Re-evaluate the Risks, and back to Identify. The identify and assess steps are
labelled Risk Assessment; develop, implement, and re-evaluate are labelled Risk
Control (Mitigation).)
Accountability for Risk Management
• All three communities of interest bear
responsibility (IT, InfoSec, Management & Users)
» Evaluating risk controls
» Determining which control options are cost-effective
» Acquiring or installing appropriate controls
» Overseeing processes to ensure that controls remain
effective
» Identifying risks
» Assessing risks
» Summarizing findings

Risk Identification Process

Risk Identification
• Risk identification
» begins with the process of self-examination
• Managers
» identify the organization’s information assets,
» classify them into useful groups, and
» prioritize them by their overall importance

Creating an Inventory of Information Assets
• Identify information assets
» people, procedures, data and information, software,
hardware, and networking elements
» values will be assigned later in the process

Organizational Assets

12
Identifying Hardware, Software, and Network Assets
• Many organizations use purchased asset inventory
systems
• Determine which attributes of each of these information
assets should be tracked
» Will depend on the needs of the organization and
» its risk management efforts

Attributes for Assets
• Potential attributes:
» Name
» IP address
» MAC address
» Asset type
» Manufacturer name
» Manufacturer’s model or part number
» Software version, update revision
» Physical location
» Logical location
» Controlling entity

Commercial Products
• Altiris
• Novell Zenworks
• Microsoft SMS
• CA Asset Management

Identifying People, Procedures, and Data Assets
• Whose responsibility?
» managers who possess the necessary knowledge,
experience, and judgment
• Recording
» use reliable data-handling process

People, Procedures, and Data Assets
• People: suggested attributes
» Position name/number/ID
» Supervisor name/number/ID
» Security clearance level
» Special skills
• Procedures: suggested attributes
» Description
» Intended purpose
» Software/hardware/networking elements to which it is tied
» Location where it is stored for reference
» Location where it is stored for update purposes

People, Procedures, and Data
Assets
• Data Suggested Attributes
» Classification
» Owner/creator/manager
» Size of data structure
» Data structure used
» Online or offline
» Location
» Backup procedures

Classifying and Categorizing Assets
• Determine whether its asset categories are
meaningful
» After initial inventory is assembled
• Inventory should also reflect sensitivity and
security priority assigned to each asset
• A classification scheme categorizes these
information assets based on their sensitivity and
security needs
» One example: confidential, internal, and public

Classifying and Categorizing Assets
(Continued)
• Each category designates the level of protection needed for a
particular information asset
• Classification categories must be comprehensive
and mutually exclusive
• Personnel may require alternative classification
» identifies the clearance needed to use the asset type
» Need-to-know, right-to-update

Assessing Values for Information Assets
• Assign a relative value
» to ensure that the most valuable information assets are
given the highest priority, for example:
• Which is the most critical to the success of the organization?
• Which generates the most revenue?
• Which generates the highest profitability?
• Which is the most expensive to replace?
• Which is the most expensive to protect?
• Whose loss or compromise would be the most embarrassing or
cause the greatest liability?
• Final step in the Risk Identification process is to
list the assets in order of importance
» Can use a weighted factor analysis worksheet

Weighted Factor Analysis Worksheet
(Figure; see Risk Management for IT Systems, NIST SP 800-30)

Data Classification Model
• Data owners must classify information assets for which
they are responsible and review the classifications
periodically
• Example:
» Public
» For official use only
» Sensitive
» Classified

Data Classification Model
• The US military uses a five-level scheme; the top three levels are the
classification levels defined in Executive Order 12958, while the lower two
are handling categories rather than classifications:
» Unclassified Data
» Sensitive But Unclassified (SBU) Data
» Confidential Data
» Secret Data
» Top Secret Data

Security Clearances
• Personnel Security Clearance Structure:
» Complement to data classification scheme
» Each user of information asset is assigned an
authorization level that indicates level of information
classification he or she can access
• Most organizations have developed a set of roles
and corresponding security clearances
» Individuals are assigned into groups that correlate with
classifications of the information assets they need for
their work

Management of Classified Information Assets
• Managing an information asset includes
» the storage, distribution, portability, and destruction of
that information asset
• Information asset that has a classification
designation other than unclassified or public:
» Must be clearly marked as such
» Must be available only to authorized individuals

Management of Classified Information Assets
• Clean Desk policy
» To maintain confidentiality of classified documents,
managers can implement a clean desk policy
• Destruction of sensitive material
» When copies of classified information are no longer valuable
or too many copies exist, care should be taken to destroy
them properly to discourage dumpster diving

Threat Identification
• Assess potential weaknesses in information assets
• Requires experience and good judgment
• Cannot assume that each and every threat will lead to an
attack
• Need to prioritize and identify threats and threat agents

Threat Identification

Threat Assessment
• Which threats present a danger to this organization’s
information assets in its current environment?
» Eliminate any threats that do not impact your organization.
» Provide specific examples for the threats that do.

Threat Identification
• Which threats represent the gravest danger to the
organization’s information assets?
» Consider probability of threat, amount of damage, or
frequency that an attack can occur
» Based on existing level of preparedness and used for
improving information security strategy

Threat Identification
Top three threats identified by top computing
executives:
• Deliberate software attacks
• Technical software failures or errors
• Acts of human error or failure

• Do you agree?

Threats to Information Security: Survey of Industry

Threat Identification
Top four types of attack or misuse:
• Virus
• Laptop/mobile theft
• Insider abuse of Net access
• Unauthorized access to information

• Any thoughts?

CSI/FBI Survey Results for Types of Attack or Misuse (1999-2006)


2007 updates available

Frequency of Attacks
Ask the following questions:
• How much would it cost to recover from a successful
attack?
» Can rank potential costs (1-5) or assign raw values
» Want rough assessments, not full blown analysis
• Which threats would require the greatest expenditure to
prevent?

Frequency of Attacks
• Detected attacks have been decreasing*
• Some organizations also do not know if they have been
attacked or not

*CSI Survey 2007 (http://gocsi.com )

Vulnerability Assessment
• Create asset-threat pairs.
• Use the table of threats to analyze and list
possible vulnerabilities for each specific asset.
• Process can be somewhat subjective and based
on experience/knowledge.
• Use teams with diverse backgrounds (specialists,
management, technically proficient users) to
conduct assessment.

Threat Vulnerability Asset Worksheet
(TVA)
• TVA => Prioritized list of assets and their vulnerabilities +
Threats prioritized by weights
• X-axis => Prioritized set of assets with most valuable asset
listed on the extreme left
• Y-axis => Prioritized set of threats with most important or
dangerous threat listed at the top
• A grid that provides a convenient method of examining the
exposure of assets
• Provides a simplistic vulnerability assessment
• Entries are recorded as threat-asset-vulnerability “triples”

EECS 711 Spring 2008 Chapter 7
Risk Assessment Process
• Many believe the most difficult aspect of risk assessment
is uncovering the large number of systems and their
configuration vulnerabilities that put a system at risk
• In reality the challenge is deciding, organization-wide, the value of
information and intellectual property
• Without this knowledge, and without knowing the systems that carry this
information, it is impossible to decide how much can reasonably be spent
protecting it

Risk Assessment Process (contd)
• In assessing risk one must know what needs to be
protected and how much the information is worth
• Challenges:
» What system needs protection?
» Which vulnerabilities pose the greatest threat?

Risk Assessment
• Process of assessing relative risk for each vulnerability
• Assigns a risk rating or score to each vulnerability
• No meaning in absolute terms but helps gauge relative risk
associated with each vulnerable information asset
• Model to evaluate risk for each info asset

Risk Assessment (contd)

Risk Rating = (Likelihood of occurrence of a vulnerability x Value of information asset)
              - % of risk mitigated by current controls
              + Uncertainty of current knowledge of the vulnerability

where the mitigation and uncertainty percentages are both taken of the
likelihood x value product.

Risk Assessment (contd)
• Likelihood of vulnerability
» Probability that a specific vulnerability will be exploited
» NIST 800-30 recommends values between 0.1(low) and
1.0(high)
» Cannot be 0, because vulnerabilities with a likelihood of 0
should have been removed from the asset vulnerability list
» External references for many asset/vulnerability
combinations already exist and should be used whenever
possible

Risk Assessment (contd)
• Potential loss
» Done by weighted scores based on the value of information
asset
» NIST SP 800-30 assigns weights in broad categories: 10 (low value),
50 (medium value), 100 (high value)
» Other scales use 1 to 10 or assigned values of 1(low),
3(medium) and 5(high)

Risk Assessment (contd)
• Percentage of risk mitigated by current controls
» If a vulnerability is fully managed by an existing control, it can be
set aside
» If vulnerability is partially controlled, estimate what % of
vulnerability has been controlled

Risk Assessment (contd)
• Uncertainty
» It is not possible to know everything about a vulnerability
» How likely is an attack against a vulnerability
» How great of an impact would a successful attack have on
an organization
» It is an estimate made by the manager using good judgment
and experience

Risk Assessment (contd)
• Identify possible controls
» For each threat and its associated vulnerabilities that carry residual
risk, create a list of control ideas
» Begin the list by identifying existing controls, to find the areas of
residual risk that may or may not need to be reduced
» Residual risk is the risk that remains even after existing controls
have been applied

Controls
• Three categories of controls exist:
» Policies
» Programs (like education, training and awareness)
» Technical controls (security technologies)

Access Controls
• Addresses the admission of users into a trusted area of an
organization
• Each category of access control regulates access to a
particular type or collection of information
• Types of access controls:
» Mandatory Access Control (MAC)
» Non-discretionary Control
» Discretionary Control (DAC)

Access Controls
MAC
• Required and structured
• Coordinated with the data classification scheme
• Under MAC, users and data owners have limited control over access to information
• Each item of information and each user is assigned a specific sensitivity level
• A variation of this is lattice-based access control, in which subjects and objects
carry labels drawn from a lattice of sensitivity levels
• The resulting authorizations can be written as a matrix of subjects against objects,
with the boundary for each subject/object pair clearly demarcated
• Column attributes associated with objects are called access control lists (ACLs)
• Row attributes associated with subjects are called capability tables
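The security clearance structure from the classification slides and the lattice-based MAC described above, as an added example that is not part of the course material. It assumes a label is a sensitivity level plus a set of need-to-know compartments, uses the five-level scheme from the Data Classification Model slide, and takes the Bell-LaPadula rules (no read up, no write down) as the lattice rules for reading and updating; the subjects, objects and labels are constructed.

```python
"""MAC over a sensitivity lattice, with ACL and capability-table views of the access matrix."""
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels (the five-level scheme from the classification slides)."""
    UNCLASSIFIED = 0
    SBU = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


class Label:
    """Lattice element: a level plus a set of need-to-know compartments (assumed model)."""

    def __init__(self, level, compartments=()):
        self.level = Level(level)
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

    def __repr__(self):
        return f"{self.level.name}{sorted(self.compartments)}"


# Constructed sample: subject clearances and object classifications (hypothetical).
SUBJECTS = {
    "alice": Label(Level.TOP_SECRET, {"PAYROLL"}),
    "bob":   Label(Level.SECRET, {"PAYROLL", "HR"}),
    "carol": Label(Level.SBU),
}
OBJECTS = {
    "payroll.xlsx":      Label(Level.SECRET, {"PAYROLL"}),
    "hr_review.docx":    Label(Level.CONFIDENTIAL, {"HR"}),
    "company_news.html": Label(Level.UNCLASSIFIED),
}


def can_read(subject, obj):
    """Need-to-know / no read up: the clearance must dominate the object's classification."""
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def can_update(subject, obj):
    """Right-to-update under the Bell-LaPadula *-property (no write down): the object's
    label must dominate the clearance. This permits a blind 'write up' (carol may append
    to payroll.xlsx without reading it); many systems tighten it to label equality."""
    return OBJECTS[obj].dominates(SUBJECTS[subject])


def access_matrix():
    """Subjects as rows, objects as columns, rights as a string of 'r' and/or 'w'."""
    matrix = {}
    for s in SUBJECTS:
        matrix[s] = {}
        for o in OBJECTS:
            matrix[s][o] = ("r" if can_read(s, o) else "") + ("w" if can_update(s, o) else "")
    return matrix


def acl(obj):
    """Column of the matrix: the object's access control list (subjects with rights)."""
    return {s: row[obj] for s, row in access_matrix().items() if row[obj]}


def capability_table(subject):
    """Row of the matrix: the subject's capability table (objects it has rights to)."""
    return {o: r for o, r in access_matrix()[subject].items() if r}


if __name__ == "__main__":
    for s, clearance in SUBJECTS.items():
        print(f"{s:6} {clearance!r:28} {capability_table(s)}")
```

Note that alice, cleared TOP SECRET, still cannot read hr_review.docx: the level alone is not enough, the HR compartment is also required. That is the need-to-know check the clearance slide describes, and it falls out of the dominance test rather than from a per-file rule.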

Access Controls
• Non-discretionary controls
» Determined by a central authority
» Can be based on the roles a user plays in an organization: role-based
access control
» Can be based on the set of tasks tied to a certain assignment or
responsibility: task-based access control
» Makes control and restrictions easier to maintain when the individuals
performing a task or role change frequently

Access Controls
• Discretionary Access Control (DAC)
» Implemented at the discretion or option of the users
» Ability to share resources in a peer to peer configuration
» Allows users to control and possibly provide access to
information or resources at their disposal

Documenting Results of Risk Assessment
• Ranked vulnerability risk worksheet
» Asset: List of each vulnerable asset
» Asset Impact: Shows results for the asset from the weighted
factor analysis (1-100)
» Vulnerability: List each uncontrolled vulnerability for that
asset
» Vulnerability Likelihood: Likelihood of the realization of the
vulnerability by threat agent as indicated in the vulnerability
analysis step (0.1-1.0)
» Risk Rating Factor: Calculated by multiplying the asset
impact and a vulnerability’s likelihood
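The risk rating formula from the Risk Assessment slides (likelihood x value, minus the share mitigated by current controls, plus the uncertainty share) and the ranked vulnerability risk worksheet above, carried through in code. This is an added example, not code from the course slides or the textbook; the assets, impact scores, likelihoods, mitigation and uncertainty figures are constructed, and both percentages are taken of the likelihood x value product.

```python
"""Risk rating per asset/vulnerability pair and the ranked vulnerability risk worksheet."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnEntry:
    asset: str
    asset_impact: int         # weighted factor analysis result, 1..100
    vulnerability: str
    likelihood: float         # 0.1 (low) .. 1.0 (high), NIST SP 800-30 scale; never 0
    mitigated: float = 0.0    # fraction of the risk removed by existing controls, 0..1
    uncertainty: float = 0.0  # fraction added for what is not known, 0..1

    def validate(self):
        """Reject values outside the scales the slides define (a likelihood of 0 means the
        vulnerability should already have been dropped from the list)."""
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.vulnerability}: likelihood must be 0.1..1.0")
        if not 1 <= self.asset_impact <= 100:
            raise ValueError(f"{self.asset}: impact must be 1..100")
        for name in ("mitigated", "uncertainty"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.vulnerability}: {name} must be 0..1")

    def risk_rating_factor(self):
        """Worksheet column 'Risk Rating Factor': asset impact x vulnerability likelihood."""
        return round(self.asset_impact * self.likelihood, 2)

    def risk_rating(self):
        """Full rating: likelihood x value, minus the mitigated share, plus the uncertainty
        share, both percentages taken of the likelihood x value product."""
        base = self.asset_impact * self.likelihood
        return round(base - base * self.mitigated + base * self.uncertainty, 2)


# Constructed sample entries (hypothetical organisation).
SAMPLE = [
    VulnEntry("Customer order DB", 55, "SQL injection in order form", 1.0, 0.0, 0.1),
    VulnEntry("Customer order DB", 55, "weak DB password policy", 0.5, 0.5, 0.1),
    VulnEntry("Public web server", 40, "unpatched web server", 0.8, 0.25, 0.2),
    VulnEntry("Intranet wiki", 10, "XSS in comment field", 0.5, 1.0, 0.0),  # fully controlled
]


def ranked_worksheet(entries):
    """Build the ranked vulnerability risk worksheet: drop vulnerabilities fully managed by
    an existing control, validate the rest, and order by risk rating, highest first."""
    rows = []
    for e in entries:
        e.validate()
        if e.mitigated >= 1.0:
            continue  # set aside: no residual risk to rank
        rows.append({
            "asset": e.asset,
            "asset_impact": e.asset_impact,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "risk_rating_factor": e.risk_rating_factor(),
            "risk_rating": e.risk_rating(),
        })
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


if __name__ == "__main__":
    for row in ranked_worksheet(SAMPLE):
        print(f'{row["asset"]:18} {row["vulnerability"]:30} {row["risk_rating"]:6.1f}')
```

The ratings have no absolute meaning, as the slides say: 60.5 versus 30.4 only tells you which uncontrolled vulnerability to look at first. Note how a half-mitigated vulnerability on the most valuable asset drops below an uncontrolled one on a less valuable asset.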

Documenting Results of Risk Assessment
• Risk identification and assessment deliverables
» Information asset classification worksheet (information
assets and impact on or value to organization)
» Weighted criteria analysis worksheet (assigns a ranked
value or impact weight to each asset)
» TVA worksheet
» Ranked vulnerability risk worksheet (assigns a risk rating
ranked value to each uncontrolled asset vulnerability pair)

Conclusion
• Risk management examines and documents an organization's
information assets to classify, prioritize, and assess the risk
that needs to be controlled
• Uncontrolled vulnerabilities in high-ranking assets are the first
priority for new controls as part of risk management
Questions

Risk Management: Controlling Risk

“Weakness is a better teacher than strength.


Weakness must learn to understand the
obstacles that strength brushes aside.”
….Mason Cooley (1927 – 2002)

Presented by:
Molly Coplen, Dan Hein, and Dinesh Raveendran

EECS 711 Chapter 8 Risk Management: Controlling Risk
Chapter Overview
• Risk Control Strategies
• Managing Risk
• Feasibility and Cost-Benefit Analysis
• Recommended Control Practices
• The OCTAVE Method
• Microsoft Risk Management Approach

Risk Management

Risk management is the process used by managers, auditors, and other
professionals to identify vulnerabilities in an organization’s information
systems and to assure the confidentiality, integrity, and availability of all
the components in the organization’s information system.

Risk Control Strategies
Four strategies:
• Avoidance
• Transference
• Mitigation
• Acceptance

Avoidance
– applying safeguards that eliminate or reduce the remaining
uncontrolled risks
– attempts to prevent the exploitation of the vulnerability
Avoidance is the preferred approach as it seeks to avoid risk
rather than deal with it after it has been realized.

Avoidance is accomplished through:
1. Policy
2. Training and education
3. Countering threats
4. Implementation of technical security controls and safeguards

Transference
The control approach that attempts to shift the risks to other
assets, other processes, or other organizations.

Mitigation
The control approach that attempts to reduce, by means of
planning and preparation, the damage caused by the
exploitation of a vulnerability.

Acceptance
Acceptance is the choice to do nothing to protect an information asset
from risk, and to accept the outcome from any resulting exploitation.

This strategy assumes that it can be a prudent business decision to
examine the alternatives and conclude that the cost of protecting an
asset does not justify the security expenditure.

Acceptance
Valid practice if management has ….
• Determined the level of risk posed to the information asset
• Assessed the probability of attack and the likelihood of a
successful exploitation of a vulnerability
• Approximated the potential loss that could result from
attacks

Acceptance
Valid practice if management has ….
• Performed a thorough cost-benefit analysis
• Evaluated controls using each appropriate type of feasibility
analysis report
• Determined that the particular function, service, information, or
asset did not justify the cost of protection

Managing Risk
Risk appetite (or risk tolerance) describes the quantity
and nature of the risk that organizations are willing to accept,
as they evaluate the trade-offs between perfect security and
unlimited accessibility.

Managing Risk
Residual risk is what is left after vulnerabilities have been controlled
as much as possible: the risk that has not been completely removed,
shifted, or incorporated into plans.

The goal of information security is not to bring residual risk to zero;
rather, it is to bring residual risk in line with an organization’s risk
appetite.

Managing Risk – Strategy Selection
• When a vulnerability (flaw or weakness) exists,
implement security controls to reduce the
likelihood of a vulnerability being exercised.
• When a vulnerability can be exploited, apply
layered protections, architectural designs, and
administrative controls to minimize the risk or
prevent the occurrence of an attack.

Managing Risk – Strategy Selection (continued)
• When the attacker’s potential gain is greater than
the cost of attack, apply protections to increase
the attacker’s costs, or reduce the attacker’s gain
by using technical or managerial controls.
• When the potential loss is substantial, build
protections to limit the extent of the attack,
thereby reducing the potential for loss.

Managing Risk
The control strategy articulates which of the four fundamental
risk-reducing approaches will be used, how the various
approaches might be combined, and justifies the findings by
referencing the feasibility studies.

Managing Risk
Once a control strategy has been selected and implemented,
controls should be monitored and measured on an ongoing
basis to determine their effectiveness and to estimate the
remaining risk.

Managing Risk
At a minimum, each information asset-threat pair should
have a documented control strategy that clearly identifies any
residual risk that remains after the proposed strategy has
been executed.

Feasibility Studies and Cost-Benefit Analysis
• Determines the level of risk posed to the information asset
• Identifying the advantages and disadvantages of
implementing a control
• Value of information assets
• Dollar-denominated expenses and savings from economic cost
avoidance
• Non economic feasibility criteria

Cost-Benefit Analysis (CBA)
• Economic feasibility:
• Evaluating a project that implements information security
controls and safeguards.
• Start this analysis by valuing the information assets and
determining the loss in value if they are compromised.
• The formal process of deciding not to spend more to protect an
asset than it is worth is called a CBA or economic feasibility
study.

Cost
• Difficult to determine the cost for safeguarding
• Items that could affect the cost:
• Cost of development or acquisition of hardware, software, and
services.
• Training fees
• Cost of implementation
• Service costs
• Cost of maintenance

Benefit
• Value to the organization of using controls to prevent
losses associated with a specific vulnerability
• Determined by
• Valuing the information asset or asset exposed by the
vulnerability
• How much of that value is at risk
• How much risk exists for the asset
• The result is expressed as annualized loss expectancy

Asset Valuation
• Process of assigning a financial value to each information asset
• Involves the estimation of actual or perceived costs
• The value can be drawn from any or all of the costs associated with
design, development, installation, maintenance, protection, recovery,
and defense against loss or litigation

Asset Valuation
• Value retained from the cost of creating the information asset
• Value retained from past maintenance of the information
asset
• Value implied by the cost of replacing the information
• Value from providing the information
• Value acquired from the cost of protecting the information
• Value to owners
• Value of intellectual property
• Value to adversaries
• Loss of productivity while the information assets are
unavailable
• Loss of revenue while the information assets are unavailable

Asset Valuation
• This process yields the estimate of potential loss
per risk
• A single loss expectancy (SLE) is the calculation
of the value associated with the most likely loss
from an attack
» SLE = asset value (AV) * exposure factor (EF)
where
EF = the percentage loss that would occur from a
given vulnerability being exploited

Asset Valuation
• Annualized rate of occurrence (ARO) indicates how
often you expect a specific type of attack to occur
• Annualized loss expectancy (ALE) indicates the overall
loss potential per risk
» ALE = SLE * ARO

The CBA formula
• CBA determines whether a control alternative is worth its
associated cost
» CBA = ALE (pre-control) – ALE (post-control) –ACS
where
ALE (pre-control) = ALE of the risk before the implementation of
the control
ALE (post-control) = ALE examined after the control has been in
place for a period of time
ACS = annual cost of the safeguard
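The SLE, ARO, ALE and CBA formulas above, carried through in code. This is an added example, not code from the course slides or the textbook; the asset value, exposure factors, occurrence rates and safeguard costs are constructed figures, and the three candidate controls are hypothetical.

```python
"""SLE, ARO, ALE and the CBA formula, worked over constructed figures (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset-threat pair as seen before or after a control is in place."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident, 0..1
    aro: float              # ARO, expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self):
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def cba(pre, post, annual_cost_of_safeguard):
    """CBA = ALE(pre-control) - ALE(post-control) - ACS.
    Positive: the control saves more per year than it costs. Negative: it does not."""
    return round(pre.ale() - post.ale() - annual_cost_of_safeguard, 2)


def max_justified_acs(pre, post):
    """Largest annual safeguard cost at which the CBA is still non-negative."""
    return round(pre.ale() - post.ale(), 2)


def evaluate_controls(pre, options):
    """options: {name: (post-control Exposure, ACS)}. Returns (name, CBA) pairs, best first."""
    scored = [(name, cba(pre, post, acs)) for name, (post, acs) in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed figures for a public web server facing web-application attacks.
PRE = Exposure(asset_value=200_000, exposure_factor=0.25, aro=2.0)  # ALE = 100,000
OPTIONS = {
    # name: (exposure after the control, annual cost of the safeguard)
    "web application firewall": (Exposure(200_000, 0.25, 0.5), 30_000),   # fewer incidents
    "tested backups + rebuild":  (Exposure(200_000, 0.05, 2.0), 15_000),   # smaller loss each time
    "rewrite the application":   (Exposure(200_000, 0.25, 0.1), 120_000),  # costs more than it saves
}

if __name__ == "__main__":
    print(f"ALE before controls: {PRE.ale():,.0f}")
    for name, value in evaluate_controls(PRE, OPTIONS):
        print(f"{name:28} CBA = {value:>10,.0f}")
```

A control can change either factor of the ALE: the firewall lowers the ARO, the backups lower the EF. The rewrite reduces loss the most but its ACS exceeds the ALE it removes, so its CBA is negative; max_justified_acs gives the ceiling a control's annual cost must stay under to break even.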

Asset Valuation
As Frederick Avolio states in his article “Best Practices in
Network Security”
Security is an investment, not an expense. Investing in
computer and network security measures that meet
changing business requirements and risks makes it possible
to satisfy changing business requirements without hurting
the business’s viability.

Other Feasibility Studies
• Organizational Feasibility
• Operational Feasibility
• Technical Feasibility
• Political Feasibility

Organizational Feasibility
• Examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness,
and overall operation of an organization
• Organization should not invest in technology that changes its
fundamental ability to explore certain avenues and
opportunities.

Operational Feasibility
• Also known as behavioral feasibility
• Refers to user acceptance and support, management acceptance
and support, and the system’s compatibility with the requirements
of the organization’s stakeholders.
• User involvement
– method to obtain user acceptance and support
– can be achieved by three simple actions: communicate,
educate, and involve
– can reduce resistance to change, and build resilience for
change

Technical Feasibility
• Examines whether the organization has or can acquire
the technology necessary to implement and support
them
• Also examines whether the organization has the
technological expertise needed to manage the new
technology

Political Feasibility
• Considers what can and cannot occur based on the
consensus and relationships among the communities of
interest.
• Information security community is assigned a budget,
which they then allocate to activities and projects,
making decision about how to spend the money using
their own judgment.

Alternatives to Feasibility Analysis
• Benchmarking
• Adopt a certain minimum level of security
• Best business practices, balancing the need to access
information with adequate protection
• Gold standard
• Government recommendations and best practices
• A baseline is derived by comparing measured actual
performance against established standards for the
measured category

Viewpoint – Risk Management
By Dr. Whitman
• In the world of InfoSec, there are three types of people:
• Those who understand the importance of InfoSec
• Those who don’t
• Those who think they do but really don’t
• The top 5 threats to InfoSec are all people problems.
• SETA programs are designed for the second type of people.
• The third type represents the biggest threat, as they are
misinformed or misguided.

Recommended Risk Control Practices
Cost-benefit and feasibility analysis, focused on controlling
individual asset-threat pairs, can quickly become complex:
• Each control affects more than one asset-threat pair.
• As each control is applied, ALE must be recomputed, as threats to
downstream assets (e.g. those behind a firewall) may also have been
mitigated.

Recommended Risk Control Practices: Continued
The complexity of risk control, such as CBA, motivates alternatives:
• Qualitative measures – scales (for example 1-10), representing
relative degrees of threat likelihood, asset exposure, and/or asset
value.
• Delphi Technique – group consensus with respect to establishing the
values/scales used in both quantitative and qualitative assessment.

Risk Management Approaches
Existing risk management approaches provide a tried and true pattern
to follow.
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability
Evaluation
• Microsoft Risk Management Approach

OCTAVE Overview
OCTAVE uses a three-phase approach to provide comprehensive
situational awareness:
Phase 1 – Build Asset-Based Threat Profiles: What are our assets, what
threats exist, and what countermeasures already exist?
Phase 2 – Identify Infrastructure Vulnerabilities: What are the
operational and technological vulnerabilities allowing unauthorized
action?
Phase 3 – Develop Security Strategy and Plans: What are the impacts
(from 1 & 2) to the corporate mission? What are the needed mitigation
options?

OCTAVE: Important Aspects
1. Self-directed – organization’s personnel are
involved (via analysis team) in process
management and information analysis
2. Analysis team – interdisciplinary team
representing various communities of interest
3. Workshop-based – information gathering and
decision making done using workshops
organized by analysis team
4. Catalogs of information – catalogs of
practices, threats, and vulnerabilities
OCTAVE: Analysis Team
Tasks of the analysis team:
1. Facilitate knowledge elicitation workshops
2. Gather necessary supporting data
3. Analyze threat and risk information
4. Develop a protection strategy
5. Develop mitigation plans

Process and Activities Per Phase
Preparing for OCTAVE
Phase 1: Build Asset-Based Threat Profiles
» Process 1: Identify Senior Management Knowledge
» Process 2: Identify Operational Area Management
Knowledge
» Process 3: Identify Staff Knowledge
» Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
» Process 5: Identify Key Components
» Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
» Process 7: Conduct Risk Analysis
» Process 8: Develop Protection Strategy

Preparing for OCTAVE
Preparation is critical for a successful
evaluation. Required activities follow:
1. Obtain senior management sponsorship of OCTAVE
2. Select analysis team members
3. Train analysis team
4. Select operational areas to participate in OCTAVE
5. Select participants
6. Coordinate logistics
7. Brief all participants

OCTAVE: Phase 1
• The analysis team holds level-tailored workshops with staff members to
identify important assets and business impact if the assets are
compromised.
• The management level workshops are separate from the staff level
workshops.
• The purpose of the workshops is to elicit:
– Important assets and their relative values
– Perceived threats to the assets
– Security requirements
– Current protection strategy practices
– Current organizational vulnerabilities

Phase 1 Processes
Process 1-3: Common activities:
• Identify assets and relative priorities.
• Identify areas of concern.
• Identify security requirements for the
most important assets.
• Capture knowledge of protection strategy
and organizational vulnerabilities.

Phase 1 Processes Continued
Process 4: Create threat profiles from earlier
process steps.
• Group assets, security requirements, and
areas of concern by organizational level.
• Select critical assets.
• Refine security requirements for critical
assets.
• Identify threats to critical assets.

OCTAVE: Phase 2
Perform a technology evaluation, often using a catalog of vulnerabilities
such as CVE to identify vulnerabilities in key systems and components.
Example tests:
• Reviewing firewall configuration
• Checking the security of public Web servers
• Performing a comprehensive review of all operating systems
• Identifying services running and/or available on hosts
• Listing all system user accounts
• Identifying known vulnerabilities in routers, switches, remote access servers, operating systems, and specific services and applications
• Identifying known configuration errors
• Looking for signs of intrusion (Trojans, system file alteration)
• Checking file ownership and permissions

OCTAVE: Phase 2 Processes
• Process 5: Identify Key Components
» Identify system of interest.
» Identify key classes of components.
» Identify infrastructure components to examine.
• Process 6: Evaluate Selected Components
» Run vulnerability evaluation tools (e.g. Metasploit) on
selected infrastructure components.
» Review technology vulnerabilities and summarize
results.

OCTAVE: Phase 3
Develop the security strategy and plans by analyzing how specific threats affect specific assets with respect to confidentiality, availability, and/or integrity.
The goal of this phase is to reduce risk by:
» Implementing new security practices within the
organization
» Taking the actions necessary to maintain the existing
security practices
» Fixing identified vulnerabilities

OCTAVE: Phase 3 Process
• Process 7: Conduct Risk Analysis
» Identify the impact of threats to critical assets.
» Create risk evaluation criteria.
» Evaluate the impact of threats to critical assets.
• Process 8: Develop Protection Strategy
» Consolidate protection strategy information (WS1).
» Create protection strategy (WS1).
» Create mitigation plans (WS1).
» Create an action list (WS1).
» Review risk information (WS2).
» Review and refine protection strategy, mitigation plans, and action list
(WS2).
» Create next steps (WS2).

Microsoft Risk Management
Risk management should be integrated with the general governance program for better operational decision support. Microsoft's approach consists of four phases.
1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness

Assessing Risk
The first step in most risk management frameworks
is identification and prioritization of risks facing the
organization.
1. Plan data gathering. Discuss keys to success and
preparation guidance.
2. Gather risk data. Outline the data collection process and
analysis.
3. Prioritize risks. Outline prescriptive steps to qualify and
quantify risks.

Conducting Decision Support
The second step in Microsoft’s risk management
approach is the identification and evaluation of controls.
Microsoft stresses cost-benefit analysis.
1. Define functional requirements. Create the necessary requirements to mitigate the risks.
2. Select possible control solutions. Outline the approach to identify mitigation solutions.

Conducting Decision Support Continued
3. Review solution. Evaluate proposed controls against functional requirements.
4. Estimate risk reduction. Endeavor to understand reduced exposure or probability of risks.
5. Estimate solution cost. Evaluate direct and indirect costs associated with mitigation solutions.
6. Select mitigation strategy. Complete cost-benefit analysis to identify the most cost-effective mitigation solution.

Implementing Controls
Phase 3 of Microsoft's approach involves the deployment and operation of the selected controls.
1. Seek holistic approach. Incorporate people,
process, and technology in mitigation solution.
2. Organize by defense-in-depth. Arrange
mitigation solutions across the business.

Measuring Program Effectiveness
As controls are used, and the organization evolves, the process must be closely monitored to ensure the controls continue to protect.
1. Develop a risk scorecard. Understand risk posture and progress.
2. Measure program effectiveness. Evaluate the risk management program for opportunities to improve.

Preliminary Tasks
• Microsoft suggests the organization consider the effort involved and the organization's own experience level.
• Microsoft suggests an organization first determine its “risk
management maturity”.
• How is risk management maturity determined?

COBIT: Determining Risk Management Maturity
A series of questions (Table 8-3, page 329) results in a score between 0 and 85. COBIT defines the following maturity levels:
Level 0 – Lack of recognizable process; no recognition that there is even an issue.
Level 1 "Ad-Hoc" – Organization recognizes issues that must be addressed; however, no standardized process is in place.
Level 2 "Repeatable" – Awareness of issues. Performance indicators are being developed. Basic measurements have been identified as well as assessment methods/techniques.

COBIT Levels Continued
Level 3 "Defined" – The need to act is understood. Procedures have been standardized, documented and implemented. Balanced scorecard ideas are being adopted.
Level 4 "Managed" – Full understanding of issues on all levels. IT is fully aligned with the business strategy. Continuous improvement is addressed.
Level 5 "Optimized" – Continuous improvement, a forward-looking understanding of issues and solutions. Processes have been refined to a level of external best practice.

Roles and Responsibilities
Another preliminary task before implementing the Microsoft process is the definition and assignment of roles and responsibilities of the individuals who will participate in the risk analysis process. See Table 8-4 on pages 330 and 331.

Questions

Personnel and Security

EECS 711
Philip Mein
"Prakash" Pallavur Sankaranaraynan
Annette Tetmeyer
Outline
• Introduction
• Staffing the Security Function
• Information Security Professional Credentials
• Employment Policies and Practices
• Conclusion
• Questions

124 EECS 711 Spring 2008 Chapter 10
Introduction
• InfoSec department must be carefully
structured and staffed with appropriately
skilled and screened personnel
• Requires Human Resources to have the
proper policies integrated into its procedures
(hiring, training, promotion, and termination)
• What to look for in personnel (certifications)
• IT security job descriptions
• How to integrate InfoSec policies into an organization's hiring practices

Staffing the Security Function
• Supply and Demand of qualified staff
» many economic forecasters expect the deferred demand
to become active in the InfoSec field

Qualifications and Requirements
• General management community of interest
should learn more about the requirements and
qualifications for both IT and InfoSec positions
• Upper management should learn more about
InfoSec budgetary and personnel needs
• The IT and general management communities
of interest must grant the InfoSec function an
appropriate level of influence and prestige

Hiring InfoSec Professionals
• Understand how organizations are structured and operated
• Recognize that InfoSec is a management task that cannot be handled with technology alone
• Work well with people in general (written and verbal)
• Acknowledge the role of policy in guiding security efforts
• Understand the essential role of InfoSec education and
training
• Perceive the threats facing an organization, understand
how these threats can be transformed into attacks, and
safeguard the organization from these attacks
• Understand how technical controls can be applied to solve
specific information security problems
• Demonstrate familiarity with mainstream information
technologies
• Understand IT and InfoSec terminology and concepts

Entering the InfoSec Profession
• Traditional Career Path to InfoSec was from
Technology or Military/Law enforcement
• Modern Path to InfoSec is from a security education
background

Information Security Positions
• Complete job descriptions for InfoSec positions can be found in Charles Cresson Wood's book Information Security Roles and Responsibilities Made Easy
• Definers
» Provide the policies, guidelines and standards
» Do the consulting and risk assessment
» Develop the product and technical architectures
• Builders
» Techies who create and install security solutions
• Administrators
» Operate and administer the security tools
» Security monitoring function
» Continuously improve the process
InfoSec Positions
• CISO
» Top InfoSec officer
» Must be conversant in all areas (technology, planning, and policy)
» Responsible for the overall InfoSec program
• Security Manager
» Responsible for policy development, risk assessment, contingency planning, and operational and tactical planning
» Understanding of technology administered but not necessarily
proficiency in its configuration or operation
• Security Technician
» Technically qualified individuals who configure and maintain security
technology
» Are likely to be IT technicians who have adopted a different career
path

Other Position Titles
• Many non-information-security job descriptions must define information security roles and responsibilities
• Communities of interest with security roles and responsibilities:
» Information Security Community
» IT Community
» General Business Community
• Building and Facilities Guard
• Office Maintenance Worker
• Human Resources Dept manager
• CFO
• CEO

Social Engineering
• An attacker uses human interaction (social skills) to obtain or
compromise information about an organization or its computer systems
• Top 4 hacking moments on film
1. Independence Day: Using an old space ship as cover for two humans to
infiltrate the alien mother ship and upload a virus to destroy it.
2. Hackers: Dumpster diving in the target company's trash in order to obtain
financial data from printouts.
3. War Games: Password cracking the military computer system by studying its
creator.
4. Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend
excused from school through multiple phone calls and answering machine
recordings.
5. Sneakers: Intercepting the call from the security guard to bypass the alarm and rob the bank.
Question: Which of the above hacks did not employ a social engineering
technique?

Social Engineering
• SE Attack Detection
» Employees need to be trained to detect anomalies in
conversation, e-mail, and pop-up windows
• SE Attack Prevention
» Preparation (SETA)
» Table 10-3
• SE Attack Defense
» Organizations should have an established procedure for
reporting suspected SE attacks
» IR team should log attacks and treat them no differently
than other attacks

Information Security Professional Credentials
Professional certifications ascertain the level of proficiency
possessed by different candidates.
• Employers struggle to match certifications to position
requirements.
• Potential infosec workers try to determine which
certificates will help them in the job market

Information Security Professional Credentials
The widely recognized certification programs are:
» Certified Information Systems Security Professional
(CISSP)
» Systems Security Certified Practitioner (SSCP)
» Certified Information Systems Auditor (CISA)
» Certified Information Security Manager (CISM)
» Global Information Assurance Certification (GIAC)
» Security Certified Program (SCP)
» Security+
» Certified Computer Examiner (CCE)
» Certified Forensics Investigator (CIFI)

Certified Information Systems Security Professional (CISSP)
• Considered the most prestigious certification for Security Managers and CISOs.
• Offered by the International Information Systems
Security Certification Consortium (ISC)2.
• Recognizes mastery of an internationally identified
common body of knowledge (CBK) in information
security.
• Candidates must have at least 3 years of direct, full-time
security professional work experience.
• The test covers 10 domains of information security and
consists of 250 multiple choice questions to be
completed in 6 hours.

Certified Information Systems Security Professional (CISSP)
• The 10 domains of information security knowledge are:
1. Access control systems and methodology
2. Applications and systems development
3. Business continuity planning
4. Cryptography
5. Law, investigation and ethics
6. Operations security
7. Physical security
8. Security architecture and models
9. Security management practices
10. Telecommunications, network and Internet security

Certified Information Systems Security Professional (CISSP)
• CISSP certification requires the successful
completion of the exam and an endorsement
by a qualified 3rd party to ensure that the
applicant meets the experience requirement.
• It is the most challenging of information
security certifications.
• Holders of the CISSP must earn a specific
number of continuing education credits every 3
years to retain their certification.

Systems Security Certified Practitioner (SSCP)
• Also offered by the (ISC)2.
• Less rigorous than the CISSP.
• More applicable to security managers than the technicians.
• Most of the questions focus on the operational nature of information security.
• Focuses on practices, roles and responsibilities as defined by experts from major IS industries.
• The SSCP exam consists of 125 multiple-choice questions covering 7 domains of information security to be completed in 3 hours.

Systems Security Certified Practitioner (SSCP)
• The 7 domains are:
1. Access controls
2. Administration
3. Audit and monitoring
4. Risk, response and recovery
5. Cryptography
6. Data communications
7. Malicious code/malware

Systems Security Certified Practitioner (SSCP)
• Like the CISSP, an SSCP holder must earn continuing credits to retain certification, or else retake the exam.
• Slightly more technical than the CISSP.

CISSP Concentrations
• ISSAP: Information Systems Security Architecture
Professional
• ISSEP: Information Systems Security Engineering
Professional
• ISSMP: Information Systems Security Management
Professional

Certified Information Systems Auditor (CISA)
• Not specifically a security certification but includes many
information security components.
• Sponsored by the Information Systems Audit and Control
Association (ISACA).
• Certification appropriate for auditing, networking and security
professionals.
• Requires experience as an information systems auditor, with a
minimum of 5 years professional experience.
• Requires agreement to the Code of Professional Ethics.
• Requires a minimum of 20 hours of continuing education
annually and 120 hours during a fixed 3 year period.
• Adherence to the Information Systems Auditing Standards.

Certified Information Systems Auditor (CISA)
• The exam covers the following areas:
1. IS audit process (10%)
2. IT governance (15%)
3. Systems and infrastructure lifecycle management (16%)
4. IT service delivery and support (14%)
5. Protection of information assets (31%)
6. Business continuity and disaster recovery (14 %)

Certified Information Security Manager (CISM)
• Also offered by the ISACA.
• Geared towards the experienced information security manager and others with information security management responsibilities.
• This certification assures executive management that the
candidate has the required background knowledge needed for
effective security management and consulting.
• The exam is offered annually.
• Requires the applicant to adhere to the ISACA code of ethics.
• Requires pursuing continuing education.
• Applicants must have at least 5 years of information security
experience with at least 3 years in information security
management.

Certified Information Security Manager (CISM)
• The CISM exam covers:
1. Information security governance (21%)
2. Risk management (21%)
3. Information security program management (24%)
4. Response management (13%)

Global Information Assurance Certification (GIAC)
• Developed by Systems Administration, Networking and
Security (SANS) organization.
• Tests both for knowledge and for the applicant's ability to demonstrate application of that knowledge.
• Offers the only advanced technical certifications.
• The GIAC family of certifications can be pursued
independently or combined to earn a comprehensive
certification called GIAC Security Engineer (GSE).
• Only when practical assignment is complete is the
candidate allowed to take the online exam.
• GIAC now offers two types of certifications: Silver and
Gold.

Global Information Assurance Certification (GIAC)
• Requirements for Silver certification:
» Completion of exams
» Full certifications require 2 exams; certificates require a
single exam
• Requirements for Gold certification:
» Complete Silver certification
» Passing a technical paper review; the paper demonstrates real-world, hands-on mastery of security skills

Global Information Assurance Certification (GIAC)
• The individual GIAC certifications are as follows:
1. GIAC Information Security Fundamentals (GISF)
2. GIAC Security Essentials Certification (GSEC)
3. GIAC Certified Firewall Analyst (GCFW)
4. GIAC Certified Intrusion Analyst (GCIA)
5. GIAC Certified Incident Handler (GCIH)
6. GIAC Certified Windows Security Administrator (GCWN)
7. GIAC Certified UNIX Security Administrator (GCUX)
8. GIAC Certified Forensics Analyst (GCFA)
9. GIAC Securing Oracle Certification (GSOC)
10. GIAC Intrusion Prevention (GIPS)
11. GIAC Cutting Edge Hacking Techniques (GHTQ)

Security Certified Program (SCP)
• SCP offers two tracks: Security Certified Network Professional (SCNP) and the Security Certified Network Architect (SCNA).
• Both designed for the security technician.
• While not as detailed as the GIAC certifications, these programs
provide the knowledge needed to work in new areas of security, while
developing a vendor neutral core of practitioner knowledge evaluation.
• The SCNP track targets firewalls & intrusion detection, and requires 2
exams:
» Hardening The Infrastructure (HTI)
» Network Defense & Countermeasures (NDC)
• The SCNA program includes the following:
» Enterprise Security Implementation (ESI) which covers:
• Advanced Security Implementation (ASI)
• Enterprise Security Solutions (ESS)
» The Solution Exam (TSE) covering all facets of the SCP courses

Security+
• Offered by CompTIA, a vendor-neutral certification program.
• Tests for security knowledge mastery of an individual with 2 years of on-the-job networking experience.
• The CompTIA Security+ curriculum is being taught at colleges, universities and commercial training centers.
• Exam covers industry-wide topics including:
1. General Security Concepts
2. Communication Security
3. Infrastructure Security
4. Basics of Cryptography
5. Operational/Organizational Security

Certified Computer Examiner (CCE)
• Is a computer forensics certification provided by the
International Society of Forensic Computer
Examiners
• To complete the certification the applicant must:
» Have no criminal record
» Meet minimum experience, training or self-training
requirements
» Abide by certification’s code of ethical standards
» Pass an online exam
» Successfully perform actual forensic exams on 3 test
media

Certified Computer Examiner (CCE)
• The CCE certification process covers the following areas:
1. Acquisition, marking, handling, and storage of evidence procedures
2. Chain of custody
3. Essential “core” forensic computer examination procedures
4. The “rules of evidence” as they relate to computer examinations
5. Basic PC hardware construction and theory
6. Very basic networking theory
7. Basic data recovery techniques
8. Authenticating MS Word documents and accessing and interpreting metadata
9. Basic optical recording processes and accessing data on optical media
10. Basic password recovery techniques
11. Basic internet issues

Certified Information Forensics Investigator (CIFI)
• The Information Security Forensics Association (ISFA) is
developing an examination for a Certified Information
Forensics Investigator (CIFI).
• This program will evaluate expertise in tasks and
responsibilities of a security administrator or security
manager, including incident response, working with law
enforcement, and auditing.

Certified Information Forensics Investigator (CIFI)
• Although the certification exam has not been finalized, the body of knowledge has been tentatively defined to include the following aspects of information security:
1. Countermeasures
2. Auditing
3. Incident response teams
4. Law enforcement and investigation
5. Traceback
6. Tools and techniques

Certification Costs
• Certifications can be expensive.
• The high costs deter those who might take the
exam just to see if they can pass.
• Most experienced professionals find it difficult
to do well on them without at least some
review.
• Most programs require between 2 & 3 years of
work experience.
• Often structured to reward candidates who
have significant hands-on experience.

Approaches to prepare for security certification

Employment Policies and Practices

Employment Policies and Practices
• Hiring and Firing
• Contracts
• Personnel Security Practices
• Security Considerations for Nonemployees

Hiring
• Job Descriptions
• Interviews
• New Hire Orientation
• On-the-Job Security Training
• Security Checks

Security Checks
• Identity checks
• Education and credentials
• Previous employment
• Reference checks

Security Checks
• Worker’s compensation history
• Motor vehicle records
• Drug history
• Medical
• Credit
• Civil Court
• Criminal Court

Make sure to comply with regulations

Contracts and Employment
• Require employees to agree in writing by signing
monitoring and nondisclosure agreements
• Sign before other employment contracts are made
• Existing employees may not be compelled to sign

Security as Part of Performance
Evaluations
• How can performance evaluations be used to motivate
employees concerning security practices?

Termination Issues
Need to protect information to which an employee
had access
• Disable system access
• Retrieve removable media
• Secure hard drives (network drives?)
• Change locks: file cabinets, offices, etc.
• Revoke keycard access
• Remove personal items
• Finally, escort from premises

Termination Issues
• Conducting Exit Interviews
» Remind of contractual obligations
» Discuss the consequences of failure to comply with contractual obligations
» Gather feedback from employee
• Termination brings a level of risk exposure to the
organization, regardless of level of trust in employee

Immediate Severance
• Forgo the customary two-week notice
• Sensitive areas or positions of trust may require this

• Do you have any experience with this?

Outprocessing
Hostile or friendly departure?
• Hostile – termination, downsizing, lay-off, quitting
» Revoke system access first, then notify employee
» Collect sensitive items
» Escort from facility

Outprocessing
Hostile or friendly departure?
• Friendly – retirement, promotion, relocation
» May be a bit tricky to manage
» Set expiration dates for system access or phase out access
» Collect company assets
» Employees typically have more latitude in removing personal
items

Outprocessing
Hostile or friendly departure?
• For both scenarios complete the following:
» Inventory offices and info
» Archive, return to stores or destroy
» Review logs for possible system misuse (and follow-up as
an incident if warranted)
» What do you do about materials at the employee's home?
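The outprocessing checks above (revoke access before notifying a hostile departure, set an expiration date for a friendly one, then review logs for misuse), as an added example that is not part of the original slides; the employee names, timestamps and auth-log lines are all constructed for the example.

```python
"""Offboarding review for the outprocessing steps in these slides.

Added example, not code from the slides or the course: given constructed
departure records and a constructed authentication log, it reports
(1) a hostile departure whose access was revoked after the notification,
(2) a friendly departure with no access expiration set, and
(3) successful logins by a departing account after its access should have
ended (the "review logs for possible system misuse" step).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Departure:
    username: str
    kind: str                                   # "hostile" or "friendly"
    notified_at: datetime                       # when the employee was told
    access_revoked_at: Optional[datetime] = None  # hostile: disable time
    access_expires_at: Optional[datetime] = None  # friendly: phased expiry

    def access_end(self) -> Optional[datetime]:
        """Moment after which any login by this account counts as misuse."""
        return self.access_revoked_at or self.access_expires_at


# Constructed sshd-style auth log (not real log data).
AUTH_LOG = """\
2008-04-01T08:59:10 sshd[2201]: Accepted password for jdoe from 10.0.0.5
2008-04-01T09:14:02 sshd[2310]: Failed password for jdoe from 10.0.0.5
2008-04-01T09:20:45 sshd[2355]: Accepted publickey for jdoe from 10.0.0.9
2008-04-02T10:00:00 sshd[2401]: Accepted password for asmith from 10.0.0.7
2008-04-16T07:30:00 sshd[2500]: Accepted password for asmith from 10.0.0.7
2008-04-01T09:30:00 sshd[2600]: Accepted password for bwong from 10.0.0.8
"""

LOG_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Accepted|Failed) \S+ for (\S+) from (\S+)$")


def parse_auth_log(text: str):
    """Yield (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def check_departure(dep: Departure, log_text: str) -> List[str]:
    """Return findings for one departing employee; an empty list means every check passed."""
    findings = []
    if dep.kind == "hostile":
        if dep.access_revoked_at is None:
            findings.append(f"{dep.username}: hostile departure but access not revoked")
        elif dep.access_revoked_at > dep.notified_at:
            findings.append(f"{dep.username}: access revoked after notification")
    elif dep.kind == "friendly" and dep.access_expires_at is None:
        findings.append(f"{dep.username}: friendly departure without access expiration")

    cutoff = dep.access_end()
    # For a hostile departure the slides require revocation before notification,
    # so any login after the notification is in a window that should not exist.
    if dep.kind == "hostile" and cutoff is not None:
        cutoff = min(cutoff, dep.notified_at)
    if cutoff is not None:
        for ts, result, user, src in parse_auth_log(log_text):
            if user == dep.username and result == "Accepted" and ts > cutoff:
                findings.append(
                    f"{dep.username}: successful login from {src} at "
                    f"{ts.isoformat()} after access should have ended")
    return findings


def review_departures(departures: List[Departure], log_text: str = AUTH_LOG) -> dict:
    """Map each username to its findings."""
    return {d.username: check_departure(d, log_text) for d in departures}


# Constructed roster. jdoe was revoked before notification, yet a public-key
# login at 09:20 still succeeded (only the password was disabled). asmith was
# phased out with an expiry, then logged in the day after it. bwong was notified
# 45 minutes before the account was disabled and logged in during that window.
DEPARTURES = [
    Departure("jdoe", "hostile", datetime(2008, 4, 1, 9, 5),
              access_revoked_at=datetime(2008, 4, 1, 9, 0)),
    Departure("asmith", "friendly", datetime(2008, 4, 1, 10, 0),
              access_expires_at=datetime(2008, 4, 15, 17, 0)),
    Departure("bwong", "hostile", datetime(2008, 4, 1, 9, 0),
              access_revoked_at=datetime(2008, 4, 1, 9, 45)),
]

if __name__ == "__main__":
    for user, items in review_departures(DEPARTURES).items():
        print(user, "OK" if not items else "")
        for item in items:
            print("  -", item)
```

Each finding is something to follow up as an incident, as the slide says; the jdoe case shows why "disable system access" has to cover every credential type, not only the password.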

Personnel Security Practices
Monitor and control employees to minimize opportunities for
misuse of info
• Separation of duties
» Checks and balances mitigate collusion
• Two-person control
• Job and task rotation
• Mandatory vacations
• Least privilege

Security of Personnel and Personal Data
Comply with laws regarding protecting sensitive or personal
info (employees, customers, business partners, etc.)
• Names, addresses, phone numbers
• SSN
• Medical info
There are more regulations that tend to cover this type
of information

Security Considerations for Nonemployees
Nonemployees may have access to sensitive info
• Need to carefully manage these relationships

Temporary Workers
• Brought in to fill positions temporarily or to supplement
workforce
• Usually retained through an outside agency
• Contractual obligations/policies may not apply or may not be enforceable
• Agencies may not be liable for losses

Temporary Workers
To mitigate security concerns
• Follow good security practices
» Clean desk
» Securing classified data
• Least privileges, limited access to data

Temps should not be employed at the cost of sacrificing information security

Contract Employees
• Hired to perform specific services via third party
organizations
• Escort employees in secure areas
• Background check all employees
• Require advance notice for maintenance visits or
cancellation/rescheduling

Consultants
• Self-employed
• Hired for a specific task or project
• Pre-screen and require nondisclosure agreements
• Explicitly give permissions to use company info for
marketing/references
• Apply least privileges

Business Partners
• Strategic alliances for the sake of:
» Information exchange
» Systems integration
» Other mutual advantage
• Specify levels of exposure that the organization will endure
» What info will be exchanged?
» With whom?
» In what format?

Business Partners
System connection means that a vulnerability on one system
becomes a vulnerability for all linked systems

Conclusion
• Use standard job descriptions to increase the degree of
professionalism in staffing
• Professional certifications help to identify levels of
proficiency
• Integrate security concepts and practices into employment
activities

Questions
