Lewis University
Information Security Practicum
Step-by-Step of Conducting Risk Analysis and Management to Digital Zone Corporation
Spring 2013
Student's name: Yaser Aljohani
Student's ID #: 210996289
Instructor's name: Dr. Faisal Abdullah

Introduction of Risk Analysis and Management
Risk analysis and management is a significant part of any organization that wants a secure computing environment. It helps the organization improve its security against the threats and risks that could harm its sensitive information, assets, and business.

Digital Zone Corporation
Digital Zone Corporation is a computer and digital services company. It provides IT services to its customers such as computer repair, computer upgrades, wireless/wired network setup for homes and businesses, troubleshooting, and web site development. To provide these services it collects customer information (first name, last name, phone number, home address, and email address) and stores it in its system.

Goals and objectives
- Asset evaluation and asset values: number of servers, computers, networks, etc.
- Using risk assessment tools and security checklists
- Finding all vulnerabilities
- Finding all threats
- Finding all risks
- Finding the top 5 risks
- Finding mitigations or remedies for the risks, with suggestions and recommendations
- Establishing an Information Risk Management (IRM) policy
- Establishing a security awareness program for both employees and customers
- Establishing insurance and a contingency plan (recovery plan)

What is Risk Analysis?
Risk analysis is the process of identifying and analyzing the dangers posed to businesses, individuals, and government agencies by potential natural and human-caused adverse events.
In IT, a risk analysis report can be used to align a company's business objectives with its technology-related objectives. The report can be either qualitative or quantitative.

What is the difference between Risk analysis and Risk management?
Risk analysis identifies and assesses the levels of risk, estimated from the known values of the assets, the vulnerabilities of those assets, and the levels of the threats to them. Risk management identifies, selects, and adopts the countermeasures that are justified by the identified risks to the assets, reducing the risks to an acceptable level.

Why we use it and When?
We use risk analysis because it helps us understand risk so that we can manage it and minimize its disruption. We use it when planning projects, improving safety and managing potential risks in the workplace, preparing for events such as theft, equipment or technology failure, or natural disasters, and planning for changes in our environment.

Where we use it and how?
Risk analysis can be used anywhere there are assets such as computers, servers, networks, sensitive information, etc. It is applied to the components of risk: assets, threats, vulnerabilities, likelihoods, impacts, and safeguards.

How to Calculate the Risk?
There are two kinds of risk assessment: quantitative and qualitative.
- Quantitative risk assessment draws on methodologies used by financial institutions and insurance companies; it expresses likelihood and loss as numeric (typically monetary) values and is considered the standard way of measuring risk in many fields.
- Qualitative risk assessment assumes there is already a great degree of uncertainty in the likelihood and impact values, defines them, and thus the risk, in subjective terms, and gives risk results of "High", "Moderate", and "Low".

Steps for Risk analysis and management
1. Systems inventory: identify all the assets involved in supporting critical business processes.
2. Threat analysis: identify the potential threats to the critical systems.
3. Infrastructure vulnerability assessment: identify the technology vulnerabilities that could be exploited.
4. Develop the security control suggestions: link the risk management strategy recommendations to the results of the assessment.
5. Decision: act or accept (the risk management decision).
6. Monitoring and communication: management and user support are important for implementing the controls successfully.

Risk, Threats, and Vulnerabilities
Risk is the possible damage that could result from some current or future process or event.
A threat is any act or event that could lead to tampering, damage, or denial of service. Examples of threats: floods, fire, other natural disasters, heat, freezing, man-made threats, and malware (viruses, worms, Trojans, and spyware).
A vulnerability is any weakness or flaw in the design, implementation, security procedures, or internal controls of a system that could be exploited to violate the system's security policy or cause a security breach.

Threat elements
Three critical elements of a threat:
- The profile of the threat: what threats and risks could affect the asset?
- The probability of the threat: how likely is the threat to occur?
- The consequence of the threat: what effect would the loss of the asset have on the organization's operations or its employees?

The Information Risk Management (IRM) policy
It explains the role of security and the acceptable level of risk. It should address the following issues:
- The IRM team
- Objectives
- What is considered an acceptable risk
- The formal processes of risk identification
- The connection between the organization's strategic planning processes and the IRM policy
- Roles and responsibilities
- Mapping of risks to the internal controls
- Mapping of risks to budgets and performance objectives
- Key indicators to monitor the effectiveness of controls
- The approach that would change resource allocation and staff behavior in response to the risk assessment

Security Checklists
There are security checklists for many different components, such as networks, computers, servers, switches, firewalls, routers, copiers, workstations, scanners, etc. Each checklist provides recommendations that help security specialists find the vulnerabilities and threats that could affect the system; applying the recommended settings reduces and mitigates the risks that could result from those threats.

Contingency plan
- Disaster recovery plan: covers recovery that takes place on-site after a long-term service interruption.
- Incident response plan: covers identifying, responding to, and recovering from an incident (short-term events).
- Business continuity plan: covers long-term incidents that require the organization to recover at off-site locations (long-term service interruption).

Security Awareness Program
It helps both employees and customers understand risks, the consequences of risks, and how they could avoid them. It gives guidelines and instructions on many different elements such as e-mail security, username and password security, acceptable use of technology, mobile devices, staying safe and secure online, remote access, the network, and sensitive information.
It helps reduce the probability that risks occur.

Cycle of Risk Management
The U.S. Government Accountability Office (GAO) has recommended a cycle of risk management activities for organizations managing their information security risks:
1. Conducting risk assessments for all their systems
2. Establishing information security policies and procedures that are commensurate with risk and that comprehensively address significant threats
3. Providing sufficient computer security training to their employees
4. Testing and evaluating controls as part of their management assessments
5. Implementing documented incident handling procedures
6. Identifying and prioritizing their critical operations and assets, and determining the priority for restoring these assets should a disruption in critical operations occur

Advantages of Risk Analysis and Management
- It builds a strong IT infrastructure in the organization.
- It increases confidence between the organization and its customers.
- It builds good communication between management, the IT department, and end users.
- Customers receive a good quality of service.
- It increases the organization's profits.
- The organization gains an Information Risk Management (IRM) policy, a Security Awareness Program, and a Contingency plan.
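The "How to Calculate the Risk?" slide names the quantitative and qualitative methods, and the "Steps" and "Goals" slides call for ranking the top 5 risks and deciding whether to act or accept, but the deck never shows the arithmetic. The script below is an added example, not part of the original presentation or of Digital Zone's own assessment. It uses the standard annualized loss expectancy model (SLE = AV x EF, ALE = SLE x ARO), which the slides do not name; the 3x3 likelihood/impact matrix and its Low/Moderate/High cut-offs, the function names, and the sample asset register with its dollar values and occurrence rates are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative levels. The 3x3 matrix and the Low / Moderate / High cut-offs
# used below are one common convention, assumed here; the presentation names
# the three output levels but not the matrix behind them.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV: replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 - 1.0)
    aro: float              # ARO: expected occurrences per year
    likelihood: str         # qualitative likelihood: Low / Medium / High
    impact: str             # qualitative impact:     Low / Medium / High

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle * self.aro


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to High, Moderate or Low (assumed 3x3 matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]   # products: 1, 2, 3, 4, 6, 9
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def top_risks(risks, n=5):
    """The 'Finding top 5 risks' step: rank the register by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)[:n]


def countermeasure_value(risk: Risk, new_aro: float, annual_cost: float, new_ef=None) -> float:
    """Net annual value of a safeguard: ALE before - ALE after - annual cost.

    A positive result is the cost/benefit justification behind the
    'act or accept' decision step; a negative one says accept (or find a
    cheaper control)."""
    ef_after = risk.exposure_factor if new_ef is None else new_ef
    ale_after = risk.asset_value * ef_after * new_aro
    return risk.ale - ale_after - annual_cost


# Constructed sample register for a small IT-services shop; every figure is
# illustrative, none comes from the Digital Zone assessment.
SAMPLE_RISKS = [
    Risk("Customer database server", "Malware infection", 20000, 0.50, 2.00, "High", "High"),
    Risk("Customer database server", "Fire", 20000, 1.00, 0.02, "Low", "High"),
    Risk("Company web site", "Defacement", 5000, 0.60, 1.00, "Medium", "Medium"),
    Risk("Workstations", "Theft", 8000, 0.25, 0.50, "Low", "Medium"),
    Risk("Wireless network", "Unauthorized access", 3000, 0.40, 1.50, "High", "Low"),
    Risk("Customer records", "Phishing of employee credentials", 15000, 0.30, 1.00, "Medium", "High"),
]

if __name__ == "__main__":
    print(f"{'Asset':26} {'Threat':34} {'SLE':>8} {'ALE':>8}  Rating")
    for r in top_risks(SAMPLE_RISKS):
        print(f"{r.asset:26} {r.threat:34} {r.sle:8.0f} {r.ale:8.0f}  "
              f"{qualitative_rating(r.likelihood, r.impact)}")
    # Assumed safeguard for the top risk: endpoint anti-malware plus monthly
    # patching at $3000/yr, cutting expected infections from 2 per year to
    # one every 4 years (ARO 0.25).
    server_malware = SAMPLE_RISKS[0]
    print("Safeguard value per year:",
          countermeasure_value(server_malware, new_aro=0.25, annual_cost=3000))
```

Run as-is it prints the five highest-ALE entries (fire drops off the list because its ARO is tiny even though one occurrence destroys the server) and a safeguard value of 14500, meaning the control pays for itself. Note how the quantitative and qualitative views can disagree: the fire scenario rates "Moderate" on the matrix but ranks last by ALE. The ALE numbers are only as good as the EF and ARO estimates feeding them, which is exactly why the qualitative method exists for assets where those figures cannot be estimated with confidence.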
Security Assessment Methodologies and tools
- Nessus
- SAINT
- OCTAVE
- FRAP
- Practical Threat Analysis (PTA)
- SARA
- NIST
- COBRA
- Microsoft Baseline Security Analyzer
- RiskWatch
- Whisker

PTA screenshots: Assets; Vulnerabilities; Threats; Countermeasures; Results
Nessus screenshots: Scan list; Vulnerabilities summary; Host summary; Filter options; Results after filters; Description of a vulnerability
Microsoft Baseline Security Analyzer screenshots: Adjusting scan settings; Scanning process; Results after scan

Conclusion
Three critical elements should be considered in risk analysis and management: information confidentiality, system availability, and information integrity.

Thank you