Vulnerability analysis and management - a
step forward towards improving the optimal
management of new and emergent risks
Prof. Dr. Stefan KOVACS
INCDPM "Alexandru Darabont", Bucharest, Romania
E-mail: stefan_agk@yahoo.com
Vulnerability?
• The term vulnerability was used to define the
exposure of an individual or of a facility to a
potential aggression.
• An individual could be exposed to illness, a
facility to natural disasters, decay or
malevolence.
Individual vulnerability
could be:
• 1. physical - takes into account the genetic aspects and
also the acquired consequences of work, such as stress.
• 2. social - takes into account the position of the
individual on the social ladder, his life goals and
expectations, his relationship with colleagues and
supervisors.
• 3. economic vulnerability - if the individual is exposed
he would try a strategy in order to find the necessary
money. This strategy could be based on his own work (to
optimize his activity, to work supplementary hours) or
could be based on antisocial and malevolent acts.
Other vulnerabilities
• - vulnerability of facilities - here being included everything from hand tools
(vulnerable to decay if not maintained properly) to complex
process installations. Facilities are vulnerable to natural and
malevolent aggression. In between they are also vulnerable to decay
or damage occurring from work acts;
• - vulnerability of community - communities are an aggregate of
individuals and facilities. The individuals could lead to a vulnerability
profile for the community if they have common characteristics - for
example populations from a certain area are more exposed to
specific aggressors than other populations. The facilities could have
certain characteristics that could also increase the community
vulnerability (for example nuclear facilities, process facilities near
the houses, etc.). A community could also be affected by natural
disasters like Hurricane Katrina.
Vulnerability treatment
Vulnerability assessment
• A vulnerability analysis or assessment is the
process of identifying, quantifying, and
prioritizing (or ranking) the vulnerabilities in a
system.
• Examples of systems for which vulnerability
assessments are performed can be found in
every economic domain - they include, but are
not limited to, nuclear power plants, information
technology systems, energy supply systems,
water supply systems, transportation systems,
and communication systems.
Vulnerability assessment
• Why analyse vulnerabilities and not risks?
Vulnerability analysis and research could be a
preliminary phase of risk analysis. It involves
lower costs and could also be done more quickly
and with fewer resources. As risk is the more general
notion, vulnerabilities could be specifically
targeted. Usually, the elimination of a vulnerability
leads to the elimination of the linked risks. The
notion of vulnerability by itself supposes that
some actions should be taken in order to
eliminate or mitigate the vulnerability.
Vulnerability assessment
• Vulnerability assessment focuses both on
consequences for the object itself and on primary
and secondary consequences for the surrounding
environment. It also concerns itself with the
possibilities of reducing such consequences and
of improving the capacity to manage future
incidents.
• In general, a vulnerability analysis serves to
"categorize key assets and drive the risk
management process." (United States
Department of Energy, 2002)
Vulnerability management
• Vulnerability management should include the
main steps of:
– identification of and learning about vulnerabilities;
– mitigation;
– monitoring.
Vulnerability management-mitigation
• The mitigation phase should include:
– Collection – The company collects vulnerability reports in two ways:
monitoring public sources of vulnerability information and processing
reports sent directly to the company.
– Analysis - Once the vulnerabilities are cataloged, the company
determines general severity, considering factors such as the number of
affected systems, impact, and attack scenarios. Based on severity and
other attributes, they select vulnerabilities for further analysis.
– Coordination - When handling direct reports, the company works
privately with suppliers and clients to address vulnerabilities before
widespread public disclosure.
– Disclosure - After coordinating with all the stakeholders, the company
takes steps to notify critical audiences and the public about the
vulnerabilities. To the best of their ability, they produce accurate,
objective technical information focused on solutions and mitigation
techniques.
Vulnerability management
• An optimal management methodology could be based
upon the Improved Vulnerability Assessment
Framework (IVAF), which was developed and improved
as a response to US Presidential Decision Directive
63.
• The Improved Vulnerability Assessment Framework
(IVAF) acts through a three-step process and
enables an economic entity:
– to define its Minimum Essential Infrastructure (MEI);
– to identify and locate interdependencies and vulnerabilities
of the MEI;
– to provide the basis for developing mitigation and
management plans.
Vulnerability management
• The methodology primarily consists of three
major steps, as shown in the next figure.
• Each step consists of a series of activities.
• Using these assessment steps, the assessment
team will compile a list of vulnerabilities for the
organization to evaluate and determine
appropriate next steps. Next steps include
determining the order in which vulnerabilities
should be addressed, the resources required, and
the level of investment necessary to meet the
management’s objectives.
Vulnerability management
[Figure: the three major steps of the IVAF methodology]
Vulnerability management
• In the first phase the assessment team will define
the Minimum Essential Infrastructure for the
enterprise. The focus is on the specific
infrastructure components that support Mission
Essential Processes (MEP) that are absolutely
fundamental to achieving an enterprise's main
activities. Once the MEI is identified, the
vulnerabilities that potentially affect it are the
most important starting points for vulnerability
mitigation and minimization plans.
Vulnerability management
• In the second phase the IVAF evaluation will
review actions, devices, procedures, techniques
and other measures that potentially place the
organization's MEI resources at risk. The outcome
will be the identification and reporting of flaws or
omissions in controls (i.e. vulnerabilities) that
may affect the integrity, confidentiality,
accountability, and/or the availability of resources
that are essential to achieving the organization's
core mission(s).
Vulnerability management
• In the last phase the team will define and
analyze the vulnerabilities identified in IVAF
Phase 2 and MEI external dependencies from
IVAF Phase 1, thereby enabling at least a first
order of prioritization for purposes of
remediation or minimization.
Vulnerability management
• Each step of the IVAF will be outlined in the
following format:
– Objectives
– Critical Success Factors
– Expected Outcomes
– Activities
Vulnerability management
Minimum Essential
Infrastructure (MEI)
Vulnerability management
• There are primarily nine activities necessary to complete Phase 1:
– 1.1 Identify the core mission(s) of the organization
– 1.2 Identify the threat environment
– 1.3 Identify the core processes and activities supporting the core
mission(s)
– 1.4 Analyze the value of each core process, categorizing them as Code
Red, Code Amber, and Code Green
– 1.5 Identify organizational structure and customers as well as roles and
responsibilities
– 1.6 Identify facilities
– 1.7 Map architecture and systems
– 1.8 Link physical, organizational and architecture components to core
processes valued "Code Red"
– 1.9 Identify external resources upon which the enterprise MEI is
dependent
Vulnerability management
• The three codes have the following meanings:
• Code Red: Prevents the enterprise from fulfilling
its mission. From the perspective of an attacker,
this would constitute a "kill".
• Code Amber: Significantly debilitates or interferes
with the ability of the enterprise to fulfill its
mission or economic security functions, or to
provide continuity of core services.
• Code Green: No appreciable impact on enterprise
missions.
Vulnerability management
• The activities that comprise Phase 2 are essentially the data
gathering and analyses necessary to evaluate each of the six areas
of control. Each area of control has an assessment questionnaire
designed to gather information pertinent to that area of control.
• Risk assessments should consider data sensitivity, the need for
integrity, and the range of risks that an entity's MEI resource
elements may be subject to, including those risks posed by
authorized internal and external users as well as by unauthorized
outsiders who may try to "break into" the cyber systems. Such
analyses should also draw on reviews of system and network
configurations, observations and testing of existing security
controls for cyber systems, and reviews and testing of controls
for the other resource elements.
Vulnerability management
• A Code Red is assigned if:
– a vulnerability is caused by a lack of
accountability, i.e. if ownership of the process,
system or inputs/outputs is not clearly or
appropriately defined; or
– a vulnerability is exploited and controls are
not in place to warn those accountable.
Vulnerability management
A checklist example is given in the following table.

No. | Control Objectives | Control Technique | Compliance Procedures
--- | --- | --- | ---
1 | Maintain a positive information control environment. | Does Management create a framework and an awareness program fostering a positive control environment throughout the entire organization by addressing aspects such as: integrity, ethical values and competence of the people; management philosophy and operating style? | Review related policies and procedures. Review Senior Management roles and responsibilities. Review objectives and long/short range plans.
Vulnerability management
• A detailed vulnerability checklist would take
into account three component elements: risk,
probability and readiness to act.
• Issues to consider for probability include, but are
not limited to:
– 1. Known risk
– 2. Historical data
– 3. Manufacturer/vendor statistics
Vulnerability management
• Issues to consider for risk include, but are not
limited to:
– 1. Threat to life and/or health
– 2. Disruption of services
– 3. Damage/failure possibilities
– 4. Loss of community trust
– 5. Financial impact
– 6. Legal issues
Vulnerability management
• Issues to consider for readiness include, but
are not limited to:
– 1. Status of current plans
– 2. Training status
– 3. Insurance
– 4. Availability of backup systems
– 5. Community resources
Vulnerability management
The next template shows how these elements would be integrated into the assessment of vulnerability.

No | Vulnerability assessment for: | Probability (1-5) | Risk (1-5) | Readiness (1-5) | Total
--- | --- | --- | --- | --- | ---
 | | 1 2 3 4 5 | 1 2 3 4 5 | 1 2 3 4 5 | 
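To show how the template and the Code Red rule fit together, the following is an added example, not part of the original presentation: a vulnerability entry carries the three 1-5 scores from the checklist plus the accountability facts the Code Red rule asks about, and the prioritization puts Code Red entries first and then orders by total. The sample entries, the summing of the three scores into the Total column, and the convention that readiness 5 means "least ready" are assumptions made for this example.

```python
from dataclasses import dataclass

CODE_RED = "Code Red"


@dataclass
class VulnerabilityEntry:
    """One row of the assessment template: three 1..5 scores plus the
    accountability facts needed by the Code Red rule on the slides."""
    name: str
    probability: int      # known risk, historical data, vendor statistics
    risk: int             # threat to life/health, disruption, financial, legal ...
    readiness: int        # status of plans, training, insurance, backups (assumption: 5 = least ready)
    owner_defined: bool   # is ownership of the process/system/inputs/outputs clearly defined?
    exploited: bool = False         # has the vulnerability already been exploited?
    warning_controls: bool = True   # are controls in place to warn those accountable?

    def __post_init__(self):
        # Reject scores outside the template's 1..5 scale early.
        for label in ("probability", "risk", "readiness"):
            value = getattr(self, label)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def total_score(entry: VulnerabilityEntry) -> int:
    # Assumption: the template's Total column is the plain sum of the three scores.
    return entry.probability + entry.risk + entry.readiness


def is_code_red(entry: VulnerabilityEntry) -> bool:
    """The two Code Red conditions stated on the slides: missing accountability,
    or an exploited vulnerability with no controls to warn those accountable."""
    if not entry.owner_defined:
        return True
    if entry.exploited and not entry.warning_controls:
        return True
    return False


def prioritize(entries):
    """Remediation order: Code Red entries first, then descending total;
    ties are broken by name so the report is stable between runs."""
    return sorted(entries, key=lambda e: (not is_code_red(e), -total_score(e), e.name))


def render_template(entries) -> str:
    """Render the filled-in template in the slide's column layout."""
    header = f"{'No':<3} {'Vulnerability assessment for':<34} {'P':>2} {'R':>2} {'Rd':>2} {'Total':>5} {'Code':<8}"
    lines = [header]
    for number, e in enumerate(prioritize(entries), start=1):
        code = CODE_RED if is_code_red(e) else ""
        lines.append(f"{number:<3} {e.name:<34} {e.probability:>2} {e.risk:>2} "
                     f"{e.readiness:>2} {total_score(e):>5} {code:<8}")
    return "\n".join(lines)


# Constructed sample entries for illustration (not taken from the slides).
SAMPLE = [
    VulnerabilityEntry("Unpatched process-control server", 4, 5, 3, owner_defined=True),
    VulnerabilityEntry("Shared admin account, no owner", 3, 3, 2, owner_defined=False),
    VulnerabilityEntry("Backup generator untested", 2, 4, 5, owner_defined=True),
    VulnerabilityEntry("Supplier portal login already misused", 3, 2, 2,
                       owner_defined=True, exploited=True, warning_controls=False),
]

if __name__ == "__main__":
    print(render_template(SAMPLE))
```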
Conclusion
• Vulnerability analysis could be a solution for
understanding the roots of the losses, incidents and
accidents that occur day by day in enterprises
across Europe, SMEs and large companies alike. Being vulnerable
is a big risk for every enterprise on a competitive
market. Even if not attacked directly, a vulnerable
enterprise competes with more difficulty on this market
than a non-vulnerable one.
• Connecting vulnerability and risk analysis could give
management a global picture of the causes and effects
of unexpected events that could disturb the normal
enterprise activity.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Ir s 1_2_1_kovacs

6. Vulnerability assessment
• A vulnerability analysis or assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
• Examples of systems for which vulnerability assessments are performed can be found in every economic domain; they include, but are not limited to, nuclear power plants, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.

7. Vulnerability assessment
• Why analyse vulnerabilities and not risks? Vulnerability analysis and research can be a preliminary phase of risk analysis. It involves lower costs and can also be done more quickly and with fewer resources. As risk is a more general notion, vulnerabilities can be specifically targeted. Usually, the elimination of a vulnerability leads to the elimination of the linked risks. The notion of vulnerability by itself supposes that some actions should be taken in order to eliminate or mitigate the vulnerability.

8. Vulnerability assessment
• Vulnerability assessment focuses both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. It also concerns itself with the possibilities of reducing such consequences and of improving the capacity to manage future incidents.
• In general, a vulnerability analysis serves to "categorize key assets and drive the risk management process." (United States Department of Energy, 2002)
9. Vulnerability management
• Vulnerability management should include the main steps of:
– identification and learning about vulnerabilities;
– mitigation;
– monitoring.

10. Vulnerability management - mitigation
• The mitigation phase should include:
– Collection: the company collects vulnerability reports in two ways: monitoring public sources of vulnerability information and processing reports sent directly to the company.
– Analysis: once the vulnerabilities are cataloged, the company determines general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, they select vulnerabilities for further analysis.
– Coordination: when handling direct reports, the company works privately with suppliers and clients to address vulnerabilities before widespread public disclosure.
– Disclosure: after coordinating with all the stakeholders, the company takes steps to notify critical audiences and the public about the vulnerabilities. To the best of their ability, they produce accurate, objective technical information focused on solutions and mitigation techniques.

11. Vulnerability management
• An optimal management methodology could be based upon the Improved Vulnerability Assessment Framework (IVAF), which was developed and improved as a response to the US Presidential Decision Directive 63.
• The Improved Vulnerability Assessment Framework (IVAF) would act through a three-step process and will enable an economic entity:
– to define its Minimum Essential Infrastructure (MEI);
– to identify and locate interdependencies and vulnerabilities of the MEI;
– to provide the basis for developing mitigation and management plans.

12. Vulnerability management
• The methodology primarily consists of three major steps, as shown in the next figure.
• Each step consists of a series of activities.
• Using these assessment steps, the assessment team will compile a list of vulnerabilities for the organization to evaluate and determine appropriate next steps. Next steps include determining the order in which vulnerabilities should be addressed, the resources required, and the level of investment necessary to meet the management's objectives.
14. Vulnerability management
• In the first phase the assessment team will define the Minimum Essential Infrastructure for the enterprise. The focus is on the specific infrastructure components that support Mission Essential Processes (MEP) that are absolutely fundamental to achieving an enterprise's main activities. Once the MEI is identified, the vulnerabilities that potentially affect it are the most important starting points for vulnerability mitigation and minimization plans.

15. Vulnerability management
• In the second phase the IVAF evaluation will review actions, devices, procedures, techniques and other measures that potentially place the organization's MEI resources at risk. The outcome will be the identification and reporting of flaws or omissions in controls (i.e. vulnerabilities) that may affect the integrity, confidentiality, accountability, and/or the availability of resources that are essential to achieving the organization's core mission(s).

16. Vulnerability management
• In the last phase the team will define and analyze the vulnerabilities identified in IVAF Phase 2 and the MEI external dependencies from IVAF Phase 1, thereby enabling at least a first order of prioritization for purposes of remediation or minimization.

17. Vulnerability management
• Each step of the IVAF will be outlined in the following format:
– Objectives
– Critical Success Factors
– Expected Outcomes
– Activities

19. Vulnerability management
• There are primarily nine activities necessary to complete Phase 1:
– 1.1 Identify the core mission(s) of the organization
– 1.2 Identify the threat environment
– 1.3 Identify the core processes and activities supporting the core mission(s)
– 1.4 Analyze the value of each core process, categorizing them as Code Red, Code Amber, and Code Green
– 1.5 Identify organizational structure and customers as well as roles and responsibilities
– 1.6 Identify facilities
– 1.7 Map architecture and systems
– 1.8 Link physical, organizational and architecture components to core processes valued "Code Red"
– 1.9 Identify external resources upon which the enterprise MEI is dependent

20. Vulnerability management
• The three codes have the following meanings:
• Code Red: prevents the enterprise from fulfilling its mission. From the perspective of an attacker, this would constitute a "kill."
• Code Amber: significantly debilitates or interferes with the ability of the enterprise to fulfill its mission or economic security functions, or to provide continuity of core services.
• Code Green: no appreciable impact on enterprise missions.

21. Vulnerability management
• The activities that comprise Phase 2 are essentially the data gathering and analyses necessary to evaluate each of the six areas of control. Each area of control has an assessment questionnaire designed to gather information pertinent to that area of control.
• Risk assessments should consider data sensitivity, the need for integrity, and the range of risks that an entity's MEI resource elements may be subject to, including those risks posed by authorized internal and external users, as well as unauthorized outsiders who may try to "break into" the cyber systems. Such analyses should also draw on reviews of system and network configurations and on observations and testing of existing security controls for cyber systems, as well as reviews and testing of controls for the other resource elements.

23. Vulnerability management
• A Code Red is assigned if:
– a vulnerability is caused by a lack of accountability, i.e. if ownership of the process, system or inputs/outputs is not clearly or appropriately defined; or
– a vulnerability is exploited and controls are not in place to warn those accountable.
24. Vulnerability management
• A checklist example is given in the following table.

No. | Control objectives | Control technique | Compliance procedures
 | Maintain a positive information control environment. | Does management create a framework and an awareness program fostering a positive control environment throughout the entire organization, by addressing aspects such as: integrity, ethical values and competence of the people; management philosophy and operating style? | Review related policies and procedures. Review senior management roles and responsibilities. Review objectives and long/short range plans.
25. Vulnerability management
• A detailed vulnerability checklist would take into account three component elements: risk, probability and readiness to act.
– Issues to consider for probability include, but are not limited to:
• 1. Known risk
• 2. Historical data
• 3. Manufacturer/vendor statistics

26. Vulnerability management
• Issues to consider for risk include, but are not limited to:
– 1. Threat to life and/or health
– 2. Disruption of services
– 3. Damage/failure possibilities
– 4. Loss of community trust
– 5. Financial impact
– 6. Legal issues

27. Vulnerability management
• Issues to consider for readiness include, but are not limited to:
– 1. Status of current plans
– 2. Training status
– 3. Insurance
– 4. Availability of backup systems
– 5. Community resources
28. Vulnerability management
• The next template shows how these elements would be integrated into the assessment of vulnerability.

No | Vulnerability assessment for: | Probability (1 2 3 4 5) | Risk (1 2 3 4 5) | Readiness (1 2 3 4 5) | Total
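The following is an added example, not a tool from the deck, showing how the probability / risk / readiness template of slides 25-28 and the Code Red rule of slide 23 can be rolled up into a first-order remediation ordering. Two things the deck leaves open are stated as assumptions here: the "Total" column is taken as the plain sum of the three 1..5 ratings, and readiness is assumed to be scored so that 5 means least ready (so every element grows with exposure). The entries, their field names and their scores are constructed.

```python
"""Score the vulnerability checklist template (probability, risk, readiness,
total) and apply the Code Red accountability rule on top of the scores.
Added example; the data and the summation rule are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # the template rates each element on 1..5


@dataclass
class VulnerabilityEntry:
    subject: str          # the template's "Vulnerability assessment for:" column
    probability: int      # 1..5: known risk, historical data, vendor statistics
    risk: int             # 1..5: threat to life/health, disruption, damage, trust, financial, legal
    readiness: int        # 1..5; ASSUMPTION: 5 = least ready, so the rating grows with exposure
    owner_defined: bool = True      # ownership of process/system/inputs/outputs clearly defined?
    exploited: bool = False         # has the vulnerability already been exploited?
    warning_controls: bool = True   # are controls in place to warn those accountable?


def validate(entry: VulnerabilityEntry) -> None:
    """Reject ratings outside the 1..5 scale before they reach a total."""
    for name in ("probability", "risk", "readiness"):
        value = getattr(entry, name)
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{entry.subject}: {name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")


def total_score(entry: VulnerabilityEntry) -> int:
    """ASSUMPTION: the template's 'Total' column is the plain sum of the three ratings."""
    validate(entry)
    return entry.probability + entry.risk + entry.readiness


def is_code_red(entry: VulnerabilityEntry) -> bool:
    """Code Red rule from slide 23: lack of accountability (no clear owner), or an
    exploited vulnerability with no controls in place to warn those accountable."""
    lacks_accountability = not entry.owner_defined
    exploited_unwarned = entry.exploited and not entry.warning_controls
    return lacks_accountability or exploited_unwarned


def prioritize(entries: List[VulnerabilityEntry]) -> List[Tuple[str, int, bool]]:
    """First-order remediation ordering: Code Red entries first, then by total
    descending; the subject name breaks ties so the order is deterministic."""
    rows = [(e.subject, total_score(e), is_code_red(e)) for e in entries]
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))


# Constructed sample entries (not from the deck); one lacks an owner, one was
# exploited without warning controls, so both fall under the Code Red rule.
SAMPLE = [
    VulnerabilityEntry("Water supply pump control PLC", probability=4, risk=5, readiness=3),
    VulnerabilityEntry("Backup generator fuel supply", probability=2, risk=4, readiness=5,
                       owner_defined=False),
    VulnerabilityEntry("Visitor badge issuance", probability=3, risk=2, readiness=1),
    VulnerabilityEntry("Remote maintenance VPN", probability=5, risk=4, readiness=3,
                       exploited=True, warning_controls=False),
]

if __name__ == "__main__":
    print(f"{'Vulnerability assessment for:':32} Total  Code Red")
    for subject, total, red in prioritize(SAMPLE):
        print(f"{subject:32} {total:5}  {'yes' if red else 'no'}")
```

Note that the PLC entry has the highest total of the non-red items yet still ranks below both Code Red items: the accountability rule is applied as an override, not folded into the score, which matches the deck's treatment of Code Red as a categorical assignment rather than a threshold.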
29. Conclusion
• Vulnerability analysis could be a solution for understanding the roots of the losses, incidents and accidents that are occurring day by day in enterprises across Europe, whether SMEs or big companies. To be vulnerable is a big risk for every enterprise on a competitive market. Even if not attacked directly, a vulnerable enterprise competes with more difficulty on this market than a non-vulnerable one.
• Connecting vulnerability and risk analysis could give the management a global image of the causes and effects of unexpected events that could disturb the normal enterprise activity.