15. Risk Assessment
• The process of identifying the threats, vulnerabilities and the impacts
of loss of the data or of the ability to process data.
• How to determine the risk prioritization:
- Based on cost of assets or threat to the organization.
- Based on likelihood of occurrence.
- Coordination with BIA (Business Impact Analysis).
16. Practical Risk Assessment
You’ve been asked to do a quick assessment of the risks your company
faces from a security perspective. What steps might you take to develop
an overview of your company’s problems?
1. Interview the department heads and the data owners to determine what
information they feel requires additional security and to identify the existing
vulnerabilities from their perspective.
2. Evaluate the network infrastructure to determine known vulnerabilities
and how you might counter them.
3. Perform a physical assessment of the facility to evaluate what physical
risks must be countered.
Armed with this information, you have a place to start, and you can
determine which countermeasures may be appropriate for the company to
mitigate risk.
17. Risk Assessment Approaches
Qualitative Assessment
• Non-numerical values, levels, or categories (low, medium, high)
• Numerical values may be assigned for relative calculations, but they are
not meaningful outside of the assessment in which they are used
Quantitative Assessment
• Based on the use of numbers; values remain consistent regardless of context
– Financial costs
– Time measurements
18. Quantitative Risk Assessment
Calculation steps:
• Assign Asset Value (AV)
• Calculate the Exposure Factor (EF)
• Single-Loss Expectancy (SLE) for each threat = AV * EF
• Calculate the likelihood of each threat being realized in a single year, the Annualized Rate of Occurrence (ARO)
• Calculate Annualized Loss Expectancy (ALE), the overall loss potential per threat = SLE * ARO
• Example: the EEAKSA website suffers a DDoS attack once every 4 years. Website revenue is 400,000 SAR and an attack
may cause a 1% loss of the website's production. What is the Annual Loss Expectancy for EEAKSA?
1- AV = 400,000 SAR
2- EF = 1% = .01
3- SLE = AV * EF = 400,000 * .01 = 4,000 SAR
4- ARO = 1/4 = .25
5- ALE = SLE * ARO = 4,000 * .25 = 1,000 SAR
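The five calculation steps above, carried through in code as an added example (not part of the original slides): the EEAKSA DDoS case from the slide is the first entry, the other two threats, the ranking step and the countermeasure comparison are assumptions added here to show how ALE feeds risk prioritization.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, holding the inputs the slide's steps require."""
    name: str
    asset_value: float        # AV, in currency units (SAR in the slide's example)
    exposure_factor: float    # EF, fraction of AV lost per incident (0.0 to 1.0)
    years_between: float      # one occurrence every N years, so ARO = 1 / N

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.years_between <= 0:
            raise ValueError("years_between must be positive")

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence."""
        return 1.0 / self.years_between

    @property
    def sle(self) -> float:
        """Single-Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


def rank_by_ale(threats):
    """Highest annual loss first: the order in which to prioritize the risks."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def control_benefit(threat, ef_after, annual_cost):
    """Net yearly value of a countermeasure that lowers EF to ef_after.
    Positive means the control saves more per year than it costs."""
    reduced = Threat(threat.name, threat.asset_value, ef_after, threat.years_between)
    return threat.ale - reduced.ale - annual_cost


# Constructed sample: the slide's EEAKSA DDoS case plus two invented threats.
EEAKSA_DDOS = Threat("DDoS on EEAKSA website", 400_000, 0.01, 4)
SAMPLE = [
    EEAKSA_DDOS,
    Threat("Ransomware on file server", 250_000, 0.40, 10),
    Threat("Stolen unencrypted laptop", 5_000, 1.00, 1),
]

if __name__ == "__main__":
    for t in rank_by_ale(SAMPLE):
        print(f"{t.name}: SLE={t.sle:,.0f} ARO={t.aro:.2f} ALE={t.ale:,.0f} SAR")
    # Hypothetical DDoS mitigation cutting EF to 0.2% for 500 SAR/year (constructed)
    print("DDoS control net benefit:", control_benefit(EEAKSA_DDOS, 0.002, 500))
```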
21. Personnel Security Policy
• Hiring
Background checks:
– Credit history
– Driving record
– Criminal record
– Substance testing
– References
– Education/certification verification
Job descriptions
Employment agreements (NDA, AUP)
• Termination
How employee resources are handled:
– Collection of computer, phone, badges
– Permission changes
Schedule of activities
22. Personnel Security Policies
Least Privilege
Requires that each person or process be able to access only the
information and resources that are necessary for their legitimate
purpose.
• Ex. IT manager does not require physical access to the data center
Separation of duties (SOD)
Requires more than one person to complete a task.
Two methods to implement are:
1. Split-knowledge: No one person has sufficient knowledge or
capability to complete a task
2. Dual-control: Two people are required to accomplish a task;
e.g., two locks on a safe and each person only has one key
Job rotation
Assigns employees to various jobs or departments over time to detect
errors and frauds.
Reduces the risk of collusion between individuals.
Mandatory vacations
Forced time off to allow for audits and potential discovery of illicit
activities.
Should not be planned or announced in advance.
23. Business Continuity Planning
The process of implementing policies, controls, and
procedures to counteract the effects of losses, outages,
or failures of critical business processes.
BCP is primarily a management tool that ensures that critical business
functions can be performed when normal business operations are disrupted.
25. Disaster Recovery
A disaster-recovery plan, or scheme, helps an organization respond
effectively when a disaster occurs. Disasters may include system failure,
network failure, infrastructure failure, and natural disaster. The primary
emphasis of such a plan is reestablishing services and minimizing losses.
The DR plan is part of a larger plan:
Business continuity planning (BCP)
26. Disaster Recovery Strategies
System design
-Redundancy.
-Resilience.
Protect the data
-Backup processing strategies.
-Data backup strategy.
-Use of RAID
Recovery considerations
-Recovery strategies
-Recovery sites
30. Business Impact Analysis (BIA)
Identifying Critical Functions
Any function critical for the continuity of the business.
Ex: Webserver for Souq.com
Prioritizing Critical Business Functions
List of functions ordered by priority to the business.
Ex: Media Server, Active Directory, ERP System: what is the priority?
Calculating a Timeframe for Critical Systems Loss:
MTD: Maximum Tolerable Downtime
RTO: Recovery Time Objective determines the maximum tolerable amount of time needed to bring all critical
systems back online.
RPO: Recovery Point Objective determines the maximum acceptable amount of data loss measured in time.
Estimate the Tangible and Intangible Impact on the Organization
Tangible losses: Lost income, production downtime
Intangible losses: Loss of customers, damage to company image
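An added example (not part of the original slides) of using the MTD, RTO and RPO timeframes from this slide as a check on the disaster recovery strategies of slide 26: each critical function is given its tolerances and what its recovery and backup strategies actually deliver, and the report lists the gaps in business priority order. The three system names come from the slide; every number and the backup-interval field are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalSystem:
    """One critical business function with the BIA timeframes from the slide."""
    name: str
    priority: int                  # 1 = most critical to business continuity
    mtd_hours: float               # Maximum Tolerable Downtime
    rto_hours: float               # Recovery Time Objective the recovery strategy achieves
    rpo_hours: float               # Recovery Point Objective (acceptable data loss, in time)
    backup_interval_hours: float   # how often the data backup strategy actually runs


def check_system(s: CriticalSystem) -> list:
    """Return the gaps between what the business tolerates and what DR delivers."""
    findings = []
    if s.rto_hours > s.mtd_hours:
        findings.append(
            f"RTO {s.rto_hours:g}h exceeds MTD {s.mtd_hours:g}h: recovery strategy is too slow")
    if s.backup_interval_hours > s.rpo_hours:
        findings.append(
            f"backup every {s.backup_interval_hours:g}h exceeds RPO {s.rpo_hours:g}h: "
            "data loss could exceed the objective")
    return findings


def bia_report(systems) -> dict:
    """Systems with gaps, in business priority order, so the most critical ones come first."""
    report = {}
    for s in sorted(systems, key=lambda s: s.priority):
        gaps = check_system(s)
        if gaps:
            report[s.name] = gaps
    return report


# Constructed sample using the three functions the slide lists; all numbers are invented.
SAMPLE = [
    CriticalSystem("Active Directory", 1, mtd_hours=4, rto_hours=2, rpo_hours=1, backup_interval_hours=1),
    CriticalSystem("ERP System", 2, mtd_hours=24, rto_hours=8, rpo_hours=1, backup_interval_hours=4),
    CriticalSystem("Media Server", 3, mtd_hours=72, rto_hours=96, rpo_hours=24, backup_interval_hours=24),
]

if __name__ == "__main__":
    for name, gaps in bia_report(SAMPLE).items():
        for gap in gaps:
            print(f"{name}: {gap}")
```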