Week#04 Lecture #02

Uploaded by graphicsra41
Information Security

SE-308
Risk Management

– Introduction
– Overview of risk management
– Risk identification
– Risk Assessment
– Risk Control
Risk:
• A risk is a possible problem – it might happen and it might not.
• Conceptual definition of risk:
– Risk concerns future happenings.
– Risk involves change in opinions, actions, places, etc.
An Overview of Risk Management
 Risk management means managing the problems that can occur in the future.
 For risk management, you need to:
Know yourself
• Understand the technology and systems in your organization.
Know the enemy
• Identify, examine, and understand threats.
• Risk management involves identifying, evaluating, and planning for possible challenges or risks that may harm an organization.
Components of Risk Management
 Risk management has three main components:
Risk Identification:
• Risk identification is the process of identifying and listing potential problems or risks that could harm an organization.
Risk identification is divided into three steps:
– Identify & inventory assets
– Classify & prioritize assets
– Identify & prioritize threats
Identify & Inventory Assets
• This step involves identifying all the valuable assets in the organization that need protection.
• Assets can be physical, such as computers and servers, or non-physical, like data, intellectual property, and customer information.
• You need to know or list what you have before you can protect it. If something isn't listed, it may be left vulnerable to threats.
Risk Identification (Cont’d)
 Classify & Prioritize Assets:
• Once the assets are identified, the next step is to classify and prioritize them based on their importance to the organization.
• Develop a prioritization scheme (e.g., low, medium, high) based on asset importance and sensitivity.
• Prioritization involves ranking assets based on the potential impact (e.g., financial loss,
Risk Identification (Cont’d)
 Identify & Prioritize Threats:
• Threats are potential events or incidents that could harm assets or disturb business operations.
• Identify potential threats that could harm the organization's assets.
• Prioritize threats based on their potential impact (e.g., high, medium, low) and likelihood of occurrence.
• This can include natural disasters, cyber-attacks, human errors, and malicious activities.
Risk Assessment
• Risk Assessment: understanding how much the organization's data might be in danger.
Risk Assessment is divided into two steps:
– Identify vulnerabilities between assets & threats
– Identify & quantify asset exposure
Risk Assessment (Cont’d)
 Identify Vulnerabilities Between Assets & Threats:
• A vulnerability is a weakness or gap in an asset or system that could be used by a threat.
• Identification of vulnerabilities helps in understanding where the organization can be affected by risks.
• Document vulnerabilities along with their assets and threats to create a clear picture of the organization's risk.
Risk Assessment (Cont’d)
 Identify & Quantify Asset Exposure:
• First, make a list of important things your business uses, like data, computers, software, or people.
• Then, figure out how valuable each thing is by asking how much it would cost to replace or fix it and how bad it would be if you lost it.
• Measure how much at risk you are (quantify exposure): once you know the weaknesses, think about how bad it would be if someone attacked your assets.
Risk Control
 Risk Control:
Risk Control is the process of taking actions to protect your data and systems.
 Risk control is divided into three steps:
– Select strategy
– Justify controls
– Implement & monitor controls
Risk Control (Cont’d)
 Select Strategy:
• Risk control strategies are methods or techniques used to manage, reduce, or eliminate risks.
• Evaluate risk control strategies based on their effectiveness in mitigating or reducing identified risks.
Risk Control (Cont’d)
 Justify Controls:
• To justify controls, we must explain our risk management strategy and how well the chosen controls reduce risk.
• Clearly explain the reasons for choosing a risk control measure or strategy, highlighting its alignment with organizational objectives and risk tolerance.
• Why it’s important: not all controls are necessary or affordable. You need to make sure the chosen controls fit the organization’s needs and budget.
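The two quantitative steps above (quantifying asset exposure in the Risk Assessment slides, and justifying a control against its cost in the Justify Controls slide) carried through on a small risk register. This is an added illustration, not material from the lecture: the numeric 1..3 mapping of the low/medium/high scheme, the normalised exposure formula, and every asset, threat and control value are constructed assumptions.

```python
from dataclasses import dataclass
# Slides' low/medium/high scheme mapped to 1..3; this mapping and every sample
# value below are constructed assumptions, not taken from the lecture.
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    name: str
    replacement_cost: float  # cost to replace or fix it if lost
    sensitivity: str         # low / medium / high

@dataclass
class Threat:
    name: str
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high

@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: float         # fraction of the covered exposure it removes (0..1)
    covers: set              # names of the threats the control addresses

def exposure(asset, threat):
    """Exposure of one asset/threat pair: cost scaled by sensitivity, likelihood
    and impact, normalised (/27) so the worst case equals the full cost."""
    weight = SCALE[asset.sensitivity] * SCALE[threat.likelihood] * SCALE[threat.impact]
    return asset.replacement_cost * weight / 27

def rank_exposures(vulns):
    """vulns: (asset, threat) pairs linked by a documented vulnerability.
    Returns (asset, threat, exposure) rows, highest exposure first."""
    rows = [(a.name, t.name, round(exposure(a, t), 2)) for a, t in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def control_justified(control, vulns):
    """A control is justified when the exposure it removes exceeds its cost."""
    removed = sum(exposure(a, t) for a, t in vulns if t.name in control.covers)
    removed *= control.reduction
    return removed > control.annual_cost, round(removed, 2)

# Constructed sample register: two assets, two threats, three vulnerabilities.
DB = Asset("customer database", 120_000, "high")
WEB = Asset("public web server", 15_000, "medium")
RANSOMWARE = Threat("ransomware", "medium", "high")
FLOOD = Threat("flood", "low", "medium")
VULNS = [(DB, RANSOMWARE), (WEB, RANSOMWARE), (WEB, FLOOD)]
BACKUPS = Control("offline backups", 8_000, 0.6, {"ransomware"})  # justified
BARRIER = Control("flood barrier", 5_000, 0.8, {"flood"})         # not justified
```

Running `rank_exposures(VULNS)` puts the database/ransomware pair first, and `control_justified` shows why the backup control passes the budget test while the flood barrier, which covers a low-exposure pair, does not.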
Risk Control (Cont’d)
 Implement & Monitor Controls:
• Put the selected strategies into action, then monitor them to ensure they are effective and make updates as needed.
• Monitor the performance and effectiveness of implemented controls in reducing identified risks.
Thank you!