
Risk Management The Big Picture – Part VI

Pages: 61 | File type: pdf | Size: 1.11 MB
Uploaded by: Jamona

Content extracted from the document:
Risk Management The Big Picture – Part VI: Risk Assessment and Auditing
Information Risk Management - SANS ©2001

Slide 1 notes:
Now that we know the tools and the primary concepts, this part of the course is designed to help you pull everything together. This section is especially important if you need to present security proposals to management. The next slide, titled "Risk Management – Where do I Start?", presents the roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer idea of how to analyze risks and establish a security infrastructure at this point. Let's go take a look at the roadmap!

Slide 2: Risk Management – Where do I Start?
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement the top-priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response

Slide 2 notes:
This slide is the result of a long international flight. Several top experts in information security were on the plane, and this is the roadmap they developed. So far in the entire course we haven't read a slide to you, so please relax and listen while we read the roadmap above. Students who complete the Security Essentials certification are well on their way to accomplishing each of these tasks: you will learn how to write policy and about the tools you can use for controls and tests. As we enter this last section, we are going to change our approach. So far in the courseware you have seen a lot of tools; now let's work to bring these tools into a framework for risk management.

Slide 3: The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)

Slide 3 notes:
It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets. To manage risk, one must be able to assess it. In this section of the course we will cover the basic theory of risk assessment. We will also talk about three methods of risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices). Whether or not we choose explicitly, we have exactly three options, and we do choose between them: acceptance, mitigation, and transference.

When we accept the risk, this means we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things. If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or a system patch is an obvious example of risk mitigation. Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you, up to some limit, against the threat. A real-world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail.

Slide 4: Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
• How rel ...
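The two answerable questions on the last slide (how bad per event, how often per year) are exactly the inputs of the quantitative method the notes mention, and they let the three choices on slide 3 be compared as expected annual costs instead of argued about. The following Python model is an added example, not code or data from the SANS course: it assumes the standard quantitative figures ALE = SLE × ARO (single loss expectancy times annual rate of occurrence), prices mitigation as residual ALE plus control cost, prices transfer as premium plus whatever the deductible and coverage limit leave with you, and then funds controls in order of net benefit until the budget runs out (the "implement the top priority countermeasures you can afford" step of the roadmap). All threat names, control names, premiums and dollar figures are constructed for illustration.

```python
"""Quantitative view of the three risk choices: accept, mitigate, transfer.

Added example, not part of the SANS course text. Assumes the standard
quantitative risk figures: SLE (single loss expectancy, cost of one event),
ARO (annual rate of occurrence) and ALE = SLE * ARO (annualized loss
expectancy). All threats, controls, premiums and amounts below are
constructed illustrations, not data from the course.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    sle: float  # cost of a single occurrence
    aro: float  # expected occurrences per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Mitigation:
    name: str
    annual_cost: float       # control cost, annualized
    aro_factor: float = 1.0  # ARO multiplier after the control (0.25 = 75% fewer events)
    sle_factor: float = 1.0  # SLE multiplier after the control (0.1 = loss cut by 90%)


@dataclass
class Transfer:
    name: str
    premium: float     # annual premium paid to the insurer
    coverage: float    # maximum payout per event
    deductible: float  # part of every loss you still pay yourself


def residual_ale(t: Threat, m: Mitigation) -> float:
    """ALE that remains once the control is in place."""
    return t.sle * m.sle_factor * t.aro * m.aro_factor


def net_benefit(t: Threat, m: Mitigation) -> float:
    """Annual loss avoided minus annual control cost; <= 0 means accept instead."""
    return t.ale - residual_ale(t, m) - m.annual_cost


def transfer_cost(t: Threat, x: Transfer) -> float:
    """Expected annual cost when insured: the premium plus the uncovered part
    of each expected loss (the deductible and anything above the coverage limit)."""
    payout = min(x.coverage, max(0.0, t.sle - x.deductible))
    return x.premium + (t.sle - payout) * t.aro


def option_costs(t: Threat, mitigations, transfers) -> dict:
    """Expected annual cost of every available choice for one threat."""
    costs = {"accept": t.ale}
    for m in mitigations:
        costs["mitigate:" + m.name] = residual_ale(t, m) + m.annual_cost
    for x in transfers:
        costs["transfer:" + x.name] = transfer_cost(t, x)
    return costs


def best_choice(t: Threat, mitigations, transfers):
    """Cheapest of accept / mitigate / transfer, plus the full cost table."""
    costs = option_costs(t, mitigations, transfers)
    return min(costs, key=costs.get), costs


def prioritize(candidates, budget: float):
    """Rank (threat, control) pairs by net benefit and fund them in that order
    while the budget lasts; controls that lose money are skipped (risk accepted)."""
    ranked = sorted(candidates, key=lambda tm: net_benefit(*tm), reverse=True)
    funded, spent = [], 0.0
    for t, m in ranked:
        if net_benefit(t, m) <= 0:
            break  # sorted descending, so everything further down loses money too
        if spent + m.annual_cost <= budget:
            funded.append((t.name, m.name))
            spent += m.annual_cost
    return funded, spent


# Constructed sample inputs (illustrative figures, not from the course).
WEB_DEFACEMENT = Threat("web defacement", sle=20_000, aro=2.0)          # frequent, cheap
LAPTOP_THEFT = Threat("laptop theft", sle=3_000, aro=0.5)               # minor
DATACENTER_FIRE = Threat("data center fire", sle=2_000_000, aro=0.02)   # rare, catastrophic

PATCH_MANAGEMENT = Mitigation("patch management", annual_cost=8_000, aro_factor=0.25)
DISK_ENCRYPTION = Mitigation("full-disk encryption", annual_cost=2_000, sle_factor=0.1)
FIRE_SUPPRESSION = Mitigation("fire suppression", annual_cost=25_000, sle_factor=0.25)

HACKER_INSURANCE = Transfer("hacker insurance", premium=15_000, coverage=50_000, deductible=5_000)
PROPERTY_INSURANCE = Transfer("property insurance", premium=12_000,
                              coverage=1_500_000, deductible=50_000)

CANDIDATES = [(WEB_DEFACEMENT, PATCH_MANAGEMENT),
              (LAPTOP_THEFT, DISK_ENCRYPTION),
              (DATACENTER_FIRE, FIRE_SUPPRESSION)]

if __name__ == "__main__":
    for t, ms, xs in [(WEB_DEFACEMENT, [PATCH_MANAGEMENT], [HACKER_INSURANCE]),
                      (LAPTOP_THEFT, [DISK_ENCRYPTION], []),
                      (DATACENTER_FIRE, [FIRE_SUPPRESSION], [PROPERTY_INSURANCE])]:
        choice, costs = best_choice(t, ms, xs)
        print(f"{t.name}: ALE {t.ale:,.0f} -> {choice}; "
              + ", ".join(f"{k}={v:,.0f}" for k, v in costs.items()))
    print("funded within a 20,000 budget:", prioritize(CANDIDATES, 20_000))
```

With these constructed numbers the three threats land on the three different choices: the frequent, cheap defacement is mitigated (patching at 18,000 per year beats 25,000 insured or 40,000 accepted), the minor laptop theft is accepted because encryption costs more than the 1,500 it would save, and the rare, catastrophic fire is transferred because the premium plus the uncovered 500,000 per event is still cheaper than suppression. Note what transfer does not do: the deductible, anything above the coverage limit, and the operational disruption stay with you, which is why the insurer in the notes still expects the firewall and patches.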
