Lesson#36
Risk Management
Risk Management
Risk management is the process of measuring or assessing risk and then developing strategies to manage it. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Risk management is a general concept which can encompass various aspects or issues to be catered for, for example risk management against natural disasters, financial risk management, knowledge risk management and relationship risk management. No matter what aspect of risk is being covered, the general approach is much the same. Since we are more focused here on the study of information systems, we will relate more to the risks concerning the proper working of information systems.
Managing the security risks associated with reliance on information technology is a continuing challenge. Many private organizations have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks. In recent years, systems have become more susceptible to viruses because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals.
Incorporating Risk Management in the SDLC
For each phase of the SDLC, the process of risk management is no different. Rather, it is an iterative process which can be performed at each major phase. Every step of development has its own risks, which need to be handled and addressed separately. Hence managing risk in the SDLC means managing the risk of each phase of the life cycle.
36.1 Phases of Risk Management
Following are the various phases of risk management, which can be applied at each phase of the SDLC:
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Identification
• Control Recommendation
• Results Documentation
• Implementation
• Monitoring
This can also be presented as a separate diagram.
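As an added worked example (not part of the lecture notes), the following Python script walks the phases listed above for a constructed sample system: a system characterization record, the threat statement produced by threat identification, control analysis feeding likelihood determination, impact analysis, risk determination, control recommendation, and the documented results. The High/Medium/Low scales, the likelihood weights and impact scores, the rule that each existing control lowers likelihood by one level, the recommendation wording and the sample system data are all assumptions of this example; the scoring matrix follows the illustrative one in NIST SP 800-30, which the notes do not cite.

```python
from dataclasses import dataclass, field

# Assumed scales (illustrative matrix from NIST SP 800-30; not on the page).
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_SCORE = {"Low": 10, "Medium": 50, "High": 100}
LEVEL_ORDER = ["Low", "Medium", "High"]


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pairing found during the assessment."""
    threat_source: str            # e.g. "Hacker, cracker"
    motivation: str               # e.g. "Challenge"
    threat_action: str            # e.g. "System intrusion"
    vulnerability: str            # the weakness the action would exploit
    existing_controls: list = field(default_factory=list)  # from control analysis
    raw_likelihood: str = "Medium"  # likelihood before controls are considered
    impact: str = "Medium"          # loss of integrity, availability or confidentiality


@dataclass
class SystemCharacterization:
    """Output of the system characterization phase."""
    name: str
    boundary: str
    criticality: str   # system's value to the organization
    sensitivity: str   # level of protection required
    pairs: list = field(default_factory=list)


def threat_statement(system):
    """Threat identification output: distinct (source, motivation, action) triples."""
    seen = []
    for p in system.pairs:
        triple = (p.threat_source, p.motivation, p.threat_action)
        if triple not in seen:
            seen.append(triple)
    return seen


def effective_likelihood(pair):
    """Likelihood determination. Assumed rule: each existing control lowers the
    raw likelihood by one level, never below Low."""
    idx = LEVEL_ORDER.index(pair.raw_likelihood)
    return LEVEL_ORDER[max(0, idx - len(pair.existing_controls))]


def risk_score(pair):
    """Risk determination: likelihood weight multiplied by impact score."""
    return LIKELIHOOD_WEIGHT[effective_likelihood(pair)] * IMPACT_SCORE[pair.impact]


def risk_level(score):
    """Map a numeric score onto the High / Medium / Low risk scale (assumed cut-offs)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def control_recommendation(level):
    """Control recommendation phase: urgency attached to each level (assumed wording)."""
    return {
        "High": "Strong need for corrective measures; put a corrective action plan in place as soon as possible.",
        "Medium": "Corrective actions needed; plan them within a reasonable period.",
        "Low": "Management decides whether corrective action is required or the risk is accepted.",
    }[level]


def assess(system):
    """Results documentation: one record per pair, highest risk first."""
    records = []
    for p in system.pairs:
        score = risk_score(p)
        level = risk_level(score)
        records.append({
            "threat_source": p.threat_source,
            "threat_action": p.threat_action,
            "vulnerability": p.vulnerability,
            "likelihood": effective_likelihood(p),
            "impact": p.impact,
            "score": score,
            "risk_level": level,
            "recommendation": control_recommendation(level),
        })
    return sorted(records, key=lambda r: r["score"], reverse=True)


# Constructed sample system; the data is illustrative, not taken from the notes.
SAMPLE_SYSTEM = SystemCharacterization(
    name="Student records portal",
    boundary="Web front end, application server and database in one data centre",
    criticality="High",
    sensitivity="High",
    pairs=[
        ThreatVulnPair("Hacker, cracker", "Challenge", "System intrusion",
                       "Application server missing vendor security patches",
                       [], "High", "High"),
        ThreatVulnPair("Terrorist", "Destruction", "System tampering",
                       "Server room door not restricted to badge holders",
                       ["Security guard on site"], "High", "High"),
        ThreatVulnPair("Hacker, cracker", "Ego", "Hacking",
                       "Error pages disclose software version numbers",
                       ["Network firewall"], "Low", "Medium"),
    ],
)

if __name__ == "__main__":
    for r in assess(SAMPLE_SYSTEM):
        print(f"{r['risk_level']:6} {r['score']:5.1f}  {r['threat_action']} "
              f"via {r['vulnerability']}")
```

Running the script prints the documented records highest risk first; an organization that uses its own scales replaces the three dictionaries at the top, and the rest of the pipeline is unchanged.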
36.2 What is a Focal Point?
A corporate-level facilitator may serve as a focal point for assessments throughout the company, including those pertaining to information security, because of familiarity with the tools and the reporting requirements. Each business unit in an organization may have a designated individual responsible for the business unit's risk assessment activities. A computer hardware and software company may also create a team for the purpose of improving the overall risk assessment process and reviewing the results of risk assessments of the hardware and software systems, from the perspective of offering a better, more reliable and risk-free product.
36.3 System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. The resources and information that constitute the system are identified. The system-related information that is documented includes:
1. Hardware
2. Software
3. System interfaces
4. Data and information
5. People (who support and use the IT system)
6. System mission (processes performed by the IT system)
Additional information that may help in characterizing the system includes:
1. Functional requirements of the IT system
2. Users of the system (technical support and application users)
3. System security policy
4. System security architecture
The outputs of this phase are:
1. System boundary
2. System function
3. System and data criticality – the system's value to the organization
4. System and data sensitivity – the level of protection required to maintain system and data integrity, confidentiality and availability
The following methods can be used to gather information on the IT system within its operational boundary:
1. Questionnaires
2. On-site interviews
3. Document review
4. Use of automated scanning tools
36.4 Steps in Threat Identification
The following steps are followed in this phase:
1. Threat source identification – sources vary from human to natural threats.
2. Motivation and threat actions – the reasons why someone would instigate a threat, and the actions they could take in doing so, are discovered.
Examples
Threat sources, their motivations and the threat actions they may take can be tabulated as follows:

Threat Source            Motivation       Threat Actions
Hacker, cracker          Challenge        • Hacking
(already discussed)      Ego              • System intrusion
                         Rebellion        • Computer crime
Terrorist                Blackmail        • System tampering
                         Destruction      • Assault on an employee
                         Exploitation

Information such as the history of attacks on the system and data from intelligence agencies is used as input to determine and identify what kinds of threats the system is exposed to. The output of this phase is a threat statement identifying and defining the threats.
36.5 Vulnerability Assessment
A vulnerability is a weakness that can be accidentally triggered or intentionally exploited. This phase helps in building up a list of weaknesses and flaws that could be exploited by the potential threat sources.
The following information is used as input:
1. Reports of prior risk assessments
2. Any audit comments
3. Security requirements
4. Security test results
The output of this phase is a list of potential vulnerabilities.