HELLO!
Mukesh Mahto
15030141036
Yogesh Khetan
150301401062
Sagar Ramanandi
MBA-IT Div B
15030141117
Subject: ISM
Risk Management
Risk communication
Identification of Assets
Types of asset:
Hardware
Software: purchased or developed programs
Data
People: who run the system
Documentation: manuals, administrative procedures, etc.
Supplies: paper forms, magnetic media, printer liquid, etc.
Money
Intangibles: organization confidence, organization image
Impact Valuation
Identification and valuation of threats for each group of assets
Identify threats, e.g. for stored data:
Loss of confidentiality
Loss of integrity
Loss of completeness
Loss of availability (Denial of Service)
Identification of Process
Every company or organisation has some processes that are critical to its operation.
The criticality of a process may increase the impact valuation of one or more assets identified.
So:
Identify critical processes
Review assets needed for critical processes
Revise impact valuation of these assets
Identification of Vulnerabilities
Identify vulnerabilities against a baseline system:
For risk analysis of an existing system: the existing system with its known security measures and weaknesses
For development of a new system: the security facilities of the envisaged software, e.g. Windows NT
Standard good practice, e.g. BS 7799 recommendations of good practice
Assessment of Vulnerabilities
For each threat:
Identify vulnerabilities
Combine them
Likelihood of attempt
Risk Assessment
The process of evaluating the risk resulting from a hazard.
It is of two types:
1. Quantitative Risk Assessment.
2. Qualitative Risk Assessment.
Quantitative Risk Assessment
A quantitative analysis:
- This approach employs two fundamental elements: the probability of an event occurring and the likely loss should it occur.
- Quantitative risk analysis makes use of a single figure produced from these elements. This is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. It is calculated for an event by simply multiplying the potential loss by the probability.
- It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions based upon this.
For risk analysis:
RISK = LOSS ($) x PROBABILITY
Usually measured as $ per annum and expressed as the Annual Loss Expectancy (ALE):
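The two procedures above, revising the impact valuation of assets that critical processes depend on, and then ranking threat events by ALE = loss x probability, as an added worked example in Python. This is not code from the slides; the assets, threats, probabilities, loss figures and the critical-process uplift factor are all constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    loss: float                      # impact valuation: $ lost per incident
    processes: List[str] = field(default_factory=list)  # processes that need this asset


@dataclass
class Threat:
    asset: str
    event: str                       # e.g. "loss of confidentiality"
    probability: float               # expected occurrences per year


# Constructed sample register (not from the slides).
ASSETS = [
    Asset("customer database", 200_000.0, ["order processing"]),
    Asset("file server", 50_000.0, ["order processing"]),
    Asset("printer supplies", 2_000.0, []),
]
THREATS = [
    Threat("customer database", "loss of confidentiality", 0.05),
    Threat("customer database", "loss of availability", 0.5),
    Threat("file server", "loss of integrity", 0.2),
    Threat("printer supplies", "loss of availability", 3.0),
]


def revise_impact(assets: List[Asset], critical: set, factor: float) -> Dict[str, float]:
    """Return asset name -> revised loss: assets needed by a critical
    process have their impact valuation scaled up by `factor` (assumed
    multiplier, chosen for illustration); all others keep their value."""
    revised = {}
    for a in assets:
        needed_by_critical = any(p in critical for p in a.processes)
        revised[a.name] = a.loss * factor if needed_by_critical else a.loss
    return revised


def annual_loss_expectancy(loss: float, probability: float) -> float:
    """ALE = potential loss per incident x expected incidents per year."""
    return round(loss * probability, 2)


def rank_by_ale(loss_by_asset: Dict[str, float],
                threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Rank every (asset, event) pair by ALE, highest risk first.
    Python's sort is stable, so equal ALEs keep their register order."""
    rows = [(t.asset, t.event, annual_loss_expectancy(loss_by_asset[t.asset], t.probability))
            for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    losses = revise_impact(ASSETS, {"order processing"}, factor=1.5)
    for asset, event, ale in rank_by_ale(losses, THREATS):
        print(f"{ale:>12,.2f}  {asset}: {event}")
```

Running it prints the register ordered by ALE; with the sample data, availability of the customer database tops the list at $150,000 per annum, while the most frequent event (printer supply outages) ranks last because its loss per incident is small. That ordering, not the frequency alone, is what the quantitative approach is meant to surface.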
Qualitative Risk Assessment
This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
VULNERABILITIES
Threat
Vulnerability
Impact
Control
Risk Communication
Information exchange between risk assessors, risk
THANKS!
Any questions?