IT Risk Management
Session 6
Overview of Risk Management
• Risk Management:
– Formal process of identifying and controlling risks to an organization’s information assets
• Risk Identification:
– Process of examining and documenting the security posture of an organization’s information technology
• Risk Control:
– Process of applying controls to reduce the risks to data and information systems
BFS - Binus March 2011 2
Overview of Risk Management
(continued)
• Risk management:
– Process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system
Threat Categories (continued)
• Viruses:
– Segments of code that perform malicious actions
– Attached to existing programs
– Macro virus: embedded in automatically executing macro code; common in word processing documents, spreadsheets, database applications
– Boot virus: infects key operating system files
• Worms:
– Malicious programs that replicate themselves without requiring another program
– Can replicate through email, Web servers, network shares
Overview of Risk Management
(continued)
• Threat Identification:
– Conduct a threat assessment
• Which threats present a danger to the assets in the given environment?
• Which threats represent the most danger?
• What is the cost to recover from a successful attack?
• Which threats require the greatest expenditure to prevent?
Risk Identification (continued)
• Vulnerability Identification:
– Examine each threat and list the assets and their vulnerabilities
– A threat may yield multiple vulnerabilities
– Diverse members of the organization should participate in this activity
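The threat assessment questions and the vulnerability identification step above can be worked through on a small risk register. The following is an added illustration, not code from the slides or from the course: the assets, threats, cost figures and the per-threat likelihood values are constructed sample data, and the use of a likelihood factor to rank threats by expected loss is an assumption the slides themselves do not state.

```python
"""Worked example of threat identification and vulnerability identification.

Added illustration, not part of the original slides. All register entries,
cost figures and likelihood values are constructed sample data; 'likelihood'
is an assumption introduced here only to rank threats by expected loss.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    environment: str            # e.g. "dmz" or "internal" (constructed labels)
    # threat name -> list of weaknesses that threat could exploit on this asset
    vulnerabilities: dict = field(default_factory=dict)


@dataclass
class Threat:
    name: str
    likelihood: float           # assumed annual probability of a successful attack
    recovery_cost: float        # cost to recover from one successful attack
    prevention_cost: float      # expenditure needed to prevent the threat


# Constructed sample register: threats from the "Threat Categories" slide
ASSETS = [
    Asset("web server", "dmz", {
        "worm": ["unpatched network service", "no egress filtering"],
        "macro virus": [],       # examined, no vulnerability found
    }),
    Asset("finance workstation", "internal", {
        "macro virus": ["macros enabled by default"],
        "boot virus": ["boots from removable media"],
    }),
    Asset("file share", "internal", {
        "worm": ["writable share open to all users"],
    }),
]

THREATS = {
    "worm": Threat("worm", likelihood=0.30, recovery_cost=40_000, prevention_cost=8_000),
    "macro virus": Threat("macro virus", likelihood=0.50, recovery_cost=5_000, prevention_cost=1_000),
    "boot virus": Threat("boot virus", likelihood=0.05, recovery_cost=15_000, prevention_cost=20_000),
}


def vulnerabilities_by_threat(assets):
    """Examine each threat and list the assets and their vulnerabilities.

    One threat may yield several vulnerabilities across several assets.
    Assets with an empty weakness list for a threat are not exposed to it.
    """
    table = {}
    for asset in assets:
        for threat_name, weaknesses in asset.vulnerabilities.items():
            if weaknesses:
                table.setdefault(threat_name, {})[asset.name] = list(weaknesses)
    return table


def threats_in_environment(assets, environment):
    """Which threats present a danger to the assets in the given environment?"""
    names = set()
    for asset in assets:
        if asset.environment == environment:
            names.update(t for t, w in asset.vulnerabilities.items() if w)
    return sorted(names)


def rank_by_danger(threats, assets):
    """Which threats represent the most danger?

    Danger is scored as likelihood x recovery cost x number of exposed assets
    (an assumed scoring rule); highest first.
    """
    exposed = vulnerabilities_by_threat(assets)
    scored = [(name, t.likelihood * t.recovery_cost * len(exposed.get(name, {})))
              for name, t in threats.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def prevention_worthwhile(threats, assets):
    """Compare the expenditure to prevent each threat with its expected loss."""
    expected = dict(rank_by_danger(threats, assets))
    return {name: expected[name] > t.prevention_cost for name, t in threats.items()}


def most_expensive_to_prevent(threats):
    """Which threat requires the greatest expenditure to prevent?"""
    return max(threats.values(), key=lambda t: t.prevention_cost).name


if __name__ == "__main__":
    for threat, assets in vulnerabilities_by_threat(ASSETS).items():
        print(f"{threat}: {assets}")
    print("threats in dmz:", threats_in_environment(ASSETS, "dmz"))
    print("ranked by danger:", rank_by_danger(THREATS, ASSETS))
    print("prevention worthwhile:", prevention_worthwhile(THREATS, ASSETS))
    print("most expensive to prevent:", most_expensive_to_prevent(THREATS))
```

The register is deliberately built asset-first so that each threat is examined against every asset, which is what produces the "one threat, many vulnerabilities" picture the slide describes; the ranking and cost comparison answer the four assessment questions directly from that register.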