This document discusses risk management and outlines the key steps in the risk management process. It defines risk as a potential problem that might or might not occur and involves uncertainty and potential loss. The main steps in risk management are identifying risks, assessing risks through evaluating likelihood and impact, and controlling risks through strategies like avoidance, transference, mitigation, and acceptance. Key aspects of risk identification involve categorizing and valuing assets, identifying threats, and determining vulnerabilities. Risk assessment assigns risk ratings based on likelihood and impact. Risk control strategies aim to eliminate, transfer, reduce, or accept residual risks.
Report by Sudesh R. Agrawal
RISK MANAGEMENT

What is Risk?
A risk is a potential problem: it might happen, and it might not.

Conceptual definition of risk
- Risk concerns future happenings.
- Risk involves change in mind, opinion, actions, places, etc.
- Risk involves choice and the uncertainty that choice entails.

Two characteristics of risk
- Uncertainty: the risk may or may not happen; that is, there are no 100% risks (those, instead, are called constraints).
- Loss: the risk becomes a reality and unwanted consequences or losses occur.

Risk Identification and Management
The process of examining and documenting the security posture of an organization's information technology is called Risk Identification. Risk Identification is conducted within the larger process of identifying and justifying risk controls, known as Risk Management. Risk Management is a broad process which includes Identification, Assessment and Control within it.

Steps to perform Risk Management
- Know your organization.
- Identify your organization's enemies.
- Involve relevant groups within the organization.
Know yourself: In order to protect assets, which are defined as information and the systems that use, store and transmit information, everything about them must be understood. Once that understanding is achieved, the data can be protected from threats. Protecting the data does not only mean installing a mechanism and then never looking back. Every policy, education and training program, and technology that protects information must be carefully maintained and administered to ensure that it is still effective.

Know the enemy: Once the organization's assets and weaknesses are known, we move forward to knowing the attacks that can take place, i.e. knowing the enemy. The threats that most directly affect the organization and the security of the organization's information assets must be determined. Based on the priority of each threat, it should be controlled or handled.

Relevant groups: Involving groups like information security and information technology helps in managing the risk more efficiently. Information security members best understand the threats and attacks that introduce risk into the organization. The IT group assists in building secure systems and operating them safely. For example, they ensure good backups to control the risk from hard drive failures.
Steps to perform Risk Identification
- Plan and organize the risk identification process.
- Categorize system components/assets.
- Identify threats to the categorized assets.
- Tie specific threats to specific, vulnerable assets.
Asset Identification and Valuation
This process begins with the identification of assets, including all of the elements of an organization's system: people, procedures, data and information, software, hardware and networking elements. Then the assets are classified and categorized. According to the SecSDLC, people are categorized as employees and non-employees, and each group is further divided based on the trust placed in it. Procedures are standard or sensitive procedures; data is categorized as data in transmission, processing and storage; and so on. Hardware is assigned either to the usual system devices and peripherals or to the devices that are part of information security control systems.

Categorization of assets: Categorization is done on the basis of the following data-gathering questions:
- Which information asset is the most critical to the success of the organization?
- Which information asset generates the most revenue?
- Which information asset would be the most expensive to replace?
- Which information asset would be the most expensive to protect?

Categorization of threats: Categorization of threats is done on the basis of the following data-gathering questions:
- Which threats present a danger to the organization's assets in the given environment?
- Which threats represent the most danger to the organization's information?
- How much would it cost to recover from a successful attack?
- Which of the threats would require the greatest expenditure to prevent?

According to a study by Professor Mike Whitman, the highest-weighted threat is deliberate software attacks, followed by acts of human error or failure; the lowest-weighted is forces of nature, followed by compromises to intellectual property.
Threat Identification:
Risk Assessment
After the assets are identified, along with their threats and vulnerabilities, risk assessment is done. It assigns a risk rating or score to each specific information asset. This number is useful in gauging the relative risk introduced by each information asset and facilitates making comparative ratings later in the risk control process. For the purpose of relative risk assessment, risk equals the likelihood of vulnerability occurrence times the value (or impact) of the asset, minus the percentage of risk already controlled, plus an element of uncertainty.

Risk Control
After identifying and assessing the risk, the task is to control the risk. The following are the four risk control strategies:
- Apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability (avoidance).
- Transfer the risk to other areas or to outside entities (transference).
- Reduce the impact should the vulnerability be exploited (mitigation).
- Understand the consequences and accept the risk without control or mitigation (acceptance).
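The relative risk formula above, worked as a small risk register in Python. This is an added example and is not part of the report; it assumes that the "percentage of risk already controlled" and the "element of uncertainty" are both expressed as fractions of the base risk (likelihood times value), and the asset names, values and likelihoods in the sample register are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass
class VulnerabilityRisk:
    """One row of a risk register: a single vulnerability on one information asset."""
    asset: str
    vulnerability: str
    likelihood: float   # probability the vulnerability is exploited, 0.0 to 1.0
    value: float        # relative value or impact of the asset, e.g. 0 to 100
    controlled: float   # fraction of the risk already controlled, 0.0 to 1.0
    uncertainty: float  # fraction of the base risk added as an uncertainty allowance


def risk_rating(row: VulnerabilityRisk) -> float:
    """Relative risk = likelihood * value - risk already controlled + uncertainty.

    Assumption (not stated in the report): both percentage terms are taken as
    fractions of the base risk, likelihood * value.
    """
    if not 0.0 <= row.likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    if not 0.0 <= row.controlled <= 1.0:
        raise ValueError("controlled fraction must be between 0 and 1")
    base = row.likelihood * row.value
    return base - base * row.controlled + base * row.uncertainty


def residual_rating(row: VulnerabilityRisk, extra_controlled: float) -> float:
    """Rating after a proposed safeguard controls an additional fraction of the risk.

    This is the number compared against the current rating when deciding whether
    a control (avoidance or mitigation) is worth its cost.
    """
    new_controlled = min(1.0, row.controlled + extra_controlled)
    return risk_rating(replace(row, controlled=new_controlled))


def rank_register(register: list[VulnerabilityRisk]) -> list[tuple[str, str, float]]:
    """Order rows from highest to lowest rating, the comparative step used in risk control."""
    ranked = sorted(register, key=risk_rating, reverse=True)
    return [(r.asset, r.vulnerability, round(risk_rating(r), 2)) for r in ranked]


# Constructed sample register; the figures are illustrative, not from the report.
SAMPLE_REGISTER = [
    VulnerabilityRisk("customer database", "unpatched DBMS", 0.5, 100, 0.5, 0.2),
    VulnerabilityRisk("web server", "weak admin password", 1.0, 50, 0.0, 0.1),
    VulnerabilityRisk("backup tapes", "no offsite copy", 0.2, 80, 0.0, 0.1),
]

if __name__ == "__main__":
    for asset, vuln, rating in rank_register(SAMPLE_REGISTER):
        print(f"{rating:6.2f}  {asset} / {vuln}")
    before = risk_rating(SAMPLE_REGISTER[0])
    after = residual_rating(SAMPLE_REGISTER[0], 0.3)
    print(f"customer database: {before:.1f} -> {after:.1f} if a further 30% is controlled")
```

Running the script ranks the web server first (rating 55) even though the database asset is worth twice as much, because the database already has half of its risk controlled; that is the kind of relative comparison the rating is meant to support before a control strategy is chosen.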
Avoidance: Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability. This is the preferred approach, as it seeks to avoid risk in its entirety rather than dealing with it after it has been realized. It is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets and adding protective safeguards.

Transference: Transference is the control approach that attempts to shift the risk to other assets, other processes or other organizations. This may be accomplished through rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

Mitigation: Mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. This approach includes three types of plan: the disaster recovery plan, the incident response plan and the business continuity plan. Each of these depends on the ability to detect and respond to an attack as quickly as possible. Mitigation begins with the early detection that an attack is in progress.

Acceptance: In contrast to mitigation, with acceptance of risk the choice is to do nothing to protect the vulnerability and to accept the outcome of its exploitation. This may or may not be a conscious business decision. This control, or rather lack of control, is based on the assumption that it may be a prudent business decision to examine the alternatives and determine that the cost of protecting an asset does not justify the security expenditure. For example, it would cost an organization $100,000 per year to protect a server, whereas for $10,000 the server's information can be replaced, the server itself replaced and the associated recovery costs covered.
Conclusion
The management of the organization must structure the IT and information security functions to lead a successful defense of the organization's information assets. To achieve this goal, the risk management process is to be used to build up the defense, so that no matter how strong the enemy's offense is, the organization holds its position.