Risk Identification


Risk Identification

Cyber Risk Management – Session 2

1
What
• A risk management strategy requires that information security professionals know their organizations’ information assets—
that is, identify, classify, and prioritize them.
• Once the organizational assets have been identified, a threat assessment process identifies and quantifies the risks facing
each asset.

2
How To Do

3
Plan and organize the process
• Just as with any major information security undertaking, the first step in the Risk Identification process is to follow your
project management principles.
• You begin by organizing a team, typically consisting of representatives of all affected groups.
• With risk identification, since risk can exist everywhere in the organization, representatives will come from every
department from users, to managers, to IT and InfoSec groups.
• The process must then be planned out, with periodic deliverables, reviews, and presentations to management.

4
How To Do

5
Categorize system components
• Example of categorizing the component of an Information System

6
Inventory & Categorize asset
• This iterative process begins with the enumeration of assets, including all of the elements of an organization’s system, such
as people, procedures, data and information, software, hardware, and networking elements (Table slide 6)
• Then, you classify and categorize the assets adding details as you dig deeper into the analysis.
• The objective of this process is to establish the relative priority of the assets to the success of the organization.

7
People
• People comprise employees and nonemployees.
• There are two subcategories of employees: those who hold trusted roles and have correspondingly greater authority and
accountability, and other staff who have assignments without special privileges.
• Nonemployees include contractors and consultants, members of other organizations with which the organization has a trust
relationship, and strangers.

8
Procedures
• Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures.
• The business sensitive procedures are those that may enable a threat agent to craft an attack against the organization or
that have some other content or feature that may introduce risk to the organization.

9
Data
• Data components account for the management of information in all its states: transmission, processing, and storage.
• These expanded categories solve the problem posed by the term data, which is usually associated with databases and not
the full range of modalities of data and information used by a modern organization.

10
People, procedures and data asset identification
• Identifying human resources, documentation, and data assets is more difficult than identifying hardware and software assets.
• People with knowledge, experience, and judgment should be assigned the task. As the people, procedures, and data assets are identified, they
should be recorded using a reliable data-handling process.
• Whatever record keeping mechanism you use, be sure it has the flexibility to allow the specification of attributes particular to the type of
asset. Some attributes are unique to a class of elements. When deciding which information assets to track, consider the following asset
attributes:
• People: Position name/number/ID (avoid names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills
• Procedures: Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update
• Data: Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures
employed

11
Software
• Software components are assigned to one of three categories: applications, operating systems, or security components
• Security components can be applications or operating systems, but are categorized as part of the information security
control environment and must be protected more thoroughly than other systems components.

12
Hardware
• Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and those devices that are
part of information security control systems.
• The latter must be protected more thoroughly than the former, since networking subsystems are often the focal point of
attacks against the system; they should be considered as special cases rather than combined with general hardware and
software components.

13
Hardware, software and network asset identification
• Which attributes of hardware, software, and network assets should be tracked? It depends on the needs of the organization
and its risk management efforts, as well as the preferences and needs of the information security and information
technology communities. You may want to consider including the following asset attributes:
• Name: Use the most common device or program name. Make sure that the names you choose are meaningful to all the groups that
use the information.
• IP address: This can be a useful identifier for network devices and servers, but does not usually apply to software. You can, however,
use a relational database and track software instances on specific servers or networking devices.
• Media access control (MAC) address: MAC addresses are sometimes called electronic serial numbers or hardware addresses.
• Element type: For hardware, you can develop a list of element types, such as servers, desktops, networking devices, or test equipment,
to whatever degree of detail you require.

14
Hardware, software and network asset identification
(cont’d)
• Serial number: For hardware devices, the serial number can uniquely identify a specific device.
• Manufacturer name: Record the manufacturer of the device or software component.
• Manufacturer’s model number or part number: Record the model or part number of the element.
• Software version, update revision, or FCO number: Whenever possible, document the specific software or firmware revision number
and, for hardware devices, the current field change order (FCO) number.
• Physical location: Note where this element is located physically. This may not apply to software elements.
• Logical location: Note where this element can be found on the organization’s network. The logical location is most useful for networking
devices and indicates the logical network where the device is connected.
• Controlling entity: Identify which organizational unit controls the element. Sometimes a remote location’s onsite staff controls a
networking device, and at other times the central networks team controls other devices of the same make and model.

15
How To Do

16
Categorize system components
• Example of categorizing the component of an Information System

17
Classifying and prioritizing information assets
• Some organizations further subdivide the categories listed in Table slide 17. For example, the category “Internet
components” can be subdivided into servers, networking devices (routers, hubs, switches), protection devices (firewalls,
proxies), and cabling. Each of the other categories can be similarly subdivided as needed by the organization.
• You should also include a dimension to represent the sensitivity and security priority of the data and the devices that store,
transmit, and process the data—that is, a data classification scheme.
• Examples of data classification categories are confidential, internal, and public.
• A data classification scheme generally requires a corresponding personnel security clearance structure, which determines
the level of information individuals are authorized to view, based on what they need to know.
19
Information asset valuation
• To assign value to information assets for risk assessment
purposes, you can pose a number of questions and collect
your answers on a worksheet analysis.
• Before beginning the inventory process, the organization
should determine which criteria can best establish the value of
the information assets. Among the criteria to be considered
are:
• Which information asset is the most critical to the success of
the organization? When determining the relative importance of
each asset, refer to the organization’s mission

20
Information asset valuation (cont’d)
• Which information asset generates the most revenue? You can also determine which information assets are critical by evaluating
how much of the organization’s revenue depends on a particular asset, or for nonprofit organizations, which are most critical to
service delivery
• Which information asset generates the most profitability? Organizations should evaluate how much of the organization’s profitability
depends on a particular asset. For instance, at Amazon.com, some servers support the sales operations and other servers support
the auction process, while other servers support the customer review database.
• Which information asset would be the most expensive to replace? Sometimes an information asset acquires special value because it
is unique.
• Which information asset would be the most expensive to protect? In this case, you are determining the cost of providing controls.
Some assets are by their nature difficult to protect.
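The valuation questions above are usually answered on a worksheet and then combined into a priority order. The following Python worksheet is an added example, not part of the slides: each asset carries the inventory attributes from slides 10 and 13 (category, classification, whether it belongs to the security control environment) and a 0-100 score per criterion; the weights and the sample assets are constructed assumptions, since the slides say only to pose the questions and record the answers.

```python
"""Information asset valuation worksheet (added example; weights are assumed)."""
from dataclasses import dataclass, field

# The five criteria named in the "Information asset valuation" slides.
CRITERIA = ("criticality", "revenue", "profitability",
            "replacement_cost", "protection_cost")

# Assumed weighting: the slides do not prescribe one, so adjust per organization.
WEIGHTS = {"criticality": 0.35, "revenue": 0.25, "profitability": 0.20,
           "replacement_cost": 0.10, "protection_cost": 0.10}


@dataclass
class Asset:
    name: str
    category: str          # people / procedures / data / software / hardware / networking
    classification: str    # confidential / internal / public (data classification scheme)
    security_control: bool = False   # part of the InfoSec control environment?
    scores: dict = field(default_factory=dict)   # criterion -> 0..100


def validate_weights(weights):
    """Reject a worksheet whose weights do not cover the criteria or sum to 1."""
    if set(weights) != set(CRITERIA):
        raise ValueError("weights must cover exactly the worksheet criteria")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def weighted_score(asset, weights):
    """Weighted sum of the asset's criterion scores, rounded to one decimal."""
    for c in CRITERIA:
        s = asset.scores.get(c)
        if s is None or not 0 <= s <= 100:
            raise ValueError(f"{asset.name}: score for {c} missing or out of range")
    return round(sum(weights[c] * asset.scores[c] for c in CRITERIA), 1)


def prioritize(assets, weights=WEIGHTS):
    """Return (score, asset) pairs, highest priority first."""
    validate_weights(weights)
    return sorted(((weighted_score(a, weights), a) for a in assets),
                  key=lambda pair: pair[0], reverse=True)


def control_environment(assets):
    """Names of software/hardware assets that must be protected more thoroughly (slides 11-12)."""
    return [a.name for a in assets
            if a.category in ("software", "hardware", "networking") and a.security_control]


# Constructed sample inventory for illustration only.
SAMPLE_ASSETS = [
    Asset("Customer database", "data", "confidential", scores=dict(zip(CRITERIA, (100, 90, 80, 70, 60)))),
    Asset("Public web server", "hardware", "public", scores=dict(zip(CRITERIA, (60, 80, 50, 30, 20)))),
    Asset("Payroll procedure", "procedures", "internal", scores=dict(zip(CRITERIA, (40, 10, 20, 50, 30)))),
    Asset("Perimeter firewall", "networking", "internal", security_control=True,
          scores=dict(zip(CRITERIA, (90, 30, 30, 40, 50)))),
]
```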

21
Information asset valuation (cont’d)

22
How To Do

23
Identifying and prioritizing threats
• After identifying and performing the preliminary
classification of an organization’s information assets,
the analysis phase moves on to an examination of the
threats facing the organization. As you discovered, a
wide variety of threats face an organization and its
information and information systems.
• The realistic threats must be investigated further while
the unimportant threats are set aside. If you assume
every threat can and will attack every information
asset, the project scope quickly becomes so complex it
overwhelms the ability to plan.
24
“Enemy at the Gates: Threats to Information Security”
By Michael E. Whitman, Communications of the ACM, August 2003
• What are the threats to information security
according to top computing executives? A study
conducted in 2003 and repeated in 2009
asked that very question.
• Based on the categories of threats presented
earlier, over 1000 top computing executives
were asked to rate each threat category on a
scale of “not significant” to “very significant.”

25
CSI Survey
• CSI Survey Results for Types of Attack or
Misuse (2000–2009)

26
How To Do

27
Specify asset vulnerability
• Once you have identified the organization’s information assets and documented some criteria for beginning to assess the
threats it faces, you then review each information asset for each threat it faces and create a list of vulnerabilities.
• What are vulnerabilities? They are specific avenues that threat agents can exploit to attack an information asset.
• They are chinks in the armor.
• A vulnerability is a flaw or weakness in an information asset, security procedure, design, or control that could be exploited accidentally or on
purpose to breach security.

28
Assignment – Session 2
• Form groups of 2 students.
• Choose one company from the following list (a different company for each group):
• PT Anabatic Technologies Tbk. (ATIC)
• PT DCI Indonesia Tbk. (DCII)
• PT Distribusi Voucher Nusantara Tbk. (DIVA)
• PT Digital Mediatama Maxima Tbk. (DMMX)
• PT Envy Technologies Indonesia Tbk. (ENVY)
• PT Galva Technologies Tbk. (GLVA)
• PT Hensel Davest Indonesia Tbk. (HDIT)
• PT Kioson Komersial Indonesia Tbk. (KIOS)
• PT Limas Indonesia Makmur Tbk. (LMAS)
• PT Sentral Mitra Informatika Tbk. (LUCK)
• PT M Cash Integrasi Tbk. (MCAS)
• PT Multipolar Technology Tbk. (MLPT)
• PT Metrodata Electronics Tbk. (MTDL)
• PT NFC Indonesia Tbk. (NFCX)
• PT Sat Nusapersada Tbk. (PTSN)
• PT Northcliff Citranusa Indonesia Tbk. (SKYB)
• PT Indosterling Technomedia Tbk. (TECH)

29
Task (continued)
• Search Google for the Annual Report of the company you chose.
• Example keyword: “Annual Report PT Envy Technologies Indonesia Tbk”
• Download the Annual Report and study it, especially the “Company Profile” (“Profil Perusahaan”) section, to learn about the business/services
the company provides.
• Carry out the steps listed on the “How to do” slides.

30
Task (continued)
• Deliverables:
• Categories of the system components present (example: table on slide 6)
• Identification of the People, Procedure, Data, Software, and Hardware components
• Which information assets are important, and their impact (example: slide 22)
• Identification of threats and their priority

31
