Lec 4
RISK?
The probability that an unwanted and/or unexpected event occurs.
Risk Assessment
Let us take a digital document (an NDA) as an example. We need to list the threats to this document:
• Disk failure
• Virus
• Unauthorized access
• Power failures
• Natural calamities
Risk Assessment
IDENTIFY THE SCOPE OF THE SYSTEM
The first step is to define the scope of the system, so that the organization's assets within that scope can be listed.
Asset Value
Threats to each asset are grouped as:
• Human threats
• Technical threats
• Environmental threats
Vulnerability Identification
• Logically, without a vulnerability there is no risk.
• Are these vulnerabilities carried over from year to year without review and just accepted?
Risk is derived from the asset, its threats, its vulnerabilities and the existing controls.
Existing Control Identification
• To ensure control effectiveness and
sustainability it must be part of the overall
governance process.
• Control frameworks such as:
• COBIT 5 for Information Security,
• ISO/IEC 27001,
• NIST Cybersecurity Framework (and the NIST SP 800-53 controls mentioned previously)
provide excellent controls to choose from at the governance and detailed control levels.
DETERMINE BUSINESS IMPACT SEVERITY
Possible failures are assessed in terms of their impact on areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance.
Business Impact
• The BIA is based on time. If a server crashes, taking the NDA documents from the example above, how long can the organization go without its NDAs? This is derived by doing the business impact analysis.
• Scale 1-5
• Since NDA documents are critical to the organization, we shall take 4 as the BIA value.
Probability of Occurrence of Threat
• The probability of occurrence is required to understand the frequency at which such failures occur.
• It is based on previous experience and also on looking at the current implementation.
• The probability of occurrence is measured on a scale of 0.1 to 1.
• Let us consider the probability of occurrence for the NDA documents to be rated medium, i.e. 0.4 (based on the situation).
Determine Risk Level
RISK AVOIDANCE
Stop performing certain tasks or processes if they incur risks that are simply too big to mitigate with any other option.
RISK SHARING
This means you transfer the risk to another party. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use it together with options 1) (decrease the risk) and 2) (avoid the risk).
Before You Start the Risk Treatment
When selecting new controls, there are basically three types of controls:
1. Defining new rules: rules are documented through plans, policies, procedures, instructions, etc., although you don't have to document some less complex processes.
2. Implementing new technology: for example, backup systems, disaster recovery locations for alternative data centers, etc.
3. Changing the organizational structure: in some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.
Risk Treatment
Asset  | Threat                          | Vulnerability       | Treatment option  | Means of implementation
Laptop | Access by unauthorized persons  | Inadequate password | 1) Decrease risk  | Write Password Policy
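The steps above (asset, threat, vulnerability, existing controls, BIA value on a 1-5 scale, probability on a 0.1-1 scale, risk level, treatment option) can be kept in a small risk register. The following is an added example written for this page, not code from the lecture. It assumes that the risk level is computed as BIA value times probability (the slides give 4 and 0.4 for the NDA example but do not write the formula), and it assumes an acceptable risk level of 1.0 for deciding which rows need treatment; the sample rows other than the NDA values are constructed. It also enforces the point made under "Risk sharing": sharing alone does not influence the incident, so a row treated only by sharing is reported as a gap.

```python
from dataclasses import dataclass, field
from typing import List

# Treatment options as numbered on the slides (the "Risk sharing" text refers
# to options 1 and 2; sharing itself is the third option).
TREATMENT_OPTIONS = {1: "Decrease risk", 2: "Avoid risk", 3: "Share risk"}


@dataclass
class Risk:
    """One row of the risk register: asset, threat, vulnerability, controls."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: List[str]
    bia: int                 # business impact value on the slides' 1-5 scale
    probability: float       # probability of occurrence on the 0.1-1 scale
    treatment: List[int] = field(default_factory=list)  # chosen option numbers

    def __post_init__(self) -> None:
        # Enforce the lecture's scales so a typo (e.g. 40 instead of 0.4)
        # cannot silently dominate the ranking.
        if self.bia not in range(1, 6):
            raise ValueError(f"{self.asset}: BIA value must be 1-5, got {self.bia}")
        if not 0.1 <= self.probability <= 1.0:
            raise ValueError(f"{self.asset}: probability must be 0.1-1, got {self.probability}")
        # "Without a vulnerability there is no risk": refuse empty entries.
        if not self.vulnerability.strip():
            raise ValueError(f"{self.asset}: no vulnerability, so no risk to record")
        unknown = set(self.treatment) - set(TREATMENT_OPTIONS)
        if unknown:
            raise ValueError(f"{self.asset}: unknown treatment option(s) {sorted(unknown)}")

    @property
    def level(self) -> float:
        # ASSUMPTION: impact x probability. The slides give BIA 4 and
        # probability 0.4 for the NDA example but do not state the formula.
        return round(self.bia * self.probability, 2)


def rank(register: List[Risk]) -> List[Risk]:
    """Highest risk level first, ties broken by business impact."""
    return sorted(register, key=lambda r: (r.level, r.bia), reverse=True)


def sharing_is_alone(risk: Risk) -> bool:
    """Sharing (option 3) does not change the incident itself; the slides say to
    combine it with options 1 and 2. True when sharing is the only treatment."""
    chosen = set(risk.treatment)
    return 3 in chosen and not chosen & {1, 2}


def treatment_gaps(register: List[Risk], acceptable_level: float) -> List[str]:
    """Findings for rows above the (assumed) acceptable level that have no
    treatment option, or rely on sharing alone."""
    findings = []
    for r in register:
        if r.level <= acceptable_level:
            continue
        if not r.treatment:
            findings.append(f"{r.asset}/{r.threat}: level {r.level} with no treatment option")
        elif sharing_is_alone(r):
            findings.append(f"{r.asset}/{r.threat}: level {r.level} treated by sharing alone")
    return findings


# Constructed sample register following the NDA and laptop examples on the
# slides; apart from the NDA's BIA 4 / probability 0.4, the values are made up.
SAMPLE_REGISTER = [
    Risk("NDA documents", "Disk failure", "No tested backup", ["RAID-1"], 4, 0.4, [1]),
    Risk("NDA documents", "Unauthorized access", "Shared folder readable by all staff",
         [], 4, 0.6, [3]),
    Risk("Laptop", "Access by unauthorized persons", "Inadequate password",
         ["Screen lock"], 3, 0.5, [1]),
    Risk("Office server", "Natural calamities", "Single site, no DR location",
         [], 5, 0.2, [2, 3]),
]

ACCEPTABLE_LEVEL = 1.0   # assumed organisational risk appetite, not from the slides


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        opts = ", ".join(TREATMENT_OPTIONS[o] for o in r.treatment) or "-"
        print(f"{r.level:>4}  {r.asset:<15} {r.threat:<30} {opts}")
    for finding in treatment_gaps(SAMPLE_REGISTER, ACCEPTABLE_LEVEL):
        print("FINDING:", finding)
```

Running the script ranks the register by risk level (the NDA unauthorized-access row, 4 x 0.6 = 2.4, comes first) and reports that row as a gap because it is treated by sharing alone, which is exactly the situation the "Risk sharing" slide warns about.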