Homework ■ Send Alex a private message asking what section of HiTrust to look at – 1 page response about a HiTrust Objective – Submit PDF to homework engine – HiTrust PDF on homework engine ■ Submit your UPDATED resume to be reviewed by SecDev by Sunday 11:59pm (October 28, 2018)
RISK MANAGEMENT BY ALEXANDER BITAR
Who I Am ■ B.S. Business Administration – Spring 2017 – Concentration: MIS – IS & T Auditor Internship – Sodexo – 2017 ■ Master of Science in MIS – Spring 2019 – Security Development Track – Certificate in Information Assurance – TA for MGS 351 – Information Risk Assurance Internship – Blue Cross Blue Shield of WNY – 2018 – President of ISACA Student Group UB
What is risk?
Is Skydiving risky?
Skydiving Statistics (U.S.)
Year | Fatalities in U.S. | Annual Jumps | Estimated Fatalities per 1,000 Jumps
2017 | 24 | 3.2 million | 0.0075
2016 | 21 | 3.2 million | 0.0065
2015 | 21 | 3.5 million | 0.0061
2014 | 24 | 3.2 million | 0.0075
Agenda ■ What is risk? ■ What do we do with Risks? – Personally – An organization
Risk ■ The potential of losing something of value. ■ Information security risks – risks as they apply to data assets.
Risk Management ■ Information Security Policies ■ Organization of Information Security ■ Human Resources Security ■ Asset Management ■ Access Control ■ Encryption ■ Physical and Environmental Security ■ Operations Security ■ Communications Security ■ System Acquisition, Development, and Maintenance ■ Supplier Relationships ■ Information Security Incident Management ■ Information Security Aspects of Business Continuity Management ■ Compliance ■ Career and Workforce Development ■ Security Awareness
Risks are not only external or technical. ■ Financial ■ Vendor Driven ■ Accidental ■ Internal ■ Civil ■ Legal ■ Natural Disasters or Environmental
Impact x Likelihood ■ Impact – If a threat were to materialize, how could it affect our business? ■ Likelihood – What is the probability of a threat materializing? ■ Risk = Likelihood × Impact – Likelihood – chance of a risk event occurring – Impact – financial impact of the risk event
What Do We Do With Risk? ■ Take the risk ■ Avoid the risk ■ Accept the risk ■ Ignore the risk ■ Transfer the risk ■ Exploit the risk
How do we measure risk? ■ Threat Agents – Malicious hacker, Employees, Other Organizations, etc. ■ Threats – something that can cause harm to an organization. Can be internal or external – DDoS Attack – Snow storm ■ Owners – People within the organization that are responsible for an asset or process – Director of Payroll ■ Assets – anything of value to an organization – Web Servers – Payroll Applications ■ Counter Measures – Any controls that are put in place to reduce the threat – MFA – Privileged Access Management process
What should we do about risk? ■ Counter Measures – Any controls that are put in place to reduce the threat – MFA – Privileged Access Management process ■ Controls – Put in place to mitigate risk
Driving a car ■ What risk do we deal with when driving a car? ■ How to deal with those risks? – What controls are in place to mitigate those risks?
Case Study: University at Buffalo ■ Your team (4 people) has been hired by SUNY UB to implement a security framework to meet various compliance requirements. ■ First things first, you will need to set up a risk management plan. ■ SUNY UB is a large organization, one of the largest universities in the SUNY system: ~30,000 Students; ~6,000 Employees; ~2,500 Faculty; ~$716M Budget; ~12 Schools; ~40 Departments. ■ Let’s discuss
Planning ■ Scope & boundary – What are we working within? ■ Resources – What resources do we have at our disposal? – 1 vs 100 ■ Criteria – What constitutes a risk to the organization? Is it being measured consistently? ■ Policy – Do we have policy in place? ■ Enforcement – Who will enforce this? ■ Information Classification and Handling – Do we know what we need to protect?
Assets ■ Inventory ■ Ownership ■ Acceptable Use ■ Impact to the business
Asset categories ■ Physical Access ■ Network ■ User ■ Software ■ Hardware ■ Operational ■ Procedural and Policy ■ Information and Data
5 Min – Brainstorm what assets UB has + uses ● Quick list of 4-6 assets with your group
Mini Case-Study ■ Active Directory (User Management) ■ Students’ Computers ■ Exchange (Email) ■ Wifi ■ File Servers ■ UBLearns ■ Print Servers ■ Research Assets ■ VoIP System ■ Hypervisor (Virtualization) ■ Network (Switches & Routers) ■ Classrooms ■ Workstations ■ Software ■ Server Rooms ■ Sensitive Data/Information ■ Offices ■ UBHub
Mini Case-Study
Asset | Asset Inventory & Use
UBHub | Students’ PII, Grades, Schedule; Employee Info; Databases & ODBC; Multiple Privilege & Regular Users
Exchange (Email) | PII?, Privacy, Grades?; Conversations – Personal & Business; Research; Multiple Privilege & Regular Users
Server Rooms | Hypervisor (Virtual Machines); Network Equipment; Users with Physical Access; Data & Info
Threats
■ Internal to our organization – Budget loss for needed projects – Systems growing overly complex – System failures – Staff turnover – Insider threats – Politics/Agendas
■ External to our organization – Regulatory – Legal – Environmental / Weather related – Utility related – Natural disasters – Economic – Geo-political – Civil unrest – Cybersecurity events
Vulnerabilities ■ Similar to threats, but within our control ■ Weaknesses or gaps ■ Not just technical controls ■ Usually specific ■ What is the likelihood of exploitation? ■ How can it be exploited?
5 min – Brainstorm what threats and vulnerabilities the assets may be affected by
Threats and Vulnerabilities
Asset | Asset Inventory & Use | Threats | Vulnerabilities
UBHub | Students’ PII, Grades, Schedule; Employee Info; Databases & ODBC; Multiple Privilege & Regular Users | Failure; Insider Threats; Overly Complex; Regulations and Legal |
Exchange (Email) | PII, Privacy, Grades; Conversations – Personal & Business; Research; Multiple Privilege & Regular Users | Regulations and Legal; System Failure; Complexity; Staff Turnover; Insider Threats | Misconfigured; Patching behind; Too much access; Lack of knowledge; Stored PII
Server Rooms | Hypervisor (Virtual Machines); Network Equipment; Physical Access Needed; Data & Info | Natural Disasters; Utilities; Civil Unrest; Staff Turnover; Budgets, $$$$ | Physical Access; Location; Older HVAC; Older equipment; No Documentation
Risk Identification & Risk Analysis ■ Follow consistent criteria and measurements ■ Prioritize and plan (risk treatment) ■ Risk Register & Matrix ■ Impact ■ Likelihood ■ Security Frameworks
5 min – What is the impact and likelihood of each threat/vulnerabilities? ■ Qualitative - Impact + Likelihood ■ Quantitative – Using #’s
Qualitative Risk Assessment
Asset | Threats | Vulnerabilities | Impact | Likelihood | Risk
UBHub | Failure; Insider Threats; Overly Complex; Regulations and Legal | Too much access; No Documentation; Misconfigured; Lack of Knowledge | Medium | Low | Medium
Exchange (Email) | Regulations and Legal; System Failure; Complexity; Staff Turnover; Insider Threats | Misconfigured; Patching behind; Too much access; Lack of knowledge; Stored PII | Medium | Low | Medium
Server Rooms | Natural Disasters; Utilities; Civil Unrest; Staff Turnover; Budgets, $$$$ | Physical Access; Location; Older HVAC; Older equipment; No Documentation | High | Medium | High
Quantitative Assessment (Risk = Likelihood × Impact)
Asset | Threats | Vulnerabilities | Impact | Likelihood | Risk
UBHub | Failure; Insider Threats; Overly Complex; Regulations and Legal | Too much access; No Documentation; Misconfigured; Lack of Knowledge | $1.5M | 3 | $4.5M
Exchange (Email) | Regulations and Legal; System Failure; Complexity; Staff Turnover; Insider Threats | Misconfigured; Patching behind; Too much access; Lack of knowledge; Stored PII | $1M | 2 | $2M
Server Rooms | Natural Disasters; Utilities; Civil Unrest; Staff Turnover; Budgets, $$$$ | Physical Access; Location; Older HVAC; Older equipment; No Documentation | $3M | 6 | $18M
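As an added example (not part of the original slides), the Python below scores the register from the two assessment tables above both ways: qualitatively through a 3×3 Impact × Likelihood matrix, and quantitatively as Risk = Likelihood × Impact, then ranks the entries for risk treatment. The matrix bands, the reading of the quantitative Likelihood column as expected occurrences over the assessment period, and all function and class names are my assumptions; the asset, threat, vulnerability, rating and dollar values are taken from the slides.

```python
"""Risk register scoring: qualitative matrix + quantitative expected loss.

Added example, not from the slides.  Assumptions (mine): the 3x3 matrix
bands in qualitative_risk(), and that the quantitative Likelihood column
is an expected number of occurrences over the assessment period, so the
quantitative Risk is an expected loss in dollars.
"""
from dataclasses import dataclass

# Qualitative scale used by the deck's assessment table.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_risk(impact: str, likelihood: str) -> str:
    """Look up the qualitative rating for an (impact, likelihood) pair.

    Assumed matrix: multiply the level scores (1..3) and band the product
    as 1 -> Low, 2..4 -> Medium, 6..9 -> High.  This reproduces the deck's
    own ratings (Medium x Low = Medium, High x Medium = High) and never
    lets a Medium-or-worse impact fall to Low just because the likelihood
    is low, which is the usual failure mode of a naive matrix.
    """
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 6:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def quantitative_risk(impact_usd: float, likelihood: float) -> float:
    """Risk = Likelihood x Impact (assumption: likelihood is an expected
    occurrence count, so the result is expected loss in dollars)."""
    if impact_usd < 0 or likelihood < 0:
        raise ValueError("impact and likelihood must be non-negative")
    return impact_usd * likelihood


@dataclass
class RiskEntry:
    asset: str
    threats: list[str]
    vulnerabilities: list[str]
    impact: str                 # qualitative: Low / Medium / High
    likelihood: str             # qualitative: Low / Medium / High
    impact_usd: float           # quantitative impact per occurrence
    expected_occurrences: float  # quantitative likelihood (assumed meaning)

    @property
    def qualitative(self) -> str:
        return qualitative_risk(self.impact, self.likelihood)

    @property
    def expected_loss(self) -> float:
        return quantitative_risk(self.impact_usd, self.expected_occurrences)


# Constructed from the deck's qualitative and quantitative tables.
REGISTER = [
    RiskEntry("UBHub",
              ["Failure", "Insider Threats", "Overly Complex", "Regulations and Legal"],
              ["Too much access", "No Documentation", "Misconfigured", "Lack of Knowledge"],
              "Medium", "Low", 1_500_000, 3),
    RiskEntry("Exchange (Email)",
              ["Regulations and Legal", "System Failure", "Complexity",
               "Staff Turnover", "Insider Threats"],
              ["Misconfigured", "Patching behind", "Too much access",
               "Lack of knowledge", "Stored PII"],
              "Medium", "Low", 1_000_000, 2),
    RiskEntry("Server Rooms",
              ["Natural Disasters", "Utilities", "Civil Unrest", "Staff Turnover", "Budgets"],
              ["Physical Access", "Location", "Older HVAC", "Older equipment", "No Documentation"],
              "High", "Medium", 3_000_000, 6),
]


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Rank entries for treatment: highest expected loss first, qualitative
    rating as the tiebreaker so two equal-dollar entries still order."""
    return sorted(register,
                  key=lambda e: (e.expected_loss, LEVELS[e.qualitative]),
                  reverse=True)


def risk_matrix() -> dict[tuple[str, str], str]:
    """The full 3x3 matrix, for checking the scale is applied consistently
    (the deck's 'Criteria' planning point)."""
    return {(i, l): qualitative_risk(i, l) for i in LEVELS for l in LEVELS}


if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f"{e.asset:18} {e.qualitative:7} ${e.expected_loss:>12,.0f}  "
              f"first vulnerability: {e.vulnerabilities[0]}")
```

Ranking by expected loss puts Server Rooms first ($18M), then UBHub ($4.5M), then Exchange ($2M); the qualitative view alone cannot separate UBHub from Exchange (both Medium), which is why the deck shows both methods. A real register would also record the asset owner and the chosen response (Avoid, Transfer/Share, Mitigate, Accept) per entry.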
Risk Response ■ Avoid ■ Transfer/Share ■ Mitigate ■ Accept
Recommend
More recommend