Risk Assessment & Security Planning
IT security management framework
Organisational IT Security Policy
Objectives - the IT security outcomes wanted
Strategies - how to meet the objectives
Policies - identify what needs to be done
Security Policy
Security policies need to address requirements, scope, purpose, processes and management.
Risk Analysis
Most comprehensive approach
Assess using formal structured process
Significant cost in time, resources, expertise
May be a legal requirement to use
Suitable for large organisations with IT systems critical to their business objectives.
Security controls are categorised in classes
Control Classes
Operational Controls
Address correct implementation and use of security policies
Relate to mechanisms and procedures that are primarily implemented by people rather than systems
Technical Controls
Involve the correct use of hardware and software security capabilities in systems
Management Controls
Refer to issues that management needs to address
Focuses on reducing the risk of loss and protecting the organisation's mission
Steps involved to perform a risk assessment
Asset Identification
Threat Identification
Vulnerability Identification
Analyse Risks
Risk Likelihood
Risk Consequences
Risk Level
Risk Register
Four different approaches to risk assessment
Baseline Approach
Forms a good base for further security measures.
Use "industry best practice"
Implement agreed controls to provide protection against common threats.
The baseline approach is generally recommended for small organisations.
Informal Approach
Fairly quick and cheap
Exploits knowledge and expertise of analyst
Involves conducting an informal, pragmatic risk analysis of the organisation's IT systems.
Judgments can be made about vulnerabilities and risks that the baseline approach would not address.
Suitable for small-to-medium-sized organisations where IT systems are not necessarily essential.
Some risks may be incorrectly assessed
Skewed by analyst's views, varies over time
Combined Approach
Combines elements of other approaches
Initial baseline on all systems
Informal analysis to identify critical risks
Formal assessment on these systems
The process of selecting suitable controls to address risks
Residual Risk
Cost-Benefit Analysis
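As an added worked example (not part of the original mind map), the assessment steps listed above (asset, threat, vulnerability, likelihood, consequence, risk level, risk register) and the control-selection step (cost-benefit analysis leaving a residual risk) carried through in Python. The 1..5 rating scales, the level thresholds, the sample assets and the control costs are all constructed assumptions, not values from the page or from any standard.

```python
"""Risk register and control selection: constructed example, not the page's own material."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales for likelihood and consequence (example scales, not a standard).
MIN_RATING, MAX_RATING = 1, 5
LEVEL_ORDER = ["low", "medium", "high", "extreme"]


def risk_level(likelihood: int, consequence: int) -> str:
    """Combine likelihood and consequence into a qualitative level.

    Score = likelihood x consequence (1..25). The thresholds are an assumed
    example matrix; a real one is set by the organisation's security policy.
    """
    for value in (likelihood, consequence):
        if not MIN_RATING <= value <= MAX_RATING:
            raise ValueError(f"rating {value} outside {MIN_RATING}..{MAX_RATING}")
    score = likelihood * consequence
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One row of the risk register: the asset, the threat to it, the exploitable vulnerability and the ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    consequence: int

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


@dataclass
class Control:
    """A candidate control: its annual cost and the rating points it removes (constructed values)."""
    name: str
    cost: int
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def residual_risk(risk: Risk, controls: list) -> Risk:
    """The risk that remains after the controls are applied; ratings never drop below MIN_RATING."""
    like = max(MIN_RATING, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    cons = max(MIN_RATING, risk.consequence - sum(c.consequence_reduction for c in controls))
    return Risk(risk.asset, risk.threat, risk.vulnerability, like, cons)


def select_controls(risk: Risk, candidates: list, budget: int, target: str = "medium") -> tuple:
    """Cost-benefit selection: repeatedly add the affordable control with the largest score
    reduction per unit cost until the residual level is at or below `target` or the budget
    is spent. Returns (chosen controls, residual risk)."""
    chosen, remaining, current = [], list(candidates), risk
    while LEVEL_ORDER.index(current.level) > LEVEL_ORDER.index(target):
        affordable = [c for c in remaining if c.cost <= budget]
        if not affordable:
            break  # budget exhausted: the remaining risk must be accepted or escalated
        best = max(affordable, key=lambda c: (current.score - residual_risk(current, [c]).score) / c.cost)
        if residual_risk(current, [best]).score >= current.score:
            break  # no remaining control reduces the risk
        chosen.append(best)
        remaining.remove(best)
        budget -= best.cost
        current = residual_risk(current, [best])
    return chosen, current


def build_register(risks: list) -> list:
    """Order the register by score so the highest risks are treated first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample data for the three identification steps.
SAMPLE_RISKS = [
    Risk("customer database", "external attacker", "unpatched DBMS", 4, 5),
    Risk("office file server", "ransomware", "no offline backups", 3, 4),
    Risk("staff laptops", "theft", "disk not encrypted", 3, 2),
]
SAMPLE_CONTROLS = [
    Control("monthly patch cycle", cost=1500, likelihood_reduction=2),
    Control("network segmentation", cost=8000, likelihood_reduction=1, consequence_reduction=1),
    Control("offline backups", cost=2000, consequence_reduction=2),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        print(f"{r.level:8} {r.score:2}  {r.asset} / {r.threat} / {r.vulnerability}")
    chosen, residual = select_controls(SAMPLE_RISKS[0], SAMPLE_CONTROLS, budget=10000)
    print("selected:", [c.name for c in chosen], "residual level:", residual.level)
```

Run stand-alone it prints the register in treatment order and, for the top risk, the controls chosen within a 10000 budget together with the residual level. The greedy benefit-per-cost rule is one simple cost-benefit heuristic; the point is that the output of selection is a documented residual risk, which is what the register records and management signs off on.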
Security plan
Implementation Plan
Risk, level of risk, recommended controls, priority, selected controls, required resources, responsible persons, start and end dates, and other comments
Security Plan Implementation
Identified personnel
When implementation is completed, management authorises the system for operational use
Security Awareness and Training
Operational procedures
Details of design and implementation
The process of monitoring risks
Maintenance
Upgrade of controls to meet new requirements
Ensure system changes do not impact controls
Periodic review of controls
Address new threats or vulnerabilities
Security Compliance
Audit process to review security processes
Goal is to verify compliance with security plan
Use internal or external personnel
Usually based on use of checklists
Change and Configuration Management
Change management is the process to review proposed changes to systems
Configuration management is specifically concerned with keeping track of the configuration of each system in use and the changes made to it