Visual 1.1 Lesson 1 Overview and Risk Management Terminology.

Transcript of Visual 1.1 Lesson 1 Overview and Risk Management Terminology.

Page 1: Visual 1.1 Lesson 1 Overview and Risk Management Terminology.

Visual 1.1

Lesson 1

Overview and

Risk Management Terminology

Visual 1.2

Course Overview

Risk Management Definition
Risk Management Terminology
Risk Management Issues
Process and Methodology for Conducting Risk Management

Visual 1.3

ISSO Strategic Goals, Objectives, and Actions

Defining and institutionalizing risk management for ISSO and their customers
– Define the process
– Get management support
– Educate the workforce
– Practice risk management

Visual 1.4

Objective 1

At the end of this part of Lesson 1, you will be able to describe what Risk Management is and the elements of the Risk Management Process.

Visual 1.5

Security Management

Managing the risks to an organization’s mission

Visual 1.6

Risk Defined

“The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.”

NSA Corporate Plan for INFOSEC Action, April 1996

Visual 1.7

Management Defined

The art or manner of controlling the movement or behavior of something

To have charge of; direct; conduct; administer

New World Dictionary of the American Language

Visual 1.8

Risk Management

“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”

National Information Systems Security Glossary, NSTISSI No. 4009, and AFR 205-16, AFR 700-10

Visual 1.9

Risk Management - Simply Put

Determine what your risks are and then decide on a course of action to deal with those risks.

Visual 1.10

Aim of Risk Management

To aid managers in striking an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks

[Balance sheet figure: Risk Costs weighed against Countermeasure Costs]

Visual 1.11

Elements of the Risk Management Process

Risk Assessment
– Mission/Impact Analysis
– Identification of Critical Assets
– Threat Analysis
– Attack/Vulnerability Analysis

Risk Mitigation
– Countermeasures Development

Risk Decision
– Management’s Selection of Countermeasures for Implementation

Visual 1.12

Objective 2

At the end of this part of Lesson 1, you will be able to match risk management terms with their definitions.

Visual 1.13

Risk Assessment

A study of threats and vulnerabilities, the theoretical effectiveness of present security mechanisms, and the potential impact of these factors on an organization’s ability to perform its mission

Visual 1.14

Critical Asset

Something that, when disclosed, modified, destroyed, or misused, will cause harmful consequences to the organization or its goals and mission, or will provide an undesired and unintended benefit to someone

Visual 1.15

Critical Asset Examples

Information
People
Software
Hardware
Facilities
etc.

Visual 1.16

Threat

The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission

Visual 1.17

Threat Examples

Adversarial
– Terrorists
– Foreign States
– Disgruntled Employees
– Criminals
– Recreational Hackers
– Commercial Competitors

Non-Adversarial
– Nature
– Unintentional Human Acts

Visual 1.18

Attack

A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset -- cause an undesirable state of affairs -- resulting in harm to an organization’s ability to perform its mission

Visual 1.19

Vulnerability

A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity

Visual 1.20

Vulnerability Examples

Inadequate password management
Easy access to a facility
Weak cryptography
Software flaw
Open port

Visual 1.21

Consequence

The harmful result of a successful attack, degrading an organization’s ability to perform its mission

Visual 1.22

Consequence Examples

Harm to organization mission
– Loss of information confidentiality
– Loss of information integrity
– Loss of availability of information or system functions
– Inability to correctly authenticate sender of information
– Inability to verify receipt of information by the intended recipient

Visual 1.23

Risk Mitigation

Actions or countermeasures we can take to lessen risk
– Affect threat agent or their capabilities
– Eliminate or limit our vulnerabilities

Visual 1.24

Countermeasure Examples

Fix known exploitable software flaws
Enforce operational procedures
Provide encryption capability
Improve physical security
Disconnect unreliable networks
Train system administrators
Install virus scanning software

Visual 1.25

Risk Management Decision

Determination by management or command to
– take specific actions that will mitigate risk to mission, or
– reject countermeasure recommendations and accept risk to mission

Visual 1.26

Residual Risk

That portion of risk that remains
– Management decides to accept risk
– Unconsidered threat factors
– Unconsidered vulnerabilities
– Incorrect conclusions
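The process of Visuals 1.10, 1.11, 1.25 and 1.26 worked through as an added Python example (not part of the lesson): risk cost as chance times consequence, a balance-sheet decision for each proposed countermeasure, and the residual risk that is left. The Attack and Countermeasure classes, the one-year horizon and every figure are assumptions constructed for the illustration; only the term and example names come from the visuals.

```python
from dataclasses import dataclass

# Constructed illustration: the lesson defines risk as the chance of a harmful event
# times its consequence over time (Visual 1.6) but gives no figures; horizon here is one year.

@dataclass
class Attack:  # a threat exploiting a vulnerability against a critical asset (Visuals 1.16 to 1.19)
    name: str
    chance_per_year: float  # chance the harmful event occurs within the horizon
    consequence: float      # cost of the harm to the mission if it succeeds
    def risk_cost(self) -> float:
        return self.chance_per_year * self.consequence

@dataclass
class Countermeasure:  # lessens risk by limiting a vulnerability or a threat's capability (Visual 1.23)
    name: str
    cost: float
    attack: str              # name of the attack it addresses
    chance_reduction: float  # fraction of that attack's remaining chance it removes (0..1)

def total_risk_cost(attacks: list[Attack]) -> float:
    return sum(a.risk_cost() for a in attacks)

def decide(attacks: list[Attack], candidates: list[Countermeasure]) -> dict:
    """Risk management decision (Visual 1.25): keep a countermeasure only when the risk cost
    it removes exceeds its own cost (the balance sheet of Visual 1.10); otherwise reject it
    and accept the risk. What remains afterwards is the residual risk (Visual 1.26)."""
    residual = {a.name: a.risk_cost() for a in attacks}
    selected, accepted_risk = [], []
    for cm in sorted(candidates, key=lambda c: c.cost):  # cheapest first; overlapping ones compound
        avoided = residual[cm.attack] * cm.chance_reduction
        if avoided > cm.cost:
            selected.append(cm.name)
            residual[cm.attack] -= avoided
        else:
            accepted_risk.append(cm.name)
    return {"selected": selected, "accepted_risk": accepted_risk,
            "residual_risk": round(sum(residual.values()), 2)}

# Constructed scenario: vulnerability examples of Visual 1.20 paired with threats of Visual 1.17.
ATTACKS = [
    Attack("software-flaw-exploit", chance_per_year=0.40, consequence=250_000),
    Attack("facility-intrusion", chance_per_year=0.05, consequence=400_000),
    Attack("unreliable-network-outage", chance_per_year=0.30, consequence=50_000),
]
CANDIDATES = [  # names taken from the countermeasure examples of Visual 1.24
    Countermeasure("Fix known exploitable software flaws", 30_000, "software-flaw-exploit", 0.80),
    Countermeasure("Train system administrators", 10_000, "software-flaw-exploit", 0.50),
    Countermeasure("Improve physical security", 25_000, "facility-intrusion", 0.60),
    Countermeasure("Disconnect unreliable networks", 5_000, "unreliable-network-outage", 0.90),
]
DECISION = decide(ATTACKS, CANDIDATES)  # residual_risk 31500.0 of an initial 135000.0
```

Note that "Improve physical security" is rejected not because it is useless but because, with these constructed figures, the risk cost it would remove is smaller than its price; that accepted risk is part of the residual risk.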