Lecture: Professional Practices in Information Technology - Lecture 32: Risk Management

After studying this chapter you will be able to understand: introduction, risk management, risk identification, risk assessment, documenting the results of risk assessment.

Lecture 32: Risk Management (Cont'd)
Management of Information Security, 3rd ed.

Threat Identification (cont'd.)
Weighted ranks of threats to information security
Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission.

Threat Identification (cont'd.): Vulnerability Assessment
Begin to review every information asset for each threat.
This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.
This list serves as the starting point for the next step in the risk management process: risk assessment.

Table 8-4 Vulnerability assessment of a DMZ router
Source: Course Technology/Cengage Learning

The TVA Worksheet
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.
Another list prioritizes threats facing the organization based on the weighted table discussed earlier.
These lists can be combined into a single worksheet.

Table 8-5 Sample TVA spreadsheet
Source: Course Technology/Cengage Learning

Introduction to Risk Assessment
The goal is to create a method to evaluate the relative risk of each listed vulnerability.

Figure 8-3 Risk identification estimate factors
Source: Course Technology/Cengage Learning

Likelihood
The overall rating of the probability that a .
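The TVA worksheet slides describe combining the ranked asset list and the weighted threat list into one grid whose cells hold the vulnerabilities found for each threat/asset pair. The following is an added example, not code from the lecture or the Whitman textbook; every asset value, threat weight and vulnerability in it is constructed sample data, and the sort order (threats by weight, assets by value) is an assumption about how the worksheet is laid out.

```python
# Added example, not from the lecture or the Whitman text: build the TVA
# worksheet from the asset ranking and the weighted threat ranking.
# All asset values, threat weights and vulnerabilities are constructed data.

# Constructed: assets with their relative value from the asset ranking step
ASSETS = {"DMZ router": 90, "Customer DB server": 100, "Web server": 70}
# Constructed: threat categories with weighted ranks (higher = more severe)
THREATS = {"Software attacks": 95, "Human error": 80, "Hardware failure": 60}
# Constructed: (threat, asset, vulnerability) triples from vulnerability assessment
VULNERABILITIES = [
    ("Software attacks", "DMZ router", "Unpatched router firmware"),
    ("Software attacks", "Web server", "Outdated TLS configuration"),
    ("Human error", "DMZ router", "Misconfigured ACL"),
    ("Hardware failure", "Customer DB server", "No redundant power supply"),
]

def build_tva_worksheet(assets, threats, vulns):
    """Columns: assets by descending value; rows: threats by descending weight.
    Each cell lists the vulnerabilities pairing that threat with that asset."""
    asset_order = sorted(assets, key=lambda a: (-assets[a], a))
    threat_order = sorted(threats, key=lambda t: (-threats[t], t))
    cells = {(t, a): [] for t in threat_order for a in asset_order}
    for threat, asset, vuln in vulns:
        if (threat, asset) not in cells:
            # A vulnerability naming an unlisted asset or threat means the
            # earlier identification steps are incomplete; fail loudly.
            raise ValueError(f"unknown threat/asset pair: {threat!r}, {asset!r}")
        cells[(threat, asset)].append(vuln)
    return asset_order, threat_order, cells

def prioritized_pairs(asset_order, threat_order, cells):
    """Walk the worksheet row by row from the top-left corner (highest-ranked
    threat against the most valuable asset) and return the non-empty cells,
    which is the ordered input list for the risk assessment step."""
    return [(t, a, cells[(t, a)])
            for t in threat_order for a in asset_order if cells[(t, a)]]

def render(asset_order, threat_order, cells):
    """Plain-text grid: one row per threat, one column per asset, cell = count."""
    w = max(len(x) for x in asset_order + threat_order) + 2
    out = ["".ljust(w) + "".join(a.ljust(w) for a in asset_order)]
    for t in threat_order:
        out.append(t.ljust(w) + "".join(str(len(cells[(t, a)])).ljust(w) for a in asset_order))
    return "\n".join(out)

if __name__ == "__main__":
    ws = build_tva_worksheet(ASSETS, THREATS, VULNERABILITIES)
    print(render(*ws))
    for threat, asset, vulns in prioritized_pairs(*ws):
        print(f"{threat} -> {asset}: {', '.join(vulns)}")
```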