Lesson 1

Report
Lesson 1
Overview
and
Risk Management
Terminology
Visual 1. 1
Course Overview
Risk Management Definition
 Risk Management Terminology
 Risk Management Issues
 Process and Methodology for
Conducting Risk Management

Visual 1. 2
ISSO Strategic Goals, Objectives,
and Actions

Defining and institutionalizing risk
management for ISSO and their
customers
–
–
–
–
Define the process
Get management support
Educate the workforce
Practice risk management
Visual 1. 3
Objective 1

At the end of this part of Lesson 1, you
will be able to describe what Risk
Management is the elements of the Risk
Management Process
Visual 1. 4
Security Management

Managing the risks to an
organization’s mission
Visual 1. 5
Risk Defined

“The combination of events harmful to
an entity’s desired state of affairs, the
chance that the events will take place,
and the consequences of their
occurrence, as a function of time.”
NSA Corporate Plan for INFOSEC Action, April 1996
Visual 1. 6
Management Defined
The art or manner of controlling the
movement or behavior of something
 To have charge of; direct; conduct;
administer

New World Dictionary of the American Language
Visual 1. 7
Risk Management

“The total process to identify, control,
and manage the impact of uncertain
harmful events, commensurate with the
value of the protected assets.”
National Information Systems Security Glossary, NSTISSI No. 4009
and AFR 205-16, AFR 700-10
Visual 1. 8
Risk Management Simply Put

Determine what your risks are and then
decide on a course of action to deal with
those risks.
Visual 1. 9
Aim of Risk Management

To aid managers strike an economic
balance between the costs associated
with the risks and the costs of
protective measures to lessen those
risks
Balance Sheet
Risk Costs Countermeasure
Costs
Visual 1. 10
Elements of the
Risk Management Process

Risk Assessment
–
–
–
–

Mission/Impact Analysis
Identification of Critical Assets
Threat Analysis
Attack/Vulnerability Analysis
Risk Mitigation
– Countermeasures Development

Risk Decision
– Management’s Selection of Countermeasures for
Implementation
Visual 1. 11
Objective 2

At the end of this part of Lesson 1, you
will be able to match risk management
terms with their definitions.
Visual 1. 12
Risk Assessment

A study of threats and vulnerabilities,
the theoretical effectiveness of present
security mechanisms, and the potential
impact of these factors on an
organization’s ability to perform its
mission
Visual 1. 13
Critical Asset

Something that when disclosed,
modified, destroyed, or misused will
cause harmful consequences to the
organization or its goals and mission, or
will provide an undesired and
unintended benefit to someone
Visual 1. 14
Critical Asset Examples
Information
 People
 Software
 Hardware
 Facilities
 etc.

Visual 1. 15
Threat

The capabilities and intentions of
adversaries to exploit an information
system; or any natural or unintentional
event with the potential to cause harm
to an information system, resulting in a
degradation of an organization’s ability
to fully perform its mission
Visual 1. 16
Threat Examples

Adversarial
– Terrorists
– Foreign States
– Disgruntled
Employees
– Criminals
– Recreational Hackers
– Commercial
Competitors

Non-Adversarial
– Nature
– Unintentional
Human Acts
Visual 1. 17
Attack

A well-defined set of actions by the
threat (an active agent) that, if
successful, would damage a critical
asset -- cause an undesirable state of
affairs -- resulting in harm to an
organization’s ability to perform its
mission
Visual 1. 18
Vulnerability

A characteristic of an information
system or its components that could be
exploited by an adversary, or harmed
by a natural act or an act
unintentionally caused by human
activity
Visual 1. 19
Vulnerability Examples
Inadequate password management
 Easy access to a facility
 Weak cryptography
 Software flaw
 Open port

Visual 1. 20
Consequence

The harmful result of a successful
attack, degrading an organization’s
ability to perform its mission
Visual 1. 21
Consequence Examples

Harm to organization mission
– Loss of information confidentiality
– Loss of information integrity
– Loss of availability of information or
system functions
– Inability to correctly authenticate sender of
information
– Inability to verify receipt of information by
the intended recipient
Visual 1. 22
Risk Mitigation
Actions or countermeasures we can take
to lessen risk
– Affect threat agent or their capabilities
– Eliminate or limit our vulnerabilities
Visual 1. 23
Countermeasure Examples
Fix known exploitable software flaws
 Enforce operational procedures
 Provide encryption capability
 Improve physical security
 Disconnect unreliable networks
 Train system administrators
 Install virus scanning software

Visual 1. 24
Risk Management Decision

Determination by management or
command to
– take specific actions that will mitigate risk
to mission, or
– reject countermeasure recommendations
and accept risk to mission
Visual 1. 25
Residual Risk

That portion of risk that remains
–
–
–
–
Management decides to accept risk
Unconsidered threat factors
Unconsidered vulnerabilities
Incorrect conclusions
Visual 1. 26

similar documents