Lesson 1
Risk Management
Visual 1.1
Course Overview
• Risk Management Definition
• Risk Management Terminology
• Risk Management Issues
• Process and Methodology for Conducting Risk Management
Visual 1.2
ISSO Strategic Goals, Objectives, and Actions
Defining and institutionalizing risk management for ISSO and their
• Define the process
• Get management support
• Educate the workforce
• Practice risk management
Visual 1.3
Objective 1
At the end of this part of Lesson 1, you will be able to describe what Risk Management is and the elements of the Risk Management Process.
Visual 1.4
Security Management
Managing the risks to an organization’s mission
Visual 1.5
Risk Defined
“The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.”
NSA Corporate Plan for INFOSEC Action, April 1996
Visual 1.6
Management Defined
• The art or manner of controlling the movement or behavior of something
• To have charge of; direct; conduct
New World Dictionary of the American Language
Visual 1.7
Risk Management
“The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.”
National Information Systems Security Glossary, NSTISSI No. 4009, and AFR 205-16, AFR 700-10
Visual 1.8
Risk Management Simply Put
Determine what your risks are and then decide on a course of action to deal with those risks.
Visual 1.9
Aim of Risk Management
To aid managers in striking an economic balance between the costs associated with the risks and the costs of protective measures to lessen those
Balance Sheet: Risk Costs | Countermeasure
Visual 1.10
Elements of the Risk Management Process
• Risk Assessment
  – Mission/Impact Analysis
  – Identification of Critical Assets
  – Threat Analysis
  – Attack/Vulnerability Analysis
• Risk Mitigation
  – Countermeasures Development
• Risk Decision
  – Management’s Selection of Countermeasures for
Visual 1.11
Objective 2
At the end of this part of Lesson 1, you will be able to match risk management terms with their definitions.
Visual 1.12
Risk Assessment
A study of threats and vulnerabilities, the theoretical effectiveness of present security mechanisms, and the potential impact of these factors on an organization’s ability to perform its
Visual 1.13
Critical Asset
Something that, when disclosed, modified, destroyed, or misused, will cause harmful consequences to the organization or its goals and mission, or will provide an undesired and unintended benefit to someone
Visual 1.14
Critical Asset Examples
• People
• Software
• Hardware
• Facilities
• etc.
Visual 1.15
Threat
The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission
Visual 1.16
Threat Examples
– Terrorists
– Foreign States
– Disgruntled
– Criminals
– Recreational Hackers
– Commercial
– Nature
– Unintentional Human Acts
Visual 1.17
Attack
A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset (cause an undesirable state of affairs), resulting in harm to an organization’s ability to perform its
Visual 1.18
Vulnerability
A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human
Visual 1.19
Vulnerability Examples
• Inadequate password management
• Easy access to a facility
• Weak cryptography
• Software flaw
• Open port
Visual 1.20
Consequence
The harmful result of a successful attack, degrading an organization’s ability to perform its mission
Visual 1.21
Consequence Examples
• Harm to organization mission
  – Loss of information confidentiality
  – Loss of information integrity
  – Loss of availability of information or system functions
  – Inability to correctly authenticate sender of
  – Inability to verify receipt of information by the intended recipient
Visual 1.22
Risk Mitigation
Actions or countermeasures we can take to lessen risk
– Affect the threat agent or their capabilities
– Eliminate or limit our vulnerabilities
Visual 1.23
Countermeasure Examples
• Fix known exploitable software flaws
• Enforce operational procedures
• Provide encryption capability
• Improve physical security
• Disconnect unreliable networks
• Train system administrators
• Install virus scanning software
Visual 1.24
Risk Management Decision
Determination by management or command to
– take specific actions that will mitigate risk to mission, or
– reject countermeasure recommendations and accept risk to mission
Visual 1.25
Residual Risk
That portion of risk that remains
• Management decides to accept risk
• Unconsidered threat factors
• Unconsidered vulnerabilities
• Incorrect conclusions
Visual 1.26
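A worked version of the balance sheet from Visual 1.9 and of the risk decision and residual risk slides above, added here as an illustration and not part of the lesson. Every asset value, chance and countermeasure cost is a constructed sample figure, and the cost-per-year formula is an assumption that applies the lesson's definition of risk (chance of the event, times its consequence, over a period of time).

```python
"""Worked risk balance sheet (added illustration; figures are constructed samples)."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str             # critical asset at stake
    threat: str            # threat agent mounting the attack
    vulnerability: str     # characteristic the attack exploits
    consequence: float     # harm per successful attack, in dollars
    annual_chance: float   # chance of a successful attack in one year

    def annual_cost(self) -> float:
        # Lesson's risk definition applied per year: chance x consequence
        return self.consequence * self.annual_chance


@dataclass
class Countermeasure:
    name: str
    annual_cost: float       # cost of the protective measure per year
    chance_reduction: float  # fraction of annual_chance it removes (0..1)


def decide(risk: Risk, cm: Countermeasure) -> dict:
    """Risk Decision: mitigate if the countermeasure costs less than the
    risk cost it removes, otherwise reject it and accept the risk."""
    risk_cost = risk.annual_cost()
    after = risk_cost * (1 - cm.chance_reduction)
    removed = risk_cost - after
    if cm.annual_cost < removed:
        decision, residual = "mitigate", after
        total = residual + cm.annual_cost
    else:
        decision, residual = "accept", risk_cost
        total = risk_cost
    return {"decision": decision, "risk_cost": risk_cost,
            "residual_risk": residual, "total_cost": total}


# Constructed sample: a server exposed through an unpatched software flaw
SAMPLE_RISK = Risk("customer database server", "criminals",
                   "known exploitable software flaw",
                   consequence=200_000.0, annual_chance=0.10)
PATCHING = Countermeasure("fix known exploitable software flaws",
                          annual_cost=5_000.0, chance_reduction=0.9)
DISCONNECT = Countermeasure("disconnect unreliable networks",
                            annual_cost=50_000.0, chance_reduction=1.0)

if __name__ == "__main__":
    for cm in (PATCHING, DISCONNECT):
        print(f"{cm.name}: {decide(SAMPLE_RISK, cm)}")
```

The residual figure here covers only the risk left after the chosen countermeasure; the other sources of residual risk the slide lists (unconsidered threats and vulnerabilities, incorrect conclusions) are by nature absent from the numbers.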
