Information Risk Management
IRM
• Information risk management (IRM) is the process of
identifying and assessing risk, reducing it to an acceptable
level, and implementing the right mechanisms to maintain
that level
(Diagram: safeguards protect the organization's assets (data, facilities, hardware, software); vulnerabilities in those assets, combined with threats, produce risk.)
• Risk avoidance.
• Risk transfer.
• Risk mitigation.
• Risk acceptance.
How IRM Works
(Diagram: the IRM cycle. Risk assessment: define boundaries, scope and methodology; collect and interpret data; synthesize results. Risk mitigation: select safeguard; implement safeguard; control; accept residual risk.)
IRM Policy
• Proper risk management requires a strong commitment from
senior management, a documented process that supports the
organization’s mission, an information risk management (IRM)
policy, and a delegated IRM team
• If a company does not know the value of the information and the
other assets it is trying to protect, it does not know how much
money and time it should spend on protecting them
• The value of the company’s facilities must be assessed, along with all
printers, workstations, servers, peripheral devices, supplies, and
employees. You do not know how much is in danger of being lost if
you don’t know what you have and what it is worth in the first place
Cost That Makes up the Value
• An asset can have both quantitative and qualitative
measurements assigned to it, but these measurements need
to be derived
• The actual value of an asset is determined by the importance
it has to the organization as a whole
• The value of an asset should reflect all identifiable costs that
would arise if the asset were actually impaired
• If a server cost $4,000 to purchase, this value should not be
input as the value of the asset in a risk assessment
• Rather, the cost of replacing or repairing it, the loss of
productivity, and the value of any data that may be corrupted
or lost must be accounted for to properly capture the amount
the organization would lose if the server were to fail
• The following issues should be considered when assigning
values to assets:
• Cost to acquire or develop the asset
• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Price others are willing to pay for the asset
• Cost to replace the asset if lost
• Operational and production activities affected if the asset is
unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization
Why Determine Asset Value?
• It helps
• Delayed Loss
• Delayed loss is secondary in nature and takes place well after a
vulnerability is exploited. Delayed loss may include damage to the
company’s reputation, loss of market share, civil suits, the
delayed collection of funds from customers, and so forth
Risk Analysis Approaches
• The two approaches to risk analysis are quantitative and
qualitative.
• The risk analysis team will determine the best technique for the
threats that need to be assessed, as well as the culture of the
company and individuals involved with the analysis
• In a qualitative analysis, the team performing the risk analysis
gathers personnel who have experience and education on the threats
being evaluated. When this group is presented with a scenario
that describes threats and loss potential, each member
responds with their gut feeling and experience on the
likelihood of the threat and the extent of damage that may
result.
(Figure: 5 x 5 risk matrix. Rows are impact, columns are likelihood; the deck shows two labellings of the impact scale.)

Impact (row)                        Rare (1)  Unlikely (2)  Moderate (3)  Likely (4)  Frequent (5)
5  Catastrophic / Extreme
4  Material / Very High
3  Major
2  Minor / Low
1  Insignificant / Negligible
                                    Likelihood (column)
• The benefits of this type of analysis are that communication
must happen among team members to rank the risks and
safeguard strengths and to identify weaknesses, and the people
who know these subjects best provide their opinions to
management
• Residual risk is different from total risk, which is the risk a company
faces if it chooses not to implement any type of safeguard. A
company may choose to take on total risk if the cost/benefit analysis
results indicate this is the best course of action
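The matrix above and the total-versus-residual distinction can be worked through in code. The following is an added example, not code from the original slides: it collapses each team member's likelihood and impact votes into a consensus rating, scores the cell on the 5 x 5 matrix, ranks the register by total risk (no safeguard in place), then re-scores each item with its safeguard applied and checks the residual band against a risk appetite. The scenarios, votes, safeguards and residual ratings are constructed for illustration, and the score bands (Low 1-5, Medium 6-10, High 11-15, Extreme 16-25) are an assumption rather than something the deck defines.

```python
"""Qualitative risk assessment on the 5x5 likelihood/impact matrix.

Added example for these slides, not code from the original deck. The
scenarios, team votes, safeguards and residual ratings are constructed
for illustration, and the score bands are an assumption.
"""
from dataclasses import dataclass
from statistics import median_high
from typing import Optional

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}

# Assumed bands on the cell score likelihood * impact (1..25): upper bound, label.
BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Extreme"))
BAND_ORDER = [name for _, name in BANDS]


@dataclass
class Risk:
    name: str
    votes: list                                  # one (likelihood, impact) pair per team member
    safeguard: str = ""                          # empty means the risk is accepted as-is
    residual_likelihood: Optional[int] = None    # rating after the safeguard is in place
    residual_impact: Optional[int] = None


def band(score: int) -> str:
    """Map a matrix cell score to its band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def rate(likelihood: int, impact: int):
    """Score one cell of the matrix; both ratings must be on the 1..5 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1..5")
    score = likelihood * impact
    return score, band(score)


def consensus(votes):
    """Collapse the team's individual ratings into one (likelihood, impact) pair.

    median_high keeps the result on the integer scale and, on a split vote,
    leans toward the more severe rating instead of averaging to a non-cell.
    """
    if not votes:
        raise ValueError("no votes")
    return (median_high(v[0] for v in votes), median_high(v[1] for v in votes))


def assess(register, appetite: str = "Medium"):
    """Rank total risk, then check residual risk against the risk appetite.

    Total risk is the consensus rating with no safeguard in place; residual
    risk is the rating after the listed safeguard. Anything whose residual
    band is above the appetite still needs treatment or an explicit acceptance.
    """
    rows = []
    for r in register:
        lik, imp = consensus(r.votes)
        total_score, total_band = rate(lik, imp)
        rl = r.residual_likelihood if r.residual_likelihood is not None else lik
        ri = r.residual_impact if r.residual_impact is not None else imp
        res_score, res_band = rate(rl, ri)
        rows.append({
            "name": r.name,
            "likelihood": LIKELIHOOD[lik],
            "impact": IMPACT[imp],
            "total_score": total_score,
            "total_band": total_band,
            "treatment": "mitigate" if r.safeguard else "accept",
            "safeguard": r.safeguard,
            "residual_score": res_score,
            "residual_band": res_band,
            "within_appetite": BAND_ORDER.index(res_band) <= BAND_ORDER.index(appetite),
        })
    # Highest total risk first; ties keep register order (sort is stable).
    return sorted(rows, key=lambda row: row["total_score"], reverse=True)


# Constructed register: three or four team members rate each scenario.
REGISTER = [
    Risk("Ransomware on file server", [(4, 5), (3, 5), (4, 4), (3, 4)],
         "offline backups and EDR", residual_likelihood=2, residual_impact=3),
    Risk("Phishing credential theft", [(5, 4), (4, 3), (5, 4)],
         "phishing-resistant MFA", residual_likelihood=3, residual_impact=3),
    Risk("Unpatched public web app", [(4, 4), (5, 4), (4, 5)],
         "WAF in front of the app", residual_likelihood=3, residual_impact=4),
    Risk("Insider data exfiltration", [(3, 4), (2, 4), (3, 5)],
         "DLP on egress", residual_likelihood=2, residual_impact=4),
    Risk("Datacenter flood", [(1, 5), (1, 5), (2, 4)]),   # accepted: no safeguard
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        flag = "" if row["within_appetite"] else "  <- above appetite"
        print(f'{row["name"]:<28} total {row["total_score"]:>2} {row["total_band"]:<8}'
              f' residual {row["residual_score"]:>2} {row["residual_band"]:<8}{flag}')
```

Running it shows why total and residual risk have to be tracked separately: the web-application item is Extreme before treatment and still High after the assumed safeguard, so it remains above a Medium appetite and needs either a stronger control or a documented acceptance by management, whereas the flood scenario is within appetite with no safeguard at all and is simply accepted.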
• Risk Avoidance. The practice of coming up with
alternatives so that the risk in question is not realized.
• Risk Transfer. The practice of passing the risk in
question on to another entity, such as an insurance company.
• Risk Mitigation. The practice of eliminating or
significantly decreasing the level of risk presented. For example, a
company can put countermeasures such as a firewall or an IDS
in place to deter malicious actors from accessing highly
sensitive information.
• Risk Acceptance. The practice of simply accepting
certain risks, typically based on a business decision that
may also weigh the cost versus the benefit of dealing with
the risk in another way.
Avoidance
Attempts to prevent exploitation of the vulnerability
Transference
Control approach that attempts to shift risk to other assets,
processes, or organizations
Mitigation
Attempts to reduce impact of vulnerability exploitation
through planning and preparation