Risk Management and Governance | My Assignment Tutor

Griffith University指导老师 Hui TianMod 5-1:Risk Management and Governance• Identify the best practices for the security in your case as a securityadministrator• Undertake a quantitative risk analysis• Identify which standard to follow in ISO/IEC seriesRisk Management & GovernanceRisk management:1. Identify on-premises and cloud assets2. Consider data privacy laws and regulations3. Identify threats against assets– Personnel safety– Data theft– System downtime4. Determine risk likelihood– Prioritize risks5. Implement cost-effective security controlsRisk Management & GovernanceSecurity ControlsDifferent Categories:• Physical• Technical• AdministrativeRisk Management & GovernanceDifferent functionalities:• Preventive• Detective• Corrective• Deterrent• Recovery• CompensatingCase study: Online kitchenware retail companyQuantitative Risk Analysis• Asset Value (AV): $ value of an information asset• Exposure Factor (EF): % of asset loss caused by a threat• Single Loss Expectancy (SLE): AV x EF• Annualised Rate of Occurrence (ARO): Frequency per year• Annualised Loss Expectancy (ALE) = SLE x ARO• A certain research data is worth $1 million (AV=$1M)• Ransomware might render 50% of data useless (EF=0.5)• SLE = AV x EF = $500K• Ransomware might hit once every two years (ARO=0.5)• Annualised Loss Expectancy ALE = SLE x ARO = $250KExample:Risk Management & GovernanceQuantitative Risk Analysis: Example 1Risk Management & GovernanceCost/Benefit analysis: Value of control to the companyALE before implementing control – ALE after implementing control – Annual cost of controlDetermine whether the safeguards are justifiable in costQuantitative Risk Analysis: Example 2Risk Management & GovernanceISO/IEC 27000 SeriesISO/IEC 27000 — ISMS— Overview and vocabularyISO/IEC 27001 — ISMS— Requirements.ISO/IEC 27002 — Code of practice for information security controlsISO/IEC 27003 — ISMS implementation guidanceISO/IEC 27004 — ISMS— Monitoring, measurement, analysis and evaluationISO/IEC 27005 — risk managementISO/IEC 27006 — ISMS Requirements for bodies providing audit and certificationISO/IEC 27007 — Guidelines for information security management systems auditingISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on auditing the informationsecurity controls)ISO/IEC 15408 — Information technology — Security techniques — Evaluation criteria for IT security.27011 telecom organizations, 27014 Information security governance, 27015 financial sector,27031 business continuity, 27032 Cybersecurity, 27033 IT Network security, 27034 Applicationsecurity, 27035, Incident management, 27037 Digital evidence collection and preservation, 27799Health organizationsRisk Management & GovernanceInformation Security FrameworkRisk Management & GovernanceReport requirement for Case Study• 1. Title (followed by your name and student ID)• 2. Executive Summary• 3.1 Case description• 3.2 Security Operations– W1: Privacy Impact Assessment– W2: Design a questionnaire to test the cyber security awareness for your case– W3: Risk Management and Governance• 4. Conclusion and Reflection• 5. ReferenceRisk Management & GovernanceRisk Management & GovernanceTASKS – For your “The Good Guys” Case:– Identify 5 most important assets in your case. Full table of quantitative risk analysis from thetemplate– After risk prioritization, what is the top risk in your list to be fixed most urgently?– Security control justification. For each proposed security control, a cost analysis needs to bedone before deciding if it should be deployed. In your report, use the 1st asset and 1st risk asan example, i.e. the one in the following table, analyse ALEs before applying a securitycontrol and after applying the control, and cost in this security control, and then make yourdecision if it’s worthwhile to spend money in the anti-virus software and its updates. Includethe steps involved in your analysis and the decision you made in your report.– Review your security control proposed, identify which ISO/IEC standard can help to improvethe security level for your case. List all ISO/IEC standards you can refer to for your case.