UNIT 3 - Information Security (1)

The document outlines the key components of risk management in information security, including risk identification, assessment, treatment, and monitoring. It emphasizes the importance of access control mechanisms and effective information flow to mitigate risks and protect organizational assets. Continuous training and compliance with regulations are also highlighted as critical elements in maintaining a robust security posture.

Uploaded by

25devv
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
13 views

UNIT 3 - Information Security (1)

The document outlines the key components of risk management in information security, including risk identification, assessment, treatment, and monitoring. It emphasizes the importance of access control mechanisms and effective information flow to mitigate risks and protect organizational assets. Continuous training and compliance with regulations are also highlighted as critical elements in maintaining a robust security posture.

Uploaded by

25devv
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 76

SRM IST

School of Computing
Department of Networking and Communications

21CSE282T - INFORMATION SECURITY

Dr.V.Nallarasan
Assistant Professor / NWC
Course Content

Unit 3

Risk Management: Identifying and Assessing Risk, Assessing and Controlling Risk - Systems: Access Control Mechanisms, Information Flow and Confinement Problem

CO3: Demonstrate the Aspects of Risk Management
Risk Management

Risk management in information security is a critical aspect of ensuring the confidentiality, integrity, and availability of an organization's information assets. It involves identifying, assessing, prioritizing, and mitigating risks to protect sensitive data and prevent security breaches. Here's an overview of the key steps involved in risk management in information security:

Risk Identification

This step involves identifying potential threats and vulnerabilities that could affect the security of the organization's information assets. This may include external threats such as cyberattacks, malware, and phishing, as well as internal risks such as unauthorized access, human error, and system failures.

Risk Assessment

Once risks are identified, they need to be assessed in terms of their likelihood and potential impact on the organization's information assets. This step helps prioritize risks based on their severity and likelihood of occurrence.

Risk Analysis

Risk analysis involves analyzing the identified risks to determine their potential consequences and the effectiveness of existing controls in mitigating those risks. This step helps in understanding the potential loss associated with each risk and aids in decision-making regarding risk treatment.

Risk Treatment

After analyzing the risks, organizations need to develop and implement strategies to treat or mitigate the identified risks. Risk treatment options may include risk avoidance, risk reduction, risk transfer, or risk acceptance. This step aims to reduce the likelihood and impact of identified risks to an acceptable level.

Risk Monitoring and Review

Risk management is an ongoing process, and it's essential to continuously monitor and review the effectiveness of risk mitigation measures. This involves regularly assessing the changing threat landscape, evaluating the effectiveness of existing controls, and making adjustments to the risk management strategies as necessary.

Documentation and Communication

Proper documentation of the risk management process is crucial for maintaining transparency and accountability within the organization. It involves documenting risk assessment findings, risk treatment plans, and any decisions made regarding risk management. Effective communication of risks and risk management strategies is also essential to ensure that stakeholders are aware of potential threats and their respective roles in mitigating those risks.

Compliance and Governance

Organizations must ensure that their risk management practices comply with relevant laws, regulations, and industry standards governing information security. This involves establishing robust governance frameworks and incorporating risk management into the organization's overall governance structure.

Training and Awareness

Employees are often the weakest link in an organization's security posture. Therefore, providing regular training and awareness programs on information security best practices and the importance of risk management is crucial in mitigating human-related risks.
Identifying and Assessing Risk

Identifying and assessing risk is a fundamental step in the risk management process, particularly in information security. Here's a detailed breakdown of how organizations typically approach these aspects:

Identifying Risks

• Asset Inventory
• Threat Identification
• Vulnerability Assessment

Asset Inventory

Begin by identifying all the assets within the organization that need protection. This includes physical assets like servers and computers, as well as intangible assets like data and intellectual property.

Threat Identification

Identify potential threats that could exploit vulnerabilities in the organization's assets. These threats could be external (e.g., hackers, malware) or internal (e.g., disgruntled employees, accidental data breaches).

Vulnerability Assessment

Assess the vulnerabilities or weaknesses in the organization's systems, processes, and controls that could be exploited by threats. This includes vulnerabilities in software, hardware, network configurations, and human factors.

Assessing Risk

Risk is assessed in four steps:

• Risk Analysis
• Risk Prioritization
• Risk Evaluation
• Risk Acceptance

Risk Analysis

Analyze the likelihood and potential impact of identified risks. This involves evaluating the probability of a threat exploiting a vulnerability and the potential consequences if it were to occur. Risk analysis can be qualitative (e.g., low, medium, high) or quantitative (e.g., using mathematical models and metrics).

Risk Prioritization

Prioritize risks based on their significance and potential impact on the organization. Risks with high likelihood and high impact should be given higher priority for mitigation.

Risk Evaluation

Evaluate the organization's current controls and mitigation measures in place to address identified risks. Determine whether these controls are adequate and effective in mitigating the risks to an acceptable level.

Risk Acceptance

Some risks may be deemed acceptable if their likelihood and potential impact are low, and the cost of mitigation outweighs the potential loss. However, this decision should be made consciously and documented.

Techniques and Tools for Risk Identification and Assessment

Risk Registers

Maintain a risk register or database to document identified risks along with their attributes such as likelihood, impact, and mitigation measures.

Risk Assessment Methods

Use various risk assessment methods such as qualitative risk assessment (e.g., risk matrices, risk scoring), quantitative risk assessment (e.g., Monte Carlo simulation, financial impact analysis), and semi-quantitative methods.

Threat Modeling

Employ threat modeling techniques to systematically identify and analyze potential threats to specific assets or systems. This helps in understanding attack vectors and prioritizing security controls.

Continuous Monitoring and Review

• Risk identification and assessment are not one-time activities. They should be performed periodically or in response to significant changes in the organization's environment (e.g., new technology deployments, regulatory changes, security incidents).
• Continuous monitoring helps in identifying emerging risks and ensuring that existing risk mitigation measures remain effective over time.
Assessing and Controlling Risk

Assessing and controlling risk is a critical aspect of managing information security effectively. Once risks have been identified and assessed, organizations need to implement strategies to mitigate, transfer, or accept these risks based on their severity and potential impact. Here's how organizations typically assess and control risk in the context of information security:

Risk Assessment

Three types of risk assessment are as follows:

• Quantitative Analysis
• Qualitative Analysis
• Threat Modeling

Quantitative Analysis

Involves assigning numerical values to the likelihood and impact of identified risks. This can be done using various mathematical models and metrics to calculate the potential financial impact of a security breach.

Qualitative Analysis

Involves assessing risks based on subjective criteria such as likelihood, impact, and severity. This method often uses risk matrices or risk scoring systems to prioritize risks based on predefined criteria.
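The following worked example ties together the risk register, risk matrix, risk scoring and Monte Carlo simulation named under "Risk Assessment Methods" and the qualitative and quantitative analysis described just above. It is an added illustration, not material from the slides: the register entries, the 5x5 scales, the high/medium/low band thresholds, the money figures and the annualised loss expectancy formula (SLE x ARO, a standard quantitative formula the slides do not spell out) are all assumptions of this example.

```python
"""Worked risk-register example: qualitative 5x5 matrix scoring, quantitative
annualised loss expectancy, prioritisation, and a Monte Carlo cross-check.
Added illustration; the register entries, scales, band thresholds and money
figures are constructed for the example, not taken from any real assessment."""
import random
from dataclasses import dataclass, field

# Five-point qualitative scales, as used on a typical 5x5 risk matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    asset: str
    threat: str
    likelihood: str                  # key of LIKELIHOOD (qualitative)
    impact: str                      # key of IMPACT (qualitative)
    sle: float = 0.0                 # single loss expectancy, money per occurrence (quantitative)
    aro: float = 0.0                 # annualised rate of occurrence (quantitative)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Matrix score = likelihood x impact, range 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Colour band on the matrix; the thresholds are an assumption of this example."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO (the standard quantitative formula)."""
        return self.sle * self.aro


def prioritise(register):
    """Highest matrix score first; ties broken by ALE so quantified losses rank higher."""
    return sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)


def treatment_advice(risk: Risk, annual_control_cost: float) -> str:
    """Cost/benefit test for the reduce-vs-accept decision: a control that costs
    more per year than the loss it removes is a candidate for documented acceptance.
    High-rated risks are always treated, whatever the arithmetic says."""
    if risk.rating() == "high":
        return "reduce"
    return "reduce" if annual_control_cost < risk.ale() else "accept"


def simulate_annual_loss(prob, loss_low, loss_high, years=20000, seed=1):
    """Monte Carlo estimate of expected annual loss: each simulated year the event
    occurs with probability `prob` and costs a uniform amount in [loss_low, loss_high].
    Converges to SLE x ARO, which is how the simulation validates the point estimate."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        if rng.random() < prob:
            total += rng.uniform(loss_low, loss_high)
    return total / years


# Constructed register entries (illustrative values only).
REGISTER = [
    Risk("R1", "customer database", "web application compromise", "possible", "severe",
         sle=100_000, aro=0.1, controls=["input validation", "web application firewall"]),
    Risk("R2", "staff laptops", "theft of unencrypted device", "likely", "moderate",
         sle=5_000, aro=2.0, controls=["full-disk encryption"]),
    Risk("R3", "office printer", "paper-jam outage", "almost certain", "negligible",
         sle=50, aro=12),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name} score={r.score():2} {r.rating():6} ALE={r.ale():>9,.0f} "
              f"advice={treatment_advice(r, 8_000)}")
    print("Monte Carlo ALE for R1:", round(simulate_annual_loss(0.1, 50_000, 150_000)))
```

Note how the two views disagree in a useful way: R1 and R2 have the same ALE (10,000 per year), but the matrix ranks R1 higher because a severe single event is treated differently from many moderate ones, which is exactly the judgement a purely quantitative figure hides.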

Threat Modeling

A systematic approach to identifying and analyzing potential threats to a system or application. Threat modeling helps in understanding attack vectors and designing appropriate security controls.

Risk Controls

Four types of risk controls are as follows:

• Preventive Controls
• Detective Controls
• Corrective Controls
• Compensating Controls

Preventive Controls

Aimed at preventing security incidents from occurring. These controls include measures such as access controls, encryption, firewalls, intrusion detection systems, and security awareness training.

Detective Controls

Focus on detecting security incidents that have occurred. Examples include security monitoring, log analysis, intrusion detection systems, and security incident response procedures.

Corrective Controls

Aimed at responding to and mitigating the impact of security incidents. These controls include incident response plans, data backup and recovery procedures, and system restoration processes.

Compensating Controls

Implemented to provide an alternative or additional layer of security when primary controls are not feasible or effective. Compensating controls are often used to address specific risks that cannot be fully mitigated by other controls.

Risk Treatment Strategies

Four risk treatment strategies are as follows:

• Risk Avoidance
• Risk Reduction
• Risk Transfer
• Risk Acceptance

Risk Avoidance

Involves avoiding activities or situations that could potentially lead to security risks. For example, avoiding the use of certain technologies or discontinuing high-risk business activities.

Risk Transfer

Involves transferring the financial impact of a risk to a third party, typically through insurance or contractual agreements.

Risk Reduction

Involves implementing measures to reduce the likelihood or impact of identified risks. This may include implementing security controls, conducting security training and awareness programs, and regularly updating software and systems.

Risk Acceptance

Involves acknowledging the existence of a risk and accepting the potential consequences without implementing additional risk mitigation measures. This approach is typically taken for risks with low likelihood and impact or when the cost of mitigation outweighs the potential loss.

Monitoring and Review

• Once risk controls are implemented, organizations need to continuously monitor and review their effectiveness. This includes regular security assessments, vulnerability scanning, penetration testing, and security incident response exercises.
• Monitoring helps in identifying emerging risks, detecting security incidents, and ensuring that controls remain effective over time.

By assessing risks and implementing appropriate controls and treatment strategies, organizations can effectively manage information security risks and reduce the likelihood and impact of security incidents. However, it's essential to continuously monitor and review the effectiveness of these measures to adapt to evolving threats and vulnerabilities.
Systems: Access Control Mechanisms

Access control mechanisms play a critical role in risk management by ensuring that only authorized individuals or systems can access resources, thereby reducing the likelihood of unauthorized access, data breaches, and other security incidents. These mechanisms help organizations enforce security policies and mitigate various risks associated with unauthorized access. Here are some common access control mechanisms used in risk management:

Authentication

Authentication is the process of verifying the identity of users or systems attempting to access resources. This can be achieved through various methods such as passwords, biometrics (fingerprint, iris, etc.), security tokens, smart cards, or multi-factor authentication (MFA), which combines two or more authentication factors for added security.

Authorization

Authorization determines what actions an authenticated user or system is permitted to perform on a resource. Access control lists (ACLs), role-based access control (RBAC), and attribute-based access control (ABAC) are common authorization mechanisms used to define and enforce access rights based on user roles, attributes, or specific conditions.

Encryption

Encryption is the process of encoding data in a way that only authorized parties can access it. By encrypting sensitive data at rest (stored data) and in transit (data being transmitted over a network), organizations can mitigate the risk of unauthorized access even if the data is compromised.

Access Control Lists (ACLs)

ACLs are lists of permissions attached to an object that specify which users or systems are granted access rights to that object and what operations they can perform. ACLs are commonly used in file systems, network devices, and databases to control access at a granular level.

Firewalls and Network Segmentation

Firewalls are security devices or software that monitor and control incoming and outgoing network traffic based on predetermined security rules. Network segmentation involves dividing a network into smaller, isolated segments to restrict unauthorized access and limit the potential impact of security breaches.

Intrusion Detection and Prevention Systems (IDPS)

IDPS monitor network traffic for signs of malicious activity or policy violations and can automatically take action to block or mitigate threats. They help detect and prevent unauthorized access attempts, data breaches, and other security incidents in real time.

Identity and Access Management (IAM)

IAM systems centralize the management of user identities, credentials, and access rights across an organization's IT infrastructure. IAM solutions help streamline access control processes, enforce security policies, and ensure compliance with regulatory requirements.

Physical Access Controls

Physical access controls include measures such as locks, access cards, biometric scanners, and surveillance systems to regulate access to physical facilities, equipment, and resources. These controls help prevent unauthorized individuals from physically accessing sensitive areas or assets.

By implementing and effectively managing these access control mechanisms, organizations can reduce the likelihood and impact of security breaches, data leaks, and other risks associated with unauthorized access to resources. Additionally, regular monitoring, updates, and audits are essential to ensure the ongoing effectiveness of access controls in mitigating risks.
Information Flow

Information flow in risk management refers to the process of collecting, analyzing, communicating, and acting upon information related to potential risks faced by an organization. Effective information flow is crucial for identifying, assessing, and mitigating risks in a timely manner. Here's how information flows within the context of risk management:

Data Collection

The first step in managing risks is to collect relevant data from various sources within the organization and from external sources such as industry reports, regulatory bodies, and threat intelligence feeds. This data may include information about assets, vulnerabilities, threats, controls, incidents, and business processes.

Risk Identification

Once data is collected, it is analyzed to identify potential risks that could impact the organization's objectives. This involves systematically assessing the likelihood and potential impact of various threats and vulnerabilities on the organization's assets, operations, and goals.

Risk Assessment

Risk assessment involves evaluating the identified risks based on their severity, likelihood, and potential impact. This may include using risk assessment methodologies such as qualitative risk analysis, quantitative risk analysis, or a combination of both to prioritize risks and determine the appropriate level of response.

Risk Treatment

After assessing risks, organizations develop and implement risk treatment plans to mitigate, transfer, accept, or avoid the identified risks. This involves implementing controls and measures to reduce the likelihood and impact of risks to an acceptable level while considering cost, resources, and other constraints.

Monitoring and Review

Risk management is an ongoing process, and organizations need to continuously monitor and review the effectiveness of their risk management efforts. This includes monitoring changes in the risk landscape, assessing the effectiveness of implemented controls, and updating risk management strategies as needed.

Communication

Effective communication is essential for ensuring that relevant stakeholders are informed about the organization's risk management activities. This includes communicating risk assessment findings, risk treatment plans, and other relevant information to decision-makers, employees, partners, regulators, and other stakeholders.

Reporting

Organizations need to report on their risk management activities to internal and external stakeholders, including management, the board of directors, regulatory authorities, and shareholders. This includes providing regular updates on the organization's risk profile, risk treatment progress, and any significant changes in the risk landscape.

Learning and Improvement

Lastly, organizations should foster a culture of continuous learning and improvement by capturing lessons learned from past risk management activities and using them to enhance future risk management efforts. This includes analyzing past incidents and near misses, identifying root causes, and implementing corrective actions to prevent recurrence.
Confinement Problem

The "confinement problem" in information security refers to the challenge of ensuring that a program or process can only access resources and perform operations that it is authorized to perform, while preventing it from accessing unauthorized resources or performing unauthorized operations. This problem is particularly relevant in multi-user or multi-process environments, such as operating systems and networked systems, where multiple entities with different levels of privilege interact.

The confinement problem is critical in ensuring the security and integrity of systems and data. Failure to adequately confine processes can lead to various security vulnerabilities, including unauthorized access to sensitive information, data leakage, privilege escalation, and exploitation of system vulnerabilities by malicious actors.

There are several approaches to addressing the confinement problem in information security:

Access Control Mechanisms

Access control mechanisms, such as access control lists (ACLs), role-based access control (RBAC), and mandatory access control (MAC), are used to enforce policies that specify which users or processes are authorized to access specific resources and perform certain operations. These mechanisms help restrict access based on user identities, roles, or other attributes.
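The example below puts the authorization models from the "Authorization" and "Access Control Lists" slides and the access control approach to confinement described just above side by side, so the same request (a user, an object, an operation) can be evaluated under an ACL, RBAC, ABAC and MAC. It is an added example, not code from the slides: the users, roles, labels and policy rules are constructed, every model denies by default, and the MAC rules follow the Bell-LaPadula model (read down, write up), which the slides refer to only as MAC.

```python
"""Four authorization models applied to the same request: an object ACL,
role-based (RBAC), attribute-based (ABAC) and mandatory (MAC) access control,
each deny-by-default. Added example; users, roles, labels and the policy
rules are constructed, and the MAC rules follow the Bell-LaPadula model
(read down, write up), which the slides mention only as MAC."""
from dataclasses import dataclass, field

LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # MAC label lattice


@dataclass
class Resource:
    name: str
    classification: str                       # MAC label, set by policy, not by the owner
    department: str                           # attribute consulted by the ABAC policy
    acl: dict = field(default_factory=dict)   # principal -> set of permitted operations


@dataclass
class User:
    name: str
    roles: set
    department: str
    clearance: int                            # 0..3, compared against LEVEL


# ---- ACL: permissions live on the object -----------------------------------------
def acl_allows(user: User, res: Resource, op: str) -> bool:
    return op in res.acl.get(user.name, set())


# ---- RBAC: permissions live on roles; users are assigned roles -------------------
ROLE_PERMS = {
    "analyst": {"read"},
    "dba": {"read", "write"},
    "auditor": {"read", "audit"},
}

def rbac_allows(user: User, res: Resource, op: str) -> bool:
    granted = set().union(*(ROLE_PERMS.get(r, set()) for r in user.roles))
    return op in granted


# ---- ABAC: a rule set over subject, object and context attributes ----------------
def abac_allows(user: User, res: Resource, op: str, ctx: dict) -> bool:
    """Every rule must hold; a missing context attribute fails closed."""
    rules = [
        user.department == res.department,                     # same department only
        op != "write" or ctx.get("network") == "corp",         # writes only from the corporate network
        8 <= ctx.get("hour", -1) < 18,                         # business hours only
    ]
    return all(rules)


# ---- MAC: fixed labels, Bell-LaPadula simple-security and *-property -------------
def mac_allows(user: User, res: Resource, op: str) -> bool:
    obj = LEVEL[res.classification]
    if op == "read":
        return user.clearance >= obj          # no read-up
    if op == "write":
        return user.clearance <= obj          # no write-down: data cannot flow to a lower label
    return False


MODELS = {"acl": acl_allows, "rbac": rbac_allows, "abac": abac_allows, "mac": mac_allows}

def authorize(user: User, res: Resource, op: str, ctx: dict, models=("rbac", "mac")) -> bool:
    """Defence in depth: the request passes only if every selected model permits it.
    An unknown model name raises KeyError rather than silently allowing."""
    for name in models:
        check = MODELS[name]
        ok = check(user, res, op, ctx) if name == "abac" else check(user, res, op)
        if not ok:
            return False
    return True


# Constructed sample data.
DB = Resource("customer-db", "confidential", "engineering",
              acl={"alice": {"read"}, "bob": {"read", "write"}})
ALICE = User("alice", {"analyst"}, "marketing", clearance=2)
BOB = User("bob", {"dba"}, "engineering", clearance=1)
CAROL = User("carol", {"auditor"}, "engineering", clearance=3)
OFFICE = {"network": "corp", "hour": 10}
HOME_NIGHT = {"network": "home", "hour": 23}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        for op in ("read", "write"):
            verdicts = {m: authorize(u, DB, op, OFFICE, (m,)) for m in MODELS}
            print(u.name, op, verdicts)
```

Running it shows why the confinement discussion singles out MAC: carol, who has the highest clearance and the auditor role, is still refused a write to the confidential database, because under a label policy writing down would let confidential data flow to a place her clearance does not protect, and no owner-set ACL entry can override that.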

Privilege Separation

Privilege separation involves dividing system components or processes into separate entities with different levels of privilege. By running processes with minimal privileges necessary to perform their tasks, privilege separation reduces the potential impact of security breaches and limits the ability of attackers to exploit vulnerabilities.

Sandboxing

Sandboxing involves isolating untrusted or potentially malicious processes in a restricted environment, known as a sandbox, where they can be safely executed without posing a risk to the rest of the system. Sandboxing techniques include containerization, virtualization, and application sandboxing, which restrict the resources and system calls available to sandboxed processes.

Code and Data Validation

Validating code and data inputs can help prevent unauthorized access and exploitation of vulnerabilities. Techniques such as input validation, data sanitization, and code signing can help ensure that only trusted and properly formatted data and code are processed, reducing the risk of security breaches.
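The following added example (not from the slides) shows input validation and data sanitization in the confinement sense: allow-list validators that state what a field may contain, a path check that keeps file access inside one designated directory, and a sanitizer for text that will be written to logs. The field rules, the base directory and the sample inputs are assumptions of the example; code signing is not shown.

```python
"""Input validation and path confinement: allow-list checks for untrusted
fields and a guard that keeps file access inside a designated directory.
Added example; rules, base directory and sample inputs are constructed."""
import re
from pathlib import Path

# Allow-lists say what IS acceptable, instead of trying to enumerate bad input.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
PORT_RANGE = range(1, 65536)
BASE_DIR = "/srv/uploads"            # assumed confinement root for user-supplied paths


class ValidationError(ValueError):
    """Raised for any input that fails a check; callers reject, never repair."""


def validate_username(raw) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username: 3-32 chars, lowercase letter then [a-z0-9_]")
    return raw


def validate_port(raw) -> int:
    try:
        port = int(str(raw).strip(), 10)     # explicit base 10: rejects '0x50', '0o17', ...
    except ValueError:
        raise ValidationError("port must be a decimal integer") from None
    if port not in PORT_RANGE:
        raise ValidationError("port out of range 1-65535")
    return port


def confine_path(base_dir: str, user_supplied: str) -> Path:
    """Resolve the requested path and refuse anything that lands outside base_dir
    (../ sequences, absolute paths, symlinks that point elsewhere)."""
    base = Path(base_dir).resolve()
    target = (base / user_supplied).resolve()
    if target != base and base not in target.parents:
        raise ValidationError(f"path escapes the confined directory: {user_supplied!r}")
    return target


def sanitize_for_log(raw: str, limit: int = 200) -> str:
    """Neutralise control characters (fake log lines, terminal escapes) and cap length."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in raw)
    return cleaned[:limit]


def check(validator, value) -> bool:
    """True if `value` passes `validator`, False if it raises ValidationError."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    for candidate in ("alice_01", "Alice", "../admin"):
        print(candidate, check(validate_username, candidate))
    for candidate in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(candidate, check(lambda p: confine_path(BASE_DIR, p), candidate))
    print(sanitize_for_log("user\x1b[31mroot\n logged in"))
```

The two halves complement each other: validators reject a value outright, while `sanitize_for_log` is for data you must record even when it is hostile, so it neutralises rather than refuses.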

Secure Development Practices

Incorporating secure development practices, such as secure coding guidelines, code reviews, and vulnerability assessments, can help mitigate the risk of security vulnerabilities that could be exploited to bypass confinement mechanisms. By designing and implementing secure software, developers can reduce the likelihood of unauthorized access and privilege escalation.

Monitoring and Auditing

Monitoring and auditing systems can help detect and mitigate security breaches by monitoring system activity, logging relevant events, and alerting administrators to suspicious behavior. By analyzing logs and audit trails, organizations can identify unauthorized access attempts and take appropriate action to address security incidents.
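To make the log-analysis step concrete, the added example below (not from the slides) reviews authentication events and raises two alerts: a source that fails repeatedly inside a time window, and a login from that source that succeeds while the burst is still recent, which is the case an administrator most wants to see first. The log lines are constructed in an SSH-like format, and the threshold and window are assumptions.

```python
"""Audit-trail review over constructed SSH-style authentication events: flags a
source that fails repeatedly inside a time window, and a successful login that
follows such a burst. Added example; the log lines are constructed, not captured
from a real host, and the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_event(line: str):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review(lines, threshold=5, window=timedelta(minutes=10)):
    """Single pass, oldest line first. One alert per source when its failure count
    inside `window` reaches `threshold`, and another if a login from that source
    succeeds while the burst is still inside the window."""
    recent_failures = defaultdict(list)      # src -> timestamps of failures still in the window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                          # unrelated or malformed line: skip, never crash the review
        src, ts = ev["src"], ev["ts"]
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= window]
        if ev["outcome"] == "Failed":
            recent_failures[src].append(ts)
            if len(recent_failures[src]) == threshold:     # fire once, when the threshold is crossed
                alerts.append({"rule": "repeated_failures", "src": src, "user": ev["user"], "ts": ts})
        elif len(recent_failures[src]) >= threshold:
            alerts.append({"rule": "success_after_failures", "src": src, "user": ev["user"], "ts": ts})
    return alerts


# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122
2024-03-01T09:01:10 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 41000
2024-03-01T09:01:12 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41001
2024-03-01T09:01:14 sshd[1204]: Failed password for root from 203.0.113.7 port 41002
2024-03-01T09:01:16 sshd[1205]: Failed password for root from 203.0.113.7 port 41003
2024-03-01T09:01:18 sshd[1206]: Failed password for bob from 203.0.113.7 port 41004
2024-03-01T09:01:25 sshd[1207]: Accepted password for bob from 203.0.113.7 port 41005
2024-03-01T09:30:00 sshd[1208]: Failed password for alice from 10.0.0.5 port 50130
2024-03-01T09:30:05 sshd[1209]: Accepted password for alice from 10.0.0.5 port 50131
""".splitlines()

if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f'{a["ts"]:%H:%M:%S} {a["rule"]:24} src={a["src"]} user={a["user"]}')
```

Alice's single typo followed by a successful login produces nothing, which is the point of the window and threshold: the review should surface the pattern, not every failed password.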

Addressing the confinement problem requires a multi-faceted approach that combines technical controls, secure development practices, and ongoing monitoring and auditing to ensure that systems and data are adequately protected from unauthorized access and misuse.

Confinement Problem in Risk Analysis
