NIPC Risk Management Randy Marchany VA Tech Computing

  • Slides: 8
NIPC: Risk Management Randy Marchany VA Tech Computing Center Copyright 2003, Marchany

Introduction
  • Risk avoidance focuses on preventing loss or damage without reference to the degree of risk.
  • Risk Management is a systematic and analytical process by which an organization identifies, reduces and controls its potential risks and losses.

Introduction
  • Risk is a function of assets, threats and vulnerabilities. Risk is the potential for some unwanted event to occur.
  • Threat is the capability and intention of an adversary to undertake actions that are detrimental to an org’s interests.

Introduction
  • Vulnerability is any weakness in an asset or countermeasures that can be exploited by an adversary to cause damage to an org’s interests.
  • Asset is anything of value
      • People, info, HW, SW, facilities, reputation, activities.

5 step Risk Assessment Model
  • Asset assessment
  • Threat assessment
  • Vulnerability assessment
  • Risk assessment
  • Countermeasure identification

Risk = consequence X threat X vulnerability

Assessment, Threat Examples (asset: threat)
  • Key personnel: Injury, death
  • File Servers: DOS attack
  • Customer data: Disclosure
  • Production facility: Natural disaster
  • Pipeline: Sabotage

Assessment, Vulnerability Examples (asset: vulnerability)
  • Key personnel: No access controls
  • File Servers: Patch mgt
  • Customer data: Unchecked 3rd party
  • Production facility: Physical access
  • Pipeline: No roving guard force
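As an added worked example, not part of the original slides, here is the 5 step model applied to the asset, threat and vulnerability examples above in Python: the register holds the three assessments, risk is computed with the slide's formula, the entries are ranked, and a countermeasure is modelled as a reduced vulnerability rating. All numeric ratings (1 = low, 5 = high) are constructed assumptions, not values from the deck.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AssetRisk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int    # loss if the threat succeeds (constructed 1..5)
    threat_level: int   # adversary capability and intention (constructed 1..5)
    vuln_level: int     # how exploitable the weakness is (constructed 1..5)

    def risk(self) -> int:
        # Risk = consequence X threat X vulnerability (5 step model slide)
        return self.consequence * self.threat_level * self.vuln_level

# Steps 1-3: asset, threat and vulnerability assessment.
# Asset/threat/vulnerability names come from the example slides; ratings are constructed.
REGISTER = [
    AssetRisk("Key personnel", "Injury, death", "No access controls", 5, 2, 3),
    AssetRisk("File Servers", "DOS attack", "Patch mgt", 3, 4, 4),
    AssetRisk("Customer data", "Disclosure", "Unchecked 3rd party", 5, 3, 4),
    AssetRisk("Production facility", "Natural disaster", "Physical access", 4, 2, 2),
    AssetRisk("Pipeline", "Sabotage", "No roving guard force", 5, 2, 4),
]

def rank(register):
    # Step 4: risk assessment, highest risk first so it is worked on first
    return sorted(register, key=lambda r: r.risk(), reverse=True)

def apply_countermeasure(item, new_vuln_level):
    # Step 5: a countermeasure lowers the vulnerability rating only;
    # the threat and the consequence of a successful attack are unchanged.
    return replace(item, vuln_level=new_vuln_level)

def residual_risk(item, new_vuln_level):
    # Risk remaining after the countermeasure is in place
    return apply_countermeasure(item, new_vuln_level).risk()

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.risk():3d}  {r.asset:20s} {r.threat:18s} {r.vulnerability}")
    fs = REGISTER[1]
    print("File Servers after patch management:", residual_risk(fs, 1))
```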

Reference
  • “Risk Management: An Essential Guide to Protecting Critical Assets”, NIPC, 11/2002