Risk Assessment Frameworks - PowerPoint PPT Presentation


Risk Assessment Frameworks


Risk Assessment Frameworks Rodney Petersen Government Relations Officer Security Task Force Coordinator EDUCAUSE Overview Definition(s) of Risk Management & Risk ... – PowerPoint PPT presentation

Slides: 24
Provided by: rpe60



Risk Assessment Frameworks
  • Rodney Petersen
  • Government Relations Officer
  • Security Task Force Coordinator

Overview
  • Definition(s) of Risk Management & Risk
  • Impact(s) of Risk
  • Enterprise Risk Management
  • ERM Frameworks
  • DHS Risk Management Framework
  • NIST Risk Assessment Framework
  • STF Risk Assessment Framework

Definition of Risk Management
  • Risk management is a scientific approach to
    dealing with pure risks by anticipating possible
    accidental losses and designing and implementing
    procedures that minimize the occurrence of loss
    or the financial impact of the losses that do
    occur. (Fundamentals of Risk and Insurance,
    Vaughan and Vaughan)
  • Meaning: Risk as uncertainty concerning the
    occurrence of a loss.

Risk Equation
  • Risk = Vulnerability x Threat x Impact
  • Vulnerability: An error or a weakness in the
    design, implementation, or operation of a system.
  • Threat: An adversary that is motivated to
    exploit a system vulnerability and is capable of
    doing so.
  • Impact: the likelihood that a vulnerability will
    be exploited or that a threat may become harmful.
  • Probability: likelihood already factored into

Types of Risk
  • Strategic: Goals of the Organization
  • Operational: Processes that Achieve Goals
  • Financial: Safeguarding Assets
  • Compliance: Laws and Regulations
  • Reputational: Public Image

Responses to Risk
  • Severity (rows) against Frequency (columns):

                      Frequency: Low    Frequency: High
    Severity: High    Transfer          Avoid
    Severity: Low     Accept            Accept/Transfer

Enterprise Risk Management (ERM)
  • A process, effected by an entity's board of
    directors, management and other personnel,
    applied in strategy setting and across the
    enterprise, designed to identify potential events
    that may affect the entity, and manage risks to
    be within its risk appetite, to provide
    reasonable assurance regarding the achievement of
    entity objectives. (COSO)
  • A rigorous approach to assessing and addressing
    the risks from all sources that threaten the
    achievement of an organization's strategic
    objectives. In addition, ERM identifies those
    risks that represent corresponding opportunities
    to exploit for competitive advantage.
    (Tillinghast-Towers Perrin consultancy group)
  • Any issue that impacts an organization's ability
    to meet its objectives. (Developing A Strategy to
    Manage Enterprisewide Risk in Higher Education,

ERM Frameworks
  • COSO's ERM Integrated Framework
  • Australia/New Zealand Standard Risk Management
  • ISO Risk Management - Draft Standard
  • The Combined Code and Turnbull Guidance
  • A Risk Management Standard by the Federation of
    European Risk Management Associations (FERMA)

COSO Integrated Control Framework
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO)

COSO's ERM Integrated Framework
  • Entity objectives can be viewed in the
    context of four categories:
    • Strategic
    • Operations
    • Reporting
    • Compliance
  • ERM considers activities at all levels of the
    • Enterprise-level
    • Division or subsidiary
    • Business unit processes

Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
Australia/New Zealand Standard (AS/NZS
4360:2004) Risk Management
ISO Risk Management - Draft Standard
The Combined Code and Turnbull Guidance
  • Risk assessment
  • Does the company have clear objectives and have
    they been communicated so as to provide effective
    direction to employees on risk assessment and
    control issues? For example, do objectives and
    related plans include measurable performance
    targets and indicators?
  • Are the significant internal and external
    operational, financial, compliance and other
    risks identified and assessed on an ongoing
    basis? These are likely to include the principal
    risks identified in the Operating and Financial
  • Is there a clear understanding by management and
    others within the company of what risks are
    acceptable to the board?

A Risk Management Standard by the Federation of
European Risk Management Associations (FERMA)
Risk Management Framework for Critical
Infrastructure Protection
  • National Infrastructure Protection Plan, 2006

NIST Risk Management Framework
  • SP 800-37 / SP 800-53A
  • MONITOR Security Controls:
    Continuously track changes to the information
    system that may affect security controls and
    reassess control effectiveness

Risk Assessment Framework - Security Task Force
  • Purpose of Framework: to provide a high-level
    overview on the subject of conducting a risk
    assessment of information systems within higher
  • Points to Consider:
    • Risk Assessment (RA) is an ongoing process
    • RA requires strong commitment from senior
      administration and collaboration between
      cross-functional units
    • RA is part of strategic and continuity planning
    • RA requires planning and strategy that
      systematically increases the scope
    • RA needs to become a part of the culture of the
      university community
    • Effective Risk Management (RM) practices require
      a "risk aware" culture
    • Effective RM can provide the basis for
      prioritizing and resolving possible funding
    • Policy supporting ongoing risk assessment should
      be developed

Phases of Risk Assessment
  • Phase 0: Establish Risk Assessment Criteria for
    the Identification and Prioritization of Critical
    Assets (a one-time process)
  • Phase 1: Develop Initial Security Strategies
  • Phase 2: Technological View - Identify
    Infrastructure Vulnerabilities
  • Phase 3: Risk Analysis - Develop Security
    Strategy and Plans

Phase 0: Establish Risk Assessment Criteria
  • Goal: to quickly establish the overall criteria
    for the identification of critical data assets
    and their appropriate priority level and to
    obtain senior management's perspective on issues
    of strategic importance.
  • Process 1: Establish Risk Assessment Criteria
  • Process 2: Apply the Critical Asset Criteria to
    Classify Data Collections and Related Resources

Phase 1: Develop Initial Security Strategies
  • Goal: Once the information assets have been
    classified, strategic planning for the rest of
    the risk management process can begin.
    Vulnerabilities can be identified, and the
    process of mitigating the threats that can
    exploit those vulnerabilities can begin. An
    institution can decide to specifically focus on
    the very highest risks, or it may decide to focus
    first on mitigating risks broadly (or both). The
    mere process of bringing management together to
    discuss the organization's strategy about risk
    mitigation can be extremely fruitful.
  • Process 1: Strategic Perspective - Senior
  • Process 2: Operational Perspective - Departmental
  • Process 3: Practice Perspective - Staff
  • Process 4: Consolidated View of Security

Phase 2: Identify Infrastructure Vulnerabilities
  • Goal: To identify areas of potential exposure
    associated with the systems architecture.
  • Process 1: Evaluation of Key Technology
  • Process 2: Evaluation of Selected Technology

Phase 3: Develop Security Strategy and Plans
  • Goal: After identifying key information systems
    resources and evaluating the degree of
    vulnerability with the systems, quantitatively
    determine the level of risk associated with each
    system and system component. This information may
    then be used to prioritize the allocation of
    resources to ensure appropriate mitigation of the
    highest risks and to make appropriate management
    decisions about the degree of risk that the
    organization will be willing to accept.
  • Process 1: Risk Assessment Steps
    1. Assess the potential impact of threats (and
       vulnerabilities) to critical assets (qualitative
       and/or quantitative)
    2. Evaluate the likelihood of occurrence of the
       threats (high, medium, low)
    3. Create a consolidated analysis of risks,
       based on the impact value to critical assets and
       the likelihood of occurrence
  • Process 2: Protection Strategy and Mitigation
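A small worked version of the three Phase 3 risk assessment steps combined with the Severity x Frequency response matrix from the "Responses to Risk" slide, added here as an example and not taken from the presentation. The asset register is constructed, impact is rated on the same high/medium/low scale the slides use for likelihood, and "medium" is placed on the high side of the two-by-two matrix; all three are assumptions.

```python
from dataclasses import dataclass

# Three-level qualitative scale: the slides rate likelihood high/medium/low,
# and this example (an assumption) rates impact on the same scale so that
# the consolidated risk value is simply impact x likelihood (1..9).
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class AssetRisk:
    asset: str       # critical asset classified in Phase 0
    threat: str      # threat/vulnerability pair identified in Phase 2
    impact: str      # step 1: potential impact to the asset
    likelihood: str  # step 2: likelihood of occurrence

    def score(self) -> int:
        """Step 3: consolidated risk value for this asset/threat pair."""
        return SCALE[self.impact] * SCALE[self.likelihood]

def response(severity: str, frequency: str) -> str:
    """Look up the Severity x Frequency response matrix from the slides.
    The matrix is two-by-two, so 'medium' is placed on the high side
    (an assumption; the more cautious reading)."""
    sev_high = SCALE[severity] >= SCALE["medium"]
    freq_high = SCALE[frequency] >= SCALE["medium"]
    if sev_high:
        return "Avoid" if freq_high else "Transfer"
    return "Accept/Transfer" if freq_high else "Accept"

def consolidated_analysis(register):
    """Rank the register highest risk first, with the matrix response
    attached so Process 2 (protection strategy) can start from the top."""
    rows = [(r.score(), r.asset, r.threat, response(r.impact, r.likelihood))
            for r in register]
    return sorted(rows, key=lambda row: row[0], reverse=True)

def sample_register():
    """Constructed sample data for a fictional campus; not from the slides."""
    return [
        AssetRisk("student records database", "unpatched web portal", "high", "medium"),
        AssetRisk("public website", "defacement", "low", "high"),
        AssetRisk("research file share", "ransomware", "high", "low"),
        AssetRisk("lab printer queue", "service outage", "low", "low"),
    ]

if __name__ == "__main__":
    for score, asset, threat, action in consolidated_analysis(sample_register()):
        print(f"{score}  {asset:<26} {threat:<22} -> {action}")
```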

  • It is important to note that this is a process
    that has no finish line. While a risk assessment
    - the process of identifying and quantifying
    risks - might take place on an infrequent basis
    (e.g., annually), the risk management process -
    the ongoing process of mitigating the risks to
    the organization - should be ingrained into the
    institution's culture to be most effective.