信息安全风险评估培训.ppt

Risk Assessment Components By communicating a consistent structure for evaluating the components of risk, digital asset owners and OTG have a common taxonomy to track the progress and contribute to the evaluation process. It is important to note that many stakeholders are required to sufficiently address each component. This is especially true for the more subjective areas of business impact costs, the likelihood of vulnerabilities occurring, and the larger cost/benefit analysis to evaluate new control solutions. Stakeholders can include risk management experts who are involved in calculating risk, security analysts who know specific vulnerabilities and threat probabilities, data owners who know the value of the digital assets under consideration, and security architects and engineers who can identify potential security controls to mitigate risk. Risk assessment for the IPsec project looked like the following: ? Asset: Protecting digital assets in the Highest Value and High Value data classes. ? Threat: Unauthorized access, compromise of data integrity “over the wire,” and information gathering that may lead to an expanded attack. ? Impact: Microsoft suffers lost revenue and reputation from stolen or damaged data and intellectual property. ? Vulnerability: Attacks may occur from network-level threats such as buffer overflow attacks, exploit of unpatched vulnerabilities, and exploit of system misconfiguration. Hackers could also introduce worms that infect unmanaged computers, which in turn could infect managed computers. ? Controls: Antivirus software, screening routers and firewalls, patch management, centrally managed security configurations, and other measures. ? Probability: High. Attacks have occurred and will likely happen again. ? Current Level of risk: There is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class. * * * 制定评估计划 评估计划分年度计划和具体的实施计划，前者通常是评估