Risk assessment steps
Risk assessment: determine likelihood and impact
Information security concerns
Confidentiality
Integrity
Availability
CIA: Confidentiality
Preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
CIA: Integrity
Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity
CIA: Availability
Ensuring timely and reliable access to and use of information
Beyond CIA: Auditability
Ensuring that evidence of all crucial transactions is stored reliably for auditing purposes
Risk assessment (Refsdal)
Step 1: Context establishment
Step 2: Risk identification
Step 3: Risk analysis
Step 4: Evaluation
Step 5: Risk treatment
Information Security as a process: Being in control
Plan, Do, Check, Act (PDCA cycle)
Security controls
Access control
Resilience
Ability of assets, networks and systems to anticipate, absorb, adapt to (i.e. respond) and/or recover from a disruptive event or circumstance
Systemic risk
is the risk of having not just statistically independent failures, but interdependent, so-called ‘cascading’ failures in a network of N interconnected system components (Helbing 2013; p 51)
Helbing writes
To cope with hyper-risks, it is necessary to develop risk competence and to prepare and exercise contingency plans for all sorts of possible failure cascades. […]. The aim is to attain a resilient (‘forgiving’) system design and operation. (Helbing p 55)
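The difference between statistically independent failures and cascading failures can be made concrete with a small dependency model. The following is an added example written for this page; it is not code from Helbing or from the slides, and the five-component dependency graph (power, dns, auth, api, web) is constructed purely for illustration. It propagates failures along "depends on" edges and then compares the exact probability of a total outage under cascading with the probability one would compute if the components failed independently.

```python
"""Cascading-failure toy model (added example, not from the source)."""
from collections import deque
import itertools

# Constructed dependency graph: an edge a -> b means "b depends on a",
# so when a fails, b fails too. Entirely hypothetical infrastructure.
DEPENDENCIES = {
    "power": ["dns", "auth"],
    "dns": ["web", "api"],
    "auth": ["api"],
    "api": ["web"],
    "web": [],
}


def cascade(graph, initial_failures):
    """Return the set of all components that have failed once the
    cascade triggered by `initial_failures` has run to completion."""
    failed = set(initial_failures)
    queue = deque(initial_failures)
    while queue:
        node = queue.popleft()
        for dependent in graph.get(node, []):
            if dependent not in failed:
                failed.add(dependent)
                queue.append(dependent)
    return failed


def p_total_outage(graph, p_fail):
    """Exact probability that every component ends up failed when each
    component fails on its own with probability p_fail and failures
    then cascade along the graph. Enumerates all 2^N initial patterns,
    which is fine for a handful of components."""
    nodes = list(graph)
    total = 0.0
    for pattern in itertools.product([0, 1], repeat=len(nodes)):
        prob = 1.0
        initial = []
        for node, bit in zip(nodes, pattern):
            prob *= p_fail if bit else (1.0 - p_fail)
            if bit:
                initial.append(node)
        if len(cascade(graph, initial)) == len(nodes):
            total += prob
    return total


def p_total_outage_independent(n_components, p_fail):
    """Probability of total outage if the N failures were statistically
    independent, i.e. no cascading at all."""
    return p_fail ** n_components


if __name__ == "__main__":
    print("power fails ->", sorted(cascade(DEPENDENCIES, ["power"])))
    print("api fails   ->", sorted(cascade(DEPENDENCIES, ["api"])))
    p = 0.1
    print("P(total outage), independent:", p_total_outage_independent(len(DEPENDENCIES), p))
    print("P(total outage), cascading:  ", p_total_outage(DEPENDENCIES, p))
```

With a per-component failure probability of 0.1, the independent model puts a total outage at 0.1^5, while the cascading model puts it at 0.1, because a single failure of the root component takes every dependent down with it. That gap is what makes interdependent failures a different kind of risk from independent ones, and why a risk analysis that scores components in isolation understates it.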