Using a standardized matrix makes the risk ranking more repeatable between projects. Data is collated for the identified risks. In Risk Data Quality Assessment, the project manager determines how precise the data to be analyzed must be in order to complete the qualitative analysis of risks. For each risk, the project manager needs to determine:
The step after qualitative risk analysis is Perform Quantitative Risk Analysis, which analyzes the probability and impact of risks numerically. The purpose of quantitative risk analysis is to determine the cost and schedule reserves that could be required if a risk occurs. Some of the techniques for quantitatively determining the probability and impact of a risk include: Expected Monetary Value (EMV), which is a good measure for determining the overall ranking of risks. The formula is:
Monte Carlo analysis simulates the cost or schedule results of the project. Its primary inputs are the network diagram and the estimates for performing the project. It determines the probability of completing the project on any specific day, or for any specific cost, and the probability of any activity actually being on the critical path. A decision tree helps to analyze many alternatives at a single point in time.
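As an added illustration, not part of the original text, of what the Monte Carlo analysis above computes, the following Python simulates a constructed network diagram of four activities with three-point duration estimates and reports the probability of finishing by a given day and each activity's chance of lying on the critical path; the network, the estimates and the function names are all assumptions.

```python
import random

# Constructed sample network (not from the page): activity -> (predecessors, (optimistic, likely, pessimistic) days)
NETWORK = {
    "A": ((), (2, 3, 6)),
    "B": (("A",), (4, 5, 9)),
    "C": (("A",), (3, 6, 8)),
    "D": (("B", "C"), (1, 2, 4)),
}

def topological_order(network):
    """Order activities so every predecessor comes before its successors."""
    order, seen = [], set()
    def visit(act):
        if act not in seen:
            seen.add(act)
            for pred in network[act][0]:
                visit(pred)
            order.append(act)
    for act in network:
        visit(act)
    return order

def simulate(network=NETWORK, iterations=5000, seed=1):
    """Run the schedule many times with durations drawn from each activity's three-point
    estimate; return every project duration and each activity's criticality index."""
    rng = random.Random(seed)
    order = topological_order(network)
    successors = {a: [s for s in network if a in network[s][0]] for a in network}
    totals, critical_hits = [], {a: 0 for a in network}
    for _ in range(iterations):
        dur = {a: rng.triangular(lo, hi, mode) for a, (_, (lo, mode, hi)) in network.items()}
        early_finish = {}
        for a in order:                      # forward pass: earliest finish of each activity
            start = max((early_finish[p] for p in network[a][0]), default=0.0)
            early_finish[a] = start + dur[a]
        total = max(early_finish.values())
        late_finish = {}
        for a in reversed(order):            # backward pass: latest finish without delaying the project
            late_finish[a] = min((late_finish[s] - dur[s] for s in successors[a]), default=total)
        for a in network:                    # zero float means the activity was critical in this run
            if late_finish[a] - early_finish[a] < 1e-6:
                critical_hits[a] += 1
        totals.append(total)
    return totals, {a: hits / iterations for a, hits in critical_hits.items()}

def probability_finish_by(totals, day):
    """Fraction of simulated runs in which the project finished on or before `day`."""
    return sum(t <= day for t in totals) / len(totals)
```

With the constructed estimates, A and D are critical in every run, while B and C compete for the path, which is exactly the per-activity probability the text refers to.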
Decision trees are models of a real situation. A decision tree takes into account future events in making the decision today, and it helps calculate Expected Monetary Value in more complex situations.
Risk assessment has become a standard phrase in health, safety, and environment (HSE) management over the last couple of decades.
Although many people have heard of it, not so many know what it really means. Risk assessment is nothing more than a careful examination of what, in our work, could cause harm to people, so that we can weigh up whether we have taken enough precautions or should do more to prevent harm.
The aim is to make sure that no one gets hurt or becomes ill. It involves identifying the hazards present in any undertaking, whether arising from work activities or from other factors, e.g. Unknown, hidden, undetected or unrelated risks cause more uneasiness. Moreover, employees use their own procedures when not being directed or supervised. We look for unsafe conditions but not for unsafe acts, maybe because of ignorance, arrogance, apathy or complacency.
We need to uncover unsafe practices during our rounds to understand the reasons for them. What we find depends upon what we look for. The main use of quantitative analysis is to understand risk and how best to reduce it, not to prove that something is safe.
Risk cannot be managed or addressed unless it is first identified. Risk assessment is a proactive process, not a reactive one—prepare for risks before they happen. Identify risks and develop appropriate risk-mitigating strategies before things go wrong. It is important for all of us to be aware of the intentions behind risk assessment, but awareness alone is not sufficient. It should also be understood that the severity of a risk cannot be reduced; we can only bring its probability or likelihood down to an acceptable level.
It is the first step towards systematic, successful occupational HSE management. We start off by getting the basics right. The only alternative to risk management is crisis management, and crisis management is more expensive, time consuming, and embarrassing. A risk is something that can become a problem in the future. Risks may turn into problems; we can reduce or avoid future problems by reducing their probabilities or consequences.
Some senior executives may order a penetration analysis without the knowledge of information systems personnel. This can create unwanted results, including the notification of law enforcement personnel and wasted resources spent responding to an apparent attack. To prevent excessive responses to the test activity, bank management may consider informing certain individuals in the organization of the penetration analysis.
The importance of the systems to be tested. Some systems may be too critical to be exposed to some of the methods used by the evaluators such as a critical database that could be damaged during the test. Vulnerability assessments and penetration analyses help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate.
The next step is to monitor the system for intrusions and unusual activities. Intrusion detection systems (IDSs) may be useful because they act as a burglar alarm, reporting potential intrusions to appropriate personnel. By analyzing the information generated by the systems being guarded, IDSs help determine if necessary safeguards are in place and are protecting the system as intended.
In addition, they can be configured to automatically respond to intrusions. Computer system components or applications can generate detailed, lengthy logs or audit trails that system administrators can manually review for unusual events. IDSs automate the review of logs and audit data, which increases the review's overall efficiency by reducing costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent, which is the component that actually collects the information. Second is a manager, which processes the information collected by the agents. Third is a console, which allows authorized information systems personnel to remotely install and upgrade agents, define intrusion detection scenarios across agents, and track intrusions as they occur.
Depending on the complexity of the IDS, there can be multiple agent and manager components. Generally, IDS products use three different methods to detect intrusions. First, they can look for identified attack signatures, which are streams or patterns of data previously identified as an attack. Second, they can look for system misuse, such as unauthorized attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that differ from the user's or system's normal pattern. These "anomaly-based" products, which use artificial intelligence, are designed to detect subtle changes or new attack patterns, and then notify appropriate personnel that an intrusion may be occurring.
Some anomaly-based products are created to update normal use patterns on a regular basis. Poorly designed anomaly-based products can trigger frequent false-positive responses. Although IDSs may be an integral part of an institution's overall system security, they will not protect a system from previously unknown threats or vulnerabilities.
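An added example, not from the original text, showing the three detection methods just described run over constructed audit log lines: a signature match, two misuse rules (restricted-file access by a non-administrator, repeated failed log-ins) and a per-user anomaly threshold learned from a constructed history. The log format, the signature string, the policy values and the user names are all assumptions.

```python
import statistics
from collections import Counter

# Constructed sample audit log (not from the page): one event per line as key=value fields.
SAMPLE_LOG = """\
t=1 user=alice action=read path=/home/alice/notes.txt ua=Mozilla
t=1 user=bob action=read path=/etc/shadow ua=Mozilla
t=2 user=alice action=login result=fail ua=Mozilla
t=2 user=alice action=login result=fail ua=Mozilla
t=2 user=alice action=login result=fail ua=Mozilla
t=3 user=carol action=read path=/home/carol/a.txt ua=KNOWN-BAD-SCANNER
"""
# Constructed per-user history of events per period: the learned "normal pattern" for method 3.
BASELINE = {"alice": [1, 1, 2, 1, 1], "bob": [1, 1, 1, 1, 1]}
SIGNATURES = ["KNOWN-BAD-SCANNER"]        # constructed attack signature (method 1)
RESTRICTED, ADMINS, FAILED_LOGIN_LIMIT = {"/etc/shadow"}, {"root"}, 3   # misuse policy (method 2)

def parse_log(text):
    return [dict(kv.split("=", 1) for kv in line.split()) for line in text.splitlines() if line.strip()]

def signature_alerts(events):
    # Method 1: any event whose fields contain a previously identified attack pattern.
    return [e for e in events if any(sig in " ".join(e.values()) for sig in SIGNATURES)]

def misuse_alerts(events):
    # Method 2: policy violations, however ordinary the traffic itself looks.
    alerts = [f"{e['user']} read restricted {e['path']}" for e in events
              if e.get("action") == "read" and e.get("path") in RESTRICTED and e["user"] not in ADMINS]
    fails = Counter(e["user"] for e in events if e.get("action") == "login" and e.get("result") == "fail")
    alerts += [f"{u}: {n} failed logins" for u, n in fails.items() if n >= FAILED_LOGIN_LIMIT]
    return alerts

def anomaly_alerts(events, baseline, k=3.0):
    # Method 3: per-user event count per period versus that user's own history. A thin
    # history or a small k is exactly what produces the false positives the text warns about.
    counts = Counter((e["user"], e["t"]) for e in events)
    alerts = []
    for (user, period), n in sorted(counts.items()):
        hist = baseline.get(user)
        if not hist:
            continue                      # no normal pattern learned for this user yet
        threshold = statistics.mean(hist) + k * max(statistics.pstdev(hist), 0.5)
        if n > threshold:
            alerts.append(f"{user} period {period}: {n} events > {threshold:.2f}")
    return alerts

def detect(log_text=SAMPLE_LOG, baseline=BASELINE):
    events = parse_log(log_text)
    return {"signature": signature_alerts(events), "misuse": misuse_alerts(events),
            "anomaly": anomaly_alerts(events, baseline)}
```

Note that carol's scanner is caught only by the signature, bob's restricted read only by the misuse rule, and alice's burst only by the anomaly threshold, which is why the text recommends combining methods.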
They are not self-sufficient and do not compensate for weak authentication procedures, e.g. Also, IDSs often have overlapping features with other security products, such as firewalls.
IDSs provide additional protections by helping to determine if the firewall programs are working properly and by helping to detect internal abuses. Both firewalls and IDSs need to be properly configured and updated to combat new types of attacks. In addition, management should be aware that the state of these products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports, including text, charts, and graphs. The IDS reports can provide background information on the type of attack and recommend courses of action. When an intrusion is detected, the IDS can automatically begin to collect additional information on the attacker, which may be needed later for documentation purposes.
As with vulnerability assessment tools, there are generally two types of IDS products: host-based and network-based. A third category (application-based) is sometimes used for IDSs that look for unusual application events on a host.
Both network- and host-based tools offer valuable features, and the risk assessment process should help institutions determine if either, or a combination of both, is best for their needs.
Host-Based IDSs
A host-based IDS will look for potential intrusions or patterns of misuse by monitoring host event activities, audit logs, and other security-related activities. The tools will track audit trails from operating systems, applications, Web servers, routers, and firewalls, as well as monitor critical files for Trojan horses and unauthorized changes.
This can provide valuable evidence of a break-in and can assist in assessing damage, because the intruder's actions are logged on the specific hosts. If done in real-time, the IDS can promptly notify the bank of unauthorized attempts to gain system administrator (root) controls, access or change critical files, or replace log-in programs. An important benefit of host-based IDSs is that they are effective in detecting insider misuse because they monitor activities on the specific hosts.
For example, they can monitor a user's attempt to access a restricted file, or an attempt to execute a system administrator's command. In addition, they can monitor encrypted transmissions as the data is generally decrypted before it is logged at the host.
A problem with host-based systems is that notification of the attack is delayed if an agent does not examine the audit trail in real-time. This problem relates to the relatively large consumption of computer processing speed and disk space that is required to run these programs in real-time. If not run in real-time, they still allow a bank to identify larger trends and problems with system security.
Network-Based IDSs
With network-based IDSs, sniffer software agents are placed at one or more points on the network. The sniffer agent analyzes packets of information moving across the network for potential intrusions. Network packets contain data, including the message and headers that identify the sending and receiving parties. Network-based IDSs look for patterns of misuse, specific types of attacks, and unusual activity such as unexpected volumes and types of network traffic.
Compared to host-based IDSs, certain types of network-orientated attacks such as IP spoofing, packet floods, and denial of service, are best detected through packet examination. Network-based IDSs can detect potential intrusions in real-time, and offer concurrent notification and response capabilities to potential intrusions. The software does not need to be put on the various hosts throughout the network, thus it is generally easier to monitor and may be less expensive than host-based IDSs.
Network-based IDSs sometimes mistakenly identify normal traffic as an intrusion ("false positives") and miss actual intrusions ("false negatives"). They can have difficulty detecting slow attacks and experience problems on busy networks. Network-based IDSs cannot monitor encrypted transmissions (they can only detect that data is being transferred across the network), and are less effective at detecting insider misuse because network packet analysis does not monitor the activities on specific hosts.
Once it is determined that an IDS is necessary to detect possible security breaches, several factors should be considered in evaluating IDSs, including: The comprehensiveness of the attack signature database, including the frequency of updates that incorporate newly identified concerns.
Most products rely on vendor updates, so banks need to assess the timeliness of the IDS vendor's updates. Products can be updated through Internet downloads, CD-ROM or floppy disk updates, or even manually if the user has a sufficient degree of technical knowledge. The effectiveness of the IDS in protecting an institution from both internal and external threats to a computer system.
The IDS should limit the number of false positives (incorrectly identifying an attack when none has occurred) and false negatives (not identifying an attack when one has occurred). Generally, IDSs work on a real-time basis. Real-time analysis provides quicker notification of potential intrusions; however, it can reduce system performance because of the additional memory and processing requirements. Non-real-time analysis generally consumes fewer resources, but has the disadvantage that the potential intrusion has already occurred by the time it is analyzed.
Knowledgeable intruders, moreover, can manipulate audit trails, making the after-the-fact analysis useless in detecting these particular intruders. The security of the IDS itself and how secure the update process is, especially if updated remotely.
The reporting and automated response capabilities. IDSs will sometimes generate more information than can be reviewed by present qualified staff. Also, for privacy reasons, management should consider informing all affected system users about the scope and type of monitoring being conducted. Other things to consider include training and support from the vendor, cost of hardware, software, and maintenance agreements, integration with vulnerability assessment tools, and configuration capabilities.
Determining Which Is Best for an Institution
An institution's risk assessment process should first determine whether an IDS is necessary. Next, the type or placement of an IDS depends on the priority of identified threats or vulnerabilities. If one or a few hosts contain information that management views as critical, a host-based IDS may be warranted. If an institution is primarily concerned with attacks from the outside or views the entire network system as critical, a network-based product may be appropriate.
A combination of host- and network-based IDSs may also be appropriate for effective system security. Management should be aware that even after an IDS is in place, there may be other access points to the bank's systems that are not being monitored. Management should determine what types of security precautions are needed for the other access points. The placement of the IDS within the institution's system architecture should be carefully considered.
The primary benefit of placing an IDS inside a firewall is the detection of attacks that penetrate the firewall as well as insider abuses. The primary benefit of placing an IDS outside of a firewall is the ability to detect such activities as sweeping, which can be the first sign of attack; repeated failed log-in attempts; and attempted denial of service and spoofing attacks.
Placing an IDS outside the firewall will also allow the monitoring of traffic that the firewall stops. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution.
In developing a response strategy or plan, management should consider the following: The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity.
The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents. The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse. Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuses.