Practical Risk Assessment And Mitigation
Description
Info
Level: Beginner
Presenter: Eli the Computer Guy
Date Created: October 13, 2010
Length of Class: 69 Minutes
Tracks
Computer Security / Integrity
Prerequisites
Introduction to Risk Assessment
Purpose of Class
This class teaches students how to conduct a Risk Assessment.
Topics Covered
The Risk Assessment Process
What to Look for in a Risk Assessment
Class Notes
Introduction
Security is just good technology
Risk is a business decision
Assessment Process
Overview
Determine Vulnerabilities
Determine Threats
Determine Assets
Determine Business Justifications
Interview the Owner/ CEO
What's your business?
What do you do?
How computer dependent are you?
How comfortable with technology are you?
How many employees?
How many employees with computers?
What problems are you currently having?
What are your concerns?
Do you have legal requirements for data?
How are your systems currently being used?
Do you own/ can you make changes to the building?
Do you have maintenance contracts with other IT companies?
Current Operational Security Procedures
Known Threats -- Natural/ Employees/ Outsiders
What is your risk tolerance?
What's your IT budget?
Observe infrastructure
Quality of cabling?
Quality/ age of equipment
Physical Appearance of equipment?
Pointless equipment?
Physical Security
Talk with Employees
What problems are you having?
Is there something that can make your life better?
Documentation Analysis
Who/ What/ When/ Where/ Why?
Is the software accessible?
Systems Analysis
Sit down at the computers/ equipment and determine their current state
Not enough RAM can cause as much economic loss as a virus!
Create a Plan and Brief Client
Create a plan spelling out vulnerabilities, threats, assets
Plan should have as few options as possible
Plan should have steps -- first infrastructure, then computers, then policies
Focus on business reasons
Determine feasibility and get buy-in
Mitigation Process
As you work the plan, continue to assess systems and situation
Is the planned solution still the best solution?