2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA
OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE
https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec
Twitter: 2013_Nayak (reach out and ask to be added)
https://www.tagnw.org/events/
Risk in Infosec
  Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss
    What about risks that are positive in nature? PMP calls them ‘opportunities’
  Risk Analysis - systematic examination of the components and characteristics of risk
  Analysis Steps -
    Understanding and Assessment
      Understand there is a risk
      What if a company does not have security standards?
    Identification
      Identify and categorize risk -
        Informational risk
        Network risk
        Hardware risk
        Software risk
        Environment risk?
          https://en.wikipedia.org/wiki/Routine_activity_theory
      Scope of risk analysis?
      Threat modeling to find risks?
        https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
      SWOT (strengths/weaknesses/opportunities/threats) analysis will discover risks?
      Risk analysis methodologies?
        https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
        https://securityscorecard.com/blog/it-security-risk-assessment-methodology
        https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
        https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
    Estimation
      Chance that the risk will occur (e.g., once a decade, once a week)
      Design controls to remediate
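A worked version of the Estimation step above (an added example, not from the episode or the guest): it turns the likelihood phrases used in the notes into an annualized rate of occurrence, multiplies by an assumed per-event loss to get an expected annual loss, ranks a small register by that figure, and checks whether a proposed control is worth its yearly cost. The `annual_rate` helper, the risk names, loss figures and control costs are constructed assumptions, not values from the page.

```python
import re

# Calendar units expressed as events per year (constructed lookup, not from the notes).
PERIODS_PER_YEAR = {"day": 365.0, "week": 52.0, "month": 12.0, "year": 1.0, "decade": 0.1}


def annual_rate(phrase: str) -> float:
    """Convert 'once a decade', 'twice a month' or '3 per year' into events per year."""
    m = re.fullmatch(r"(\w+)\s+(?:a|an|per|every)\s+(\w+)", phrase.strip().lower())
    if not m:
        raise ValueError(f"unrecognised likelihood phrase: {phrase!r}")
    count, unit = m.groups()
    n = {"once": 1, "twice": 2}.get(count)
    if n is None:
        n = int(count)  # numeric count such as '3'
    return n * PERIODS_PER_YEAR[unit.rstrip("s")]


def expected_annual_loss(likelihood: str, loss_per_event: float) -> float:
    """Expected loss per year = rate of occurrence x loss each time it happens."""
    return annual_rate(likelihood) * loss_per_event


def rank_risks(register: list) -> list:
    """Order a risk register by expected annual loss, highest first."""
    return sorted(register, reverse=True,
                  key=lambda r: expected_annual_loss(r["likelihood"], r["loss"]))


def control_is_worthwhile(likelihood: str, loss_per_event: float,
                          reduction: float, annual_cost: float) -> bool:
    """A remediating control is justified when the expected loss it removes
    (reduction = fraction of the risk it eliminates) exceeds its yearly cost."""
    return expected_annual_loss(likelihood, loss_per_event) * reduction > annual_cost


# Constructed sample register using the risk categories from the notes.
SAMPLE_REGISTER = [
    {"name": "unencrypted laptop lost", "category": "hardware",
     "likelihood": "once a month", "loss": 20_000},
    {"name": "ransomware outbreak", "category": "software",
     "likelihood": "once a decade", "loss": 2_000_000},
    {"name": "phished credentials", "category": "informational",
     "likelihood": "twice a week", "loss": 1_500},
    {"name": "DNS outage", "category": "network",
     "likelihood": "3 per year", "loss": 10_000},
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r['category']:13} {r['name']:25} "
              f"{expected_annual_loss(r['likelihood'], r['loss']):>12,.0f}/year")
    # Assumed full-disk encryption control: removes 90% of the laptop risk for 50k/year.
    print("encrypt laptops:", control_is_worthwhile("once a month", 20_000, 0.9, 50_000))
```

Note that the rare-but-severe ransomware case ranks above the frequent-but-cheap phishing case, which is the point of estimating both likelihood and impact rather than likelihood alone.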
    Implementation
      Risk assessment is a combined approach
      Combined approach for a risk analysis
      You mentioned a lot of people, what’s the scope?
      How do you do the risk assessment? Framework?
    Evaluation
      Evaluation approach
      Like an agile approach
      Provides an informed conclusion
      Report must be clear (no jargon)
    Decision Making
  Examples to Reduce Risk
    Training and education
      What kind of testing? Annual security training?
    Publishing policies
    Agreement with organization
      BAA (business associate agreement) with 3rd parties
    Timely testing -