Tuesday, October 29, 2019

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA


OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: 2013_Nayak (reach and ask to be added)


https://www.tagnw.org/events/


Risk in Infosec

 

Risk - a situation which involves extreme danger and extensive amount of unrecovered loss

    What about risks that are positive in nature?  PMP calls them ‘opportunities’


Risk Analysis - systemic examination of the components and characteristics of risk

 

Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?

       

           

        Identification

            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?

 

https://en.wikipedia.org/wiki/Routine_activity_theory

 

            Scope of risk analysis?

            Threat modeling to find risks?

                https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

            SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?

                https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

                https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

 

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration 

 

        Estimation

            Chance that risk will occur (once a decade, once a week)

            Design controls to remediate

 

        Implementation

            Risk assessment is a combined approach

            Combined approach for a risk analysis

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?

           

        Evaluation

            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making

           

 

Examples to Reduce Risk

Training and education

    what kind of testing? Annual Security training?

 

Publishing policies

Agreement with organization

    BAA with 3rd parties

Timely testing - 

   


Download here!

No comments: