Module 4: Analyzing Security Risks

Contents
Overview 1
Lesson: Introduction to Risk Management 2
Lesson: Creating a Risk Management Plan 9
Lab A: Analyzing Security Risks 19

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

Presentation: 45 minutes
Lab: 45 minutes

This module teaches students how to determine which resources in their organization require protection and how to prioritize those resources based on value. Students will then learn how to develop a risk management plan based on the Microsoft Operations Framework (MOF) risk model. They will also learn to identify and analyze risks proactively and to determine an appropriate level of protection for each resource.

After completing this module, students will be able to:
- Explain the purpose and operation of risk management.
- Draft the elements of a risk management plan.

Required materials
To teach this module, you need the Microsoft® PowerPoint® file 2830A_04.ppt.

Important
It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, some features of the slides may not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.
- Complete the lab and practice discussing the answers.
- Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.
- Visit the Web links that are referenced in the module.

How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: Introduction to Risk Management
This module and Module 3, "Identifying Threats to Network Security," combine to give students the information that they will use to justify to upper management the need to allocate time and resources to security. Risk management in particular enables IT professionals to document realistic needs based on threats and on the likelihood and impact of those threats occurring.

How to Categorize Assets
Students will likely debate the categories of the examples provided in the slide. Explain that the categories are relative and are intended as a starting point for prioritizing the vast collection of assets on a typical network.

How to Calculate the Value of Assets
Emphasize that business decision-makers often require financial justification for expenditures. Calculating asset values and performing quantitative risk analysis are two ways to use numbers to estimate risk. Acknowledge that the calculations are only as good as the original numbers used, so ensure that students do not rely too heavily on the numbers. Explain the term exposure in the context of this page; it is simply part of a more precise measurement of probability. The following lesson describes probability and impact in greater detail.

Practice: Categorizing Assets
Use the practices as an opportunity for discussion.

Lesson: Creating a Risk Management Plan
Be sure to read the white paper, MOF Risk Management, under Additional Reading on the Web page on the Student Materials CD, before teaching this module.

How to Identify Risks to Assets
Explain that risk statements are a useful way to state clearly what is at risk and why.

How to Analyze Risks to Assets
Risk analysis can become complicated. This page lists examples of both qualitative and quantitative risk analysis. Explain the similarities between the two. Also emphasize that quantitative analysis can be performed in many different ways, and that the method shown on this page is intended as a very basic example.

How to Plan for the Management of Risks
Students may confuse avoidance and mitigation. Avoidance seeks to remove the cause of the threat, sometimes by drastically restricting business operations. Mitigation seeks to minimize probability and impact through proactive efforts. In this context, avoidance is a form of severe mitigation. When discussing answers to lab and review questions, remember the distinction and allow for class discussion on the topic.

Practice: Analyzing a Risk Management Plan
Use the practices as an opportunity for discussion.

Assessment
There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Analyzing Security Threats
To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.

In this lab, students must perform both qualitative and quantitative risk analysis. The qualitative analysis consists of a list of risk statements regarding portable computers and a threat model of the portable computers. Have students use the risk statements to enter probability and impact values in the threat model spreadsheet in order to calculate the relative risks involved. Explain to students that portable computers include laptops, and that for the purpose of the labs the two terms are synonymous.

Important
For the qualitative risk analysis in this lab, students open a Microsoft Excel spreadsheet named R&D Portable Computer Threat Model.xls and add information to it. They may use this spreadsheet in a subsequent lab. Ensure that students rename the file and save the spreadsheet to the Lab Answers folder on their desktops for discussion.

When discussing the qualitative answers, note that we included best estimates. If the numbers prove too confusing during lab discussion, use a low-medium-high ranking instead. Use discrepancies or disagreements among students to generate discussion. If some students believe that everything is a risk, play the part of a manager and respond by saying something like, "All of the risks may be important, but I can only afford to protect against five of them. Which ones are most important?"

Important
The answers to the qualitative risk analysis are located in the spreadsheet Lab 4 R&D Portable Computer Threat Model_Suggested Answers.xls, located in the Answers folder under Webfiles on the Student Materials CD. Be sure to print the answers out and study them before you conduct the lab.

For the quantitative risk analysis, students use the values in the e-mails from Helmut Hornig to calculate the potential savings gained by each of the security measures listed. Ensure that students do not become hindered by the vagueness of the scenario. Acknowledge that several details, such as annual asset depreciation and the value of the data on the laptops, have been omitted for the sake of brevity, and tell students to use the information provided to guide their efforts.

General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, "Creating a Plan for Network Security." Those notes contain detailed suggestions for facilitating the lab environment used in this course.
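The following is an added example, not part of the course materials or the lab spreadsheet, showing the two analyses the lesson and lab describe: ranking risk statements by probability × impact (the qualitative threat model) and a basic quantitative estimate of the savings a security measure yields. The quantitative method (annual loss expectancy = asset value × exposure factor × annual rate of occurrence, savings = reduction in ALE minus the measure's annual cost) is one common approach assumed here, and all risk statements and dollar figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class RiskStatement:
    """One risk statement from the threat model: what could happen, how likely, how bad."""
    condition: str
    probability: int  # 1 (rare) to 10 (almost certain), as entered in the threat model sheet
    impact: int       # 1 (negligible) to 10 (catastrophic)

    @property
    def relative_risk(self) -> int:
        # Probability x impact: a score for ranking statements against each other
        return self.probability * self.impact

def rank_risks(risks):
    """Sort risk statements by descending relative risk (the 'which five matter most' question)."""
    return sorted(risks, key=lambda r: r.relative_risk, reverse=True)

def annual_loss_expectancy(asset_value, exposure_factor, annual_rate_of_occurrence):
    """Basic quantitative method (assumed here): ALE = SLE x ARO, SLE = asset value x exposure factor."""
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * annual_rate_of_occurrence

def net_annual_savings(ale_before, ale_after, annual_countermeasure_cost):
    """What the measure saves per year after paying for it; negative means it is not worth buying."""
    return ale_before - ale_after - annual_countermeasure_cost

# Constructed sample risk statements for R&D portable computers (not the lab's own values)
LAPTOP_RISKS = [
    RiskStatement("laptop stolen from an unattended car", 6, 8),
    RiskStatement("unencrypted R&D data read from a stolen laptop", 5, 9),
    RiskStatement("malware infection via unpatched operating system", 7, 5),
    RiskStatement("laptop left in an airport lounge", 3, 8),
    RiskStatement("hard disk failure with no backup", 4, 3),
]

def top_risks(n=3):
    """Conditions of the n highest-ranked risk statements."""
    return [r.condition for r in rank_risks(LAPTOP_RISKS)[:n]]

def disk_encryption_case():
    """Constructed figures: each laptop is worth $15,000 (hardware $3,000 + data $12,000),
    four thefts a year are expected, and disk encryption costs $6,000 a year."""
    before = annual_loss_expectancy(15_000, 1.0, 4)    # whole value lost without encryption
    after = annual_loss_expectancy(15_000, 0.2, 4)     # only the $3,000 hardware is lost
    return before, after, net_annual_savings(before, after, 6_000)
```

Running `disk_encryption_case()` gives an ALE of $60,000 before and $12,000 after encryption, so the measure nets $42,000 a year; change the constructed figures (for example the omitted depreciation or data value) to see how quickly the result moves with the inputs.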