Risk Management
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
IST 515
Theory, Practice, Learning by Doing
Objectives
This module will familiarize you with the following:
• The basic terminology used in risk management
• The role and importance of risk management practices.
• The identification of asset, threat, and vulnerability.
• Risk assessment methodologies.
• Risk assessment process.
• Risk management principles.
• Controls to identify, rate, and reduce the risk to specific information assets.
Readings
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
• Stoneburner, G., Goguen, A. and Feringa, A., “Risk Management Guide for Information Technology Systems,” NIST SP 800-30, July 2002. (Required)
• Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J., “Guide for Mapping Types of Information and Information Systems to Security Categories,” NIST SP 800-60, August 2008.
• Wikipedia, “Failure Mode and Effects Analysis,” http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
• Marquis, H., “Ten Steps to Do It Yourself CRAMM,” 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm
Readings - Examples
• Tan, D., “Quantitative Risk Analysis Step-By-Step,” SANS Institute, 2002.
• R. Marchany, “Conducting a Risk Analysis,” in Mark Luker and Rodney Petersen (Eds), Computer and Network Security in Higher Education, Chapter 3, EDUCAUSE. (STAR Project).
• H. P. In, Y.-G. Kim, T. Lee, C.-J. Moon, Y. J., and I. Kim, "A Security Risk Analysis Model for Information Systems," D.-K. Baik (Ed.): AsiaSim 2004, LNAI 3398, Springer, pp. 505–513, 2005. (Quantitative Method)
Essential Terminologies
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy.
Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Elements of Risk Management
[Figure: diagram relating Threats, Vulnerabilities, Safeguards, Assets (data, facilities, hardware, software) and Risk, spanning Risk Assessment and Risk Management.]
• Risk avoidance.
• Risk transfer.
• Risk mitigation.
• Risk acceptance.
(NIST-SP-800-12)
Essential Terminologies
Risk:
• The possibility of loss (American Heritage Dictionary).
• The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (NIST SP 800-30).
• A function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.
Risk Management:
• The technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures (Random House Dictionary).
• Reduces risks by defining and controlling threats and vulnerabilities ((ISC)2).
• The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30).
Examples of Critical Assets
• People and skills
• Goodwill
• Intellectual property
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money
[Figure labels: Logical Asset, Physical Asset, Value.]
Common Computer Threats
• Errors and omissions.
• Fraud and theft.
• Employee sabotage.
• Loss of physical and infrastructure support.
• Malicious hackers.
• Industrial espionage.
• Malicious code.
• Threats to personal privacy.
• Insider threats.
Common Threat Sources
Natural Threats. Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human Threats. Malicious outsider or insider, terrorist, spy political, human intervention.
Environmental Threats. Long-term power failure, pollution, chemicals, liquid leakage.
Technical Threats. Hardware/software failure, malicious code, unauthorized use.
Physical Threats. Closed-circuit TV failure, perimeter defense failure.
Operational Threats. Automated or manual process.
Human Threats

| Threat-Source | Motivation | Threat Actions |
|---|---|---|
| Hacker, cracker | Challenge; Ego; Rebellion | Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access |
| Computer criminal | Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration | Computer crime; Fraudulent act; Information bribery; Spoofing; System intrusion |
| Terrorist | Blackmail; Destruction; Exploitation; Revenge | Bomb/Terrorism; Information warfare; System attack; System penetration; System tampering |
| Industrial espionage | Competitive advantage; Economic espionage | Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access |
| Insider | Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions | Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code; Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access |
Vulnerabilities
• Flaw or weakness in system that can be exploited to violate system integrity.
  – Security Procedures
  – Design
  – Implementation
• Threats trigger vulnerabilities:
  – Accidental
  – Malicious
Vulnerability Sources
• Previous risk assessment document of the IT system assessed.
• Audit reports, system anomaly reports, security review reports, and system test and evaluation reports.
• Vulnerability lists such as NIST I-CAT vulnerability database (http://icat.nist.gov)
• Security advisories.
• Vendor advisories.
• Commercial computer/incident/emergency response teams and post lists (e.g., SecurityFocus.com)
• Information Assurance Vulnerability Alerts and bulletins for military systems.
• System software security analyses.
Vulnerability/Threat Pairs

| Vulnerability | Threat-Source | Threat Action |
|---|---|---|
| Terminated employees’ system IDs are not removed from the system | Terminated employees | Dialing into the company’s network and accessing company proprietary data |
| Company firewall allows inbound telnet and guest ID enabled on XYZ server | Unauthorized users | Using telnet to XYZ server and browsing system files with the guest ID |
| The vendor has identified flaws in the security design of the system | Unauthorized users | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities |
| Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place | Fire, negligent persons | Water sprinklers being turned on in the data center |
Types of Risk Analysis
• Quantitative:
  – Assigns real numbers to costs of safeguards and damage
  – Annual loss exposure (ALE)
  – Probability of event occurring
  – Can be unreliable/inaccurate
• Qualitative:
  – Judges an organization’s risk to threats
  – Based on judgment, intuition, and experience
  – Ranks the seriousness of the threats for the sensitivity of the assets
  – Subjective, lacks hard numbers to justify return on investment
Process of Quantitative Analysis
• Seek initial management approval.
• Establish a risk assessment team.
• Review information currently available within the organization.
• Estimate the loss – SLE (Single Loss Expectancy):
  SLE = asset value (in $) × exposure factor (loss in successful threat exploit, as %)
• Calculate the Annualized Rate of Occurrence (ARO) - how often a threat will be successful in exploiting a vulnerability over the period of a year (or Likelihood of Exploitation)
• Calculate the Annualized Loss Expectancy (ALE):
  ALE = ARO × SLE
Example of Quantitative Analysis
• Risk = Risk-impact x Risk-Probability
  – Loss of car: risk-impact is cost to replace car, e.g. $10,000
  – Probability of car loss: 0.10
  – Risk = 10,000 x 0.10 = 1,000
• Generally measured per year
  – Annual Loss Exposure (ALE)
Elements of Security Risks
Classification of Assets, Threats and Vulnerabilities

| Asset | Threat | Vulnerability |
|---|---|---|
| 1. Information/Data | 1. Human/Non-human | 1. Administering: Documents, Personnel, Regulation |
| 2. Documents | 2. Network/Physical | 2. Physical: Circumstances or Facilities |
| 3. Hardware | 3. Technical/Environment | 3. Technical: Hardware, Software, Communication/Network |
| 4. Software | 4. Inside/Outside | |
| 5. Human Resource | 5. Accidental/Deliberate | |
| 6. Circumstances | | |
Example of Risk Analysis
Logic of Risk Analysis
• RISK = Loss * Probability
• Loss means the decline of asset value when an asset is exposed to some vulnerabilities.
• Probability means the probability of threat-occurrence from the corresponding vulnerabilities.
• Total Risk of AM3
  = 100 x (0.8 x 0.5 + 0.9 x 0.7 + 0.6 x 0.4) / 3
  = 100 x 1.27 / 3
  = 42.3
The Effectiveness of Risk Mitigation Methods

| Vulnerability Model \ Mitigation Method | Vaccine | Smart Card | Firewall |
|---|---|---|---|
| VM1 (unprotected major communication facilities) | 0.2 | 0.6 | 0.1* |
| VM2 (unfit network management) | 0.6 | 0.5 | 0.5 |
| VM3 (unprotected storage devices) | 0.3 | 0.2 | 0.1 |
Mitigation Effect
• Applying a risk mitigation method can reduce the rate of not just one vulnerability but several related vulnerabilities simultaneously.
• The rate of risk reduction can therefore be obtained by considering which vulnerabilities each selected risk mitigation method affects.
• Risk reduction after applying firewall
  = 100 * (0.1 * 0.5 + 0.5 * 0.7 + 0.1 * 0.4) / 3
  = 100 * 0.44 / 3 = 14.7
Risk Analysis
• What kind of threats can be reduced?
• What are residual risks if the risk mitigations are applied?
• What is the ROI of each risk mitigation?
• ROI = Benefit / Cost
• Benefit = (initial risk) - (residual risk after the risk mitigation method is applied)
• Total Cost = Acquisition Cost + Operation Cost + Business Opportunity Cost
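An added worked example (not part of the original slides) that carries the AM3 calculation through all three mitigation methods and ranks them by ROI = Benefit / Cost. It reads the slides' 14.7 as the risk remaining after the firewall is applied, and the total costs in COST are constructed values, since the slides give none.

```python
"""Risk, residual risk and ROI per mitigation method for asset AM3."""

ASSET_VALUE = 100  # value of asset AM3 used in the slides' calculation

# vulnerability -> (loss rate, threat probability) before any mitigation,
# taken from the slides' "Total Risk of AM3" calculation.
BASELINE = {"VM1": (0.8, 0.5), "VM2": (0.9, 0.7), "VM3": (0.6, 0.4)}

# Loss rate left on each vulnerability once a method is applied (slide table).
MITIGATED_LOSS = {
    "Vaccine": {"VM1": 0.2, "VM2": 0.6, "VM3": 0.3},
    "Smart Card": {"VM1": 0.6, "VM2": 0.5, "VM3": 0.2},
    "Firewall": {"VM1": 0.1, "VM2": 0.5, "VM3": 0.1},
}

# ASSUMPTION: constructed total costs (acquisition + operation + business
# opportunity), in the same units as the risk figures; not from the slides.
COST = {"Vaccine": 10.0, "Smart Card": 15.0, "Firewall": 20.0}


def total_risk(loss_rates):
    """Asset value x mean of (loss rate x probability) over all vulnerabilities."""
    missing = set(BASELINE) - set(loss_rates)
    if missing:
        raise ValueError(f"no loss rate for {sorted(missing)}")
    terms = [loss_rates[v] * prob for v, (_, prob) in BASELINE.items()]
    return ASSET_VALUE * sum(terms) / len(terms)


def initial_risk():
    """Risk with no mitigation applied (42.3 on the slides)."""
    return total_risk({v: loss for v, (loss, _) in BASELINE.items()})


def rank_mitigations(costs=COST):
    """Return one dict per mitigation method, best ROI first."""
    base = initial_risk()
    rows = []
    for method, loss_rates in MITIGATED_LOSS.items():
        cost = costs[method]
        if cost <= 0:
            raise ValueError(f"cost for {method} must be positive")
        residual = total_risk(loss_rates)
        benefit = base - residual  # Benefit = initial risk - residual risk
        rows.append({
            "method": method,
            "residual": round(residual, 1),
            "benefit": round(benefit, 1),
            "roi": round(benefit / cost, 2),
        })
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


if __name__ == "__main__":
    print(f"initial risk: {initial_risk():.1f}")
    for row in rank_mitigations():
        print(f"{row['method']:<10} residual={row['residual']:<5} "
              f"benefit={row['benefit']:<5} ROI={row['roi']}")
```

With these constructed costs the firewall removes the most risk, but the vaccine has the best ROI, which is why the slides ask for ROI rather than benefit alone.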
Process of Qualitative Assessment
• Seek management approval to conduct analysis.
• Form a risk assessment team.
• Request related documents.
• Set up interviews with organizational members to identify vulnerabilities, threats and countermeasures.
• Analyze the data: matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, determining the impact to the organization in the event an exploit is successful, and matching current and planned countermeasures (that is, protection) to the threat–vulnerability pair.
• Calculate risk.
• Recommend countermeasures and calculate residual risk.
Likelihood Definitions

| Likelihood Level | Likelihood Definition |
|---|---|
| High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |
| Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |
Magnitude of Impact Definitions

| Magnitude of Impact | Impact Definition |
|---|---|
| High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. |
| Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. |
| Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest. |
Risk-Level Matrix

| Threat Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100) |
|---|---|---|---|
| High (1.0) | Low: 10 x 1.0 = 10 | Medium: 50 x 1.0 = 50 | High: 100 x 1.0 = 100 |
| Medium (0.5) | Low: 10 x 0.5 = 5 | Medium: 50 x 0.5 = 25 | Medium: 100 x 0.5 = 50 |
| Low (0.1) | Low: 10 x 0.1 = 1 | Low: 50 x 0.1 = 5 | Low: 100 x 0.1 = 10 |
Risk Scale and Necessary Actions

| Risk Level | Risk Description and Necessary Actions |
|---|---|
| High | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible. |
| Medium | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. |
| Low | If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk. |
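An added example, not from the original slides, that applies the risk-level matrix and risk scale above to the vulnerabilities from the vulnerability/threat pairs table and re-rates each one after planned controls (the residual-risk step of the qualitative process). The likelihood and impact ratings are constructed sample values, and the High/Medium/Low cut-offs are read off the matrix cells.

```python
"""Score threat/vulnerability pairs with the risk-level matrix."""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # matrix row weights
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # matrix column weights

# Necessary action per risk level, condensed from the risk scale table.
ACTION = {
    "High": "corrective action plan as soon as possible",
    "Medium": "plan corrective actions within a reasonable period",
    "Low": "DAA decides whether to correct or accept the risk",
}


def risk_level(likelihood, impact):
    """Return (score, level). Cut-offs follow the matrix cells:
    above 50 is High, above 10 up to 50 is Medium, 10 or below is Low."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    # round() keeps float noise away from the 10 and 50 boundaries
    score = round(IMPACT[impact] * LIKELIHOOD[likelihood], 2)
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


# Vulnerabilities from the vulnerability/threat pairs table. The ratings and
# the likelihood expected after planned controls are CONSTRUCTED sample values.
FINDINGS = [
    # (vulnerability, likelihood, impact, likelihood after planned controls)
    ("Terminated employees' IDs not removed", "High", "Medium", "Low"),
    ("Inbound telnet and guest ID on XYZ server", "High", "High", "Medium"),
    ("Vendor-identified design flaws", "Medium", "High", "Low"),
    ("Sprinklers, no tarpaulins in data center", "Low", "High", "Low"),
]


def assess(findings):
    """Rate each finding before and after controls, highest risk first."""
    register = []
    for name, likelihood, impact, residual_likelihood in findings:
        score, level = risk_level(likelihood, impact)
        res_score, res_level = risk_level(residual_likelihood, impact)
        register.append({
            "finding": name,
            "score": score,
            "level": level,
            "action": ACTION[level],        # action the current rating calls for
            "residual_score": res_score,    # rating once planned controls exist
            "residual_level": res_level,
        })
    return sorted(register, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in assess(FINDINGS):
        print(f"{row['score']:>5} {row['level']:<6} -> "
              f"{row['residual_score']:>5} {row['residual_level']:<6} "
              f"{row['finding']}: {row['action']}")
```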
Example of Risk Scales
[Figure: 5 x 5 risk matrix. Likelihood axis: 1 Rare, 2 Unlikely, 3 Moderate, 4 Likely, 5 Almost Certain. Impact axis: 1. Negligible, 2. Low, 3. Medium, 4. Very High, 5. Extreme.]
Comments
Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples that we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.
Assets and Their Priority

| Description of Asset | Machine Name | Priority+ |
|---|---|---|
| Authentication-authorization services | host1.dept.edu | C |
| DNS name server | host2.dept.edu | C |
| Physical plant, environmental servers | host3.dept.edu | C |
| DNS name server (secondary) | host4.dept.edu | C |
| Network (routers, servers, modems, etc.) | host5.dept.edu | C |
| HR database server | host6.dept.edu | E |
| Payroll server | host7.dept.edu | E |
| Production control servers | host8.dept.edu | N |
| Client systems (Win95/NT, Macs) | host9.dept.edu | N |
| Database group “crash-and-burn” system | host10.dept.edu | N |

+ C, critical element; E, essential; N, normal
STAR Project
Definition of Priority
• Critical: If the loss of its function would result in the university ceasing to function as a business entity.
• Essential: The loss of asset would cripple the university’s capacity to function, but it could survive for a week or so without the asset. All effort would be made to restore the function within a week.
• Normal: If the loss of asset resulted in some inconvenience.
STAR Project
Asset Weight Matrix to Prioritize IT Assets

| | A/A | DNS(p) | Plant | DNS(s) | Network | HR |
|---|---|---|---|---|---|---|
| Authentication-authorization services | - | 9 | 9 | 4.5 | 9 | 5 |
| DNS name server (primary) | 0 | - | 9 | 0 | 9 | 5 |
| Physical plant, environmental servers | 0 | 0 | - | 2 | 9 | 4.5 |
| DNS name server (secondary) | 3.5 | 9 | 7 | - | 9 | 5 |
| Network (routers, servers, modems, etc.) | 0 | 0 | 0 | 0 | - | 0 |
| HR database server | 4 | 4 | 3.5 | 4 | 9 | - |
| Total Votes | 7.5 | 22 | 28.5 | 10.5 | 45 | 19.5 |

STAR Project
List of Controls for Critical Risks

| Risk | Description |
|---|---|
| Clear text | Clear text data moving among our systems and networks |
| Client system access control | Control of access to distributed desktop client workstations |
| Construction mistakes | Service interruptions during construction, renovations |
| Key person dependency | Too few staff to cover critical responsibilities |
| Natural disaster | Flood, earthquake, fire, etc. |
| Passwords | Selection, security, number of passwords, etc. |
| Physical security (IS internal) | IS private space (machine room, wire closets, offices, etc.) |
| Physical security (IS external) | IS public space (laboratories, classrooms, library, etc.) |
| Spoofing | E-mail and IP address forgery or circumvention |
| Data disclosure | Inappropriate acquisition or release of university data |
| System administration practices | Adequacy of knowledge, skills, and procedures |
| Operational policies | Appropriate strategies, directions, and policies |

STAR Project
Summary of Compliance Matrix
STAR Project
Risk Assessment Methodologies
• NIST SP 800-30 and 800-66 (HIPAA).
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation). Carnegie Mellon University.
• FRAP (Facilitated Risk Analysis Process). Tom Peltier.
• CRAMM (CCTA Risk Analysis and Management Method).
• Spanning Tree Analysis.
• Failure Modes and Effect Analysis.
Risk Assessment Methodologies

| Method | Source | Feature | Industry |
|---|---|---|---|
| NIST SP 800-30; 800-66 | NIST | Qualitative | Healthcare; HIPAA |
| OCTAVE | Carnegie Mellon Univ. Software Institute | Qualitative | Software |
| FRAP (Facilitated Risk Analysis Process) | Tom Peltier, 2005 | Qualitative | General |
| CRAMM (CCTA Risk Analysis and Management Method) | Central Computing and Telecommunications Agency, 2007 | Qualitative | NATO; Unisys; RAC |
| Spanning Tree Analysis | (ISC)2 Information Systems Security Engineering Professional | Quantitative | Hardware & software systems |
| FMEA (Failure Modes and Effect Analysis) | US Military, 1940 | Quantitative | Aerospace; Automotive |
Risk Assessment Process - NIST
• System characterization.
• Vulnerability identification.
• Threat identification.
• Countermeasure identification.
• Likelihood determination.
• Impact determination.
• Risk determination.
• Additional countermeasures recommendations.
• Document results.
Risk Assessment Activities

| Input | Risk Assessment Activity | Output |
|---|---|---|
| Hardware/software; System interfaces; Data & information; People; System mission | 1. System Characterization | System boundary; System functions; Systems and data criticality; System and data sensitivity |
| History of attack; Data from intelligence agencies | 2. Threat Identification | Threat statement |
| Reports from prior risk assessment; Audit comments; Security requirements; Security test results | 3. Vulnerability Identification | List of potential vulnerabilities |
| Current controls; Planned controls | 4. Control Analysis | List of current and planned controls |
| Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls | 5. Likelihood Determination | Likelihood rating |
| Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity | 6. Impact Analysis (loss of integrity, loss of availability, loss of confidentiality) | Impact rating |
| Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls | 7. Risk Determination | Risk and associated risk levels |
| | 8. Control Recommendation | Recommended controls |
| | 9. Result Documentation | Risk assessment report |
Risk Mitigation Action Points
[Figure: decision flowchart. Labels: Threat Source; System Design; Vulnerable?; Exploitable?; Vulnerability to attack exists; Attacker’s Cost < Gain; Loss Anticipated > Threshold; Risk Exists; Unacceptable Risk; Accept Risk; No Risk; Yes/No branches.]
How Does Risk Management Work?
[Figure: process diagram. Risk Assessment: Define Boundaries, Scope, and Methodology; Collect and Synthesize Data; Interpret Results. Risk Mitigation: Select Safeguard*; Accept Residual Risk; Implement Control. Uncertainty is shown alongside the steps.]
* There are many approaches to safeguard selection
Risk Management Cycle
From GAO/AIMD-99-139
Risk Management Principles
Risk Avoidance. Is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Transfer. Is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Mitigation. Is the practice of eliminating or significantly decreasing the level of risk presented. E.g., a company can put countermeasures such as a firewall, IDS, etc. in place to deter malicious actors from accessing highly sensitive information.
Risk Acceptance. Is the practice of simply accepting certain risk (s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation Options
Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).
Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls).
Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Risk Management Actions

| Impact \ Likelihood | Low | Medium | High |
|---|---|---|---|
| Significant | Considerable management required | Must manage and monitor risks | Extensive management essential |
| Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required |
| Minor | Accept risks | Accept, but monitor risks | Manage and monitor risks |
Controls
• Mechanisms or procedures for mitigating vulnerabilities
– Prevent
– Detect
– Recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat analysis
Risk Mitigation Strategy
When a vulnerability (or flaw, weakness) exists, implement assurance techniques to reduce the likelihood of a vulnerability’s being exercised.
When a vulnerability can be exercised, apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.
When the attacker’s cost is less than the potential gain, apply protections to decrease an attacker’s motivation by increasing the attacker’s cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker’s gain).
When loss is too great, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
Risk Mitigation Activities

| Input | Risk Mitigation Activity | Output |
|---|---|---|
| Risk levels from the risk assessment report | 1. Prioritize Actions | Actions ranking from high to low |
| Risk assessment report | 2. Evaluate Recommended Control Options (feasibility; effectiveness) | List of possible controls |
| | 3. Conduct Cost-Benefit Analysis (impact of implementing; impact of not implementing; associated costs) | Cost-benefit analysis |
| | 4. Select Controls | Selected controls |
| | 5. Assign Responsibility | List of responsible persons |
| | 6. Develop Safeguard Implementation Plan (risks and associated risk levels; prioritized actions; recommended controls; selected planned controls; responsible persons; start date; target completion date; maintenance requirements) | Safeguard implementation plan |
| | 7. Implement Selected Controls | Residual risks |
Categories of Security Control
Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission. An organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for their IT systems and organization.
Technical Controls. These controls usually involve system architecture, engineering disciplines, and security packages with a mix of hardware, software, and firmware.
Management Controls. These controls focus on the stipulation of information protection policy, guidelines, and standards.
Operational Controls. These controls ensure that security procedures are properly enforced and implemented in accordance with the organization’s goals and mission.
Framework of Technical Security Controls
[Figure: framework of technical security controls between a User or Process and a Resource, with a legend of Prevent; Detect, Recover; Support. Controls shown: Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation); Identification; Protected Communications (safe from disclosure, substitution, modifications & replay); Intrusion Detection and Containment; Access Control Enforcement; Authorization; Authentication; State Restore; Proof of Wholeness; Audit; Non-repudiation; Transaction Privacy.]
Management Security Controls
Preventive:
• Assign security responsibility.
• Develop and maintain system security plan.
• Implement personnel security controls such as separation of duties, least privilege, and user computer access registration and termination.
• Conduct security awareness and technical training.
Detection:
• Implement personnel security controls such as personnel clearance, background investigations, rotation of duties.
• Conduct periodic review of security controls.
• Perform periodic system audits.
• Conduct ongoing risk management.
• Authorize IT systems to address and accept residual risk.
Management Security Controls
Recovery:
• Provide continuity of support and develop, test, and maintain the continuity of operations plan.
• Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the system to operational status.
Operational Security Controls
Preventive:
• Control data media access and disposal (e.g., physical access control, degaussing method)
• Limit external data distribution (e.g., use of labeling)
• Control software viruses
• Safeguard computing facility
• Secure wiring closets that house hubs and cables
• Provide backup capability
• Establish off-site storage procedures and security
• Protect laptops, personal computers (PC), workstations
• Protect IT assets from fire damage
• Provide emergency power source
• Control the humidity and temperature of the computing facility
Detection:
• Provide physical security
• Ensure environmental security.
Potential Projects
• Developing a risk management plan.
• A qualitative risk assessment approach to xxx
• A quantitative risk assessment approach to xxx
• A comparative analysis of risk assessment methods.