3. Risk Identification Flashcards

1
Q

Identification Of Assets

Input

A

Scope and boundaries for the risk assessment to be conducted, list of constituents with owners, location, function, etc.

2
Q

Action

A

The assets within the established scope should be identified.

3
Q

Implementation guidance

A

An asset is anything that has value to the organization and which, therefore, requires protection. Asset identification should be performed at a suitable level of detail that provides sufficient information for the risk assessment.

The level of detail used on the asset identification influences the overall amount of information collected during the risk assessment. The level can be refined in further iterations of the risk assessment.
An asset owner should be identified for each asset, to provide responsibility and accountability for the asset.

4
Q

Output

A

A list of assets to be risk-managed, and a list of business processes related to assets and their relevance.

5
Q

Identification Of Threats

Input

A

Information on threats obtained from reviewing incidents, from asset owners, users and other sources, including external threat catalogues.

6
Q

Action

A

Threats and their sources should be identified.

7
Q

Implementation guidance

A

A threat has the potential to harm assets such as information, processes and systems and, therefore, organizations. Threats can be of natural or human origin, and can be accidental or deliberate. Both accidental and deliberate threat sources should be identified.
A threat can arise from within or from outside the organization.

8
Q

Output

A

A list of threats with the identification of threat type and source.

9
Q

Identification of existing Controls

Input

A

Documentation of controls, risk treatment implementation plans.

10
Q

Action

A

Existing and planned controls should be identified.

11
Q

Implementation guidance

A

Existing controls should be identified to avoid unnecessary work or cost, e.g. the duplication of controls.

In addition, while identifying the existing controls, a check should be made to ensure that the controls are actually working correctly; referring to existing ISMS audit reports should limit the time spent on this task.

If a control does not work as expected, this can itself cause vulnerabilities.
An existing or planned control can be identified as ineffective, insufficient, or not justified.

12
Q

Output

A

A list of all existing and planned controls, their implementation and usage status.

13
Q

Identification Of Vulnerabilities

Input

A

A list of known threats, lists of assets and existing controls.

14
Q

Action

A

Vulnerabilities that can be exploited by threats to cause harm to assets or to the organization should be identified.

15
Q

Implementation guidance

A

Vulnerabilities can be identified in the following areas:
— organization;
— processes and procedures;
— management routines;
— personnel;
— physical environment;
— information system configuration;
— hardware, software or communications equipment;
— dependence on external parties.

The presence of a vulnerability does not cause harm in itself: a threat must be present to exploit it. A vulnerability with no matching threat still belongs in the list, since a new threat can later make it exploitable.

16
Q

Output

A

A list of vulnerabilities in relation to assets, threats and controls.

17
Q

Identification Of Consequences

Input

A

A list of assets, a list of business processes, and a list of threats and vulnerabilities, where appropriate, related to assets and their relevance.

18
Q

Action

A

The consequences that losses of confidentiality, integrity and availability may have on the assets should be identified.

19
Q

Implementation guidance

A

A consequence can be loss of effectiveness, adverse operating conditions, loss of business, reputation damage, etc.
This activity identifies the damage or consequences to the organization that can be caused by an incident scenario.

An incident scenario is the description of a threat exploiting a certain vulnerability or set of vulnerabilities in an information security incident. The impact of the incident scenarios is determined using the impact criteria defined during the context establishment activity.

Assets can be assigned values both for their financial cost and for the business consequences if they are damaged or compromised.
Organizations should identify the operational consequences of incident scenarios in terms of (but not limited to):
— investigation and repair time;
— (work)time lost;
— opportunity lost;
— health and safety.

20
Q

Output

A

A list of incident scenarios with their consequences related to assets and business processes.
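The five cards above describe a chain of inputs and outputs: assets with owners, threats with type and source, existing and planned controls with their status, vulnerabilities tied to assets and threats, and finally incident scenarios with consequences. The following is an added worked example, not part of the flashcards, that encodes that chain as a small risk register in Python. It applies two rules the cards state in prose: a vulnerability yields no incident scenario unless a listed threat can exploit it, and only an existing control that has been verified as working suppresses a scenario (a planned or unverified control does not). The asset names, owners, threats, controls and the "asset value times properties lost" impact criterion are all constructed sample data and assumptions for illustration, not taken from any real assessment or from the page.

```python
from dataclasses import dataclass

# Security properties whose loss defines a consequence (card 18).
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str      # card 3: every asset needs an accountable owner
    process: str    # card 4: business process the asset supports
    value: int      # assumed 1 (low) .. 5 (high) business value


@dataclass(frozen=True)
class Threat:
    name: str
    origin: str     # card 7: "internal" or "external"
    kind: str       # card 7: "deliberate", "accidental" or "natural"


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str  # name of the vulnerability it addresses
    status: str     # card 12: "existing" or "planned"
    verified: bool  # card 11: confirmed working, e.g. by an ISMS audit


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    area: str               # one of the areas listed in card 15
    exploitable_by: tuple   # threat names that can exploit it
    loses: tuple            # subset of CIA lost if it is exploited


def check_assets(assets):
    """Card 3 output: reject any asset that has no owner, then index by name."""
    missing = [a.name for a in assets if not a.owner]
    if missing:
        raise ValueError(f"assets without an owner: {missing}")
    return {a.name: a for a in assets}


def effective_controls(controls):
    """Card 11: only an existing control verified as working counts.
    A planned or unverified control leaves its vulnerability open."""
    return {c.mitigates for c in controls if c.status == "existing" and c.verified}


def incident_scenarios(assets, threats, controls, vulns):
    """Cards 15-20: a scenario is a threat exploiting a vulnerability on an
    asset. Vulnerabilities with no matching threat, or covered by an
    effective control, produce no scenario."""
    asset_map = check_assets(assets)
    threat_map = {t.name: t for t in threats}
    covered = effective_controls(controls)
    scenarios = []
    for v in vulns:
        if v.name in covered:
            continue  # existing, working control: no open scenario
        for tname in v.exploitable_by:
            t = threat_map.get(tname)
            if t is None:
                continue  # card 15: a vulnerability alone causes no harm
            a = asset_map[v.asset]
            scenarios.append({
                "asset": a.name,
                "process": a.process,
                "threat": t.name,
                "threat_type": f"{t.origin}/{t.kind}",
                "vulnerability": v.name,
                "loses": v.loses,
                # assumed impact criterion: asset value times properties lost
                "impact": a.value * len(v.loses),
            })
    return scenarios


# Constructed sample register (not real data).
SAMPLE_ASSETS = [
    Asset("customer-db", "DBA team", "order fulfilment", 5),
    Asset("office-wifi", "IT ops", "staff access", 2),
]
SAMPLE_THREATS = [
    Threat("credential theft", "external", "deliberate"),
    Threat("disk failure", "internal", "accidental"),
]
SAMPLE_CONTROLS = [
    Control("nightly backups", "no backups", "existing", True),
    Control("MFA rollout", "password-only admin login", "planned", False),
]
SAMPLE_VULNS = [
    Vulnerability("password-only admin login", "customer-db",
                  "information system configuration",
                  ("credential theft",), ("confidentiality", "integrity")),
    Vulnerability("no backups", "customer-db", "processes and procedures",
                  ("disk failure",), ("availability",)),
    # no listed threat exploits this one, so it yields no scenario
    Vulnerability("unpatched firmware", "office-wifi",
                  "hardware, software or communications equipment",
                  ("firmware exploit",), ("integrity",)),
]

if __name__ == "__main__":
    for s in incident_scenarios(SAMPLE_ASSETS, SAMPLE_THREATS,
                                SAMPLE_CONTROLS, SAMPLE_VULNS):
        print(s)
```

On the sample data only one scenario survives: credential theft against the password-only admin login on customer-db. The backup gap is suppressed because a verified existing control covers it, the planned MFA rollout does not suppress anything, and the firmware vulnerability stays in the vulnerability list but generates no scenario because no identified threat exploits it.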