CGRC Week 3 Flashcards
What is the objective of Risk Management?
1) Better Secure IT Systems
2) Well-informed risk management DECISIONS
3) Authorizing IT Systems
4) CIA Triad
What is Risk Management?
Identifying, assessing and mitigating/reducing/controlling risks to an acceptable level. This process includes risk identification, risk assessment and risk control.
What is risk identification?
The process of examining and documenting organisational assets, both tangible and intangible (people, data, hardware, software and systems), together with the threats and vulnerabilities that affect them.
What are the 9 steps of the NIST (SP 800-30) Methodology?
1) System Characterization
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis
5) Likelihood Determination
6) Impact Analysis
7) Risk Determination
8) Control Recommendations
9) Results Documentation
What is the approach to risk identification?
Know yourself & Know your enemy
Know yourself: Understand your assets and systems
Know your enemy: Identify threats to your organization
What are the steps of risk identification?
1) Identify & Inventory Assets
2) Identify & Prioritize Assets
3) Identify & Prioritize Threats
What is the risk identification process?
Risk identification is a process of self-examination consisting of identifying, classifying and prioritizing:
Identifying your organizational assets
Classifying assets into groups
Prioritizing them by their overall importance
What does a threat assessment process do with risks?
It identifies and quantifies the risks facing each asset
What is the first step of risk identification, and what does it involve?
Follow project management principles such as:
1) Organising a team
Planning the process, which includes:
1) Periodic deliverables
2) Reviews
3) Presentation to management
Basically, tasks should be laid out, assignments made and timetables discussed.
Plan & Organise the process
What is asset identification and inventory?
It is an iterative process: the identification of assets (people, procedures, data/information, software, hardware and networking), both tangible and intangible.
At this stage it is just inventorying and categorizing the assets (their value does not matter yet). Asset classification comes afterwards.
Inventory & Categorize assets
What is a classification scheme?
It categorizes information assets based on their sensitivity and security needs
Classify & prioritise assets
What does Information Asset Valuation involve?
1) Assigning Relative Values
- Identified, Categorized, Classified
- Use comparative judgments to determine which information asset is of highest value/priority
2) Ask Relevant Questions
3) Information asset prioritisation
- List the assets in order of importance
- Create a weighting for each category based on the answers to the questions
- Calculate and list the relative importance of each asset using a weighted factor analysis worksheet
Classify & prioritise assets
Under what circumstance does your project scope become too complex?
If you assume that every threat can and will attack every information asset
Identify & prioritise threats
How can projects be made less unwieldy?
The threat identification and vulnerability identification processes must be managed separately and then coordinated at the end
Identify & prioritise threats
What are the components of risk identification (in order)? Give a brief description of each.
1) Plan & organise
- Organise a team and plan out deliverables, reviews, presentation to management.
2) Categorize system components
- e.g. IT System components (categorization name)
- e.g. Risk management components (categorization name)
3) Inventory & categorise assets
- Attributes of each categorized asset
- People, procedures, data/information, software, hardware, and networking
Example:
People: position name/number/ID
Procedures: descriptions, purpose, elements tied to
Data: classification, owner/creator/manager, size, who uses it?
4) Classify & Prioritise assets
- Classification of information assets
- Reviewing classifications periodically
- Determine whether the asset categories are meaningful
Information Asset:
- Reflects asset sensitivity and security priority
- Information assets are identified, categorized, classified
- Uses comparative judgments to ensure the most valuable information assets are given the highest priority
- Ask relevant questions
- Prioritization of assets (In Order of Importance)
5) Identify & Prioritise threats
- Prioritize and identify Threats and Threat-agents
- Threat assessments
6) Specify asset vulnerabilities
- Review each asset against each threat (producing a list of vulnerabilities that pose a potential risk to the organization)
- This list serves the next step, which is risk assessment
- TVA worksheet (list of assets and their vulnerabilities), weighted table of vulnerabilities
Plan & organise - Categorize system components - Inventory & categorize assets - Classify & Prioritise assets - Identify & Prioritise threats - Specify asset vulnerabilities