CGRC Week 4 Flashcards
What is Risk Assessment?
To determine the extent of the potential threat and risk associated with IT systems. Evaluates the relative risk for vulnerabilities by assessing threats, their likelihood, and potential impact.
What is Control Analysis?
To analyze existing or planned controls to reduce the likelihood of vulnerability exploitation.
Step 4: Control Analysis
What are the 2 types of control methods, and what are they?
1) Technical Controls
- Safeguards that are incorporated into computer hardware, software, or firmware (access control: who can access what; encryption methods; IDS/IPS)
2) Non-Technical Controls
- Management and operational controls (Framework, policies, training, physical security)
Step 4: Control Analysis
Technical and Non-Technical Controls can be classified as?
Preventive Controls (Prevent)
- Access controls, encrypting data; access restrictions that prevent violations of security policies
Detective Controls
- Audit logs (login, date, time, modifications and changes, etc.); monitoring for violations of security policies
Step 4: Control Analysis
What is the Control Analysis technique?
A security requirements checklist to verify compliance and identify gaps in an efficient and systematic manner
Step 4: Control Analysis
What is Likelihood Determination?
Likelihood determination is about estimating how likely it is that a given threat-source could successfully exploit a vulnerability in your system.
Step 5: Likelihood Determination
Factors to consider for the likelihood determination?
Threat-source motivation and capability
- How determined and capable is the attacker or threat to exploit the vulnerability?
Nature of the vulnerability
- How severe and easily exploitable is the vulnerability in your system?
Existence and effectiveness of current controls
- Are there any security measures (controls) in place to prevent or reduce the risk? Are they effective?
Step 5: Likelihood Determination
What is Impact Analysis?
Impact Analysis is about understanding how much damage (adverse impact) could result if a threat successfully exploits a vulnerability in a system. This could result in the loss or degradation of the CIA Triad (confidentiality, integrity, availability).
Step 6: Impact Analysis
What is Risk Determination?
To evaluate how much risk an IT system faces from the threats and vulnerabilities.
The risk for a threat/vulnerability pair can be expressed as a function of:
1) Likelihood that a specific threat will take advantage of a vulnerability
2) Magnitude of the impact
3) Adequacy of security controls
Step 7: Risk Determination
What is the formula for Risk Determination?
Risk = (Likelihood of vulnerability occurrence x Value (Impact)) - Risk under control + Uncertainty
Step 7: Risk Determination
What is the goal of the possible controls?
To reduce the level of risk that is associated with the IT system/data to an acceptable level
Step 8: Control Recommendations
What are the factors to consider for possible controls?
Effectiveness of recommended options (e.g., system compatibility)
- Are the controls compatible with existing systems?
Legislation and regulation
- Are the controls compliant with laws and regulations?
Organizational policy
- Do the controls align well with the organization's policies and standards?
Operational impact
- Will the controls disrupt operations?
Safety and reliability
- Are the controls safe to implement?
Cost-benefit analysis should be conducted for the recommended controls
Step 8: Control Recommendations
What are residual risks?
Risk that remains to an information asset even after existing controls have been applied
Step 8: Control Recommendations
What are the 3 categories of controls?
Policies
Programmes
Technologies
Step 8: Control Recommendations
What do you have to document in the results of a risk assessment?
1) Identification of information assets and their vulnerabilities
2) Ranking them according to their importance and need for protection
3) Factual information about the assets and the threats they face
4) Information about the existing controls
Step 9: Results Documentation
Why is the risk assessment report important?
To help senior management make informed decisions, such as on budget, policies, and system and management changes
Step 9: Results Documentation