CGRC Week 6 Flashcards
What are the 5 risk control strategies, and what does each of them involve?
Avoidance/Defend
- Prevent vulnerabilities by applying policies, training, and technology.
Transfer
- Shift risks to external parties (e.g., outsourcing or insurance) because they are more experienced in dealing with those risks.
Mitigate
- Incident Response Plan (IRP): Actions during an incident
- Disaster Recovery Plan (DRP): Recovery after an incident
- Business Continuity Plan (BCP): Ensures ongoing operations.
Accept
- Accept the risk if the costs of mitigation exceed the benefits. This is only valid if a particular asset does not justify the cost of protection.
Terminate
- Avoid activities that pose uncontrollable risks. Seek alternative methods/solutions to meet customer needs.
What are Feasibility studies?
They provide a structured way to assess whether a proposed control is worth implementing.
What are the items that affect the cost of a control?
Cost of Development
Cost of Maintenance
Implementation Costs
Service Costs
Training Fees
What is Quantitative assessment?
Uses numerical data (e.g., Cost-Benefit Analysis)
Includes Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE)
What is Qualitative assessment?
Uses non-numerical measures (e.g., scales, expert opinion).
What is the Single Loss Expectancy (SLE) formula? What is it associated with?
SLE = Asset Value x EF (Exposure Factor)
It is associated with the LOSS from an attack.
EF (Exposure Factor): the expected percentage of loss that would occur from a particular attack.
What is a Cost-Benefit Analysis?
A process that evaluates the **worth of the assets** to be protected and the **loss of value** when they get compromised.
Is Qualitative or Quantitative Assessment best suited for organisations?
Qualitative Assessment, because it provides scales and expert opinions rather than just an estimate of a numerical value.
What is Single Loss Expectancy (SLE)?
It is a calculation of the LOSS from an attack.
SLE = Asset Value x EF (Exposure Factor)
What is Annualised Rate of Occurrence (ARO)?
It indicates how often/likely an attack is expected to successfully occur in A YEAR.
Example: If an attack occurs once every 2 years ⇒ ARO = 0.5
What is Annualised Loss Expectancy (ALE)?
It is the overall expected loss (per risk) incurred by an attack (i.e., by exploiting a vulnerability) in each year.
ALE = SLE x ARO
What is the Cost-Benefit Analysis (CBA) Formula?
CBA = ALE (Prior) - ALE (Post) - ACS
ALE (Prior): Before implementation of the control
ALE (Post): After the control is in place
ACS: Annualised Cost of the Safeguard
What are some recommended Risk Control Practices?
1) Spend up to the value of an asset
2) Implement balanced security controls, maximising protection across MULTIPLE assets
3) Simpler, straightforward controls
What is benchmarking?
Observe how other organizations handle risks by studying and seeking out their practices, and adopt them in your organization for improvement.
It’s basically about learning from others. What you learn, apply it.
What are the 2 measures used in benchmarking, and what does each focus on?
Metrics-based measures
- Focus on numbers and data to make comparisons. Their purpose is to rank the company against others in the industry.
Process-based measures
- Focus on how things are done, not just the outcomes. Their purpose is to help companies identify and bridge the gaps to achieve business goals.
What are the 2 categories that benchmarking uses, and what do they involve?
1) Standards of:
Due Care:
- Shows the organization has already done what any other company would do in similar circumstances (evidence and proof that the organization tried this method).
Due Diligence:
- Shows diligence in ensuring that implemented standards and controls continue to be effective in protection.
2) Best practices
Does your organization match with the target organization?
* Does your company look similar to the one using the best practice?
Do you have similar resources?
* Do you have the same level of e.g. budget, technology, and skills?
Are You in the Same Threat Environment?
* Are the risks you face similar to the company using the best practice?
What are some problems faced with benchmarking and best practices?
1) Organizations don’t talk to each other
2) No identical organizations
3) Best practices are moving targets
What should be done once a control strategy has been selected and successfully implemented?
Controls should be monitored and adjusted (if needed) on an on-going basis.
This process continues as long as the organization continues to function.