Chapter 1: Information Security & Risk Management Flashcards
Understanding an organization's mission, objectives, and goals…
is necessary for protecting its assets.
Mission
Statement of ongoing purpose and reason for existence
Objectives
Statements of activities or end-states that the org wishes to achieve.
Observable & measurable
Goals
Specify particular accomplishments that enable the org to meet its objectives
–1– enable org to meet –2– which support the –3– and describe how it will be fulfilled
1-Goals
2-objectives
3-mission
Risk Management (RM)
“Process of determining the max acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if it is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”
(Find the level of risk associated with a given asset or activity and do something about it if needed)
Risk Assessment (RA)
Activities used to discover, analyze, and describe risks.
Qualitative Risk Assessment (QLRA)
Assets (software apps, info systems, business equipment, or buildings, etc.) are reviewed for known vulnerabilities against a database of potential vulnerabilities. The risk is then measured against relative scales to determine the probability of a threat exploiting the vulnerability
QLRA typically identifies
Vulnerabilities
Threats
Threat probability
Countermeasures
Vulnerabilities
Weakness in design, configuration, documentation, procedure, or implementation
Threats
Activities (if they occurred) that would exploit specific vulnerabilities
Threat probability
An expression of likelihood that a specific threat will occur
Low-Medium-High
(1-5 or 1-10)
Countermeasures
Actual or proposed measures that reduce the risk associated with vulnerabilities or threats
Quantitative Risk Assessment (QNRA)
Extension of QLRA that includes additional elements
QNRA includes…
Asset value
Exposure factor
Single loss expectancy
Annualized rate of occurrence
Annual loss expectancy
Asset Value (AV)
Dollar value representing the replacement cost of an asset or the income derived from using an asset
Exposure Factor (EF)
Proportion of an asset’s value (%) that is likely to be lost through a particular threat
(Impact of a specific threat on an asset)
Single Loss Expectancy (SLE)
Cost of a single loss through the occurrence of a particular threat
SLE = asset value ($) x exposure factor (%)
SLE = AV x EF
Annualized Rate of Occurrence (ARO)
Probability (%) that a loss will occur within a year's time
Can be greater than 100% if it may occur more than once
Annual Loss Expectancy (ALE)
Yearly estimated loss of an asset
ALE = ARO x SLE
Quantifying countermeasures can include…
costs of countermeasures, changes in exposure factor, changes in single loss expectancy.
(Geographical considerations can also be used if pertinent)
Specific risk assessment methodologies
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FRAP (Facilitated Risk Analysis Process)
Spanning Tree Analysis
NIST 800-30, Risk Management Guide for Information Technology Systems
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation: analysts identify assets and their criticality, identify vulnerabilities and threats, evaluate risks, and create a protection strategy to reduce risk
FRAP
Facilitated Risk Analysis Process: QLRA used to pre-screen a subject and determine if a full-blown QNRA is needed
Spanning Tree Analysis
Visual method of identifying categories of risks as well as specific ones
NIST 800-30
Risk Management Guide for Information Technology Systems: document that describes a formal approach to RA that includes threat and vulnerability identification, control analysis, impact analysis, and a matrix depiction of risk determination and control recommendations
Risk Treatment
After QLRA and/or QNRA are performed, the four general ways to handle the risks are:
Risk acceptance
Risk avoidance
Risk reduction
Risk transfer
Risk Avoidance
Most extreme; associated activity is discontinued
Risk Reduction
Also called “Risk Mitigation”; uses countermeasures to reduce risk
Risk Reduction techniques include:
Firewalls
Intrusion detection systems
DMZ networks
Risk Acceptance
In a typical LOW-MEDIUM-HIGH ranking, risks labeled as LOW may be accepted
Risk Transfer
Typically uses insurance as a means of mitigating risks; usually involves a cost (insurance premiums) that would need to be included in QNRA
Residual Risk
This is the risk that remains after the four risk treatment techniques have been applied