Chapter 2 - Information Risk Flashcards
Threat Categories
Physical Threats
Physical threats - include deliberate forms of threat, such as theft and vandalism, and also accidental threats, such as trackside cables becoming damaged.
Threat Categories
Outages and Failures
Outages and Failures - include such things as the absence of vital personnel, loss of power, hardware failures, software failures, and human error.
Threat Categories
Hacking and Abuse
Hacking and Abuse - amongst the most serious threats. Includes social engineering, DDoS and malware, mainly from outside the organization. Inside the organization this could include the likes of eavesdropping and information theft.
Threat Categories
Legal and Contractual
Legal and Contractual - essentially, threats arising from an organisation's failure to meet its legal or contractual obligations.
Threat Categories
Accidents and Disasters
Accidents and Disasters - most of these are accidental in nature, and include natural disasters such as floods, tsunamis, storms, etc. Can also include environmental disasters such as chemical leaks.
Accidental Vs Deliberate Threats
Accidental - sometimes referred to as hazards, especially when concerned with external factors. The implication is that no deliberate attempt has been made to carry out a threat.
Deliberate - occur when someone sets out with every intention of carrying out a threat.
Vulnerability Categorization
General Vulnerabilities
General Vulnerabilities - Include basic weaknesses in software, hardware, buildings, people, processes, or procedures.
Vulnerability Categorization
Information-specific Vulnerabilities
Information-specific Vulnerabilities - include unsecured computers (personal computers, hand-held devices, servers), unpatched applications and operating systems, unsecured network boundaries, etc.
Business Impact Assessment (BIA)
Determines the impact on one or more business assets for each threat. Once completed, an assessment is made of the likelihood or probability that vulnerabilities might be exploited, allowing the threats to be realized.
Risk Management - Risk Management Standards & Frameworks
There are several national and international standards for risk management including:
- NIST
- ISO/IEC 27005
Risk Management Methodologies Include:
- SABSA, OCTAVE, FAIR
Risk Management Process
Which Areas are included?
- Context Establishment
- Risk Assessment (Includes Risk Identification, Risk Analysis, Risk Evaluation)
- Risk Treatment
- Communication and consultation
- Ongoing monitoring and review
Context Establishment
Process of understanding what the organization's information assets are and how they fit into the overall business model.
Risk Identification
Identifying the threats - this should be carried out in conjunction with the understanding of any known vulnerabilities.
Risk Analysis
Having identified the impacts of each threat, the next task is to assess the likelihood of each occurring. Once this stage is complete, a risk matrix can be drawn - generally this is a 3 by 3 matrix with likelihood (not likely, likely, highly likely) on one axis and impact (low, medium, high) on the other.
Risk Appetite
The degree of risk an organization is willing to accept.
Risk Treatment
Having decided, from the output of the risk matrix, the priority in which to treat the risks identified, a risk treatment plan must be produced. This is when the decision to accept, avoid, reduce, or transfer each risk is made.
Communication and Consultation
It is essential throughout the entire risk management process that those conducting the work maintain good communications with other parts of the business, especially with those to whom the risks pertain.
Monitoring and Review
The final stage is to continue to monitor the findings and update them as the landscape changes over time.
What are the four options for treating risks? (strategic controls)
Avoid
Reduce
Transfer
Accept
Tactical risk management controls
Detective Controls
Preventative Controls
Corrective Controls
Directive Controls
- Detective controls - designed to identify information security incidents
- Preventative controls - designed to stop an incident from taking place (e.g. firewalls)
- Corrective controls - having identified an incident or error, these are controls designed to correct or patch the vulnerability
- Directive controls - also referred to as personnel controls; these are intended to inform users about what they may and may not do
Operational Risk Management Controls
- Physical Controls
- Procedural Controls
- Technical Controls
- Physical controls - place some form of device between an organization's assets and possible intrusion (barriers, restricted areas, etc.)
- Procedural controls - controls aimed at guiding users on the correct way of undertaking their work (procedural documents, policies, or training)
- Technical controls - based on both hardware and software (activity logging, detection systems, firewalls)
Approaches to Risk Assessment
Qualitative Risk Assessment
While essentially subjective, it may be the best course of action when hard facts relating to impacts and frequency of events are hard to come by.
Approaches to Risk Assessment
Quantitative Risk Assessment
This takes a much more factual approach and can use statistical evidence to support both impact and likelihood assessments.
Approaches to Risk Assessment
Semi-quantitative Risk Assessment
Alternatively, if facts and statistics are not easily obtainable or indeed trusted, then an approach can be taken whereby certain thresholds constitute low, medium, and high - i.e. if losses are 10k, 100k, or 1000k.