Chapter 2: IT Risk Assessment Flashcards
How does risk identification begin?
By documenting the assets of the organization and determining the value of an asset
Risk identification also includes…
Documenting threats that could pose a risk of damage to the organization
What is risk assessment?
A process used to identify and evaluate risk and its potential effects
Statistical inference that uses prior distribution data to determine the probability of a result
Bayesian Analysis
Provides a diagram to communicate risk assessment results by displaying links between possible causes, controls, and consequences. The cause of the event is depicted in the middle of the diagram and triggers, controls, mitigation strategies, and consequences branch off the knot.
Bow Tie Analysis
The purpose of this is to gather a large set of potential risk types or ideas
Brainstorming/Structured Interview
The process to determine the impact of losing the support of any resource
Business Impact Analysis
Combines the techniques of fault tree analysis and event tree analysis and allows for time delays to be considered
Cause and Consequence Analysis
Looks at the factors that contributed to a certain effect and groups the causes into categories which are then displayed using a diagram
Cause-and-effect Analysis
List of potential or typical threats or other considerations that should be of interest to the organization
Checklists
Uses expert opinion which is often received using two or more rounds of questionnaires
Delphi Method
A forward, bottom-up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes
Event Tree Analysis
Starts with an event and examines possible means for the event to occur and displays these results in a logical tree diagram
Fault Tree Analysis
Originally developed for the food safety industry for proactively preventing risk and assuring quality, reliability, and safety of processes
Hazard Analysis and Critical Control Points (HACCP)
A structured means of identifying and evaluating potential risk by looking at possible deviations from existing processes
Hazard and Operability Studies (HAZOP)
Examines the effect of human error on systems and their performance
Human Reliability Analysis (HRA)
A semiquantitative risk analysis technique that uses aspects of HAZOP data to determine risk associated with risk events. Also looks at controls and their effectiveness.
Layers of Protection Analysis (LOPA)
Used to analyze systems that can exist in multiple states and assumes that future events are independent of past events
Markov Analysis
A simulation used to establish the aggregate variation in a system resulting from variations in the system, for a number of inputs, where each input has a defined distribution and the inputs are related to the output via defined relationships
Monte Carlo Analysis
Looks at what threats or hazards may harm an organization’s activities, facilities, or systems
Preliminary Hazard Analysis
Analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment
Reliability-centered Maintenance
Examines possible future scenarios that were identified during risk identification
Scenario Analysis
Used to identify design errors or sneak conditions (latent hardware, software, or integrated conditions that may cause an unwanted event to occur)
Sneak Circuit Analysis
Uses structured brainstorming to identify risk, typically within a facilitated workshop
Structured “What If” Analysis
What are contributing factors in risk prevention, detection, and response?
Structure and culture of the organization
The risk management function should have an enterprise wide mandate that
Allows the risk management team to review and provide input into all business processes
The risk management function should participate in…
Incident management activities and be responsible for investigating incidents to ensure that all lessons are learned
Policies provide direction regarding…
Acceptable and unacceptable behavior and actions to the organization and send a clear message from senior management regarding the desired approach to the protection of assets and the culture of the organization
Policies give authority to the…
Staff of risk management, audit, and security teams of the organization to perform their job responsibilities
High level policy is issued by
Senior management as a way to address the objectives of the organization’s mission and vision statement
High level policy (aka overarching security policy) should require compliance with…
Laws and best practices, and state the goal of managing risk through protecting the organization’s assets
The next level of policies after the high level policy is…
Technical and functional
Where policies are out of date, unenforced, or incomplete, the risk practitioner should…
Underline the vulnerability and the risk it poses to the organization
A mandatory requirement, code of practice, or specification approved by external standards organizations
Standard
A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards
Procedures
A lack of standards and procedures will result in…
Undependable, inconsistent operations and may result in risk due to not detecting a risk event, noncompliance, or difficulty preventing an attack
What is risk identification?
The process of determining and documenting risk that an enterprise faces.
Some of the considerations that affect risk assessment related to technology:
Age of equipment
Expertise available for maintenance
Variety of vendors/suppliers
Documentation of systems
Availability of replacement parts
Ability to test systems or equipment
Operating environment and user expertise
Ability to patch/mitigate vulnerabilities
A key factor in the maturation of the processes and practices of an organization is the development of…
An enterprisewide approach to risk management, architecture, and business continuity
A lack of architecture often results in:
Controls that overlap
Controls that conflict with one another
Unidentified single points of failure
Unidentified methods to bypass controls
Inadequate network isolation
Controls are implemented to…
Mitigate risk or comply with regulations
An alternate form of control that corrects a deficiency or weakness in the control structure of the enterprise; may be considered when an entity cannot meet a requirement explicitly, as stated, due to legitimate technical or business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls
Compensating controls
Remediate errors, omissions, and unauthorized uses and intrusions, once they are detected
Corrective controls
Warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums
Detective controls
Provide warnings that can deter potential compromise, such as warning banners on login screens or offering rewards for the arrest of hackers
Deterrent controls
Mandate the behavior of an entity by specifying what actions are, or are not, permitted
Directive control
Inhibit attempts to violate security and include such controls as access control enforcement, encryption, and authentication
Preventive controls
The risk is much more serious if:
Controls are inadequate
The wrong controls are being used
Controls are ignored or bypassed
Controls are poorly maintained
Logs or control data are not reviewed
Controls are not tested
Changes to configuration of controls are not managed
Controls can be physically accessed and altered
The condition of the program at a point in time
Current state
Used to determine the state of IT risk on a regular basis and with scheduled reporting to management
Regular reviews of IT risk
An excellent source of analysis data and recommendations which are often related to the improvement of managerial, technical, and operational controls
Audits
The risk practitioner must test the performance of the control to ensure that it is…
Properly installed, operating correctly, and providing the desired result
Testing the control includes…
Testing both the technical and nontechnical aspects of the control
What are the nontechnical aspects of a control?
Rules governing the operation of the control
Procedures used in monitoring and operating the control
Proficiency of the staff responsible for the operation of the control
A thorough review of an incident can identify…
Weak controls
Poor detection
Inappropriate or ineffective response
Lack of training of staff
Interviewing operations staff and reviewing logs and trouble tickets may…
Indicate an unmitigated or recurring problem or trend within a system that may require remediation
Logs should contain a record of all important events that occur on a system such as…
Changes to permissions
System start up or shut down
Login or logout
Changes to data
Errors or violations
Job failures
A review of logs can identify…
Risk relevant events and can detect compliance violations, suspicious behaviors, errors, probes or scans, and abnormal activity
It is a careful, methodical review of the security controls for a system with the intent of discovering any weaknesses or potential gaps in the control framework that could allow a successful attack
Vulnerability assessment
Techniques for vulnerability assessments:
Social engineering
Physical security tests
Network probes and scans
Application vulnerability reviews
Possible vulnerabilities
Unpatched systems
Buffer overflows
Susceptibility to injection attacks
Unlocked server rooms
Exposed cabling
Sensitive data left on unattended desks or screens
Open ports or services that are not required
Can be used to validate the results of a vulnerability assessment and prove whether the controls and countermeasures used by the organization are working correctly
Penetration test
The desired state of IT risk is closely linked to the
Risk acceptance level set by management
Challenges of data analysis
Are all of the data available?
Have any of the data been altered or changed?
Are the data in the correct format?
Are the data based on measuring important factors?
A predictive or diagnostic analytical tool that is used to explore the root causes or factors that contribute to positive or negative effects or outcomes and to identify potential risk
Cause and effect analysis
A technique that provides a systematic description of the combination of possible occurrences in a system, which can result in an undesirable outcome (top-level event) and combines hardware failures and human failure
Fault tree analysis
A quantitative risk analysis technique that helps to determine which risk factors potentially have the most impact and examines the extent to which the uncertainty of each element affects the object under consideration when all other elements are held at their baseline values
Sensitivity analysis
Examines the nature of the threat and the potential threat scenarios
Threat modeling
It is done by mapping the potential methods, approaches, steps, and techniques used by an adversary to perpetrate an attack
Threat modeling
Examines how a system will function and provide “use” for users
Use case modeling
Looks at all possible errors, mistakes, or ways a system can be misused
Misuse case modeling
Examines ways a system can be attacked and used for a purpose for which the system was never intended
Threat modeling
A process of diagnosis to establish the origins of events which can be used for learning from consequences, typically from errors and problems
Root cause analysis
A facilitated workshop where the group is told to pretend that the project has failed and then they are to discuss why it has failed
Pre-mortem
Based on documenting the desired state or condition of risk that management wants to reach and then carefully analyzing and evaluating the current condition of the organization; identifies the current gap or difference between the desired and current state so that corrective action can be taken when necessary
Gap analysis
It is a measure that determines how well the process is performing in enabling the goal to be reached; it is a good indicator of capabilities, practices, and skills
KPI Key Performance Indicator
A good method of indicating a trend that may have the potential to result in a problem in the future
Key Risk Indicator KRI
A measure that tells management, after the fact, whether an IT process has achieved its business requirements and is usually expressed in terms of information criteria
Key Goal Indicator KGI
Two main methods of analyzing risk
Quantitative and Qualitative
Based on numerical calculations, such as monetary values, and is most suitable for supporting cost-benefit analysis calculations because all IT risk can be compared to the cost of a control and the value of the benefit that the control would provide
Quantitative risk assessment
Quantitative risk assessment is often based on the…
Calculation of the impact of a single risk event and of what the event would cost, including direct costs (loss of sales) and indirect costs (damage to reputation)
One challenge with all risk assessment approaches is
The problem of forecasting the likelihood or frequency of a risk event
To properly use data from a quantitative risk assessment
The cost of the risk is often calculated on an annual basis
Based on scenarios or descriptions of situations that may have occurred or may occur
Qualitative Risk Assessment
The development of scenarios may be based on
Threats
Vulnerabilities
Asset/impact
Examines a risk event from the basis of what threat sources (threat agents) exist and the threats that can be launched against the organization
Threat-based scenario
The threat-based scenario would
Identify the potential method of attack
The vulnerabilities exploited
The intent and skill of the attacker
The potential damage to the assets affected
Examines the organization’s known vulnerabilities and attempts to determine the threats that could exploit those vulnerabilities and the impact
Vulnerability-based scenario approach
Based on the identification of critical and sensitive assets and the potential ways that an asset could be damaged
Asset/impact approach
Combines the value of qualitative and quantitative risk assessment
Semiquantitative risk assessment
In the semiquantitative approach, the risk practitioner creates
A range of values used to assess risk
It is derived from a combination of all the components of risk including the recognition of the threats and the characteristics and capabilities of a threat source, likelihood, vulnerabilities, severity of the vulnerability, likelihood of attack success and level of impact of a successful attack
Risk ranking
OCTAVE
Operationally Critical Threat Asset and Vulnerability Evaluation
This process-driven methodology is used to identify, prioritize, and manage information security risk
OCTAVE
OCTAVE helps organizations:
Develop qualitative risk evaluation criteria based on operational risk tolerances
Identify assets that are critical to the mission of the organization
Identify vulnerabilities and threats to the critical assets
Determine and evaluate potential consequences to the organization if threats are realized
Initiate corrective actions to mitigate risk and create a practice-based protection strategy
It is a comprehensive, systematic, context-driven and self-directed evaluation approach
OCTAVE
The OCTAVE process is based on three primary phases:
- Build asset-based threat profiles (organizational evaluation)
- Identify infrastructure vulnerabilities (technological evaluation)
- Develop security strategy and mitigation plans (strategy and plan development)
When assessing risk, it is important to measure…
The capability and maturity of the risk management processes of the organization
Key elements used to measure IT risk management capability:
Support of senior management
Regular communication between stakeholders
Existence of policy, procedures, and standards
Completion of a current BIA
Logging and monitoring of system activity
Regular review of logs
Scheduled risk assessments and reviews
Testing of BCPs and DRPs
Training of staff
Involvement of risk principles and personnel in IT projects
Gathering feedback from users and stakeholders
Validating the risk appetite and risk acceptance levels
Time to detect/resolve a security incident
The impact of risk is a measure of the
Impact on the business
The risk response would have to be chosen based on
Business-related considerations more than on IT factors
IT management must play an active role in
Mitigating risk and supporting risk management activities
It focuses on producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there
Enterprise Architecture (EA)
What should the Enterprise Architecture answer? (4 questions)
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting the benefits?
- Are we getting them well done?
The risk associated with an IT system is a combination of
the risk associated with each element that makes up an IT system
Examples of hardware
CPU
Motherboards
RAM
ROM
Networking components
Firewalls and gateways
Keyboards
Monitors
Examples of risk associated with hardware
Outdated hardware
Poorly maintained hardware
Misconfigured hardware
Poor architecture
Lack of documentation
Lost, misplaced, or stolen hardware
Hardware that is not discarded in a secure manner
Sniffing or capturing traffic
Physical access
Hardware failure
Unauthorized hardware
Software includes
applications, operating systems, utilities, drivers, middleware, application program interfaces (APIs), database management systems (DBMS) and network operating systems that manage data, interface between systems, provide a user interface to hardware, and process transactions on behalf of the user
Risk associated with software
Logic flaws or semantic errors
Bugs (semantic errors)
Lack of patching
Lack of access control
Disclosure of sensitive information
Improper modification of information
Loss of source code
Lack of version control
Lack of input and output validation
What is an operating system?
It is the core software that allows the user to interface with hardware and manages all system operations
Risk associated with operating systems
Unpatched vulnerabilities
Poorly written code (buffer overflows, etc.)
Complexity
Misconfiguration
Weak access controls
Lack of interoperability
Uncontrolled changes
What is an application?
The face of the information system and is the mechanism by which users can access information, perform transactions and use system features
Risk associated with applications
Poor or no data validation
Exposure of sensitive data
Improper modification of data
Logic flaws
Lack of version control
Loss of source code
Weak or lack of access control
Lack of operability with other software
Back doors
Poor coding practices
Utilities can include two separate areas of concern:
- environmental control
- those that support the use of system resources
Environmental controls include:
power
heating, ventilation, and air conditioning systems (HVAC)
Risks associated with environmental control utilities
Power interruptions
- Loss of power
- Surge
- Spikes
- Sags
- Brownouts
- Faults
- Generators that are poorly maintained and outdated
HVAC
- Overheating
- Humidity problems
- Corrosion and condensation (high humidity)
- Static (low humidity)
- Clogged filters
- Lack of maintenance
Water
- Loss of water (needed for cooling systems)
- Health and safety issues
Secure operational areas
- Restricted access to server rooms
- Secure access to power supplies, generators, elevator shafts
Risk associated with software utilities
Use of outdated drivers
Unavailability of drivers
Unpatched drivers
Use of insecure components
Unpatched vulnerabilities
Samples of network devices
cabling
repeaters
switches
routers
firewalls
gateways
wireless access points
What is a network?
A system of interconnected computers and the communication equipment used to connect them
Uses of a network
transferring data between individuals
transferring data between applications
controlling and monitoring of remote equipment
backing up data
enabling communication between devices
When assessing network-based risk, risk associated with the following must be examined
network configuration and management
network equipment protection
the use of layered defense
suitable levels of redundancy
availability of bandwidth
use of encryption for transmitting data
encryption key management
use of certificates to support PKI
damage to cabling and network equipment
tapping network communications and eavesdropping on communications
choice of network architecture
documentation of network architecture
Types of cabling
UTP
coaxial
fiber
Concerns with regards to cabling
Physical security of cabling
Cable runs that exceed the approved length
Protection from damage to cabling (conduit)
Use in an area of high radio frequency interference (may require shielding)
Use of cable that is not of suitable standard
Ensuring use of plenum-rated cable where required
Improper terminations of cable on connectors
Lack of cabling records
What are repeaters?
Devices used to extend the length of a signal being transmitted over cable or wireless networks
Advantage of a repeater
it can filter out some noise or errors that may be affecting traffic
Risk with repeaters
ensuring that there are enough repeaters in use to provide a clean, error-free signal
a wireless repeater providing a strong signal into areas outside the perimeter of the organization’s facilities could allow unauthorized access
What are switches?
they are used to connect devices together
What can switches do?
forward packets to a destination
divide networks through configuration
perform routing functions
perform address translation
perform load balancing
Risks associated with switches
Physical protection of the switch
Ensuring proper configuration of the switch
Documentation
Being a single point of failure
What is the purpose of a router?
To connect multiple networks together and forward incoming packets in the direction of the destination IP address that is in the packet header
What is the delay in processing called?
Latency
What are the risks associated with routers?
Improper configuration
Use of weak protocols
Software bugs
Unpatched systems
Physical security
What is a firewall?
A system or combination of systems that enforces a boundary between two or more networks
A simple packet filtering router that examines individual packets and enforces rules based on addresses, protocols, and ports
First generation
Keeps track of all connections in a state table. This allows it to enforce rules based on packets in the context of the communications session
Second generation
Operates at layer seven and is able to examine the actual protocol being used for communications. This is much more sensitive to suspicious activity related to the content of the message itself
Third generation
Sometimes called deep packet inspection and is an enhancement to the third generation firewalls and brings in the functionality of an intrusion prevention system
Next generation
Firewall logs must be
reviewed regularly to detect any suspicious activity
What is a proxy?
A proxy is a device that acts as intermediary between two communicating parties.
What is a Domain Name System?
It is a mechanism that makes the Internet work. It is a simple cross-reference used to associate a normal name with an IP address used by network devices
Risks with DNS
False DNS replies
Cybersquatting
Exploiting the DNS
What is the risk with wireless access points?
Unauthorized people are able to log in
Installation of rogue or unauthorized wireless access points
How to address risks with wireless access points?
Segmenting the wireless access points in a location that is not subject to interference from other devices or near a window
Strong password requirements
This topology connects every device onto one bus or communication path
bus network topology
what is the risk with a bus network topology?
A cut cable may result in total network failure and it is relatively easy to sniff a bus network
What control can be used for a bus network topology?
Encrypted VPN must be used on cable modem Internet access
In this topology, every device is connected to a central switch
Star topology
What is the risk with the star topology?
The central switch is a single point of failure
In this topology, it is a series of star networks arranged with branches to other star networks in a tree type structure
Tree network topology
What is the risk with the tree network topology?
A cut link between the branches of the tree can cause isolation of that branch
What is a ring network topology?
A ring connects every device into one ring and passes traffic from device to device around the ring
What is a mesh network topology?
Many devices are connected to many other devices in a mesh, so that traffic can route around a failure in any part of the network
What is a LAN?
A communication network that serves several users within a specified geographical area, such as a building or a department
What is a WAN?
A computer network connecting different remote locations that may range from short distances, such as a floor or a building, to extremely long transmissions that encompass a large region or several countries
What is a leased line?
A leased or rented line from a supplier provided for the sole use of the organization that leases the line. It is a private network.
What is a packet-switching network?
This allows a communications network to be shared by multiple organizations, thereby reducing the cost considerably
What is a microwave?
A line-of-sight technology where the sending and receiving stations need a clear line of sight between each other
What is optical?
Similar to microwave but built on laser technology; optical communication is also line of sight
What is satellite communications?
It has enabled communications from remote areas where it was not previously possible to provide other forms of communications
What is VPN?
It is a secure private network that uses public telecommunications.
What are the risks in network implementation?
Risks relating to the:
suitability of the network architecture
the proper configuration and management of the network devices
the ongoing monitoring of network performance
What is the DMZ?
The area of the network that is accessible to outsiders through the Internet
What is the extranet?
A network that is accessible to outsiders and used for trusted communications such as communicating with business partners
What is UI (user interface)?
The way a user interfaces with an application or a system.
What are risks to data management?
Lack of clear ownership
Improper data management/ data leakage
Compliance with data management policies and procedures
What must the risk practitioner do regarding new threats and vulnerabilities?
Must ensure that new and emerging risk is identified and evaluated and that the organization is aware of and watching for new and emerging threats and vulnerabilities. The risk practitioner should work with the business and system owner to perform a threat analysis and determine if and how the organization should respond
What must the risk practitioner do regarding emerging technologies?
Consider potential risk and controls for the application of these technologies that may present value to the organization
Assess and evaluate the approach of the organization to accepting new technologies and the attitude of the security team and IT operations toward reviewing and securing new technologies as they become available
What must the risk practitioner do regarding industry trends?
Assess the maturity of the IT department and the organization as a whole toward monitoring and adapting to new market trends
What are relevant contractual requirements for outsourcing?
right to audit clauses
security and BCP/DRP reviews
staffing reviews
regulatory reviews
outsourcers and third party affiliate reviews
right for early termination
security and continuity requirements
service level agreements
What are the reasons for failure of IT projects?
Unclear or changing requirements
Scope creep
Lack of budget
Lack of skilled resources
Problems with technology
Delays in delivery of supporting elements/equipment
Unrealistic timelines
Lack of progress reporting
Lack of good project management can lead to:
Loss of business
Loss of competitive advantage
Low morale among staff members
Inefficient processes
Lack of testing of new systems or changes to existing systems
Impact on other business operations
Failure to meet SLAs or contractual requirements
Failure to comply with laws and regulations
What are the key tasks to be performed during the SDLC?
Security categorization of the system
BIA
Privacy impact assessment
Use of a secure information systems development policy
Awareness of vulnerabilities with selected technology or operational environment
What is the purpose of BCPs and DRPs?
To enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities
What is the first step in preparing a new BCP?
To identify business processes of strategic importance
Based on the key processes, the risk assessment should identify the following:
The human resources, data and infrastructure elements, and other resources that support the key processes
A list of potential vulnerabilities - dangers and threats
The estimated probability of the occurrence of these threats
The efficiency and effectiveness of existing risk mitigation controls
Business continuity planning is primarily the responsibility of
the senior management, because they are entrusted with safeguarding the assets and the viability of the organization
Business continuity planning takes into consideration:
those critical operations that are necessary to the survival of the organization
the human/material resources supporting them
Besides the plan for the continuity of operations, the BCP should also include
the DRP that is used to recover a facility rendered inoperable, including relocating operations
the restoration plan that is used to return operations to normality
A single integrated plan ensures that:
there is proper coordination among various plan components
resources committed are used in the most effective way and there is reasonable confidence that the organization will survive a disruption
Incident management starts with
the preparation and planning that build an incident response plan (IRP)
The primary focus of incident management is
to get the organization’s affected systems and operations back into normal service as quickly as possible
RTO
recovery time objective
RPO
recovery point objective
The recovery of critical business processes may be through an alternate process, including
manual process or outsourced support
having sufficient inventory on hand
using facilities available at another office or location
displacing less critical work with more critical functions
The core source of data used in business continuity planning is a
BIA
The BIA examines the
impact of an outage on the business over the length of time of the outage
Disaster recovery planning is
the recovery of business and IT services following a disaster or incident within a predefined schedule and budget
The risk practitioner should review the BCP/DRP to ensure that
they are up to date, reflect risk scenarios and business priorities, and have been tested
Exceptions should only be allowed through a
documented, formal process that requires approval of the exception from a senior manager
After an exception is no longer needed
the exception should be removed
Who is tasked with making the decision of what the best response is to the identified risk?
Risk owner
To ensure accountability, the ownership of risk must be
with an individual, not with a department or the organization as a whole
The results of the risk assessment should be compiled into a
risk assessment report for submission to senior management