Chapters 4 - 6 Flashcards
What is Risk Management?
Identification, assessment and prioritization of risks
What are the Two Formal Processes of Risk Management?
- Risk Identification and Assessment
- Risk Control
Who are the Communities of Interest in Risk Management?
- Information Security: leadership role in addressing risk
- Information Technology: building and maintaining secure systems
- Management: resource allocation and security prioritization
- Users: crucial in early detection and proper response to threats
What are the Steps of Risk Management?
- Evaluating Risk Controls
- Determining Cost Effective Control Options
- Acquiring and Installing Appropriate Controls
- Overseeing Processes for Effectiveness
- Identifying Risks
- Assessing Risks
- Summarizing Findings
What are the Steps of Risk Identification?
- Plan and Organize Process
- Create System Component Categories
- Develop Inventory of assets
- Identify Threats
- Specify Vulnerable Assets
- Assign Value or Impact Rating to Assets
- Assess Vulnerability Likelihood
- Calculate Asset Relative Risk Factor
- Preliminary Review of Possible Controls
- Document Findings
How do you Inventory Information Assets?
- Identify Information Assets
- Determine Which Attributes of Each Information Asset Should be Tracked
What is Asset Ranking?
- Determine the Value of Assets
- Prioritize According to Value
What is an Asset Classification Scheme?
- Categorizes information assets based on sensitivity
- Each category designates level of protection
- Must be comprehensive and mutually exclusive
What are Relative Values?
Comparative judgements made to ensure the most valuable information assets are given the highest priority
What is Threat Identification?
Assesses IT vulnerabilities and their capacity to compromise a system
What is Vulnerability Assessment?
The process of defining, identifying, classifying, and prioritizing vulnerabilities
What is Risk Assessment?
Create a method to evaluate the relative risk of each listed vulnerability
What is the Extended Risk Formula?
Risk = Probability of Attack * Probability of Successful Attack * Value Lost on Successful Attack
What are the Goals of the Risk Management Process?
- Identify Information Assets and their Vulnerabilities
- Rank them According to Sensitivity
What is the Goal of the Risk Identification Process?
- Designate the Function of the Report
- Define who is Responsible for Preparing and Reviewing the Report
What is Risk Control?
Identifying Possible Controls
What are the Three General Categories of Control?
- Policies
- Programs
- Technical Controls
What are the Four Basic Strategies for Controlling Risk?
- Avoidance: applying safeguards against risks
- Transference: shifting risk to other areas or outside entities
- Mitigation: reducing impact of vulnerabilities
- Acceptance: accepting risk without control or mitigation
What are the Types of Mitigation Plans?
- Disaster Recovery Plan (DRP)
- Incident Response Plan (IRP)
- Business Continuity Plan (BCP)
What is a Metric?
- A measurement of a periodic or ongoing activity
- Used by management to measure key processes for their effectiveness
What are the Three Metric Categorizations?
- Key Risk Indicators (KRI): metrics associated with risk measurement
- Key Goal Indicators (KGI): metrics that portray attainment of strategic goals
- Key Performance Indicators (KPI): metrics that show the efficiency or effectiveness of security-related activities
What is Security Control?
Measures that reduce risk by eliminating or preventing harm or discovering and reporting it
What are the Types of Control Classifications?
- Management Controls
- Operational Controls
- Technical Controls
What are Management Controls?
Focuses on the selection of operational and technical controls to reduce risk of loss
What are Operational Controls?
Address control implementation and use of security policies and standards
What are Technical Controls?
Involve the correct use of hardware and software security capabilities in systems
What are the Types of Control Classes?
- Supportive Controls
- Preventative Controls
- Detection and Recovery Controls
What are Supportive Controls?
Pervasive, underlying technical IT security capabilities that are interrelated and used by other controls
What are Preventative Controls?
Focuses on preventing security breaches by inhibiting security violation attempts
What are Detection and Recovery Controls?
Focuses on security breach responses by warning of security violations or attempted violations
What is a Cost-Benefit Analysis?
- Identify controls that provide the greatest benefit given the available resources
- Contrast the impact of implementing a control or not
- A business decision
What is an IT Security Plan?
Details the actions needed to address the identified deficiencies in the risk profile
What details should be provided by the IT Security Plan?
- What will be done
- What resources are needed
- Who is responsible
What should be Included in the IT Security Plan?
- Risks, recommended controls, priorities
- Selected controls, needed resources
- Responsible personnel, implementation dates
- Maintenance requirements
What are IT Security Plan Documents?
- What needs to be done for each selected control
- Responsible personnel
- Resources and time frame
What are Identified Personnel?
- Implement new or enhanced controls
- May need system config changes, upgrades, or installs
- May involve development of new or extended procedures
- Need to be encouraged and monitored by management
How is security management a cyclic process?
It constantly needs to be repeated to respond to changing IT systems and the risk environment
What is included in Implementation followup?
- Maintenance of security controls
- Security compliance checking
- Change and configuration management
- Incident management
Why is Maintenance and Monitoring Important?
Ensure the continued correct functioning and appropriateness of implemented controls
What are the Tasks of Maintenance?
- Periodic review of controls
- Upgrade controls to meet new requirements
- Ensure system changes do not impact controls
- Address new threats or vulnerabilities
What is Security Compliance?
- An audit process that reviews security processes to ensure the system complies with the security plan
- Checks if suitable policies and controls are maintained and used correctly
What is Change Management?
- Process in reviewing proposed changes
- May be formal or informal
- Test patches to ensure no adverse effects on other applications
What is Configuration Management?
- Keeps track of configurations of each system in use and the changes done to them
- Know what patches or upgrades might be relevant
- Lists of hardware and software versions to help with restoration following a failure