Governance Flashcards
Risk Assessment
- Identify and Valuate Assets
- Identify Threats and Vulnerabilities
Risk Analysis
- Qualitative
- Quantitative (best)
Risk Mitigation/Response
- Reduce/Avoid
- Transfer
- Accept/Reject
Risk Management
- Risk Assessment
- Risk Analysis
- Risk Mitigation/Response
- Ongoing Risk Monitoring
TCO
Total Cost of Ownership (TCO)- total cost of a mitigating safeguard
Threat
potentially harmful occurrence (e.g. earthquake, attack)
Vulnerability
a weakness that allows a threat to cause harm
Impact
consequences or severity of the damage, sometimes expressed in dollars
AV
Asset Value (AV)- tangible (e.g. equipment costs) and intangible assets. Intangible assets are valued by:
- Market approach- price at which comparable assets have been purchased
- Income approach- the present value of the future earning capacity
- Cost approach- the cost incurred to recreate or replace asset
EF
Exposure Factor (EF)- percentage of an asset's value lost due to an incident
ARO
Annual Rate of Occurrence (ARO)- number of losses per year
SLE
Single Loss Expectancy (SLE)- cost of a single loss; SLE = AV x EF
ALE
Annualized Loss Expectancy (ALE)- annual cost of loss due to risk; ALE = SLE x ARO
ROI
Return on Investment (ROI)- money saved by implementing a safeguard; ROI = ALE - TCO
Risk Option
Risk Options- Accept, Mitigate, Transfer (e.g. insurance), Reject (ignore)
NIST (800-30) Risk Management Process
NIST (800-30) Risk Management Process:
- System characterization
- Threat ID
- Vulnerability ID
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
Due Care
Due Care- doing what a reasonable person would do; it is the act of performing Due Diligence
Due Diligence
Due Diligence- research, documentation & management of Due Care
Best Practice
Best Practice- consensus on the best way to accomplish something; demonstrates due care and due diligence
ISO 27001
ISO 27001- specification for an information security management system (ISMS). Organizations that meet the standard may gain an official certification, issued by an independent and accredited certification body on completion of an audit
ISO 27002
ISO 27002 (was ISO 17799 until 2005)- Focused on best practices/techniques for IS, with 11 areas:
- Policy
- Organization of information security
- Asset Management
- HR Security
- Physical & Environmental security
- Communications and Operations management
- Access Control
- Info systems acquisition, development & maintenance
- Info security incident management
- Business continuity management
- Compliance
ITIL
ITIL (Information Technology Infrastructure Library)
- Framework for providing best practices on IT Service Management (ITSM)
- Five practices (publications):
  - Service Strategy
  - Service Design
  - Service Transition
  - Service Operation
  - Continual Service Improvement
PCI DSS
PCI DSS- Payment Card Industry Data Security Standard
COBIT
COBIT (Control Objectives for Information and related Technology)- IT goals focused
COSO
COSO (Committee of Sponsoring Organizations)- business goals focused
OCTAVE
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Analysis)- approach in which analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on these findings to reduce risk
FRAP
FRAP (Facilitated Risk Analysis Process)- qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is forgone
Certification
Certification- a detailed inspection that verifies a system meets the security requirements; precedes and supports accreditation
Accreditation
Accreditation- the data owner's acceptance of the risk represented by the system; authorizes operation
NIST 4 step Certification and Accreditation process
NIST 4 step Certification and Accreditation process:
- Initiation
- Security Certification Phase
- Security Accreditation Phase
- Continuous Monitoring Phase