Governance Flashcards
Risk Assessment
o Identify and Valuate Assets
o Identify Threats and Vulnerabilities
Risk Analysis
o Qualitative (ranked scales such as high/medium/low)
o Quantitative (best when the data exists: dollar figures via AV, EF, ARO, SLE and ALE)
Risk Mitigation/Response
o Reduce / Avoid
o Transfer
o Accept / Reject (rejecting, i.e. ignoring, a known risk is not a legitimate response)
Risk Management
1. Risk Assessment
2. Risk Analysis
3. Risk Mitigation/Response
4. Ongoing Risk Monitoring
TCO
Total Cost of Ownership (TCO)- total cost of a mitigating safeguard over its lifetime: purchase, deployment, operation, maintenance and training, not just the purchase price. Annualize it before comparing it with ALE.
Threat
potentially harmful occurrence (e.g. earthquake, attack)
Vulnerability
a weakness that allows a threat to cause harm
Impact
consequences or severity of the damage, sometimes expressed in dollars
AV
Asset Value (AV)- value of tangible assets (e.g. equipment costs) and intangible assets. Intangible assets are valued by:
- Market approach- price at which comparable assets have been purchased
- Income approach- the present value of the future earning capacity
- Cost approach- the cost incurred to recreate or replace the asset
EF
Exposure Factor (EF)- percentage of an asset's value lost in a single incident (0% to 100%)
ARO
Annualized Rate of Occurrence (ARO)- expected number of occurrences per year; may be fractional (an incident expected once every 10 years has ARO = 0.1)
SLE
Single Loss Expectancy (SLE)- cost of a single loss; SLE = AV x EF
ALE
Annualized Loss Expectancy (ALE)- annual cost of loss due to risk; ALE = SLE x ARO
ROI
Return on Investment (ROI)- money a safeguard saves per year. The card formula ROI = ALE - TCO assumes the safeguard eliminates the risk; in general, value of safeguard = ALE (before) - ALE (after) - annualized cost of safeguard. A negative result means the control costs more than the risk it removes.
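Worked example of the AV, EF, ARO, SLE and ALE chain and of safeguard ROI, added here as an illustration; it is not part of the original flashcards. The asset figures, safeguard names and costs are constructed for the example. It carries the ROI formula one step further than the card by subtracting the residual ALE that remains after a control is deployed, so that an over-priced control shows up as a negative value.

```python
"""Quantitative risk analysis: SLE = AV x EF, ALE = SLE x ARO, safeguard value.

Added example, not from the flashcards. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    av: float   # Asset Value in dollars
    ef: float   # Exposure Factor: fraction of AV lost per incident (0.0 to 1.0)
    aro: float  # Annualized Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # annualized TCO: purchase, deployment, operation, upkeep
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # occurrence rate once the control is in place


def residual_ale(asset: Asset, sg: Safeguard) -> float:
    """ALE that remains after the safeguard is deployed (risk is rarely zeroed)."""
    return Asset(asset.name, asset.av, sg.new_ef, sg.new_aro).ale()


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """Annual value of a safeguard:
    (ALE before) - (ALE after) - annualized safeguard cost.
    The card's ROI = ALE - TCO is the special case where ALE after is zero."""
    return asset.ale() - residual_ale(asset, sg) - sg.annual_cost


def rank_safeguards(asset: Asset, options: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, value) pairs, best first; negative value = not worth buying."""
    scored = [(sg.name, safeguard_value(asset, sg)) for sg in options]
    return sorted(scored, key=lambda nv: nv[1], reverse=True)


# Constructed sample: a customer database worth $1M, a breach costs 25% of it,
# and one is expected every five years (ARO 0.2).
CUSTOMER_DB = Asset("customer-db", av=1_000_000, ef=0.25, aro=0.2)

# Constructed safeguard options (hypothetical names and prices).
SAFEGUARDS = [
    Safeguard("accept (no control)", annual_cost=0, new_ef=0.25, new_aro=0.2),
    Safeguard("encryption+backups", annual_cost=15_000, new_ef=0.05, new_aro=0.2),
    Safeguard("gold-plated DLP", annual_cost=60_000, new_ef=0.02, new_aro=0.1),
]


def worked_example() -> list[tuple[str, float]]:
    """Rank the constructed safeguards against the constructed asset."""
    return rank_safeguards(CUSTOMER_DB, SAFEGUARDS)


if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    for name, value in worked_example():
        print(f"{name:22s} annual value {value:>10,.0f}")
```

Running it shows SLE = 250,000 and ALE = 50,000; "encryption+backups" is worth 25,000 a year, doing nothing is worth 0, and the DLP option comes out at -12,000 because its annual cost exceeds the risk it removes.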
Risk Option
Risk Options- Accept, Mitigate (reduce), Avoid, Transfer (e.g. insurance), Reject (ignore; not a legitimate option and fails due care)
NIST (800-30) Risk Management Process
NIST (800-30) Risk Management Process (original 2002 edition):
1. System characterization
2. Threat ID
3. Vulnerability ID
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
(SP 800-30 Rev. 1, 2012, restructures this into prepare for, conduct, communicate and maintain the assessment.)
Due Care
Due Care- doing what a reasonable, prudent person would do in the same situation; acting on what Due Diligence has found (e.g. patching a system after a vulnerability scan reports a flaw)
Due Diligence
Due Diligence- researching, investigating and documenting so that Due Care can be exercised knowingly (e.g. running the vulnerability scan, vetting a vendor before signing)
Best Practice
Best Practice- consensus on the best way to accomplish something; demonstrates due care and due diligence
ISO 27001
ISO 27001- specification for an information security management system (ISMS). Organizations that meet the standard may gain an official certification, issued by an independent and accredited certification body on completion of an audit
ISO 27002
ISO 27002 (was ISO 17799; the 2005 edition was renumbered 27002 in 2007)- Focused on best practices/techniques for IS; the 2005 edition has 11 areas:
1. Policy
2. Organization of information security
3. Asset Management
4. HR Security
5. Physical & Environmental security
6. Communications and Operations management
7. Access Control
8. Info systems acquisition, development & maintenance
9. Info security incident management
10. Business continuity management
11. Compliance
ITIL
ITIL (Information Technology Infrastructure Library)
1. Framework for providing best practices on IT Service Management (ITSM)
2. Five core publications (ITIL v3/2011 service lifecycle):
   1. Service Strategy
   2. Service Design
   3. Service Transition
   4. Service Operation
   5. Continual Service Improvement
PCI DSS
PCI DSS- Payment Card Industry Data Security Standard; a contractual (not legal) standard maintained by the PCI Security Standards Council, binding on anyone who stores, processes or transmits cardholder data
COBIT
COBIT (Control Objectives for Information and related Technology)- ISACA's IT governance and management framework; focused on aligning IT goals with business goals