IS Risk Assessments Flashcards
What are the three possible IAP threat categories?
1) Intentional
2) Natural
3) Inadvertent
What are the 8 steps of an IAP Risk Assessment Process?
1) Identify information assets
2) Valuate information assets
3) Assess threats to information assets (likely adversaries)
4) Assess likelihood of threat occurrence
5) Identify existing and projected vulnerabilities
6) Assess the impact of a loss event or disclosure on the organization
7) Identify existing and planned security controls or other options for addressing risk.
8) Assess and prioritize risk based on the likelihood and organizational impact.
What is the difference between Residual Risk and Residual Threat Risk? What is the qualitative fundamental equation of ISS?
Residual Threat Risk is the leftover risk for each threat. Residual Risk is the total leftover risk for all risks.
Residual Risk = (Threats*Vulnerabilities)/Countermeasures
What is an information system threat?
Any circumstance, capability, action, or event with the potential to adversely impact an information system.
Information Systems Vulnerability
A flaw or weakness in an information system's design that could be exploited to violate a system's security policy.
What is the Information System Risk equation?
(level of threat) * (level of vulnerability)
When should an ISS risk assessment be carried out?
On a regular and systematic basis, to address changes that may occur in the business environment as well as in security requirements and in the nature of the information assets, threats, vulnerabilities and impacts.