IT Risk and Risk Assessment Flashcards
Confidentiality
Only authorized individuals, processes, or systems should have access to information, on a need-to-know basis
Integrity
Information should be protected from intentional, unauthorized or accidental changes
Availability
Information or service must be available when and where needed
Accountability
All actions must be associated with a discrete entity performing said action
Risk Responses (OMATA)
- Ownership
- Mitigation
- Avoidance
- Transfer
- Acceptance
Ways to reduce workforce risks
- Job Rotation
- Separation of Duties
- Least Privilege (need-to-know)
- Mandatory Vacations
- Employee Termination
- Vendor, Consultant, and Contractor Controls
Risk Assessment Process
- Prepare
- Conduct
- Communicate
- Maintain
Annual Loss Expectancy (ALE)
Gives a measure of the expected annual loss due to a vulnerability
ALE = ARO * SLE
Core Information Security Principles
- Confidentiality
- Integrity
- Availability
- Accountability
Annual Rate of Occurrence (ARO)
Estimate of how often a threat will be successful in exploiting a vulnerability over a period of 1 year
Single Loss Expectancy (SLE)
Difference between original value and remaining value of an asset after a single exploit
SLE = asset value ($) * exposure value (%)
Responsibility of Data/Information/Business Owners
Responsible for information asset (assigns data classification, ensures protection of data with controls)
Responsibility of Data Custodian
Individual or function taking care of the information on behalf of the data owner
Responsible for availability of data, backup, and recovery
Risk Management Process
- Framing
- Assessing
- Responding
- Monitoring
Risk Assessment
Process of identifying, estimating, and prioritizing information security risks
Can be qualitative or quantitative
Risk Assessment Evaluation
- Threats to assets
- Vulnerabilities present
- Likelihood that a threat will be realized by taking advantage of an exposure
- Impact of the exposure on the organization
- Countermeasures available
- Residual risk
Risk Assessment Methodology
- Risk assessment process
- Explicit risk model
- Assessment approach
- Analysis approach
Risk Factors
- Vulnerability - flaw or weakness in system security
- Threat - potential for threat-source to exercise particular vulnerability
- Likelihood of occurrence - weighted risk factor based on analysis of probability a given threat is capable of exploiting a given vulnerability
- Level of impact - magnitude of harm that can be expected
Qualitative Risk Assessments
Used to assess risks based on NON-NUMERICAL categories or levels (e.g., low, medium, high)
Supports communicating risk results to decision makers
Results are descriptive rather than measurable
Used when:
- Quantitative assessment skills are lacking
- Timeframe is short
- There is a paucity of data that can be used for risk assessment
Quantitative Risk Assessments
Used to assess risks based on the use of NUMBERS
Supports cost-benefit analyses or alternative risk responses or courses of action
Usually done in conjunction with qualitative analysis
Aims to see whether the cost of the risk outweighs the cost of the countermeasure
Semi-Quantitative Assessments
Used to assess risks using bins, scales, or representative numbers whose values and meanings are not maintained in other contexts (e.g., 1 (low) to 10 (high))
Conducting Risk Assessment
- Identify threat source
- Identify threat events
- Identify vulnerabilities
- Determine likelihood that identified threat sources would initiate specific threat events (and that those events would be successful)
- Determine adverse impacts to organization
- Determine information security risks as combination of likelihood of threat exploitation of vulnerabilities and impact of such exploitation