Lecture 4 Flashcards by J D

process of identifying and controlling risks facing an organization

Risk Management

Risk Management

How well did you know this?

Not at all

Perfectly

process of examining an organization’s current information technology security situation

Risk Management

Risk Identification

How well did you know this?

Not at all

Perfectly

applying controls to reduce risks to an organizations data and information systems

Risk Management

Risk Control

How well did you know this?

Not at all

Perfectly

Began as a advantage

Competitiveness

Risk Management

Information Technology Role

How well did you know this?

Not at all

Perfectly

Now falling behind is a disadvantage

Competitiveness

Risk Management

Information Technology Role

How well did you know this?

Not at all

Perfectly

is a necessity

Competitiveness

Risk Management

Availability

How well did you know this?

Not at all

Perfectly

Understand the technology and systems in your organization

An Overview of Risk Management

Risk Management

Know yourself

How well did you know this?

Not at all

Perfectly

Identify, examine, understand threats

An Overview of Risk Management

Risk Management

Know the enemy

How well did you know this?

Not at all

Perfectly

(3) Role of Communities of Interest

An Overview of Risk Management | Enumerate

Risk Management

Information Security
Management and Users
Information Technology

How well did you know this?

Not at all

Perfectly

Verify ? of asset inventory

The Roles of Communities of Interest - Management Review

Risk Management

completeness/accuracy

How well did you know this?

Not at all

Perfectly

Review and verify threats as well as ? strategies

The Roles of Communities of Interest - Management Review

Risk Management

controls and mitigation

How well did you know this?

Not at all

Perfectly

Review ? of each control

The Roles of Communities of Interest - Management Review

Risk Management

cost effectiveness

How well did you know this?

Not at all

Perfectly

? of controls deployed

The Roles of Communities of Interest - Management Review

Risk Management

Verify effectiveness

How well did you know this?

Not at all

Perfectly

Risk management involves identifying ? and identifying ??

Risk Identification

Risk Management

organization’s assets
threats/vulnerabilities

How well did you know this?

Not at all

Perfectly

begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)

Asset Identification and Valuation

Risk Management

Iterative Process

How well did you know this?

Not at all

Perfectly

are then classified and categorized

Asset Identification and Valuation

Risk Management

Assets

How well did you know this?

Not at all

Perfectly

Human resources, documentation, and data information assets are more difficult to ?

People, Procedures, and Data Asset Identification

Risk Management

identify

How well did you know this?

Not at all

Perfectly

People with knowledge, experience, and good judgment should be assigned this ?

People, Procedures, and Data Asset Identification

Risk Management

task

How well did you know this?

Not at all

Perfectly

These assets should be recorded using reliable ? process

People, Procedures, and Data Asset Identification

Risk Management

data-handling

How well did you know this?

Not at all

Perfectly

Asset attributes for ?: position name/number/ID; supervisor; security clearance level; special skills
* Try to avoid names

People, Procedures, and Data Asset Identification

Risk Management

people

How well did you know this?

Not at all

Perfectly

Asset attributes for ?
* Intended purpose
* Relationship to software, hardware, network elements
* Storage location

People, Procedures, and Data Asset Identification

Risk Management

procedures

How well did you know this?

Not at all

Perfectly

Asset attributes for ?
* classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

People, Procedures, and Data Asset Identification

Risk Management

data

How well did you know this?

Not at all

Perfectly

(4) Asset attributes to be considered are:

Hardware, Software, and Network Asset Identification

Risk Management

Name (device or program name)
IP address
Media access control (MAC) address
Element type – server, desktop, etc. Device Class, Device OS, Device Capacity

How well did you know this?

Not at all

Perfectly

Where on network

Hardware, Software, and Network Asset Identification

Risk Management

Logical Location

How well did you know this?

Not at all

Perfectly

Organization unit to which it belongs | Hardware, Software, and Network Asset Identification ## Footnote **Risk Management**

Controlling entity

Many organizations have **?** schemes (e.g., confidential, internal, public data) | Information Asset Classification ## Footnote **Risk Management**

data classification

# **?** must be specific enough to allow determination of priority | Information Asset Classification ## Footnote **Risk Management**

Classification

# **?** all info fits in list somewhere | Information Asset Classification ## Footnote **Risk Management**

Comprehensive

# **?** fits in one place | Information Asset Classification ## Footnote **Risk Management**

Mutually exclusive

# **?** help develop criteria for asset valuation: which information asset | Information Asset Valuation ## Footnote **Risk Management**

Questions

# **?** (4) Questions help develop criteria for asset valuation: which information asset | Information Asset Valuation | Enumerate Example ## Footnote **Risk Management**

* is most critical to organization’s success? * generates the most revenue? * generates the most profit? * would be most expensive to replace?

# **?** help develop criteria for asset valuation: which information asset | Information Asset Valuation ## Footnote **Risk Management**

Questions

# **?** (2) Questions help develop criteria for asset valuation: which information asset | Information Asset Valuation | Enumerate Example ## Footnote **Risk Management**

* would be most expensive to protect? * would be most embarrassing or cause the greatest liability is revealed?

# **?** Calculate the relative importance of each asset | Listing Assets in Order of Importance ## Footnote **Risk Management**

Weighted factor analysis

(3) Each info asset assigned score for each critical factor (0.1 to 1.0) | Listing Assets in Order of Importance | Enumerate ## Footnote **Risk Management**

* Impact to revenue * Impact to profitability * Impact to public image

Each critical factor is assigned a weight **?** | Listing Assets in Order of Importance | Enumerate ## Footnote **Risk Management**

(1-100)

(2) Variety of classification schemes used by corporate and military organizations | Data Classification and Management | Enumerate ## Footnote **Risk Management**

* Georgia-Pacific Corporation (G-P) scheme * U.S. military classification scheme

# **?** Confidential, sensitive or proprietary | Data Classification and Management ## Footnote **Risk Management**

Georgia-Pacific Corporation (G-P) scheme

# **?** Internal, G-P employee, authorized contractors | Data Classification and Management ## Footnote **Risk Management**

Georgia-Pacific Corporation (G-P) scheme

# **?** External, public | Data Classification and Management ## Footnote **Risk Management**

Georgia-Pacific Corporation (G-P) scheme

(5) U.S. military classification scheme | Data Classification and Management | Enumerate Example ## Footnote **Risk Management**

* Unclassified Data * Sensitive by unclassified data * Confidential data * Secret data * Top secret data

# **?** responsible for classifying their information assets | Data Classification and Management ## Footnote **Risk Management**

Information owners

# **?** must be reviewed periodically | Data Classification and Management ## Footnote **Risk Management**

Information classifications

Most organizations do not need detailed level of classification used by **?** or **??** agencies. | Data Classification and Management ## Footnote **Risk Management**

* military * federal

(4) Organizations may need to classify data to provide protection | Data Classification and Management | Enumerate ## Footnote **Risk Management**

* Public * For official use only * Sensitive * classified

Assign classification to all **?** | Data Classification and Management ## Footnote **Risk Management**

data

Grant access to data based on **?** | Data Classification and Management ## Footnote **Risk Management**

classification and need

Devise some method of managing data relative to **?** | Data Classification and Management ## Footnote **Risk Management**

classification

# **?** : each data user assigned a single level of authorization indicating classification level | Security Clearances ## Footnote **Risk Management**

Security clearance structure

Before accessing specific set of data, employee must meet **?** requirement | Security Clearances ## Footnote **Risk Management**

need-to-know

Extra level of protection ensures information confidentiality is **?** | Security Clearances ## Footnote **Risk Management**

maintained

Storage, distribution, portability, and destruction of **?** | Management of Classified Data ## Footnote **Risk Management**

classified data

Information not unclassified or public must be clearly **?** as such | Management of Classified Data ## Footnote **Risk Management**

marked

# **?** requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed | Management of Classified Data ## Footnote **Risk Management**

Clean desk policy

# **?** can compromise information security | Management of Classified Data ## Footnote **Risk Management**

Dumpster diving

# **?** need investigation; unimportant threats are set aside | Threat Assessment ## Footnote **Risk Management**

Realistic threats

Each of the treats must be **?** to assess potential damage | Threat Assessment ## Footnote **Risk Management**

examined

(4) (Questions) | Threat Assessment ## Footnote **Risk Management**

* Which threats present a danger to an organization’s assets? * Which threats represent the most danger -probability of attack * How much would it cost to recover * Which treat requires the greatest expenditure to prevent?

Identify each **?** and each **??** it faces | Vulnerability Identification ## Footnote **Risk Management**

* asset * threat

Create a list of **?** | Vulnerability Identification ## Footnote **Risk Management**

vulnerabilities

Examine how each of the threats are likely to be **?** | Vulnerability Identification ## Footnote **Risk Management**

perpetrated

**?** evaluates the relative risk for each vulnerability | Risk Assessment ## Footnote **Risk Management**

Risk assessment

Assigns a **?** to each **??** | Risk Assessment ## Footnote **Risk Management**

* risk rating or score * information asset

Final summary comprised in **?** | Documenting Results of Risk Assessment ## Footnote **Risk Management**

ranked vulnerability risk worksheet

(5) Worksheet details **?**, **??**, **???**, **????**, and **?????**. | Documenting Results of Risk Assessment | Enumerate ## Footnote **Risk Management**

* asset * asset impact * vulnerability * vulnerability likelihood * risk-rating factor

Order by **?** factor | Documenting Results of Risk Assessment ## Footnote **Risk Management**

risk-rating

# **?** is initial working document for next step in risk management process: assessing and controlling risk | Documenting Results of Risk Assessment ## Footnote **Risk Management**

Ranked vulnerability risk worksheet

Once ranked vulnerability risk worksheet complete, must choose **one of four strategies to control each risk**: | Risk Control Strategies | Enumerate ## Footnote **Risk Management**

* avoidance * transference * mitigation * acceptance

Apply safeguards that eliminate or reduce residual risks (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**

avoidance

Transfer the risk to other areas or outside entities (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**

transference

Reduce the impact should the vulnerability be exploited (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**

mitigation

Understand the consequences and accept the risk without control or mitigation (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**

acceptance

# **?** Attempts to prevent exploitation of the vulnerability ## Footnote **Risk Management**

Avoidance

# **?** accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards | Avoidance ## Footnote **Risk Management**

Preferred approach

(3) Three common methods of risk avoidance: | Avoidance | Enumerate ## Footnote **Risk Management**

* Application of policy * Training and education * Applying technology

# **?** Control approach that attempts to shift risk to other assets, processes, or organizations ## Footnote **Risk Management**

Transference

(5) Examples (of Transference I think) | Transference | Enumerate Example ## Footnote **Risk Management**

* Rethinking how services are offered * Revising deployment models * Outsourcing * Purchasing insurance * Implementing service contracts

# **?** Concentrate on what you do best | Transference ## Footnote **Risk Management**

In Search of Excellence

# **?** Attempts to reduce impact of vulnerability exploitation through planning and preparation ## Footnote **Risk Management**

Mitigation

Approach includes three types of plans: | Mitigation | Enumerate ## Footnote **Risk Management**

* Incident response plan (IRP) * Disaster recovery plan (DRP) * Business continuity plan (BCP)

# **?** is most common mitigation procedure | Mitigation | 3 types of plans ## Footnote **Risk Management**

Disaster recovery plan (DRP)

The actions to take while incident is in progress is defined in **?** | Mitigation | 3 types of plans ## Footnote **Risk Management**

Incident response plan (IRP)

# **?** encompasses continuation of business activities if catastrophic event occurs | Mitigation | 3 types of plans ## Footnote **Risk Management**

Business continuity plan (BCP)

# **?** **Doing nothing** to protect a vulnerability and accepting the outcome of its exploitation ## Footnote **Risk Management**

Acceptance

# **?** Valid only when the particular function, service, information, or asset **does not justify cost of protection** ## Footnote **Risk Management**

Acceptance

# **?** describes the degree to which organization is **willing to accept risk** as trade-off to the expense of applying controls | Acceptance ## Footnote **Risk Management**

Risk appetite

Level of threat and value of asset play major role in **?** | Selecting a Risk Control Strategy ## Footnote **Risk Management**

selection of strategy

# **?** implement security control to reduce likelihood | Selecting a Risk Control Strategy ## Footnote **Risk Management**

When a vulnerability exists

# **?** apply layered protections, architectural designs, and administrative controls | Selecting a Risk Control Strategy ## Footnote **Risk Management**

When a vulnerability can be exploited

# **?** apply protection to increase attackers costs | Selecting a Risk Control Strategy ## Footnote **Risk Management**

When attacker’s cost is less than potential gain

# **?** redesign, new architecture, controls | Selecting a Risk Control Strategy ## Footnote **Risk Management**

When potential loss is substantial

(4) Categories of Controls | Categories of Controls | Enumerate ## Footnote **Risk Management**

* Control Function * Architectural Layer * Strategy Layer * Information Security Principle

# **?** Preventive & detective | Categories of Controls ## Footnote **Risk Management**

Control Function

# **?** Organizational policy, external networks, intranets, network devices, systems | Categories of Controls ## Footnote **Risk Management**

Architectural layer

# **?** Avoidance, mitigation, or transference | Categories of Controls ## Footnote **Risk Management**

Strategy layer

# **?** Classified by characteristics: Confidentiality, integrity, availability, authentication, authorization, accountability, privacy | Categories of Controls ## Footnote **Risk Management**

Information security principle

# **?** Compare cost to potential loss ## Footnote **Risk Management**

Feasibility Studies

# **?** is the process of avoiding the financial impact of an incident | Feasibility Studies ## Footnote **Risk Management**

Cost avoidance

# **?** Evaluate worth of asset ## Footnote **Risk Management**

Cost Benefit Analysis

Loss of value if asset **?** | Cost Benefit Analysis ## Footnote **Risk Management**

compromised

(4) Items affecting **cost of control** | Cost Benefit Analysis | Enumerate Example ## Footnote **Risk Management**

* Cost of development or acquisition * Cost of implementation * Services costs * Cost of maintenance

# **?** value gained by using controls | Cost Benefit Analysis ## Footnote **Risk Management**

Benefits

Calculate the single loss expectance * **?** = asset value * exposure factor * **??** = % loss from exploitation | Cost Benefit Analysis - Assess worth of asset ## Footnote **Risk Management**

* SLE * Exposure factor

Calculate Annualized loss expectancy * **?** = SLE * ARO (annualized rate of occurrence) | Cost Benefit Analysis - Assess worth of asset ## Footnote **Risk Management**

ALE

# **?** determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability | Cost Benefit Analysis Formula ## Footnote **Risk Management**

ALE

**?** = ALE (prior) – ALE (post) – ACS | Cost Benefit Analysis Formula ## Footnote **Risk Management**

CBA

# **?** is annualized loss expectancy of risk before implementation of control | Cost Benefit Analysis Formula ## Footnote **Risk Management**

ALE(prior)

# **?** is estimated ALE based on control being in place for a period of time | Cost Benefit Analysis Formula ## Footnote **Risk Management**

ALE(post)

# **?** is the annualized cost of the safeguard | Cost Benefit Analysis Formula ## Footnote **Risk Management**

ACS

# **?** An alternative approach to risk management ## Footnote **Risk Management**

Benchmarking

# **?** is process of seeking out and studying practices in **other organizations** that one’s own organization **desires to duplicate** ## Footnote **Risk Management**

Benchmarking

(2) One of two measures typically used to compare practices: | Benchmarking ## Footnote **Risk Management**

* Metrics-based measures * Process-based measures

(6) Metrics-based measures are comparisons based on numerical standards: | Benchmarking --Metrics-based measures ## Footnote **Risk Management**

* Number of successful attacks, * staff-hours spent of systems protection, * dollars spent on protection, * number of security personnel, * estimated value of info lost in attacks, * loss in productivity hours

# **?** Less focus on numbers ## Footnote **Risk Management**

Benchmarking -- Process-based measures

More strategic than **?** | Benchmarking -- Process-based measures ## Footnote **Risk Management**

metrics-based measures

Examine **?** an individual company performs | Benchmarking -- Process-based measures ## Footnote **Risk Management**

activities

# **?** when **adopting levels of security for a legal defense**, organization shows it **has done what any prudent organization would do in similar circumstances** | Benchmarking ## Footnote **Risk Management**

Standard of due care

# **?** demonstration that organization is **diligent in ensuring that implemented standards continue to provide** required level of protection | Benchmarking ## Footnote **Risk Management**

Due diligence

Failure to support standard of due care or due diligence can leave organization open to **?** | Benchmarking ## Footnote **Risk Management**

legal liability

security efforts that provide a superior level protection of information | Benchmarking – Best Practices ## Footnote **Risk Management**

Best business practices

Organizations don’t talk to each other (**?**) | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**

biggest problem

No two organizations are **?** | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**

identical

Knowing what **was going on** in information security industry in recent years through **?** **doesn’t** necessarily prepare for what’s **next** | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**

benchmarking

Analysis of measures against established standards ## Footnote **Risk Management**

Baselining

In information security, **?** is comparison of security activities and events against an organization’s future performance. ## Footnote **Risk Management**

baselining

The information gathered for an organization’s **?** becomes the baseline for future comparison. | Baselining ## Footnote **Risk Management**

first risk assessment

“the goal of information security is not to bring **?** to zero; it is to bring residual risk into line with an organization’s comfort zone or **??** | KEY ## Footnote **Risk Management**

* residual risk * risk appetite

At minimum, each information **?** should have documented **control strategy** clearly identifying any remaining residual risk, and **feasibility studies** to justify the findings. | Documenting Results ## Footnote **Risk Management**

asset-threat pair

# **?** document outcome of control strategy for each information asset-vulnerability pair as an action plan | Documenting Results ## Footnote **Risk Management**

Another option