Module 2: Risk Assessment Flashcards
What is Risk
It is defined as the probability of the occurrence of an incident
What is Risk Policy
A set of ideas that are to be implemented in order to minimize and mitigate risks faced by an organization
Risk Policy defines these steps in managing the risks
- Establishing a Context
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Treating the risks
- Monitor and Review
- Communication and Consultation
What is Risk Assessment
A set of guidelines and procedures to identify and assess the risks that pose a threat to the business or project environment
What is the NIST Risk Assessment Methodology
- System Characterization
- Threat Identification
- Identify Vulnerabilities
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
What happens in Step 1 System Characterization
The limits of an IT system are determined in order to set the scope of risk assessment
What happens in Step 2 Threat Identification
Different threats and threat sources are to be identified
What are the two threat sources
Human and Technical Threats
What are the common human threats
- False data entry or deletion of data
- Eavesdropping
- Impersonation
- Theft
- Espionage
What are the common technical threats
- Breaking passwords for unauthorized access
- Sniffing and scanning of network traffic
- Malicious code infection
- Spam and mail frauds
- DDoS attacks
- Session hijacking
What is a threat source
It means any incident or occurrence with the potential to cause harm to the information system
What happens in Step 3 Identify Vulnerabilities
To prepare a list of information system vulnerabilities that could be exploited by the probable threat-sources
What is the best source for information gathering
Internet
Vulnerability identification process methods
- Vulnerability sources
- System security testing
- Development of security requirements checklist
System Security testing methods
- Automated vulnerability scanning tool
- Security test and evaluation (ST&E)
- Pen Test
What happens in Step 4 Control Analysis
The organization analyzes the controls that are planned or already implemented in order to reduce the probability of a threat.
What happens in Step 5 Likelihood Determination
This step determines the likelihood of occurrence of a threat.
Factors for the overall likelihood
- Motivation and capability of the threat-source
- Nature of the vulnerability
- Existence and effectiveness of current controls
What happens in Step 6 Impact Analysis
This step determines the adverse impact resulting from a threat-source successfully exercising a vulnerability
What happens in Step 7 Risk Determination
To determine the level of risk to different organizational processes and assets.
What considerations does Risk Determination involve
- The probability of occurrence of an anticipated incident
- The tangible and intangible impact of the incident on the organization's resources
- The control measures to minimize the impact or totally avoid the incident
What happens in Step 8 Control Recommendations
Risk assessment teams recommend controls based on the likelihood, impact and criticality of the risk to business operations
What happens in Step 9 Results Documentation
An official, detailed, and clear risk assessment report helps senior management make decisions on policy, procedure, system operation, and management changes.
Steps involved in the risk assessment of the workplace
- Identify hazards
- Determine who will be harmed and how
- Analyze risks and check for precautions
- Implement results of risk assessment
- Review risk assessment