Module 2: Risk Assessment Flashcards
What is Risk
It is defined as the probability of the occurrence of an incident
What is Risk Policy
A set of ideas that are to be implemented in order to minimize and mitigate risks faced by an organization
Risk Policy defines these steps in managing the risks
- Establishing a Context
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Treating the risks
- Monitor and Review
- Communication and Consultation
What is Risk Assessment
A set of guidelines and procedures to identify and assess the risks that pose a threat to the business or project environment
What is the NIST Risk Assessment Methodology
- System Characterization
- Threat Identification
- Identify Vulnerabilities
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
What happens in Step 1 System Characterization
The limits of an IT system are determined in order to set the scope of risk assessment
What happens in Step 2 Threat Identification
Different threats and threat sources are to be identified
What are the two threat sources
Human and Technical Threats
What are the common human threats
- False data entry or deletion of data
- Eavesdropping
- Impersonation
- Theft
- Espionage
What are the common technical threats
- Breaking passwords for unauthorized access
- Sniffing and scanning of network traffic
- Malicious code infection
- Spam and mail frauds
- DDoS attacks
- Session hijacking
What is a threat source
It means any incident or occurrence with the potential to cause harm to the information system
What happens in Step 3 Identify Vulnerabilities
To prepare a list of information system vulnerabilities that could be exploited by the probable threat-sources
What is the best source for information gathering
Internet
Vulnerability identification process methods
- Vulnerability sources
- System security testing
- Development of security requirements checklist
System security testing methods
- Automated vulnerability scanning tool
- Security test and evaluation (ST&E)
- Pen Test
What happens in Step 4 Control Analysis
The controls that are planned for implementation or already implemented are analyzed by the organization in order to reduce the probability of a threat.
What happens in Step 5 Likelihood Determination
This step determines the likelihood of occurrence of a threat.
Factors for the overall likelihood
- Motivation and the capability of threat-source
- Nature of the vulnerability
- Efficiency and existence of current controls
What happens in Step 6 Impact Analysis
This step of the risk assessment methodology determines the adverse impact resulting from a threat successfully exercising a vulnerability
What happens in Step 7 Risk Determination
To determine the level of risk to different organizational processes and assets.
Risk Determination involves what consideration
- The probability of occurrence of an anticipated incident
- The tangible and intangible impact of the incident on the organization's resources
- The control measures to minimize the impact or totally avoid the incident
What happens in Step 8 Control Recommendations
Risk assessment teams recommend the controls based on the likelihood, impact, and criticality of the risk to business operations
What happens in Step 9 Results Documentation
An official, detailed, and clear risk assessment report helps senior management make decisions on policy, procedure, system operational, and management changes.
Steps involved in the risk assessment of the workplace
- Identify hazards
- Determine who will be harmed and how
- Analyze risks and check for precautions
- Implement results of risk assessment
- Review risk assessment
What is a hazard
A hazard is anything that may cause harm
What is a plan of action
It is a document that contains the implementation method of the risk assessment results
What is Risk Analysis
The process that defines and analyzes the dangers
How is Risk Analysis composed
Risk Assessment + Risk Management + Risk Communication
What is Risk Management
A structured approach to managing risks due to any incident affecting information systems and their security
What is Risk Communication
The correspondence between the client and the manager
Risk Analysis helps to analyze what five elements
- Assets
- Disruptive events
- Vulnerabilities
- Losses
- Safeguards
What are the two approaches for Risk Analysis
Quantitative Risk Analysis (numbers, dollars) & Qualitative Risk Analysis (Best guess)
What is Risk Mitigation
The process of minimizing the risk
What Risk Mitigation Strategies are used
- Risk Assumption
- Risk Avoidance
- Risk Limitation
- Risk Planning
- Research and Acknowledgement
- Risk Transference
What is Risk Assumption
Executes controls to bring risk factor to an acceptable level or accepts the potential risk
What is Risk Avoidance
It refers to preventing the risks by curbing the cause of the risk and/or consequence
What is Risk Limitation
This procedure implements controls to diminish the level of controls, which in turn reduces the impact of a threat's exercising a vulnerability
Example: Use of supporting, preventive, and detective controls
What is Risk Planning
A risk mitigation plan is to be developed in order to prioritize, implement, and maintain the controls
What is Research and Acknowledgment
Analyzing the vulnerability or flaw and determining what actions can be taken to lessen the risk
What is Risk Transference
Transfer the risk with the help of other options.
What is Cost-Benefit Analysis
The process of calculating return on investment
What is NIST's approach for Control Implementation
- Prioritize actions
- Evaluate recommended control options
- Conduct cost-benefit analysis
- Select control
- Assign responsibility
- Develop a safeguard implementation plan
- Implement selected controls
How do you prioritize actions
By using the risk levels in the risk assessment report
What is residual risk
The amount of risk remaining after implementation of all the possible controls
How do you calculate residual risk
Residual risk = Inherent Risk * Control risk
How do you calculate inherent risk
Inherent risk = threats * vulnerability
The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination
Quantitative risk analysis
How many primary steps does NIST’s risk assessment methodology involve
Nine
In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?
System Characterization
In a qualitative risk analysis, risk is calculated in terms of
(Attack Success + Criticality) - (Countermeasures) = Risk
In a quantitative risk analysis, risk is calculated in terms of
Risk = Probability of Loss * Loss
What is the Risk formula
Risk = (events) * (probability of occurrence) * (consequences)
A measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations that adversely affects the organization's operations and revenues
Risk
In step 4 Control Analysis of the NIST’s risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are the two control categories
Preventive and Detective controls