Risk Flashcards
What is risk?
A possibility of having a negative impact.
Internal man-made threats are more serious than external ones because internal people within the organization already have access rights to your data and, of course, to your business processes, so they can damage you the most compared to external attackers.
Hardware failure means your hard disk might be damaged and you might lose the data on it, or your servers could go down; all of these are kinds of hardware failure. The next one is software. Your core software can be corrupted for various reasons, maybe a virus attack, maybe just a hard disk failure, and then your software is gone.
Impact means we try to measure the damage caused by the threat you face. Sometimes it can easily be measured in terms of dollars: for example, because of the threat you lost your business, and then you see the dollar amount that you lost.
Risk mitigation means reducing the risks using controls.
The more controls you add, the more mitigation (risk reduction) you apply to the risk.
Senior management decides when to stop. Most control ranges are at 40-60%. If anything happens, it is on management.
Why can’t we just transfer the risk without applying any controls whatsoever? The problem is this: if you do it without any controls, the insurance agent will come and do their own risk assessment of the organization, and the insurance premium you have to pay will be extremely high. Organizations always reduce the risk using controls to a level they feel comfortable with, in other words, to a level that management feels most comfortable with. If they are still worried about the remaining risk, then we buy insurance and transfer it to a third party.
There are two different scenarios in which we do risk re-evaluation, called time driven and event driven. Time driven means we do it periodically: once every six months, or once every year, we do the risk assessment and risk mitigation. That’s called time driven. There’s no external factor whatsoever; we just do it. The second one is called event driven. Event driven means we re-evaluate when there is an environment change. Here is an example of an environment change: you do traditional banking, and now you go for e-banking; that’s an environment change within the organization.
Example of preventive software: malware detection.
Detective control: sometimes security administrators keep firewalls, and those firewalls can detect unauthorized access to the system and raise an alarm to the security administrators.
Corrective control means that if our data is corrupted, we can do a restoration. This is a classical example of a corrective control. It sometimes has a preventative nature as well, again for possible data loss.
That is a preventative control: prevent unauthorized access. When we access certain systems, we have a preventative control in place to prevent unauthorized access.
A log of users is used to find out who logged in during a given period of time and who made changes to the system. So that is a detective control, and it is there for accountability. When we keep records, in some systems we have logs; sometimes we call them audit trails. In logs and audit trails, we keep information about who accessed the system, what kind of changes were made to the system, and whether any supervisor gave approval. For example, if you want to keep track of the information, what was the information before and what is the information currently? You might have a before image and an after image. Of course, we should have a timestamp, which means the date and time, as well as whatever other information you would like to keep a record of. This is a log of users. It’s a classical example of a detective control.