Risk Assessment 5.3

Question 1

Threat Assessments

Answer 1

You need to take into account the possibility of natural phenomena such as earthquakes, severe weather, hurricanes, tornadoes, etc. Additionally the possibility of man-made threats, internal or externa. Internal threats such as employees, external threats such as outside organizations.

Question 2

Quantitative Risk Calculation

Answer 2

Annualized Rate of Occurrence (ARO). How likely is it that a hurricane will hit?

Single Loss Expectancy (SLE). What is the monetary loss if a single event occurs? A stolen laptop is about $1000 for example.

Annual Loss Expectancy (ALE). Your final calculation is your ARO * SLE.

There is also a qualitative effect.

Question 3

Evaluating Risk

Answer 3

Every project has a plan along with a risk. Identify and document the risk associate with each step. Apply possible solutions to the identified risks and monitor your results. You may also need to evaluate the risk of your supply chain. Usually you have 3rd parties to work with and that also needs to be taken into account. You have to look at their IT systems!

Question 4

Qualitative Risk Assessment

Answer 4

Identify risk factors. Ask opinions about the significance of each risk.

Impact
Annualize Rate of Occurrence (ARO)
Cost of Controls
Overall Risk

Question 5

Business Impact Analysis

Answer 5

Define the important business objectives. What is impacted? Revenue, legal issues, customer service?

How long will you be impacted? What is the impact’s bottom line?

Question 6

Testing For Risk

Answer 6

Many servers contain sensitive data. Running vulnerability and penetration tests can cause outages. Getting formal authorization for running these tests first is the best practice.

Question 7

Risk Response Techniques

Answer 7

Risk avoidance is the ideal way to avoid risk, however this isn’t generally possible. We have to accept that there is risks that we have to take. That being said, we can mitigate some of the risk. Additionally we have insurance.

Question 8

Change Management

Answer 8

How do we make changes? We have to upgrade software, change firewall configs, modify switch ports etc. Have clear policies and a change management plan, or expect chaos.