Risk Management Flashcards
Risk Categories (3)
Damage
Disclosure
Losses
5 Risk Factors
Physical Damage
Malfunction
Attacks
Human Error
Application Error
Security Policy Development
(4 Steps)
- Security Procedures
- Security Guidelines
- Security Baselines
- Acceptable Use Policy
Risk Planning
(By organizational management level / number of years)
Strategic 5 yr
Tactical 1 yr
Operating MQ
Response to Risk (6)
Acceptance
Mitigation
Assignment
Avoidance
Deterrence
Rejection
Primary Risk Management Framework
NIST 800-37
NIST 800-37 Steps
- Prepare
- Categorize
- Select Security Controls
- Implement Security Control
- Assess the Controls
- Authorize the system
- Monitor Security Control
Types of Risk (3)
Residual
Inherent
Total
Total Risk
Formula
Threats * Vulnerabilities * Asset Value
Risk
Formula
Threat * Vulnerability
Methodology of Risk Assessment - Examples such as NIST...
NIST SP 800-30
OCTAVE
FRAP
FMEA
Fault Tree Analysis
Risk Analysis Approach (2)
Quantitative Risk Analysis
Qualitative Risk Analysis
Risk Management Process (4) Steps
(FARM)
Frame Risk
Assess Risk
Respond to Risk
Monitor
Information Exhibits Vulnerabilities (Data x 3)
Data at rest
Data in transit
Data in use
TOC/TOU
Time-of-check to Time-of-use
The Delphi Technique
Used in Qualitative Risk Analysis
Individual opinions taken in rounds
Residual Risk
(Threats * vulnerability * asset value) * control gap
Residual risk = Total Risk - Countermeasures
Value of safeguard to the organization
(Control Selection)
Formula
(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (Annual Cost of Safeguard)
NIST SP 800-39
(Holistic Risk Management)
Managing Information Security Risk
Defines 3 tiers of risk:
Tier 1 - Organization view
Tier 2 - Mission/Business process view
Tier 3 - Information system view
Risk Analysis 4 Main Goals
- Identify assets and their value to the organization
- Determine the likelihood that a threat exploits a vulnerability
- Determine the business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk Management methodology
NIST SP 800-30
- Focus: Computer systems and IT issues.
- Does not cover large organizational threats
- Focus on operational component of an enterprise
Risk Management Methodology
OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology.
- 7 Processes
- Created by Carnegie Mellon University
- People manage and direct the risk evaluation for information security within an organization.
- Idea: People who work in the organization know and understand its risks best
- Facilitated workshops cover all systems, apps and processes within an organization
Risk Management Methodology
FRAP
Facilitated Risk Analysis Process
By Thomas Peltier
The crux of this qualitative method is to focus only on the systems that really need assessment, to reduce cost
One app / one system at a time
Based on experience, not numbers
Risk Management Methodology
FMEA
- Failure Modes and Effect Analysis
- (Block diagrams)
- Identifies functional failures and assesses the cause of each failure through a structured process
- Mainly used in product development and operational environments
- Identifies single points of failure
- 5-steps
Risk Management Methodology
Fault Tree Analysis
Assessing failures in the most complex systems
Quantitative Risk Analysis
Single Loss Expectancy (SLE) -Definition
SLE is a monetary value assigned to a single event that represents the organization's potential loss amount
Quantitative Risk Analysis
Annualized Loss Expectancy (ALE)
Annual effective amount that an organization should spend
Quantitative Risk Analysis
Exposure Factor (EF)
Exposure Factor represents the percentage of loss a realized threat could have on a certain asset
Quantitative Risk Analysis
Annualized Rate of Occurrence (ARO)
ARO is a value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe