RM

Question 1

Vulnerability

Answer 1

flaw or weakness in a

• system
• procedure
• design
• entity
• implementation,
• or internal control

that could be exercised (accidentally triggered or intentionally exploited) by a threat and result in a security breach or violations of the system’s security

Behavioral: unscured computers or memory sticks, unlocked filing cabinets (computer left unlocked) (password on sticky note)

system related: software bugs, insecure communication channels (outdated software)

organizational: untrained workforce (social engineering), it Misuse (visiting problematic websites)

Question 2

threats

and threat analysis

Answer 2

are a potential cause for undesired incidents with negative consequences for a system or an organization

types of threats

• human error ( accindent: deleting files, mistakes, social engineering, phishing)
• physical (theft, vandalism, sabotage)
• unauthorized access (espionage, trespassing)
• forces of nature (fire, earthquake, blackout)
• legal and contractual (legislation breaches)

threat analysis:

• systematically identifying potential threats and resulting damage
• basis for risk analysis

Question 3

risk and risk mgmt

Answer 3

risk is an insecurity concerning the goal achievement of an organization and is often seen as the combination of the probability of occurence and the consequences of an event

• risks result from vulnerabilities being exploited by threats, producing undesired consequences
• Risk Management: the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
• you can’t eliminate all risks always dealing with risks

Question 4

Risk mgmt process

Answer 4

C            Monitoring/review
o
m                           1 risk identification
m                 
u            
n                            2 risk analysis 
i
c
a                            3 risk evaluation.     risk assessment
t
i                                      I
o                                    v
n

Question 5

Context Establishment

Answer 5

Goal: understand the organization’s internal and external operating context that plays a role and affects the risk management process

external context:

• Business env. (who are the customers, competitors)
• legal and compliance (what are regulations to comply)
• threats and vulnerabilities
• outside support (any outside support one needs to inform)

internal context:

-internal stakeholders (who needs to be informed)
-culture
-exisiting information
security program (what is there already
-experience (where there some issues in the past, what has been learned)

Question 6

Risk Identification

Answer 6

goal to identify threats facing the organization’s information assets and understand the significance of these threats

-Identification of information assets that collect store process or transmit information (people, networks)

• create a catalog of the organization’s. Informations assets
• prioritize the information assets by assigning value to them

Threat analysis: identification of threats associated with the information assets

• identify threats that are relevant to the organization and vulnerabilities associated with (groups of) information assets
• weighted ranking of threats for groups of information assets (probabilities)

Question 7

Risk Analysis

Answer 7

• Goal: to determine the extent to which the Organisation’s information assets are exposed to risk:
• Required input: likelihood and impact
• likelihood that a specific vulnerability will be exploited or attacked (scale from 0 to 1 how likely in the next 12 months)
• potential impact of a successful attack (financial impact)
• Risk determination:

R = L x I

-Must be reviewed continually as risks can change

Question 7

Risk evaluation

Answer 7

determine if risk treatment is needed based on the results of risk analysis ant the organizations risk appetite

risk evaluation:

• How acceptable is each risk
• should the risk be treated

Decision criteria:

• Organization’s risk appetite
• Potential solutions and their costs
• Certain solutions might address multiple risks

Question 8

risk treatment

Answer 8

choose strategies that counteract the risks identified during the risk assessment phase

Strategy:

Defense: Applying controls and safeguards that reduce the risk (clean desk policies)

Transference: Shifting risks to other areas or to outside entities (insurance against risk or outsource risk treatment: dependency )

Mitgiation: Reducing the impact in case of a possible attack (data backup, store data on mirror server)

acceptance: Stating willingness to live with the risk (too expensive to reduce the remaining risk)
termination: remove an information asset from all operations (shutting down old Webserver which is not maintained)

Question 9

Critical Reflection

Answer 9

Applying the risk management process conveys the impression of having used a rigorous method to protect an organization’s information assets

Any issues with the process?

• statistical rigor
• abuse (someone in charge abuses the process to proof his good work)
• disturbing mixture of quantitative analyses applied to interpretive data
• risk analysis ignore the effects of luck and guesswork on its accuracy
• if original estimates are invalid, then the probability arithmetic which follows it is complete nonsense
• highly subjective nature of risk analysis permit its abuse