Week 3A - Managing Cyber/Info Security Flashcards
Risk Definition (AS/NZS 27005)
Risk is the effect of uncertainty on objectives
Effect of Event
The consequence, deviation from the normal state
Uncertainty
How likely is it that this event will happen?
Types of Objectives
Financial
Health & Safety
Information Security
Environmental
Which two terms are used to express InfoSec risk?
Likelihood and Consequence
Likelihood
The chance of something happening
Consequences
Outcome of an event affecting objectives
Consequences have ___ and ___
Magnitude and Impact
Consequences - Magnitude
Perception of magnitude is defined by stakeholder perspective
Consequences - Impact
The impact on stakeholders varies - need to understand context
Which Australian Standard provides guidelines for information security risk management?
AS/NZS 27005:2012
What are the 6 Broad Steps of the Risk Management Process of AS/NZS 27005:2012?
- Context Establishment
- Risk Assessment - Identification, Analysis, Evaluation
- Risk Treatment
- Risk Communication
- Risk Monitoring
- Risk Acceptance
- Context Establishment - What are the 3 types of contexts to consider?
External Context
Internal Context
Risk Management Context
- Context Establishment - External Context
Relationship between organisation and external environment
- Context Establishment - Internal Context
Understand the organisation – capabilities, goals, objectives
- Context Establishment - Risk Management Context
Goals, objectives, strategies, scope and parameters of area the risk management process is being applied to
- Risk Assessment - What are the 3 components of risk assessment?
2.1 Risk Identification
2.2 Risk Analysis
2.3 Risk Evaluation
2.1 Risk Identification
Identify assets, consider threats, vulnerabilities and existing controls
2.2 Risk Analysis
Determine the magnitude of identified risks using Qualitative and Quantitative analysis
2.2 Risk Analysis - Qualitative Analysis
Uses descriptive scales (in words) with ordered categories
2.2 Risk Analysis - Quantitative Analysis
Uses numerical values for scales
2.2 Risk Analysis - Asset Value (AV)
Estimated total value of asset (in $$$)
2.2 Risk Analysis - Exposure Factor (EF)
% of asset loss caused by threat occurrence
2.2 Risk Analysis - Annualized Rate of Occurrence (ARO)
Estimated frequency a threat will occur in a year
2.3 Evaluation - What is the output of the risk analysis stage?
A prioritized list of risks for further action - high risk needs immediate action, low risk may be accepted without treatment
- Risk Treatment - List 4 risk treatment options
Risk Avoidance
Risk Modification
Risk Sharing
Risk Retention
- Risk Treatment - Risk Avoidance
Stop doing the activity that gives rise to risk
- Risk Treatment - Risk Modification
Apply controls to change the likelihood of the event or reduce the magnitude of consequences
- Risk Treatment - Risk Sharing
Share with another party that can effectively manage the risk
- Risk Treatment - Risk Retention
Know the risk exists, but decide to do nothing
- Risk Treatment - What is Treatment Proportionality?
Balance the cost and effort of implementing treatment option against benefits derived
- Risk Treatment - Residual Risk
Risk remaining after risk treatments have been applied
- Risk Communication
Use communication and consultation so all stakeholders understand the basis for decisions and why they are required
- Risk Communication - What is a risk statement?
A relatively short summary of risk used to communicate risks to stakeholders
- Risk Communication - Risk Statement Format
"There is a risk that <event/incident> occurs leading to <consequence> that causes <impact>"
- Risk Monitoring & Review
Ongoing review is essential to ensure continuing relevance
- Risk Monitoring & Review - What 3 things need to be monitored?
- Changes in Identified Risks
- Effectiveness of Treatment Plan
- Emerging risks
- Risk Monitoring & Review - Recording the Process
Each stage of the risk management process should be recorded
- Risk Acceptance
What level of risk is acceptable for the organisation?