ISTM 455 Chapter 5
Information asset prioritization
Create weighting for each category based on the answers to questions. Prioritize each asset using weighted factor analysis. List the assets in order of importance using a weighted factor analysis worksheet.
the Loss Frequency
Describes assessment of likelihood of attack combined with expected probability of success v
the NIST risk management framework
Describes risk management as a comprehensive process requiring organizations to: Frame risk Assess risk Respond to determined risk Monitor risk on on going basis
residual risk
The risk to information assets that remains even after current controls have been applied
assessing risk acceptability
For each threat and associated vulnerabilities that have residual risk, create ranking of relative risk levels. Residual risk is the left-over risk after the organization has done everything feasible to protect its assets. If risk appetite is less than the residual risk, it must look for additional strategies to further reduce the risk.
calculating risk
For the purpose of relative risk assessment, risk equals: Loss frequency TIMES loss magnitude MINUS the percentage of risk mitigated by current controls PLUS an element of uncertainty
Asset attributes to be considered are
IP address, MAC address, element type, serial number, manufacturer name, model/part number, software version, physical or logical location, and controlling entity.
Data Classification and Management : Classifications include: [CIE]
Information owners are responsible for classifying their information assets. confidential Internal external
Identifying, Inventorying, and Categorizing Assets
Iterative process: Begins with the identification and inventory of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking) assets are then categorized "adding details as we dig deeper into the analysis. "
Risk Control Strategies [5] DTMAT
Once ranked vulnerability risk worksheet complete, must choose one of five strategies to control each risk: Defense Transfer Mitigation Acceptance Termination
Loss magnitude
how much of an information asset could be lost in a successful attack. Also known as loss magnitude or asset exposure Combines the value of information asset with the percentage of asset lost in the event of a successful attack.
Asset Categorization - Data components account for the management of
information in transmission, processing, and storage.
information asset inventory
**Unless information assets are identified and inventoried, they cannot be effectively protected.** Inventory process involves formalizing the identification process in some form of organizational tool. Automated tools can sometimes identify the system elements that make up hardware, software, and network components.
communities of interest are responsible for:
-Evaluating current and proposed risk controls -Determining which control options are cost effective for the organization -Acquiring or installing the needed controls -Ensuring that the controls remain effective
overview of risk management (3 things) know ________, know _________, and take ____________
-Know yourself: identify, examine, and understand the information and systems currently in place -Know the enemy: identify, examine, and understand the threats facing the organization -Responsibility of each community of interest within an organization to manage the risks that are encountered
what info attributes to track depends on:
-Needs of organization/risk management efforts -Preferences/needs of the security and information technology communities
Introduction:
-Organizations must design and create safe environments in which business processes and procedures can function.
risk assessment
A determination of the extent to which an organization's information assets are exposed to risk.
accepting and termination
Acceptance Doing nothing to protect a vulnerability and accepting the outcome of its exploitation Valid only when the particular function, service, information, or asset does not justify the cost of protection Termination Directs the organization to avoid business activities that introduce uncontrollable risks May seek an alternate mechanism to meet the customer needs
asset valuation
Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation Process result is the estimate of potential loss per risk. Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO) SLE = asset value × exposure factor (EF)
documenting results
At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk.
defense
Attempts to prevent exploitation of the vulnerability Preferred approach Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards Three common methods of risk avoidance: Application of policy Education and training Applying technology
mitigation
Attempts to reduce the impact of an attack rather than reduce the success of the attack itself Approach includes three types of plans: Incident response (IR) plan: define the actions to take while incident is in progress Disaster recovery (DR) plan: the most common mitigation procedure; preparations for the recovery process Business continuity (BC) plan: encompasses the continuation of business activities if a catastrophic event occurs
Recommended Risk Control Practices
Convince budget authorities to spend up to the value of an asset to protect it from identified threat. Chosen controls may be a balanced mixture that provides greatest value to as many asset-threat pairs as possible. Organizations looking to implement controls that don't involve such complex, inexact, and dynamic calculations.
important asset attributes -3 [PPD]
People: position name/number/ID; supervisor; security clearance level; special skills Procedures: description; intended purpose; relation to software/hardware/networking elements; storage location for reference; storage location for update Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Quantitative versus Qualitative Risk Control Practices
Performing the previous steps using actual values or estimates is known as quantitative assessment Possible to complete steps using evaluation process based on characteristics using nonnumerical measures; called qualitative assessment Utilizing scales rather than specific estimates relieves or
risk assessment
Risk assessment evaluates the relative risk for each vulnerability. It assigns a risk rating or score to each information asset.
risk control
The application of controls that reduce the risks to an organization's information assets to an acceptable level.
Documenting Results of Risk Assessment: The final summarized document is the
The final summarized document is the
risk management
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Risk appetite
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
Risk Identification
The recognition, enumeration, and documentation of risks to an organization's information assets.
Transference
This strategy attempts to shift risk to other assets, processes, or organizations. If lacking, the organization should hire individuals/firms that provide security management and administration expertise. The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.
difficultes of loss of magnitude
Valuating an information asset Estimating percentage of information asset lost during best-case, worst-case, and most likely scenarios
Threat Assessment
Which threats present a danger to assets in the given environment? Which threats represent the most danger to information? How much would it cost to recover from a successful attack? Which threats would require greatest expenditure to prevent?
Ranked Vulnerability Risk Worksheet
Worksheet describes: asset asset relative value vulnerability loss frequency loss magnitude
Asset Categorization - Software components
are applications, operating systems, or security components
CBA Formula
determines if alternative being evaluated is worth cost incurred to control vulnerability CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) - ALE(post) - ACS ALE(prior) is annualized loss expectancy of risk before implementation of control ALE(post) is estimated ALE based on control being in place for a period of time ACS is the annualized cost of the safeguard
Asset Categorization - Procedures either...
do not expose knowledge useful to a potential attacker or are sensitive and could allow adversary to gain advantage.
Asset Categorization - hardware
either the usual system devices and peripherals or part of information security control systems.
First step in the Risk Identification process is to
follow your project management principles, 1. Begin by organizing a team with representation across all affected groups 2. The process must then be planned out ---Periodic deliverables ---Reviews --Presentations to management 3.Tasks laid out, assignments made and timetables discussed
the goal of information security is to bring
residual risk into line with risk appetite.
identify, classify and prioritize
risk management requires that infosec professionals know how to do this to an organziation infomation asset in RISK IDENTIFICATION
Data Classification and Management : Management of classified data includes
storage, distribution, transportation, and destruction.
Human resources, documentation, and data information assets are more difficult to
to identify