IT security EXAM #2 (Chapter 8)
What are the elements of Risks?
Assests, Threats, and Vulnerabilities
Business Impact Analysis (BIA):
An analysis of the business to determine what kinds of events will have an impact on what systems.
Business continuity plan (BCP):
Contains the actions needed to keep critical business processes running after a disruption. Disruptions can be minor, such as a power outage, or major, such as weather damage that makes an organization's building unusable.
Disaster recovery plan (DRP):
Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations. §Disruptions include extreme weather, criminal activity, civil unrest/terrorist acts, operational, and application failure disruptions
Purpose of Risk Management
Identify Risks
Risk Management and Information Security (GOAL)
Seek a balance between the utility and cost of various risk management options
Importance of Business Impact Analysis
§Conduct a BIA for these reasons: •Set value of each business unit or resource as it relates to how the entire organization operates •Identify critical needs to develop a business recovery plan •Set order or priority for restoring the organization's functions after a disruption
Assess Risks
§Quantitative—Attempts to describe risk in financial terms and put a dollar value on each risk §Qualitative—Ranks risks based on their probability of occurrence and impact on business operations
Ther Risk Management Process
• Identify risks: The first step to managing risk is identifying risks. What could go wrong? Answers can include fire, flood, earthquake, lightning strike, loss of electricity or other utility, labor strikes, and transportation unavailability. You must develop scenarios for each threat to assess the threats. • Assess risks: Some risks pose a greater possibility of loss than others. Furthermore, not all risks apply to all businesses in all locations. For example, businesses in Montana or Moscow don't need to worry about hurricanes. Of the risks that are possible, impact will be more or less severe depending on the scenario and location. Assessing risk is about determining which risks are the most serious ones. • Plan risk response: Starting with the highest-priority risks, explore potential responses to each one. With direction from your organization's upper management, determine the responses to each risk that provide the best value. • Implement risk responses: Take action to implement the chosen responses to each risk from the previous step. • Monitor and control risk responses: Monitor and measure each risk response to ensure that it is performing as expected. This step can include passive monitoring and logging as well as active testing to see how a control behaves.
How to identify Risks
•Brainstorming •Surveys •Interviews •Working groups •Checklists •Historical information