Chapter 8 Risk Management: Identifying and Assessing Risk


Risk identification and assessment process

- Plan and organize the process.
- Create system component categories.
- Develop an inventory of assets.
- Identify threats.
- Specify vulnerable assets.
- Assign a value or impact rating to assets.
- Assess the likelihood for vulnerabilities.
- Calculate the relative risk factor for assets.
- Conduct a preliminary review of possible controls.
- Document findings.

threats facing an organization should be examined

After identifying and performing a preliminary classification of information assets.

Threat assessment

Each identified threat must be further examined to determine its potential to affect the targeted information asset.

Human error or failure

Example: Accidents, employee mistakes, failure to follow policy

Technological obsolescence

Example: Antiquated or outdated technologies

information extortion

Example: Blackmail threat of information disclosure

Technical software failures or errors

Example: Bugs, code problems, loopholes, backdoors

Sabotage or vandalism

Example: Damage to or destruction of systems or information

Forces of nature

Example: Fire, flood, earthquake, lightning, etc.

Deviations in quality of service from service providers

Example: Fluctuations in power, data, and other services

Technical hardware failures or errors

Example: Hardware equipment failure

Theft

Example: Illegal confiscation of equipment or information

Software attacks

Example: Malware: viruses, worms, macros, denial-of-service, or script injections

Compromises to intellectual property

Example: Software piracy or other copyright infringement

Espionage or trespass

Example: Unauthorized access and/or data collection

Knowing the enemy

Identifying, examining, and understanding the threats facing the organization's information assets

Risk Determination

Risk equals the likelihood of vulnerability occurrence multiplied by the asset's value, minus the percentage of risk already controlled, plus an element of uncertainty.

Risk assessment

A process that assigns a comparative risk rating or score to each specific information asset. (This enables the organization to gauge the relative risk introduced by each vulnerable information asset and allows comparative ratings later in the risk control process.)

Each information asset

is evaluated for each threat it faces

goal of risk assessment

is the assignment of a risk rating or score that represents the relative risk for a specific vulnerability of a specific information asset

Threat identification

process of assessing potential weaknesses in each information asset.

Risk management

The process of discovering and assessing the risks to an organization's operations, and of determining how those risks can be controlled or mitigated.

Risk analysis

The identification and assessment of levels of risk in the organization. (A major component of risk management.)

Project scope complexity

Results when one assumes that every threat can and will attack every information asset.

Threats-Vulnerabilities-Assets (TVA) worksheet

A worksheet that lists the assets in priority order along one axis and the threats in priority order along the other axis.

