Chapter 8 Risk Management: Identifying and Assessing Risk
Risk identification and assessment process
- plan and organize the process
- create system component categories
- develop an inventory of assets
- identify threats
- specify vulnerable assets
- assign a value or impact rating to each asset
- assess the likelihood of each vulnerability
- calculate the relative risk factor for each asset
- perform a preliminary review of possible controls
- document findings
When the threats facing an organization should be examined
After the information assets have been identified and given a preliminary classification; threat assessment builds on the asset inventory.
Threat assessment
Each identified threat must be further examined to determine its potential to affect the targeted information asset.
Human error or failure
Example: Accidents, employee mistakes, failure to follow policy
Technological obsolescence
Example: Antiquated or outdated technologies
information extortion
Example: Blackmail, or a threat to disclose information unless paid
Technical software failures or errors
Example: Bugs, code problems, loopholes, backdoors
Sabotage or vandalism
Example: Damage to or destruction of systems or information
Forces of nature
Example: Fire, flood, earthquake, lightning, etc.
Deviations in quality of service from service providers
Example: Fluctuations in power, data, and other services
Technical hardware failures or errors
Example: Hardware equipment failure
Theft
Example: Illegal confiscation of equipment or information
Software attacks
Example: Malware (viruses, worms, macros), denial-of-service, or script injection
Compromises to intellectual property
Example: Software piracy or other copyright infringement
Espionage or trespass
Example: Unauthorized access and/or data collection
Knowing the enemy
Identifying, examining, and understanding the threats facing the organization's information assets
Risk Determination
Risk equals the likelihood of the vulnerability occurring, multiplied by the value (impact rating) of the asset, minus the percentage of that risk already controlled by existing safeguards, plus an element of uncertainty reflecting how accurate the likelihood and value estimates are believed to be.
Risk assessment
a process that assigns a comparative risk rating or score to each specific information asset. (Enables the organization to gauge the relative risk introduced by each vulnerable information asset and allows comparative ratings later in the risk control process)
Each information asset
is evaluated for each threat it faces
goal of risk assessment
is the assignment of a risk rating or score that represents the relative risk for a specific vulnerability of a specific information asset
Threat identification
process of identifying the threats that could affect each information asset; it leads directly into vulnerability identification, the assessment of the potential weaknesses in each asset that those threats could exploit.
Risk management
process of discovering and assessing the risks to an organization's operations. (Also determining how those risks can be controlled or mitigated).
Risk analysis
the identification and assessment of levels of risk in the organization. (A major component of risk management)
Project scope complexity
the assessment becomes unmanageably large if you assume every threat can and will attack every information asset; prioritizing assets and threats keeps the scope tractable.
Threats-Vulnerabilities-Assets (TVA) worksheet
worksheet lists the assets in priority order along one axis and the threats in priority order along the other axis; each cell holds the vulnerabilities of that asset to that threat, and the highest-priority asset/threat pairs are addressed first.