ISTM 455 Chapter 5

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Information asset prioritization

Create weighting for each category based on the answers to questions. Prioritize each asset using weighted factor analysis. List the assets in order of importance using a weighted factor analysis worksheet.

the Loss Frequency

Describes assessment of likelihood of attack combined with expected probability of success v

the NIST risk management framework

Describes risk management as a comprehensive process requiring organizations to: Frame risk Assess risk Respond to determined risk Monitor risk on on going basis

residual risk

The risk to information assets that remains even after current controls have been applied

assessing risk acceptability

For each threat and associated vulnerabilities that have residual risk, create ranking of relative risk levels. Residual risk is the left-over risk after the organization has done everything feasible to protect its assets. If risk appetite is less than the residual risk, it must look for additional strategies to further reduce the risk.

calculating risk

For the purpose of relative risk assessment, risk equals: Loss frequency TIMES loss magnitude MINUS the percentage of risk mitigated by current controls PLUS an element of uncertainty

Asset attributes to be considered are

IP address, MAC address, element type, serial number, manufacturer name, model/part number, software version, physical or logical location, and controlling entity.

Data Classification and Management : Classifications include: [CIE]

Information owners are responsible for classifying their information assets. confidential Internal external

Identifying, Inventorying, and Categorizing Assets

Iterative process: Begins with the identification and inventory of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)‏ assets are then categorized "adding details as we dig deeper into the analysis. "

Risk Control Strategies [5] DTMAT

Once ranked vulnerability risk worksheet complete, must choose one of five strategies to control each risk: Defense Transfer Mitigation Acceptance Termination

Loss magnitude

how much of an information asset could be lost in a successful attack. Also known as loss magnitude or asset exposure Combines the value of information asset with the percentage of asset lost in the event of a successful attack.

Asset Categorization - Data components account for the management of

information in transmission, processing, and storage.

information asset inventory

**Unless information assets are identified and inventoried, they cannot be effectively protected.** Inventory process involves formalizing the identification process in some form of organizational tool. Automated tools can sometimes identify the system elements that make up hardware, software, and network components.

communities of interest are responsible for:

-Evaluating current and proposed risk controls -Determining which control options are cost effective for the organization -Acquiring or installing the needed controls -Ensuring that the controls remain effective

overview of risk management (3 things) know ________, know _________, and take ____________

-Know yourself: identify, examine, and understand the information and systems currently in place -Know the enemy: identify, examine, and understand the threats facing the organization -Responsibility of each community of interest within an organization to manage the risks that are encountered

what info attributes to track depends on:

-Needs of organization/risk management efforts -Preferences/needs of the security and information technology communities

Introduction:

-Organizations must design and create safe environments in which business processes and procedures can function.

risk assessment

A determination of the extent to which an organization's information assets are exposed to risk.

accepting and termination

Acceptance Doing nothing to protect a vulnerability and accepting the outcome of its exploitation Valid only when the particular function, service, information, or asset does not justify the cost of protection Termination Directs the organization to avoid business activities that introduce uncontrollable risks May seek an alternate mechanism to meet the customer needs

asset valuation

Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation Process result is the estimate of potential loss per risk. Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)‏ SLE = asset value × exposure factor (EF)‏

documenting results

At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk.

defense

Attempts to prevent exploitation of the vulnerability Preferred approach Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards Three common methods of risk avoidance: Application of policy Education and training Applying technology

mitigation

Attempts to reduce the impact of an attack rather than reduce the success of the attack itself Approach includes three types of plans: Incident response (IR) plan: define the actions to take while incident is in progress Disaster recovery (DR) plan: the most common mitigation procedure; preparations for the recovery process Business continuity (BC) plan: encompasses the continuation of business activities if a catastrophic event occurs

Recommended Risk Control Practices

Convince budget authorities to spend up to the value of an asset to protect it from identified threat. Chosen controls may be a balanced mixture that provides greatest value to as many asset-threat pairs as possible. Organizations looking to implement controls that don't involve such complex, inexact, and dynamic calculations.

important asset attributes -3 [PPD]

People: position name/number/ID; supervisor; security clearance level; special skills Procedures: description; intended purpose; relation to software/hardware/networking elements; storage location for reference; storage location for update Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

Quantitative versus Qualitative Risk Control Practices

Performing the previous steps using actual values or estimates is known as quantitative assessment Possible to complete steps using evaluation process based on characteristics using nonnumerical measures; called qualitative assessment Utilizing scales rather than specific estimates relieves or

risk assessment

Risk assessment evaluates the relative risk for each vulnerability. It assigns a risk rating or score to each information asset.

risk control

The application of controls that reduce the risks to an organization's information assets to an acceptable level.

Documenting Results of Risk Assessment: The final summarized document is the

The final summarized document is the

risk management

The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.

Risk appetite

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Risk Identification

The recognition, enumeration, and documentation of risks to an organization's information assets.

Transference

This strategy attempts to shift risk to other assets, processes, or organizations. If lacking, the organization should hire individuals/firms that provide security management and administration expertise. The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.

difficultes of loss of magnitude

Valuating an information asset Estimating percentage of information asset lost during best-case, worst-case, and most likely scenarios

Threat Assessment

Which threats present a danger to assets in the given environment? Which threats represent the most danger to information? How much would it cost to recover from a successful attack? Which threats would require greatest expenditure to prevent?

Ranked Vulnerability Risk Worksheet

Worksheet describes: asset asset relative value vulnerability loss frequency loss magnitude

Asset Categorization - Software components

are applications, operating systems, or security components

CBA Formula

determines if alternative being evaluated is worth cost incurred to control vulnerability CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) - ALE(post) - ACS ALE(prior) is annualized loss expectancy of risk before implementation of control ALE(post) is estimated ALE based on control being in place for a period of time ACS is the annualized cost of the safeguard

Asset Categorization - Procedures either...

do not expose knowledge useful to a potential attacker or are sensitive and could allow adversary to gain advantage.

Asset Categorization - hardware

either the usual system devices and peripherals or part of information security control systems.

First step in the Risk Identification process is to

follow your project management principles, 1. Begin by organizing a team with representation across all affected groups 2. The process must then be planned out ---Periodic deliverables ---Reviews --Presentations to management 3.Tasks laid out, assignments made and timetables discussed

the goal of information security is to bring

residual risk into line with risk appetite.

identify, classify and prioritize

risk management requires that infosec professionals know how to do this to an organziation infomation asset in RISK IDENTIFICATION

Data Classification and Management : Management of classified data includes

storage, distribution, transportation, and destruction.

Human resources, documentation, and data information assets are more difficult to

to identify


Ensembles d'études connexes

3.1- US Economic History/3.2- The Business Cycle

View Set

Chapter 1 Notes AP Environmental Science

View Set

physics electricity questions part 2

View Set

Forensics Crime Scene Evaluation

View Set

Secondary Education: Gallaudet University

View Set

Intro to Sociology Chapters 10-12

View Set