Quiz 4 Info Security
What information attributes to track depends on:
- Needs of organization/risk management efforts
- Management needs of information security/information technology communities
Benchmarking
- an alternative to CBA
- process of seeking out and studying practices in other organizations that one's own org desires to duplicate
Defense Strategy Summary
- assigns a mitigation approach to each vulnerability
- key info: defense - vulnerability list
Defense (Avoidance)
- attempts to prevent exploitation of the vulnerability
- available methods: policy, education, technology, combination
Current Best Practices
- baseline and track basic defense coverages
- baseline and track patch latency
- password strength rater
- automated platform compliance scores
- email traffic analysis
Termination
- benefit of business practice not worth the potential reward
- methods: evaluate alternative methods, discontinue service
Cost Benefit Analysis
- common, accepted approach for information security controls selection
- evaluates value of assets to be protected compared with the expense of protection
- EX: economic feasibility study
Methods for selecting risk control strategy
- cost benefit analysis
- benchmarking
- best practices
Acceptance
- doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- valid only when the particular function, service, info, or asset does not justify cost of protection
What are the three components of risk assessment?
- estimate of the likelihood of attack
- estimate of the likelihood of success
- estimate of the magnitude of loss
Vulnerability Matrix Summary
- identify threat-asset pairs or vulnerabilities
- key info: comprehensive list of vulnerabilities
What are two measurement categories used to compare practices in benchmarking?
- metrics-based measures
- process-based measures
Problems with Applying Benchmarking and Best Practices
- organizations don't talk to each other
- no two organizations are identical
- best practices are a moving target
- knowing what was going on in information security in recent years through benchmarking doesn't necessarily prepare for what's next
Contractual Transfer
- risk transfer mechanism
- refers to the various methods other than insurance by which a pure risk and its potential financial consequences can be transferred to another party
Risk Transfer
- stick to your knitting: transfer non-expert internal services to external expert organizations
- available methods: service level objectives, insurance
When considering best practices for adoption in an organization
Does organization resemble identified target with best practice? Are resources at hand similar? Is organization in a similar threat environment?
Weighted Factor Analysis
Lists the information assets and then has a few criteria in columns - each column is given a weight, and the weights must add up to 100; each asset is then given a score by multiplying its score on each criterion by that criterion's weight
Risk Management
a continuous life cycle process
risk assessment is considered
a guesstimation
A vulnerability exists when what two things come together?
a threat and an asset
Know yourself
identify, examine and understand the information and systems currently in place
Who is responsible for classifying their information assets?
information owners
At the end of risk identification process,
list of assets and their vulnerabilities is achieved
What asset attributes are to be included in asset identification?
name, IP address, MAC address, element type, serial number, manufacturer name, model number, software version, physical location, logical location, controlling entity
What does the ranked vulnerability worksheet look like?
one column for the asset and one column for the asset impact, one column for the vulnerability and another column for its likelihood - each asset is then given a risk-rating factor (final column)
Vulnerability Identification works best when
people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions
Asset Attributes for people
position, clearance level, name/number/id, special skills, supervisor
Risk Assessment Summary
process of assigning a value or risk rating to asset/threat pairs (vulnerabilities)
Risk Assessment
process of determining the extent to which given risks may impact organizational assets
Risk Identification
process of examining and documenting an organization's current information technology security situation
Risk Control Summary
process of taking carefully reasoned steps to ensure the confidentiality, integrity and availability of components in organization's information system
Information classifications must be
reviewed periodically
Sun Tzu's concept of "know your enemy" relates to what phase of the risk management process?
risk identification
Sun Tzu's concept of "know yourself" relates to what phase of the risk management process?
risk identification
Residual Risk
risks that remain in information assets even after existing controls are applied
Best business practices
security efforts that provide a superior level of protection of information
Vulnerability Identification
specific avenues threat agents can exploit to attack an information asset are called vulnerabilities
Risk Appetite
the degree to which orgs are willing to accept risk as trade-off to the expense of applying controls
What two values in the estimated risk are percentages?
the likelihood of attack and the likelihood of success
What deliverable is tied to the risk assessment phase?
the ranked vulnerability worksheet where the final quantity reported for each asset/threat pair is the risk rating factor
Risk Assessment evaluates
the relative risk for each vulnerability and assigns a risk rating score to each information asset
What work product results from vulnerability identification?
threat/asset matrix
What is the primary objective for the weighted factor analysis?
to provide value and prioritize assets, it provides a weighted score for each asset
Ranked Vulnerability Worksheet summary
uses estimates for attack, success and loss - key info: weighted vulnerability list
What deliverables are associated with risk identification?
weighted factor analysis and threat/asset matrix
Mitigation Approach includes
- Disaster Recovery Plan (DRP): restoration of operations in total-loss scenario
- Business Continuity Plan (BCP): continue basic operation without given resources
- Incident Response Plan (IRP): immediate actions in the event of an incident
Mitigation
- attempts to reduce impact of vulnerability exploitation through planning and preparation
Weighted Factor Analysis Summary
- value & prioritize assets
- key info: weighted score for each asset
What is a threat/asset matrix?
Assets are on one axis and the threats are on the other axis - under each asset you mark which threats apply to it
Examples of threats with info security
Acts of human error or failure, forces of nature, technological obsolescence, hardware and software failures
Strategies available to control identifiable risks
- Apply safeguards (defense)
- Transfer the risk (transference)
- Reduce impact (mitigation)
- Understand consequences and accept risk (acceptance)
- Eliminate vulnerable asset (termination)
What two tools can be used to show that due care and due diligence are being met?
- Benchmarking: meets acceptability of other industry participants or leaders
- Best Practices: provide a superior level of protection of information compared to industry mean
Tools for controlling Risk
CBA, benchmarking, best practices
What deliverables are associated with risk assessment?
Ranked vulnerability worksheet
What are the three components of risk management?
Risk control, risk identification, risk assessment
Risk Control
applying controls to reduce risks to an organization's data and information systems
Questions for valuation and prioritization
Can this asset be monetized? Is it critical to org success? Essential for revenue/profitability? Most expensive to replace or protect? Embarrassing or a cause of great liability if lost?
Most organizations do not need a detailed level of
classification - typically just military and federal agencies
Asset attributes for data
classification, owner/manager, online/offline, location, data structures used, backup procedures
What deliverables are associated with risk control?
defense strategy
What are the five strategies for risk control?
defense, risk transfer, mitigation, acceptance, termination
Asset Attributes for procedures
description, storage location for reference, intended purpose, associated assets, storage location for update
During Threat Identification
determine realistic threats needing investigation; unimportant threats are set aside
What is the equation for the estimated risk?
estimated risk = A*S*M
Risk Identification Summary
- formal process of examining and documenting risk present in info systems
- enables identification, classification and prioritization of organization's information assets
Know the enemy
identify, examine and understand threats facing the organization