Chapter 4: Risk Analysis Process


- Better securing the IT systems that store, process, or transmit organizational information.
- Enabling management to make well-informed risk management decisions and to justify the expenditures.
- Assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation.
- A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

Objectives of performing risk management include?

- System-specific
- Hybrid
- Common

Security controls are allocated to various components of an information system such as?

- The likelihood that the event will occur or be initiated by an adversary.
- The likelihood that the initiation/occurrence will result in adverse impacts.

The overall likelihood of a threat event is the combination of?

- Step 1: Prepare for the Assessment
- Step 2: Conduct the Assessment
- Step 3: Communicate and Share Assessment Results
- Step 4: Maintain the Assessment

The process of assessing information security risk based on NIST SP 800-30 includes what? Or what is the Risk Assessment Process?

Risk Tolerance

The willingness of some person or some organization to accept or avoid risk is called?

- Threat sources
- Threat events
- Vulnerabilities and predisposing conditions.
- Potential impacts. (Likelihood of impacts)
- Assessment and analysis approaches.
- What mission/business functions are primary.

What are some examples of assumptions in key areas relevant to the risk assessment?

- Resources available for the assessment.
- Skills and expertise available for the assessment.
- Operational considerations related to mission/business activities.

What are some examples of constraints in key areas relevant to the risk assessment?

- Risk Avoidance
- Risk Mitigation
- Risk Sharing or Transfer
- Risk Acceptance

What are some risk response options?

- Organizational applicability.
- Time frame supported.
- Architectural/Technology considerations.

What does Task 1-2: Identify Scope, in the Risk Assessment Process provide?

- Organizational applicability.
- Time frame supported.
- Architectural/Technology considerations.

What does Task 1-3: Identify Assumptions and Constraints, in the Risk Assessment Process provide?

Determines the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.

What does Task 2-6: Determine Risk, in the Risk Assessment Process provide?

Communicates risk assessment results to organizational decision makers to support risk responses and determining the appropriate method.

What does Task 3-1: Communicate Risk Assessment Results, in the Risk Assessment Process provide?

Threat-oriented, asset/impact-oriented, vulnerability-oriented.

What is an analysis approach?

Quantitative, qualitative, semi-quantitative.

What is an assessment approach?

- Tier 1: Organizational (Governance)
- Tier 2: Mission / Business Process
- Tier 3: Information System (Environment of Operation)

What is the DoD three-tiered approach to risk management that addresses risk-related concerns as described in NIST SP 800-39?

Risk Management

What is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions?

Risk Mitigation

What risk response option may be appropriate for a portion of risk that cannot be accepted, avoided, shared, or transferred?

Risk Acceptance

What risk response option may be appropriate when identified risk is within the organizational risk tolerance or substantially greater risk due to compelling mission, business, or operational needs?

Risk Sharing or Transfer

What risk response option may be appropriate when organizations desire and have the means to shift risk liability and responsibility to other organizations?

Risk Avoidance

What risk response option may be appropriate when the identified risk exceeds the organizational risk tolerance by taking actions to eliminate the activities or technologies that are the basis for the risk?

Risk Management Framework

NIST, in partnership with DoD, ODNI, and CNSS, has developed a common information security framework for the federal government and contractors called?

Effectiveness Time-Frame

Describes how long the results of particular risk assessments can be used to legitimately inform risk-based decisions.

Organizational Applicability

Describes which parts of the organization or sub-organizations are affected by the risk assessment and the risk-based decisions resulting from the assessment.

- Improve information security.
- Strengthen risk management processes.
- Encourage reciprocity among federal agencies.

Goals of the Risk Management Framework?

- System Security Plan (SSP)
- Plan of Action & Milestones (POA&M)
- Security Assessment Report (SAR)
- Authorization Decision Document (ADD)

Key documents produced during the RMF process?

NIST SP 800-37 (revision 1)

The Risk Management Framework can be found in what publication?

- Techniques and methodologies the organization plans to employ to assess security risks.
- Methods and procedures the organization plans to use to evaluate the significance of identified risks.
- Mitigation measures the organization plans to employ to address identified risks.
- Level of acceptable risk (risk tolerance).
- Ongoing monitoring and oversight to ensure strategy is being effectively carried out.

Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes what?

- Defining core missions and business processes.
- Prioritizing missions and business processes.
- Defining types of information needed to successfully execute missions and processes.
- Incorporating organizational-wide (high-level) information security into missions and business processes.
- Specifying the degree of autonomy for subordinate organizations that the parent organization is willing to permit.

Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and also include what?

An Information System Perspective

Tier 3 addresses risk from _____________ and is guided by the decisions at Tiers 1 and 2. Risk decisions at upper levels impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e. security controls).

- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor

What are the RMF steps?

Architectural/Technology Considerations

What considerations are used to clarify the scope of the risk assessment?

- Information that the assessment is intended to produce.
- Decisions the assessment is intended to support.

What does Task 1-1: Identify Purpose, in the Risk Assessment Process provide?

Allows the organization to identify internal or external sources of information on threats, vulnerabilities, and impacts.

What does Task 1-4: Identify Information Sources, in the Risk Assessment Process provide?

It explores one or more risk models for use in conducting risk assessments and identifies which model is to be used for the risk assessment.

What does Task 1-5: Identify Risk Model and Analytic Approach, in the Risk Assessment Process provide?

- Identifies and characterizes threat sources of concern, including the capability, intent, and targeting characteristics for adversarial threats.
- Assesses the range of effects for non-adversarial threats.

What does Task 2-1: Identify Threat Sources, in the Risk Assessment Process provide?

- Identifies potential threat events.
- The relevance of the event.
- Identifies threat sources that could initiate the events.

What does Task 2-2: Identify Threat Events, in the Risk Assessment Process provide?

To understand the nature and degree to which organizations, mission/business processes, and information systems are vulnerable to threat sources.

What does Task 2-3: Identify Vulnerabilities and Predisposing Conditions, in the Risk Assessment Process provide?

To assess the likelihood of threat event initiation by taking into consideration the characteristics of the threat sources, the vulnerabilities/predisposing conditions identified, and organizational susceptibility reflecting the safeguards/countermeasures in place to impede such events.

What does Task 2-4: Determine Likelihood, in the Risk Assessment Process provide?

Describes adverse impacts in terms of the potential harm caused to organizational operations and assets, individuals, other organizations, or the Nation.

What does Task 2-5: Determine Impact, in the Risk Assessment Process provide?

Shares risk-related information produced during the risk assessment with appropriate organizational personnel.

What does Task 3-2: Share Risk-Related Results, in the Risk Assessment Process provide?

Conducts ongoing monitoring of the risk factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the Nation.

What does Task 4-1: Monitor Risk Factors, in the Risk Assessment Process provide?

Updates existing risk assessment using the results from ongoing monitoring of risk factors.

What does Task 4-2: Update Risk Assessment, in the Risk Assessment Process provide?

