MIS 170 Chapter 8
control, safeguard and countermeasure
- a control limits or constrains behavior - the other two are controls that exercise restraint on or management of some activity
Countermeasure
- counters or addresses a specific threat
DRP (disaster recovery plan)
- details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations
1.3 Plan risk response
- determine responses to each risk that provide the best value
1.2 Assess risks
- determine which risks are the most serious ones
Business Impact Analysis
- determines the extent of the impact that a particular incident would have on business operations over time - asks two questions - "what can affect the business?" - "how will it affect the business?"
Monitor and control risk response
- does this countermeasure solve this problem? - countermeasures might pose a new risk to the organization - perform certification and accreditation of countermeasure programs - follow best practices and exercise due diligence
Two key risk management principles
- don't spend more to protect an asset than it is worth - a countermeasure without a corresponding risk is a solution seeking a problem; it is difficult to justify the cost
implement the risk response plan
- either administrative or technical - detective controls - preventive controls - corrective controls
DRP
- establishes an emergency operations center as an alternate location from which the BCP/DRP will be coordinated and implemented
BCM (business continuity management)
- includes BCP & DRP
Control
- includes both safeguards and countermeasures
1.5 Monitor and control risk responses
- measure each risk response to ensure that it is performing as expected
Incident handling
- preparation ==> identification ==> notification ==> response ==> recovery and followup ==> documentation and reporting
Qualitative Risk Analysis
- probability or likelihood - impact
Two approaches to assess risk
- quantitative: attempts to describe risk in financial terms - qualitative: ranks risks based on their probability of occurrence and impact on business operations
Plan a risk response
- reduce, transfer, accept, and avoid each negative risk - exploit, share, enhance, or accept each positive risk
Threat
- something (generally bad) that might happen
1.4 Implement risk response
- take action
Impact
- the amount of harm a threat exploiting a vulnerability can cause
Purpose of risk management
- to identify possible problems before something bad happens
1.1 Identify Risk
- what could go wrong? Develop scenarios for each threat to assess the threats - Methods: Brainstorming, Surveys, Interviews, Checklists
Restoring damaged systems
-
Risk Register
- contains information on risks - description - expected impact - the probability - steps to mitigate the risk - steps to take should the event occur - rank of risk
Steps to disaster recovery
- ensure the safety of individuals ==> contain the damage ==> assess the damage and begin recovery operations according to the DRP and BCP
Review and test the plan
- important to review and update the BCP regularly - checklist - structured walk-through - simulation - parallel - full interruption
Risk
- The likelihood that a particular threat will be realized against a specific vulnerability
Event
- a measurable occurrence that has an impact on the business
Disruption
- a sudden unplanned event.
Safeguard
- addresses gaps or weaknesses in controls that could lead to a realized threat
Incident
- any event that violates or threatens to violate your security policy
Vulnerability
- any exposure that could allow a threat to be realized
Calculating Quantified Risk
- calculate the asset value - calculate the exposure factor - calculate the single loss expectancy - determine how often a loss is likely to occur every year - determine annualized loss expectancy
BCP (business continuity plan)
- contains the actions needed to keep critical business processes running after a disruption
Risk management process
- identify risk ==> assess risks ==> plan risk response ==> implement risk responses ==> monitor and control risk responses