Risk management

Ace your homework & exams now with Quizwiz!

What is at risk

Networks- is someone on the network, capturing data Data- is it being taken or altered.

Does risk management eliminate risk?

No

Attacks

Acts or actions that exploit vulnerabilities (an identified weakness) Accomplished by threat agent that damages or steals organizations information

Threat

Any activity that represents a possible danger or loss of CIA.

Which of the following is true about a threat?

Any activity that represents a possible loss of CIA or presents a danger

List the 5 steps of the Risk Management process

Asset Identification Identify Threats Identify Vulnerabilities Asses Risks Determine Countermeasures

Risk Management Process

Asset identification Identify threats Identify Vulnerabilities Assess Risk Determine Countermeasures

Best practices in threat assesment

Assume nothing

Sources for identifying vulnerabilities

Audits Certification and accreditation (ATO, OSA) System logs, scan reports Incident Response investigation

List four stratgies for risk control:

Avoidance Transference Mitigation Acceptance

cost-benefit analysis

CBA is begun by evaluating worth of assets to be protected and the loss in value if those assets are compromised items that impact cost of a control: cost of development training fees implementation cost service costs cost of maintenance

When identifying risk consider

CIA Confidentiality- data at rest/in transmission. Integrity- versioning, change management Availability- backups, required hours of operation.

Risk Management Process: Asset Identification

Can be: People- id number, skills, clearance level, Data and information- data structure, creator/owner, online/offline location, backup procedures. Procedures- description, elements its tied to, purpose, storage location Software Hardware Attributes to consider for hardware/software: names, IP address, MAC, serial number, model, software version,

Information asset valuation

Critical- compromise to these assets would have grave consequences leading to mission failure. 50-100 High- compromise would have serious consequences that would impair operations for a significant period of time 13-50 Medium- compromise to assets would have moderate consequences that could impair operations for limited time 3-13 Low- compromise to assets would have little or no impact 1-3

Vulnerability Valuation

Critical- no known countermeasures and adversary capability exists 75-100% High- some countermeasures, multiple weaknesses exist that could be exploited 50-74% Medium- there are effective countermeasures in place, but adversaries can exploit a weakness 25-49% Low- multiple levels of countermeasure exist and few or no adversaries could exploit the asset 0-24%

A good risk management plan will eliminate all risks.

False

Documenting the results of risk assessment

Final summary comprised in ranked vulnerability risk worksheet. which details assets, asset impact, vulnerability, vulnerability likelihood and risk rating factor. needed for next step: assessing and controlling risk

Vulnerability Identifcation

Human Operational- insufficient security procedures Informational vulnerabilities Facility- weak physical location and geographical Equipment

Threat Categories

Human Threats Natural Threats Bring your own device Cloud Computing Big data

To identify risks

Identify Threats Identify vulnerabilities Estimate the likelihood of a threat exploiting a vulnerability

Risk Mitigation Plan

Identify costs implement countermeasures verify countermeasures are effective Document- plan of actions and milestones (POAMS)

Human Threats

Internal or External Internal- current or past employees External- hackers, malware, DOS, terrorists.

Overview of risk management

Know yourself- understand the systems currently in place Know the enemy- understand threats to the organization

Selecting a risk contorl strategy

Level of threat and value of asset play a major role in selecting a control method. •Rules of thumb on strategy selection can be applied: •When a vulnerability exists •When a vulnerability can be exploited •When attacker's cost is less than potential gain •When potential loss is substantial•

What is risk cont.

Likelihood Threat Vulnerability Impact

What is risk?

Likelihood that a loss will occur. Harm that may arise from some current process or future event. Process of understanding and responding to factors that may lead to failure of CIA.

Risk Component: Losses

Losses- occur when a threat exposes a vulnerability results in a compromise to business functions or assets

Types of attacks

Malware- viruses, worms, trojan horses, active web scripts, with intent to destroy or steal information DoS- sending a large number of connection or information requests to a target Phishing- attempt to gain personal/financial information from person. Social engineering- people are the weakest link.

Risk Management Process: Risk Control

Once the risk worksheet is complete you must choose one strategy to control each risk. Avoidance Transference Mitigation Acceptance

List at least three different categories of assets for an organization,

People. Data and information, Procedures, Software. hardware

Types of risk assessment

Quantitative Qualitative

Risk Management Process: Identify Threats

Realistic threats need investigation, set aside non important threats

Select the correct formula for calculating risk

Risk = Asset Value x Threat Rating x Vulnerability Rating

Qualitative Assessment

Subjective Method use relative values based on opinions from experts. Uses words such as low, moderate, high Uses probablity and impact.

Risk Appetite

The amount of risk an organization is willing to accept considering costs and benefits. Decisions with regard to: allocation of resources Management controls Potential consequences Impacts to other parts of organization

Threat and vulnerability order

Threat creates an attack Attack exploits a vulnerability An exploited vulnerability results in a loss

Transference

Transfer the risk or share it with other assets, processes or organizations

Most attacks occur by exploiting a vulnerability.

True

Not all risks are created equal or should be treated the same.

True

Risk Management Process: Vulnerability Identification

Vulnerability- anything that can be exploited to attack an asset At the end of the risk identification process, you'll have a list of assets and their vulnerabilities

Example: a Microsoft patch is not applied.

Vulnerability- what the patch was fixing Threat- someone may gain access to a network if the patch inst applied Likelihood-??

Overlapping countermeasures

Vulnerability=weakness (doesnt present a risk) Threat does not present a risk Risk= threat exploits a vulnerability

Information Asset valuation questions to consider

Which asset is: most critical to organizations success? Generates the most revenue/profitability? would be most expensive to replace or protect? would be the most embarrassing or cause greatest liability?

Questions to ask in Threat assessment

Which threats present danger to assests? Which threat represents the most danger to information? How much would it cost to recover from attack? Which threat requires greatest expenditure to prevent?

Threat

any activity that represents a possible danger or loss of CIA. They exploit vulnerabilities Identify threats: internal/external natural or man made Intentional or accidental

Mission critical systems

any system that must continue to run to ensure business runs.

Avoidance

apply safeguards eliminate the source of the risk eliminate the exposure of assets to the risk attempts to prevent exploitation of the vulnerability Three common methods: application of policy training and education applying technology

Risk Management Process: Risk Assessment

evaluates the relative risk for each vulnerability assigns a risk rating/score to each asset. Based on asset value, threat and vulnerability assessment (HW chart) Goal- create a method for evaluation the relative risk of each listed vulnerability

A good risk management strategy involves annual monitoring.

false

Goal of risk managment

identify the risks, determine the appropriate actions.

Risk Profile

listing and assessment of the business's top risks

Quantitative Assessment

objective method Uses numbers with dollar values Math problems Requires data that takes time to gather

Probability/Likelihood

probability that a specific vulnerability will be the object of a successful attack. Assign a value 1-100

Risk control

process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components of an information system

Risk Analysis in Information Systems is primarily:

qualitative

Mitigaiton

reduce the impact of the risk, or reduce vulnerability (likelihood or impact) through planning and preparation Approach includes three types of plans: IRP DRP BCP

TIps to identify threats

review historical data Review information on past threats No guaranteed threats will be repeated No guarantee new threats wont appear. Think like an adversary

Accept the risk

take no action. valid only when the service/information/asset doesnt justify the cost of protection risk appetite describes the degree to which organization is willing to accept risk

Risk response

the action taken to manage or treat the risks Not all risks are created equal or should be treated the same Goal- identify the risks, determine the appropriate actions.

What is Risk Management

the identification, assessment and prioritization of risks.

Residual Risk

the risk that remains residual risk = total risk-controls

Critical Business function

vital to an organization, if it fails cannot perform essential operations and results in monetary loss

Vulnerability

weakness in a system, procedure or internal control that could be exploited or triggered by a threat source

Risk identifcation

•A risk management strategy enables identification, classification, and prioritization of organization's information assets •Residual risk: risk remaining to the information asset even after the existing control is applied

Minimizing risk

•Assess the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. • •Determine the levels of information security appropriate to protect information and information systems. • •Implement policies and procedures to cost-effectively reduce risks to an acceptable level. • •Regularly test and evaluate information security controls and techniques to ensure effective implementation and improvement of such controls and techniques.

Summary Cont

•Risk Management is a recognition that you cannot protect your company from everything. •It is about prioritization and the acceptance of risk. •IT should NOT decide how much residual risk is acceptable.


Related study sets

Church History Trimester 1 Review Ch. 1

View Set

Finance: Ch 3 Institutional Lenders for Real Estate Finance

View Set

NCLEX/ ATI comp: Musculoskeletal (OA & RA)

View Set

Science 500 - Unit 2, Plants - TEST

View Set

Funeral Services NBE Arts Review

View Set

All BABOK Techniques - Advantages & Disadvantages

View Set

Section 9: Animal Nursing: Animal Care, Emergency Care, Pocket Pets/Laboratory Animals, Medical Nursing

View Set