Week 8 - Risk Management
What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?
Risk identification (vulnerability), assessment (exposure), and control (reduce to acceptable)
According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
Know yourself (standing), know the enemy (threats).
Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
- Each community of interest
- Information security community
In risk management strategies, why must periodic review be part of the process?
To ensure the controls are still effective; this step is often neglected.
Why do networking components need more examination from an information security perspective than from a systems development perspective?
Networking components are often the focal point of attacks, so they are considered separately rather than combined with other components.
What value does an automated asset inventory system have during risk identification?
- Identify system elements that make up hardware, software, and network components
- Support the calculation of possible loss and the cost of protection in risk management
What information attribute is often of great value for local networks that use static addressing?
- IP Address
- With dynamic addressing, the MAC Address is more useful.
When devising a classification scheme for systems components, is it more important that the asset identification list be comprehensive or mutually exclusive?
Both are important; the emphasis depends on the organization's priorities for the list and its classification scheme.
What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?
Revenue is the recognition of income from an activity supported by the system. Profit is the amount of revenue that exceeds operating costs. Some systems may cost more to operate than they contribute to revenue.
What are vulnerabilities? How do you identify them?
- Specific avenues that threat agents can exploit to attack an information asset.
- Analyzing all components of an information system and evaluating the risk to each component identifies the vulnerabilities.
What is competitive disadvantage? Why has it emerged as a factor?
A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplaces.
It has emerged as a factor because almost all organizations now have an IT system. Therefore, organizations need to obtain or improve their IT systems to avoid falling behind all others.
What five strategies for controlling risk are described in this chapter?
- Defend - The defend control strategy attempts to prevent the exploitation of the vulnerability.
- Transfer - The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
- Mitigate - The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
- Accept - The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
- Terminate - The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
Describe the defense strategy for controlling risk. List and describe the three common methods.
The defense strategy attempts to prevent the exploitation of the vulnerability.
- Application of policy
- Education and training
- Application of technology
Describe the transference strategy for controlling risk. Describe how outsourcing can be used for this purpose.
The transference strategy shifts risk to other assets, other processes, or other organizations by rethinking how services are offered, revising deployment models, outsourcing, insurance, or implementing service contracts with providers.
Outsourcing transfers the risk to another organization that has the relevant experience; the service provider becomes responsible for disaster recovery.
Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?
Reduce the impact.
- Incident Response Plan (IRP)
- Disaster Recovery Plan (DRP)
- Business Continuity Plan (BCP)
How is an incident response plan different from a disaster recovery plan?
The DR plan focuses more on preparations completed before, and actions taken after, disasters (often escalated incidents), with the goal of reestablishing operations at the primary site.
The IR plan focuses on incident response: intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions taken while an incident is occurring.
What is risk appetite? Explain why it varies among organizations.
Quantity and nature of risk that organizations are willing to accept as trade-offs of security with accessibility.
It varies because organizations differ in the expense of controlling risk relative to the losses they would incur; the key is to find the balance.
What is a cost-benefit analysis?
A decision-making process to evaluate whether benefit is worth the expense.
What is single loss expectancy? What is annualized loss expectancy?
A single loss expectancy is the value associated with the most likely loss from an attack.
Annual loss expectancy is the expected loss from exploitation of a vulnerability for a specific information asset over the course of a year.
What is residual risk?
Even when vulnerabilities have been controlled as much as possible, residual risk is the remaining risk that has not been completely removed, shifted, or planned for.