02. Risk Management Methodologies Flashcards
Risk Management Methodologies
Organisations select one or more standards for a variety of reasons:
- Regulatory requirements
- Contractual requirements
- Better standard alignment with organisation risk program and needs
134
NIST Standards
NIST SP 800-30
A detailed, high quality standard describing the steps used for conducting risk assessments
134
Describes multilevel risk management at different organisational levels:
Tier 1: Organisation View
Tier 2: Mission/business process view
Tier 3: Information systems view
134
NIST Standards
NIST SP 800-39
The risk management process consists of four steps, each building on the previous one:
Step 1: Risk Framing - establishes assumptions, scope, risk tolerances, constraints and priorities
Step 2: Risk Assessment - threats and vulnerabilities are identified
Step 3: Risk Response - analysing risks and developing a strategy to reduce risk
Step 4: Risk Monitoring - performing periodic evaluation and identifying where risks are changing
135
NIST Standards
NIST SP 800-30
Describes in greater detail a standard methodology for conducting a risk assessment
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
135/136/137
NIST Standards
NIST SP 800-30
Step 2: Conduct an assessment
- Identify threat sources and events: the standard supplies tables of threat sources and threat events as a standard starting point for threat information
- Identify vulnerabilities and predisposing conditions: the organisation examines its own environment (people, processes, technology)
- Determine likelihood of occurrence: the organisation determines the probability of each threat scenario occurring
- Determine magnitude of impact: the risk manager determines the impact of each threat scenario happening
- Determine risk: the organisation determines the level of risk for each threat event as a function of its likelihood and impact
136
ISO/IEC 27005
ISO/IEC 27005
An international standard that defines a structured approach to risk assessment and risk management
Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review
- Note: in the standard itself, risk evaluation is the last activity within risk assessment (after risk identification and risk analysis), and a risk acceptance decision follows risk treatment
Risk Management Methodologies
A vulnerability does not cause harm, but its presence may enable a ...
threat event to harm an asset
138
FAIR
Factor Analysis of Information Risk
(FAIR)
An analysis method that helps a risk manager understand the factors that contribute to risk, the probability of threat occurrence, and the estimation of loss
- Defines 6 types of loss
- Focuses on the concepts of asset value and liability
- Guides risk managers through an analysis of threat agents and the different ways they act upon assets
140
FAIR
FAIR
Defines 6 types of loss
- Productivity
- Response
- Replacement
- Fines and judgements
- Competitive advantage
- Reputation
140
FAIR
FAIR
Guides risk managers through an analysis of threat agents and the different ways in which a threat agent acts upon an asset
- Access
- Misuse
- Disclose
- Modify
- Deny use
140
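Added worked example (not from the textbook and not FAIR's own tooling): a small Python Monte Carlo model that shows how FAIR's factors combine into a loss estimate. The factor decomposition is FAIR's (loss event frequency = threat event frequency x vulnerability; loss magnitude = the six loss forms listed above); the ransomware scenario, its numbers, the modified-PERT sampling and the Poisson event count are this example's own assumptions, chosen to make the model runnable offline.

```python
"""FAIR-style Monte Carlo estimate of annualised loss for one risk scenario.

Factor decomposition taken from the FAIR ontology:
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annual loss = sum over that year's loss events of Loss Magnitude (LM)
LM for one event is the sum of the six FAIR loss forms. Every factor is a
calibrated (min, most likely, max) range, so repeated sampling yields a loss
distribution rather than a single number.
"""
import math
import random
import statistics
from dataclasses import dataclass

# The six forms of loss FAIR defines.
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_and_judgements", "competitive_advantage", "reputation")


@dataclass(frozen=True)
class Estimate:
    """Calibrated estimate for one factor: minimum, most likely value, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"estimate must satisfy low <= mode <= high: {self}")

    def sample(self, rng: random.Random) -> float:
        """Draw one value from a modified-PERT (Beta) distribution, lambda = 4 (assumption)."""
        width = self.high - self.low
        if width == 0:
            return self.low
        alpha = 1 + 4.0 * (self.mode - self.low) / width
        beta = 1 + 4.0 * (self.high - self.mode) / width
        return self.low + rng.betavariate(alpha, beta) * width


@dataclass(frozen=True)
class Scenario:
    """One threat scenario: a threat agent acting on an asset in a particular way."""
    name: str
    tef: Estimate            # threat events per year
    vulnerability: Estimate  # probability (0..1) a threat event becomes a loss event
    losses: dict             # FAIR loss form -> Estimate, in currency per loss event

    def __post_init__(self):
        unknown = set(self.losses) - set(LOSS_FORMS)
        if unknown:
            raise ValueError(f"unknown loss forms: {sorted(unknown)}")


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's sampler: number of loss events in a year whose expected count is `mean`."""
    if mean <= 0:
        return 0
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss per iteration."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            # Loss magnitude of this event: the six loss forms, sampled independently.
            total += sum(est.sample(rng) for est in scenario.losses.values())
        annual.append(total)
    return annual


def summarise(annual_losses: list) -> dict:
    """Percentiles a risk manager would report alongside the expected (mean) loss."""
    s = sorted(annual_losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": statistics.fmean(s), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": s[-1],
            "probability_of_any_loss": sum(1 for x in s if x > 0) / len(s)}


def sample_estimates(estimate: Estimate, n: int, seed: int = 0) -> list:
    """Draw n values from one estimate, to sanity-check a calibrated range."""
    rng = random.Random(seed)
    return [estimate.sample(rng) for _ in range(n)]


# Constructed illustration; these numbers are not from any real assessment.
RANSOMWARE = Scenario(
    name="Ransomware detonated on the shared file server (deny use)",
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.1, 0.3, 0.6),
    losses={"productivity": Estimate(20_000, 80_000, 300_000),
            "response": Estimate(10_000, 40_000, 120_000),
            "replacement": Estimate(0, 5_000, 50_000),
            "fines_and_judgements": Estimate(0, 0, 200_000),
            "competitive_advantage": Estimate(0, 0, 0),
            "reputation": Estimate(0, 20_000, 250_000)},
)

if __name__ == "__main__":
    for key, value in summarise(simulate(RANSOMWARE)).items():
        print(f"{key:>24}: {value:,.2f}")
```

The point of reporting p10/p50/p90 rather than only the mean is that the mean alone hides the tail the board actually cares about; the p90 figure is what a response budget or cyber-insurance limit should be checked against. Replacing the ranges in `RANSOMWARE` with a team's own calibrated estimates is the whole exercise; the model itself does not change.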
ISACA's Risk IT Framework
ISACA Risk IT Framework:
Developed to align with COBIT. Broken down into 3 major process areas
- Risk Governance (RG)
- Risk Evaluation (RE)
- Risk Response (RR)
141
ISACA Risk IT Framework:
ISACA Risk IT Framework:
The Risk Evaluation (RE) process area is broken down into 3 processes (RE1 to RE3)
- Collect Data (RE1)
- Analyse Risk (RE2)
- Maintain Risk Profile (RE3)
141