Section 6 Risk Identification Flashcards
What is Risk Identification?
Process of finding, recognizing and describing risk
Note 1: Involves the identification of risk sources, events, their effects, and consequences.
Note 2: Can involve historical data, theoretical analysis, expert opinion, and interested parties' needs.
Risk Identification Activities
3.1 Determine the risk identification approach
3.2 Identification of Information Security Risk
3.3 Identify Risk Owners
3.1 Determine the risk identification approach
What are the two commonly used approaches to perform risk identification?
event-based
asset-based
True or False: Aggregation of risks should not be undertaken unless they are relevant to each other at the level at which the organization’s context is being considered. It can be necessary to consider separately risks which are merged for the purpose of overall risk management budgeting, when planning treatment options, as different controls can be needed to manage them.
TRUE: The statement says that combining or aggregating risks should only be done if those risks are related to each other in the context of the organization. However, even if risks are combined for things like budgeting and overall risk management, it might still be important to consider these risks separately when planning how to deal with them. This is because different strategies or controls may be needed to manage each individual risk, even if they are grouped together for some administrative purposes.
However, when it comes to actually dealing with these risks and making plans to manage them, it might be necessary to look at each risk separately. This is because each type of risk may require different strategies or actions to handle it effectively.
For instance, if you’re dealing with the risk of a data breach (cybersecurity) and the risk of a lawsuit (legal), you might need different measures for each. You may need to invest in better cybersecurity tools for one and maybe get legal advice or insurance for the other. So, even though you aggregated them for budgeting purposes, you still need to think about and manage each risk individually.
What is the asset-based approach?
- Identifies threats and vulnerabilities specific to individual assets (data, hardware, software, etc.).
- Associates risk with assets
- Identifies risk through an analysis of assets, threats and vulnerabilities
What is the event-based approach?
Identifies risk through the establishment of risk scenarios.
What is a risk scenario?
- A risk scenario is the description of a risk exploiting a weakness
- It helps you visualize how a risk could materialize and understand its consequences.
- Describes a potential threat to an organization or its assets.
What are the Information Gathering Techniques?
- Observe (on-site process, personnel, operation)
- Questionnaires (send questionnaires to interested parties)
- Interview (Interview different levels of individuals)
- Review Documented Information (review processes, procedures, descriptions of controls, reports, and previous audit reports)
- Scanning Tools (scan for vulnerabilities and establish lists of assets)
What is the aim of Risk Identification?
To generate a list of risks
Which asset category do event-based approaches utilize to identify events and their consequences?
Primary (business) assets
What components should be considered when identifying and assessing information security risks?
components related to the past
components related to the future
What are the examples of components related to the past?
components related to the past:
- security events and incidents (both inside the organization and outside);
- risk sources;
- exploited vulnerabilities;
- measured consequences;
What are the examples of components related to the future?
components related to the future:
- threats;
- vulnerabilities;
- consequences;
- risk scenarios.