D3-Information Risk Management Flashcards
Information Risk Management
Is the fundamental undertaking for any organization that desires to be reasonably aware of risks that, if not identified or monitored, could result in unexpected losses and even threaten the survival of the organization.
1. Risk Management
2. Risk awareness
3. Risk Mitigation
1. Risk Management
The purpose of ____ is the identification of credible threats and the means to decide what to do about those threats.
1. Risk Management
2. Risk avoidance
3. Risk Mitigation
1. Risk Management
The effectiveness of a risk management program is largely dependent on two factors:
- Support from the security committee, and an organization's culture with respect to security awareness and accountability.
- Support from executive management, and an organization's culture with respect to security awareness and accountability.
- Support from executive management, and an organization's culture with respect to security awareness and accountability.
Refers to activities whose objective is to make business leaders, stakeholders, and other personnel aware of the organization's information risk management program.
1. Risk Management
2. Risk awareness
3. Risk Mitigation
- Risk awareness
The goal of ___ ____ awareness is to ensure that business leaders and decision-makers are aware of the idea that all business decisions have a risk component and that many decisions have implications on information risk.
1. Risk Management
2. Risk awareness
3. Risk Mitigation
- Risk awareness
Primarily, ___ ____ applies to an entire organization, whereas risk awareness encompasses senior personnel who are involved in the risk management process.
1. Risk Management
2. Risk awareness
3. Risk Mitigation
4. Security Awareness
- Security Awareness
Information security management systems requirements. Requirements 4 through 10 in this standard describe the structure of an entire information security management system (ISMS), including risk management.
1. ISO/IEC 27001
2. ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37
1. ISO/IEC 27001
ISO: Information security risk management.
1. ISO/IEC 27001
2. ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37
2. ISO/IEC 27005
ISO: Risk assessment techniques.
1. ISO/IEC 27001
2. ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37
- ISO/IEC 31010
"Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach."
1. ISO/IEC 27001
2. ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37
- NIST 800-37
A _ _ is defined as an examination of a process or system to determine differences between its existing state and a desired future state. This helps the security manager better understand the current state and how it is different from the desired future state.
- Security audit
- Gap analysis
- Gap analysis
In further detail, the _ _ will reveal what characteristics of the current state can remain, what should be discarded, what should be replaced, and what should be added.
- Security audit
- Gap analysis
- Security audit
- Gap analysis
_ _ is the activity where decisions about risks are made after weighing various risk treatment options. _ _ decisions are typically made by a business owner associated with the affected business activity.
1. Risk Management
2. Risk awareness
3. Risk Mitigation
4. Security Awareness
5. Risk Treatment
- Risk Treatment
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. In this activity, the organization defines the scope of the risk management process itself.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
1. Scope definition
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. In this activity, the organization uses various means to discover and track its information and information system assets. A classification scheme may be used to identify risk and criticality levels.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
2. Asset identification and valuation
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. This activity is developed outside of the risk management life-cycle process: _ _ is an expression of the level of risk that an organization is willing to accept. A _ _ that is related to information risk is typically expressed in qualitative terms; however, organizations in financial services industries often express risk in quantitative terms.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
3. Risk appetite
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. This activity is the first step in the iterative risk management process. Here, the organization identifies a risk that comes from one of several sources.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
4. Risk identification
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. This activity is the second step in a typical risk management process. After the risk has been identified, it is then analyzed to determine several characteristics, including the following: probability of event occurrence, impact of event occurrence, mitigation, and recommendation.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
5. Risk analysis
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. This activity is the last step in a typical risk management process. Here, an individual decision-maker or committee makes a decision about a specific risk: accept, mitigate, transfer, etc.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
6. Risk treatment
The risk management process consists of a set of structured activities that enable an organization to systematically manage risks. This activity takes many forms, including formal communications within risk management processes and procedures, as well as informal communications among risk managers and decision-makers.
1. Scope definition
2. Asset identification and valuation
3. Risk appetite
4. Risk identification
5. Risk analysis
6. Risk treatment
7. Risk communication
7. Risk communication
Several established methodologies are available for organizations that want to manage risk using a formal standard. This standard, NIST Special Publication _____, "Guide for Conducting Risk Assessments," is a detailed, high-quality standard that describes the steps used for conducting risk assessments.
- NIST SP 800-39
- NIST SP 800-30
- NIST SP 800-30
Several established methodologies are available for organizations that want to manage risk using a formal standard. This standard, NIST Special Publication _____, consists of multilevel risk management: at the information systems level, at the mission/business process level, and at the overall organization level. Communications up and down these levels ensure that risks are communicated upward for overall awareness, while risk awareness and risk decisions are communicated downward for overall awareness.
- NIST SP 800-39
- NIST SP 800-30
- NIST SP 800-39
The tiers of risk management are described in NIST SP 800-39 in this way:
* Tier 1: Organization view. This level focuses on the role of governance, the activities performed by the risk executive, and the development of risk management and investment strategies.
* Tier 2: Mission/business process view. This level is all about enterprise architecture, enterprise security architecture, and ensuring that business processes are risk aware.
* Tier 3: Information systems view. This level concentrates on more tactical things such as system configuration and hardening specifications, vulnerability management, and the detailed steps in the systems development life cycle.
Memorize
The tiers of risk management are described in NIST SP 800-39 (3 tiers).
Mission/business process view: This level is all about enterprise architecture, enterprise security architecture, and ensuring that business processes are risk aware.
- Tier 1
- Tier 2
- Tier 3
- Tier 2
The tiers of risk management are described in NIST SP 800-39 (3 tiers).
Organization view: This level focuses on the role of governance, the activities performed by the risk executive, and the development of risk management and investment strategies.
- Tier 1
- Tier 2
- Tier 3
- Tier 1
The tiers of risk management are described in NIST SP 800-39 (3 tiers).
Information systems view: This level concentrates on more tactical things such as system configuration and hardening specifications, vulnerability management, and the detailed steps in the systems development life cycle.
- Tier 1
- Tier 2
- Tier 3
- Tier 3
Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.
The overall risk management process defined by NIST SP 800-39 consists of several steps. This step is:
Risk framing: This consists of the assumptions, scope, tolerances, constraints, and priorities; in other words, the business context that is considered before later steps take place.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 1
Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.
The overall risk management process defined by NIST SP 800-39 consists of several steps. This step is:
Risk assessment: This is the actual risk assessment, where threats and vulnerabilities are identified and assessed to determine levels and types of risk.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 2
Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.
The overall risk management process defined by NIST SP 800-39 consists of several steps. This step is:
Risk response: This is the process of analyzing each risk and developing strategies for reducing it, through appropriate risk treatment for each identified risk. Risk treatment options are accept, mitigate, avoid, and transfer.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 3
Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.
The overall risk management process defined by NIST SP 800-39 consists of several steps. This step is:
Risk monitoring: This is the process of performing periodic and ongoing evaluation of identified risks to see whether conditions and risks are changing.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 4
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, in this step the organization performs the actual risk assessment, which consists of several tasks.
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, in this step, when the risk assessment has been completed, the results are then communicated to decision-makers and stakeholders in the organization. The purpose of communicating risk assessment results is to ensure that the organization's decision-makers make decisions that include considerations for known risks.
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 3: Communicate results
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, in this step, after a risk assessment has been completed, the organization will then maintain the assessment by monitoring risk factors identified in the risk assessment. This enables the organization to maintain a view of relevant risks that incorporates changes in the business environment since the risk assessment was completed.
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 4: Maintain assessment
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur.
A. Identify threat sources and events: The organization identifies a list of threat sources and events that will be considered in the assessment. The following sources of threat information are found in the standard and can be used. Organizations are advised to supplement these sources with other information as needed.
The tables below belong to:
- Table F-1: Input—vulnerability and predisposing conditions
- Table F-2: Vulnerability severity assessment scale
- Table F-4: Predisposing conditions
- Table F-5: Pervasiveness of predisposing conditions
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
Under B. Identify vulnerabilities and predisposing conditions
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur.
A. Identify threat sources and events: The organization identifies a list of threat sources and events that will be considered in the assessment. The following sources of threat information are found in the standard and can be used. Organizations are advised to supplement these sources with other information as needed.
The tables below belong to:
* Table D-1: Threat source inputs
* Table D-2: Threat sources
* Table D-3: Adversary capabilities
* Table D-4: Adversary intent
* Table D-5: Adversary targeting
* Table D-6: Nonadversary threat effects
* Table E-1: Threat events
* Table E-2: Adversarial threat events
* Table E-3: Nonadversarial threat events
* Table E-4: Relevance of threat events
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
Under A. Identify threat sources and events
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur.
A. Identify threat sources and events: The organization identifies a list of threat sources and events that will be considered in the assessment. The following sources of threat information are found in the standard and can be used. Organizations are advised to supplement these sources with other information as needed.
The tables below belong to:
* Table G-1: Inputs—determination of likelihood
* Table G-2: Assessment scale—likelihood of threat event initiation
* Table G-3: Assessment scale—likelihood of threat event occurrence
* Table G-4: Assessment scale—likelihood of threat event resulting in adverse impact
* Table G-5: Assessment scale—overall likelihood
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
Under C. Determine likelihood of occurrence
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur.
A. Identify threat sources and events: The organization identifies a list of threat sources and events that will be considered in the assessment. The following sources of threat information are found in the standard and can be used. Organizations are advised to supplement these sources with other information as needed.
The tables below belong to:
- Table H-1: Input—determination of impact
- Table H-2: Examples of adverse impacts
- Table H-3: Assessment scale—impact of threat events
- Table H-4: Identification of adverse impacts
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
Under D. Determine magnitude of impact
NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur.
A. Identify threat sources and events: The organization identifies a list of threat sources and events that will be considered in the assessment. The following sources of threat information are found in the standard and can be used. Organizations are advised to supplement these sources with other information as needed.
The tables below belong to:
- Table I-1: Inputs—risk
- Table I-2: Assessment scale—level of risk (combination of likelihood and impact)
- Table I-3: Assessment scale—level of risk
- Table I-4: Column descriptions for adversarial risk table
- Table I-5: Template for adversarial risk table to be completed by risk manager
- Table I-6: Column descriptions for nonadversarial risk table
- Table I-7: Template for nonadversarial risk table to be completed by risk manager
Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment
Step 2: Conduct assessment
Under E. Determine risk
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: before a risk assessment can be performed, a number of parameters need to be established, including the following:
* Scope of the risk assessment: This includes which portions of an organization are to be included, based on business unit, service line, geography, organization structure, or other means.
* Purpose of the risk assessment: Reasons include legal or due diligence, or support of an ISMS, business continuity plan, vulnerability management plan, or incident response plan.
* Risk evaluation criteria: Determine the means through which risks will be examined and scored.
* Impact criteria: Determine how the impact of identified risks will be described and scored.
* Risk acceptance criteria: Specify the method that the organization will use to determine risk acceptance.
* Logistical plan: This includes which personnel will perform the risk assessment, which personnel in the organization need to provide information such as control evidence, and what supporting facilities are required, such as office space.
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 1: Establish context
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: the risk assessment is performed.
* Asset identification: Risk analysts identify assets, along with their value and criticality.
* Threat identification: Risk analysts identify relevant and credible threats that have the potential to harm assets, along with their likelihood of occurrence. There are many types of threats, both naturally occurring and man-caused, and they could be accidental or deliberate. Note that some threats may affect more than one asset. ISO/IEC 27005 contains a list of threat types, as does NIST Special Publication 800-30 (in Table D-2), described earlier in this section. Note that a risk analyst may identify additional threats.
* Control identification: Risk analysts identify existing and planned controls. Those controls that already exist should be examined to see whether they are effective. The criteria for examining a control include whether it reduces the likelihood or impact of a threat event. The results of this examination will conclude whether the control is effective, ineffective, or unnecessary. Finally, when identifying threats, the risk analyst may determine that a new control is warranted.
* Vulnerability identification: Vulnerabilities that can be exploited by threat events that cause harm to an asset are identified. Remember that a vulnerability does not cause harm, but its presence may permit a threat event to harm an asset. ISO/IEC 27005 contains a list of vulnerabilities. Note that a risk analyst may need to identify additional vulnerabilities.
* Consequences identification: The risk analyst will identify consequences that would occur for each identified threat against each asset. Consequences may be the loss of confidentiality, integrity, or availability of any asset, as well as a loss of human safety. Depending on the nature of the asset, consequences may take many forms, including service interruption or degradation, reduction in service quality, loss of business, reputation damage, or monetary penalties including fines. Note that consequences may be a primary result or a secondary result of the realization of a specific threat. For example, the theft of sensitive financial information may have little or no operational impact in the short term, but legal proceedings over the long term could result in financial penalties, unexpected costs, and loss of business.
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 2: Risk assessment
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: levels of risk are determined according to the risk evaluation and risk acceptance criteria established in step 1. The output of risk evaluation is a list of risks, with their associated threats, vulnerabilities, and consequences.
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 3: Risk evaluation
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: decision-makers in the organization will select one of four risk treatment options for each risk identified in step 3. These options are as follows:
* Risk reduction (sometimes known as risk mitigation): In this option, the organization alters something in information technology (e.g., security configuration, application source code, or data), business processes and procedures, or personnel (e.g., training). In many cases, an organization will choose to update an existing control or enact a new control so that the risk reduction may be more effectively monitored over time. The cost of updating or creating a control, as well as the impact on ongoing operational costs of the control, will need to be weighed alongside the value of the asset being protected, as well as the consequences associated with the risk being treated. A risk manager remembers that a control can reduce many risks, and potentially for several assets, so the risk manager will need to consider the benefit of risk reduction in more complex terms. Chapter 4 includes a comprehensive discussion on the types of controls.
* Risk retention (sometimes known as risk acceptance): Here, the organization chooses to accept the risk and decides not to change anything.
* Risk avoidance: The organization decides to discontinue the activity associated with the risk. For example, an organization assesses the risks related to the acceptance of credit card data for payments. They decide to change the system so that credit card data is sent instead directly to a payment processor, so that the organization will no longer be accepting credit card data.
* Risk transfer: The organization transfers risk to another party. The common forms of risk transfer are insurance and outsourcing security monitoring to a third party. When an organization transfers risk to another party, there will usually be residual risk that is more difficult to treat. For example, while an organization may have had reduced costs from a breach because of cyber insurance, the organization may still suffer reputational damage in the form of reduced goodwill.
Decision-makers weigh the costs and benefits associated with each of these four options and decide the best course of action for the organization.
The four risk treatment options are not mutually exclusive; sometimes a combination of risk treatment options is the best option for an organization. For instance, a business application was found to accept weak passwords; the chosen risk treatment was a combination of security awareness training (mitigation) and acceptance (the organization elected not to modify the application, as this would have been too expensive). Further, some treatments can address more than one risk. For example, security awareness training may reduce several risks associated with end-user computing and behavior.
Often, after risk treatment, some risk, known as residual risk, remains. When analyzing residual risk, the organization may elect to undergo additional risk treatment to reduce the risk further, or it may accept the residual risk as is. Note that residual risk cannot be reduced to zero; there will always be some level of risk.
Because some forms of risk treatment (mainly, risk reduction and risk transfer) may require an extended period of time to be completed, risk managers usually track ongoing risk treatment activities to completion.
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 4: Risk treatment
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: all parties involved in information risk, namely the CISO (or other top-ranking information security official), risk managers, business decision-makers, and other stakeholders, need channels of communication throughout the entire risk management and risk treatment life cycle. Examples of risk communication include the following:
* Announcements and discussions of upcoming risk assessments
* Collection of risk information during risk assessments (and at other times)
* Proceedings and results from completed risk assessments
* Discussions of risk tolerance
* Proceedings from risk treatment discussions and risk treatment decisions and plans
* Educational information about security and risk
* Updates on the organization's mission and strategic objectives
* Communication about security incidents to affected parties and stakeholders
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 5: Risk communication
ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves six steps. This step: organizations are not static, and neither is risk. The value of assets, impacts, threats, vulnerabilities, and likelihood of occurrence should be periodically monitored and reviewed so that the organization's view of risk continues to be relevant and accurate. Monitoring should include the following:
* Discovery of new, changed, and retired assets
* Changes in business processes and practices
* Changes in technology architecture
* New threats that have not been assessed
* New vulnerabilities that were previously unknown
* Changes in threat event probability and consequences
* Security incidents that may alter the organization's understanding of threats, vulnerabilities, and risks
* Changes in market and other business conditions
* Changes in applicable laws and regulations
- Step 1: Establish context
- Step 2: Risk assessment
- Step 3: Risk evaluation
- Step 4: Risk treatment
- Step 5: Risk communication
- Step 6: Risk monitoring and review
- Step 6: Risk monitoring and review
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss.
This loss is: the cost expended in incident response.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Response
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss.
This loss is: lost productivity caused by the incident.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Productivity
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss.
This loss is: the expense required to rebuild or replace an asset.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Replacement
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:
This loss is all forms of legal costs resulting
from the incident.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Competitive advantage: loss of business to other organizations
- Reputation: loss of goodwill and future business
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer
list is also a liability because of the impact on the organization if the
customer list is obtained by an unauthorized person.
FAIR guides a risk manager through an analysis of threat agents
and the different ways in which a threat agent acts upon an asset.
* Access: reading data without authorization
* Misuse: using an asset differently from intended usage
* Disclose: threat agent shares data with other unauthorized
parties
* Modify: threat agent modifies asset
* Deny use: threat agents prevent legitimate subjects from
accessing assets
FAIR is claimed to be complementary to risk management
methodologies such as NIST SP 800-30 and ISO/IEC 27005.
- Fines and judgments
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:
This loss is loss of business to other
organizations.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Competitive advantage
Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:
This loss is loss of goodwill and future business.
- Productivity
- Response
- Replacement
- Fines and judgments
- Competitive advantage
- Reputation
- Reputation
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 such ways; this one is
“Reading data without authorization”
- Access
- Misuse
- Disclose
- Modify
- Deny use
- Access
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 such ways; this one is
“Using an asset differently from intended usage”
- Access
- Misuse
- Disclose
- Modify
- Deny use
- Misuse
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 such ways; this one is
“Threat agent shares data with other unauthorized
parties”
- Access
- Misuse
- Disclose
- Modify
- Deny use
- Disclose
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 such ways; this one is
“Threat agent modifies asset”
- Access
- Misuse
- Disclose
- Modify
- Deny use
- Modify
FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 such ways; this one is
“Threat agents prevent legitimate subjects from
accessing assets”
- Access
- Misuse
- Disclose
- Modify
- Deny use
- Deny use
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic includes the make, model, serial
number, asset tag number, logical name, and any other
means for identifying the asset.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Identification
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic initially may signify the purchased value, but may also include its depreciated value if an IT asset management
program is associated with the organization’s financial asset
management program.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Value
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic needs to be specified so that the asset’s existence may be verified in a periodic inventory.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Location
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic: security management programs
almost always include a plan for classifying the sensitivity of
information and/or information systems. Example
classifications include secret, restricted, confidential, and
public.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Security classification
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic: IT assets may be classified into a hierarchy of
asset groups. For example, any of the servers in a data center
that support a large application may be assigned to an asset
group known as “Application X Servers.”
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Asset Group
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic is usually the person or group responsible for
the operation of the asset.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Owner
An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset.
This characteristic applies when the ownership and operation of assets are divided between two bodies: the owner owns them, but a custodian operates or maintains them.
- Identification
- Value
- Location
- Security classification
- Asset Group
- Owner
- Custodian
- Custodian
Information classification is a process whereby different sets and
collections of data in an organization are analyzed for various types
of value, criticality, integrity, and sensitivity. There are different ways
to understand these characteristics.
This information may be more easily
monetized by intruders who steal it. Types of
information include credit card numbers, bank account
numbers, gift certificates or cards, and discount or promotion
codes. Loss of this type of information may cause direct
financial losses.
- Monetary Value
- Operational criticality
- Accuracy or integrity
- Sensitivity
- Monetary Value
Information classification is a process whereby different sets and
collections of data in an organization are analyzed for various types
of value, criticality, integrity, and sensitivity. There are different ways
to understand these characteristics.
In this category, information must
be available at all times, or perhaps the information is related
to some factors of business resilience. Examples of
information in this category include virtual server images,
incident response procedures, and business continuity
procedures. Corruption or loss of this type of information may
have a significant impact on ongoing business operations.
- Monetary Value
- Operational criticality
- Accuracy or integrity
- Sensitivity
- Operational criticality
Information classification is a process whereby different sets and
collections of data in an organization are analyzed for various types
of value, criticality, integrity, and sensitivity. There are different ways
to understand these characteristics.
Information in this category is required to be highly accurate. If altered, the organization could suffer significant financial or reputational harm.
Examples of this kind of information include exchange rate tables, product or service inventory data, machine calibration data, and price lists. Corruption or loss of this type of information impacts business operations by causing
incomplete or erroneous transactions.
- Monetary Value
- Operational criticality
- Accuracy or integrity
- Sensitivity
- Accuracy or integrity
Information classification is a process whereby different sets and
collections of data in an organization are analyzed for various types
of value, criticality, integrity, and sensitivity. There are different ways
to understand these characteristics.
This type of information is most commonly associated with individual citizens. Examples of sensitive information include personal contact information, personal
financial data including credit card and bank account numbers, and medical records.
- Monetary Value
- Operational criticality
- Accuracy or integrity
- Sensitivity
- Sensitivity
Drilling into further detail, here are examples of information at each level of classification.
Merger and acquisition plans, user and system account passwords, and encryption keys fall under
- Secret
- Restricted
- Confidential
- Public
- Secret
Drilling into further detail, here are examples of information at each level of classification.
Credit card numbers, bank account numbers, Social Security numbers, detailed financial records, detailed system configuration, and vulnerability scan reports fall under
- Secret
- Restricted
- Confidential
- Public
- Restricted
Drilling into further detail, here are examples of information at each level of classification.
System documentation, end-user documentation, internal memos, and network diagrams fall under
- Secret
- Restricted
- Confidential
- Public
- Confidential
Drilling into further detail, here are examples of information at each level of classification.
Marketing collateral, published financial reports, and press releases fall under
- Secret
- Restricted
- Confidential
- Public
- Public
A typical approach to system classification and protection is this: for each level of classification and for each type of system, a system hardening standard will be developed that specifies the features and configuration settings to be applied to the system. These settings will help to make the system resistant to attack, and in some cases these settings will also help protect the information being stored,
processed, or transmitted by the systems.
This system is used to store information at the Restricted level of classification, perhaps credit card data. The system itself will be classified as Restricted, and the organization will develop system-hardening standards for the operating system and database management systems.
- Database management server
- Demilitarized zone (DMZ) firewall
- Internet time server
- Database management server
A typical approach to system classification and protection is this: for each level of classification and for each type of system, a system hardening standard will be developed that specifies the features and configuration settings to be applied to the system. These settings will help to make the system resistant to attack, and in some cases these settings will also help protect the information being stored,
processed, or transmitted by the systems.
A firewall protects servers located in a DMZ from threats on the
Internet, as well as protecting the organization’s internal
assets from the DMZ, in the event that an asset in the DMZ is
compromised by an attacker. While the firewall does not store
information, it protects information by restricting the types of
traffic that are permitted to flow from the Internet to systems
upon which the information resides. The organization will
develop and implement hardening standards for the firewall.
- Database management server
- Demilitarized zone (DMZ) firewall
- Internet time server
- Demilitarized zone (DMZ) firewall
A typical approach to system classification and protection is this: for each level of classification and for each type of system, a system hardening standard will be developed that specifies the features and configuration settings to be applied to the system. These settings will help to make the system resistant to attack, and in some cases these settings will also help protect the information being stored,
processed, or transmitted by the systems.
Here, a server provides precise time clock data to other servers, network devices, and end-user workstations in the organization. While the time server itself
does not store, process, or transmit sensitive information, it is still classified as Restricted because this server has direct access (via time protocols and possibly other protocols) to assets that are classified as Restricted. This server will be
hardened according to hardening standards developed by the organization.
- Database management server
- Demilitarized zone (DMZ) firewall
- Internet time server
- Internet time server
Risk identification is the activity during a risk assessment where
various scenarios are studied for each asset. Several considerations
are applied in the analysis of each risk.
All realistic threat scenarios are examined for each asset to see which ones are likely to occur.
- Threats
- Threat actors
- Vulnerabilities
- Asset value
- Impact
- Threats
Risk identification is the activity during a risk assessment where
various scenarios are studied for each asset. Several considerations
are applied in the analysis of each risk.
It is important to understand the variety of threat actors and to know which ones are more motivated to target the organization and for what reasons. This further
illuminates the likelihood that a given threat scenario will occur.
- Threats
- Threat actors
- Vulnerabilities
- Asset value
- Impact
- Threat actors
Risk identification is the activity during a risk assessment where
various scenarios are studied for each asset. Several considerations
are applied in the analysis of each risk.
For each asset, business process, and staff member being examined, vulnerabilities need to be identified. Then, various threat scenarios are examined to see which ones are made more likely because of corresponding
vulnerabilities.
- Threats
- Threat actors
- Vulnerabilities
- Asset value
- Impact
- Vulnerabilities
Risk identification is the activity during a risk assessment where
various scenarios are studied for each asset. Several considerations
are applied in the analysis of each risk.
The value of each asset is an important factor to include in risk analysis. As described in the earlier section on asset value, there are several ways in which assets may be valued. For instance, a customer database may have a
modest recovery cost if it is damaged or destroyed; however, if that same customer database is stolen and sold on the black market, the value of the data may be much higher to cybercriminals, and the resulting costs to the organization to
mitigate harm done to customers may be higher still. Another way to examine asset value is through the revenue derived from its existence or use.
- Threats
- Threat actors
- Vulnerabilities
- Asset value
- Impact
- Asset value
Risk identification is the activity during a risk assessment where
various scenarios are studied for each asset. Several considerations
are applied in the analysis of each risk.
The risk manager examines vulnerabilities, threats (with threat actors), asset value, and estimates the impact of the different threat scenarios. Impact is considered separately from asset value, as there are some threat scenarios that have minimal correlation with asset value but instead are related to reputation damage. Breaches of privacy data can result in high mitigation costs and reduced business. Breaches
in hospitals can threaten patient care. Breaches in almost any IoT context can result in extensive service interruptions and life safety issues.
- Threats
- Threat actors
- Vulnerabilities
- Asset value
- Impact
- Impact
In risk assessments, likelihood is an important dimension that helps
a risk manager understand several aspects related to the unfolding
of a threat event. Likelihood of a serious security incident has less to
do with technical details and more to do with the thought process of
an adversary.
This is related to an organization’s security operations practices, including vulnerability management, patch management, and system hardening. Organizations that do a poor job in these areas are more likely to suffer
incidents simply because they are making it easier for adversaries to break into systems.
- Hygiene
- Visibility
- Velocity
- Motivation
- Skill
- Hygiene
In risk assessments, likelihood is an important dimension that helps
a risk manager understand several aspects related to the unfolding
of a threat event. Likelihood of a serious security incident has less to
do with technical details and more to do with the thought process of
an adversary.
This is related to the organization’s standing: how large and visible the organization is and how much the attacker’s prestige will increase when able to successfully
compromise a target.
- Hygiene
- Visibility
- Velocity
- Motivation
- Skill
- Visibility
In risk assessments, likelihood is an important dimension that helps
a risk manager understand several aspects related to the unfolding
of a threat event. Likelihood of a serious security incident has less to
do with technical details and more to do with the thought process of
an adversary.
This factor is related to the timing of various threat scenarios and whether there is any warning or foreknowledge.
- Hygiene
- Visibility
- Velocity
- Motivation
- Skill
- Velocity
In risk assessments, likelihood is an important dimension that helps
a risk manager understand several aspects related to the unfolding
of a threat event. Likelihood of a serious security incident has less to
do with technical details and more to do with the thought process of
an adversary.
Here, it is important to consider various types of adversaries to better understand the factors that would motivate them to attack the organization. It could be about
money, reputation, or rivalry.
- Hygiene
- Visibility
- Velocity
- Motivation
- Skill
- Motivation
In risk assessments, likelihood is an important dimension that helps
a risk manager understand several aspects related to the unfolding
of a threat event. Likelihood of a serious security incident has less to
do with technical details and more to do with the thought process of
an adversary.
For various threat scenarios, what skill level is required to successfully attack the organization? A higher skill level does not always mean an attack is less likely; other
considerations such as motivation come into play as well.
- Hygiene
- Visibility
- Velocity
- Motivation
- Skill
- Skill
Risk assessment is used to
- identify risks and, perhaps, suggested remedies
- identify the most critical business processes, together with their supporting IT systems and dependencies on other processes or systems.
- identify risks and, perhaps, suggested remedies
BIA is used to
- identify risks and, perhaps, suggested remedies
- identify the most critical business processes, together with their supporting IT systems and dependencies on other processes or systems.
- identify the most critical business processes, together with their supporting IT systems and dependencies on other processes or systems.
In quantitative risk analysis, risk managers are attempting to
determine actual costs and probabilities of events. This technique
provides more specific information to executives about the actual
costs that they can expect to incur in various security event
scenarios. There are two aspects of quantitative risk analysis that prove to be
a continuing challenge:
It is difficult to come up with even an order-of-magnitude estimate of the probability of nearly every event scenario. Even with better information coming
from industry sources, the probability of high-impact incidents is dependent upon many factors, some of which are difficult to quantify.
- Event probability
- Event cost
- Event probability
In quantitative risk analysis, risk managers are attempting to
determine actual costs and probabilities of events. This technique
provides more specific information to executives about the actual
costs that they can expect to incur in various security event
scenarios. There are two aspects of quantitative risk analysis that prove to be
a continuing challenge:
It is difficult to put an exact cost on any given security incident scenario. Security incidents are complex events that involve many parties and have unpredictable
short- and long-term outcomes. Despite improving information from research organizations on the cost of breaches, these are still rough estimates and may not take into account all aspects of cost.
- Event probability
- Event cost
- Event cost
Because of these challenges, quantitative risk analysis should be
regarded as an effort to develop estimates, not exact figures. Partly
this is because risk analysis is a measure of events that may occur,
not a measure of events that do occur. Standard quantitative risk analysis involves the development of several figures:
This is the value of the asset, which is usually (but not necessarily) the asset’s replacement value. Depending on the type of asset, different values may need to
be considered.
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)
- Asset value (AV)
Because of these challenges, quantitative risk analysis should be
regarded as an effort to develop estimates, not exact figures. Partly
this is because risk analysis is a measure of events that may occur,
not a measure of events that do occur. Standard quantitative risk analysis involves the development of several figures:
This is the financial loss that results from the realization of a threat, expressed as a percentage of the asset’s total value. Most threats do not completely
eliminate the asset’s value; instead, they reduce its value. For
example, if an organization’s $120,000 server is rendered
unbootable because of malware, the server will still have
salvage value, even if that is only 10 percent of the asset’s
value. In this case, the EF would be 90 percent. Note that
different threats will have different impacts on EF because the
realization of different threats will cause varying amounts of
damage to assets.
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)
- Exposure factor (EF)
Because of these challenges, quantitative risk analysis should be
regarded as an effort to develop estimates, not exact figures. Partly
this is because risk analysis is a measure of events that may occur,
not a measure of events that do occur. Standard quantitative risk analysis involves the development of several figures:
This value represents the financial loss when a threat scenario occurs one time. It is defined as AV × EF.
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)
- Single loss expectancy (SLE)
Because of these challenges, quantitative risk analysis should be
regarded as an effort to develop estimates, not exact figures. Partly
this is because risk analysis is a measure of events that may occur,
not a measure of events that do occur. Standard quantitative risk analysis involves the development of several figures:
This is an estimate of the number of times that a threat will occur per
year. If the probability of the threat is 1 in 50 (one occurrence every 50 years), then ARO is expressed as 0.02. However, if the threat is estimated to occur four times per year, then ARO is 4.0. Like EF and SLE, ARO will vary by threat.
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)
- Annualized rate of occurrence (ARO)
Because of these challenges, quantitative risk analysis should be
regarded as an effort to develop estimates, not exact figures. Partly
this is because risk analysis is a measure of events that may occur,
not a measure of events that do occur. Standard quantitative risk analysis involves the development of several figures:
This is the expected annualized loss of asset value due to threat realization. It is defined as SLE × ARO.
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)
- Annualized loss expectancy (ALE)
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Establish risk measurement criteria: here, the organization identifies the most important impact areas. The impact areas in the model include reputation/customer confidence, financial, productivity, safety and health,
fines/legal penalties, and other. For example, reputation may be the most important impact area for one organization, while privacy or safety may be the most important for others.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 1
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Develop an information asset profile: the organization identifies its in-scope information assets and develops a profile for these assets that describes their features,
qualities, characteristics, and value.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 2
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Identify information asset containers: the organization identifies all the internal and external information systems that store, process, and transmit in-scope assets.
Note that many of these systems may be operated by third-party organizations.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 3
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Identify threat scenarios: this is a continuation of step 4, where threat scenarios are expanded upon (and unlikely ones eliminated). A threat tree may be developed
that first identifies actors and basic scenarios and then is expanded to include more details.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 5
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Identify risks A continuation of step 5, the consequences of each threat scenario are identified.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 6
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Analyze risks Each threat scenario is scored with a simple relative (semi-quantitative) risk score, based on the risk measurement criteria developed in step 1. The output is a ranked list of
risks.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 7
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Select mitigation approach A continuation of step 7, the risks with higher scores are analyzed to determine methods available for risk reduction.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 8
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) is a risk analysis approach developed by Carnegie Mellon University. The latest version is known as OCTAVE Allegro and is used to assess information security risks so that an organization can obtain meaningful results from a risk assessment.
The OCTAVE Allegro methodology uses eight steps:
Identify areas of concern This is the start of identifying threats that, if realized, could cause harm to information assets. Typically, this is identified in a
brainstorming activity.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
- Step 6
- Step 7
- Step 8
- Step 4
Here, questionnaires are distributed to a panel of experts in two or more rounds. A facilitator will anonymize the responses and distribute them to the experts.
The objective is for the experts to converge on the most important risks and mitigation strategies.
- Delphi method
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
- Monte Carlo analysis
A forward-looking (inductive) logic-modeling technique that complements fault tree analysis. It begins with an initiating event, in this case a threat scenario, and branches on the success or failure of each safeguard in turn, so that every path through the tree ends in a distinct outcome whose likelihood is the product of the branch probabilities along the path.
- Delphi method
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
- Monte Carlo analysis
- Event tree analysis (ETA)
A top-down (deductive) logic-modeling technique. FTA begins with a specific undesired outcome (the "top event," such as loss of a critical service) and works backwards through AND/OR gates to the combinations of component failures, errors, or attacks that could produce it. A large "tree" diagram can result that depicts many different causal chains, and assigning probabilities to the leaf causes allows the probability of the top event to be estimated.
- Delphi method
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
- Monte Carlo analysis
- Fault tree analysis (FTA)
A computational technique in which each uncertain input to a model (for example, threat frequency and loss magnitude) is given a range, typically minimum, most likely, and maximum values, and the model is then run thousands of times with inputs drawn at random from those ranges. The result is a distribution of outcomes rather than a single point estimate, which shows how likely the various loss levels actually are.
- Delphi method
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
- Monte Carlo analysis
- Monte Carlo analysis
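The following is an added example, not part of the flashcard source, showing what the Monte Carlo card describes in working code: a single threat scenario whose event frequency and per-event loss are each given as (minimum, most likely, maximum), sampled repeatedly to produce a loss distribution. The triangular distribution is an assumption that fits three-point inputs; the input ranges are constructed for illustration and are not from any real assessment.

```python
"""Monte Carlo estimate of annual loss for a single threat scenario.

Added example, not part of the flashcard source. The (min, most likely, max)
ranges below are constructed for illustration; the triangular distribution
is an assumption that matches the three-point inputs the card describes.
"""
import random
import statistics

# Constructed inputs: events per year and loss per event, each as
# (minimum, most likely, maximum).
FREQUENCY = (0.5, 2.0, 6.0)            # events per year
MAGNITUDE = (10_000, 50_000, 400_000)  # loss per event, in currency units


def simulate_year(rng, frequency, magnitude):
    """Return the total loss for one simulated year.

    The event count is a triangular draw rounded to a whole number; each
    event then draws its own loss, so bad years come from both many events
    and expensive events.
    """
    f_low, f_mode, f_high = frequency
    m_low, m_mode, m_high = magnitude
    # random.triangular takes (low, high, mode)
    events = round(rng.triangular(f_low, f_high, f_mode))
    return sum(rng.triangular(m_low, m_high, m_mode) for _ in range(events))


def run_simulation(frequency, magnitude, trials=10_000, seed=1):
    """Simulate `trials` years and return the sorted annual losses."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    return sorted(simulate_year(rng, frequency, magnitude) for _ in range(trials))


def summarize(losses):
    """Mean and selected percentiles of a sorted list of annual losses."""
    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]
    return {
        "mean": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": losses[-1],
    }


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds `threshold`.

    This is usually the figure a risk owner wants: not the average loss,
    but how often a budgeted reserve would be exhausted.
    """
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    annual = run_simulation(FREQUENCY, MAGNITUDE)
    print(summarize(annual))
    print("P(loss > 1,000,000) =", exceedance_probability(annual, 1_000_000))
```

The mean of the distribution is roughly what a deterministic ALE calculation would give; the p90/p99 values and the exceedance probability are what the single-point estimate hides, and they are what justify (or not) a reserve or a mitigation budget.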
In a general sense, risk treatment represents the actions that the
organization undertakes to reduce risk to an acceptable level. More
specifically, for each risk identified in a risk assessment, there are
four actions that an organization can take:
Defined as a decision whereby the organization finds the presence of
a risk as acceptable and that it requires no reduction or mitigation.
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transfer
- Risk acceptance
In a general sense, risk treatment represents the actions that the
organization undertakes to reduce risk to an acceptable level. More
specifically, for each risk identified in a risk assessment, there are
four actions that an organization can take:
Defined as a decision to reduce the risk through some means, such as by changing a process or procedure, by changing how a security control functions, or by adding a security control.
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transfer
- Risk mitigation
In a general sense, risk treatment represents the actions that the
organization undertakes to reduce risk to an acceptable level. More
specifically, for each risk identified in a risk assessment, there are
four actions that an organization can take:
Defined as a decision to discontinue that activity that precipitates the risk.
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transfer
- Risk avoidance
In a general sense, risk treatment represents the actions that the
organization undertakes to reduce risk to an acceptable level. More
specifically, for each risk identified in a risk assessment, there are
four actions that an organization can take:
Defined as a decision to employ an external organization to accept the risk.
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transfer
- Risk transfer
Defined as the risk that remains after risk treatment is applied.
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transfer
- Residual Risk
- Residual Risk
Organizations in many industries are subject to regulatory and legal
requirements. Many organizations are also duty bound through legal
agreements between companies. Many of these legal obligations
involve the topic of data protection, data privacy, and data usage.
This theme concerning data protection, privacy, and usage
manifests itself in so many forms that it would fill volumes of works,
and for information security professionals it would not be that
interesting to read. But there are some common approaches to
these regulations:
Many laws, regulations, and private legal obligations require organizations to enact a variety of specific measures to protect information. Typically, these measures are required to be in place regardless of the reduction of actual risk in any specific organization, simply because the law or regulation says so. A good example of this
is the Payment Card Industry Data Security Standard (PCI DSS), which requires any organization that stores, processes, or transmits cardholder data to implement a large set of controls. PCI DSS makes no provision for whether any particular control is actually going to reduce risk in any specific organization. Instead, all the controls are required all of the time in every such organization.
- Mandatory protective measures
- Optional protective measures
- Mandatory risk assessments
- Mandatory protective measures
Organizations in many industries are subject to regulatory and legal
requirements. Many organizations are also duty bound through legal
agreements between companies. Many of these legal obligations
involve the topic of data protection, data privacy, and data usage.
This theme concerning data protection, privacy, and usage
manifests itself in so many forms that it would fill volumes of works,
and for information security professionals it would not be that
interesting to read. But there are some common approaches to
these regulations:
Some laws, regulations, and other legal obligations include a number of specific
protective measures that the organization may choose not to implement. For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) Security Rule distinguishes "required" from "addressable" implementation specifications. Addressable does not mean ignorable: the organization must assess whether the measure is reasonable and appropriate for its environment and then either implement it, implement an equivalent alternative, or document a formal, valid business reason why neither is needed.
- Mandatory protective measures
- Optional protective measures
- Mandatory risk assessments
- Optional protective measures
Organizations in many industries are subject to regulatory and legal
requirements. Many organizations are also duty bound through legal
agreements between companies. Many of these legal obligations
involve the topic of data protection, data privacy, and data usage.
This theme concerning data protection, privacy, and usage
manifests itself in so many forms that it would fill volumes of works,
and for information security professionals it would not be that
interesting to read. But there are some common approaches to
these regulations:
Some laws, regulations, and legal obligations require organizations to perform risk
assessments, but many do not require specific actions to take place as a result of those risk assessments. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to perform risk assessments at least annually (requirement
12.2 in PCI DSS v3.2.1), but nowhere does PCI DSS permit an organization to opt out of a control because its own assessment found no risk.
- Mandatory protective measures
- Optional protective measures
- Mandatory risk assessments
- Mandatory risk assessments
As organizations ponder options for risk treatment (and in particular,
risk mitigation), they generally will consider the costs of the mitigating steps and the expected benefits they may receive. When an organization understands the costs and benefits of risk mitigation, this helps them develop strategies that are either more cost effective or result in greater cost avoidance. There are several cost- and benefit-related considerations that an organization needs to understand when weighing mitigation options.
Organizations need to understand how a mitigating control changes the probability
of threat occurrence and what that means in terms of cost reduction and avoidance.
- Change in threat probability
- Change in threat impact
- Change in operational efficiency
- Total cost of ownership (TCO)
- Change in threat probability
As organizations ponder options for risk treatment (and in particular,
risk mitigation), they generally will consider the costs of the mitigating steps and the expected benefits they may receive. When an organization understands the costs and benefits of risk mitigation, this helps them develop strategies that are either more cost effective or result in greater cost avoidance. There are several cost- and benefit-related considerations that an organization needs to understand when weighing mitigation options.
Organizations need to understand the change in the impact of a mitigated threat in
terms of an incident’s reduced costs and avoided costs versus the cost of the mitigation.
- Change in threat probability
- Change in threat impact
- Change in operational efficiency
- Total cost of ownership (TCO)
- Change in threat impact
As organizations ponder options for risk treatment (and in particular,
risk mitigation), they generally will consider the costs of the mitigating steps and the expected benefits they may receive. When an organization understands the costs and benefits of risk mitigation, this helps them develop strategies that are either more cost effective or result in greater cost avoidance. There are several cost- and benefit-related considerations that an organization needs to understand when weighing mitigation options.
Aside from the direct cost of the mitigating control, organizations need to
understand the impact on the mitigating control on other operations. For instance, adding code review steps to a software development process may mean that the
development organization may complete fewer fixes and enhancements in a given period of time.
- Change in threat probability
- Change in threat impact
- Change in operational efficiency
- Total cost of ownership (TCO)
- Change in operational efficiency
As organizations ponder options for risk treatment (and in particular,
risk mitigation), they generally will consider the costs of the mitigating steps and the expected benefits they may receive. When an organization understands the costs and benefits of risk mitigation, this helps them develop strategies that are either more cost effective or result in greater cost avoidance. There are several cost- and benefit-related considerations that an organization needs to understand when weighing mitigation options.
When an organization considers a mitigation plan, the best approach is to understand its total cost of ownership
- Change in threat probability
- Change in threat impact
- Change in operational efficiency
- Total cost of ownership (TCO)
- Total cost of ownership (TCO)
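The four considerations above (change in threat probability, change in threat impact, change in operational efficiency, and total cost of ownership) combine into one calculation. The following is an added example, not from the flashcard source, that models them with the standard annualized loss expectancy formula (ALE = SLE × ARO) and a return-on-security-investment ratio. The control options, their cost figures, and the ransomware scenario are constructed for illustration.

```python
"""Cost-benefit comparison of candidate mitigating controls.

Added example, not part of the flashcard source. Uses the standard
ALE = SLE x ARO model; the scenario and control figures are constructed.
"""
from dataclasses import dataclass


def ale(sle, aro):
    """Annualized loss expectancy: single loss expectancy x annual rate of occurrence."""
    return sle * aro


@dataclass
class ControlOption:
    name: str
    aro_after: float               # change in threat probability
    sle_after: float               # change in threat impact
    acquisition: float             # one-time purchase / implementation cost
    annual_operating: float        # licences, staff, maintenance per year
    annual_efficiency_loss: float  # change in operational efficiency, per year

    def tco(self, years):
        """Total cost of ownership over the planning horizon."""
        return self.acquisition + years * (self.annual_operating + self.annual_efficiency_loss)


def evaluate(sle_before, aro_before, option, years):
    """Return ALE before/after, TCO, net benefit and ROSI for one option.

    ROSI = (loss avoided over the horizon - TCO) / TCO. A negative value
    means the control costs more than the risk it removes.
    """
    before = ale(sle_before, aro_before)
    after = ale(option.sle_after, option.aro_after)
    annual_benefit = before - after
    cost = option.tco(years)
    net = annual_benefit * years - cost
    return {
        "name": option.name,
        "ale_before": before,
        "ale_after": after,
        "annual_benefit": annual_benefit,
        "tco": cost,
        "net_benefit": net,
        "rosi": net / cost if cost else float("inf"),
    }


def rank_options(sle_before, aro_before, options, years):
    """Evaluate every option and sort with the best ROSI first."""
    results = [evaluate(sle_before, aro_before, o, years) for o in options]
    return sorted(results, key=lambda r: r["rosi"], reverse=True)


# Constructed scenario: ransomware on a file server, ALE before any control = 100,000/yr.
SLE_BEFORE, ARO_BEFORE = 200_000, 0.5
OPTIONS = [
    # Cuts both likelihood and impact (tested backups shorten the outage).
    ControlOption("EDR + tested offline backups", aro_after=0.2, sle_after=50_000,
                  acquisition=60_000, annual_operating=20_000, annual_efficiency_loss=10_000),
    # Cuts likelihood only, and slows the business noticeably.
    ControlOption("Application allow-listing", aro_after=0.1, sle_after=200_000,
                  acquisition=30_000, annual_operating=15_000, annual_efficiency_loss=40_000),
]

if __name__ == "__main__":
    for r in rank_options(SLE_BEFORE, ARO_BEFORE, OPTIONS, years=3):
        print(f'{r["name"]}: net {r["net_benefit"]:,.0f} over 3 years, ROSI {r["rosi"]:.2f}')
```

Note that the second option looks attractive on ARO alone (a fivefold reduction) but its efficiency drag over three years eats most of the benefit; that is exactly why the card insists on TCO rather than the sticker price.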
Defined as the risk of loss resulting from failed controls, processes, and systems; internal and external events; and other occurrences that impact business
operations and threaten an organization’s survival.
- Operational risk
- Operational failure
- Operational risk
Defined as the period of time from the onset of an outage until the resumption of service. Its purpose is to establish a measurable interval of time, during which
the necessary activities for recovering or resuming business operations must take place.
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- RTO (Recovery Time Objective)
Defined as the period of acceptable data loss due to an incident or disaster. Generally, this equates to the maximum period of time between backups or data
replication intervals. It is generally measured in minutes or hours, and like RTO, shorter RPO targets typically are associated with higher costs.
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- RPO (Recovery Point Objective)
Defined as the capacity of a temporary or recovery process, as compared to the normal process. In the event of any incident or disaster that results in the organization switching to a temporary or recovery process or system, the capacity of that temporary or recovery process or system may be less than that used during normal business operations.
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- RCapO (Recovery capacity objective)
Defined as the level or quality of service that is required after an event, as compared to business normal operations. Depending on the nature of the business process in question, might be measured in transaction throughput, service quality, response time, available capabilities and features, or something else.
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- SDO (Service Delivery Objective)
Defined as a theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- MTD (Maximum Tolerable Downtime)
Sometimes known as maximum acceptable outage (MAO), is defined as the maximum period of time that an organization can tolerate operating in recovery (or alternate processing) mode. This metric comes into play in situations where
an organization’s recovery mode is unlike its normal business operations and not viable for long-term business operations.
- RTO (Recovery Time Objective)
- RPO (Recovery Point Objective)
- RCapO (Recovery capacity objective)
- SDO (Service Delivery Objective)
- MTD (Maximum Tolerable Downtime)
- MTO (Maximum Tolerable Outage)
- MTO (Maximum Tolerable Outage)
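The six objectives above are only useful if they are consistent with each other and with what the environment actually does. The following is an added example, not from the flashcard source, that checks one system's recovery profile: RTO must fit inside MTD, the tested runbook must fit inside RTO, the largest observed gap between backups is the real RPO and must not exceed the target, the alternate site must deliver at least the RCapO, and planned time in alternate mode must not exceed MTO. The system record, its numbers, and the backup history are constructed for illustration.

```python
"""Consistency checks for a system's recovery objectives.

Added example, not part of the flashcard source. The profile and backup
history are constructed; the rules encode the relationships the cards
describe (RTO within MTD, backup interval within RPO, recovery capacity
meeting RCapO, time in alternate mode within MTO).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RecoveryProfile:
    name: str
    rto_hours: float                  # target time to restore service
    rpo_hours: float                  # acceptable data loss window
    mtd_hours: float                  # beyond this, viability is at risk
    mto_hours: float                  # maximum time running in recovery mode
    rcapo_percent: float              # required capacity of the recovery process
    planned_recovery_hours: float     # what the tested runbook actually takes
    recovery_capacity_percent: float  # what the alternate site can deliver
    planned_alternate_mode_hours: float
    backup_times: list = field(default_factory=list)


def worst_backup_gap_hours(backup_times):
    """Largest interval between consecutive backups, i.e. the RPO actually achieved."""
    times = sorted(backup_times)
    if len(times) < 2:
        return None
    gaps = (later - earlier for earlier, later in zip(times, times[1:]))
    return max(gaps).total_seconds() / 3600


def check_profile(p):
    """Return a list of findings; an empty list means the profile is consistent."""
    findings = []
    if p.rto_hours > p.mtd_hours:
        findings.append(f"RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
    if p.planned_recovery_hours > p.rto_hours:
        findings.append(f"tested recovery time {p.planned_recovery_hours}h exceeds RTO {p.rto_hours}h")
    gap = worst_backup_gap_hours(p.backup_times)
    if gap is None:
        findings.append("no backup history to verify RPO")
    elif gap > p.rpo_hours:
        findings.append(f"observed backup gap {gap:.1f}h exceeds RPO {p.rpo_hours}h")
    if p.recovery_capacity_percent < p.rcapo_percent:
        findings.append(f"recovery capacity {p.recovery_capacity_percent}% below RCapO {p.rcapo_percent}%")
    if p.planned_alternate_mode_hours > p.mto_hours:
        findings.append(f"planned {p.planned_alternate_mode_hours}h in alternate mode exceeds MTO {p.mto_hours}h")
    return findings


def scheduled_backups(start, count, every_hours, skipped=()):
    """Constructed backup log: one timestamp every `every_hours`, minus skipped runs."""
    return [start + timedelta(hours=i * every_hours) for i in range(count) if i not in skipped]


# Constructed profile: backups every 4h, but run number 5 failed, opening an 8h gap.
ORDERS_DB = RecoveryProfile(
    name="orders-db", rto_hours=8, rpo_hours=6, mtd_hours=24, mto_hours=14 * 24,
    rcapo_percent=60, planned_recovery_hours=6, recovery_capacity_percent=70,
    planned_alternate_mode_hours=7 * 24,
    backup_times=scheduled_backups(datetime(2024, 3, 1), count=12, every_hours=4, skipped=(5,)),
)

if __name__ == "__main__":
    for finding in check_profile(ORDERS_DB):
        print("FINDING:", finding)
```

The point of checking the observed backup gap rather than the configured schedule is that a single failed job silently doubles the data-loss window; the RPO on paper was met, the RPO in practice was not.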
A written agreement that specifies service levels in terms of the quantity of work, quality, timeliness, and remedies for shortfalls in quality or quantity. These agreements typically cover operational processes and systems.
- SLA
- TPRM
- SLA
Refers to activities used to discover and manage risks associated with external organizations performing operational functions for an organization
- SLA
- TPRM
- TPRM
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to have a formal security and/or privacy program including
but not limited to governance, policy, risk management, annual risk assessment, internal audit, vulnerability management, incident management, secure development, security awareness training, data protection, and third-party
risk.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Security and/or privacy program
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to have a control framework, including linkages to risk
management and internal audit.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Security and/or privacy controls
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to undergo penetration tests or vulnerability assessments of its service infrastructure and applications, performed by a competent security professional services firm of the organization’s choosing (or a company that the organization and third party jointly agree upon), with reports made available to the organization upon request.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Vulnerability assessments
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to undergo annual SOC 1 and/or SOC 2 Type 2 audits, ISO/IEC
27001 certification, HITRUST certification, PCI DSS Reports on Compliance (ROCs), or other industry-recognized and applicable external audits, with reports made available to the organization upon request.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- External audits and certifications
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to have a formal security incident capability that includes testing and training.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Security incident response
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to notify the organization in the event of a suspected or
confirmed breach, within a specific time frame, typically 24 hours. The language around "suspected" and "confirmed" needs to be drafted carefully so that the third party cannot sidestep this obligation, for example by withholding notification until a breach has been formally confirmed.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Security incident notification
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to permit the organization to conduct an audit of the third-party organization without cause. If the third party will not agree to this, one fallback position is to insist on the right to audit in the event of a suspected or confirmed breach or other defined circumstances. Further, include the right to have a
competent security professional services firm perform an audit of the third party's security environment on behalf of the organization; this is useful for several reasons, including geographic location and the greater objectivity of an external audit firm. The cost of the audit is usually paid by the organization, and in some cases the organization will provide credits or compensation to the third party for the time spent by the third party's team.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Right to audit
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to permit an annual on-site review of its operations and security. This can give the organization greater confidence in the third party’s
security and operations.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Periodic review
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to respond to annual questionnaires and evidence requests as part of the organization’s third-party risk program.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Annual due diligence
Before services can commence, the organization and the third party will negotiate a legal agreement that describes the services provided, along with service levels, quality, pricing, and other terms found in typical legal agreements. Based on
the details discovered in the assessment phase, the organization can
develop a section in the legal agreement that addresses security and
privacy. This part of the legal agreement will typically cover these
subjects:
Require the third party to carry a cyber insurance policy with minimum coverage levels, and to comply with all conditions of the policy so
that the policy will pay out in the event of a security event. A good option is to have the organization named on the policy (as an additional insured or loss payee), in case a widespread breach results in a large payout being shared among many customers.
- Security and/or privacy program
- Security and/or privacy controls
- Vulnerability assessments
- External audits and certifications
- Security incident response
- Security incident notification
- Right to audit
- Periodic review
- Annual due diligence
- Cyber insurance
- Cyber insurance
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Implemented during the design phase to anticipate potential threats and incorporate design features to block them.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Threat modeling
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Standards that specify allowed and disallowed coding techniques, including those more likely to introduce security defects and other defects.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Coding standards
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Performed by peers who are part of the program development and maintenance process. A peer is more likely to find security defects than the
developer who wrote the code.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Code reviews
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Automated static analysis of source code, run in the developer's IDE or executed separately as a step in the developers' central software build
environment.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Code scanning
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Dynamic scanning of running web applications to discover exploitable defects.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Application scanning
In addition to secure coding, organizations need to introduce
several security-related steps into their software development
process.
Performed periodically by internal personnel or by qualified security advisory firms.
- Threat modeling
- Coding standards
- Code reviews
- Code scanning
- Application scanning
- Application penetration testing
- Application penetration testing
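The coding standards and code scanning cards above go together: a standard names the disallowed techniques, and a scanner enforces it mechanically in the IDE or build. The following is an added example, not from the flashcard source, of a minimal scanner over Python's own syntax tree that enforces four constructed rules (the CS-0x identifiers and the sample source are illustrative, not from any real standard): calls to eval/exec, unsafe deserialization, subprocess with shell=True, and string literals assigned to secret-looking names. A real program would use a mature tool; the point is to show what "allowed and disallowed techniques" looks like once it is executable.

```python
"""Minimal static code scanner that enforces a small coding standard.

Added example, not part of the flashcard source. Rule IDs (CS-01 ...) and
the sample source are constructed for illustration.
"""
import ast

# Disallowed calls, keyed by the dotted name as written in the source.
DISALLOWED_CALLS = {
    "eval": "CS-01 eval() executes attacker-controllable code",
    "exec": "CS-01 exec() executes attacker-controllable code",
    "pickle.loads": "CS-02 unpickling untrusted data leads to code execution",
    "yaml.load": "CS-02 yaml.load without SafeLoader can construct arbitrary objects",
}
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}
SECRET_HINTS = ("password", "secret", "api_key", "token")


def dotted_name(node):
    """Render a call target such as subprocess.run as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class StandardChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, message)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in DISALLOWED_CALLS:
            self.findings.append((node.lineno, DISALLOWED_CALLS[name]))
        if name in SHELL_CALLS:
            # Only the shell=True form is flagged; list-argument calls are fine.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "CS-03 shell=True enables command injection"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Hard-coded secret: a string literal assigned to a secret-looking name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    self.findings.append((node.lineno, f"CS-04 hard-coded secret in {target.id}"))
        self.generic_visit(node)


def scan_source(source):
    """Parse `source` and return (line, message) findings sorted by line."""
    checker = StandardChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


# Constructed sample with exactly one violation of each rule.
SAMPLE = """import subprocess
import pickle

DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)
"""

if __name__ == "__main__":
    for line, message in scan_source(SAMPLE):
        print(f"line {line}: {message}")
```

Because the check runs on the syntax tree rather than on text, it does not trip on comments or strings that merely mention eval, and it can be wired into a pre-commit hook or build step and fail the build on any finding, which is the "central build environment" placement the code scanning card mentions.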
The IT service management (ITSM) companion activities, incident management and problem management, are important activities for IT organizations.
Is the IT function that is used to analyze chronic and recurring incidents to discover their root cause and prevent further occurrences.
- Problem management
- Change management
- Configuration management
- Incident management
- Problem management
The IT service management (ITSM) companion activities, incident management and problem management, are important activities for IT organizations.
Is the IT function used to control changes made to an IT environment. Its purpose is to reduce the likelihood that proposed changes will introduce unexpected risks, which could lead to unplanned outages
and security incidents.
- Problem management
- Change management
- Configuration management
- Incident management
- Change management
The IT service management (ITSM) companion activities, incident management and problem management, are important activities for IT organizations.
Is the IT function where the configuration of components in an IT environment is independently
recorded.
- Problem management
- Change management
- Configuration management
- Incident management
- Configuration management
The IT service management (ITSM) companion activities, incident management and problem management, are important activities for IT organizations.
Is the IT function that is used to analyze service outages, service slowdowns, service errors, security incidents, and software bugs, as well as to restore the agreed-on service as soon as possible.
- Problem management
- Change management
- Configuration management
- Incident management
- Incident management
Incident management and problem management need to include
the disciplines of security and risk. Four primary security- and risk related
considerations in incident management are these:
IT personnel analyzing an incident or problem need to understand the security nature of the incident or problem,
including whether the incident or problem has an impact on security. For instance, a malfunctioning firewall may be
permitting traffic to pass through a control point that should not be permitted. Further, many security incidents are first
recognized as simple malfunctions or outages and recognized later as symptoms of an attack. For example, users
complaining of slow or unresponsive servers may be experiencing the effects of a distributed denial-of-service (DDoS) attack on the organization’s servers, which, incidentally, may be a diversionary tactic to an actual attack occurring elsewhere in the organization. In the context of problem management, a server suffering from availability or performance issues may have been compromised and altered by an attacker.
- Security or risk component associated with an incident
- Security or risk implication associated with actions to restore service
- Security or risk implications associated with root cause analysis (RCA)
- Security or risk implications associated with corrective action
- Security or risk component associated with an incident
Incident management and problem management need to include the disciplines of security and risk. Four primary security- and risk-related considerations in incident management are these:
IT personnel analyzing an incident and working to restore service need to understand the security and risk impact that their analysis and corrective actions have on IT systems and associated information. For example, rebooting a security server in an attempt to remedy a situation may result in a loss of visibility and/or protection from events.
- Security or risk component associated with an incident
- Security or risk implication associated with actions to restore service
- Security or risk implications associated with root cause analysis (RCA)
- Security or risk implications associated with corrective action
- Security or risk implication associated with actions to restore service
Incident management and problem management need to include the disciplines of security and risk. Four primary security- and risk-related considerations in incident management are these:
Root-cause analysis is defined as the analysis of a problem in order to identify its underlying origin, instead of merely its symptoms and factors. IT personnel analyzing a problem must be aware of the security and risk considerations while performing root-cause analysis. IT personnel need the skills to recognize the security and risk implications of symptoms and origins. For example, a problem with server availability was traced to some file system permissions that were set improperly; those file system permission changes affected the ability for users to directly access sensitive data that should be accessed only by an application.
- Security or risk component associated with an incident
- Security or risk implication associated with actions to restore service
- Security or risk implications associated with root cause analysis (RCA)
- Security or risk implications associated with corrective action
- Security or risk implications associated with root cause analysis (RCA)
Incident management and problem management need to include the disciplines of security and risk. Four primary security- and risk-related considerations in incident management are these:
IT personnel analyzing a problem must be aware of the security and risk implications of changes being considered within business processes and technology. For instance, an application malfunction that is corrected by elevating its service account to the privileged (administrative) level may solve the underlying access permission error, but it creates significant risks as well.
- Security or risk component associated with an incident
- Security or risk implication associated with actions to restore service
- Security or risk implications associated with root cause analysis (RCA)
- Security or risk implications associated with corrective action
- Security or risk implications associated with corrective action
An organization’s workers are tasked with the acquisition and management of critical and sensitive information. Thus, there are
several practices in HR that contribute to the support of information protection, including the following:
Prior to hiring an individual, an organization uses various means to verify the background of a candidate and to ensure that they are free of a criminal history and other undesired matters.
- Background checks
- Legal agreements
- Training
- Development and management of roles
- Management of the human resource information system (HRIS)
- Background checks
An organization’s workers are tasked with the acquisition and management of critical and sensitive information. Thus, there are
several practices in HR that contribute to the support of information protection, including the following:
An organization will generally direct new employees to agree to and sign legal documents including nondisclosure, noncompete, and compliance with security and other organization policies.
- Background checks
- Legal agreements
- Training
- Development and management of roles
- Management of the human resource information system (HRIS)
- Legal agreements
An organization’s workers are tasked with the acquisition and management of critical and sensitive information. Thus, there are
several practices in HR that contribute to the support of information protection, including the following:
HR organizations are typically responsible for delivering training of all kinds to their workers, including but not limited to security awareness training. This helps workers in the organization better understand the organization’s security policy, the importance of information and asset protection, and practices in place for information protection.
- Background checks
- Legal agreements
- Training
- Development and management of roles
- Management of the human resource information system (HRIS)
- Training
An organization’s workers are tasked with the acquisition and management of critical and sensitive information. Thus, there are
several practices in HR that contribute to the support of information protection, including the following:
HR organizations typically create and maintain job descriptions, which should include security-related responsibilities, and a hierarchy of positions in the organization.
- Background checks
- Legal agreements
- Training
- Development and management of roles
- Management of the human resource information system (HRIS)
- Development and management of roles
An organization’s workers are tasked with the acquisition and management of critical and sensitive information. Thus, there are
several practices in HR that contribute to the support of information protection, including the following:
Most HR organizations today utilize an HRIS for all official records concerning their workers. Many HRIS systems today are integrated with an organization’s identity and access management system: when an employee is hired, transferred, or terminated, a data feed from the HRIS to the identity and access management (IAM) platform ensures that access management information and systems are kept up to date. This makes it all the more important that HRIS systems have accurate information in them.
- Background checks
- Legal agreements
- Training
- Development and management of roles
- Management of the human resource information system (HRIS)
- Management of the human resource information system (HRIS)
Defined as ongoing activities including control effectiveness assessments and risk assessments to observe changes in risk.
- Risk monitoring
- Key Risk Indicators
- Audits
- Risk monitoring
A measure of information risk, used to reveal trends related to levels of risk of security incidents in the organization
- Risk monitoring
- Key Risk Indicators
- Audits
- Key Risk Indicators
- A risk manager is planning a first-ever risk assessment in an organization. What is the best approach for ensuring success?
A. Interview personnel separately so that their responses can be compared.
B. Select a framework that matches the organization’s control framework.
C. Work with executive management to determine the correct scope.
D. Do not inform executive management until the risk assessment has been completed.
- C. The best approach for success in an organization’s risk management program, and during risk assessments, is to have support from executive management. Executives need to define the scope of the risk management program, whether by business unit, geography, or other means.
- A security manager has completed a vulnerability scan and has identified numerous vulnerabilities in production servers.
What is the best course of action?
A. Notify the production servers’ asset owners.
B. Conduct a formal investigation.
C. Place a single entry into the risk register.
D. Put individual vulnerability entries into the risk register.
- A. Most organizations do not place individual vulnerabilities into a risk register. The risk register is primarily for strategic
issues, not tactical issues such as individual vulnerabilities. However, if the vulnerability scan report was an indication of a
broken process or broken technology, then that matter of brokenness might qualify as a valid risk register entry.
- The concept of security tasks in the context of a SaaS or IaaS environment is depicted in a:
A. Discretionary control model
B. Mandatory control model
C. Monte Carlo risk model
D. Shared responsibility model
- D. The shared responsibility model, sometimes known as a shared responsibility matrix, depicts the operational model for
SaaS and IaaS providers where client organizations have some security responsibilities (such as end user access control) and service provider organizations have some security responsibilities (such as physical access control).
- The categories of risk treatment are:
A. Risk avoidance, risk transfer, risk mitigation, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance
- A. The four categories of risk treatment are risk mitigation (where risks are reduced through a control or process
change), risk transfer (where risks are transferred to an external party such as an insurance company or managed
services provider), risk avoidance (where the risk-producing activity is discontinued), and risk acceptance (where
management chooses to accept the risk).
- Which of the following recovery objectives is associated with the longest allowed period of service outage?
A. Recovery tolerance objective (RTO)
B. Recovery point objective (RPO)
C. Recovery capacity objective (RCapO)
D. Recovery time objective (RTO)
- D. Recovery time objective is the maximum period of time from the onset of an outage until the resumption of service.
- When would it make sense to spend $50,000 to protect an asset worth $10,000?
A. If the protective measure reduced threat impact by more than 90 percent.
B. It would never make sense to spend $50,000 to protect an asset worth $10,000.
C. If the asset was required for realization of $500,000 monthly revenue.
D. If the protective measure reduced threat probability by more than 90 percent.
- C. Ordinarily it would not make sense to spend $50,000 to protect an asset worth $10,000. But sometimes there are
other considerations, such as revenue realization or reputation damage, that can be difficult to quantify.
- Which of the following statements is true about compliance risk?
A. Compliance risk can be tolerated when fines cost less than controls.
B. Compliance risk is just another risk that needs to be measured.
C. Compliance risk can never be tolerated.
D. Compliance risk can be tolerated when it is optional.
- B. In most cases, compliance risk is just another risk that needs to be understood. This includes the understanding of
potential fines and other sanctions in relation to the costs required to reach a state of compliance. In some cases,
however, being out of compliance can also result in reputation damage, as well as larger sanctions if the organization suffers
from a security breach because of the noncompliant state.
- A security steering committee empowered to make risk treatment decisions has chosen to accept a specific risk. What
is the best course of action?
A. Refer the risk to a qualified external security audit firm.
B. Perform additional risk analysis to identify residual risk.
C. Reopen the risk item for reconsideration after one year.
D. Mark the risk item as permanently closed.
- C. A risk register item that has been accepted should be shelved and considered after a period of time, perhaps one
year. This is a better option than closing the item permanently; in a year’s time, changes in business conditions, security threats, and other considerations may compel the organization to take different action.
- A security steering committee has voted to mitigate a specific risk. Some residual risk remains. What is the best course of action regarding the residual risk?
A. Accept the residual risk and close the risk ledger item.
B. Continue cycles of risk treatment until the residual risk reaches an acceptable level.
C. Continue cycles of risk treatment until the residual risk reaches zero.
D. Accept the residual risk and keep the risk ledger item open.
- B. After risk reduction through risk mitigation, the residual risk should be treated like any new risk: it should be
reexamined, and a new risk treatment decision should be made. This should continue until the final remaining residual
risk is accepted.
- A security manager has been directed by executive management to not document a specific risk in the risk
register. This course of action is known as:
A. Burying the risk
B. Transferring the risk
C. Accepting the risk
D. Ignoring the risk
- D. The refusal of an organization to formally consider a risk is known as ignoring the risk. This is not a formal method
of risk treatment because of the absence of deliberation and decision-making. It is not a wise business practice to keep
some risk matters “off the books.”
- A security manager is performing a risk assessment on a business application. The security manager has determined
that security patches have not been installed for more than a year. This finding is known as a:
A. Probability
B. Threat
C. Vulnerability
D. Risk
- C. The absence of security patches on a system is considered a vulnerability. A vulnerability is defined as a weakness in a system that could permit an attack to occur.
- A security manager is performing a risk assessment on a data center. The security manager has determined that it is
possible for unauthorized personnel to enter the data center through the loading dock door and shut off utility power to
the building. This finding is known as a:
A. Probability
B. Threat
C. Vulnerability
D. Risk
- B. Any undesired action that could harm an asset is known as a threat.
- A security manager has developed a scheme that prescribes required methods be used to protect information at rest, in
motion, and in transit. This is known as a(n):
A. Data classification policy
B. Asset classification policy
C. Data loss prevention plan
D. Asset loss prevention plan
- A. A data classification policy is a statement that defines two or more classification levels for data, together with
procedures and standards for the protection of data at each classification for various use cases such as storage in a
database, storage on a laptop computer, transmissions via email, and storage on backup media.
- A security manager is developing a strategy for making improvements to the organization’s incident management
process. The security manager has defined the desired future state. Before specific plans can be made to improve the
process, the security manager should perform a:
A. Training session
B. Penetration test
C. Vulnerability assessment
D. Gap analysis
- D. When the desired end state of a process or system is determined, a gap analysis must be performed so that the
current state of the process or system can also be known. Then, specific tasks can be performed to reach the desired
end state of the process.