information security Flashcards
Risk Appetite
Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk it can accept.
Risk Tolerance
The risk tolerance (or risk threshold) works hand in glove with risk appetite, as it more clearly defines the range of acceptable risk for each initiative, plan, or activity.
Residual Risk
The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
Risk Treatment/Response Options
- Mitigation: implement a control that reduces an identified risk.
- Transfer: shift some or all of the risk to an external entity.
- Avoidance: abandon the risk-inducing activity altogether, taking the asset out of service or discontinuing the activity so the risk is no longer present.
- Acceptance: management accepts an identified risk as is, with no effort to reduce it.
Other Factors Impacting Response
Balancing Risk and Reward to maximize profits
Organizational Design
Organizational Culture
Residual Risk
Legal and Regulatory
Feasibility and Cost Benefit Analysis
Before deciding on the strategy for a specific asset-vulnerability-threat combination, all readily accessible information about the consequences of the vulnerability must be explored.
Cost Benefit Analysis (CBA)
The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility.
Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised.
Cost and Benefit Analysis (CBA)
- Cost: just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it.
- Benefit: the value to the organization of using controls to prevent losses associated with a specific vulnerability.
Other Methods of Establishing Feasibility
Organizational feasibility
Operational feasibility
Technical feasibility
Political feasibility
Importance of Risk and Control Ownership
Ongoing activities, including control effectiveness assessments and risk assessments, used to observe changes in risk. Security managers perform risk monitoring to report risk levels to executive management and to identify unexpected changes in risk levels.
Key Risk Indicators
Training and Awareness
Risk Documentation
Knowing Yourself and Knowing Your Enemy
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb (surrender) in every battle."
Asset Identification
Information system components: people, procedures, data, software, hardware, networking.
Identifying Hardware, Software, and Network Assets
Many organizations use asset inventory systems to keep track of their hardware, network, and software components.
Determine which attributes of each of these information assets should be tracked.
Identifying People, Procedures, and Data Assets
Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment.
Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, a relative value must be assigned.
Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority.
Threat Assessment
Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment
Identifying Threats
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy
Prioritizing Threats
Just as it did with information assets, the organization should conduct a weighted table analysis with threats
The organization should list the categories of threats it faces, and then select categories that correspond to the questions of interest
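The relative-value and weighted-table cards above describe the same mechanic: pick the questions of interest, weight them, score each asset or threat on a small scale, and rank by weighted total. The following is an added example (not from the flashcards) that implements that weighted table with the checks a reviewer would want: weights must sum to 1, every item must be scored on every criterion, scores must stay on the declared scale, and ties are resolved deterministically. The criteria names, weights and 1-5 scores are constructed sample data; the threat categories are the ones listed later on this page.

```python
"""Weighted table (weighted factor) analysis for ranking assets or threats.
Added example, not from the flashcards. Criteria, weights and scores below
are constructed sample data."""
from __future__ import annotations


def weighted_table(criteria: dict[str, float],
                   items: dict[str, dict[str, int]],
                   lo: int = 1, hi: int = 5) -> list[tuple[str, float]]:
    """Return (item, weighted score) pairs, highest priority first.

    criteria: question of interest -> weight; weights must sum to 1.0.
    items:    item name -> {criterion: score on the lo..hi scale}.
    Scores are rounded to 2 decimals so equal totals tie exactly (raw
    float sums such as 0.3*3 + 0.2*2 would otherwise differ in the last
    bit); ties are then broken alphabetically for a deterministic ranking.
    """
    if not criteria:
        raise ValueError("at least one criterion is required")
    if any(w <= 0 for w in criteria.values()):
        raise ValueError("weights must be positive")
    total_weight = sum(criteria.values())
    if abs(total_weight - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total_weight:.3f}")

    ranked: list[tuple[str, float]] = []
    for name, scores in items.items():
        missing = set(criteria) - set(scores)
        if missing:
            raise ValueError(f"{name!r} is not scored on {sorted(missing)}")
        for crit, s in scores.items():
            if crit not in criteria:
                raise ValueError(f"{name!r}: unknown criterion {crit!r}")
            if not lo <= s <= hi:
                raise ValueError(f"{name!r}: score {s} for {crit!r} is outside {lo}..{hi}")
        score = round(sum(criteria[c] * scores[c] for c in criteria), 2)
        ranked.append((name, score))

    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


# Constructed sample: the page's threat categories scored against three
# questions of interest. Weights and scores are illustrative assumptions.
THREAT_CRITERIA = {"danger": 0.5, "recovery_cost": 0.3, "prevention_cost": 0.2}
THREAT_SCORES = {
    "Software attacks":                      {"danger": 5, "recovery_cost": 4, "prevention_cost": 3},
    "Human error or failure":                {"danger": 4, "recovery_cost": 3, "prevention_cost": 2},
    "Forces of nature":                      {"danger": 2, "recovery_cost": 5, "prevention_cost": 4},
    "Theft":                                 {"danger": 3, "recovery_cost": 3, "prevention_cost": 3},
    "Technical hardware failures or errors": {"danger": 3, "recovery_cost": 2, "prevention_cost": 2},
}


def ranked_threats() -> list[tuple[str, float]]:
    """Rank the constructed sample; the first entry is the top-priority threat."""
    return weighted_table(THREAT_CRITERIA, THREAT_SCORES)


if __name__ == "__main__":
    for rank, (threat, score) in enumerate(ranked_threats(), start=1):
        print(f"{rank}. {threat:<40} {score:.2f}")
```

The same function ranks information assets: swap the criteria for the asset-valuation questions (impact on revenue, cost to replace, and so on) and the items for the asset inventory. Note that "Forces of nature" and "Human error or failure" tie at 3.30 in this sample; a tie is a signal to revisit the weights or add a discriminating criterion, not to trust the alphabetical order.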
Vulnerability Assessment
Once the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare information assets to threats.
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.
Different Forms of Vulnerabilities
forces of nature
human error or failure
software attacks
technical hardware failures or errors
theft
Detection Techniques
- Network devices: vulnerability scanning, penetration testing, network architecture review
- Software applications: vulnerability scanning
- Business processes: process review, internal audit
- Operating systems: vulnerability scanning
Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment
Risk assessment assigns a risk rating or score to each specific vulnerability
While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process
Calculating Quantified Risk
Asset value (AV): an asset is anything of value to an organization; AV is that value expressed in monetary terms.
Exposure factor (EF): the percentage of the asset value that would be lost if an incident occurred.
Single Loss Expectancy (SLE): the financial loss from a single occurrence of a threat scenario.
SLE = AV × EF
Annual Rate of Occurrence (ARO): the expected number of times the threat scenario occurs in a year (may be a fraction, e.g. 0.5 for once every two years).
Annual Loss Expectancy (ALE): the annualized loss of asset value due to threat realization.
ALE = SLE × ARO
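The CBA cards earlier on this page say the benefit of a control is the loss it prevents and that its cost must be weighed against that benefit; the cards above give the SLE/ARO/ALE arithmetic. The following added example (not from the flashcards) ties the two together: it computes SLE and ALE for one asset-threat-vulnerability combination before and after a proposed control, annualizes the control's cost, and applies CBA = ALE(before) − ALE(after) − ACS, the usual textbook form of the test (an assumption here, since the page does not spell the formula out). The web-server figures, the control, and its cost are constructed.

```python
"""Quantified risk (AV, EF, SLE, ARO, ALE) plus the cost-benefit test for a
proposed control. Added example, not from the flashcards; all figures in the
scenario below are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset-threat-vulnerability combination, quantified."""
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0..1.0)
    aro: float              # ARO: expected incidents per year (may be < 1)

    def __post_init__(self) -> None:
        if self.asset_value < 0:
            raise ValueError("AV cannot be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction of AV: give 25% as 0.25, not 25")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def annualized_control_cost(one_time: float, yearly: float, useful_life_years: int) -> float:
    """Annualized cost of the safeguard (ACS): spread the one-time purchase and
    deployment cost over the control's useful life, then add recurring cost."""
    if useful_life_years <= 0:
        raise ValueError("useful life must be at least one year")
    return one_time / useful_life_years + yearly


def cba(before: RiskScenario, after: RiskScenario, acs: float) -> float:
    """Cost-benefit of a control in annual terms (assumed textbook form):
    CBA = ALE(before) - ALE(after) - ACS.
    Positive: the control prevents more annual loss than it costs."""
    return before.ale() - after.ale() - acs


# Constructed scenario: a public web server valued at 200,000 facing a
# compromise that destroys 25% of its value about once every two years.
BEFORE = RiskScenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
# Proposed control (assumed: WAF plus a patching SLA) is expected to cut the
# damage to 10% of AV and the frequency to once every five years.
AFTER = RiskScenario(asset_value=200_000, exposure_factor=0.10, aro=0.2)
# 60,000 to buy and deploy, 3,000 per year to run, depreciated over 5 years.
ACS = annualized_control_cost(one_time=60_000, yearly=3_000, useful_life_years=5)


def worked_example() -> dict[str, float]:
    """All intermediate figures for the constructed scenario."""
    return {
        "sle_before": BEFORE.sle(),   # 200,000 x 0.25 = 50,000
        "ale_before": BEFORE.ale(),   # 50,000 x 0.5  = 25,000
        "sle_after": AFTER.sle(),     # 200,000 x 0.10 = 20,000
        "ale_after": AFTER.ale(),     # 20,000 x 0.2  = 4,000
        "acs": ACS,                   # 60,000 / 5 + 3,000 = 15,000
        "cba": cba(BEFORE, AFTER, ACS),  # 25,000 - 4,000 - 15,000 = 6,000
    }


if __name__ == "__main__":
    result = worked_example()
    for label, value in result.items():
        print(f"{label:>10}: {value:>12,.2f}")
    print("control is economically feasible" if result["cba"] > 0
          else "control costs more than the loss it prevents")
```

The EF check matters in practice: the cards define EF as a percentage, and feeding 25 instead of 0.25 silently inflates SLE a hundredfold, which is exactly the kind of error that makes a weak control look justified. Also note that a control can reduce ARO (fewer incidents), EF (less damage per incident), or both; the example changes both, so compare the two ALE values, not just one factor.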
Qualitative Risk Analysis
- Probability or likelihood
- Impact
The Australian and New Zealand Risk Management Standard (AS/NZS 4360) uses qualitative methods of determining risk based on a threat's probability of occurrence and the expected results of a successful attack.