lecture 3 Flashcards
(24 cards)
COSO ERM framework, every risk management decision either increases, decreases or erodes value:
- Aligning risk appetite
- reducing operational surprises
- enhancing risk response
- identifying and managing multiple and cross enterprise risks
- seizing opportunities
- improving deployment of capital
Risk identification
Processes for identifying the risks and opportunities that could impact on an organisation
risk assessment
the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Includes development of risk treatment strategies
Strategic understanding of information value
the strategic objectives; how, why and what information is most critical; the value of other information assets
risk appetite
a high level view of how much risk management is willing to accept
Risk identification mini steps
Identify information/ICT processes and then develop a set of risk indicators relative to these
threat
potential cause of an unwanted incident, which may result in harm to a system or organisation
likelihood
the probability of a risk eventuating
Consequence
the impact of an adverse change to the level of business objectives achieved
existing controls
safeguards and countermeasures in place to manage risk
Jacobson's window
Isolates four classes of risk: low-low, high-low, low-high and high-high. These four are easily broken down into either inconsequential or significant risk classes
options available for risks
- accept = monitor
- avoid = eliminate
- reduce = institute controls
- share = partner with someone
Key elements of impact analysis
Assess the degree of harm or loss that can occur as a result of exploitation of a vulnerability
determining acceptable risk levels
evaluating risks on the basis of likelihood and consequences provides two factors that can be used to prioritise risk management
Expected value of risk
EVR = estimated loss from specific risk * % likelihood of loss
enterprise risk management (an effective IT security strategy needs a holistic, security-conscious environment in the entire organisation and commitment to:)
- ensuring stakeholders' confidence and trust through the integrity of the business and its information assets
- maintaining the confidentiality of personal and financial information
- safeguarding sensitive business information from unauthorised disclosure
- ensuring availability of business critical information assets
Confidentiality
meaning that the information assets can be accessed and disclosed only by authorised parties
integrity
meaning that the information assets can only be modified or deleted in authorised ways, therefore they are always complete and true
availability
meaning that the information assets are accessible to the authorised parties in a timely manner
non-repudiation
meaning the ability to prove that a sender sent or a receiver received a message even if the sender or receiver wishes to deny it later
Authenticity
meaning both genuineness and validity of an information asset
privacy
meaning to protect the confidentiality and identity of a user
accountability
meaning the ability to audit the level of protection provided for information assets and the ability to identify where the responsibility lies to provide such protection
Assurance
meaning the measurement of confidence in the level of protection of an information asset and the degree to which a particular control enforces information security policy requirements