Flashcards in Risk Management Deck (76)
Information Risk Management - process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level
Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls
Cost / benefit comparison
Compares the annualized cost of controls to the potential cost of loss
Understand what assets and threats should be evaluated
What a company would lose if a threat agent actually exploited a vulnerability
Loss that occurs after the initial vulnerability is exploited
NIST SP 800-30
Risk Management Guide for Information Technology Systems
Facilitated Risk Analysis Process - Focus on assessing one system at a time, only the most critical. Based on experience; risk is not quantified, for expediency.
Operationally Critical Threat, Asset, and Vulnerability Evaluation - Carnegie Mellon methodology that allows people within an organization to make security evaluation decisions. Wider scope than FRAP.
Broad approach to risk management encompassing financial, capital, human safety, and business decision risks. Business, not security, focused.
International standard for risk management in ISMS (Information Security Management System)
Failure Modes and Effect Analysis - method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process
Fault tree analysis
Method used to identify possible failures that could occur in complex environments and systems
Central Computing and Telecommunications Agency Risk Analysis and Management Method - risk analysis and management method developed in the UK and tools sold by Siemens
Quantitative risk analysis
Assign monetary and numeric values to all elements of the risk analysis process
Qualitative risk analysis
Softer approach to the data elements of risk analysis. Does not assign numerical values to risk elements.
Single Loss Expectancy - dollar amount assigned to a single event that represents the company's potential loss amount. SLE = Asset value × Exposure factor
Represents the percentage of loss a threat could have on a certain asset.
Annual Loss Expectancy
ALE = SLE × Annualized Rate of Occurrence (ARO)
Annualized Rate of Occurrence
Value that estimates the frequency of a specific threat taking place within a 12-month period.
Degree to which you lack confidence in an estimate
A group decision method that uses anonymity to obtain a consensus.
Cost / benefit analysis
“(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company”
Amount of risk left over when safeguards / countermeasures are implemented
(threats × vulnerability × asset value) × controls gap = residual risk
total risk – countermeasures = residual risk
Risk a company faces if it chooses not to implement any safeguards
threats × vulnerability × asset value = total risk
If total risk is too much for a company to deal with, it may purchase insurance, which transfers the risk
Remove risk by terminating the activity causing the risk
Risk reduced to level acceptable enough to continue doing business
Company understands level of risk and decides to live with it. Cost of countermeasure may outweigh potential loss value.