week 8 - risk management Flashcards
System characterization
System characterization establishes the scope of the risk assessment effort.
- System-related info, e.g. software, hardware, users and admins who interact with the system, purpose and nature of the system
- Operational info such as functional requirements, policies governing operation of the system, system architecture, physical security
What are the two steps of threat identification? What is a threat, and what is a vulnerability?
A threat is the potential for a threat source to act on (exercise) a vulnerability.
A vulnerability is a weakness that can be intentionally triggered or exploited.
A threat source poses no threat if there is no vulnerability for it to exercise.
- Threat source identification
- Identify potential threat sources and compile them into a list of threat sources applicable to the IT system being evaluated (natural, human, environmental). Record motivation and threat actions.
- Humans are the most dangerous because of their motivations and their ability to use resources. For the other source types only the threat actions need to be identified, not motivation.
Vulnerability identification
Make a list of system vulnerabilities that could be exploited by the threat sources.
Make a list of vulnerability/threat pairs to identify which vulnerabilities could actually be exploited.
Sources of info
e.g. system security testing, previous risk assessments
Control analysis
Analyze the controls that are implemented, or planned for implementation, by the organization.
Controls minimize or eliminate the likelihood of a threat source exercising a vulnerability.
Two categories of controls: technical and non-technical
Technical - incorporated into the system, usually hardware/software
Non-technical - usually management and operational controls, such as policies
Both control categories include preventive and detective types of controls.
Likelihood determination
Impact analysis
Risk determination
Control recommendation