CH9 Risk Management: Controlling Risk

39 terms by william_pope 

Create a new folder

Advertisement Upgrade to remove ads

risk management

To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function
This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data
These objectives are met via the application of the principles of ___.

Avoidance
Transference
Mitigation
Acceptance

An organization must choose one of "four" basic strategies to control risks

Avoidance

Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability is called ___.

Transference

Shifting the risk to other areas or to outside entities is called ___.

Mitigation

___ is reducing the impact if the vulnerability is exploited.

Acceptance

Understanding the consequences and accepting the risk without control or mitigation is called ___.

policy
training

Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability. Avoidance is accomplished through:
-Application of ___
-Application of ___ and education
-Countering threats
-Implementation of technical security controls and safeguards

Outsourcing
contracts

Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
May be accomplished by rethinking how services are offered:
-Revising deployment models
-___ to other organizations
-Purchasing insurance
-Implementing service ___ with providers

planning

Mitigation is the control approach that attempts to reduce the damage caused by the exploitation of vulnerability.
-Using ___ and preparation
-Depends upon the ability to detect and respond to an attack as quickly as possible

Disaster recovery plan (DRP)
Incident response plan (IRP)
Business continuity plan (BCP)

3 Types of mitigation plans

justify

Acceptance is the choice to do nothing to protect an information asset, to accept the loss when it occurs.
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not ___ the security expenditure.

risk
cost benefit

Before using the acceptance strategy, the organization must:
-Determine the level of___ to the information asset
-Assess the probability of attack and the likelihood of a successful exploitation of a vulnerability
-Approximate the ARO of the exploit
-Estimate the potential loss from attacks
-Perform a thorough ___ analysis
-Evaluate controls using each appropriate type of feasibility
-Decide that the particular asset did not justify the cost of protection

Risk appetite

___ (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept.
As they evaluate the trade-offs between perfect security and unlimited accessibility. The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited

Residual risk

When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for. This is called___.

Threats, vulnerabilities and assets

Residual Risk is a combined function of:
___, ___ and ___, less the effects of the safeguards in place

information security

The goal of ___ is NOT to bring residual risk to zero, but to bring it in line with an organization's "risk appetite".
If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal.

Risk control

___ involves selecting one of the four risk control strategies.
If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than expected costs of the attack, the organization may choose to accept the risk

exists
exploited

Guidelines for risk control strategy selection:
-When a vulnerability ___,
Implement security controls to reduce the likelihood of a vulnerability being exercised
-When a vulnerability can be ___,
Apply layered controls to minimize the risk or prevent occurrence
-When the attacker's potential gain is greater than the costs of attack,
Apply technical or managerial controls to increase the attacker's cost, or reduce his gain
-When potential loss is substantial,
Apply controls to limit the extent of the attack

...

Before deciding on the strategy for a specific vulnerability, all readily accessible information about the consequences of the vulnerability must be explored.
Ask "what are the advantages of implementing a control as opposed to the disadvantages of implementing the control?"
There are a number of ways to determine the advantage or disadvantage of a specific control.
The primary means are based on the value of the information assets that it is designed to protect.

Economic feasibility

___is the criterion most commonly used when evaluating a project that implements information security controls and safeguards.

cost-benefit

Begin a ___ analysis by:
Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised.

decision-making

This ___ process is called Cost-benefit analysis or economic feasibility study

Training

It is difficult to determine the value of information. It is also difficult to determine the cost of safeguarding it. 4 Factors that affect the cost of a safeguard are:
-Cost of development or acquisition of hardware, software, and services
-___ fees
-Cost of implementation
-Service and maintenance costs

Benefit
annualized loss expectancy (ALE)

___is the value to the organization of using controls to prevent losses associated with a specific vulnerability.
Usually determined by valuing the information assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset.
This is expressed as the___.

Asset valuation

___is the process of assigning financial value or worth to each information asset.
The value of information differs within and between organizations, based on the characteristics of information and the perceived value of that information.
Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation.

intellectual property

Asset valuation components:
-Value retained from the cost of creating the information asset
-Value retained from past maintenance of the information asset
-Value implied by the cost of replacing the information
-Value from providing the information
-Value acquired from the cost of protecting the information
-Value to owners
-Value of ___
-Value to adversaries
-Loss of productivity while the information assets are unavailable
-Loss of revenue while information assets are unavailable

create
maintain

An organization must be able to place a dollar value on each information asset it owns, based on:
-How much did it cost to ___ or acquire?
-How much would it cost to recreate or recover?
-How much does it cost to ___?
-How much is it worth to the organization?
-How much is it worth to the competition?

Potential loss

___ is that which could occur from the exploitation of vulnerability or a threat occurrence. Ask these questions:
-What loss could occur, and what financial impact would it have?
-What would it cost to recover from the attack, in addition to the financial impact of damage?
-What is the single loss expectancy for each risk?

single loss expectancy (SLE)

A ___is the calculation of the value associated with the most likely loss from an attack. "THIS" is based on the value of the asset and the expected percentage of loss that would occur from a particular attack.

...

SLE = asset value (AV) x exposure factor (EF)
Where EF is the percentage loss that would occur from a given vulnerability being exploited.
This information is usually estimated

annualized rate of occurrence (ARO)
ALE = SLE * ARO

In most cases, the probability of a threat occurring is the probability of loss from an attack within a given time frame.
This value is commonly referred to as the ___.

Cost-Benefit Analysis

___ determines whether or not a control alternative is worth its associated cost.
"This" may be calculated before a control or safeguard is implemented to determine if the control is worth implementing.
Or calculated after controls have been implemented and have been functioning for a time

ALE (prior to control)
ALE (post-control)
ACS

Cost-benefit analysis formula
CBA = ALE(prior) - ALE(post) - ACS
___ is the annualized loss expectancy of the risk before the implementation of the control
___ is the ALE examined after the control has been in place for a period of time
___ is the annual cost of the safeguard

Organizational feasibility analysis

___ examines how well the proposed information security alternatives will contribute to the operation of an organization.

Operational feasibility

___ addresses user and management acceptance and support.

Technical feasibility

___ examines whether or not the organization has or can acquire the technology to implement and support the alternatives.

Political feasibility

___ defines what can and cannot occur based on the consensus and relationships between the communities of interest.

...

Alternatives to Feasibility Analysis
Benchmarking
Due care and due diligence
Best business practices
Gold standard
Government recommendations
Baseline

OCTAVE

Other METHODS:
-___: Operationally Critical Threat, Asset, and Vulnerability Evaluation
-Microsoft InfoSec risk management process:
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
-The Factor Analysis of Information Risk (FAIR) framework
-The ISO 27000 series includes a standard for the performance of Risk Management

Please allow access to your computer’s microphone to use Voice Recording.

Having trouble? Click here for help.

We can’t access your microphone!

Click the icon above to update your browser permissions above and try again

Example:

Reload the page to try again!

Reload

Press Cmd-0 to reset your zoom

Press Ctrl-0 to reset your zoom

It looks like your browser might be zoomed in or out. Your browser needs to be zoomed to a normal size to record audio.

Please upgrade Flash or install Chrome
to use Voice Recording.

For more help, see our troubleshooting page.

Your microphone is muted

For help fixing this issue, see this FAQ.

Star this term

You can study starred terms together

NEW! Voice Recording

Create Set