39 terms

CH9 Risk Management: Controlling Risk

risk management
To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function
This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data
These objectives are met via the application of the principles of ___.
An organization must choose one of "four" basic strategies to control risks
Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability is called ___.
Shifting the risk to other areas or to outside entities is called ___.
___ is reducing the impact if the vulnerability is exploited.
Understanding the consequences and accepting the risk without control or mitigation is called ___.
Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability. Avoidance is accomplished through:
-Application of ___
-Application of ___ and education
-Countering threats
-Implementation of technical security controls and safeguards
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
May be accomplished by rethinking how services are offered:
-Revising deployment models
-___ to other organizations
-Purchasing insurance
-Implementing service ___ with providers
Mitigation is the control approach that attempts to reduce the damage caused by the exploitation of vulnerability.
-Using ___ and preparation
-Depends upon the ability to detect and respond to an attack as quickly as possible
Disaster recovery plan (DRP)
Incident response plan (IRP)
Business continuity plan (BCP)
3 Types of mitigation plans
Acceptance is the choice to do nothing to protect an information asset, to accept the loss when it occurs.
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not ___ the security expenditure.
cost benefit
Before using the acceptance strategy, the organization must:
-Determine the level of___ to the information asset
-Assess the probability of attack and the likelihood of a successful exploitation of a vulnerability
-Approximate the ARO of the exploit
-Estimate the potential loss from attacks
-Perform a thorough ___ analysis
-Evaluate controls using each appropriate type of feasibility
-Decide that the particular asset did not justify the cost of protection
Risk appetite
___ (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept.
As they evaluate the trade-offs between perfect security and unlimited accessibility. The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited
Residual risk
When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for. This is called___.
Threats, vulnerabilities and assets
Residual Risk is a combined function of:
___, ___ and ___, less the effects of the safeguards in place
information security
The goal of ___ is NOT to bring residual risk to zero, but to bring it in line with an organization's "risk appetite".
If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal.
Risk control
___ involves selecting one of the four risk control strategies.
If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than expected costs of the attack, the organization may choose to accept the risk
Guidelines for risk control strategy selection:
-When a vulnerability ___,
Implement security controls to reduce the likelihood of a vulnerability being exercised
-When a vulnerability can be ___,
Apply layered controls to minimize the risk or prevent occurrence
-When the attacker's potential gain is greater than the costs of attack,
Apply technical or managerial controls to increase the attacker's cost, or reduce his gain
-When potential loss is substantial,
Apply controls to limit the extent of the attack
Before deciding on the strategy for a specific vulnerability, all readily accessible information about the consequences of the vulnerability must be explored.
Ask "what are the advantages of implementing a control as opposed to the disadvantages of implementing the control?"
There are a number of ways to determine the advantage or disadvantage of a specific control.
The primary means are based on the value of the information assets that it is designed to protect.
Economic feasibility
___is the criterion most commonly used when evaluating a project that implements information security controls and safeguards.
Begin a ___ analysis by:
Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised.
This ___ process is called Cost-benefit analysis or economic feasibility study
It is difficult to determine the value of information. It is also difficult to determine the cost of safeguarding it. 4 Factors that affect the cost of a safeguard are:
-Cost of development or acquisition of hardware, software, and services
-___ fees
-Cost of implementation
-Service and maintenance costs
annualized loss expectancy (ALE)
___is the value to the organization of using controls to prevent losses associated with a specific vulnerability.
Usually determined by valuing the information assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset.
This is expressed as the___.
Asset valuation
___is the process of assigning financial value or worth to each information asset.
The value of information differs within and between organizations, based on the characteristics of information and the perceived value of that information.
Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation.
intellectual property
Asset valuation components:
-Value retained from the cost of creating the information asset
-Value retained from past maintenance of the information asset
-Value implied by the cost of replacing the information
-Value from providing the information
-Value acquired from the cost of protecting the information
-Value to owners
-Value of ___
-Value to adversaries
-Loss of productivity while the information assets are unavailable
-Loss of revenue while information assets are unavailable
An organization must be able to place a dollar value on each information asset it owns, based on:
-How much did it cost to ___ or acquire?
-How much would it cost to recreate or recover?
-How much does it cost to ___?
-How much is it worth to the organization?
-How much is it worth to the competition?
Potential loss
___ is that which could occur from the exploitation of vulnerability or a threat occurrence. Ask these questions:
-What loss could occur, and what financial impact would it have?
-What would it cost to recover from the attack, in addition to the financial impact of damage?
-What is the single loss expectancy for each risk?
single loss expectancy (SLE)
A ___is the calculation of the value associated with the most likely loss from an attack. "THIS" is based on the value of the asset and the expected percentage of loss that would occur from a particular attack.
SLE = asset value (AV) x exposure factor (EF)
Where EF is the percentage loss that would occur from a given vulnerability being exploited.
This information is usually estimated
annualized rate of occurrence (ARO)
In most cases, the probability of a threat occurring is the probability of loss from an attack within a given time frame.
This value is commonly referred to as the ___.
Cost-Benefit Analysis
___ determines whether or not a control alternative is worth its associated cost.
"This" may be calculated before a control or safeguard is implemented to determine if the control is worth implementing.
Or calculated after controls have been implemented and have been functioning for a time
ALE (prior to control)
ALE (post-control)
Cost-benefit analysis formula
CBA = ALE(prior) - ALE(post) - ACS
___ is the annualized loss expectancy of the risk before the implementation of the control
___ is the ALE examined after the control has been in place for a period of time
___ is the annual cost of the safeguard
Organizational feasibility analysis
___ examines how well the proposed information security alternatives will contribute to the operation of an organization.
Operational feasibility
___ addresses user and management acceptance and support.
Technical feasibility
___ examines whether or not the organization has or can acquire the technology to implement and support the alternatives.
Political feasibility
___ defines what can and cannot occur based on the consensus and relationships between the communities of interest.
Alternatives to Feasibility Analysis
Due care and due diligence
Best business practices
Gold standard
Government recommendations
-___: Operationally Critical Threat, Asset, and Vulnerability Evaluation
-Microsoft InfoSec risk management process:
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
-The Factor Analysis of Information Risk (FAIR) framework
-The ISO 27000 series includes a standard for the performance of Risk Management