Information Security & Risk Management

• 1 - Assign value to Assets
• 2 - Estimate Potential Loss per Threat - (SLE) single loss expectancy
• 3 - Perform a threat analysis - (ARO) Annualized rate of occurrence
• 4 - Derive the overall - (ALE) Annualized loss expectancy
• 5 - Reduce, Transfer, Avoid, or Accept Risk

Single Loss Expectancy

asset value x exposure factor (EF) = SLE

Exposure Factor - the percentage of loss a realized threat could have on a certain asset

SLE x annualized rate of occurrence (ARO) = ALE

Annualized Rate of Occurrence (ARO) - Value that represents the estimated frequency of a specific threat taking place within a one year timeframe.

• The assessment and results are subjective
• eliminates opportunity to create a dollar value for cost/benefit discussions
• Difficult to track risk management objection with subjective measures
• standards are not available.

• Calculations are complex
• process is laborious without automated tools
• more preliminary work needed to gather detailed information about environment
• standards are not available

• Newest version of BS7799 Part 1
• Provides a list of controls that can be used within the framework outlined in ISO 27001:2005

• Newest version of BS7700 Part 11
• Provides the steps for setting up and maintaining security program.

international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy

Information Risk Management - is the PROCESS of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

Failure Mode and Effects Analysis is a method ofr determining functions, identifying functional failures, and assessing the causes of failure and the failure effects through a structured process.

group decision method where each group member can communicate anonumously

• vulnerability - is the absence of a safeguard (a weakness that can be exploited)
• threat - possibility that someone or something would exploit a vulnerability to cause harm to an asset.
• risk - the probability of threat agent exploiting a vulnerability and the loss potential from that action

• Information Security and Risk Management Study Sheet
• Confidentiality – the security objective to protect from improper disclosure of sensitive information.
• Availability – the requirement of business to have access to systems and data.
• Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.
• Known as the CIA or AIC Triad, Confidentiality, Availability,
• and Integrity have to work in concert to keep data not only protected
• and accurate, but accessible to authorized users.

• Policy – management stating the role security plays in an organization.
• Procedure – a mandated series of steps to accomplish a task, such as software installation.
• Standard – usually the implementation of a common hardware or software solution to a security risk, such as a Firewall.
• Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
• Guideline – a recommendation until adopted as standards, but are considered best practices, such as the Common Criteria.
• The Organization’s Security Policy is an abstract statement from
• management which is implemented through the IT staff. For example, the
• following of a procedure, to install a standard, in accordance with a
• guideline, and is setup referencing the baseline, is an instance of
• adhering to policy.

• Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
• Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
• Threat – a potential accidental or intentional danger to an information system.
• Exposure – an opportunity for a threat to cause damage.
• Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
• Risk Transference – the passing on of risk to a third party, such as insurance.
• Countermeasure – reactive controls applied after an incident.
• Safeguards are installed to protect against threats, but if a
• vulnerability exists in a safeguard an exposure to a threat surfaces
• resulting in a risk which either has to be countered or transferred.

• Strategic Planning – a long term plan focusing on high level requirements, such as the overarching security plan.
• Operational Planning – a mid term plan focusing on an organization’s functional plans.
• Tactical Planning – a short term “fire fighting” strategy usually at the keyboard level.
• The Planning Horizon is the compilation of strategic, operational, and tactical planning.

• Job Rotation – movement of employees to expose collusion and policy violations.
• Mandatory Vacations – forced leave to detect elements of fraud.
• Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
• Need to Know – only those persons absolutely requiring information should have access to such information.
• Least Privilege – allowing processes and users only enough permission to accomplish their job.
• Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
• Due Care – responsible acts reducing the probability of being held liable or negligent.

• Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
• Data Custodian – is the security enforcer for the data owner, such as an email server admin.
• Auditor – independent assurance that the security controls are being implemented correctly and are operational.
• Application Owners – addresses user permissions and security controls on data specific to a particular application.

• Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
• ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
• Asset Identification – are tangible, such as the facility, and intangible, such as data.
• Assurance – a level of confidence that a particular security level is being upheld.
• CobiT – four goals to ensure IT maps seamlessly with business needs; Plan and Organize, Acquire and Implement, Deliver and
• Support, Monitor and Evaluate.

• Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management,
• and appropriate use of enterprise resources.
• Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.

• Project Sizing – a pre risk analysis documentation of the scope of the project.
• Failure Modes and Effect Analysis (FMEA) – an assessment of manufacturing defects.
• Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
• Quantitative Risk Analysis – a monetary determination of risk.
• Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk, such as 1-5 or high med and low.
• Delphi Technique – an anonymously communicated group decision.
• Single Loss Expectancy (SLE) – amount that could be
• lost if a threat is executed upon, such as the value of data, cost to
• replace data, and potential opportunities missed.
• Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.

• Risk Analysis Formulas
• Total Risk = Threats X Vulnerability X Asset Value
• Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
• Annual Loss Expectancy (ALE) = Single Loss Expectancy X frequency per year