Steps of a Risk Analysis
- 1 - Assign value to Assets
- 2 - Estimate Potential Loss per Threat - (SLE) single loss expectancy
- 3 - Perform a threat analysis - (ARO) Annualized rate of occurrence
- 4 - Derive the overall - (ALE) Annualized loss expectancy
- 5 - Reduce, Transfer, Avoid, or Accept Risk
Single Loss Expectancy
asset value x exposure factor (EF) = SLE
Exposure Factor - the percentage of loss a realized threat could have on a certain asset
SLE x annualized rate of occurrence (ARO) = ALE
Annualized Rate of Occurrence (ARO) - Value that represents the estimated frequency of a specific threat taking place within a one-year timeframe.
Disadvantages of Qualitative Risk Analysis
- The assessment and results are subjective
- Eliminates the opportunity to create a dollar value for cost/benefit discussions
- Difficult to track risk management objectives with subjective measures
- Standards are not available
Disadvantages of Quantitative Risk Analysis
- Calculations are complex
- Process is laborious without automated tools
- More preliminary work is needed to gather detailed information about the environment
- Standards are not available
- Newest version of BS7799 Part 1
- Provides a list of controls that can be used within the framework outlined in ISO 27001:2005
- Newest version of BS7799 Part 2
- Provides the steps for setting up and maintaining a security program.
international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
Information Risk Management - is the PROCESS of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
Failure Mode and Effects Analysis is a method for determining functions, identifying functional failures, and assessing the causes of failure and the failure effects through a structured process.
group decision method where each group member can communicate anonymously
vulnerability, threat, risk
- vulnerability - is the absence of a safeguard (a weakness that can be exploited)
- threat - possibility that someone or something would exploit a vulnerability to cause harm to an asset.
- risk - the probability of threat agent exploiting a vulnerability and the loss potential from that action
Information Security and Risk Management Study Sheet
- Confidentiality – the security objective to protect from improper disclosure of sensitive information.
- Availability – the requirement of business to have access to systems and data.
- Integrity – the reliability of systems to properly function in order to prohibit improper modification of data.
- Known as the CIA or AIC Triad, Confidentiality, Availability, and Integrity have to work in concert to keep data not only protected and accurate, but accessible to authorized users.
- Policy – management stating the role security plays in an organization.
- Procedure – a mandated series of steps to accomplish a task, such as software installation.
- Standard – usually the implementation of a common hardware or software solution to a security risk, such as a Firewall.
- Baseline – a consistent minimum benchmark for security configurations across a multitude of implementations, such as password rules.
- Guideline – a recommendation that has not been adopted as a standard but is considered a best practice, such as the Common Criteria.
- The Organization’s Security Policy is an abstract statement from management which is implemented through the IT staff. For example, following a procedure to install a standard, in accordance with a guideline, and set up referencing the baseline, is an instance of adhering to policy.
- Safeguards – uniform and proactive controls applied before an incident, which incorporates the idea of least privilege.
- Vulnerability – a flaw in a procedure, implementation, or control that if exercised will result in a security breach.
- Threat – a potential accidental or intentional danger to an information system.
- Exposure – an opportunity for a threat to cause damage.
- Risk – probability of a threat agent exploiting a vulnerability resulting in losses.
- Risk Transference – the passing on of risk to a third party, such as insurance.
- Countermeasure – reactive controls applied after an incident.
- Safeguards are installed to protect against threats, but if a vulnerability exists in a safeguard, an exposure to a threat surfaces, resulting in a risk which either has to be countered or transferred.
- Strategic Planning – a long-term plan focusing on high-level requirements, such as the overarching security plan.
- Operational Planning – a mid-term plan focusing on an organization’s functional plans.
- Tactical Planning – a short-term “fire fighting” strategy usually at the keyboard level.
- The Planning Horizon is the compilation of strategic, operational, and tactical planning.
- Job Rotation – movement of employees to expose collusion and policy violations.
- Mandatory Vacations – forced leave to detect elements of fraud.
- Separation of Duties – split knowledge and dual control of job tasks, which helps prevent errors and fraud.
- Need to Know – only those persons absolutely requiring information should have access to such information.
- Least Privilege – allowing processes and users only enough permission to accomplish their job.
- Roles and Responsibilities – used to ensure everyone knows what an individual will be doing.
- Due Care – responsible acts reducing the probability of being held liable or negligent.
- Data Owners – responsible for data classification, user access, related business continuity plans and disaster recovery.
- Data Custodian – is the security enforcer for the data owner, such as an email server admin.
- Auditor – independent assurance that the security controls are being implemented correctly and are operational.
- Application Owners – addresses user permissions and security controls on data specific to a particular application.
- Information Risk Management – implementing the right mechanisms to mitigate and sustain an acceptable level of risk.
- ISO 17799 & 27001 – guidelines, controls, and best practices for comprehensive security programs.
- Asset Identification – identifying assets, which are tangible, such as the facility, or intangible, such as data.
- Assurance – a level of confidence that a particular security level is being upheld.
- CobiT – four goals to ensure IT maps seamlessly with business needs: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
- Governance – a set of management directives to ensure strategic direction, objective accomplishments, risk management, and appropriate use of enterprise resources.
- Organization for Economic Co-operation and Development (OECD) – an international group assisting governments with economic, social, and governance challenges worldwide.
- Project Sizing – pre-risk-analysis documentation of the scope of the project.
- Failure Modes and Effect Analysis (FMEA) – an assessment of manufacturing defects.
- Fault Tree Analysis (FTA) – analytical approach to detect failures and system safety within a complex environment.
- Quantitative Risk Analysis – a monetary determination of risk.
- Qualitative Risk Analysis – a scaled intrinsic value assigned to a level of risk, such as 1-5 or high, medium, and low.
- Delphi Technique – an anonymously communicated group decision.
- Single Loss Expectancy (SLE) – amount that could be lost if a threat is executed upon, such as the value of data, cost to replace data, and potential opportunities missed.
- Risk Analysis is performed to balance the economic impact of risk and the cost of the safeguards.
- Risk Analysis Formulas
- Total Risk = Threats X Vulnerability X Asset Value
- Residual Risk = (Threats X Vulnerability X Asset Value) X Controls Gap
- Annual Loss Expectancy (ALE) = Single Loss Expectancy X frequency per year