The flashcards below were created by user
mjweston
on FreezingBlue Flashcards.
-
IT security management
the process of establishing a clear view of an organization's IT security objectives and general risk profile, performing a risk assessment for each asset in the organization, and deciding how to reduce each risk or accept the residual risk
-
baseline approach
informal approach
detailed risk analysis
combined approach
the four approaches to identifying and mitigating risks to an organization's IT infrastructure
-
baseline approach
implement a basic, general level of security controls on systems using codes of practice, industry best practice, and baseline documents - goal is to provide protection against the most common threats - recommended only for small organizations - cheapest option
-
informal approach
involves conducting some form of informal, pragmatic risk analysis of the organization's IT systems - requires no additional skills (uses existing employees' knowledge) - quick and cheap - recommended for small to medium-sized organizations
-
detailed risk analysis
most comprehensive approach - includes identifying assets, threats, and vulnerabilities, then the likelihood of each risk occurring and its consequences - gives the most detailed examination of the security risks - highest cost in time, resources, and expertise
-
combined approach
approach that uses elements of the other three risk assessment approaches to provide a reasonable level of protection as quickly as possible and to adjust the protection controls as needed - easier to sell to management - resources are likely to be applied where most needed - most cost-effective and highly recommended for most organizations
-
risk appetite
the level of risk the organization views as acceptable
-
asset
- anything that has value to the organization
- can be tangible or intangible
-
threat
a potential cause of an unwanted incident, which may result in harm to a system or organization
-
vulnerability
a weakness in an asset or group of assets that can be exploited by one or more threats
-
risk
the combination of the probability of an event and its consequence, being the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
-
IT security policy
risk analysis
implementation guidelines/implementation
follow-up
the four steps in the information security management process
-
1-establish context - define the organization's risk appetite (acceptable level of risk)
2-asset identification
3-threat identification
4-vulnerability identification - identify flaws and weaknesses
5-analyze existing controls - safeguards already in place
6-determine likelihood
7-determine consequences
8-determine resulting level of risk
the 8 steps of Detailed Security Risk Analysis
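The eight steps above are easiest to see as a small risk register run end to end. The following is an added worked example, not part of the original flashcards: it assumes 5-point ordinal scales for likelihood and consequence, a 4-level risk rating derived from their product (thresholds chosen for this example), existing controls modelled as reductions of the raw likelihood, and a constructed sample register of assets, threats, and vulnerabilities. The output is the register sorted highest risk first, with each entry flagged for treatment if its level exceeds the risk appetite set in step 1.

```python
from dataclasses import dataclass, field

# Step 6/7 scales (assumption of this example: 1..5 ordinal ratings).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


@dataclass
class RiskItem:
    """One row of the register: steps 2-4 (asset, threat, vulnerability)
    plus the raw likelihood/consequence ratings and the controls already in place."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                 # raw likelihood, before existing controls
    consequence: str
    existing_controls: list = field(default_factory=list)  # [(name, likelihood reduction)]


def effective_likelihood(item: RiskItem) -> int:
    """Step 5 + 6: each existing control lowers the raw likelihood score;
    the result is floored at 1 ('rare')."""
    score = LIKELIHOOD[item.likelihood]
    for _name, reduction in item.existing_controls:
        score -= reduction
    return max(score, 1)


def risk_level(likelihood_score: int, consequence_score: int) -> str:
    """Step 8: map the 1..25 likelihood x consequence product to a qualitative level.
    The thresholds are an assumption of this example, not a standard matrix."""
    product = likelihood_score * consequence_score
    if product >= 15:
        return "extreme"
    if product >= 8:
        return "high"
    if product >= 4:
        return "medium"
    return "low"


def analyze(register: list, risk_appetite: str) -> list:
    """Run steps 5-8 over the register and flag entries whose level exceeds the
    appetite from step 1. Sorted highest risk first so treatment resources
    go where they are most needed."""
    results = []
    for item in register:
        lik = effective_likelihood(item)
        con = CONSEQUENCE[item.consequence]
        level = risk_level(lik, con)
        results.append({
            "asset": item.asset,
            "threat": item.threat,
            "likelihood": lik,
            "consequence": con,
            "level": level,
            "treat": RISK_ORDER[level] > RISK_ORDER[risk_appetite],
        })
    results.sort(key=lambda r: (RISK_ORDER[r["level"]], r["likelihood"] * r["consequence"]),
                 reverse=True)
    return results


# Constructed sample register (hypothetical assets and threats).
SAMPLE_REGISTER = [
    RiskItem("customer database", "external attacker (SQL injection)",
             "unpatched web application", "likely", "major", [("web application firewall", 1)]),
    RiskItem("file server", "ransomware delivered by phishing",
             "users open attachments", "almost certain", "major",
             [("mail filtering", 1), ("awareness training", 1)]),
    RiskItem("office printer", "hardware failure", "aging equipment", "possible", "minor"),
    RiskItem("data centre", "flood (natural disaster)", "site on a flood plain",
             "rare", "catastrophic"),
    RiskItem("staff laptop", "theft", "no disk encryption", "likely", "moderate",
             [("cable locks", 1)]),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_REGISTER, risk_appetite="medium"):
        action = "TREAT" if r["treat"] else "accept"
        print(f"{r['level']:8} L={r['likelihood']} C={r['consequence']} {action:6} "
              f"{r['asset']}: {r['threat']}")
```

With a "medium" appetite the three "high" entries (database, file server, laptop) are flagged for treatment, while the printer and the flood risk fall within appetite and are accepted; raising the appetite to "high" would accept everything in this register, which is the kind of sensitivity check worth showing management before the appetite is fixed.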
-
non-human (environmental) - natural disasters
human-related - internal (employees, IT department staff, former employees, etc.) or external (attackers using viruses, worms, phishing, spam, etc.)
types of threats or threat sources
-
risk acceptance
choosing to accept a risk level greater than the organization's normal appetite for business reasons
-
risk avoidance
not proceeding with the activity or system that creates this risk
-
risk transfer
sharing responsibility for the risk with a third party (e.g., through insurance or outsourcing)
-
reduce consequence
by modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur
-
reduce likelihood
by implementing suitable controls to lower the chance of the vulnerability being exploited (e.g., firewalls, increasing password complexity, or changing policies)
-
risk acceptance
risk avoidance
risk transfer
reduce consequence
reduce likelihood
what are the five risk treatment alternatives?