Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100
Risk Management Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100% secure environment.
Types of Risk Page 71 Physical damage Human interaction Equipment malfunction Inside and outside attacks Misuse of data Loss of data Application error
Understanding Risk Management Businesses operate to make money Risks threaten the bottom line There is a finite amount of money to address an almost infinite number of vulnerabilities
Risk Management Team Goal – ensure the company is protected in the most cost-effective manner Page 73 Includes individuals from many or all departments to ensure all threats are identified and addressed
Risk Assessment Method of identifying vulnerabilities and threats and assessing the impact to determine whether to implement security controls. Table 2-5 on page 78
Risk Analysis Cost/benefit Integrate security program with company’s business objectives Must be supported and directed by senior management to be successful
Risk Analysis 1.What events could occur (threats) 2.What could be the potential impact (risk) 3.How often could this happen (frequency) 4.What is the level of confidence do we have in the answers of the first three questions (certainty)
Value of an Asset Cost to repair or replace Loss of productivity Value of data that can be corrupted Value to an adversary Liability, civil suits, loss of market share Assets can be tangible or intangible (reputation, intellectual property)
Use of Value of an Asset Perform cost/benefit calculations Specify countermeasures and safeguards Determine level of insurance to purchase
Risk Probability of a threat agent exploiting a vulnerability to cause harm to an asset and the resulting business impact.
Risk Assessment Methodologies Identify Vulnerabilities, associate threats, calculate risk values NIST SP FRAP OCTAVE
NIST SP U.S Federal Government Standard Figure 2-9 on page 80
FRAP Facilitated Risk Analysis Process Data is gathered and threats to business operations are prioritized based on their criticality. Documents controls that need to put in place to reduce identified risk
OCTAVE Carnegie Mellon University Software Engineering Institute People inside the organization manage and direct the risk evaluation
Risk Analysis Approaches Quantitative – Assigning a numeric value Qualitative – Red, Yellow, Green
Quantitative SLE – Single loss expectancy EF – Exposure Factor (percentage of loss on an asset) SLE = Asset Value * EF SLE =$150,000*25% = $37,500
Quantitative ARO – annual rate of occurrence (0 to 1 or more, 0.1 = once in ten years) ALE – Annual loss expectancy ALE = SLE * ARO ALE = $37,500 * 0.1 = $3,750 See Table on page 88
Qualitative Page 90 Figure 2-11 Page 90 Table 2-8
Delphi Technique Each member give anonymous opinion of a threat Results are compiled and distributed to members Members comment anonymously Result are compiled and distributed to members Process continues until there is a consensus
Cost/Benefit of Safeguard Value of Safeguard to the company = ALE (before safeguard) – ALE (after safeguard) – annual cost of safeguard Example page 93 Value = $12,000 - $3,000 - $650 = $8,350
Cost of Countermeasure Page 93 Page 94 – cost of IDS
Residual Risk Conceptual formulas Threats*vulnerability*asset value = total risk Total risk * control gaps = residual risk Total risk – countermeasures = residual risk
Handling Risk Transfer risk – Insurance Avoid risk – Don’t do it Mitigate risk – Reduce by controls Accept risk – Live with it. Cost of controls exceed benefits
Key Terms Pages 98-99
Outsourcing Cloud Software creation Reducing the risk – Page 100