Professional Documents
Culture Documents
Upon Completion of This Chapter, You Should Be Able To:: - Identify The Categories That Can Be Used To Classify Controls
Upon Completion of This Chapter, You Should Be Able To:: - Identify The Categories That Can Be Used To Classify Controls
RISK MANAGEMENT
1
CH-4
RISK MANAGEMENT
Or
A risk is defined as the impact (damage) resulting from the
successful compromise of an asset.
2
CH-4
RISK MANAGEMENT
RISK MANAGEMENT
is the process of identifying risk, as represented by
vulnerabilities, to an organization’s information assets and
infrastructure, and taking steps to reduce this risk to an
acceptable level.
3
CH-4
RISK MANAGEMENT
• risk assessment,
- is the determination of the extent to which the organization’s
information assets are exposed or at risk.
• risk control.
- is the application of controls to reduce the risks to an organization’s
data and information systems.
4
CH-4
RISK MANAGEMENT
5
CH-4
RISK MANAGEMENT
RISK IDENTIFICATION
A risk management strategy requires that information security
professionals know their organizations’ information assets—
that is, identify, classify, and prioritize them.
6
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
7
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
8
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
9
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
you then review each information asset for each threat it faces
and create a list of vulnerabilities.
10
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
11
CH-4
RISK MANAGEMENT
RI SK I D ENTI FIC A TI ON
(Back)
12
CH-4
RISK MANAGEMENT
RISK IDENTIFICATION
13
figure(Back)
CH-4
RISK MANAGEMENT
RISK IDENTIFICATION
14
CH-4
RISK MANAGEMENT
RISK ASSESSMENT
Once you have identified the organization’s information assets
and the threats and vulnerabilities, you can evaluate the relative
risk for each of the vulnerabilities.
This process is called risk assessment.
15
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
16
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
You could also choose to use a number between 1 and 100 (zero
is not used, since vulnerabilities with a zero likelihood have been
removed from the asset/vulnerability list).
17
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
For example:
1. Information asset A has a value score of 50 and has one
vulnerability. Vulnerability 1 has a likelihood of 1.0 with no
current controls. You estimate that assumptions and data are 90
percent accurate.
The resulting ranked list of risk ratings for the above vulnerability
is:
18
CH-4
RISK MANAGEMENT
R I S K A S SE S S M EN T
For example:
2. Information asset B has a value score of 100 and has two
vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a
current control that addresses 50 percent of its risk; vulnerability
3 has a likelihood of 0.1 with no current controls. You estimate
that assumptions and data are 80 percent accurate.
The resulting ranked list of risk ratings for the above vulnerability
is:
19
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
20
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
21
CH-4
RISK MANAGEMENT
R I S K A S SE S S M EN T
22
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
23
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
24
CH-4
RISK MANAGEMENT
RI SK A SS ESSME NT
25
CH-4
RISK MANAGEMENT
26
CH-4
RISK MANAGEMENT
ii. Transfer
The transfer control strategy attempts to shift risk to other assets,
other processes, or other organizations.
iii. Mitigate
The mitigate control strategy attempts to reduce the impact
caused by the exploitation of vulnerability through planning and
preparation.
27
CH-4
RISK MANAGEMENT
iv. Accept
The accept control strategy is the choice to do nothing to protect
a vulnerability and to accept the outcome of its exploitation.
This may or may not be a conscious business decision.
28
CH-4
RISK MANAGEMENT
v. Terminate
The terminate control strategy directs the organization to avoid
those business activities that introduce uncontrollable risks.
29
CH-4
RISK MANAGEMENT
GO B A CK
30