Risk Assessment
o Identify and Valuate Assets
o Identify Threats and Vulnerabilities
Risk Analysis
o Qualitative o Quantitative (best)
Risk Mitigation/Response
o Reduce /Avoid
o Transfer
o Accept /Reject
Risk Management
- Risk Assessment
- Risk Analysis
- Risk Mitigation/Response
- Ongoing Risk Monitoring
TCO
Total Cost of Ownership (TCO)- total cost of a mitigating safeguard
Threat
potentially harmful occurrence (e.g. earthquake, attack)
Vulnerability
a weakness that allows a threat to cause harm
Impact
consequences or severity of the damage, sometimes expressed in dollars
AV
Asset Value (AV)- tangible (i.e. equipment costs) and intangible assets. Intangible assets are calculated by:
- Market approach- price at which comparable assets have been purchased
- Income approach- the present value of the future earning capacity
- Cost approach- the cost incurred to recreate or replace asset
EF
Exposure Factor (EF)- percentage of value an asset lost due to an incident
ARO
Annual Rate of Occurrence (ARO)- number of losses per year
SLE
Single Loss Expectancy (SLE)- cost of a single loss; SLE = AV x EF
ALE
Annualized Loss Expectancy (ALE)- annual cost of loss due to risk; ALE = SLE x ARO
ROI
Return on Investment (ROI)- money saved by implementing a safeguard; ROI = ALE - TCO
Risk Option
Risk Options- Accept, Mitigate, Transfer (eg insurance), Reject (ignore)
NIST (800-30) Risk Management Process
NIST (800-30) Risk Management Process:
- System characterization
- Threat ID
- Vulnerability ID
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
Due Care
Due Care- doing what a reasonable person would do; it’s the actions of performing Due Diligence
Due Diligence
Due Diligence- research, documentation & management of Due Care
Best Practice
Best Practice- consensus on the best way to accomplish something; demonstrates due care and due diligence
ISO 27001
ISO 27001- specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on completion of an audit
ISO 27002
ISO 27002 (was ISO 17799 until 2005)- Focused on best practices/techniques for IS, with 11 areas:
- Policy
- Organization of information security
- Asset Management
- HR Security
- Physical & Environmental security
- Communications and Operations management
- Access Control
- Info systems acquisition, development & maintenance
- Info security incident management
- Business continuity management
- Compliance
ITIL
ITIL (Information Technology Infrastructure Library)
- Framework for providing best practices on IT Service Management (ITSM)
- Five practices, publications
- Service Strategy
- Service Design
- Service Transition
- Service Operations
- Continual Service Improvement
PCI DSS
PCI DSS- Payment Card Industry Data Security Standard
COBIT
COBIT (Control Objectives for Information and related Technology)- IT goals focused
