ITEC 85 Lesson 4: Risk Management
9 Questions
Questions and Answers

What is risk management primarily concerned with?

  • Managing legal liabilities
  • Implementing technology solutions
  • Identifying, assessing, and controlling threats to an organization's capital and earnings (correct)
  • Assessing financial performance

List three sources from which risks can stem in an organization.

  Financial uncertainties, legal liabilities, technology issues.

Risk management only includes assessing and identifying risks, not controlling them.

  False

ISO 27000 Security Standards address _________ standards.

  security

Match the following risk treatment alternatives with their descriptions:

  Risk acceptance = Accepting risk due to excessive cost of treatment
  Risk avoidance = Not proceeding with the risky activity
  Risk transfer = Buying insurance or outsourcing
  Reduce likelihood = Implementing suitable controls

What is the primary purpose of risk management?

  Mitigate threats to an organization's capital and earnings

Define security management in IT.

  Security management in IT is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

The IT security management functions do not include developing and implementing a security awareness program.

  False

Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings arising from financial uncertainties, legal liabilities, technology issues, accidents, and natural ____________.

  disasters

    Study Notes

    Risk Management

    • The process of identifying, assessing, and controlling threats to an organization's capital and earnings
    • Risks stem from various sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters

    Security Management

    • A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability
    • IT security management functions include:
      • Organizational IT security objectives, strategies, and policies
      • Determining organizational IT security requirements
      • Identifying and analyzing security threats to IT assets
      • Identifying and analyzing risks
      • Specifying appropriate safeguards
      • Monitoring the implementation and operation of safeguards
      • Developing and implementing a security awareness program
      • Detecting and reacting to incidents

    ISO 27000 Security Standards

    • IT Security Management Process:
      • Plan (establish policy, define objectives and processes)
      • Do (implement and operate policy, controls, and processes)
      • Check (assess and measure, and report results)
      • Act (take corrective and preventative actions)

    Organizational Context and Security Policy

    • Examine organization's IT security:
      • Objectives (wanted IT security outcomes)
      • Strategies (how to meet objectives)
      • Policies (what needs to be done)
    • Security policy should be maintained and updated regularly through periodic security reviews
    • Updates should reflect the changing technical and risk environments

    Security Policy: Topics to Cover

    • Needs to address:
      • Scope and purpose, including relation to business, legal, and regulatory requirements
      • IT security requirements
      • Assignment of responsibilities
      • Risk management approach
      • Security awareness and training
      • General personnel issues and legal sanctions
      • Integration of security into systems development
      • Information classification scheme
      • Contingency and business continuity planning
      • Incident detection and handling processes
      • How and when the policy is reviewed, and the change control applied to it

    Management Support

    • IT security policy must be supported by senior management
    • Need an IT security officer to provide consistent overall supervision, manage the process, and handle incidents
    • Large organizations may need IT security officers on major projects/teams to manage the process within their areas

    Security Risk Assessment

    • Critical component of the process
    • Without it, vulnerabilities may go unaddressed or money may be wasted on unnecessary controls
    • Ideally, examine every asset vs. risk, but not feasible in practice
    • Choose one of the possible alternatives based on organization's resources and risk profile:
      • Baseline approach
      • Informal approach
      • Formal approach
      • Combined approach

    Baseline Approach

    • Use "industry best practice"
    • Easy, cheap, and can be replicated
    • Gives no special consideration to organization
    • May give too much or too little security
    • Implement safeguards against most common threats
    • Baseline recommendations and checklist documents available from various bodies
    • Alone, only suitable for small organizations

    Informal Approach

    • Conduct informal, pragmatic risk analysis on organization's IT systems
    • Exploits knowledge and expertise of analyst
    • Fairly quick and cheap
    • Does address some organization-specific issues
    • Some risks may be incorrectly assessed
    • Skewed by analyst's views, varies over time
    • Suitable for small to medium-sized organizations

    Detailed Risk Analysis

    • Most comprehensive alternative
    • Assess using formal structured process
    • Identify likelihood of risk and consequences
    • Hence, have confidence in controls being appropriate
    • Costly and slow, requires expert analysts
    • May be a legal requirement to use
    • Suitable for large organizations with IT systems critical to their business objectives

    Combined Approach

    • Combines elements of other approaches
    • Initial baseline on all systems
    • Informal analysis to identify critical risks
    • Formal assessment on these systems
    • Iterated and extended over time
    • Better use of time and money resources
    • Better security earlier, which then evolves over time
    • May miss some risks early
    • Recommended alternative for most organizations

    Detailed Risk Analysis Process

    Establish Context

    • Determine broad risk exposure of organization
    • Related to wider political/social environment
    • Legal and regulatory constraints
    • Specify organization's risk appetite
    • Set boundaries of risk assessment
    • Decide on risk assessment criteria used

    Asset Identification

    • Identify assets
    • Anything that needs to be protected
    • Of value to organization to meet its objectives
    • Tangible or intangible
    • In practice, try to identify significant assets
    • Draw on expertise of people in relevant areas of organization
    • Identify and interview such personnel
    • See checklists in various standards

    Threat Identification

    • Identify threats or risks to assets
    • Ask who or what could cause harm?
    • How could this occur?
    • Threats are anything that hinders or prevents an asset from providing appropriate levels of the key security services:
      • Confidentiality, integrity, availability, accountability, authenticity, and reliability
    • Assets may have multiple threats

    Threat Sources

    • Threats may be natural ("acts of God") or man-made (accidental or deliberate)
    • Should consider human attackers
    • Motivation, capability, resources, probability of attack, and deterrence
    • Any previous history of attack on organization

    Vulnerability Identification

    • Identify exploitable flaws or weaknesses in organization's IT systems or processes
    • Determine applicability and significance of threat to organization
    • Need combination of threat and vulnerability to create a risk to an asset
    • Can use lists of potential vulnerabilities in standards

    Analyze Risks

    • Specify the likelihood of occurrence of each identified threat to the asset, given existing controls
    • Specify the consequence should the threat occur
    • Hence, derive an overall risk rating for each threat
    • Risk = probability that the threat occurs × cost to the organization
    • In practice, this is very hard to determine exactly
    • So use qualitative rather than quantitative ratings for each
    • Aim to rank the resulting risks so that they can be treated in priority order

    Determine Likelihood, Consequence, and Resultant Risk

    Document in Risk Register and Evaluate Risks
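As an added example (not part of the lesson), a small qualitative risk register in Python: a constructed five-level likelihood/consequence matrix stands in for the "probability × cost" product the notes say is hard to quantify, and the register ranks the lesson's sample assets and threats for treatment. The scale labels, the matrix cells and the assessed values are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed five-level qualitative scales and matrix (assumptions for this example;
# the lesson names no scale). Rows: likelihood, columns: consequence.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
RATING_ORDER = ["low", "medium", "high", "extreme"]
RISK_MATRIX = [
    ["low",    "low",    "low",    "medium",  "high"],     # rare
    ["low",    "low",    "medium", "high",    "high"],     # unlikely
    ["low",    "medium", "medium", "high",    "extreme"],  # possible
    ["medium", "medium", "high",   "extreme", "extreme"],  # likely
    ["medium", "high",   "high",   "extreme", "extreme"],  # almost certain
]

def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the qualitative rating; reject unknown labels so a typo cannot become 'low'."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown scale value: {likelihood!r} / {consequence!r}")
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: str   # assessed given the controls already in place
    consequence: str
    rating: str

class RiskRegister:
    """Records each asset/threat pair with its rating so risks can be ranked for treatment."""
    def __init__(self) -> None:
        self.entries: list[RiskEntry] = []

    def add(self, asset: str, threat: str, likelihood: str, consequence: str) -> RiskEntry:
        entry = RiskEntry(asset, threat, likelihood, consequence,
                          risk_rating(likelihood, consequence))
        self.entries.append(entry)
        return entry

    def prioritized(self) -> list[RiskEntry]:
        """Highest rating first; ties broken by likelihood, then consequence."""
        return sorted(self.entries, reverse=True, key=lambda e: (
            RATING_ORDER.index(e.rating), LIKELIHOOD.index(e.likelihood),
            CONSEQUENCE.index(e.consequence)))

def build_sample_register() -> RiskRegister:
    """Constructed entries from the lesson's example assets and threats; values are illustrative."""
    reg = RiskRegister()
    reg.add("financial system", "attacks/errors affecting financial system", "possible", "major")
    reg.add("mail services", "attacks/errors affecting mail system", "likely", "moderate")
    reg.add("stored file/database information", "corruption, theft, loss of information", "unlikely", "catastrophic")
    reg.add("procurement system", "attacks/errors affecting procurement system", "rare", "minor")
    return reg
```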

    Risk Treatment

    • Risk acceptance: accept risk (perhaps because of excessive cost of risk treatment)
    • Risk avoidance: do not proceed with the activity that causes the risk (loss of convenience)
    • Risk transfer: buy insurance; outsource
    • Reduce consequence: modify the uses of an asset to reduce risk impact
    • Reduce likelihood: implement suitable controls

    Assets

    • Integrity of stored file and database information
    • Availability, integrity of financial system
    • Availability, integrity of procurement system
    • Availability, integrity of maintenance/production system
    • Availability, integrity, and confidentiality of mail services

    Threats & Vulnerabilities

    • Unauthorized modification of control system
    • Corruption, theft, loss of information
    • Attacks/errors affecting procurement system
    • Attacks/errors affecting financial system
    • Attacks/errors affecting mail system
    • Attacks/errors affecting maintenance/production system

    Risk Register

    • A document that records and tracks risks throughout the risk management process
