9 Questions
What is risk management primarily concerned with?
Identifying, assessing, and controlling threats to an organization's capital and earnings
List three sources from which risks can stem in an organization.
Financial uncertainties, legal liabilities, technology issues.
Risk management only includes assessing and identifying risks, not controlling them.
False
ISO 27000 Security Standards address _________ standards.
security
Match the following risk treatment alternatives with their descriptions:
Risk acceptance = Accepting risk due to excessive cost of treatment Risk avoidance = Not proceeding with the risky activity Risk transfer = Buying insurance or outsourcing Reduce likelihood = Implementing suitable controls
What is the primary purpose of risk management?
Mitigate threats to an organization's capital and earnings
Define security management in IT.
Security management in IT is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.
The IT security management functions do not include developing and implementing a security awareness program.
False
Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings arising from financial uncertainties, legal liabilities, technology issues, accidents, and natural ____________.
disasters
Study Notes
Risk Management
- The process of identifying, assessing, and controlling threats to an organization's capital and earnings
- Risks stem from various sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters
Security Management
- A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability
- IT security management functions include:
- Organizational IT security objectives, strategies, and policies
- Determining organizational IT security requirements
- Identifying and analyzing security threats to IT assets
- Identifying and analyzing risks
- Specifying appropriate safeguards
- Monitoring the implementation and operation of safeguards
- Developing and implementing a security awareness program
- Detecting and reacting to incidents
ISO 27000 Security Standards
- IT Security Management Process:
- Plan (establish policy, define objectives and processes)
- Do (implement and operate policy, controls, and processes)
- Check (assess and measure, and report results)
- Act (take corrective and preventative actions)
Organizational Context and Security Policy
- Examine organization's IT security:
- Objectives (wanted IT security outcomes)
- Strategies (how to meet objectives)
- Policies (what needs to be done)
- Security policy should be maintained and updated regularly using periodic security reviews
- Reflect changing technical/risk environments
Security Policy: Topics to Cover
- Needs to address:
- Scope and purpose, including relation to business, legal, and regulatory requirements
- IT security requirements
- Assignment of responsibilities
- Risk management approach
- Security awareness and training
- General personnel issues and legal sanctions
- Integration of security into systems development
- Information classification scheme
- Contingency and business continuity planning
- Incident detection and handling processes
- How and when policy reviewed, and change control to it
Management Support
- IT security policy must be supported by senior management
- Need an IT security officer to provide consistent overall supervision, manage the process, and handle incidents
- Large organizations may need IT security officers on major projects/teams to manage the process within their areas
Security Risk Assessment
- Critical component of the process
- Else, may have vulnerabilities or waste money
- Ideally, examine every asset vs. risk, but not feasible in practice
- Choose one of the possible alternatives based on organization's resources and risk profile:
- Baseline approach
- Informal approach
- Formal approach
- Combined approach
Baseline Approach
- Use "industry best practice"
- Easy, cheap, and can be replicated
- Gives no special consideration to organization
- May give too much or too little security
- Implement safeguards against most common threats
- Baseline recommendations and checklist documents available from various bodies
- Alone, only suitable for small organizations
Informal Approach
- Conduct informal, pragmatic risk analysis on organization's IT systems
- Exploits knowledge and expertise of analyst
- Fairly quick and cheap
- Does address some organization-specific issues
- Some risks may be incorrectly assessed
- Skewed by analyst's views, varies over time
- Suitable for small to medium-sized organizations
Detailed Risk Analysis
- Most comprehensive alternative
- Assess using formal structured process
- Identify likelihood of risk and consequences
- Hence, have confidence in controls being appropriate
- Costly and slow, requires expert analysts
- May be a legal requirement to use
- Suitable for large organizations with IT systems critical to their business objectives
Combined Approach
- Combines elements of other approaches
- Initial baseline on all systems
- Informal analysis to identify critical risks
- Formal assessment on these systems
- Iterated and extended over time
- Better use of time and money resources
- Better security earlier that evolves
- May miss some risks early
- Recommended alternative for most organizations
Detailed Risk Analysis Process
Establish Context
- Determine broad risk exposure of organization
- Related to wider political/social environment
- Legal and regulatory constraints
- Specify organization's risk appetite
- Set boundaries of risk assessment
- Decide on risk assessment criteria used
Asset Identification
- Identify assets
- Anything that needs to be protected
- Of value to organization to meet its objectives
- Tangible or intangible
- In practice, try to identify significant assets
- Draw on expertise of people in relevant areas of organization
- Identify and interview such personnel
- See checklists in various standards
Threat Identification
- Identify threats or risks to assets
- Ask who or what could cause harm?
- How could this occur?
- Threats are anything that hinders or prevents an asset providing appropriate levels of key security services:
- Confidentiality, integrity, availability, accountability, authenticity, and reliability
- Assets may have multiple threats
Threat Sources
- Threats may be natural ("acts of God") or man-made (accidental or deliberate)
- Should consider human attackers
- Motivation, capability, resources, probability of attack, and deterrence
- Any previous history of attack on organization
Vulnerability Identification
- Identify exploitable flaws or weaknesses in organization's IT systems or processes
- Determine applicability and significance of threat to organization
- Need combination of threat and vulnerability to create a risk to an asset
- Can use lists of potential vulnerabilities in standards
Analyze Risks
- Specify likelihood of occurrence of each identified threat to asset given existing controls
- Specify consequence should threat occur
- Hence, derive overall risk rating for each threat
- Risk = probability threat occurs x cost to organization
- In practice, very hard to determine exactly
- Use qualitative not quantitative ratings for each
- Aim to order resulting risks in order to treat them
Determine Likelihood, Consequence, and Resultant Risk
Document in Risk Register and Evaluate Risks
Risk Treatment
- Risk acceptance: accept risk (perhaps because of excessive cost of risk treatment)
- Risk avoidance: do not proceed with the activity that causes the risk (loss of convenience)
- Risk transfer: buy insurance; outsource
- Reduce consequence: modify the uses of an asset to reduce risk impact
- Reduce likelihood: implement suitable controls
Assets
- Integrity of stored file and database information
- Availability, integrity of financial system
- Availability, integrity of procurement system
- Availability, integrity of maintenance/production system
- Availability, integrity, and confidentiality of mail services
Threats & Vulnerabilities
- Unauthorized modification of control system
- Corruption, theft, loss of information
- Attacks/errors affecting procurement system
- Attacks/errors affecting financial system
- Attacks/errors affecting mail system
- Attacks/errors affecting maintenance/production system
Risk Register
- A document that records and tracks risks throughout the risk management process
Risk Management
- The process of identifying, assessing, and controlling threats to an organization's capital and earnings
- Risks stem from various sources, including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters
Security Management
- A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability
- IT security management functions include:
- Organizational IT security objectives, strategies, and policies
- Determining organizational IT security requirements
- Identifying and analyzing security threats to IT assets
- Identifying and analyzing risks
- Specifying appropriate safeguards
- Monitoring the implementation and operation of safeguards
- Developing and implementing a security awareness program
- Detecting and reacting to incidents
ISO 27000 Security Standards
- IT Security Management Process:
- Plan (establish policy, define objectives and processes)
- Do (implement and operate policy, controls, and processes)
- Check (assess and measure, and report results)
- Act (take corrective and preventative actions)
Organizational Context and Security Policy
- Examine organization's IT security:
- Objectives (wanted IT security outcomes)
- Strategies (how to meet objectives)
- Policies (what needs to be done)
- Security policy should be maintained and updated regularly using periodic security reviews
- Reflect changing technical/risk environments
Security Policy: Topics to Cover
- Needs to address:
- Scope and purpose, including relation to business, legal, and regulatory requirements
- IT security requirements
- Assignment of responsibilities
- Risk management approach
- Security awareness and training
- General personnel issues and legal sanctions
- Integration of security into systems development
- Information classification scheme
- Contingency and business continuity planning
- Incident detection and handling processes
- How and when policy reviewed, and change control to it
Management Support
- IT security policy must be supported by senior management
- Need an IT security officer to provide consistent overall supervision, manage the process, and handle incidents
- Large organizations may need IT security officers on major projects/teams to manage the process within their areas
Security Risk Assessment
- Critical component of the process
- Else, may have vulnerabilities or waste money
- Ideally, examine every asset vs. risk, but not feasible in practice
- Choose one of the possible alternatives based on organization's resources and risk profile:
- Baseline approach
- Informal approach
- Formal approach
- Combined approach
Baseline Approach
- Use "industry best practice"
- Easy, cheap, and can be replicated
- Gives no special consideration to organization
- May give too much or too little security
- Implement safeguards against most common threats
- Baseline recommendations and checklist documents available from various bodies
- Alone, only suitable for small organizations
Informal Approach
- Conduct informal, pragmatic risk analysis on organization's IT systems
- Exploits knowledge and expertise of analyst
- Fairly quick and cheap
- Does address some organization-specific issues
- Some risks may be incorrectly assessed
- Skewed by analyst's views, varies over time
- Suitable for small to medium-sized organizations
Detailed Risk Analysis
- Most comprehensive alternative
- Assess using formal structured process
- Identify likelihood of risk and consequences
- Hence, have confidence in controls being appropriate
- Costly and slow, requires expert analysts
- May be a legal requirement to use
- Suitable for large organizations with IT systems critical to their business objectives
Combined Approach
- Combines elements of other approaches
- Initial baseline on all systems
- Informal analysis to identify critical risks
- Formal assessment on these systems
- Iterated and extended over time
- Better use of time and money resources
- Better security earlier that evolves
- May miss some risks early
- Recommended alternative for most organizations
Detailed Risk Analysis Process
Establish Context
- Determine broad risk exposure of organization
- Related to wider political/social environment
- Legal and regulatory constraints
- Specify organization's risk appetite
- Set boundaries of risk assessment
- Decide on risk assessment criteria used
Asset Identification
- Identify assets
- Anything that needs to be protected
- Of value to organization to meet its objectives
- Tangible or intangible
- In practice, try to identify significant assets
- Draw on expertise of people in relevant areas of organization
- Identify and interview such personnel
- See checklists in various standards
Threat Identification
- Identify threats or risks to assets
- Ask who or what could cause harm?
- How could this occur?
- Threats are anything that hinders or prevents an asset providing appropriate levels of key security services:
- Confidentiality, integrity, availability, accountability, authenticity, and reliability
- Assets may have multiple threats
Threat Sources
- Threats may be natural ("acts of God") or man-made (accidental or deliberate)
- Should consider human attackers
- Motivation, capability, resources, probability of attack, and deterrence
- Any previous history of attack on organization
Vulnerability Identification
- Identify exploitable flaws or weaknesses in organization's IT systems or processes
- Determine applicability and significance of threat to organization
- Need combination of threat and vulnerability to create a risk to an asset
- Can use lists of potential vulnerabilities in standards
Analyze Risks
- Specify likelihood of occurrence of each identified threat to asset given existing controls
- Specify consequence should threat occur
- Hence, derive overall risk rating for each threat
- Risk = probability threat occurs x cost to organization
- In practice, very hard to determine exactly
- Use qualitative not quantitative ratings for each
- Aim to order resulting risks in order to treat them
Determine Likelihood, Consequence, and Resultant Risk
Document in Risk Register and Evaluate Risks
Risk Treatment
- Risk acceptance: accept risk (perhaps because of excessive cost of risk treatment)
- Risk avoidance: do not proceed with the activity that causes the risk (loss of convenience)
- Risk transfer: buy insurance; outsource
- Reduce consequence: modify the uses of an asset to reduce risk impact
- Reduce likelihood: implement suitable controls
Assets
- Integrity of stored file and database information
- Availability, integrity of financial system
- Availability, integrity of procurement system
- Availability, integrity of maintenance/production system
- Availability, integrity, and confidentiality of mail services
Threats & Vulnerabilities
- Unauthorized modification of control system
- Corruption, theft, loss of information
- Attacks/errors affecting procurement system
- Attacks/errors affecting financial system
- Attacks/errors affecting mail system
- Attacks/errors affecting maintenance/production system
Risk Register
- A document that records and tracks risks throughout the risk management process
Learn about risk management, the process of identifying, assessing and controlling threats to an organization's capital and earnings.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free
