IA managing security risk

Card Set Information

IA managing security risk
2011-12-06 19:19:05
IA managing security risk

IA Final
Show Answers:

  1. A loss associated with an event - the loss is the
    risk - risk impact
  2. the liklihood of the event occurring - if this is 1 we have a problem(it will happen)
    Risk Probability
  3. The degree to which we can change the outcome
    risk control
  4. Risk Exposure =
    ex. fender bender in parking lot
    • Risk Impackt * Risk Probability
    • about the amount of the deductible * high
  5. 3 risk strategies
    avoid the risk, transfer the risk, assume the risk
  6. change security or system requirments
    avoid the risk
  7. insurance - it makes us whole or puts us back to the state prior to the loss
    transfer the risk
  8. accept it, control it, plan for it
    assume the risk
  9. Risk leverage is
    change in risk exposure/ cost of risk reduction
  10. higher leverage value is ______ - think of it this way: you don't want to spend a lot of money to only minimally reduce your risk
  11. 6 steps to risk analysis
    • 1. identify assets
    • 2. determine vulnerabilities
    • 3. estimate liklihood of exploitation
    • 4. compute expected annual loss
    • 5. survey applicable controls and costs
    • 6/ project annual savings of control
  12. hardware, software, data, people(skills), documentation, supplies, (as a general list)
    identify assets in risk analysis
  13. we can use a matrix as a guide but we need to use our imagination
    determining vulnerabilities in risk analysis
  14. When determining vulnerabilities as part of risk analysis we need to consider (4)
    • unintentional errors
    • malicious insiders
    • malicious outsiders
    • natural and physical disasters
  15. When determining vulnerabilities we can also map the assets - how is each asset subject to loss of
    confidentiality, integrity, availability
  16. Includes:
    desired goals are confidentiality, itegrity and availability
    information states: storage transmission, processing
    safeguards: policy and practices, human factors, technology
    McCumber Cube
  17. Mc Cumber cube desired goals section includes
    confidentiatily, integrity, availability
  18. Mc Cumber cube information states include
    • Storage - data at rest DAR
    • Transmission - data in transit DIT
    • Processing
  19. Mc Cumber cube safeguards include
    • policy and practices(operations)
    • Human factors(personnel)
    • technology
  20. Liklihood estimates include
    classical, frequency, subjective
  21. liklihood estimate - not possible for security because we cannot objectively assign a probability to an event
  22. liklihood estimate - we can look at past behavior to build probability estimates of future events
  23. liklihood estimate - expert opinion - can't really predict - flip to pin testing
  24. When computing expected loss you must look at
    tangible and intangible costs
  25. replacement of physical items - when real things are broken
    tangible costs
  26. loss of customer goodwill, loss of CIA, loss of employee trist
    intangibile costs
  27. match vunerabilites with controls
    do we have redundancy in controls for each vulnerability
    are any vulnerabilities without controls
    are some controls not addressing threats( pointless)
    survey controls
  28. The cost of a control includes an savings projected by minimizing vulnerabilities - gets subjective REALLY fast - can't really do it doesnt save instead it prevents loss
    project annual savins
  29. Reasons for risk analysis (5)
    • Improve awareness
    • relate the security mission to management objectives
    • identify assets, vulnerabilites and controls
    • improve basis for decisions
    • justify expenditures for security
  30. Reasons against risk analysis (4)
    • False sense of precision and confidence
    • hard to perform
    • typically made and forgotton
    • not accurate (too subjective)
  31. natural disasters(flood,fire) Power loss, Surges, human vandalism, interception of senstive information
    physical security concerns
  32. UPS is an ______ preventing the physical security concern of power loss
    Uninteruptable power supply
  33. unauthorizd access and use - theft due to portability
    human vandalism
  34. to prevent this physical security concern we use - shredding, secure file deletion, degaussing(magnet), elimination emmissions(tempest certified)
    interception of sensitive information
  35. extra sheilded so it doesnt emit electronic signals and cladded protected from emp bursts - expensive
    TEMPEST certified
  36. Contingency planning includes (3)
    backup, cold site(shell) hot site
  37. a contingency plan - preferabily off site or networked, complete, revolving, selective
    back up
  38. a contingency plan - facility with power and cooling, ready to install a new computing center
    cold site (shell)
  39. a contingency plan - computer facility ready to go - full business without people
    hot site