Principles of Information Security Sixth Edition Chapter 4 Review Questions
Principles of Information Security, Fourth Edition Chapter 4 Managing IT Risk
Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, take a chance identification, and take a chance control – Depict how risk is identified and assessed – Assess hazard based on probability of occurrence and likely impact – Explain the primal aspects of documenting run a risk via the process of risk assessment Principles of Information Security, Quaternary Edition 2
Learning Objectives (cont'd. ) – Describe the various risk mitigation strategy options – Identify the categories that tin can be used to allocate controls – Recognize the conceptual frameworks for evaluating risk controls and formulate a cost benefit assay – Describe how to maintain and perpetuate/sustain risk controls Principles of Data Security, Quaternary Edition 3
Introduction • Organizations must pattern and create safe environments in which business organisation processes and procedures can function • Risk management: process of identifying and decision-making risks facing an organization • Risk identification: process of examining an arrangement's current data technology security situation • Chance control: applying controls to reduce risks to an organization's data and information systems Principles of Data Security, Quaternary Edition 4
Risk Direction An Overview of Risk Management Know yourself: place, examine, and empathise the information and systems currently in place Know the enemy: identify, examine, and understand threats facing the system Responsibility of each community of interest inside an organization to manage risks that are encountered Principles of Data Security, Quaternary Edition 5
Effigy 4 -1 Components of Hazard Management Principles of Information Security, Fourth Edition 6
The Roles of the Communities of Involvement • Information security, direction and users, and information technology all must work together • Communities of interest are responsible for: – Evaluating the risk controls – Determining which control options are cost effective for the organization – Acquiring or installing the needed controls – Ensuring that the controls remain effective Principles of Information Security, Fourth Edition 7
Risk Identification • Risk management involves i - identifying ii - classifying iii -prioritizing an organisation'south assets • A threat assessment procedure identifies and quantifies the risks facing each asset • Components of risk identification – People – Procedures – Information – Software – Hardware Principles of Data Security, Quaternary Edition 8
Plan and Organize the Process • First step in the Chance Identification procedure is : follow your project management principles • Brainstorm past organizing a team with representation beyond all affected groups • The process must then be planned out – Periodic deliverables – Reviews – Presentations to management • Tasks laid out, assignments fabricated and timetables discussed Principles of Information Security, Fourth Edition 9
Effigy four -2 Components of Risk Identification Principles of Information Security, 4th Edition 10
Asset Identification and Inventory • Iterative process; begins with identification of assets, including all elements of an organization'due south system (people, procedures, data and information, software, hardware, networking) • Assets are and then classified and categorized Principles of Information Security, Fourth Edition 11
Table 4 -1 Categorizing the Components of an Data Organisation Principles of Data Security, 4th Edition 12
People, Procedures, and Information Asset Identification • Homo resources, documentation, and information information avails are more hard to identify • Important asset attributes: – People: position proper name/number/ID; supervisor; security clearance level; special skills – Procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update – Information: nomenclature; owner/creator/ manager; data structure size; information structure used; online/offline; location; backup procedures employed Principles of Data Security, Fourth Edition xiii
Hardware, Software, and Network Asset Identification • What data attributes to rail depends on: – Needs of organization/take chances direction efforts – Preferences/needs of the security and data technology communities • Nugget attributes to be considered are: name; IP address; MAC address; element type; serial number; manufacturer proper name; model/part number; software version; concrete or logical location; controlling entity • Automated tools can identify organization elements for hardware, software, and network components Principles of Data Security, 4th Edition 14
Information Nomenclature and Direction • Variety of nomenclature schemes used by corporate and armed forces organizations • Information owners responsible for classifying their information avails • Data classifications must be reviewed periodically • Well-nigh organizations practise non need detailed level of classification used by military machine or federal agencies; even so, organizations may need to allocate data to provide protection Principles of Information Security, Quaternary Edition 15
Data Classification and Management (cont'd. ) • Security clearance structure – Each data user assigned a single level of authorisation indicating nomenclature level – Before accessing specific set of information, employee must come across need-to-know requirement • Management of Classified Data • Storage, distribution, portability, and destruction of classified information • Clean desk-bound policy • Dumpster diving Principles of Information Security, Fourth Edition 16
Classifying and Prioritizing Information Assets • Many organizations have data nomenclature schemes (e. 1000. , confidential, internal, public data) • Classification of components must be specific to permit decision of priority levels • Categories must be comprehensive and mutually exclusive Principles of Information Security, Fourth Edition 17
Data Nugget Valuation • Questions help develop criteria for asset valuation • Which information nugget: – – Is most critical to organization's success? Generates the most revenue/profitability? Would be nigh expensive to supervene upon or protect? Would be the virtually embarrassing or cause greatest liability if revealed? Principles of Information Security, 4th Edition xviii
Figure 4 -5 Sample Inventory Worksheet Principles of Data Security, Fourth Edition nineteen
Information Asset Valuation (cont'd. ) • Information asset prioritization – Create weighting for each category based on the answers to questions – Summate relative importance of each asset using weighted factor analysis – List the assets in society of importance using a weighted gene assay worksheet Principles of Information Security, Fourth Edition 20
Table iv -two Case of a Weighted Factor Assay Worksheet Notes: EDI: Electronic Data Interchange SSL: Secure Sockets Layer Principles of Data Security, 4th Edition 21
Identifying and Prioritizing Threats • Realistic threats need investigation; unimportant threats are fix aside • Threat assessment: – Which threats present danger to assets? – Which threats represent the almost danger to data? – How much would it toll to recover from attack? – Which threat requires greatest expenditure to prevent? Principles of Information Security, Fourth Edition 22
Table four -3 Threats to Data Security 5 Principles of Information Security, Fourth Edition 23
Vulnerability Identification • Specific avenues threat agents tin can exploit to assail an information asset are chosen vulnerabilities • Examine how each threat could be perpetrated and listing organization'southward assets and vulnerabilities • Process works best when people with various backgrounds within system work iteratively in a series of brainstorming sessions • At end of adventure identification process, list of assets and their vulnerabilities is accomplished Principles of Information Security, Fourth Edition 24
Adventure Assessment • Risk cess evaluates the relative risk for each vulnerability • Assigns a run a risk rating or score to each information asset • The goal at this point: create a method for evaluating the relative risk of each listed vulnerability Principles of Information Security, Fourth Edition 25
Likelihood • The probability that a specific vulnerability volition be the object of a successful attack • Assign numeric value: number between 0. 1 (depression) and 1. 0 (loftier), or a number betwixt one and 100 • Zero not used since vulnerabilities with zippo likelihood are removed from nugget/vulnerability list • Use selected rating model consistently • Utilize external references for values that have been reviewed/adjusted for your circumstances Principles of Information Security, Fourth Edition 26
Risk Determination • For the purpose of relative hazard cess: – – – Risk EQUALS Likelihood of vulnerability occurrence TIMES value (or impact) MINUS percentage take a chance already controlled PLUS an chemical element of incertitude – Take a chance = (likelihood * value or impact) – (pct take chances already controlled) + (uncertainty chemical element ) Principles of Data Security, 4th Edition 27
Identify Possible Controls • For each threat and associated vulnerabilities that accept residuum run a risk, create preliminary list of control ideas • Residual risk is take chances that remains to information asset even after existing control has been applied • There are three full general categories of controls: – Policies – Programs – Technologies Principles of Information Security, Fourth Edition 28
Documenting the Results of Take a chance Cess • Terminal summary comprised in ranked vulnerability take a chance worksheet • Worksheet details asset, asset impact, vulnerability likelihood, and risk-rating factor • Ranked vulnerability hazard worksheet is initial working certificate for side by side footstep in risk management procedure: assessing and controlling take a chance Principles of Data Security, Quaternary Edition 29
Table four -ix Ranked Vulnerability Risk Worksheet Principles of Information Security, Quaternary Edition xxx
Deliverable Purpose Information asset classification worksheet Assembles information virtually data avails and their impact Weighted criteria analysis worksheet Assigns ranked value or impact weight to each data asset Ranked vulnerability risk worksheet Assigns ranked value of hazard rating for each uncontrolled asset-vulnerability pair Table four -10 Risk Identification and Assessment Deliverables Principles of Information Security, Fourth Edition 31
Take a chance Control Strategies • Once ranked vulnerability chance worksheet consummate, must cull i of five strategies to control each run a risk: – – – Defend Transfer Mitigate Accept Finish Principles of Information Security, Fourth Edition 32
Defend • Attempts to foreclose exploitation of the vulnerability • Preferred approach • Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards • Three common methods of run a risk avoidance: – Application of policy – Grooming and instruction – Applying technology Principles of Information Security, Quaternary Edition 33
Transfer • Control approach that attempts to shift risk to other assets, processes, or organizations • If lacking, organisation should hire individuals/firms that provide security management and administration expertise • Organization may so transfer take a chance associated with management of complex systems to another organization experienced in dealing with those risks Principles of Information Security, Fourth Edition 34
Mitigate • Attempts to reduce impact of vulnerability exploitation through planning and preparation • Approach includes iii types of plans – Incident response plan (IRP): ascertain the actions to take while incident is in progress – Disaster recovery plan (DRP): most common mitigation procedure – Business continuity plan (BCP): encompasses continuation of business activities if catastrophic issue occurs Principles of Data Security, Fourth Edition 35
Accept • Doing nothing to protect a vulnerability and accepting the outcome of its exploitation • Valid only when the detail function, service, information, or asset does non justify cost of protection Principles of Information Security, Fourth Edition 36
Stop • Directs the arrangement to avoid those concern activities that introduce uncontrollable risks • May seek an alternate machinery to come across customer needs Principles of Data Security, Quaternary Edition 37
Selecting a Take a chance Control Strategy • Level of threat and value of asset play major role in selection of strategy • Rules of thumb on strategy selection can exist applied: – – When a vulnerability exists When a vulnerability tin can exist exploited When attacker's price is less than potential gain When potential loss is substantial Principles of Data Security, Fourth Edition 38
Figure 4 -8 Risk Handling Decision Points Principles of Data Security, Fourth Edition 39
Feasibility Studies • Before deciding on strategy, all information about economic/noneconomic consequences of vulnerability of information asset must exist explored • A number of ways exist to determine advantage of a specific command Principles of Data Security, Fourth Edition xl
Cost Benefit Analysis (CBA) • Begun by evaluating worth of avails to be protected and the loss in value if they are compromised • The formal process to document this is chosen price do good assay or economic feasibility written report • Items that affect toll of a control or safeguard include: – – – price of development or acquisition; grooming fees; implementation cost; service costs; toll of maintenance • Benefit: value an organisation realizes using controls to prevent losses from a vulnerability Principles of Information Security, Fourth Edition 41
Cost Do good Analysis (CBA) (cont'd. ) • Nugget valuation: process of assigning financial value or worth to each information nugget • Procedure upshot is estimate of potential loss per risk • Expected loss per risk stated in the following equation: – Annualized loss expectancy (ALE) = unmarried loss expectancy (SLE) × annualized charge per unit of occurrence (ARO) – SLE = asset value × exposure factor (EF) Principles of Data Security, Fourth Edition 42
The Cost Benefit Analysis (CBA) Formula • CBA determines if alternative being evaluated is worth cost incurred to command vulnerability – CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: • CBA = ALE(prior) – ALE(post) – ACS – ALE(prior) is Annualized Loss Expectancy of risk before implementation of control – ALE(post) is estimated ALE based on command being in identify for a flow of fourth dimension – ACS is the Annualized Toll of the Safeguard Principles of Information Security, Fourth Edition 43
Evaluation, Assessment, and Maintenance of Run a risk Controls • Selection and implementation of control strategy is not end of process • Strategy and accompanying controls must be monitored/reevaluated on ongoing footing to make up one's mind effectiveness and to calculate more accurately the estimated residuum risk • Process continues every bit long every bit system continues to function Principles of Information Security, Fourth Edition 44
Principles of Data Security, Fourth Edition Figure 4 -9 Risk Control Bicycle 45
Quantitative Versus Qualitative Hazard Command Practices • Performing the previous steps using actual values or estimates is known as Quantitative Cess • Qualitative Assessment : Possible to consummate steps using evaluation procedure based on characteristics using non-numerical measures. • Scales importance : Utilizing scales rather than specific estimates relieves organization from difficulty of determining exact values Principles of Information Security, Fourth Edition 46
Benchmarking and Best Practices • An alternative approach to risk direction • Benchmarking: process of seeking out and studying practices in other organizations that one's own organization desires to indistinguishable • 1 of 2 measures typically used to compare practices: – Metrics-based measures – Procedure-based measures • In information security, ii categories of benchmarks are used: standards of due care/due diligence and best practices. • In and best practices , the Gold Practice == "the best of the all-time. " Principles of Information Security, Fourth Edition 47
Benchmarking and Best Practices (cont'd. ) • Standard of due care: when adopting levels of security for a legal defense, organisation shows it has washed what whatever prudent organisation would practice in similar circumstances • Due diligence: demonstration that organization is diligent in ensuring that implemented standards continue to provide required level of protection • Failure to support standard of due care or due diligence can get out organization open to legal liability Principles of Information Security, Fourth Edition 48
Benchmarking and Best Practices (cont'd. ) • Best business concern practices: security efforts that provide a superior level of information protection • When considering all-time practices for adoption in an system, consider: – Does organization resemble identified target with best practice? – Are resources at paw similar? – Is system in a similar threat surroundings? Principles of Information Security, Fourth Edition 49
Benchmarking and Best Practices (cont'd. ) • Problems with the application of benchmarking and best practices – Organizations don't talk to each other (biggest trouble) – No two organizations are identical – All-time practices are a moving target – Knowing what was going on in data security industry in recent years through benchmarking doesn't necessarily prepare for what'southward adjacent Principles of Information Security, Fourth Edition l
Benchmarking and Best Practices (cont'd. ) • Baselining: – Is Analysis of measures confronting established standards – In information security, baselining is comparison of security activities and events against an organization's future operation – Useful during baselining to accept a guide to the overall procedure Principles of Information Security, Fourth Edition 51
Other Feasibility Studies • Organizational: examines how well proposed IS alternatives will contribute to system'due south efficiency, effectiveness, and overall operation • Operational: examines user and direction acceptance and support, and the overall requirements of the organization's stakeholders • Technical: examines if arrangement has or tin acquire the applied science necessary to implement and support the control alternatives • Political: defines what tin can/cannot occur based on consensus and relationships Principles of Information Security, Fourth Edition 52
Risk Management Give-and-take Points • Arrangement must define level of risk it tin can live with • Risk appetite: defines quantity and nature of chance that organizations are willing to accept as merchandise-offs between perfect security and unlimited accessibility • Residue risk: hazard that has non been completely removed, shifted, or planned for Principles of Information Security, Fourth Edition 53
Figure 4 -10 Remainder risk Principles of Information Security, Quaternary Edition 54
Documenting Results • At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk • Another pick: document outcome of control strategy for each information asset-vulnerability pair as an action plan • Gamble assessment may be documented in a topicspecific report Principles of Information Security, Fourth Edition 55
Recommended Risk Command Practices • Convince budget authorities to spend upwardly to value of nugget to protect from identified threat • Terminal control choice may be balance of controls providing greatest value to equally many nugget-threat pairs every bit possible • Organizations looking to implement controls that don't involve such circuitous, inexact, and dynamic calculations Principles of Information Security, Fourth Edition 56
Summary • Risk identification: formal procedure of examining and documenting risk in information systems • Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components of an information arrangement • Risk identification – A risk management strategy enables identification, classification, and prioritization of organization's information assets – Residual run a risk: take a chance remaining to the information asset even afterward the existing control is practical Principles of Data Security, 4th Edition 57
Summary (continued) • Run a risk control: five strategies are used to command risks that result from vulnerabilities: – – – Defend Transfer Mitigate Accept Terminate Principles of Information Security, Fourth Edition 58
Summary (continued) • Selecting a risk control strategy – Cost Benefit Analysis – Feasibility Written report • Qualitative versus Quantitative Risk Command – Best Practices and Benchmarks – Organizational Feasibility, Operational Feasibility, Technical Feasibility, and Political Feasibility • Risk Appetite: organizational risk tolerance • Residual risk: risk remaining after awarding of risk controls Principles of Information Security, Fourth Edition 59
Source: https://slidetodoc.com/principles-of-information-security-fourth-edition-chapter-4/
0 Response to "Principles of Information Security Sixth Edition Chapter 4 Review Questions"
Post a Comment