What is the process of assigning financial value or worth to each information asset?

Asset valuation is the process of assigning financial value or worth to each information asset; there are many components to asset valuation.

Once the value of the assets is estimated, the potential loss from exploitation of a vulnerability is studied. The result of this process is an estimate of the potential loss per risk. The expected loss per risk is stated in the following equation:

    Annualized loss expectancy (ALE) = Single loss expectancy (SLE) * Annualized rate of occurrence (ARO)

SLE is equal to asset value (AV) times exposure factor (EF), the fraction of the asset's value lost in a single incident:

    SLE = AV * EF

The cost benefit analysis (CBA) formula

CBA determines whether the alternative being evaluated is worth the cost incurred to control the vulnerability. CBA is most easily calculated using the ALE from earlier assessments, made before implementation of the proposed control:

    CBA = ALE(prior) - ALE(post) - ACS

ALE(prior) is the annualized loss expectancy of the risk before implementation of the control. ALE(post) is the estimated ALE based on the control being in place for a period of time. ACS is the annualized cost of the safeguard. A positive CBA means the safeguard avoids more annual loss than it costs; a negative CBA means the control costs more per year than the loss it prevents.

Evaluation, Assessment and Maintenance of Risk Controls

Selection and implementation of a control strategy is not the end of the process. The strategy and its accompanying controls must be monitored and re-evaluated on an ongoing basis to determine their effectiveness and to calculate the estimated residual risk more accurately. The process continues as long as the organization continues to function.

Quantitative vs. Qualitative Risk Control Practices

Performing the previous steps using actual values or estimates is known as quantitative assessment. It is also possible to complete the steps using an evaluation process based on characteristics, using non-numerical measures; this is called qualitative assessment.


Chapter 05 Risk Management

TRUE/FALSE

1. The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.

(A) True

(B) False

Answer : (A)

2. Risk control is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

(A) True

(B) False

Answer : (A)

3. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.

(A) True

(B) False

Answer : (B)

4. Knowing yourself means identifying, examining, and understanding the threats facing the organization.

(A) True

(B) False

Answer : (B)

5. In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.

(A) True

(B) False

Answer : (A)

___________ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.

__________ include information and the systems that use, store, and transmit information.

Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ____________________ classification.

A(n) ____________________ policy requires that employees secure all information in appropriate storage containers at the end of each day.

_______________ is the process of assigning financial value or worth to each information asset.

You can determine the relative risk for each of the organization's information assets by a process called risk __________.

____________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.

The combination of an asset's value and the percentage of the asset that might be lost in an attack is known as the loss _____________.

The ____________________ control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.

The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

Of the three types of mitigation plans, the ____________________ plan is the most strategic and long term, as it focuses on the steps to ensure the continuation of the organization.

Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.

A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.

_______________ is the process of comparing other organizations’ activities against the practices used in one’s own organization to produce results it would like to duplicate.

The difference between an organization's observed and desired performance is often referred to as a _______________.

Risk _______ is a determination of the extent to which an organization's information assets are exposed to risk.

Risk ________ is the enumeration and documentation of risks.

Risk ______ defines the quantity and nature of risk that organizations are willing to accept.

________ risk is the amount of risk remaining after controls are applied.

__________ is an evaluation of the threats to information assets.

If your industry is typically targeted by hackers three times a year, the likelihood would be _______ percent.

Creating a(n) ______ of information assets is a critical step in understanding what the organization is protecting.

A(n) ________ analysis is an economic feasibility study.

The _____ control attempts to shift residual risk.

The ______ control is the decision to do nothing about residual risk.

One of the first components of risk identification is the identification, inventory, and categorization of assets, including all elements, or attributes, of an organization's information system. List and describe these asset attributes.

1. People comprise employees and nonemployees. 2. Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures. 3. Data components account for the management of information in all its states: transmission, processing, and storage. 4. Software components are assigned to one of three categories: applications, operating systems, or security components. 5. Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. 6. Networking components are treated separately from other hardware and are divided into intranet components and Internet or DMZ components.

When valuing information assets, what criteria could be considered in establishing or determining the value of the assets?

Which information asset is most critical to the organization's success? Which information asset generates the most revenue? Which of these assets plays the biggest role in generating revenue or delivering services? Which information asset would be the most expensive to replace? Which information asset would be the most expensive to protect? Which information asset would most expose the company to liability or embarrassment if revealed?

Calculate the risk given the following: the asset is thought to have a 20% chance of attack each year; the attack has a 25% chance of success; the asset is valued at 60; the expected percentage of loss is 40%; your assumptions are 80% accurate.

Likelihood = 20% * 25% = 0.05. Impact = 60 * 40% = 24. Base risk = 0.05 * 24 = 1.2. The assumptions are only 80% accurate, so a 20% uncertainty allowance is added to the base risk: 1.2 * (1 + 0.20) = 1.44. Written in the text's notation this is (20% * 25%) * (60 * 40%) + 20% = 1.44, where the "+ 20%" means 20% of the 1.2 product (0.24), not 0.2 added to it.

What are the five strategies for controlling risk?

The five strategies for controlling risk are: 1. The Defend Control Strategy 2. The Transfer Control Strategy 3. The Mitigate Control Strategy 4. The Accept Control Strategy 5. The Terminate Control Strategy

Calculate the: a) single loss expectancy, b) annualized rate of occurrence, and c) annualized loss expectancy of an asset given the following: the web site has an estimated value of $2 million; hacker defacement indicates damage of 20% of the web site; you should expect an attack every 6 months.

a) SLE = $2 million * 20% = $400,000. b) One attack every 6 months is 2 attacks per year, so ARO = 2 (ARO is a count of occurrences per year, not a percentage, so "200%" is not the right way to state it). c) ALE = SLE * ARO = $400,000 * 2 = $800,000.
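The ALE and CBA formulas from the notes at the top of the page and the two calculation exercises (the risk rating with an uncertainty allowance, and SLE, ARO and ALE for the defacement case) carried through in working code. This is an added example, not code from the page or from the textbook it summarizes; the asset list used for ranking, the hypothetical control that cuts the defacement ARO to 0.5 per year, and that control's $50,000 annual cost are constructed assumptions for illustration only.

```python
"""Quantitative risk worksheet: SLE, ARO, ALE, CBA and the chapter's risk rating.

Added example. The assets, the candidate control and its cost are constructed
for illustration; only the formulas and the two page exercises come from the page.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. exposure_factor is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(incidents: float, years: float) -> float:
    """ARO is occurrences per year, a count rather than a percentage:
    one attack every six months is ARO = 2, not 200%."""
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.
    Positive: the safeguard avoids more annual loss than it costs.
    Negative: the safeguard costs more per year than the loss it prevents."""
    return ale_prior - ale_post - acs


def risk_rating(value: float, likelihood: float,
                controlled_fraction: float = 0.0,
                uncertainty_fraction: float = 0.0) -> float:
    """Chapter rating: (likelihood * value) minus the share of that product
    already controlled, plus an uncertainty allowance. Both adjustments are
    fractions OF THE PRODUCT, which is why "+20%" on 1.2 gives 1.44, not 1.4."""
    base = likelihood * value
    return base - base * controlled_fraction + base * uncertainty_fraction


@dataclass
class Asset:
    """One row of a constructed risk worksheet (values are illustrative)."""
    name: str
    value: float
    likelihood: float
    controlled_fraction: float = 0.0


def rank_by_risk(assets, uncertainty_fraction):
    """Return (name, rating) pairs, highest risk first: the order in which
    the control strategy should be applied."""
    rated = [(a.name, risk_rating(a.value, a.likelihood,
                                  a.controlled_fraction, uncertainty_fraction))
             for a in assets]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def website_defacement_case():
    """The page's defacement exercise, then a hypothetical control judged by CBA.
    The control figures (ARO reduced to 0.5 per year, $50,000 per year to run)
    are assumptions for illustration, not values from the page."""
    sle = single_loss_expectancy(2_000_000, 0.20)       # $400,000
    aro = annualized_rate_of_occurrence(1, 0.5)          # 1 per 6 months = 2 per year
    ale_prior = annualized_loss_expectancy(sle, aro)     # $800,000
    ale_post = annualized_loss_expectancy(sle, 0.5)      # assumed ARO with the control
    return {
        "sle": sle,
        "aro": aro,
        "ale_prior": ale_prior,
        "ale_post": ale_post,
        "cba": cost_benefit(ale_prior, ale_post, acs=50_000),
    }


if __name__ == "__main__":
    # Exercise 1 from the page: likelihood 0.2 * 0.25, impact 60 * 0.40, 80% accurate.
    print("exercise risk rating:", risk_rating(60 * 0.40, 0.20 * 0.25, 0.0, 0.20))
    print("defacement case:", website_defacement_case())
    worksheet = [Asset("customer DB", 50, 1.0),
                 Asset("web server", 100, 0.5, controlled_fraction=0.5),
                 Asset("build host", 100, 0.1)]
    for name, rating in rank_by_risk(worksheet, uncertainty_fraction=0.20):
        print(f"{name:12s} {rating:6.2f}")
```

A practitioner's check worth keeping in mind when using the rating: `controlled_fraction` and `uncertainty_fraction` are applied to the likelihood-times-value product, so an asset with no current controls and 80%-accurate data is rated 20% higher than its raw product, and halving the ARO through a control shows up in CBA only after the control's own annual cost is subtracted.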

What is the process of identifying and controlling the risks to an organization's information assets?

What is Information Security Risk Management? Information security risk management, or ISRM, is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization's assets.

Which of the following assigns a risk rating or score to each information asset?

Risk assessment is the process of assigning a risk rating or score to each information asset; risk mitigation is one of the control strategies, not a rating step. The most common example of a mitigation procedure is a contingency plan.

What is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets?

Risk management. Within risk management, risk determination assesses threats and vulnerabilities to consider the likelihood that known threat sources will be able to exploit identified vulnerabilities to cause one or more adverse events, and the consequences if such events occur.

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

Risk appetite is the level of risk that an organization is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.