Asset Valuation
- Asset valuation is the process of assigning financial value or worth to each information asset; there are many components to asset valuation.
- Once the value of assets is estimated, the potential loss from exploitation of a vulnerability is studied.
- The result of this process is an estimate of potential loss per risk.
- Expected loss per risk is stated in the following equation:
  o Annualized loss expectancy (ALE) = Single loss expectancy (SLE) * Annualized rate of occurrence (ARO)
- SLE is equal to asset value times exposure factor (EF).

The Cost Benefit Analysis (CBA) Formula
- CBA determines if the alternative being evaluated is worth the cost incurred to control the vulnerability.
- CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control:
  o CBA = ALE(prior) - ALE(post) - ACS
- ALE(prior) is the annualized loss expectancy of the risk before implementation of the control.
- ALE(post) is the estimated ALE based on the control being in place for a period of time.
- ACS is the annualized cost of the safeguard.

Evaluation, Assessment and Maintenance of Risk Controls
- Selection and implementation of a control strategy is not the end of the process.
- The strategy and accompanying controls must be monitored and re-evaluated on an ongoing basis to determine effectiveness and to calculate more accurately the estimated residual risk.
- The process continues as long as the organization continues to function.

Quantitative vs. Qualitative Risk Control Practices
- Performing the previous steps using actual values or estimates is known as quantitative assessment.
- It is also possible to complete the steps using an evaluation process based on characteristics using non-numerical measures; this is called qualitative assessment.
Chapter 05 Risk Management
TRUE/FALSE
1. The upper management of an organization must structure the IT and information security
functions to defend the organization's information assets.
(A) True
(B) False
Answer : (A)
2. Risk control is the application of controls that reduce the risks to an organization's
information assets to an acceptable level.
(A) True
(B) False
Answer : (A)
3. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to
be successful in an engagement.
(A) True
(B) False
Answer : (B)
4. Knowing yourself means identifying, examining, and understanding the threats facing the
organization.
(A) True
(B) False
Answer : (B)
5. In addition to their other responsibilities, the three communities of interest are responsible for
determining which control options are cost effective for the organization.
(A) True
(B) False
Answer : (A)
___________ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
__________ include information and the systems that use, store, and transmit information.
Using the simplified information classification scheme outlined in the text, all information that has been approved by management for public release has a(n) ____________________ classification.
A(n) ____________________ policy requires that employees secure all information in appropriate storage containers at the end of each day.
_______________ is the process of assigning financial value or worth to each information asset.
You can determine the relative risk for each of the organization's information assets by a process called risk __________.
____________ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.
The combination of an asset’s value and the percentage of the asset that might be lost in an attack is known as the loss _____________.
The ____________________ control strategy is the risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
The ____________________ control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
Of the three types of mitigation plans, the ____________________ plan is the most strategic and long term, as it focuses on the steps to ensure the continuation of the organization.
Cost ____________________ is the process of preventing the financial impact of an incident by implementing a control.
A single loss ____________________ is the calculation of the value associated with the most likely loss from an attack.
_______________ is the process of comparing other organizations’ activities against the practices used in one’s own organization to produce results it would like to duplicate.
The difference between an organization’s observed and desired performance is often referred to as a _______________.
Risk _______ is a determination of the extent to which an organization's information assets are exposed to risk.
Risk ________ is the enumeration and documentation of risks.
Risk ______ defines the quantity and nature of risk that organizations are willing to accept.
________ risk is the amount of risk remaining after controls are applied.
__________ is an evaluation of the threats to information assets.
If your industry were typically targeted by hackers three times a year, the likelihood would be _______ percent.
Creating a(n) ______ of information assets is a critical step in understanding what the organization is protecting.
A(n) ________ analysis is an economic feasibility study.
The _____ control attempts to shift residual risk.
The ______ control is the decision to do nothing about residual risk.
One of the first components of risk identification is the identification, inventory, and categorization of assets, including all elements, or attributes, of an organization’s information system. List and describe these asset attributes.
1. People comprise employees and nonemployees. 2. Procedures fall into two categories: IT and business standard procedures, and IT and business sensitive procedures. 3. Data components account for the management of information in all its states: transmission, processing, and storage. 4. Software components are assigned to one of three categories: applications, operating systems, or security components. 5. Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. 6. Networking components are treated as their own category of hardware, so hardware components are separated into devices and peripherals on the one hand, and networks on the other.
When valuing information assets, what criteria could be considered in establishing or determining the value of the assets?
Which information asset is most critical to the organization’s success? Which information asset generates the most revenue? Which of these assets plays the biggest role in generating revenue or delivering services? Which information asset would be the most expensive to replace? Which information asset would be the most expensive to protect? Which information asset would most expose the company to liability or embarrassment if revealed?
Calculate the risk given the following: the asset is thought to have a 20% chance of attack each year; the attack has a 25% chance of success; the asset is valued at 60; the expected percentage of loss is 40%; your assumptions are 80% accurate.
Likelihood = 20% * 25% = 0.05; impact = 60 * 40% = 24; risk before uncertainty = 0.05 * 24 = 1.2. Because the assumptions are only 80% accurate, add a 20% uncertainty factor to that result: 1.2 + (20% * 1.2) = 1.2 * 1.2 = 1.44.
What are the five strategies for controlling risk?
The five strategies for controlling risk are: 1. The Defend Control Strategy 2. The Transfer Control Strategy 3. The Mitigate Control Strategy 4. The Accept Control Strategy 5. The Terminate Control Strategy
Calculate the a) single loss expectancy, b) annualized rate of occurrence, and c) annualized loss expectancy of an asset given the following: the web site has an estimated value of $2 million; hacker defacement indicates damage of 20% of the web site; you should expect an attack every 6 months.
a) SLE = $2 million * 20% = $400,000 b) ARO = 12 months / 6 months = 2 attacks per year (2 * 100 = 200%) c) ALE = SLE * ARO = $400,000 * 2 = $800,000
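The SLE/ARO/ALE and CBA formulas from the chapter notes, and the two worked problems above, can be carried out by one small calculator. The following is an added example written for this study guide, not code from the textbook; the safeguard names, costs, and post-control exposure factors it feeds in (a web application firewall, a monitoring service, a full rewrite) are constructed assumptions used only to show how CBA ranks candidate controls, including one whose annual cost exceeds the loss it avoids.

```python
"""Quantitative risk arithmetic from the chapter: SLE, ARO, ALE, CBA, and the
likelihood x impact risk rating with an uncertainty adjustment.
Added example for this study guide; safeguard figures are constructed."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor (EF), EF being the fraction of the asset lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(months_between_events: float) -> float:
    """ARO = expected events per year; one attack every 6 months gives 2.0 (200%)."""
    if months_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 12.0 / months_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive: the control saves more than it costs."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def risk_rating(p_attack: float, p_success: float, asset_value: float,
                loss_fraction: float, assumption_accuracy: float) -> float:
    """Risk = likelihood * impact, inflated by the uncertainty in the estimates.

    likelihood = P(attack in a year) * P(attack succeeds)
    impact     = asset value * fraction of value lost
    uncertainty = 1 - accuracy of the assumptions, added as a fraction of the result
    """
    likelihood = p_attack * p_success
    impact = asset_value * loss_fraction
    uncertainty = 1.0 - assumption_accuracy
    return likelihood * impact * (1.0 + uncertainty)


@dataclass
class Safeguard:
    """A candidate control and its expected effect on EF and attack frequency (assumed figures)."""
    name: str
    annual_cost: float            # ACS
    post_exposure_factor: float   # EF once the control is in place
    post_months_between_events: float


def evaluate_safeguards(asset_value: float, exposure_factor: float,
                        months_between_events: float, safeguards: list) -> list:
    """Return (name, CBA) pairs ranked best first; a negative CBA costs more than it avoids."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor),
        annualized_rate_of_occurrence(months_between_events))
    ranked = []
    for s in safeguards:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, s.post_exposure_factor),
            annualized_rate_of_occurrence(s.post_months_between_events))
        ranked.append((s.name, round(cost_benefit(ale_prior, ale_post, s.annual_cost), 2)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # The web-site problem from the study guide: $2M asset, 20% defacement, attack every 6 months.
    sle = single_loss_expectancy(2_000_000, 0.20)
    aro = annualized_rate_of_occurrence(6)
    print("SLE", sle, "ARO", aro, "ALE", annualized_loss_expectancy(sle, aro))
    # The likelihood/impact problem: 20% attack chance, 25% success, value 60, 40% loss, 80% accurate.
    print("risk rating", round(risk_rating(0.20, 0.25, 60, 0.40, 0.80), 2))
    # Constructed candidate controls (assumed costs and effects, not from the textbook).
    candidates = [
        Safeguard("web application firewall", 150_000, 0.05, 12),
        Safeguard("defacement monitoring", 20_000, 0.20, 9),
        Safeguard("full site rewrite", 900_000, 0.0, 12),
    ]
    for name, cba in evaluate_safeguards(2_000_000, 0.20, 6, candidates):
        print(f"{name}: CBA = {cba:,.2f}")
```

Note that the uncertainty term is applied to the computed risk (1.2 * 1.2 = 1.44), not added as a bare 0.20 to it; the ranking shows that the most effective control on paper (eliminating the exposure entirely) is rejected by CBA once its annualized cost exceeds the ALE it removes.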