- Qualitative
- The financial officer’s estimate that password scanning attacks are highly probable.
- The IT manager’s opinion on what impact a flood would have on the server room.
- Quantitative
- The cost to the company for being offline for one day / it’s servers being offline for one day.
- The expected, total number of DDoS attacks per year
Category: Security & Privacy
Importance of Risk Management
Risk Management is important, because it:
- enables identification and protection of all critical assets
- helps ensure legal compliance
Risk assessment process
- Threat identification is the review of technical and technical events that may damage a system
- System characterization is the review of system and data criticality and sensitivity
- Control analysis is the review of current and planned countermeasures against security requirements checklists.
- Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.
Spanning-Tree Analysis
Maps all possible threats to an information system according to general risk categories.
SOMAP
Security Officers Management and Analysis Project. A Swiss non-profit organization.
Value at Risk (VAR)
The Value at Risk (VAR) framework knows four stages:
- Identify threats
- Estimate likelyhood
- Estimate VAR
- Mitigate risk
P.U.S.H.
The four phases of PUSH are:
- Preparation
Defining audience and purpose of risk assessment. - Universe definition
identifying and characterizing most critical assets, risks and controls. - Scoring
choosing consistent scales to rate importance of assets, impact of risk and the effectiveness of controls. - Hitting the mark
ensure risk assesment fulfils the purpose set out in the planning phase.
Risk Assessment Methodolgies
- OCTAVE is a self-directed, interdisciplinary team, focusing on operational risk and security practices, performing risk analysis.
- FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
- NIST is a qualitative risk assessment methodology established with healthcare in mind.
- “Failure modes and effect analysis” assess risk by examining the effects of failures on three levels.
- CRAMM is an IT risk analysis method used in the British Government.
Methodological Frameworks
- ISO 27000 is a series of of standards to manage information security
- ITIL is comprised of a series of books aiming to improve IT service management and IT processes
- COSO is a framework for financial reporting and disclosure
- COBIT is a four domain model for IT governance and has 214 control objectives
Baselines, Procedures, Guidelines & Policies
- Baselines define a minimum technical standard that should be maintained across the organization
- Procedures are step-by-step instruction on how to comply with security requirements.
- Guidelines give discretionary guidance on how to comply with security requirements best.
- Policies define security requirements broadly.