- The financial officer’s estimate that password scanning attacks are highly probable.
- The IT manager’s opinion on what impact a flood would have on the server room.
- The cost to the company of being offline for one day / of its servers being offline for one day.
- The expected, total number of DDoS attacks per year
Risk Management is important, because it:
- enables identification and protection of all critical assets
- helps ensure legal compliance
- Threat identification is the review of technical and non-technical events that may damage a system
- System characterization is the review of system and data criticality and sensitivity
- Control analysis is the review of current and planned countermeasures against security requirements checklists.
- Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.
Maps all possible threats to an information system according to general risk categories.
Security Officers Management and Analysis Project (SOMAP): a Swiss non-profit organization.
The Value at Risk (VAR) framework has four stages:
- Identify threats
- Estimate likelihood
- Estimate VAR
- Mitigate risk
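As an added illustration of the four VAR stages (this is not code from the original notes or from any VAR publication), the following Python walks a constructed threat register through the stages: the threats and likelihoods are identified and estimated as inputs, the annual loss distribution is enumerated under an assumed independence of threats, the 95% VAR is read off that distribution, and candidate controls are ranked by how much VAR they remove per unit of cost. All figures, threat names and control names are hypothetical.

```python
from itertools import product

# Constructed sample threat register (illustrative figures, not from the notes):
# annual probability of occurrence and loss per occurrence, in currency units.
THREATS = {
    "password scanning": {"likelihood": 0.60, "impact": 20_000},
    "server-room flood": {"likelihood": 0.02, "impact": 500_000},
    "ddos outage": {"likelihood": 0.30, "impact": 80_000},
    "ransomware": {"likelihood": 0.10, "impact": 250_000},
}

# Constructed candidate controls (hypothetical): each overrides one field of
# one threat and carries an annual cost.
CONTROLS = {
    "mfa and lockout": {"threat": "password scanning", "field": "likelihood", "value": 0.10, "cost": 5_000},
    "ddos scrubbing": {"threat": "ddos outage", "field": "impact", "value": 10_000, "cost": 15_000},
    "offline backups": {"threat": "ransomware", "field": "impact", "value": 50_000, "cost": 8_000},
}


def loss_distribution(threats):
    """Stages 1-2: enumerate every yes/no combination of the identified threats
    occurring within a year (assumes independence) -> {total_loss: probability}."""
    names = list(threats)
    dist = {}
    for outcome in product((False, True), repeat=len(names)):
        prob, loss = 1.0, 0
        for name, occurred in zip(names, outcome):
            t = threats[name]
            prob *= t["likelihood"] if occurred else 1.0 - t["likelihood"]
            loss += t["impact"] if occurred else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def expected_annual_loss(threats):
    """Mean of the loss distribution (the familiar ALE: sum of p_i * L_i)."""
    return sum(t["likelihood"] * t["impact"] for t in threats.values())


def value_at_risk(threats, confidence=0.95):
    """Stage 3: the smallest annual loss that is not exceeded with probability
    >= confidence, read off the cumulative loss distribution."""
    dist = loss_distribution(threats)
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-9:
            return loss
    return max(dist)  # only reached if the probabilities do not sum to 1


def apply_control(threats, control):
    """Return a copy of the register with one control's effect applied."""
    patched = {name: dict(t) for name, t in threats.items()}
    patched[control["threat"]][control["field"]] = control["value"]
    return patched


def rank_controls(threats, controls, confidence=0.95):
    """Stage 4: rank controls by VAR reduction per unit of annual cost."""
    baseline = value_at_risk(threats, confidence)
    ranking = []
    for name, ctl in controls.items():
        reduced = value_at_risk(apply_control(threats, ctl), confidence)
        ranking.append((name, baseline - reduced, (baseline - reduced) / ctl["cost"]))
    return sorted(ranking, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print("expected annual loss:", expected_annual_loss(THREATS))
    print("95% VAR:", value_at_risk(THREATS))
    for name, reduction, ratio in rank_controls(THREATS, CONTROLS):
        print(f"{name:16} VAR reduction {reduction:>8} per cost unit {ratio:.2f}")
```

With these constructed figures the expected annual loss is 71,000 but the 95% VAR is 270,000, and only the backup control lowers the VAR: the MFA control pays for itself in expected-loss terms yet leaves the tail untouched, which is exactly the distinction a VAR-style assessment is meant to surface. The independence assumption and the brute-force enumeration (2^n outcomes) are deliberate simplifications for a small register.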
The four phases of PUSH are:
- Planning: defining the audience and purpose of the risk assessment.
- Universe definition: identifying and characterizing the most critical assets, risks and controls.
- Scaling: choosing consistent scales to rate the importance of assets, the impact of risks and the effectiveness of controls.
- Hitting the mark: ensuring the risk assessment fulfils the purpose set out in the planning phase.
- OCTAVE is a risk analysis method in which a self-directed, interdisciplinary team focuses on operational risk and security practices.
- FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
- NIST is a qualitative risk assessment methodology established with healthcare in mind.
- “Failure modes and effects analysis” (FMEA) assesses risk by examining the effects of failures on three levels.
- CRAMM is an IT risk analysis method used by the British Government.
- ISO 27000 is a series of standards for managing information security
- ITIL comprises a series of books aiming to improve IT service management and IT processes
- COSO is a framework for financial reporting and disclosure
- COBIT is a four domain model for IT governance and has 214 control objectives
- Baselines define a minimum technical standard that should be maintained across the organization
- Procedures are step-by-step instructions on how to comply with security requirements.
- Guidelines give discretionary guidance on how best to comply with security requirements.
- Policies define security requirements broadly.