Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
37 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
Define Risk Assessment (RA)
|
A process used to identify and evaluate risks
|
aka Risk Analysis
|
|
|
What are safeguards?
|
-Controls
-May reduce a vulnerability or it may reduce the impact from a threat |
|
|
|
When should an RA be completed?
|
-When evaluating risk
-When evaluating control -Periodcially after a c ontrol has been implemented |
|
|
|
Risk Assessments tend to:
|
-Support decision making
-Evaluate control effectiveness |
|
|
|
What are the steps involved in the RA?
|
-Identify threats and vulnerabilities
-Identify the likelihood that a risk will occur -Identify asset values -Determine the impact of a risk -Determine the usefulness of a safeguard or control |
|
|
|
Critical Components of a Risk Assessment
|
-Identify Scope
-Identify Critical Areas -Identify Team |
|
|
|
Identify Scope:
|
The scope identifies the boundary of the RA, eliminate scope creep, and helps keep the project on track
|
|
|
|
SPOF
|
Single Point of Failure:
-any single piece of hardware whose failure can take down the Web site |
|
|
|
Identify Team
|
RA Team personnel should not be the same people who are responsible for correcting deficiencies
-helps avoid a conflict of interest |
|
|
|
Types of Risk Assessment
|
Quantitative & Qualitative
|
|
|
|
Quantitative Type of RA
|
- uses numbers such as actual dollar values, requires a significant amount of data, does take time to gather and when data is available it becomes a math problem with the use of formulas
|
|
|
|
Single Loss Expectancy (SLE)
|
The total loss expected from a single incident
|
|
|
|
Annual Rate of Occurrence (ARO)
|
The number of times an incident is expected to occur in a year
|
|
|
|
Annual Loss Expectancy (ALE)
|
The expected loss in a year
|
|
|
|
Safeguard Value
|
This is the cost of a control
|
|
|
|
Limitations of a Quantitative RA
|
Accurate data not available and insuring that people use the control as expected
|
|
|
|
Qualitative Type of RA
|
-doesn't assign dollar values, it determines the level of risk based on the probability and impact of a risk
|
|
|
|
Define PROBABILITY in a Qualitative RA
|
-the likelihood that a threat will exploit a vulnerability
|
|
|
|
Define IMPACT in a Qualitative RA
|
-the negative result if a risk occurs
-used to identify the magnitude of a risk -identified as low, medium, or high |
|
|
|
Risk Level Formula
|
Risk Level = Probability x Impact
|
|
|
|
What are the two sections of a qualitative analysis?
|
-prioritizing the risk
-evaluating the effectiveness of controls |
|
|
|
Risk categories in prioritizing the risk
|
DoS Attack
Web defacing Loss of data from unauthorized access Loss of Web site data due to hardware failure |
|
|
|
DoS Attack
|
any denial of service or distribute of service attack that results in an outage
|
|
|
|
Web defacing
|
modification of the Web site by unauthorized parties
|
|
|
|
Loss of data from unauthorized access
|
any loss of confidentialty by an attacker accessing customer data or accessing any internal private data
|
|
|
|
Loss of Web site data due to hardware failure
|
indicates loss of any Web site data to include any data used to show the Web pages to customers or application used to retrieve and foramt the date into Web pages
|
|
|
|
RAID stands for
|
Redundant Array of Independent Disks
|
|
|
|
Benefits of a Qualitative RA
|
-uses the opinions of the experts
-is easy to complete -uses words and scales that are easy to express and understand |
|
|
|
Limitations of a Qualitative RA
|
-subjective
-based on expertise of the experts -no CBA -no real standards |
|
|
|
Subjective Limitations of a Qualitative RA
|
the analysis and results are based on opinions more than facts
|
|
|
|
Experts Limitations of a Qualitative RA
|
the value of the assessment is only as valuable as the expertise of the experts
|
|
|
|
No CBA Limitations of a Qualitative RA
|
it does not include a cost-benefit analysis
|
|
|
|
No Real Standards Limitations of a Qualitative RA
|
need to define the scales used in the process as simple as low, medium, and high
|
|
|
|
Quantitative Analysis
|
-objective
-uses numeric values such as dollar amounts -more time consuming -requires access to a significant amount of historical data -data not always easy to obtain -based on SLE, ARO, and ALE formulas shows clear losses and saving with dollar values -data can easily be used in a CBA |
|
|
|
Qualitative Analysis
|
-subjective
-based on opinions of experts -can be done quicker at a lower cost than quantitaive analysis -uses word values such as Low, Medium and High -requires a definition of scales used in the RA |
|
|
|
Challenges of a Risk Assessment
|
-using a static process to evalutate a moving target
-availability of data and resoources -data consistency -estimating impact effects -providing results support resource allocation and risk acceptance |
|
|
|
Best Practices for Risk Management
|
-start with clear goals and a defined scope
-ensure senior managment support -build a strong RA team -repeat the RA regularly -define a methodology to use -provide a report of clear risks and clear recommendations |
|
