9 Cards in this Set
Step One
|
System characterization - set the scope of the assessment by defining the boundaries of the IT system and capturing the resources and information that make up the system. Determine the criticality and sensitivity of the system and its data at this stage.
|
|
Step Two
|
Threat identification - review the history of attacks on the system, then create a threat statement listing the potential threat sources associated with the IT system under review.
|
|
Step Three
|
Vulnerability identification - focus on flaws or weaknesses in system security procedures, design, implementation, or internal controls that could result in a security breach or a violation of the system's security policy. Gather information from previous risk assessments and audits and from software that tests for system vulnerabilities. Compile a list of potential vulnerabilities describing where each one is located and whether its severity is high, medium, or low.
|
|
Step Four
|
Control analysis- analyze existing and planned controls against system vulnerabilities. Review technical, managerial, and operational controls in terms of their ability either to prevent or detect violations of security policy.
|
|
Step Five
|
Likelihood determination - consider how capable the threat source is of carrying out the threat and how motivated it is to do so. Also consider the nature of the vulnerability and how effective the current controls are against the threat that would exploit it.
|
|
Step Six
|
Impact analysis - assess the adverse impact of a successful exploit in terms of a loss of integrity, availability, or confidentiality of the system or the system's data.
|
|
Step Seven
|
Risk determination - the level of risk to the system is determined from the likelihood of attack, the impact a violation would have, and the adequacy of current or planned controls.
|
|
Step Eight
|
Control recommendations - the controls you recommend at this stage of the risk assessment process should aim to reduce risks to acceptable levels and should be appropriate to the organization's operations. Consider the effectiveness and compatibility of the options, their operational impact, their safety and reliability, and their compliance with organizational policy, regulations, and legislation.
|
|
Step Nine
|
Results documentation - consolidate the results of the risk assessment in an official report or briefing. This document helps management make informed decisions on security policy, budgeting, and other security-related issues.
|
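The following is an added worked example, not part of the flashcard set, that carries steps four through seven into the prioritized register step nine reports on. The scoring scale (likelihood weights 0.1/0.5/1.0, impact weights 10/50/100, risk = likelihood x impact, with Low 1-10, Medium >10-50 and High >50-100) is the example risk-level matrix from NIST SP 800-30 (2002); the cards do not name that standard, so treat the scale as an assumption. The way control effectiveness lowers likelihood, the Finding fields, and the sample findings with their V-n identifiers are constructed for illustration.

```python
# Added worked example (not part of the flashcard set): steps four to seven,
# carried through to the prioritized register that step nine reports.
# Scoring values follow the example risk-level matrix in NIST SP 800-30 (2002);
# the cards do not name that standard, so the scale is an assumption here.
# The control-effectiveness adjustment, the Finding fields and the sample
# findings are constructed for illustration.
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # step five
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}         # step six
# Assumed step-four outcome: how many levels an existing control knocks off
# the raw likelihood derived from the threat source's capability and motivation.
CONTROL_REDUCTION = {"None": 0, "Partial": 1, "Effective": 2}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    description: str
    threat_source: str
    threat_rating: str          # capability and motivation of the source: Low/Medium/High
    control_effectiveness: str  # existing controls against this vulnerability: None/Partial/Effective
    impact: str                 # loss of C/I/A if exploited: Low/Medium/High


def likelihood(threat_rating: str, control_effectiveness: str) -> str:
    """Step five: combine threat capability/motivation with control effectiveness."""
    idx = LEVELS.index(threat_rating) - CONTROL_REDUCTION[control_effectiveness]
    return LEVELS[max(idx, 0)]


def risk_score(likelihood_rating: str, impact_rating: str) -> float:
    """Step seven: risk = likelihood weight x impact weight (1 to 100).

    Rounding keeps the 10 and 50 boundaries exact despite float weights."""
    return round(LIKELIHOOD_WEIGHT[likelihood_rating] * IMPACT_WEIGHT[impact_rating], 2)


def risk_level(score: float) -> str:
    """Map the numeric score onto the three-level scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(findings):
    """Return one register row per finding, highest risk first (input to step nine)."""
    rows = []
    for f in findings:
        lik = likelihood(f.threat_rating, f.control_effectiveness)
        score = risk_score(lik, f.impact)
        rows.append({
            "id": f.vuln_id,
            "description": f.description,
            "threat_source": f.threat_source,
            "likelihood": lik,
            "impact": f.impact,
            "score": score,
            "risk": risk_level(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings; identifiers and descriptions are invented.
SAMPLE_FINDINGS = [
    Finding("V-1", "Internet-facing VPN appliance missing vendor patches",
            "External attacker", "High", "None", "High"),
    Finding("V-2", "Internal HR application accepts six-character passwords",
            "Disgruntled insider", "Medium", "Partial", "Medium"),
    Finding("V-3", "File server has no tested backups",
            "Ransomware operator", "High", "Partial", "High"),
    Finding("V-4", "Verbose stack traces on a low-value intranet page",
            "Curious employee", "Low", "None", "Low"),
]


if __name__ == "__main__":
    print(f"{'ID':<5}{'Likelihood':<12}{'Impact':<8}{'Score':>6}  Risk")
    for row in assess(SAMPLE_FINDINGS):
        print(f"{row['id']:<5}{row['likelihood']:<12}{row['impact']:<8}"
              f"{row['score']:>6.0f}  {row['risk']}")
```

Running the script prints the register with V-1 (High, 100) first and V-4 (Low, 1) last. Note how V-3 drops from High to Medium purely because a partial control exists, and how V-2 ends up Low even though its impact is Medium: the matrix multiplies, so a weak likelihood dominates. That is exactly why step four has to be done honestly before step five, and why step eight's recommendations should be checked by re-running the register with the proposed controls filled in.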