Risk Management Part 2 :Risk Assessment & Control
Risk Control Strategies
Once the ranked vulnerability risk worksheet is complete, one of four strategies must be chosen to control each risk:
1.Apply Safeguards (Avoidance)
"Prevention is better than cure"
Preferred approach: counter the threat, remove the vulnerability from the asset (or remove the asset), limit access to the asset, and add protective safeguards
Three common methods of risk avoidance:
1.Application of policy
2.Training and education
3.Applying Technology
2.Transfer the risk (Transference)
Shift the risk to other assets, processes, or organizations
The organization may hire individuals or firms that provide security management and administration expertise
The risk associated with managing complex systems may be transferred to another organization experienced in dealing with those risks (e.g. an outsourcing or hosting provider, or insurance against the loss)
3.Reduce Impact (Mitigation)
Reduce the impact of a vulnerability's exploitation through planning and preparation
The approach includes three types of plans:
Disaster Recovery Plan (DRP)
Business Continuity Plan (BCP)
Incident Response Plan (IRP)
DRP is the most common mitigation procedure; it is used to recover from a disaster and limit the losses
IRP lists the actions to take while an incident or attack is in progress
BCP contains the steps that ensure continuation of business activities if a catastrophic event occurs
4.Understand consequences and accept risk (Acceptance)
Do nothing to protect a vulnerability and accept the outcome of its exploitation
Valid only when the particular function, service, information, or asset does not justify the cost of protection
Risk appetite
describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls
Selecting a Risk Control Strategy
Depends on the level of threat and the value of the asset
Rules of thumb on strategy selection can be applied:
1. When a vulnerability exists: implement controls to reduce the likelihood of its being exploited
2. When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the exploit
3. When the attacker's cost is less than the potential gain: apply protections that increase the attacker's cost (e.g. technical controls that raise the effort needed to exploit the vulnerability)
4. When the potential loss is substantial: apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack and reduce the potential loss
Cost Benefit Analysis (CBA)
The most common approach for deciding on information security controls is to evaluate the economic feasibility of their implementation
A CBA begins by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised
The formal process that documents this is called a cost-benefit analysis (CBA) or economic feasibility study
Cost
of a control or safeguard includes: cost of development or acquisition; training fees; implementation cost; service costs; cost of maintenance
Benefit
is the value an organization realizes by using controls to prevent losses associated with a vulnerability
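The following is an added worked example (not part of the original notes) that carries the cost and benefit definitions above through to a decision, and also applies the acceptance rule from the strategy section (accept only when the asset does not justify the cost of protection). It assumes the standard annualized-loss-expectancy formulation, which the notes do not spell out: SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence, CBA = ALE(before) - ALE(after) - annualized cost of the safeguard. The `choose_strategy` decision rule and all figures are constructed for illustration.

```python
"""Cost-benefit analysis (CBA) of a candidate security control.

Added example; not from the original notes. ALE-based formulation and the
strategy decision rule are assumptions; all numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Loss exposure of one asset to one vulnerability."""
    asset_value: float       # worth of the asset to the organization
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents / year)

    def sle(self) -> float:
        """Single loss expectancy: loss in value when the asset is compromised once."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this vulnerability."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class ControlCost:
    """Cost components of a safeguard, as listed in the notes."""
    acquisition: float         # development or acquisition cost (one-time)
    training: float            # training fees (one-time)
    implementation: float      # implementation cost (one-time)
    annual_service: float      # service costs (per year)
    annual_maintenance: float  # maintenance cost (per year)
    lifetime_years: int        # period over which one-time costs are spread

    def annualized(self) -> float:
        """Annualized cost of safeguard (ACS): one-time costs spread over the lifetime plus recurring costs."""
        one_time = self.acquisition + self.training + self.implementation
        return one_time / self.lifetime_years + self.annual_service + self.annual_maintenance


def benefit(before: RiskScenario, after: RiskScenario) -> float:
    """Value realized by the control: reduction in expected annual loss."""
    return before.ale() - after.ale()


def cba(before: RiskScenario, after: RiskScenario, cost: ControlCost) -> float:
    """CBA = benefit - annualized cost; positive means the control pays for itself."""
    return benefit(before, after) - cost.annualized()


def choose_strategy(before: RiskScenario, after: RiskScenario,
                    cost: ControlCost, risk_appetite: float) -> str:
    """Simplified (assumed) decision rule combining CBA with risk appetite.

    - control is cost-justified            -> apply safeguard
    - not justified, loss within appetite  -> accept the risk
    - not justified, loss beyond appetite  -> revisit: find a cheaper control
                                              or transfer the risk
    """
    if cba(before, after, cost) > 0:
        return "apply safeguard"
    if before.ale() <= risk_appetite:
        return "accept"
    return "revisit: cheaper control or transfer"


# Constructed scenario 1: a high-value server exposed to a vulnerability
# that the candidate control makes ten times less likely to be exploited.
SERVER_BEFORE = RiskScenario(asset_value=500_000, exposure_factor=0.4, aro=0.5)
SERVER_AFTER = RiskScenario(asset_value=500_000, exposure_factor=0.4, aro=0.05)
SERVER_CONTROL = ControlCost(acquisition=60_000, training=5_000, implementation=15_000,
                             annual_service=5_000, annual_maintenance=10_000,
                             lifetime_years=4)

# Constructed scenario 2: a low-value asset where the same kind of control
# costs more per year than the loss it prevents.
KIOSK_BEFORE = RiskScenario(asset_value=20_000, exposure_factor=0.5, aro=0.2)
KIOSK_AFTER = RiskScenario(asset_value=20_000, exposure_factor=0.5, aro=0.02)
KIOSK_CONTROL = ControlCost(acquisition=20_000, training=1_000, implementation=3_000,
                            annual_service=1_000, annual_maintenance=1_000,
                            lifetime_years=4)

RISK_APPETITE = 5_000  # assumed: annual loss the organization will tolerate


if __name__ == "__main__":
    for name, b, a, c in (("server", SERVER_BEFORE, SERVER_AFTER, SERVER_CONTROL),
                          ("kiosk", KIOSK_BEFORE, KIOSK_AFTER, KIOSK_CONTROL)):
        print(f"{name}: ALE before={b.ale():,.0f} after={a.ale():,.0f} "
              f"ACS={c.annualized():,.0f} CBA={cba(b, a, c):,.0f} "
              f"-> {choose_strategy(b, a, c, RISK_APPETITE)}")
```

Note that the ALE for the "after" scenario is not zero: a control reduces likelihood or impact, and the residual loss is what the organization still accepts. Spreading one-time costs over the control's lifetime matters too; comparing a one-time purchase price against an annual loss figure is a common mistake that makes controls look far more expensive than they are.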
Benchmarking and Best Practices
An alternative approach to risk management
Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization can duplicate
One of two types of measures is typically used to compare practices:
1.Metrics-based measures
2. Process-based measures
Best business practices
Security efforts that provide a superior level of information protection
When considering a best practice for adoption in an organization, consider:
Does the organization resemble the target organization that uses the best practice?
Are resources at hand similar?
Is the organization in a similar threat environment?