CHAPTER 6: RISK MANAGEMENT ASSESSING RISK - Coggle Diagram
INTRODUCTION TO THE MANAGEMENT OF RISK IN INFORMATION SECURITY
Risk Management
The process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated
Process
Where and what is the risk (risk identification)?
How severe is the current level of risk (risk analysis)?
Is the current level of risk acceptable (risk evaluation)?
What do I need to do to bring the risk to an acceptable level (risk treatment)?
Formal methodology
The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts
Executive governance and support
Framework design
Framework implementation
Framework monitoring and review
Continuous improvement
The RM process is the implementation of risk management, as specified in the framework
RISK MANAGEMENT PROCESS
The RM process uses the specific knowledge and perspective of the team to complete the following steps:
Establishing the context
Identifying risk
Analyzing risk
Evaluating the risk
Treating the unacceptable risk
Summarizing the findings
Risk Assessment: Risk Identification
Manager must
identify the organization’s information assets,
classify them,
categorize them into useful groups, and
prioritize them by overall importance
Threat Assessment
Identifying Threats
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy
Assessing Threats
Which threats
represent an actual danger to our organization’s information?
are internal and which are external?
have the highest probability of occurrence?
have the highest probability of success?
could result in the greatest loss if successful?
is the organization least prepared to handle?
cost the most to protect against?
cost the most to recover from?
Prioritizing Threats
The organization should list the categories of threats it faces, and then select categories that correspond to the questions of interest
Vulnerability Assessment
Once the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare each information asset to the threats against it
RISK ASSESSMENT: RISK ANALYSIS
Assessing Risk
To develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list
Risk Determination
Once the likelihood and impact are known, the organization can perform risk determination using a formula that seeks to quantify certain risk elements
Formula
Risk equals likelihood of threat event (attack) occurrence multiplied by impact (or consequence), plus or minus an element of uncertainty
Risk = Likelihood × Impact ± uncertainty
Risk Evaluation
Once the risk has been identified and its relative severity against the value of the information asset has been evaluated, the organization must decide whether the current level of risk is acceptable or something must be done
If accepted by the organization, the process moves on to the monitoring and review function, where the organization keeps an eye on assets, threats, and vulnerabilities for a trigger to restart the RM process anew.
If not accepted by the organization, the RM process proceeds to risk treatment.
Risk treatment is the process of doing something about risk once the organization has identified risk, assessed it, evaluated it, and then determined that the current level of remaining risk.
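As an added worked example (not from the chapter or the Coggle diagram), the risk determination and risk evaluation steps above applied to a constructed vulnerability register: each finding is scored as Likelihood × Impact, widened by an uncertainty band, ranked, and then accepted or sent to treatment against a risk appetite. Expressing uncertainty as a fraction of the base score and the appetite value are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # information asset the weakness belongs to
    threat: str         # threat / threat agent that could exploit it
    likelihood: float   # probability of a threat event per year, 0.0 - 1.0
    impact: int         # consequence to the asset, scored 1 (low) - 100 (critical)
    uncertainty: float  # analyst's confidence gap, as a fraction of the base score (assumed)


def risk_range(v: Vulnerability) -> tuple:
    """Risk = Likelihood x Impact, plus or minus an element of uncertainty.
    Returns (low, base, high) so the uncertainty band is visible to the evaluator."""
    base = v.likelihood * v.impact
    spread = base * v.uncertainty
    return (round(base - spread, 2), round(base, 2), round(base + spread, 2))


def evaluate(vulns, appetite: float):
    """Risk evaluation: rank by base risk and decide accept vs treat.
    A finding whose upper bound exceeds the appetite is flagged for treatment,
    so uncertainty counts against the organization rather than in its favour."""
    ranked = sorted(vulns, key=lambda v: risk_range(v)[1], reverse=True)
    decisions = []
    for v in ranked:
        low, base, high = risk_range(v)
        action = "treat" if high > appetite else "accept (monitor and review)"
        decisions.append((v.asset, v.threat, low, base, high, action))
    return decisions


# Constructed sample register; values are illustrative, not from any real assessment
REGISTER = [
    Vulnerability("customer DB", "SQL injection via web app", 0.5, 80, 0.25),
    Vulnerability("HR file share", "ransomware", 0.3, 60, 0.10),
    Vulnerability("dev wiki", "credential stuffing", 0.2, 20, 0.50),
]

if __name__ == "__main__":
    # Appetite of 20 is an assumed organizational threshold
    for row in evaluate(REGISTER, appetite=20.0):
        print(row)
```

The HR file share finding sits below the appetite on its base score but its upper bound (19.8) is close to it, which is exactly the kind of case the monitoring and review function watches for a trigger to restart the process.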