CHAPTER 7: RISK MANAGEMENT: TREATING RISK - Coggle Diagram
MANAGING RISK
Risk appetite is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
The goal of InfoSec is not to bring residual risk to zero; rather it is to bring it in line with an organization’s risk appetite
Risk Management
Once a treatment strategy has been selected and implemented, controls should be monitored and measured on an ongoing basis to determine their effectiveness and to maintain an ongoing estimate of the remaining risk
Feasibility and Cost–Benefit Analysis
Before deciding on the strategy for a specific TVA triplet, an organization should explore all readily accessible information about the economic and noneconomic consequences
Cost
Some of the items that affect the cost of a control or safeguard include:
Benefit
The benefit is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset
Asset Valuation
Asset valuation is the process of assigning financial value or worth to each information asset
Alternatives to Feasibility Analysis
Benchmarking
Due care and due diligence
Best business practices
Gold standard
Government recommendations and best practices
RECOMMENDED ALTERNATIVE RISK TREATMENT PRACTICES
Many of the approaches to asset valuation described previously attempt to use actual values or estimates to create a quantitative assessment;
Delphi Technique
The Delphi technique, named for the oracle at Delphi, is a process whereby a group rates or ranks a set of information
ALTERNATIVE RISK MANAGEMENT METHODOLOGIES
The OCTAVE Methods
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
Microsoft Risk Management Approach
Four phases in the MS InfoSec risk management process:
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
FAIR
The Factor Analysis of Information Risk (FAIR) framework provides:
A taxonomy for information risk
Standard nomenclature for information risk terms
A framework for establishing data collection criteria
Measurement scales for risk factors
A computational engine for calculating risk
A modeling construct for analyzing complex risk scenarios
Basic FAIR analysis is composed of ten steps in four stages
Stage 1—Identify scenario components
Stage 2—Evaluate Loss Event Frequency (LEF)
Stage 3—Evaluate Probable Loss Magnitude (PLM)
Stage 4—Derive and articulate risk
INTRODUCTION TO RISK TREATMENT
Risk Treatment Strategies
Defense
The defense risk treatment strategy attempts to prevent the exploitation of the vulnerability
Three common methods of risk defense:
Application of policy
Application of SETA programs
Implementation of technology
Transference
The transference risk treatment strategy attempts to shift risk to another entity
Mitigation
The mitigation risk treatment strategy is the treatment approach that focuses on planning and preparation to reduce the impact of an incident.
Acceptance
The acceptance risk treatment strategy is the decision to do nothing beyond the current level of protection to protect an information asset from risk
Termination
The organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk