Chapter 6: Performing a Risk Assessment - Coggle Diagram
How to identify and evaluate controls
When identifying and evaluating controls, the following should be considered
In-place controls
Planned controls
Control Categories
Physical controls - Controls for the physical environment, including locks and guards that restrict physical access, and elements that control environmental conditions
Locked doors
Guards and access logs
Video cameras
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Technical controls - Controls that use computers or software to protect systems
System logs
Audit trails
Session time-out
Input validation
Login identifier
Encryption
Firewalls
Procedural controls - Controls put in place in response to the rules and guidelines directed by upper-level management; they include several specific controls.
Policies and procedures
Security plans
Insurance
Rules of behavior
Awareness and training
What presenting risk assessment results entails
Two phases
1st phase - recommendations are presented to the managers who are responsible for deciding which recommendations to implement; they may not approve every recommendation
2nd phase - the decisions made by the managers are documented. Then a plan of action and milestones (POAM) is created. The POAM can be used to track and monitor the controls. It helps ensure the controls are implemented and also helps to track the actual costs.
What to consider when selecting a risk assessment methodology?
Risk assessment involves the following steps
Assessing threats, vulnerabilities, and exploits
Evaluating risks
Identifying and evaluating relevant controls
Developing recommendations to mitigate risks
Identifying and evaluating relevant vulnerabilities
Presenting recommendations to management
Identifying and evaluating relevant threats
Identifying assets and activities to be addressed
How to identify assets and activities
Asset valuation - Process of determining the fair market value of an asset; one of the first priorities of risk management.
The value of an asset can be viewed from different perspectives.
Recovery value
Elements that need to be considered when determining the value of any asset
Hardware and software assets
Personnel assets
System functions
Data and information assets
System access and availability
Facilities and supplies
Replacement value
How to identify and evaluate relevant threats
Important data to review when reviewing historical events
Natural events
Accidents
Attacks
Equipment failures
Threat modeling - process used to identify possible threats to a system by looking at the system from the attacker's perspective.
A threat model provides information on:
Threat profile
Threat analysis
The system
How to develop mitigating recommendations
Supporting data may include
Estimate of cost and time to implement
Estimate of operational impact
Threat/vulnerability pairs
Cost-benefit analysis
What the best practices for performing risk assessments are
Reviewing past risk assessments
Matching the risk assessment to the management structure
Reviewing past audits
Identifying assets within the risk assessment boundaries
Ensuring systems are fully described
Identifying and evaluating relevant threats
Identifying and evaluating vulnerabilities
Identifying and evaluating controls
Tracking the results
Management structure - How responsibilities are assigned
An organization may have the following divisions for IT management
Network infrastructure
User and computer management
Group Policy
Email servers
Web servers
Database Servers
Configuration and change management
How to identify and evaluate relevant vulnerabilities
Not all vulnerabilities result in a loss
All systems have vulnerabilities
Vulnerability assessment - process used to discover weaknesses in a system.
Identifying names
Identifying operating systems
Identifying open ports
Identifying weak passwords
Identifying IP addresses
Capturing data
Vulnerability assessment tools
Nmap
SAINT
Nessus
How to select a methodology based on the assessment needs
Quantitative risk assessment - Uses predefined formulas. Collected data is used to identify the following:
Safeguard or control value
Annual loss expectancy
Annual rate of occurrence
Exposure factor
Single loss expectancy
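The quantitative figures listed above, together with the cost-benefit analysis named under mitigating recommendations, can be worked through in code. This is an added example, not content from the chapter or from Coggle; the formulas SLE = AV * EF, ALE = SLE * ARO and safeguard value = ALE before - ALE after - annual control cost are the standard ones and are not written out on the page, and every asset value, rate and control cost below is a constructed sample figure.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset (constructed sample figures)."""
    name: str
    asset_value: float       # AV: replacement or recovery value of the asset
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    annual_rate: float       # ARO: expected number of incidents per year


def single_loss_expectancy(r: Risk) -> float:
    """SLE = AV * EF (standard formula, not stated on the page)."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return r.asset_value * r.exposure_factor


def annual_loss_expectancy(r: Risk) -> float:
    """ALE = SLE * ARO: expected loss from this pair per year."""
    return single_loss_expectancy(r) * r.annual_rate


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net value of a control = ALE before - ALE after - annual cost of the control.
    Positive supports recommending it; negative means it costs more than it saves."""
    return annual_loss_expectancy(before) - annual_loss_expectancy(after) - annual_cost


def rank_controls(before: Risk, options: Dict[str, Tuple[Risk, float]]) -> List[Tuple[str, float]]:
    """Cost-benefit ranking of candidate controls by net safeguard value, best first."""
    ranked = [(name, safeguard_value(before, after, cost)) for name, (after, cost) in options.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenario: a web server valued at 50,000 with a 40% exposure factor,
# suffering an outage about once every two years.
WEB_SERVER = Risk("web server outage", asset_value=50_000, exposure_factor=0.4, annual_rate=0.5)
# Candidate controls (hypothetical): each reduces EF or ARO at some annual cost.
CONTROL_OPTIONS: Dict[str, Tuple[Risk, float]] = {
    "offline backups": (Risk("with backups", 50_000, 0.1, 0.5), 3_000),   # cuts loss per incident
    "hot standby":     (Risk("with standby", 50_000, 0.4, 0.1), 9_000),   # cuts incident frequency
}

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(WEB_SERVER))   # 20000.0
    print("ALE:", annual_loss_expectancy(WEB_SERVER))   # 10000.0
    for name, value in rank_controls(WEB_SERVER, CONTROL_OPTIONS):
        print(f"{name}: net safeguard value {value:.2f}")
```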
Qualitative risk assessment - If actual costs aren't available or aren't easy to calculate, a qualitative methodology can be used instead of a quantitative one. It uses the opinions of experts to determine two primary data points