CHAPTER 6: RISK MANAGEMENT
Introduction to the Management of Risk in Information Security
• Therefore I say: One who knows the enemy and knows himself will not be in danger in a hundred battles
Assessing Risk
• InfoSec managers and technicians are the defenders of information.
• They constantly face many threats to the organization’s information assets.
• A layered defense is the foundation of any InfoSec program.
The process involves discovering and understanding the answers to some key questions about the risk associated with an organization’s information assets:
Where and what is the risk (risk identification)?
How severe is the current level of risk (risk analysis)?
Is the current level of risk acceptable (risk evaluation)?
What do I need to do to bring the risk to an acceptable level (risk treatment)?
The RM framework consists of 5 key stages:
Executive governance and support
Framework design
Framework implementation
Framework monitoring and review
Continuous improvement
RM policies include:
• Purpose and scope
• RM intent and objectives
• Roles and responsibilities of subordinate groups
• Resource requirements
• Risk appetite and tolerances
• RM program development guidelines
• Special instructions and revision information
• References to other key policies, plans, standards, and
The Risk Management Process
Establishing the context
Identifying risk
Analyzing risk
Evaluating the risk
Treating the unacceptable risk
Summarizing the findings
Introduction to Risk Treatment
After the risk management (RM) process team has identified, analyzed, and evaluated the level of risk currently inherent in its information assets (risk assessment), it must then treat any risk deemed unacceptable because it exceeds the organization's risk appetite.
Treating risk begins with an understanding of what risk treatment strategies are and how to formulate them.
5 basic strategies to treat the risks for those assets:
Defense
Transference
Mitigation
Acceptance
Termination
Managing Risk
Risk appetite is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
The reasoned approach to risk is one that balances the expense of a control against the possible losses if the vulnerability is exploited.
FEASIBILITY & COST–BENEFIT ANALYSIS
While the advantages of a specific strategy can be identified in several ways, the primary way is to determine the value of the information assets it is designed to protect
Cost avoidance is the money saved by using the defense strategy via the implementation of a control, thus eliminating the financial ramifications of an incident
The criterion most used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility
ALTERNATIVES TO FEASIBILITY ANALYSIS
Benchmarking
Due care and due diligence
Best business practices
Gold standard
Government recommendations and best practices
Alternative Risk Management Methodologies
1. The OCTAVE Method
Operationally Critical Threat, Asset, and Vulnerability Evaluation
2. Microsoft Risk Management Approach
Microsoft also promotes a risk management approach
4 phases in the MS InfoSec RM process:
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
3. Factor Analysis of Information Risk (FAIR)
Basic FAIR analysis is composed of 10 steps in 4 stages:
Stage 1—Identify scenario components:
Identify the asset at risk
Identify the threat community under consideration
Stage 2—Evaluate Loss Event Frequency (LEF):
Estimate the probable Threat Event Frequency (TEF)
Estimate the Threat Capability (TCap)
Estimate Control Strength (CS)
Derive Vulnerability (Vuln)
Derive Loss Event Frequency (LEF)
Stage 3—Evaluate Probable Loss Magnitude (PLM):
Estimate worst-case loss
Estimate probable loss
Stage 4—Derive and articulate Risk:
Derive and articulate Risk
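A worked run through the four FAIR stages above, added here as an illustration; it is not part of the original notes and not the FAIR standard's own tooling. The relations Vuln = P(TCap > CS), LEF = TEF × Vuln and annualized risk = LEF × loss magnitude follow the Open FAIR model; the scenario numbers, the uniform model for threat capability, and the risk-appetite threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """Stage 1: the asset at risk and the threat community under consideration."""
    asset: str
    threat_community: str
    tef: float              # Stage 2 step 1: probable threat events per year
    tcap_min: float         # Stage 2 step 2: threat capability range, as percentiles
    tcap_max: float         #   of the overall threat population (assumed uniform)
    cs: float               # Stage 2 step 3: control strength, the percentile of
                            #   that population the control is expected to resist
    probable_loss: float    # Stage 3: probable loss per event (currency units)
    worst_case_loss: float  # Stage 3: worst-case loss per event

def derive_vulnerability(tcap_min: float, tcap_max: float, cs: float) -> float:
    """Stage 2 step 4: Vuln = P(TCap > CS), the share of the threat capability
    range that lies above the control strength."""
    if not (0 <= tcap_min <= tcap_max <= 100 and 0 <= cs <= 100):
        raise ValueError("inputs must be percentiles with tcap_min <= tcap_max")
    if cs >= tcap_max:
        return 0.0   # the control resists even the most capable agent
    if cs <= tcap_min:
        return 1.0   # even the least capable agent overpowers the control
    return (tcap_max - cs) / (tcap_max - tcap_min)

def derive_lef(tef: float, vuln: float) -> float:
    """Stage 2 step 5: loss events per year = threat events per year * Vuln."""
    return tef * vuln

def derive_risk(s: Scenario, risk_appetite: float) -> dict:
    """Stage 4: annualize the Stage 3 loss magnitudes with LEF and flag whether
    the probable annual loss exceeds the organization's risk appetite (per year)."""
    vuln = derive_vulnerability(s.tcap_min, s.tcap_max, s.cs)
    lef = derive_lef(s.tef, vuln)
    probable = lef * s.probable_loss
    return {"asset": s.asset, "threat_community": s.threat_community,
            "vuln": vuln, "lef": lef,
            "probable_annual_loss": probable,
            "worst_case_annual_loss": lef * s.worst_case_loss,
            "exceeds_appetite": probable > risk_appetite}

# Constructed sample scenario (not from the notes): external criminals against a
# customer database whose controls are expected to resist 70% of attackers.
SAMPLE = Scenario("customer database", "external cybercriminals",
                  tef=4.0, tcap_min=40.0, tcap_max=90.0, cs=70.0,
                  probable_loss=50_000.0, worst_case_loss=500_000.0)

if __name__ == "__main__":
    print(derive_risk(SAMPLE, risk_appetite=50_000.0))
```

With the sample inputs, 40% of the threat population out-muscles the control, so four threat events a year become 1.6 loss events and a probable annual loss of 80,000, above the assumed 50,000 appetite and therefore a candidate for treatment.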
4. ISO Standards for InfoSec Risk Management
The ISO 27000 series includes a standard for the performance of Risk Management, ISO 27005
The 27005 document includes a five-stage risk management methodology:
Risk Assessment
Risk Treatment
Risk Acceptance
Risk Communication
Risk Monitoring and Review
5. NIST Risk Management Framework
The first component describes the environment in which risk-based decisions are made, the organizational risk frame
The second component addresses how organizations assess risk within the context of the organizational risk frame
The third component addresses how organizations respond to risk once it has been determined
The fourth component addresses how organizations monitor risk over time
SITI AISYAH SYAFIQAH BINTI YUSOF
BA2325C (2022787025)