RISK MANAGEMENT & INFORMATION SECURITY - Coggle Diagram
RISK MANAGEMENT
Identifying, assessing, prioritizing, and addressing risks to an organization's assets
CENTRAL FOCUS
INFORMATION SECURITY
RISK
the likelihood that a threat will exploit a vulnerability and cause harm to an asset, weighted by the impact of that harm
ELEMENTS OF RISK
assets
anything of value to an organization (data, systems, people, reputation)
vulnerabilities
any weakness or exposure in an asset or its controls that could allow a threat to be realized
threats
any event or actor (attacker, malware, natural disaster, human error) with the potential to cause harm to an asset
PURPOSE
identify possible problems before something bad happens
INFORMATION SYSTEM SECURITY
protection of the systems that store, process, and transmit data (information security proper is the protection of the data itself)
RISK ASSESSMENTS
QUANTITATIVE
the cost / value of each identified risk is expressed in monetary terms
STEPS
calculate asset value (AV)
calculate exposure factor (EF)
% of asset value that would be lost if a single incident occurred (0-100%)
calculate single loss expectancy (SLE)
AV * EF
determine how often a loss is likely to occur each year (annualized rate of occurrence, ARO)
using historical incident data or industry figures
determine annualized loss expectancy (ALE)
SLE * ARO
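The five quantitative steps carried through in code, as an added example that is not part of the original Coggle map. It goes one step beyond the map: after ranking risks by ALE it compares the ALE before and after a proposed control against the control's annual cost, which is the usual way the ALE figure is then used to choose between REDUCE and ACCEPT. All asset values, exposure factors, incident rates and control costs are constructed illustrative numbers, and the `Risk`, `rank_by_ale` and `control_net_benefit` names are this example's own.

```python
"""Quantitative risk assessment: AV, EF, SLE, ARO, ALE, plus a control cost/benefit check.

Added example, not code from the original page. Every figure below is
constructed for illustration; substitute your own asset register.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float         # AV: replacement / business value in currency units
    exposure_factor: float     # EF: fraction of AV lost per incident, 0.0 .. 1.0
    incidents_per_year: float  # ARO: expected incidents per year, from historical data

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.incidents_per_year < 0:
            raise ValueError("AV and ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.incidents_per_year


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Prioritisation step: highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_net_benefit(risk: Risk, annual_control_cost: float,
                        new_ef: Optional[float] = None,
                        new_aro: Optional[float] = None) -> float:
    """Net annual value of a control that lowers EF and/or ARO (extension beyond the map).

    Returns (ALE before) - (ALE after) - (annual cost of the control).
    Positive: the control pays for itself (REDUCE). Negative: the control costs
    more than the loss it prevents, so ACCEPT the risk or find a cheaper control.
    """
    after = replace(
        risk,
        exposure_factor=risk.exposure_factor if new_ef is None else new_ef,
        incidents_per_year=risk.incidents_per_year if new_aro is None else new_aro,
    )
    return risk.ale() - after.ale() - annual_control_cost


# Constructed sample asset register (illustrative figures only).
SAMPLE_RISKS = [
    Risk("customer database", asset_value=500_000, exposure_factor=0.40, incidents_per_year=0.1),
    Risk("public web server", asset_value=50_000, exposure_factor=0.50, incidents_per_year=2.0),
    Risk("laptop fleet", asset_value=120_000, exposure_factor=0.10, incidents_per_year=1.5),
]


if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.asset:18} SLE={r.sle():>10,.0f}  ARO={r.incidents_per_year:<4}  ALE={r.ale():>10,.0f}")

    # A WAF that cuts web-server incidents from 2.0 to 0.5 per year for 15,000/year.
    web = SAMPLE_RISKS[1]
    print("WAF net benefit:", control_net_benefit(web, 15_000, new_aro=0.5))

    # Full-disk encryption that drops the laptop EF from 10% to 2% for 20,000/year.
    laptops = SAMPLE_RISKS[2]
    print("FDE net benefit:", control_net_benefit(laptops, 20_000, new_ef=0.02))
```

Running it ranks the web server first (ALE 50,000) even though the database has the larger SLE, because ARO dominates; the WAF shows a positive net benefit while the laptop encryption, at that price, shows a negative one and would be a candidate for ACCEPT or a cheaper control.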
QUALITATIVE
the likelihood and impact of each risk are judged on a scale (e.g. low / medium / high) and a rating is assigned, without putting a monetary figure on the loss
STEPS
PLAN A RISK RESPONSE STRATEGY
TRANSFER risk to a third party (insurance, outsourcing)
ACCEPT risk (when the cost of a control exceeds the expected loss)
REDUCE risk by implementing controls
AVOID risk by not performing the activity that creates it
IT AND NETWORK INFRASTRUCTURE
the components that make up a network
IT INFRASTRUCTURE
servers, storage systems, workstations, laptops
NETWORK INFRASTRUCTURE
routers, switches, modems, cabling and connectors, wireless access points
ATTACK PERPETRATORS
White hat hackers
ethical hackers / professionals performing authorized penetration testing
Gray hat hackers
act without authorization but without malicious intent (e.g. find and report a flaw they were not asked to look for); may drift toward either side
Black hat hackers
break IT security to gain unauthorized access, typically to steal sensitive data or cause damage
COMMON THREATS TO INFRASTRUCTURE
SEVEN DOMAINS
USER DOMAIN
social engineering / phishing attacks, policy violations
WORKSTATION DOMAIN
unauthorized access, malicious software installed
LAN DOMAIN
unauthorized network access, spreading malicious software
LAN-TO-WAN DOMAIN
exposure of internal resources to the outside, loss of productivity
WAN DOMAIN
sensitive data transmitted unencrypted, denial of service (DoS) attacks
REMOTE ACCESS DOMAIN
brute-force password attacks, unauthorized remote access
SYSTEM / APPLICATION DOMAIN
data loss from errors, failures, disasters
COMMON ATTACK VECTORS
specific type of attack that poses a threat against an IT infrastructure
CATEGORIES
attacks on PEOPLE (social engineering, phishing)
attacks on IT ASSETS (malware, unauthorized access to systems and data)
attacks on AVAILABILITY (denial of service)