Published by Curtis Johnson. Modified over 9 years ago.
1
Information Security Governance and Risk
Chapter 2, Part 2, Pages 69 to 100
2
Risk Management
- Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
- There is no such thing as a 100% secure environment.
3
Types of Risk (page 71)
- Physical damage
- Human interaction
- Equipment malfunction
- Inside and outside attacks
- Misuse of data
- Loss of data
- Application error
4
Understanding Risk Management
- Businesses operate to make money
- Risks threaten the bottom line
- There is a finite amount of money to address an almost infinite number of vulnerabilities
5
Risk Management Team (page 73)
- Goal – ensure the company is protected in the most cost-effective manner
- Includes individuals from many or all departments to ensure all threats are identified and addressed
6
Risk Assessment
- Method of identifying vulnerabilities and threats and assessing the impact to determine whether to implement security controls.
- See Table 2-5 on page 78
7
Risk Analysis
- Cost/benefit
- Integrate the security program with the company's business objectives
- Must be supported and directed by senior management to be successful
8
Risk Analysis
1. What events could occur (threats)
2. What could be the potential impact (risk)
3. How often could this happen (frequency)
4. What level of confidence do we have in the answers to the first three questions (certainty)
9
Value of an Asset
- Cost to repair or replace
- Loss of productivity
- Value of data that can be corrupted
- Value to an adversary
- Liability, civil suits, loss of market share
- Assets can be tangible or intangible (reputation, intellectual property)
10
Use of Value of an Asset
- Perform cost/benefit calculations
- Specify countermeasures and safeguards
- Determine the level of insurance to purchase
11
Risk
- Probability of a threat agent exploiting a vulnerability to cause harm to an asset, and the resulting business impact.
12
Risk Assessment Methodologies
- Identify vulnerabilities, associate threats, calculate risk values
- NIST SP 800-30
- FRAP
- OCTAVE
13
NIST SP 800-30
- U.S. Federal Government standard
- See Figure 2-9 on page 80
14
FRAP
- Facilitated Risk Analysis Process
- Data is gathered and threats to business operations are prioritized based on their criticality.
- Documents the controls that need to be put in place to reduce the identified risk
15
OCTAVE
- Carnegie Mellon University Software Engineering Institute
- People inside the organization manage and direct the risk evaluation
16
Risk Analysis Approaches
- Quantitative – assigning a numeric value
- Qualitative – Red, Yellow, Green
17
Quantitative
- SLE – Single loss expectancy
- EF – Exposure factor (percentage of loss on an asset)
- SLE = Asset Value * EF
- SLE = $150,000 * 25% = $37,500
18
Quantitative
- ARO – Annual rate of occurrence (0 to 1 or more; 0.1 = once in ten years)
- ALE – Annual loss expectancy
- ALE = SLE * ARO
- ALE = $37,500 * 0.1 = $3,750
- See the table on page 88
19
Qualitative
- Figure 2-11 on page 90
- Table 2-8 on page 90
20
Delphi Technique
- Each member gives an anonymous opinion of a threat
- Results are compiled and distributed to members
- Members comment anonymously
- Results are compiled and distributed to members
- The process continues until there is a consensus
21
Cost/Benefit of Safeguard
- Value of safeguard to the company = ALE (before safeguard) – ALE (after safeguard) – annual cost of safeguard
- Example (page 93): Value = $12,000 - $3,000 - $650 = $8,350
22
Cost of Countermeasure
- Page 93
- Page 94 – cost of IDS
23
Residual Risk
- Conceptual formulas:
- Threats * vulnerability * asset value = total risk
- Total risk * control gaps = residual risk
- Total risk – countermeasures = residual risk
24
Handling Risk
- Transfer risk – insurance
- Avoid risk – don't do it
- Mitigate risk – reduce by controls
- Accept risk – live with it; the cost of controls exceeds the benefits
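The quantitative formulas on the preceding slides (SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE before – ALE after – annual cost) and the "accept the risk when controls cost more than they save" rule on this slide can be run end to end. The Python below is an added example, not code from the slides or from the book they summarize. It reuses the slides' own figures ($150,000 asset, 25% EF, ARO 0.1, and the $12,000 / $3,000 / $650 safeguard example), and it goes beyond the single case on the slides by ranking several candidate safeguards against one exposure. The asset name, the candidate safeguards, and their residual EF/ARO values are constructed for illustration; the `Exposure` and `Safeguard` classes and all function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair: the inputs the quantitative method needs."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single event (0..1)
    aro: float              # annual rate of occurrence (0.1 = once in ten years)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, described by its yearly cost and the exposure it leaves behind."""
    name: str
    annual_cost: float      # purchase and upkeep, spread per year
    residual_ef: float      # EF that remains once the control is in place
    residual_aro: float     # ARO that remains once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is a fraction, so 25% is passed as 0.25."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may exceed 1 for events that recur within a year."""
    if aro < 0.0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def exposure_ale(exp: Exposure) -> float:
    """ALE of an exposure with no safeguard applied (the 'before' figure)."""
    sle = single_loss_expectancy(exp.asset_value, exp.exposure_factor)
    return annual_loss_expectancy(sle, exp.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE(before) - ALE(after) - annual cost of the safeguard."""
    return ale_before - ale_after - annual_cost


def evaluate(exp: Exposure, sg: Safeguard) -> float:
    """Value of one candidate safeguard against one exposure."""
    after_sle = single_loss_expectancy(exp.asset_value, sg.residual_ef)
    ale_after = annual_loss_expectancy(after_sle, sg.residual_aro)
    return safeguard_value(exposure_ale(exp), ale_after, sg.annual_cost)


def ranked(exp: Exposure, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """All candidates with their value, best first."""
    scored = [(sg.name, evaluate(exp, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def choose_safeguard(exp: Exposure, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the highest-value candidate; None means no control pays for itself,
    so the remaining option from the Handling Risk slide is to accept the risk."""
    best = max(candidates, key=lambda sg: evaluate(exp, sg), default=None)
    if best is None or evaluate(exp, best) <= 0.0:
        return None
    return best


# Constructed sample input. The $150,000 / 25% / 0.1 figures come from the slides;
# the asset name, the candidate controls and their residual EF/ARO are invented.
EXPOSURE = Exposure("customer database server", asset_value=150_000,
                    exposure_factor=0.25, aro=0.1)
CANDIDATES = [
    Safeguard("offsite backups", annual_cost=500, residual_ef=0.05, residual_aro=0.1),
    Safeguard("hardened configuration", annual_cost=900, residual_ef=0.25, residual_aro=0.02),
    Safeguard("hot standby site", annual_cost=4_000, residual_ef=0.01, residual_aro=0.1),
]


if __name__ == "__main__":
    print(f"ALE before any safeguard: ${exposure_ale(EXPOSURE):,.0f}")
    for name, value in ranked(EXPOSURE, CANDIDATES):
        print(f"  {name:<24} value ${value:,.0f}")
    pick = choose_safeguard(EXPOSURE, CANDIDATES)
    print("Decision:", f"mitigate with {pick.name}" if pick else "accept the risk")
```

With the constructed candidates, the hot standby site leaves the least residual loss but its $4,000 yearly cost exceeds the $3,750 it could ever save, so its value is negative; that is the "cost of controls exceeds the benefits" case on the slide, and `choose_safeguard` returns `None` when every candidate lands there.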
25
Key Terms
- Pages 98-99
26
Outsourcing
- Cloud
- Software creation
- Reducing the risk – page 100