Exam (elaborations)

Module 4- study set Questions & Answers

Rating
-
Sold
-
Pages
5
Grade
A+
Uploaded on
06-04-2025
Written in
2024/2025

who is responsible for overseeing, enabling, and supporting the structuring of IT and information security functions to defend their information assets? - answer upper management

Risk management framework - answer risk management involves discovering and understanding answers to some key questions about risk associated with an organization's information assets:
-risk identification
-risk analysis
-risk evaluation
-risk treatment

Risk Management - answer examine and document an organization's information assets
**responsible for identifying and controlling the risks that an organization encounters.
the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
*involves two key areas:
-RM framework (planning)- the overall structure of the strategic planning and design for the entirety of the organization's RM efforts- chart on ppt that has the executive governance and support, framework design, framework implementation, framework monitoring and review, and continuous improvement.
-RM process (doing)- the implementation of risk management, as specified in the framework- chart on ppt with risk assessment (risk identification, risk analysis, and risk evaluation)
*RM framework (planning) guides the RM process (doing), which conducts the processes of risk evaluation and remediation

risk identification - answer The recognition, enumeration, and documentation of risks to an organization's information assets.

risk assessment - answer A determination of the extent to which an organization's information assets are exposed to risk
*includes all elements of an organization's system: people, procedures, data, software, hardware, and networking elements.

risk treatment (risk control) - answer the application of safeguards or controls that reduce the risks to an organization's information assets to an acceptable level

The roles of the communities of interest - answer (VERY SMART AND VERY SPECIFIC TECHNOLOGICAL PEOPLE) responsible for:
-evaluating current and proposed risk controls
-determining which control options are cost-effective for the organization
-acquiring or installing the needed controls
-ensuring that the controls remain effective

Risk appetite - answer the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
* CAN EITHER BE LIKELIHOOD OR IMPACT DRIVEN
*the overall risk the company is willing to take
*the implementation of the RM plan, specifically the RM process, is likely to be influenced by the organization's risk appetite

residual risk - answer the risk to information assets that remains even after current controls have been applied
*the risk that has not been covered by one of the safeguards

risk tolerance (risk threshold) - answer the assessment of the amount of risk an organization is willing to accept for a particular information asset
*there are many vulnerabilities that affect the risk appetite

what is the goal of information security? - answer to bring residual risk in alignment with risk appetite

inherent risk - answer the risk that is common or expected within a particular asset
ex: McDonald's came out with a new menu item and someone wants to steal the formula (they have an inherent risk for their new product, therefore they need to put controls- patents- in place to protect the formula)

residual risk - answer the risk that remains after management implements internal controls or some other response to risk
ex: the controls are so good, they have zero residual risk (not possible to get it to zero; you can get very close, but there will always be a residual risk- that's where controls come in)

Likelihood - answer the probability that something/the event will happen/occur (high, medium, and low)
*the overall rating- a numerical value on a defined scale- of the probability that a specific vulnerability will be exploited or attacked, commonly referred to as a threat
*the likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability. The likelihood risk factor combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact.
*An assessment of likelihood of occurrence is typically based on:
-adversary intent
-adversary capability
-adversary targeting
*once the probability of an attack by a threat has been evaluated, the organization typically looks at the impact or consequences of a successful attack.

Impact - answer the likelihood that the threat event results in adverse impacts.
*the level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

risk assessment: risk identification - answer the first operational phase of the RM process is the identification of risk. At this stage, managers must:
1. identify the organization's information assets
2. classify them (confidential, private, public)
3. categorize them into useful groups (people, procedures, data, software, hardware, networking)
4. prioritize them by overall importance- weighted table analysis, then followed by a heat map (high, medium, low)

TVA worksheet (also known as a heat map) - answer Total vulnerability assessment is used to assess and rank assets based on their vulnerabilities. Start by identifying your assets (such as systems, data, or processes) and then evaluate the vulnerabilities of each asset in terms of potential risks. Assign scores based on factors like likelihood and impact. Calculate the total vulnerability score for each asset by multiplying the likelihood and impact scores. Finally, rank your assets based on their total vulnerability scores, prioritizing those with higher scores for further attention in terms of security measures or risk mitigation.
goes from red (most critical, highest risk) to green/blue (fewest vulnerabilities, fewest threats)
*3-D approach

Risk analysis - answer assesses the relative risk for each vulnerability and assigns a risk rating or score to each information asset
*the goal is to develop a repeatable method to evaluate the relative risk for each vulnerability that has been identified and added to the list
*if a vulnerability is fully managed by an existing control, it can be set aside
*if it is partially controlled, you can estimate what percentage of the vulnerability has been controlled

risk evaluation - answer the continuous examination of the risk management process and determining whether or not it is effective
*if the RR is greater than risk appetite, look for treatment strategies to further reduce the risk
*if the RR is less than risk appetite, document the results and proceed to the later stages of risk management

Risk treatment/ risk response - answer After the risk management process has identified, analyzed, and evaluated the level of risk currently inherent in the organization's information assets (risk assessment), it must then treat the risk that is deemed unacceptable because it exceeds risk appetite. This process is known as risk response or risk control. The appropriate strategy must be selected and applied to each information asset with currently unacceptable levels of risk:
-mitigation
-transference
-acceptance
-termination

risk mitigation - answer attempts to prevent the exploitation of the vulnerability. Also referred to as risk defense, this is the preferred approach, which is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards
*the organization is attempting to improve the security of an information asset by reducing the likelihood or probability of a successful attack

risk termination - answer also known as risk avoidance. Based on the organization's intentional choice not to protect an asset. The organization does not want the information asset to remain at risk and removes it from the operating environment by shutting it down or disabling its connectivity to potential threats. Sometimes the cost of protecting an asset outweighs its value.

Institution
NURS 6660
Course
NURS 6660
