Wednesday 8 May 2013

CS9224 - INFORMATION SECURITY - UNIT III

1. What is risk management?
Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to assure
Confidentiality
Integrity
Availability
of all the components in the organization's information systems

2. What are the roles to be played by the communities of interest in managing the risks an organization encounters?

It is the responsibility of each community of interest to manage risks; each community has a role to play:
Information Security
Management and Users
Information Technology

3. What is the process of Risk Identification?

A risk management strategy calls on us to "know ourselves" by identifying, classifying, and prioritizing the organization's information assets. These assets are the targets of various threats and threat agents, and our goal is to protect them from these threats.

4. What are asset identification and valuation?
This iterative process begins with the identification of assets, including all of the elements of an organization's system: people, procedures, data and information, software, hardware, and networking elements

5. What is Asset Information for People?
Position name/number/ID
Supervisor
Security clearance level
Special skills

6. What is hardware, software, and network asset identification?

When deciding which information assets to track, consider including these asset attributes:
Name
IP address
MAC address
Element type
Serial number
Manufacturer name
Manufacturer's model number or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity

7. What is the asset information for procedures?
Description
Intended purpose
Which elements it is tied to
Where it is stored for reference
Where it is stored for update purposes

8. What is the asset information for data?

Classification
Owner/creator/manager
Size of data structure
Data structure used - sequential, relational
Online or offline
Where located
Backup procedures employed

9. How are information assets classified?
Examples of these kinds of classifications are:
confidential data
internal data
public data
Informal organizations may have to organize themselves to create a usable data classification model
The other side of the data classification scheme is the personnel security clearance structure

10. Define the process of Information asset valuation.

Create a weighting for each category based on the answers to the previous questions
Which factor is the most important to the organization?
Once each question has been weighted, calculating the importance of each asset is straightforward
List the assets in order of importance using a weighted factor analysis worksheet

11. What are the Questions to assist in developing the criteria to be used for asset valuation?

Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the most profitability?
Which information asset would be the most expensive to replace?
Which information asset would be the most expensive to protect?
Which information asset would be the most embarrassing or cause the greatest liability if revealed?
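As an added example (not from the original notes), a weighted factor analysis worksheet in Python for the procedure in Q10 using the six valuation questions of Q11 as criteria; the weights, asset names and scores are constructed for illustration.

```python
"""Weighted factor analysis worksheet for ranking information assets.
Criteria weights must total 100; each asset is scored 0.1 (low) to 1.0
(high) on every criterion, and its importance is sum(weight * score)."""

# Constructed weights for the six valuation questions listed above.
CRITERIA_WEIGHTS = {
    "critical_to_success": 30,
    "generates_revenue": 15,
    "generates_profit": 15,
    "expensive_to_replace": 10,
    "expensive_to_protect": 10,
    "liability_if_revealed": 20,
}

# Constructed sample scores for three hypothetical assets.
ASSET_SCORES = {
    "Customer order database": {
        "critical_to_success": 1.0, "generates_revenue": 1.0,
        "generates_profit": 0.9, "expensive_to_replace": 0.8,
        "expensive_to_protect": 0.6, "liability_if_revealed": 0.9,
    },
    "Public web site": {
        "critical_to_success": 0.6, "generates_revenue": 0.5,
        "generates_profit": 0.4, "expensive_to_replace": 0.3,
        "expensive_to_protect": 0.3, "liability_if_revealed": 0.1,
    },
    "Internal HR records": {
        "critical_to_success": 0.4, "generates_revenue": 0.1,
        "generates_profit": 0.1, "expensive_to_replace": 0.5,
        "expensive_to_protect": 0.4, "liability_if_revealed": 1.0,
    },
}


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Return one asset's weighted importance, rejecting a bad worksheet."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must total 100")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is not scored on: {sorted(missing)}")
    if any(not 0.1 <= scores[c] <= 1.0 for c in weights):
        raise ValueError("each criterion score must be between 0.1 and 1.0")
    return round(sum(weights[c] * scores[c] for c in weights), 1)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """List (asset, score) pairs in order of importance, highest first."""
    ranked = [(name, weighted_score(s, weights)) for name, s in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)
```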

12. Define data classification and management.
A variety of classification schemes are used by corporate and military organizations
Information owners are responsible for classifying the information assets for which they are responsible
Information owners must review information classifications periodically
The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies

13. What are security clearances?
The other side of the data classification scheme is the personnel security clearance structure
Each user of data in the organization is assigned a single level of authorization indicating the level of classification
Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement
This extra level of protection ensures that the confidentiality of information is properly maintained

14. Explain the process of threat identification.

Threat Identification
Each of the threats identified so far has the potential to attack any of the assets being protected
Considering every threat against every asset quickly becomes too complex and overwhelms the ability to plan
To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process

15. How are threats identified and prioritized?
Each threat must be further examined to assess its potential to impact the organization; this is referred to as a threat assessment
To frame the discussion of threat assessment, address each threat with a few questions:
Which threats present a danger to this organization's assets in the given environment?
Which threats represent the most danger to the organization's information?
How much would it cost to recover from a successful attack?
Which of these threats would require the greatest expenditure to prevent?

16. What is Vulnerability Identification?

We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
Examine how each of the threats that are possible or likely could be perpetrated and list the organization's assets and their vulnerabilities
The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions

17. What is Risk assessment?
We can determine the relative risk for each of the vulnerabilities through a process called risk assessment
Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process

18. List the risk identification estimate factors.
Likelihood
Value of Information Assets
Percent of Risk Mitigated
Uncertainty

19. Give an example of Risk determination.
For the purpose of relative risk assessment:
risk = (likelihood of vulnerability occurrence times value or impact) - percentage of risk already controlled + an element of uncertainty
Both percentages are taken of the likelihood times value product, and the element of uncertainty is 100% minus the estimated accuracy of the assumptions and data
Information Asset A has a value score of 50 and has one vulnerability:
Vulnerability 1 has a likelihood of 1.0 with no current controls, and you estimate that the assumptions and data are 90% accurate (so the uncertainty element is 10%)
Asset A: vulnerability rated as 55 = (50 * 1.0) - 0% + 10%, i.e. 50 - 0 + 5 = 55
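The risk determination formula above carried through in Python, as an added example that is not part of the original notes; Asset A is the case from the notes, while Asset B and its two vulnerabilities are constructed here to show ranking across several assets.

```python
def risk_rating(value, likelihood, controlled_pct, accuracy_pct):
    """Return the relative risk score for one vulnerability of one asset.

    value          -- asset value score (e.g. 50 from the valuation worksheet)
    likelihood     -- probability the vulnerability is exploited, 0.0 to 1.0
    controlled_pct -- share of the risk already mitigated by controls, 0 to 100
    accuracy_pct   -- estimated accuracy of the assumptions and data, 0 to 100
    Both percentages are taken of the likelihood * value product; the
    uncertainty element is 100 - accuracy_pct.
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0.0 and 1.0")
    for name, pct in (("controlled_pct", controlled_pct), ("accuracy_pct", accuracy_pct)):
        if not 0 <= pct <= 100:
            raise ValueError(f"{name} must be a percentage between 0 and 100")
    base = value * likelihood
    mitigated = base * controlled_pct / 100
    uncertainty = base * (100 - accuracy_pct) / 100
    return round(base - mitigated + uncertainty, 2)


def rank_vulnerabilities(assets):
    """Rank every (asset, vulnerability) pair by risk rating, highest first.

    assets maps asset name -> (value, [(vuln, likelihood, controlled_pct, accuracy_pct), ...])
    """
    rows = []
    for asset, (value, vulns) in assets.items():
        for vuln, likelihood, controlled, accuracy in vulns:
            rows.append((asset, vuln, risk_rating(value, likelihood, controlled, accuracy)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Asset A reproduces the worked example from the notes; Asset B is constructed.
SAMPLE_ASSETS = {
    "Asset A": (50, [("Vulnerability 1", 1.0, 0, 90)]),
    "Asset B": (100, [("Vulnerability 2", 0.5, 50, 80),
                      ("Vulnerability 3", 0.1, 0, 80)]),
}

if __name__ == "__main__":
    for asset, vuln, score in rank_vulnerabilities(SAMPLE_ASSETS):
        print(f"{asset} / {vuln}: {score}")
```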
