Blog

  • Types of Risk Assessment

    1. Qualitative
      • The financial officer’s estimate that password scanning attacks are highly probable.
      • The IT manager’s opinion on what impact a flood would have on the server room.
    2. Quantitative
      • The cost to the company of being offline for one day, or of its servers being offline for one day.
      • The expected total number of DDoS attacks per year.
  • Importance of Risk Management

    Risk Management is important, because it:

    • enables identification and protection of all critical assets
    • helps ensure legal compliance
  • Risk assessment process

    • Threat identification is the review of technical and non-technical events that may damage a system.
    • System characterization is the review of system and data criticality and sensitivity.
    • Control analysis is the review of current and planned countermeasures against security requirements checklists.
    • Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.
  • Spanning-Tree Analysis

    Maps all possible threats to an information system according to general risk categories.

  • SOMAP

    Security Officers Management and Analysis Project. A Swiss non-profit organization.

  • Value at Risk (VAR)

    The Value at Risk (VAR) framework has four stages:

    • Identify threats
    • Estimate likelihood
    • Estimate VAR
    • Mitigate risk


  • P.U.S.H.

    The four phases of PUSH are:

    • Preparation
      Defining the audience and purpose of the risk assessment.
    • Universe definition
      Identifying and characterizing the most critical assets, risks and controls.
    • Scoring
      Choosing consistent scales to rate the importance of assets, the impact of risks and the effectiveness of controls.
    • Hitting the mark
      Ensuring the risk assessment fulfils the purpose set out in the preparation phase.
  • Risk Assessment Methodologies

    • OCTAVE is a self-directed approach in which an interdisciplinary team performs risk analysis, focusing on operational risk and security practices.
    • FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
    • NIST is a qualitative risk assessment methodology established with healthcare in mind.
    • Failure modes and effects analysis (FMEA) assesses risk by examining the effects of failures on three levels.
    • CRAMM is an IT risk analysis method used in the British Government.
  • Methodological Frameworks

    • ISO 27000 is a series of standards for managing information security.
    • ITIL is comprised of a series of books aiming to improve IT service management and IT processes.
    • COSO is a framework for financial reporting and disclosure.
    • COBIT is a four-domain model for IT governance and has 214 control objectives.
  • Baselines, Procedures, Guidelines & Policies

    • Baselines define a minimum technical standard that should be maintained across the organization.
    • Procedures are step-by-step instructions on how to comply with security requirements.
    • Guidelines give discretionary guidance on how best to comply with security requirements.
    • Policies define security requirements broadly.