ISMN 5740 Exam 1 | STUDY GUIDE
Risk:
- the likelihood that a loss will occur
- losses occur when a threat exploits a vulnerability

Threat: any activity that represents a possible danger
Vulnerability: a weakness that a threat can exploit
Loss: results in a compromise to business functions or assets (both tangible and intangible)

Importance of Risk Management:
- identifies threats and vulnerabilities
- reduces adverse impact
- improves organization survivability
- enhances cost-benefit awareness

7 domains of a typical IT infrastructure:
1. User domain
2. Workstation domain
3. LAN domain
4. LAN-to-WAN domain
5. WAN domain
6. Remote Access domain
7. System/Application domain

Confidentiality: prevents unauthorized disclosure of data and systems
Integrity: prevents unauthorized modification of data and systems
Availability: prevents disruption of service and productivity

Risk levels (risk matrix):
- Red area: immediate action should be taken to reduce the risk
- Orange area: actions should be planned and initiated to reduce the risk
- Yellow area: these risks should be monitored, with a response prepared in case they are realized
- Green area: no specific actions need to be taken

Total risk = threats x vulnerabilities x asset value
Mitigating controls (countermeasures) are designed to reduce risk
Residual risk = total risk - countermeasures

Risk Management Elements/Process:
1. Assess risks
2. Identify risks to manage
3. Select controls
4. Implement and test controls
5. Evaluate controls

Survivability, and Balancing Risk and Cost:
- consider the cost to implement a control and the cost of not implementing a control
- spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business's survivability
- the cost to manage a risk must be balanced against the impact value

Role-based perceptions of risk:
- management
- system admin
- tier 1 admin
- developer
- end-user

Risk Identification Process:
1. Identify threats
2. Identify vulnerabilities
3. Estimate the likelihood of a threat exploiting a vulnerability
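The risk matrix, the total/residual risk relationship, the cost-versus-impact balance and the three-step identification process above, worked as a small risk register in Python. This is an added example, not part of the course study guide. The 1..5 likelihood and impact scale, the band thresholds (red at a score of 15 or more, orange at 10, yellow at 5, otherwise green), the expected-loss formula (score scaled to a fraction of asset value) and the sample file-server entry with its two candidate controls are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Assumed scale (not from the study guide): likelihood and impact are each 1..5,
# so the likelihood x impact score ranges 1..25.
SCALE_MAX = 5

# Assumed band thresholds on the score; checked in order, first match wins.
BANDS = (("red", 15), ("orange", 10), ("yellow", 5), ("green", 0))

# Action per band, as stated in the study guide's risk-matrix description.
ACTIONS = {
    "red": "take immediate action to reduce the risk",
    "orange": "plan and initiate actions to reduce the risk",
    "yellow": "monitor and be prepared to respond if the risk is realized",
    "green": "no specific action required",
}


@dataclass(frozen=True)
class Risk:
    """One register entry: a threat exploiting a vulnerability on an asset."""
    name: str
    threat: str
    vulnerability: str
    asset_value: float   # tangible or intangible value, in currency units
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact

    def band(self) -> str:
        s = self.score()
        for name, threshold in BANDS:
            if s >= threshold:
                return name
        return "green"

    def action(self) -> str:
        return ACTIONS[self.band()]

    def expected_loss(self) -> float:
        # Constructed formula: the score as a fraction of the asset value.
        return self.score() * self.asset_value / (SCALE_MAX * SCALE_MAX)


@dataclass(frozen=True)
class Control:
    """A countermeasure: what it costs and how much likelihood/impact it removes."""
    name: str
    cost: float
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def apply_controls(risk: Risk, controls) -> Risk:
    """Residual risk = total risk minus what the countermeasures remove (never below 1)."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return replace(risk, likelihood=lik, impact=imp)


def risk_reduction(risk: Risk, control: Control) -> float:
    """Expected loss removed by a single control."""
    return risk.expected_loss() - apply_controls(risk, [control]).expected_loss()


def is_cost_justified(risk: Risk, control: Control) -> bool:
    """The cost to implement must be balanced against the impact value it removes."""
    return control.cost < risk_reduction(risk, control)


def evaluate(risk: Risk, controls):
    """Cost-benefit view of each candidate control for one register entry."""
    return [(c.name, risk_reduction(risk, c), is_cost_justified(risk, c)) for c in controls]


# Constructed sample register entry and candidate controls (hypothetical figures).
FILE_SERVER = Risk("file server ransomware", "ransomware operator",
                   "no offline backups", asset_value=200_000, likelihood=4, impact=5)
CONTROLS = [
    Control("offline backups", cost=15_000, impact_reduction=3),
    Control("enterprise DLP suite", cost=150_000, likelihood_reduction=1),
]

if __name__ == "__main__":
    print(FILE_SERVER.name, FILE_SERVER.score(), FILE_SERVER.band(), FILE_SERVER.action())
    for name, saved, justified in evaluate(FILE_SERVER, CONTROLS):
        print(f"{name}: removes {saved:,.0f} expected loss, justified={justified}")
    residual = apply_controls(FILE_SERVER, CONTROLS[:1])
    print("residual:", residual.score(), residual.band(), residual.action())
```

The point the figures make is the one in the study guide: the cheap backup control removes far more expected loss than it costs and moves the entry from red to yellow, while the expensive control leaves the entry in red and costs more than the loss it removes, so it fails the cost-versus-impact test even though it does reduce risk.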
Risk Identification Elements: Threats - sources:
- external or internal
- natural or man-made
- intentional or accidental

Risk Identification Elements: Vulnerabilities - sources:
- audits
- certification records
- system logs
- prior events
- trouble reports
- incident response teams

Techniques of Risk Management:
- avoidance
- transfer
- mitigation
- acceptance

Aspects of Risk Management:
- residual risk
- cost-benefit analysis

Unintentional Threats (Casey's 3 types):
- Environmental (fire, flooding)
- Accidents/Human (keystroke errors, programming bugs)
- Failures (equipment)

Intentional Threats (Casey's 3 P's):
- Profit (greed)
- Passion (anger)
- Psychosis (desire to damage)
- examples: hackers, criminals, disgruntled employees