1. What is Risk Management?
Risk Identification is conducted within the larger process of identifying and justifying risk control known as risk management.
2. What are the communities of interest?
Management and users
3. What are the responsibilities of the communities of interest?
Evaluating the risk controls
Determining which control options are cost effective for the organization
Acquiring or installing the needed controls.
Overseeing that the controls remain effective.
4. Write about MAC.
It is also called an electronic serial number or hardware address.
All network interface hardware devices have a unique number.
The number is used by the network operating system as a mechanism to identify a specific network device.
5. What is a Public Key Infrastructure certificate authority?
It is a software application that provides cryptographic key management services.
6. What is Clean desk policy?
This requires each employee to secure all information in its appropriate storage container at the end of each day.
7. What is risk assessment?
It is the process of assessing the relative risk for each of the vulnerabilities.
8. What is Likelihood?
Likelihood is the overall rating of the probability that a specific vulnerability within an organization will be successfully attacked.
9. What is residual risk?
It is the risk that remains to the information asset even after the existing controls have been applied.
10. What are Policies?
Policies are documents that specify an organization’s approach to security.
11. What are the types of security policies?
General Security Policy
Program Security Policy
12. What are the types of access controls?
Mandatory Access Controls (MACs)
13. What are the Risk Control Strategies?
Avoidance – It is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
Transference – It is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Mitigation – It is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Acceptance – It is the choice to do nothing to protect a vulnerability and to accept the outcome of an exploited vulnerability.
14. What are the common methods for Risk Avoidance?
Avoidance through Application of Policy
Avoidance through Application of training and education
Avoidance through Application of technology
15. What are the types of plans in Mitigation strategy?
The Disaster Recovery Plan (DRP)
Incident Response Plan (IRP)
Business Continuity Plan (BCP)
16. What is a hot site?
It is also known as business recovery site.
It is a remote location with systems identical or similar to the home site.
17. What are the ways to categorize the controls?
Information Security Principle:
Preventive Controls
- Stop attempts to exploit a vulnerability by implementing a security principle, such as authentication or confidentiality.
- Use technical procedures such as encryption, or a combination of technical means and enforcement methods.
Detective Controls
- Warn organizations of violations of security principles, organizational policies, or attempts to exploit a vulnerability.
- Use techniques such as audit trails, intrusion detection, and configuration monitoring.
19. What is the goal of documenting results of the risk assessment?
The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked so that those most needing protection are addressed first.
In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience.
We should also have collected some information about the controls that are already in place.
20. What are risk control strategies?
When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest take control of the risks.
Four basic strategies are used to control the risks that result from vulnerabilities:
Apply safeguards (avoidance)
Transfer the risk (transference)
Reduce the impact (mitigation)
Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
It is the process of examining and documenting the security posture of an organization’s information technology and the risk it faces.
It is the documentation of the results of risk identification.
Confidential: Access to information with this classification is strictly on a need-to-know basis or as required by the terms of a contract.
Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by authorized contractors and other third parties.
External: All information that has been approved by management for public release.
Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] − (% of risk mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)
Risk Control Strategies
Four basic strategies to control each of the risks that result from these vulnerabilities.
Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [Avoidance]
Transfer the risk to other areas (or) to outside entities [Transference]
Reduce the impact should the vulnerability be exploited [Mitigation]
Understand the consequences and accept the risk without control or mitigation [Acceptance]
It is the process of avoiding the financial impact of an incident by implementing a control.
Cost Benefit Analysis (CBA)
Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
The formal process to document this decision making process is called a Cost Benefit analysis or an economic feasibility study.
Baselining is the analysis of measures against established standards.
When we have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed, shifted, or planned for; this remainder is called residual risk.