- Assigns a risk rating or score to each information asset.
- It is useful in gauging the relative risk to each vulnerable asset.
1 Valuation of Information assets
- Assign weighted scores for the value to the organization of each information asset.
- The National Institute of Standards and Technology (NIST) gives some standards.
- To be effective, the values must be assigned by asking the following questions:
- Which threats present a danger to the organization's assets in the given environment?
- Which threats represent the most danger to the organization's information?
- How much would it cost to recover from a successful attack?
- Which of the threats would require the greatest expenditure to prevent?
2 Likelihood
- It is the probability that a specific vulnerability within an organization will be successfully attacked.
- NIST gives some standards.
- 0.1 = Low, 1.0 = High
- Eg: The number of network attacks can be forecast based on how many network addresses the organization has assigned.
3 Risk Determination
Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] – (% of risk mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)
- For the purpose of relative risk assessment, risk equals:
– Likelihood of vulnerability occurrence TIMES value (or impact)
– MINUS percentage of risk already controlled
– PLUS an element of uncertainty
Eg: Information Asset A has a value score of 50 and has one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls; we estimate that our assumptions and data are 90% accurate (10% uncertainty).
Risk = [(1.0) × 50] – 0% + 10%
= (50 × 1.0) – ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
= 50 – 0 + 5
= 55
4 Identify Possible Controls (For Residual Risk)
Residual risk is the risk that remains to the information asset even after the existing controls have been applied.
Three general categories of controls
- General Security Policy
- Program Security Policy
- Issue-Specific Policy
- Systems-Specific Policy
Security Technologies
- Technical implementations of policies
Access Controls
- Specifically address admission of a user into a trusted area of the organization.
- Eg: Computer rooms, power rooms.
- Usually a combination of policies, programs, and technologies.
Types of Access Controls
Mandatory Access Controls (MACs)
- Give users and data owners limited control over access to information resources.
- Managed by a central authority in the organization; can be based on an individual's role (role-based controls) or on a specified set of assigned tasks (task-based controls).
Discretionary Access Controls (DACs)
- Implemented at the discretion or option of the data user.
Lattice-based Access Control
- A variation of MAC: users are assigned a matrix of authorizations for particular areas of access.
5 Documenting the Results of Risk Assessment
By the end of the Risk Assessment process, you probably have a collection of long lists of information assets with data about each of them.
The goal of this process is to identify the information assets that have specific vulnerabilities and list them, ranked according to those most needing protection. You should also have collected some information about the controls that are already in place.
The final summarized document is the ranked vulnerability risk worksheet, a sample of which is shown in the following table.
Table: Ranked vulnerability risk worksheet
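The risk formula from the Risk Determination section and the ranked vulnerability risk worksheet described above, combined in one added example (not part of the original notes): it computes the risk rating for each asset/vulnerability pair and sorts the rows highest risk first. Asset A reproduces the worked example (value 50, likelihood 1.0, no controls, 10% uncertainty); assets B and C are constructed sample rows, and the class and function names are my own.

```python
from dataclasses import dataclass


@dataclass
class VulnerabilityEntry:
    """One row of the ranked vulnerability risk worksheet (hypothetical field names)."""
    asset: str
    vulnerability: str
    asset_value: float    # weighted value score of the asset to the organization
    likelihood: float     # NIST-style scale: 0.1 = low ... 1.0 = high
    controlled: float     # fraction of risk mitigated by current controls, 0.0-1.0
    uncertainty: float    # fraction of uncertainty in assumptions and data, 0.0-1.0


def risk_rating(entry: VulnerabilityEntry) -> float:
    """Risk = (likelihood x value) - share already controlled + uncertainty share."""
    if not 0.1 <= entry.likelihood <= 1.0:
        raise ValueError("likelihood must lie between 0.1 (low) and 1.0 (high)")
    for name in ("controlled", "uncertainty"):
        if not 0.0 <= getattr(entry, name) <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0.0 and 1.0")
    base = entry.likelihood * entry.asset_value
    # Both the controlled share and the uncertainty are percentages of the base risk,
    # exactly as in the worked example: 50 - (50 x 0.0) + (50 x 0.1) = 55.
    return base - base * entry.controlled + base * entry.uncertainty


def ranked_worksheet(entries):
    """Return (asset, vulnerability, risk) rows sorted with the highest risk first."""
    rows = [(e.asset, e.vulnerability, risk_rating(e)) for e in entries]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data; Asset A reproduces the worked example from the notes.
SAMPLE = [
    VulnerabilityEntry("Asset A", "Vulnerability 1", 50, 1.0, 0.0, 0.1),
    VulnerabilityEntry("Asset B", "Vulnerability 2", 100, 0.5, 0.5, 0.2),
    VulnerabilityEntry("Asset C", "Vulnerability 3", 100, 0.1, 0.0, 0.1),
]

if __name__ == "__main__":
    for asset, vuln, risk in ranked_worksheet(SAMPLE):
        print(f"{asset:8} {vuln:16} risk = {risk:5.1f}")
```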