Term
Risk Analysis Process (6)
Definition
- Asset ID
- Vulnerability ID
- Threat Assessment
- Probability quantification
- Financial Impact Eval.
- Countermeasures Determination

Term
Definition
ID assets that require protection and their value

Term
Vulnerability Identification
Definition
ID vulnerabilities/threats to assets; confirms asset protection problems.
Locating weaknesses that expose critical areas to exploitation

Term
Definition
Determining threats that may take advantage of vulnerabilities

Term
Probability quantification
Definition
Calculating the likelihood that threats will exploit vulnerabilities

Term
Definition
Financial impact of potential threats evaluated

Term
Countermeasures Determination
Definition
ID/development of countermeasures to threats
- must be ECONOMICAL
- must provide EXPECTED level of protection

Term
Results of Improper Risk Management (4)
Definition
- Disclosure of critical asset
- Modification of critical asset
- Loss/destruction of critical asset
- Interruption of critical asset

Term
Definition
- Avoidance: eliminate threats
- Reduction: reduce severity of risk/probability of loss
- Transfer: reallocate liability to 3rd party (i.e. insurance co.) via contract
- Acceptance: analyze/determine that asset loss < cost of countermeasure

Term
Definition
Determining an asset's worth to the organization; all costs considered; depends on financial impact
- what requires protection?
- cost if asset is lost/damaged

Term
Asset Valuation Methods (4)
Definition
- Asset Mgt System
- Accounting System
- Insurance Valuation
- Delphi Method

Term
Definition
Detailed record of company property/similar assets

Term
Definition
Financial assets such as costs to develop software

Term
Definition
Insurers determine value of assets & perform risk analysis of assets insured under the policy

Term
Definition
3rd-party panel of experts who determine value of assets.
- systematic
- interactive communication
- 2 or more rounds to revise estimated value of assets; uses median score of estimates
- also determines risk

Term
Definition
System weakness; safeguard deficiency that enables violation of a system's integrity

Term
Definition
- Physical Structure: physical factors that expose assets to threats (no security guards, unlocked doors, etc.)
- Electrical: power to building where data is stored; affects availability
- Software: virus/malware protection; systems exposed to damage/loss due to lack of anti-virus software
- Network: possibility of data transmitted over the network being intercepted; encryption
- Personnel: human factor; lack of training, hiring of personnel who may damage/threaten the organization (no background check)

Term
Definition
- Natural Disasters: related to weather or non-controllable events due to nature
- Man-Made: Intentional (arson, theft, damage, file destruction, info disclosure) & Non-intentional (mistakes, power outage, illness, info disclosure)

Term
Risk Probability/Prioritization (4 steps)
Definition
- Perform risk analysis on an individual basis
- List the various/ensuing risks discovered via analysis
- Determine risk probability
- Prioritize risks by probability level; focus on high-probability risks during the response process

Term
Quantitative Risk Analysis
Definition
- estimates based on historical incidents/likelihood of risk recurrence
- numerical basis
- historical/accounting reporting basis

Term
Qualitative Risk Analysis
Definition
- not based on numbers/history
- best guess
- group acceptance of risk probability (via Delphi)
- Delphi assigns risk value:
  - Not at all likely
  - Somewhat likely
  - More likely
  - Will occur
- Not historical, but prioritizes risks based on analysts' opinions

Term
Risk/Vulnerability Determination Factors (3)
Definition
- Likelihood: Annualized Rate of Occurrence (ARO) estimates the number of times an event/threat occurs per year
- Impact: Single Loss Expectancy (SLE) $ = Exposure Factor (EF) % * Asset Value (AV) $
- Risk: Annualized Loss Expectancy (ALE) $ = ARO * SLE $

Term
Safeguard Selection Criteria (3)
Definition
- Cost Effectiveness: eliminates/reduces risk at a cost acceptable to the org
- Risk Reduction: reduces risk rather than incurring new risk
- Practicality: makes sense

Term
Definition
Ethics: org's principles of acceptable & proper conduct/system of moral values
Enforcement:
- documents expectations
- defines responsibilities
- regulates security by minimizing risk
- enables org ethical behavior

Term
Regulatory Requirements for Ethics Programs
Definition
Laws & regulations that require organizations to enforce ethics programs:
- Sarbanes-Oxley (SOX) Act
- Health Insurance Portability & Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)

Term
Common Computer Ethics Fallacies (5)
Definition
- Free Information: information is "yearning to be free", so helping it escape is justified
- Computer Game: if the system lets you do something, it's OK (like a video game)
- Taking Candy from a Baby: if people are negligent enough to allow it, why shouldn't I be able to do it?
- Shatterproof: it didn't break anything, so it must be OK
- The Ends Justify the Means: the act is justified because he/she is learning from it to help themselves or society

Term
Internet Architecture Board Ethics: actions to avoid (5)
Definition
- seeking to gain unauthorized access
- disrupting intended Internet use
- wasting resources such as people, capacity, & computers through unprincipled actions
- destroying integrity of computer-based info
- compromising user privacy

Term
(ISC)2 Code of Ethics:
International Information Systems Security Certification Consortium
Definition
Preamble
- ensuring safety/protecting the commonwealth
- requires & acknowledges adherence to the highest ethical standards of behavior
- observing the code is a condition of certification
Canons
- protect society, the commonwealth, and the infrastructure
- act honorably, honestly, justly, responsibly, and legally
- provide diligent/competent service to principals
- advance/protect the profession