A process used within risk management to identify how much risk exists in a given network or system.
Risk: The probability that a threat will be realized, that is, that a threat exploits a vulnerability. Quantitative methods combine this likelihood with the magnitude of impact.
Vulnerabilities: Weaknesses in the design, implementation, or configuration of a system that a threat could exploit.
Threat: Any condition or actor that could cause harm, loss, damage, or compromise to our information technology. Threats are external and beyond your control; what you control are the vulnerabilities they could exploit and the controls that limit their impact.
Risk Avoidance: A strategy that stops the activity carrying the risk, or chooses a less risky alternative.
Risk Transfer: A strategy that passes the risk, or its financial consequences, to a third party, for example through cyber insurance or by outsourcing the activity.
Risk Mitigation: A strategy that applies security controls to reduce the risk to an acceptable level.
Risk Acceptance: A strategy that consciously accepts the current level of risk, and the cost that would follow if the risk were realized, typically because treating the risk would cost more than the expected loss. The decision should be documented and revisited.
Residual Risk: The risk that remains after risk has been avoided, transferred, or mitigated; it is the risk the organization ultimately accepts.
Qualitative Risk: Assessing risk by assigning relative values (such as low, medium, or high likelihood and impact) based on intuition, experience, and other non-numerical methods.
Quantitative Risk: Assessing risk with numerical and monetary values, using asset value, exposure factor, and rate of occurrence to calculate expected loss.
Magnitude of Impact: An estimate of the amount of damage that a negative risk could cause if it were realized.
Single Loss Expectancy (SLE): The cost associated with a single realization of a given threat. SLE = Asset Value (AV) * Exposure Factor (EF), where EF is the fraction of the asset's value lost in one occurrence.
Annualized Rate of Occurrence (ARO): The number of times per year that a threat is expected to be realized.
Annualized Loss Expectancy (ALE): The expected cost of a realized threat over one year. ALE = SLE * ARO.
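Worked example of the SLE, ARO and ALE formulas on the cards above, carried through to the mitigate-versus-accept decision they are used for: a control is worth buying when the ALE it removes exceeds its own annual cost, and the ALE left over is the residual risk. This is an added example, not part of the original flashcards; the threats, dollar figures and controls are constructed for illustration.

```python
"""Quantitative risk worked example: SLE, ALE and a mitigate-or-accept decision."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A threat against one asset, described with the quantitative risk terms."""
    name: str
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0 - 1.0)
    aro: float               # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # Reject inputs that make the formulas meaningless rather than silently computing.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF / ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains after the control is applied (the residual risk, in dollars per year)."""
    return threat.asset_value * control.residual_ef * control.residual_aro


def control_value(threat: Threat, control: Control) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost of the control.
    Positive means mitigating is cheaper than accepting the current ALE."""
    return threat.ale() - residual_ale(threat, control) - control.annual_cost


def recommend(threat: Threat, control: Control) -> str:
    """Mitigate when the control pays for itself; otherwise accept (or consider transfer/avoidance)."""
    return "mitigate" if control_value(threat, control) > 0 else "accept"


def rank_by_ale(threats: list[Threat]) -> list[str]:
    """Threat names ordered by expected annual loss, largest first, for prioritisation."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale(), reverse=True)]


# Constructed sample inputs (illustrative figures, not real data).
RANSOMWARE = Threat("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2)
LAPTOP_THEFT = Threat("stolen laptop", asset_value=3_000, exposure_factor=1.0, aro=2.0)
DEV_BOX_OUTAGE = Threat("power outage on dev box", asset_value=5_000, exposure_factor=0.2, aro=1.0)

BACKUPS_AND_EDR = Control("offline backups + EDR", annual_cost=12_000, residual_ef=0.1, residual_aro=0.2)
DISK_ENCRYPTION = Control("full-disk encryption + remote wipe", annual_cost=1_500, residual_ef=0.2, residual_aro=2.0)
UPS = Control("UPS for dev box", annual_cost=1_200, residual_ef=0.0, residual_aro=1.0)

if __name__ == "__main__":
    pairs = [(RANSOMWARE, BACKUPS_AND_EDR), (LAPTOP_THEFT, DISK_ENCRYPTION), (DEV_BOX_OUTAGE, UPS)]
    for threat, control in pairs:
        print(f"{threat.name}: SLE=${threat.sle():,.0f} ALE=${threat.ale():,.0f} "
              f"-> {control.name}: residual ALE=${residual_ale(threat, control):,.0f} "
              f"value=${control_value(threat, control):,.0f} => {recommend(threat, control)}")
    print("priority order:", rank_by_ale([RANSOMWARE, LAPTOP_THEFT, DEV_BOX_OUTAGE]))
```

With these figures the ransomware control removes $16,000 of ALE for $12,000 a year and is worth mitigating, while a $1,200 UPS against a $1,000 ALE costs more than the loss it prevents, so that risk is accepted. Note that the UPS case still has a non-zero risk after the decision: accepting a risk means the full ALE becomes the residual risk the organization carries.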
Security Assessments: Verify that the organization's security posture is designed and configured properly to thwart different types of attacks. They may be required by contracts, regulations, or laws.
Active Assessments: Use more intrusive techniques such as scanning, hands-on testing, and probing of the network to determine vulnerabilities. They interact directly with the target systems, so they need authorization and can affect availability.
Passive Assessments: Use open-source information, passive collection and analysis of network data, and other unobtrusive methods that never make direct contact with the targeted systems. They are limited in the amount of detail they can find.
Security Controls: Methods implemented to mitigate a particular risk.
Physical Controls: Security measures designed to deter or prevent unauthorized physical access to sensitive information or to the systems that contain it, such as locks, guards, fences, and cameras.
Technical Controls: Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information.
Administrative Controls: Controls focused on changing the behavior of people (policies, procedures, training) instead of removing the actual risk involved.
Management Controls: Security controls focused on decision-making and the management of risk, such as risk assessments and security planning (one of the three categories in the management/operational/technical classification).
Operational Controls: Controls focused on things done by people, such as awareness training, incident handling, and configuration management.
Technical Controls: In the management/operational/technical classification, the logical controls put into a system to help secure it, such as authentication, encryption, and firewalls.
Preventative Controls: Security controls installed before an event happens and designed to prevent it from occurring (for example, firewalls and access control lists).
Detective Controls: Controls used during the event to discover whether something bad is happening (for example, intrusion detection systems, log review, and CCTV).
Corrective Controls: Controls used after an event occurs to limit the damage and restore normal operation (for example, restoring from backup or patching after an incident).
Compensating Control: A control used whenever you can't meet the requirements of a normal control; it must provide equivalent protection (for example, isolating a legacy system on its own network segment when it cannot be patched).
External Risk: Risks produced by a non-human source and beyond human control, such as natural disasters and severe weather.
Internal Risk: Risks that form within the organization, arise during normal operations, and are often forecastable.
Legacy Systems: An old method, technology, computer system, or application program, including an outdated computer system still in use. Legacy systems are often no longer supported or patched by the vendor, so they usually need compensating controls.
Multiparty: A risk that arises from connecting multiple systems or organizations, with each bringing its own inherent risks.
Intellectual Property (IP) Theft: The risk of business assets and property being stolen from an organization, causing economic damage, loss of competitive edge, or a slowdown in business growth.
Software Compliance/Licensing: The risk of a company not being aware of what software or components are installed within its network, leading to license violations or to unpatched, unsupported software being run.