Summary of the resource
Security Management
Unit 5: risk analysis and management (part 1)
- risk model
- risk
- identify, analyze, model
- assets
- threats
- vulnerabilities
- management
- countermeasures
- implementation
- audit
- definitions
- risk
- the potential for an unwanted event to have a negative impact upon an activity by exploiting an exposure
- risk management
- reduction of the exposures identified by risk analysis to a level acceptable to the organization
- gap analysis
- highlights areas where there are significant gaps in the security management process or in the security measures implemented
- business impact analysis
- identifies the impact on the organization if the business functions that core information systems support are interrupted; quantifies their importance to the business
- assets
- physical environment
- hardware
- data
- software/systems
- communications network
- infrastructure
- staff
- 4 kinds of risk
- business
- project
- operational
- financial
- related legislation
- HIPAA
- Gramm-Leach-Bliley Act
- Basel II
- Sarbanes-Oxley Act
- Financial Services and Markets Act
- manually documented or software-guided?
- manual
- low cost to entry
- simpler but error prone
- less efficient
- harder to share and repeat
- increased cost of expertise maintenance
- software guided
- consistently implements a specific methodology
- guides user
- reusable, shareable
- dynamic, efficient
- software options (image)
Attachments:
- ISMS documentation set
- infosec policy
- information asset register
- risk assessment report
- statement of applicability
- policies and procedures
- threat motivation
- resources
- opportunity
- capability
- publicity
- asset attractiveness
- qualitative vs. quantitative
- qualitative
- capable of handling soft impacts
- handles hard & soft impacts consistently
- adapts to emerging best practices
- accepts that risk mgt is evolving
- relies on the consensus of those "best placed" to judge
- dependent on expert opinion
- only as good as your best available expert opinion
- quantitative
- every loss is capable of being expressed in financial terms
- requires careful records
- formula for financial impact (image)
Attachments:
- expected frequency of attacks is known (statistics bank)
- has problems with new risks
- has problems with less concrete risks