by: James Cha

TINFO462Week5Notes.pdf T INFO 462 - Building An Information Risk Management Toolkit

James Cha
GPA 3.59
T INFO 462 - Building An Information Risk Management Toolkit
Marc Dupuis

About this Document

As this course is taken only 1 day of the week, these notes were taken over the course of week 5. Taken directly from the textbook and lecture slides, these notes should have no errors in them.
T INFO 462 - Building An Information Risk Management Toolkit
Marc Dupuis
Class Notes
This 4 page Class Notes was uploaded by James Cha on Friday February 6, 2015. The Class Notes belongs to T INFO 462 - Building An Information Risk Management Toolkit at University of Washington taught by Marc Dupuis in Winter2015. Since its upload, it has received 68 views. For similar materials see T INFO 462 - Building An Information Risk Management Toolkit in Information technology at University of Washington.

Date Created: 02/06/15
T INFO 462 Building an Information Risk Management ToolKit
Week 5 (Tuesday Feb 3rd and Thursday Feb 5th) Notes

Planning Risk Mitigation Throughout Your Organization

After completing the basics of identifying assets, threats, and vulnerabilities, you can begin by identifying controls.

Controls: Mitigate risk throughout an organization.
  - One of the ways to evaluate controls is to identify critical business operations and critical business functions.
  - Controls should be in place to protect against risks for these critical areas of your business.

Compliance: An important topic in IT today. If any laws or guidelines govern your organization, you need to ensure you're compliant. Noncompliance can be quite expensive.
  - 1st step is identifying the relevant laws and guidelines to see if they apply to your organization.
    - If they do apply, you need to assess the regulations to identify the impact on your organization.

Where Should Your Organization Start with Risk Mitigation?

Your organization should start by identifying assets.

Asset Inventory: Helps determine the value of your systems, services, and data.
  - The value of the assets can be monetary or relative.
  - Example: Assigning values such as High, Medium, and Low for assets.
    - The value does not necessarily equate to the cost of equipment; rather, the value relates to the possible business impact if the assets are damaged or lost.

Scope of Risk Management for Your Organization

The scope of risk management indicates your area of concern or your area of control. There are things you can control and things you can't.
  - Example: You can't control hurricanes or earthquakes, but you can reduce the impact of these events by planning how your organization will respond, so the scope identifies the boundaries of a project.

When considering risk management scope within your organization, consider the following items:
  - Critical business operations: An early step in risk management is identifying what business operations are critical; you want to identify what business operations must be functional to ensure the organization stays afloat.
  - Customer service delivery: An evaluation of services you provide to customers; a customer is any entity that receives a service.
  - Mission-critical business systems, applications, and data access: Many organizations have these, and when they aren't available the mission is affected.
  - Seven domains of a typical IT infrastructure: Reviewing the seven domains of a typical IT infrastructure to identify risks.
    - User Domain: Every organization has users, and computers are here to support them.
    - Workstation Domain: The computers that the users will use.
    - LAN Domain: Includes the networking components that connect systems on a local area network (LAN).
    - LAN-to-WAN Domain: Marks the boundary where the private network meets the public network.
    - WAN Domain: Includes all systems that are accessible over a wide area network (WAN).
    - System/Application Domain: Includes any server-based applications such as e-mail servers, database servers, or any system that has a dedicated application.
    - Remote Access Domain: Allows remote users to access the private network.
  - Information systems security gap: Refers to the difference between the controls you have in place and what you need.

Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization

It is very important for an organization to know what laws and regulations apply to it, and once identified, it is important to ensure that the organization is in compliance. Noncompliance can have serious consequences, as some laws assess hefty fines on an organization, result in jail time, and can negatively affect an organization's ability to do business.

Compliance is a mitigation control.
  - You implement controls to mitigate risk.
  - Controls reduce or neutralize threats or vulnerabilities to an acceptable level.

When assessing the impact of compliance issues in your organization, you should take 2 distinct steps:
  1. Identify what compliance issues apply to your organization.
  2. Assess the impact of these issues on your business operations.

Legal Requirements, Compliance Laws, Regulations, and Mandates

Although there are many laws and regulations that apply to IT, they don't apply to ALL organizations. Some key laws that apply to organizations are:
  - Health Insurance Portability and Accountability Act (HIPAA): Applies to any organization that handles health information.
  - Sarbanes-Oxley Act (SOX): Applies to any business that is required to be registered with the Securities and Exchange Commission.
  - Federal Information Security Management Act (FISMA): Applies to all US federal agencies to protect their data.
  - Family Educational Rights and Privacy Act (FERPA): Applies to all education institutions and agencies that receive funding under any program administered by the US Department of Education.
  - Children's Internet Protection Act (CIPA): Applies to any school or library that receives funding from the US E-Rate Program.
  - Payment Card Industry Data Security Standard (PCI DSS): This is NOT a law but rather a standard that was jointly created by several credit card companies.

Cost-Benefit Analysis

A cost-benefit analysis (CBA) is a significant step when evaluating a control. You compare the cost of the control to the cost of the risk if it occurs. If the control costs more to implement than the cost of the risk, it is not cost-effective.

There are 2 pieces of data needed to perform an effective CBA:
  - Know the cost of the control.
  - Know the projected benefits of the control.
    - Formula for calculating the projected benefits:
        Loss before control - Loss after control = Projected benefits
    - Then you can determine if the control should be used:
        Projected benefits - Cost of control = Control value
      - If the result is a positive value, the control is worthwhile.
      - If the result is negative, the control costs more than the benefits and shouldn't be purchased.

Best Practices for Planning Risk Mitigation Throughout Your Organization

When planning risk mitigation strategies for your organization, you can use several best practices:
  - Review Historical Documentation: Includes documentation on policies and procedures and past security incidents.
  - Include Both a Narrow and Broad Focus: Identifying specific risks and mitigation strategies for specific systems and functions as a narrow focus, but also broadening the focus to include the entire organization.
  - Ensure That You Identify Governing Laws: Taking time to understand laws.
  - Redo RAs When a Control Changes: Risk assessments are completed at a point in time, and if a control changes, the RA is no longer valid.
  - Include a Cost-Benefit Analysis: CBAs provide justification for controls and help you determine their value.
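The two CBA formulas in the notes (projected benefits = loss before control - loss after control; control value = projected benefits - cost of control) applied to several candidate controls at once, as an added example that is not part of the notes or the course textbook. The candidate controls and their dollar figures are constructed for illustration; the notes only call a positive control value worthwhile, so a value of exactly zero is rejected here as well.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate control with the two pieces of data a CBA needs."""
    name: str
    cost: float          # cost to implement the control
    loss_before: float   # expected loss from the risk with no control in place
    loss_after: float    # expected loss from the risk once the control is in place


def projected_benefits(control: Control) -> float:
    """Loss before control - Loss after control = Projected benefits."""
    return control.loss_before - control.loss_after


def control_value(control: Control) -> float:
    """Projected benefits - Cost of control = Control value."""
    return projected_benefits(control) - control.cost


def is_worthwhile(control: Control) -> bool:
    """Positive value: worthwhile. Negative (or zero): costs more than it saves."""
    return control_value(control) > 0


def evaluate_controls(controls):
    """Return (name, control value, worthwhile?) rows, best value first."""
    rows = [(c.name, control_value(c), is_worthwhile(c)) for c in controls]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample candidates (illustrative figures, not from the notes).
CANDIDATES = [
    # Large benefit, modest cost: clearly worthwhile.
    Control("Offsite backups", cost=8_000, loss_before=50_000, loss_after=5_000),
    # Real benefit, but the control costs more than it saves: negative value.
    Control("Web application firewall", cost=25_000, loss_before=30_000, loss_after=12_000),
    # Control that does not reduce the loss at all: benefits are zero, so value is -cost.
    Control("Badge readers on server room", cost=15_000, loss_before=15_000, loss_after=15_000),
]


if __name__ == "__main__":
    for name, value, worthwhile in evaluate_controls(CANDIDATES):
        verdict = "worthwhile" if worthwhile else "not cost-effective"
        print(f"{name:32s} control value = {value:>10,.0f}  ({verdict})")
```

The loss figures are whatever loss estimate the organization already uses for the risk (the notes leave the unit open); the decision rule only depends on the sign of the control value, so the same code works with relative scores as long as cost and loss are expressed on the same scale.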

