TINFO462Week5Notes.pdf T INFO 462 - Building An Information Risk Management Toolkit
This 4 page Class Notes was uploaded by James Cha on Friday February 6, 2015. The Class Notes belongs to T INFO 462 - Building An Information Risk Management Toolkit at University of Washington taught by Marc Dupuis in Winter 2015. Since its upload, it has received 68 views. For similar materials see T INFO 462 - Building An Information Risk Management Toolkit in Information technology at University of Washington.
Date Created: 02/06/15
T INFO 462 Building an Information Risk Management Toolkit
Week 5 (Tuesday Feb 3rd and Thursday Feb 5th) Notes

Planning Risk Mitigation Throughout Your Organization
After completing the basics of identifying assets, threats, and vulnerabilities, you can begin by identifying controls.

Controls: Mitigate risk throughout an organization.
 - One of the ways to evaluate controls is to identify critical business operations and critical business functions.
 - Controls should be in place to protect against risks for these critical areas of your business.

Compliance: An important topic in IT today. If any laws or guidelines govern your organization, you need to ensure you're compliant. Noncompliance can be quite expensive.
 - 1st step is identifying the relevant laws and guidelines to see if they apply to your organization.
   - If they do apply, you need to assess the regulations to identify the impact on your organization.

Where Should Your Organization Start with Risk Mitigation?
Your organization should start by identifying assets.

Asset Inventory: Helps determine the value of your systems, services, and data.
 - The value of the assets can be monetary or relative.
 - Example: Assigning values such as High, Medium, and Low for assets.
   - The values do not necessarily equate to the cost of equipment; rather, the value relates to the possible business impact if the assets are damaged or lost.

Scope of Risk Management for Your Organization
The scope of risk management indicates your area of concern or your area of control. There are things you can control and things you can't.
 - Example: You can't control hurricanes or earthquakes, but you can reduce the impact of these events by planning how your organization will respond, so the scope identifies the boundaries of a project.

When considering risk management scope within your organization, consider the following items:
 - Critical business operations: An early step in risk management is identifying what business operations are critical; you want to identify what business operations must be functional to ensure the organization stays afloat.
 - Customer service delivery: An evaluation of services you provide to customers; a customer is any entity that receives a service.
 - Mission-critical business systems, applications, and data access: Many organizations have these, and when they aren't available the mission is affected.
 - Seven domains of a typical IT infrastructure: Reviewing the seven domains of a typical IT infrastructure to identify risks.
   - User Domain: Every organization has users, and computers are here to support them.
   - Workstation Domain: The computers that the users will use.
   - LAN Domain: Includes the networking components that connect systems on a local area network (LAN).
   - LAN-to-WAN Domain: Marks the boundary where the private network meets the public network.
   - WAN Domain: Includes all systems that are accessible over a wide area network (WAN).
   - System/Application Domain: Includes any server-based applications such as e-mail servers, database servers, or any system that has a dedicated application.
   - Remote Access Domain: Allows remote users to access the private network.
 - Information systems security gap: Refers to the difference between the controls you have in place and what you need.

Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization
It is very important for an organization to know what laws and regulations apply to it, and once identified, it is important to ensure that the organization is in compliance. Noncompliance can have serious consequences, as some laws assess hefty fines on an organization, result in jail time, and can negatively affect an organization's ability to do business.

Compliance is a mitigation control.
 - You implement controls to mitigate risk.
 - Controls reduce or neutralize threats or vulnerabilities to an acceptable level.

When assessing the impact of compliance issues in your organization, you should take 2 distinct steps:
 1. Identify what compliance issues apply to your organization.
 2. Assess the impact of these issues on your business operations.

Legal Requirements, Compliance Laws, Regulations, and Mandates
Although there are many laws and regulations that apply to IT, they don't all apply to every organization. Some key laws that apply to organizations are:
 - Health Insurance Portability and Accountability Act (HIPAA): Applies to any organization that handles health information.
 - Sarbanes-Oxley Act (SOX): Applies to any business that is required to be registered with the Securities and Exchange Commission.
 - Federal Information Security Management Act (FISMA): Applies to all US federal agencies to protect their data.
 - Family Educational Rights and Privacy Act (FERPA): Applies to all education institutions and agencies that receive funding under any program administered by the US Department of Education.
 - Children's Internet Protection Act (CIPA): Applies to any school or library that receives funding from the US E-Rate Program.
 - Payment Card Industry Data Security Standard (PCI DSS): This is NOT a law but rather a standard that was jointly created by several credit card companies.

Cost-Benefit Analysis
A cost-benefit analysis (CBA) is a significant step when evaluating a control. You compare the cost of the control to the cost of the risk if it occurs. If the control costs more to implement than the cost of the risk, it is not cost-effective.

There are 2 pieces of data needed to perform an effective CBA:
 - Know the cost of the control.
 - Know the projected benefits of the control.
   - Formula for calculating the projected benefits:
     Loss before control - Loss after control = Projected benefits
   - Then you can determine if the control should be used:
     Projected benefits - Cost of control = Control value
   - If the result is a positive value, the control is worthwhile.
   - If the result is negative, the control costs more than the benefits and shouldn't be purchased.

Best Practices for Planning Risk Mitigation Throughout Your Organization
When planning risk mitigation strategies for your organization, you can use several best practices:
 - Review Historical Documentation: Includes documentation on policies and procedures and past security incidents.
 - Include Both a Narrow and Broad Focus: Identifying specific risks and mitigation strategies for specific systems and functions as a narrow focus, but also broadening the focus to include the entire organization.
 - Ensure That You Identify Governing Laws: Taking time to understand laws.
 - Redo RAs When a Control Changes: Risk assessments are completed at a point in time, and if a control changes after that point, the RA is no longer valid.
 - Include a Cost-Benefit Analysis: CBAs provide justification for controls and help you determine their value.
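Worked example of the two CBA formulas from the notes (projected benefits, then control value), extended to rank several candidate controls for one risk and separate the ones that are not worthwhile. This is an added illustration, not part of the original notes; the loss figures and control names are constructed.

```python
"""Cost-benefit analysis of candidate controls, using the formulas from
the Week 5 notes:
    Loss before control - Loss after control = Projected benefits
    Projected benefits  - Cost of control    = Control value
A control is worthwhile only when its control value is positive."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # cost to implement the control
    loss_after: float  # projected loss from the risk with the control in place


def projected_benefits(loss_before: float, loss_after: float) -> float:
    """Loss before control - Loss after control = Projected benefits."""
    return loss_before - loss_after


def control_value(benefits: float, cost: float) -> float:
    """Projected benefits - Cost of control = Control value."""
    return benefits - cost


def evaluate_controls(loss_before: float, controls):
    """Score every candidate against the same loss-before figure.

    Returns (worthwhile, rejected) as lists of (name, control value).
    Worthwhile controls (positive value) are sorted best-first; a value of
    zero or less means the control costs at least as much as it saves."""
    scored = [(c.name, control_value(projected_benefits(loss_before, c.loss_after), c.cost))
              for c in controls]
    worthwhile = sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)
    rejected = [s for s in scored if s[1] <= 0]
    return worthwhile, rejected


# Constructed sample: projected loss from one risk with no control in place,
# and three hypothetical candidate controls for it.
LOSS_BEFORE = 50000
CANDIDATE_CONTROLS = [
    Control("Offsite backups", cost=8000, loss_after=5000),
    Control("Hot site", cost=60000, loss_after=0),        # costs more than the risk
    Control("Staff training", cost=3000, loss_after=30000),
]

if __name__ == "__main__":
    keep, drop = evaluate_controls(LOSS_BEFORE, CANDIDATE_CONTROLS)
    for name, value in keep:
        print(f"worthwhile: {name} (control value {value})")
    for name, value in drop:
        print(f"reject:     {name} (control value {value})")
```

The "Hot site" control removes the loss entirely but still fails the CBA, which is the case the notes warn about: a control that costs more than the risk is not cost-effective no matter how well it works.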