TINFO462Week4Notes.pdf T INFO 462 - Building An Information Risk Management Toolkit
These 3-page class notes were uploaded by James Cha on Friday, January 30, 2015. They belong to T INFO 462 - Building An Information Risk Management Toolkit at the University of Washington, taught by Marc Dupuis in Winter 2015. Since upload, they have received 97 views.
Date Created: 01/30/15
T INFO 462 Week 4, Thursday, January 29th

Performing a Risk Assessment

There are several steps involved in a Risk Assessment (RA):
- First step is to clearly define what you will assess:
  - Describing the system
  - Collecting data to identify threats and vulnerabilities
- Next step is to identify countermeasures or controls that can mitigate the risks:
  - Evaluate in-place and planned controls
- Evaluate and recommend additional controls:
  - Support controls with a cost-benefit analysis
An RA takes timing and planning.
Two primary RA approaches: quantitative and qualitative.

Steps Involved in an RA

BEFORE progressing with the RA, you must first complete two preliminary actions:
- Define the assessment (a point-in-time assessment)
- Review previous findings
Then:
1. Identify assets and activities to address
2. Identify and evaluate relevant threats
3. Identify and evaluate relevant vulnerabilities
4. Identify and evaluate relevant countermeasures
5. Assess threats, vulnerabilities, and exploits
6. Evaluate risks
7. Develop recommendations to mitigate risks
8. Present recommendations to management

Identifying Management Structure
- Refers to how responsibilities are assigned.
- Defining the scope allows easier implementation of recommendations.
- Group Policy is an example of an automated management tool.

Identifying Assets and Activities Within Risk Assessment Boundaries
- Asset valuation: the process of determining the fair market value of an asset.
  - One of the first priorities of risk management.
  - Can determine the value from the replacement value of the asset.
  - Can determine the value based on either what the asset provides to the organization or the cost to recover the asset.
  - Also possible to determine the value using a combination of both values.
- Once you know the value of the assets, you can prioritize their importance.
  - EX: If an asset is worth $1,000, it needs one level of protection.
  - If an asset is worth $1 million, it needs another level of protection.
- Scope creep occurs when you start evaluating assets outside the scope of the RA. This results in wasted time and wasted resources.
- When considering the value of an asset, you can look at it from different perspectives:
  - Replacement value: the cost to purchase a new asset in its place.
    - EX: If a laptop fails or is stolen, the price to purchase a new laptop with similar hardware/software may be up to $1,500.
  - Recovery value: the cost to get the asset operational after a failure.
    - EX: If the hard drive on a server fails, you wouldn't replace the entire server; instead you'd replace the hard drive and take steps to recover the system.
- There are several elements to consider when determining the value of different assets:
  - System access and system availability
  - System functions
  - Hardware and software assets
  - Personnel assets
  - Data and information assets
  - Facilities and supplies
- System access and availability refers to how and when the asset needs to be available.
  - Some assets may need to be available 24 hours a day, 7 days a week.
  - Other assets may only need to be available Monday through Friday during business hours.
- Email whitelist: a list of approved email addresses or email domains. For example, adding an address to the whitelist ensures its mail is never marked as spam. (Caveat: sender addresses are easy to forge, so a whitelist keyed only on the From address does not by itself authenticate the sender.)
- Email blacklist: the opposite of a whitelist; mail from listed addresses or domains is automatically marked as spam.

Identifying and Evaluating Relevant Threats
- A threat is any potential danger.
  - The danger can be to the data, the hardware, or the systems.
- Reviewing historical data
  - You can save a lot of time by reviewing historical data to identify realistic threats.
  - Attacks: If your website has been attacked before, it is likely it will be attacked again. The success of the next attack will depend on the level of protection implemented since then.
  - Natural events: If hurricanes have hit your location before, they likely will do so again in the future. Most organizations in risk zones for natural disasters have disaster recovery plans in place. Examples of such disasters include hurricanes, tornadoes, and earthquakes. These plans should be reviewed at least once a year.
  - Accidents: Can be any event that affects confidentiality, integrity, or availability. This includes users accidentally deleting data, and can also include user errors or mishaps in the workplace.
  - Equipment failures: These result in outages. Some systems are more prone to failure than others and may have a much greater impact on the mission of the business.

Threat Modeling
- A process used to identify possible threats to a system. It attempts to look at a system from the attacker's perspective.
- The result of threat modeling is a document called a threat model. The threat model provides information on:
  - The system: includes background information on the system.
  - Threat profile: a list of threats. It identifies what the attacker may try to do to the system, including possible goals of the attack.
  - Threat analysis: each threat in the threat profile is analyzed to determine if an asset is vulnerable. Threat analysis includes reviewing existing controls to determine their effectiveness against the threat.
- Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm.
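The RA steps (value the in-scope assets, use historical data for threat probability, account for in-place controls, rank by probability and harm, then support a planned control with a cost-benefit check) worked through as a small Python model. This is an added example, not part of the course notes: the assets, the incident history, the control effectiveness figures, the "expected loss = probability x harm" ranking, and the choice of the larger of replacement and recovery value (the notes allow either or a combination) are all constructed assumptions for illustration.

```python
# Added example, not from the original notes. A small quantitative risk-assessment
# model following the steps in the notes: value the in-scope assets, estimate threat
# probability from historical data, account for in-place controls, rank residual
# risks, and check a planned control with a cost-benefit test. All asset, threat,
# control and incident data below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    replacement_value: float  # cost to buy a new asset in its place
    recovery_value: float     # cost to get the asset operational after a failure
    in_scope: bool = True     # assets outside the RA boundary are skipped (scope creep)

    @property
    def value(self) -> float:
        # The notes allow either value or a combination; this model uses the larger.
        return max(self.replacement_value, self.recovery_value)


@dataclass
class Threat:
    name: str
    target: str                # name of the asset the threat acts on
    annual_probability: float  # probability of at least one occurrence per year
    harm_fraction: float       # share of the asset value lost per occurrence (0..1)
    controls: list = field(default_factory=list)  # in-place (name, effectiveness 0..1)


def historical_probability(incidents, years):
    """Estimate annual probability per threat from an incident history.

    incidents: list of (year, threat_name); years: length of the history window.
    A threat seen at least once a year on average is capped at probability 1.0.
    """
    counts = {}
    for _year, threat in incidents:
        counts[threat] = counts.get(threat, 0) + 1
    return {t: min(1.0, n / years) for t, n in counts.items()}


def residual_probability(threat):
    """Probability left after each in-place control, treated as independent."""
    p = threat.annual_probability
    for _name, effectiveness in threat.controls:
        p *= 1.0 - effectiveness
    return p


def assess(assets, threats):
    """Evaluate threats against in-scope assets; rank by residual expected loss."""
    in_scope = {a.name: a for a in assets if a.in_scope}
    results = []
    for t in threats:
        asset = in_scope.get(t.target)
        if asset is None:
            continue  # out of scope: evaluating it would be scope creep
        harm = asset.value * t.harm_fraction  # loss if the threat succeeds once
        results.append({
            "threat": t.name,
            "asset": asset.name,
            "inherent_loss": t.annual_probability * harm,
            "residual_loss": residual_probability(t) * harm,
        })
    results.sort(key=lambda r: r["residual_loss"], reverse=True)
    return results


def cost_benefit(result, control_cost, control_effectiveness):
    """Recommend a planned control only if its yearly cost is below the loss it removes."""
    reduction = result["residual_loss"] * control_effectiveness
    return {"reduction": reduction, "cost": control_cost, "recommend": reduction > control_cost}


# Constructed sample data (not real figures) ------------------------------------
ASSETS = [
    Asset("customer-db", replacement_value=40_000, recovery_value=120_000),
    Asset("staff-laptop", replacement_value=1_500, recovery_value=500),
    Asset("lobby-kiosk", replacement_value=2_000, recovery_value=300, in_scope=False),
]
INCIDENTS = [  # (year, threat) from five years of constructed records
    (2010, "web-attack"), (2011, "web-attack"), (2012, "web-attack"),
    (2013, "web-attack"), (2014, "web-attack"),
    (2012, "laptop-theft"), (2014, "laptop-theft"),
    (2011, "disk-failure"),
]
PROB = historical_probability(INCIDENTS, years=5)
THREATS = [
    Threat("web-attack", "customer-db", PROB["web-attack"], 0.5,
           controls=[("web-app-firewall", 0.6), ("patching", 0.5)]),
    Threat("laptop-theft", "staff-laptop", PROB["laptop-theft"], 1.0,
           controls=[("full-disk-encryption", 0.0)]),  # protects data, not the device
    Threat("disk-failure", "customer-db", PROB["disk-failure"], 0.25,
           controls=[("raid-mirror", 0.9)]),
    Threat("kiosk-vandalism", "lobby-kiosk", 0.4, 1.0),  # out of scope, will be skipped
]

if __name__ == "__main__":
    ranked = assess(ASSETS, THREATS)
    for r in ranked:
        print(f"{r['threat']:15} {r['asset']:13} "
              f"inherent={r['inherent_loss']:>9.2f} residual={r['residual_loss']:>9.2f}")
    print(cost_benefit(ranked[0], control_cost=5_000, control_effectiveness=0.5))
```

The ranking step is where the threat-model prioritization in the notes happens: the same threat can move up or down the list purely because of the effectiveness of the controls already in place, and the cost-benefit check keeps a recommendation honest by comparing the yearly cost of a planned control against the loss it actually removes.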