by: James Cha

TINFO462Week4Notes.pdf T INFO 462 - Building An Information Risk Management Toolkit

James Cha
GPA 3.59
T INFO 462 - Building An Information Risk Management Toolkit
Marc Dupuis


About this Document

Notes taken for the 4th week of class. No class/lecture was on Tuesday, so the notes I made for this week were from the lecture on Thursday (Jan. 29th) and the textbook itself.





This 3-page Class Notes was uploaded by James Cha on Friday, January 30, 2015. The Class Notes belongs to T INFO 462 - Building An Information Risk Management Toolkit at University of Washington taught by Marc Dupuis in Winter 2015. Since its upload, it has received 97 views. For similar materials see T INFO 462 - Building An Information Risk Management Toolkit in Information technology at University of Washington.


Date Created: 01/30/15
T INFO 462 Week 4: Thursday, January 29th

Performing a Risk Assessment

There are several steps involved in a Risk Assessment (RA):
- First step is to clearly define what you will assess.
  - Describing the system
  - Collecting data to identify threats/vulnerabilities
- Next step is to identify countermeasures or controls that can mitigate the risks.
  - Evaluate in-place and planned controls
- Evaluate and recommend additional controls.
  - Support controls with a cost-benefit analysis

An RA takes time and planning.
Two primary RA approaches: quantitative and qualitative.

Steps Involved in RA

BEFORE progressing with the RA, you must first complete 2 preliminary actions:
- Define the assessment (a point-in-time assessment)
- Review previous findings

The steps of the RA:
- Identify assets and activities to address
- Identify and evaluate relevant threats
- Identify and evaluate relevant vulnerabilities
- Identify and evaluate relevant countermeasures
- Assess threats, vulnerabilities, and exploits
- Evaluate risks
- Develop recommendations to mitigate risks
- Present recommendations to management

Identifying Management Structure

- Refers to how responsibilities are assigned.
- Defining the scope allows easier implementation of recommendations.
- Group Policy: an automated management tool.

Identifying Assets and Activities Within Risk Assessment Boundaries

Asset valuation: the process of determining the fair market value of an asset.
- One of the first priorities of risk management.
- Can determine the value from the replacement value of the asset.
- Can determine the value based on either what the asset provides to the organization or the cost to recover the asset.
- Also possible to determine the value using a combination of both values.

Once you know the value of the assets, you can then prioritize their importance.
- EX: If an asset is worth $1,000, it needs one level of protection.
  - If an asset is worth $1 million, it needs another level of protection.

Scope creep: occurs when you start evaluating assets outside the scope of the RA. This results in wasted time and wasted resources.

When considering the value of an asset, you can look at it from different perspectives:
- Replacement value
  - The cost to purchase a new asset in its place.
  - EX: if a laptop fails or is stolen, the price to purchase a new laptop with similar hardware/software may be up to $1,500.
- Recovery value
  - The cost to get the asset operational after a failure.
  - EX: if the hard drive on a server fails, you wouldn't replace the entire server; instead you'd replace the hard drive and take steps to recover the system.

There are several elements to consider when determining the value of different assets:
- System access and system availability
- System functions
- Hardware and software assets
- Personnel assets
- Data and information assets
- Facilities and supplies

System access and availability: refers to how and when the asset needs to be available.
- Some assets may need to be available 24 hours a day, 7 days a week.
- Other assets may only need to be available Monday through Friday during business hours.
- Email whitelist: a list of approved email addresses or email domains. For example, adding an email address to the whitelist can ensure it is never marked as spam.
- Email blacklist: the opposite of a whitelist, in that listed addresses are automatically marked as spam.

Identifying and Evaluating Relevant Threats

A threat is any potential danger.
- The danger can be to the data, the hardware, or the systems.

Reviewing Historical Data
- You can save a lot of time by reviewing historical data to identify realistic threats.
  - Attacks: If your website was attacked before, it is likely it will be attacked again. The success of the next attack will depend on the level of protection implemented since then.
  - Natural events: If hurricanes have hit your location before, they likely will do so again in the future. Most organizations that are in risk zones for natural disasters have disaster recovery plans in place. Examples of such disasters include hurricanes, tornadoes, and earthquakes. These plans should be reviewed at least once a year.
  - Accidents: Can be any event that affects confidentiality, integrity, or availability. This includes users accidentally deleting data and can also include user errors or mishaps in the workplace.
  - Equipment failures: These result in outages. Some systems are more prone to failure than others and may have a much greater impact on the mission of the business.

Threat Modeling

A process used to identify possible threats on a system. It attempts to look at a system from the attacker's perspective. The result of threat modeling is a document called a threat model.

The threat model provides information on:
- The system: Includes background information on the system.
- Threat profile: This is a list of threats. It identifies what the attacker may try to do to the system, including possible goals of the attack.
- Threat analysis: Each threat in the threat profile is analyzed to determine if an asset is vulnerable. Threat analysis includes reviewing existing controls to determine their effectiveness against the threat.

Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm

