
Version 4.1 - 7.7 Risk Assessment

For this section, I went back to my CISSP books. This is something that is covered in CISSP classes and ITIL classes.

Risk Management's main function is to _mitigate risk_ . Mitigating risk means to reduce the risk until it reaches a level that is acceptable to an organization. Risk can never be totally eliminated - unless you cease operations. Think of it this way - you don't eat off sterile plates. You eat off _clean_ plates. Clean plates have reduced the amount of material and bacteria to the point where you probably won't get sick. Same thing with risk - you are lowering the risk to the point where your business probably won't be impacted past its pain point.

There are four basic elements in identification of risk:

# The actual threat

# The possible consequences of the realized threat

# The probable frequency of the occurrence of a threat

# The degree of confidence we have that the threat will actually occur

A "threat" is the presence of any potential event that causes an undesirable impact on the organization.
A "vulnerability" is the absence or weakness of a safeguard.
A "safeguard" is the control or countermeasure employed to reduce the risk associated with a specific threat or group of threats.

Some terms you may want to be familiar with: Exposure Factor (EF, the fraction of an asset's value lost in a single occurrence), Single Loss Expectancy (SLE, asset value times EF), Annualized Rate of Occurrence (ARO, how many times per year the threat is expected to occur) and Annualized Loss Expectancy (ALE, SLE times ARO). ALE is the number that lets you compare a threat against the yearly cost of a safeguard.

There are three generic remedies to risk:

+ Risk Reduction - taking measures to alter or improve the risk position of an asset (remediate vulnerabilities)
+ Risk Transference - assign or transfer the potential cost of a risk to another party (insurance)
+ Risk Acceptance - accepting the level of loss that will occur and absorbing that loss

If you have ever had to produce documentation such as a DITSCAP or DIACAP package, you know this drill. The first thing you have to do is list all the possible threats. Then you evaluate your devices/environment to determine whether you are vulnerable to those threats. You also have to estimate how likely each of those events is. Once you have determined the "risk," you outline your countermeasures and mitigating factors. Your risk minus the countermeasures equals your Residual Risk. The Residual Risk must then be either reduced further, transferred or accepted - and whichever you choose should be written down and signed off by someone with the authority to accept it.

This is important because now you're talking in management/business terms. This is also how you need to present your requests for equipment and tools (if you want them to be approved). If you can show that the control/tool you want costs less per year than the loss you expect without it - that carries a lot of weight! It cuts the other way too: an organization may be exposed to legal liability if a safeguard costs less than the loss a realized threat would cause and the organization still does not implement it. [You have not exercised due care.]

I like to think of it this way: you do not buy a $40 lock to secure a $10 bicycle; you do not use a $10 lock to secure a bank vault.
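Here is the whole calculation carried through in working code, as an added example that is not part of the original post: it takes the EF/SLE/ARO/ALE terms above, prices each candidate safeguard, computes the residual risk, and ends with the reduce/transfer/accept decision. The formulas are the standard CISSP ones; the asset value, exposure factors, rates, prices, control names and the risk appetite figure are all constructed, illustrative numbers, and the ranking logic is my own, not a method from any standard.

```python
"""Quantitative risk assessment with the CISSP terms: EF, SLE, ARO, ALE,
safeguard cost/benefit and residual risk.

Added example, not code from the original post.  Formulas are the standard
CISSP ones:
    SLE = AV * EF                 (Single Loss Expectancy)
    ALE = SLE * ARO               (Annualized Loss Expectancy)
    safeguard value = ALE(before) - ALE(after) - annual safeguard cost
Every asset value, exposure factor, rate and price below is a constructed,
illustrative number.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    threat: str
    asset_value: float        # AV: what the asset is worth, in dollars
    exposure_factor: float    # EF: fraction of AV lost in one occurrence (0..1)
    aro: float                # ARO: expected occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_ef: Optional[float] = None    # None: the control does not change EF
    new_aro: Optional[float] = None   # None: the control does not change ARO

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this safeguard is in place."""
        return replace(
            risk,
            exposure_factor=risk.exposure_factor if self.new_ef is None else self.new_ef,
            aro=risk.aro if self.new_aro is None else self.new_aro,
        )


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual benefit of the control minus what it costs.  Negative means
    you are buying a $40 lock for a $10 bicycle."""
    return risk.ale() - sg.residual(risk).ale() - sg.annual_cost


def recommend(risk: Risk, options, risk_appetite: float) -> dict:
    """Decide reduce / transfer / accept (ranking rule is this example's own).

    Picks the safeguard with the best positive value (reduce), then checks
    whether the residual ALE is still above what the business will absorb
    per year: if so the remainder is a candidate for transfer (insurance),
    otherwise it is accepted.
    """
    if not options:
        raise ValueError("need at least one candidate safeguard")
    scored = sorted(((safeguard_value(risk, sg), sg) for sg in options),
                    key=lambda t: t[0], reverse=True)
    best_value, best = scored[0]
    if best_value > 0:
        chosen, residual_ale, action = best, best.residual(risk).ale(), "reduce"
    else:
        chosen, residual_ale, action = None, risk.ale(), "no cost-effective safeguard"
    return {"action": action,
            "safeguard": chosen.name if chosen else None,
            "residual_ale": residual_ale,
            "leftover": "transfer" if residual_ale > risk_appetite else "accept",
            "rejected": [sg.name for v, sg in scored if v <= 0]}


# Constructed scenario: a customer database worth $500k facing ransomware,
# expected once every two years, losing 40% of the asset's value per hit.
RANSOMWARE = Risk("ransomware on customer DB", asset_value=500_000,
                  exposure_factor=0.4, aro=0.5)

OPTIONS = [  # constructed candidate controls and prices
    Safeguard("offline backups + tested restore", annual_cost=15_000, new_ef=0.1),
    Safeguard("EDR on every endpoint", annual_cost=40_000, new_aro=0.2),
    Safeguard("full DR site + 24x7 SOC", annual_cost=120_000, new_ef=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE ${RANSOMWARE.sle():,.0f}   ALE ${RANSOMWARE.ale():,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:38s} value/yr ${safeguard_value(RANSOMWARE, sg):>10,.0f}")
    print(recommend(RANSOMWARE, OPTIONS, risk_appetite=30_000))
```

With these numbers the backup control wins (about $60k/yr of net benefit), the DR site is rejected because it costs more than the loss it prevents, and the $25k of residual ALE is accepted because it sits under the $30k the business said it could absorb; lower the appetite to $10k and the same residual becomes a transfer candidate instead.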

