CompTIA® Security+ Exam Notes : Explain Risk Management Processes And Concepts

5. Risk Management

5.3 Explain risk management processes and concepts

Risk Response Features:

Risk mitigation: Accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on.

Risk avoidance: Elimination of the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but often not possible due to organizational requirements. Eliminating email to avoid the risk of email-borne viruses is an effective solution but not likely to be a realistic approach in the modern enterprise.

Risk assessment: Should include planning against both external and internal threats. During a risk assessment, it is important to identify potential threats and document standard responses.

Risk Transference: A risk or the effect of its exposure may be transferred by moving to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from equipment theft or data exposure.

While performing a risk assessment for an organization, the following should be done during impact assessment and quantification:

  • Asset identification - Identify organizational assets
  • Threat assessment - Identify the threats to the assets or resources
  • Impact definition and quantification - Study the likely loss to the assets or resources due to a given threat. The loss may be to brand image, and not necessarily to a physical resource.
  • Control design and evaluation - Put controls in place to mitigate the threat. The controls may be device based, software based, or personnel training.

Assets need to be identified first as part of risk assessment.

Vulnerability assessment is part of an organization's security architecture.

ALE: The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as: ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending $10,000 per year on a security measure which will eliminate it.

The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation it faces.

The following four strategies are the ones normally used to respond to risk:

1. Acceptance: Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level.

2. Transfer: The transfer strategy in managing risk is to give responsibility for the risk to someone outside the project. The risk does not go away; the responsibility of the risk is simply given to someone else.

3. Risk Avoidance: This strategy is used to make the risk cease to be a possibility. In risk avoidance, we completely eliminate the possibility of the risk. If the sponsor of the project agrees to allow a risk-filled deliverable to be removed from the project, the risk is removed along with the deliverable.

4. Mitigation: Risks that are above the maximum risk tolerance value are not acceptable, and something has to be done about them. Mitigation is a strategy where work is done on unacceptable risks to reduce either their probability or their impact to a point where their severity falls below the maximum risk tolerance level.

Vulnerability testing:

Vulnerability testing is part of testing corporate assets for any particular vulnerability. These may include:

1. Blind testing: Here the tester has no prior knowledge of the network. It is performed from outside the network.

2. Knowledgeable testing: Here the tester has prior knowledge of the network.

3. Internet service testing: A test for vulnerabilities in Internet-facing services such as web services.

4. Dial-up service testing: Here the tester tries to gain access through an organization's remote access servers.

5. Infrastructure testing: Here the infrastructure, including protocols and services, is tested for any vulnerabilities.

6. Application testing: The applications that are running on an organization's servers are tested here.

Any software is inherently prone to vulnerabilities. Therefore, software manufacturers provide updates or patches from time to time. These updates usually address known vulnerabilities, so it is important to apply them.

Additional functionality is also one of the reasons for applying software updates. However, it is often not the compelling reason to apply them.

Scenario: You are assessing the risk factor of an organization. You find that only one employee in the organization has been trained for, and is solely responsible for, the complete product life cycle. What is a possible risk resulting from this?

Solution: While assessing the risk of an organization, avoiding single points of failure is one of the most important issues. A single point of failure may be avoided by separation of duties and by training more than one employee in any given area of expertise.
