Mike Chapple

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide



and loss

       Liability of asset loss

       Usefulness

       Relationship to research and development

      Assigning or determining the value of assets to an organization can fulfill numerous requirements by

       Serving as the foundation for performing a cost/benefit analysis of asset protection when performing safeguard selection

       Serving as a means for evaluating the cost-effectiveness of safeguards and countermeasures

       Providing values for insurance purposes and establishing an overall net worth or net value for the organization

       Helping senior management understand exactly what is at risk within the organization

       Preventing negligence of due care/due diligence and encouraging compliance with legal requirements, industry regulations, and internal security policies

      If a threat-based or threat-initiated risk analysis is being performed, then after the organization inventories threats and identifies vulnerable assets to those threats, asset valuation takes place.

      Identify Threats and Vulnerabilities

      For an expansive and formal list of threat examples, concepts, and categories, consult National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30r1 Appendix D, “Threat sources,” and Appendix E, “Threat events.” For coverage of threat modeling, see Chapter 1.

      In most cases, a team rather than a single individual should perform risk assessment and analysis. Also, the team members should be from various departments within the organization. It is not usually a requirement that all team members be security professionals or even network/system administrators. The diversity of the team based on the demographics of the organization will help exhaustively identify and address all possible threats and risks.

      The Consultant Cavalry

      Risk assessment is a highly involved, detailed, complex, and lengthy process. Often risk analysis cannot be properly handled by existing employees because of the size, scope, or liability of the risk; thus, many organizations bring in risk management consultants to perform this work. This provides a high level of expertise, does not bog down employees, and can be a more reliable measurement of real-world risk. But even risk management consultants do not perform risk assessment and analysis on paper only; they typically employ risk assessment software. This software streamlines the overall task, provides more reliable results, and produces standardized reports that are acceptable to insurance companies, boards of directors, and so on.

      Risk Assessment/Analysis

      Risk management is primarily the responsibility of upper management. However, upper management typically assigns the actual task of risk analyses and risk response modeling to a team from the IT and security departments. The results of their work will be submitted as a proposal to upper management, who will make the final decisions as to which responses are implemented by the organization.

      It is the responsibility of upper management to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. All risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care/due diligence.

      Once an inventory of threats and assets (or assets and threats) is developed, then each asset-threat pairing must be individually evaluated and its related risk calculated or assessed. There are two primary risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset and is based on mathematical calculations. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions. Both methods are necessary for a complete perspective on organizational risk. Most environments employ a hybrid of both risk assessment methodologies in order to gain a balanced view of their security concerns.

      The goal of risk assessment is to identify risks (based on asset-threat pairings) and rank them in order of criticality. This risk criticality prioritization is needed in order to guide the organization in optimizing the use of their limited resources on protections against identified risks, from the most significant to those just above the risk acceptance threshold.

      The two risk assessment approaches (quantitative and qualitative) can be seen as distinct and separate concepts or as endpoints on a sliding scale. As discussed in Chapter 1, a basic probability versus damage 3×3 matrix relies on an innate understanding of the assets and threats and on the judgment call of the risk analyst to decide whether the likelihood and severity are low, medium, or high. This is likely the simplest form of qualitative assessment. It requires minimal time and effort. However, if it fails to provide the needed clarity or distinction of criticality prioritization, then a more in-depth approach should be undertaken. A 5×5 matrix or even larger could be used. However, each increase in matrix size requires more knowledge, more research, and more time to properly assign a level to probability and severity. At some point, the evaluation shifts from being mostly subjective qualitative to more substantial quantitative.

      Another perspective on the two risk assessment approaches is that a qualitative mechanism can be used first to determine whether a detailed and resource/time-expensive quantitative mechanism is necessary. An organization can also perform both approaches and use them to adjust or modify each other; for example, qualitative results can be used to fine-tune quantitative priorities.
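      The progression described above, from a coarse 3×3 judgment to a finer matrix when the ranking of asset-threat pairings is not distinct enough, as an added example (not the book's own material). The score bands, the acceptance threshold, and the sample inventory are assumptions constructed for the illustration.

```python
from typing import NamedTuple

class Pairing(NamedTuple):
    asset: str
    threat: str
    likelihood: int  # 1..scale (1 = low)
    severity: int    # 1..scale (1 = low)

def risk_score(p: Pairing) -> int:
    """Cell position in the matrix, expressed as likelihood x severity."""
    return p.likelihood * p.severity

def risk_label(p: Pairing, scale: int) -> str:
    """Bands chosen for this example (an assumption, not the book's):
    Low for scores up to `scale`, High from scale*(scale-1) upward."""
    score = risk_score(p)
    if score >= scale * (scale - 1):
        return "High"
    if score <= scale:
        return "Low"
    return "Medium"

def rank_pairings(pairings, scale, accept_at_or_below):
    """Most critical first, dropping pairings at or below the risk
    acceptance threshold (a score on this matrix)."""
    kept = [p for p in pairings if risk_score(p) > accept_at_or_below]
    kept.sort(key=risk_score, reverse=True)
    return [(p.asset, p.threat, risk_score(p), risk_label(p, scale)) for p in kept]

def has_ties(pairings) -> bool:
    """True when two pairings land on the same score, i.e. the matrix
    is too coarse to prioritize between them."""
    scores = [risk_score(p) for p in pairings]
    return len(scores) != len(set(scores))

# Constructed sample inventory: the same three asset-threat pairings
# assessed first on a 3x3 matrix, then re-assessed on a 5x5 matrix.
COARSE_3X3 = [
    Pairing("customer database", "ransomware", 2, 3),
    Pairing("public web server", "defacement", 3, 2),
    Pairing("lobby kiosk", "vandalism", 1, 2),
]
FINE_5X5 = [
    Pairing("customer database", "ransomware", 4, 5),
    Pairing("public web server", "defacement", 3, 4),
    Pairing("lobby kiosk", "vandalism", 1, 3),
]
```

On the 3×3 matrix the two top pairings tie, so the ranking cannot prioritize between them; the 5×5 re-assessment separates them while still excluding the kiosk as below the acceptance threshold.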

      Qualitative Risk Analysis

       Brainstorming

       Storyboarding

       Focus groups

       Surveys

       Questionnaires

       Checklists