APPENDIX J-2
Risk Analysis and Assessment
Additional Information
Why?
While risk analysis and assessment is a requirement of 1 TAC 202, there are many other reasons to conduct periodic information security risk assessments. Risk assessments provide the agency with:
- A snapshot of agency status regarding security risks and compliance issues.
- A basis for selecting the most appropriate and cost-efficient protection measures. (This helps to eliminate over-spending for safeguards. Why spend money on protection if threats are unlikely?)
- An equilibrium of asset loss to countermeasures.
- Information on the likelihood of a threat and its occurrence and the impact(s) on information assets. (This is the only process that provides such information.)
- Due diligence. (Ensures reasonable steps are taken to prevent loss of assets.)
- The foundation of all risk management programs.
- The identification of areas for reducing weaknesses before and simultaneously with recovery planning.
- BONUS—Helps to create an awareness within the agency.
What do you know?
The risk assessment analyst needs to have a knowledge base to begin. They need to:
- Know the current and historical internal environment (assets, personnel, services provided…).
- Know the current and historical external environment (natural disasters, potential attackers…).
- Understand dependencies and vulnerabilities.
- Understand threat profiles.
- Understand countermeasure choices and related costs.
- Be able to apply cost-benefit analysis to risks and countermeasures.
Quantitative Risk Analysis vs. Qualitative Risk Analysis
The following tables illustrate some of the differences between these two methodologies and some of the “pros” and “cons” of each. In the real world, risk analysis almost always involves both quantifiable measurements and judgements based on experience and knowledge.
Practices for Protecting Information Resources Assets, Appendix J-2. Risk Analysis and Assessment (Additional Information)
Characteristics

Quantitative: Objective Numeric Values
- Asset value
- Impact
- Frequency of threats
- Countermeasure cost-effectiveness
- Use of complex calculations; i.e., algorithm factors such as probability, uncertainty, exposure factor, frequency of occurrence, annual rate of occurrence (ARO), effectiveness factor, single loss expectancy/exposure (SLE) and annual loss expectancy/exposure (ALE)

Qualitative: Descriptive, Immeasurable Values
- No quantifiable data
- No ALE (annual loss expectancy)
- Measures generally are yes/no, low/medium/high, vital/critical/important, good/bad
- Rankings are based on judgement

Pros

Quantitative
+ Processes and results are derived objectively, easily supported.
+ Calculations for value of assets, threat frequency and impacts, countermeasures cost/benefit, etc., are consistent and repeatable.
+ Evaluating resulting risk management is easy.
+ Asset valuations are reflected monetarily.
+ Can be automated, quicker, easier to understand, repeatable, more reliable.

Qualitative
+ Calculations, if any, are uncomplicated and unsophisticated.
+ Areas of critical risks are referred to in general terms.
+ Typically requires much less time.

Cons

Quantitative
– Calculations are complex and require good explanations.
– Information gathering is a considerable up-front task.
– Could require up to 20 times the effort if done manually without automated tools.

Qualitative
– Calculations for value of assets, threat frequency and impacts, countermeasures cost/benefit, etc., are non-existent.
– Process results are subjective and may not be repeatable.
– Evaluating resulting risk management cannot be accomplished objectively.
– Asset values are perceived and may not be realistic.
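The quantitative factors the table names (asset value, exposure factor, ARO, SLE, ALE, effectiveness factor and countermeasure cost/benefit) combined in the standard way, as an added Python example that is not part of this appendix. The threat, the dollar figures, the two candidate safeguards and the low/medium/high thresholds are constructed for illustration, and the "uncertainty" factor the table also lists is not modelled.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: monetary value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # yearly cost of the safeguard
    effectiveness: float    # fraction of the expected loss it removes (0..1)


def sle(t: Threat) -> float:
    """Single loss expectancy: AV x EF (standard formula, not from the page)."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annual loss expectancy: SLE x ARO."""
    return sle(t) * t.aro


def net_benefit(t: Threat, c: Countermeasure) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - annual cost.
    Negative means the safeguard costs more per year than it is expected to save."""
    ale_after = ale(t) * (1.0 - c.effectiveness)
    return ale(t) - ale_after - c.annual_cost


def rank_countermeasures(t: Threat, candidates: Iterable[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by annual net benefit, best first."""
    scored = [(c.name, round(net_benefit(t, c), 2)) for c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def qualitative_rating(t: Threat, thresholds: Tuple[float, float] = (10_000, 100_000)) -> str:
    """Map the ALE onto the table's low/medium/high scale (thresholds are constructed)."""
    a = ale(t)
    return "low" if a < thresholds[0] else "medium" if a < thresholds[1] else "high"


# Constructed scenario: a file server worth $500k, 40% lost per incident, one incident every 4 years.
FILE_SERVER_RANSOMWARE = Threat("ransomware on file server", 500_000, 0.40, 0.25)
CANDIDATES = [Countermeasure("offline backups", 15_000, 0.80),
              Countermeasure("endpoint detection", 40_000, 0.60)]
```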
Automated or Manual Tools?
Decision Considerations
Listed below are some decision factors to consider when looking at automated tools for risk analysis vs. manual efforts. [1]
- Time and other resources. A good automated tool can sometimes save up to 80% or more in time to complete a major risk assessment.
- Consistency.
- Repeatability.
- Surveys/Interviews. Surveys can be conducted faster electronically; they can save time, travel, and money. Responses are converted to an electronic database without analyst interpretation. Some face-to-face interviews are still needed. Manual surveys give the analyst a chance to see the environment first hand.
- Analytical Phase. This phase of the process is quicker with an automated tool. Analysts spend more time up front on risk factors and there is less chance of human error in the analysis phase.
- Aggregation. Electronic tools allow easy aggregation for organization vulnerability profiles.
- Accuracy.
- Scope of the Project. Look at the size of the project vs. expense and time.
- Experience and Knowledge Base. Quality automated packages come with a tried and tested knowledge base, and complex logic is built in. This provides the analyst with additional expertise.
- Efficiency. Electronic tools allow the analyst to conduct multiple surveys over multiple sites and wide areas of coverage. This can be a more efficient use of the analyst’s time.
- Information Gathering. Up-front configuration of an electronic tool helps to avoid the collection of unnecessary or insignificant information.
- Training. Risk analysis and assessment has a learning curve whether the assessment is done manually or using an automated tool. Consideration should be given to what type and how much training is needed.
- Availability. Off-the-shelf software can be available immediately with a known quality. In-house development using spreadsheets, etc., can still be effective, but much more experience and knowledge is needed.
- Security.
- Methodology. Methodologies differ.
When considering an electronic tool, ask what the tool is measuring and make sure the results you get are what you need.
[1] An older but still useful guide for selecting automated risk analysis tools can be found in NIST SP 500-14, 1989. See .