3rd party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.
Overall risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light or data value and countermeasure cost, and implementing a cost-effective solution for mitigating or reducing risk is knows as risk management. Risk management lays the foundation for reducing risk overall.
Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To do so, the following must be analyzed:
assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.
Threats come from numerous sources, including IT, humans and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives.
Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of the intangible aspects of risk. The process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.
Exposure Factor (EF) is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
(SLE) Single Loss Expectancy is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. SLE=AV*EF
(ARO) Annualized Rate of Occurrence is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur within a single year.
(ALE) Annualized Loss Expectancy is an element of quantitative risk analysis that represents the possibly yearly cost of all instances of a specific realized threat against a specific asset. ALE=SLE*ARO
Use the ALE formula before and after a safeguard is implemented, (ALE before – ALE after) – cost of safeguard = value of safeguard to company.
Qualitative risk analysis is based on scenarios than calculations. exact dollar amounts are not assigned in possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects.
The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus to properly evaluate risks and implement solutions.
Reducing risk, risk mitigation, implementing safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.
Total risk is the amount of risk an organization would face is no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. residual risk is the risk that management has chosen to accept rather than mitigate. the difference between total risk and residual risk is the controls gap. to calculate residual risk: total risk = controls gap = residual risk.
To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. be developing these mechanisms, you ensure that new hires are aware of the required security standards.
Separation of duties is the security concept of dividing critical, significant, and sensitive work tasks among several individuals, ensuring no one person can compromise system security.
Least privilege, users are granted the minimum amount of access necessary to do their tasks/jobs. Limiting user access limits vulnerability of sensitive information.
Job rotation serves: knowledge redundancy, reduces risk of fraud, data modification, theft sabotage and misuse of information.
Mandatory vacations are used to audit and verify the work tasks and privileges of employees to detect abuse, fraud or negligence.
Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. These are usually called SLAs.
Termination policy defines the procedures for terminating employees. Right? It should include items such as always having a witness, disabling the employee’s network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.
Before training and education can take place, awareness of security as a recognized entity must be created, then can come training, teaching employees to perform their work tasks and to comply with the security policy. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy.
In order to manage the security function, an organization must implement proper and sufficient security governance. the act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security functio. this also relates to budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.