Introduction to Network Security
CompTIA Security+ Exam
Domain 5: Risk Management
Trang Nguyen
Risk Management
- A skill and a task that all managers perform, either deliberately or intuitively, to reduce or mitigate risk as an ongoing process.
- An overall decision-making process: identify threats and vulnerabilities and their potential impacts, determine the cost of mitigating such events, and decide which actions are cost-effective for controlling these risks.
- There is no one specific risk management approach that fits every organization; the process has to be adapted to the assets and threats at hand.
Key Terms
- Risk
- Risk management
- Risk assessment or risk analysis
- Asset
- Threat
- Vulnerability
- Impact
- Countermeasure (control or safeguard)
- Mitigate
Key Terms
- Qualitative risk assessment
  - Subjective analysis using expert judgment, experience and expertise
  - Usually expressed on a rating scale, for example 1 (low) through 5 (high)
- Quantitative risk assessment
  - Measurable analysis using metrics or a model, producing numeric (usually monetary) values
Key Terms
- Single loss expectancy (SLE)
  - Monetary loss or impact from each occurrence of a threat
- Exposure factor (EF)
  - A measure of the magnitude of loss to an asset, expressed as the fraction (or percentage) of the asset's value lost in one occurrence
  - Used in calculating single loss expectancy
- Annualized rate of occurrence (ARO)
  - The expected number of times the threat occurs in one year (a fraction when it occurs less often than once a year)
- Annualized loss expectancy (ALE)
  - The expected monetary loss from the threat per year: SLE * ARO
General Risk Management Model
- Asset identification
- Threat assessment
- Impact identification and quantification
- Control design and evaluation
- Residual risk management
Risk Response Strategies
- Avoidance
  - Risk avoidance involves changing the plan so that the threat no longer applies, for example by changing or reducing the scope of the project or system.
- Acceptance
  - Risk acceptance involves acknowledging the risk and taking no further action, typically because the cost of controlling it would exceed the expected loss. The accepted risk should be documented.
- Transfer
  - Risk transference involves shifting the impact of a risk event, and the ownership of the risk response, to a third party such as an insurer or an outsourcing provider.
- Mitigate
  - Risk mitigation reduces the probability or impact of a potential risk event to a more acceptable level. This includes reducing the consequences of the risk.
Risk Assessment
- Apply both quantitative and qualitative methods
- Accept some risk: no set of controls eliminates all of it
- A common objective (quantitative) model:
  - Calculate single loss expectancy
  - Calculate annualized rate of occurrence
  - Calculate annualized loss expectancy
  - Use the ALE in cost-benefit analysis: the ALE is the upper bound on what is worth spending per year on controls for that risk
- SLE = Asset Value * Exposure Factor
- ALE = SLE * ARO
Single Loss Expectancy
- SLE = Asset value * Exposure factor
- Example: an e-business earns $100,000 profit per day, and an outage takes the system down for 3 days at a time
  - Asset value: $100,000 of profit per day
  - Exposure factor: 3 days of downtime per incident
  - SLE = $100,000 * 3 = $300,000 per incident
- Caveat: in the textbook formula the exposure factor is a fraction of the asset's value (0 to 1, or 0% to 100%), not a day count. The shortcut above works only because the asset is valued per day; equivalently, value the asset per year ($100,000 * 365 = $36,500,000) and use EF = 3/365, which gives the same $300,000.
Annualized Loss Expectancy
- SLE = $100,000 * 3 = $300,000
- Annualized rate of occurrence
  - The system goes down once every 3 years
  - ARO = 1/3
- Annualized loss expectancy
  - ALE = SLE * ARO
  - ALE = $300,000 * 1/3 = $100,000
- Cost-benefit: the organization should spend at most $100,000 per year to mitigate this risk. A control whose annual cost exceeds the ALE it removes is not cost-effective; in that case the risk should be accepted or transferred instead.
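The SLE, ARO and ALE steps above, carried through to the control decision, as an added example in Python that is not part of the original slides. The asset figures reproduce the deck's scenario ($100,000 profit per day, a 3-day outage once every 3 years); the candidate controls, their names, annual costs and residual-risk figures are assumptions chosen for illustration. The example goes beyond the slide in two ways: it checks that the exposure factor is a fraction rather than a percentage or a day count, and it compares several candidate controls against the ALE, which is the decision the cost-benefit analysis is meant to support.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and a control cost-benefit check.

Added example, not from the original slides. The asset figures reproduce the
deck's e-business scenario; the controls and their figures are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAYS_PER_YEAR = 365


def exposure_factor_from_outage(days_down: float, days_per_year: int = DAYS_PER_YEAR) -> float:
    """Express an outage as an exposure factor: the fraction of the annual asset value lost.

    The deck multiplies daily profit by days of downtime; that equals
    asset value * EF once the asset is valued per year and EF is the share
    of the year that is lost.
    """
    if days_down < 0 or days_down > days_per_year:
        raise ValueError("days_down must be between 0 and days_per_year")
    return days_down / days_per_year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor (EF is a fraction from 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction 0..1, not a percentage or day count")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual risk it leaves behind (assumed values)."""
    name: str
    annual_cost: float
    residual_exposure_factor: float  # EF if the threat still occurs with the control in place
    residual_aro: float              # expected occurrences per year with the control in place


def control_net_value(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost of the control.

    Positive means the control saves more per year than it costs. The ALE
    before the control is the ceiling on what is worth spending.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro,
    )
    return ale_before - ale_after - control.annual_cost


def choose_response(asset_value: float, ef: float, aro: float,
                    controls: List[Control]) -> Tuple[Optional[Control], float]:
    """Pick the control with the highest positive net value.

    Returns (None, 0.0) when no control pays for itself, i.e. the cost-effective
    response is to accept the risk rather than mitigate it.
    """
    best: Optional[Control] = None
    best_value = 0.0
    for control in controls:
        value = control_net_value(asset_value, ef, aro, control)
        if value > best_value:
            best, best_value = control, value
    return best, best_value


# Constructed scenario matching the deck: $100,000 profit per day, valued over a year.
ASSET_VALUE = 100_000 * DAYS_PER_YEAR   # $36,500,000 of profit per year
EF = exposure_factor_from_outage(3)     # 3 days down per incident
ARO = 1 / 3                             # once every 3 years

# Hypothetical candidate controls; names, costs and residual figures are assumptions.
CONTROLS = [
    Control("patch and monitoring program", annual_cost=20_000,
            residual_exposure_factor=exposure_factor_from_outage(3), residual_aro=1 / 10),
    Control("warm standby site", annual_cost=60_000,
            residual_exposure_factor=exposure_factor_from_outage(0.5), residual_aro=1 / 3),
    Control("active-active second site", annual_cost=150_000,
            residual_exposure_factor=exposure_factor_from_outage(0.1), residual_aro=1 / 3),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}   ALE = ${ale:,.0f} (annual spending ceiling)")
    for c in CONTROLS:
        print(f"{c.name:30s} net value/year = ${control_net_value(ASSET_VALUE, EF, ARO, c):,.0f}")
    chosen, value = choose_response(ASSET_VALUE, EF, ARO, CONTROLS)
    print("decision:", f"mitigate with {chosen.name}" if chosen else "accept the risk")
```

With these assumed figures the active-active site removes almost all of the loss but costs more than the $100,000 ALE, so it has negative net value; the cheaper patching program leaves more residual risk yet has the best net value, which is the kind of trade-off the ALE comparison is for. Running the block stand-alone prints the SLE, the ALE, each control's net value and the resulting decision.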
Risk Management Tools
- Affinity grouping: sorting related risks or ideas into groups
- Baseline identification and analysis
- Cause and effect analysis
- Cost-benefit analysis
- Gantt charts: bar charts that show task schedules over time
- Interrelationship digraphs: show cause and effect relationships among factors
- Pareto charts: histogram ranking of causes from most to least frequent
- PERT (program evaluation and review technique): network diagram of task dependencies and durations used to estimate a project schedule
- Risk management plan
Software Risk Management Model
- Software Engineering Institute (SEI) model
  - Identify
  - Analyze
  - Plan
  - Track
  - Control