Week 1 Discussion Posting

After reading Chapter 1, define the following terms: risk, threat, vulnerability, asset, and impact of loss. After you define each term, identify its role within an organization's security posture. The initial post must be completed by Thursday at 11:59 Eastern. You are also required to post a response to a minimum of two other students in the class by the end of the week. You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.

500 words, APA format

PFA: Chapter 1 (attached below)

CHAPTER 1

Risk Management Fundamentals

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s):

Describe the components of and approaches to effective risk management in an organization.

Key Concepts:

Risk and its relationship to threat, vulnerability, and asset loss

Classifying business risk in relation to the seven domains of a typical IT infrastructure

Risk identification techniques

Risk management process

Strategies for handling risk

What Is Risk?

Risk: The likelihood that a loss will occur; losses occur when a threat exposes a vulnerability that could harm an asset

Threat: Any activity that represents a possible danger

Vulnerability: A weakness

Asset: A thing of value worth protecting

Loss: A loss results in a compromise to business functions or assets; a loss may be tangible or intangible

Risk-Related Concerns for Business

Compromise of business functions

Compromise of business assets

Driver of business costs

Profitability versus survivability

Threats, Vulnerabilities, Assets, and Impact

Threats can be thought of as attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset:

Confidentiality: Preventing unauthorized disclosure of information

Integrity: Ensuring data or an IT system is not modified or destroyed

Availability: Ensuring data and services are available when needed

 


Vulnerabilities

A vulnerability is a weakness

A loss to an asset occurs only when an attacker is able to exploit the vulnerability

Vulnerabilities may exist because they’ve never been corrected

Vulnerabilities can also exist if security is weakened either intentionally or unintentionally

Assets

Tangible value is the actual cost of the asset:

Computer systems—Servers, desktop PCs, and mobile computers

Network components—Routers, switches, firewalls, and any other components necessary to keep the network running

Software applications—Any application that can be installed on a computer system

Data—Includes large-scale databases and the data used and manipulated by each employee or customer

The intangible value cannot be measured by cost, such as client confidence or company reputation:

Future lost revenue—Any purchases customers make with another company are a loss to the company

Cost of gaining the customer—If a company loses a customer, the company’s investment is lost

Customer influence—Customers commonly share their experience with others, especially if the experience is exceptionally positive or negative

Reputation—One customer’s bad experience could potentially influence other current or potential customers to avoid future business transactions

Impact

Very High: Indicates multiple severe or catastrophic adverse effects

High: Indicates a severe or catastrophic adverse effect

Moderate: Indicates a serious adverse effect

Low: Indicates a limited adverse effect

Very Low: Indicates a negligible adverse effect

Classify Business Risks

Risks posed by people:

Leaders and managers

System administrators

Developers

End users

Risks posed by a lack of process:

Policies

Standards

Guidelines

Risks posed by technology (the seven domains of a typical IT infrastructure):

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

Risk Identification Techniques

Identify threats

Identify vulnerabilities

Estimate impact and likelihood of a threat exploiting a vulnerability

Identifying Threats and Vulnerabilities

Component        Type or Source
Threats          External or internal; natural or man-made; intentional or accidental
Vulnerabilities  Audits; certification/accreditation records; system logs; prior events; trouble reports; incident response teams

Balancing Risk and Cost

Consider the cost to implement a control and the cost of not implementing the control

Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business’s survivability

Cost to manage a risk must be balanced against the impact value

Reasonableness: “Would a reasonable person be expected to manage this risk?”

Balancing Risk and Cost (Cont.)

                                      Low Impact (0%–10%)   Medium Impact (11%–50%)   High Impact (51%–100%)
High-threat likelihood (100%, 1.0)    10 × 1 = 10           50 × 1 = 50               100 × 1 = 100
Medium-threat likelihood (50%, .50)   10 × .50 = 5          50 × .50 = 25             100 × .50 = 50
Low-threat likelihood (10%, .10)      10 × .10 = 1          50 × .10 = 5              100 × .10 = 10

A threat-likelihood-impact matrix: each cell is impact value × threat likelihood.

Risk Management Process

Risk Management

Risk: Probability of loss

Vulnerability: System weakness

Threat: Potential harm

Risk Management Process (Cont.)

Assess risks

Identify risks to manage

Select controls

Implement and test controls

Evaluate controls

Cost-Benefit Analysis

Principle of Proportionality: The amount spent on controls should be proportional to the risk

Cost-benefit analysis (CBA): Weighs the cost of control against the projected benefits; helps determine which controls, or countermeasures, to implement
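As an added worked example (not from the textbook), the Python below rebuilds the threat-likelihood-impact matrix from the "Balancing Risk and Cost" slides and applies the cost-benefit and proportionality test from this slide to one risk-register entry. It assumes, as a simplification, that a matrix score is the percentage of the asset's tangible value expected to be lost and that a control works by lowering the likelihood bucket; the asset, dollar figures and control are constructed.

```python
"""Risk = likelihood x impact via the chapter's threat-likelihood-impact matrix, plus a
cost-benefit check on a control. Added example: asset, figures and control are constructed."""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}  # probability of the threat
IMPACT = {"high": 100, "medium": 50, "low": 10}        # assumed: % of asset value lost

def risk_score(likelihood: str, impact: str) -> float:
    """One cell of the matrix, e.g. medium likelihood, high impact -> 50."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def likelihood_impact_matrix() -> dict:
    """Rebuild the full 3x3 matrix from the slide, keyed (likelihood, impact)."""
    return {(l, i): risk_score(l, i) for l in LIKELIHOOD for i in IMPACT}

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float  # tangible value of the asset, in dollars
    likelihood: str
    impact: str

    def expected_loss(self, likelihood: str = "") -> float:
        """Dollar loss expected at the given (or current) likelihood bucket."""
        score = risk_score(likelihood or self.likelihood, self.impact)
        return self.asset_value * score / 100

@dataclass
class Control:
    name: str
    cost: float            # cost to implement and operate the control
    likelihood_after: str  # likelihood bucket once the control is in place

def cost_benefit(risk: Risk, control: Control) -> dict:
    """Projected benefit is the loss the control avoids; by the principle of
    proportionality it is worth implementing only when that benefit exceeds its
    cost. The loss that remains afterwards is the residual risk."""
    before = risk.expected_loss()
    residual = risk.expected_loss(control.likelihood_after)
    benefit = before - residual
    return {"expected_loss": before, "residual_risk": residual,
            "benefit": benefit, "implement": benefit > control.cost}

# Constructed register entry: a customer-facing web server that is behind on patches.
web_server = Risk("customer web server", "compromise through an unpatched service",
                  asset_value=200_000, likelihood="medium", impact="high")
patching = Control("monthly patch cycle", cost=20_000, likelihood_after="low")
```

Calling cost_benefit(web_server, patching) gives an expected loss of 100,000, a residual risk of 20,000 and a benefit of 80,000, so a 20,000 control is proportional; the same control at 90,000 would fail the test and the risk would have to be accepted, shared, or avoided instead.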

 

 

Profitability Versus Survivability

Out-of-pocket costs

Lost opportunity costs

Future costs

Client and stakeholder confidence

Total cost of security

Risk-Handling Strategies

Various techniques of risk management:

Avoiding

Sharing or transferring

Mitigating

Accepting

Residual Risk

Summary

Risk and its relationship to threat, vulnerability, and asset loss

Classifying business risk in relation to the seven domains of a typical IT infrastructure

Risk identification techniques

Risk management process

Strategies for handling risk

 

10/8/2020