SECURITY-MANAGEMENT PRACTICES
- Three goals of risk management are to identify risks, quantify the impact of potential threats, and find an economic balance between the impact of the risk and the cost of the countermeasure.
- A threat is a natural or man-made event that could have a negative impact on the organization. A vulnerability is a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage.
- There are two approaches to dealing with risk:
Quantitative analysis: Assigns real numbers or dollar amounts to the costs of countermeasures and the amount of damage that can occur. Pure quantitative risk analysis is not possible.
Qualitative analysis: Looks at different scenarios of risk possibilities and ranks the seriousness of the threats and the sensitivity of the assets.
- Formulas used for quantitative analysis include
EF (exposure factor) = Percentage of an asset loss caused by an identified threat
SLE (single loss expectancy) = Asset value × Exposure factor
ALE (annualized loss expectancy) = Single loss expectancy × Annualized rate of occurrence
- Risk is dealt with in the following ways (these can be combined):
Risk reduction: Implements a countermeasure to alter or reduce the risk
Risk transference: Purchases insurance to transfer a portion or all of the potential cost of a loss to a third party
Risk acceptance: Deals with risk by accepting the potential cost and loss
Risk rejection: Pretends the risk doesn't exist and ignores it
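The SLE and ALE formulas above, carried through for one constructed scenario and then used to weigh a countermeasure against its cost (the "economic balance" from the first bullet). This is an added example, not part of the original notes; the asset value, exposure factor, ARO and countermeasure cost are made-up sample figures, and the cost/benefit rule (ALE before minus ALE after minus annual countermeasure cost) is an assumed extension of the two formulas the notes give, used here to choose between risk reduction and risk acceptance.

```python
"""Quantitative risk calculation: SLE, ALE and countermeasure cost/benefit (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction of the asset lost per occurrence (EF as 0.0-1.0, not a percent)
    aro: float              # annualized rate of occurrence: expected events per year

    def __post_init__(self) -> None:
        # Reject inputs that would make the formulas meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        # SLE = asset value x exposure factor
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # ALE = SLE x ARO
        return self.sle() * self.aro


def countermeasure_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual net value of a countermeasure (assumed extension of the notes' formulas):
    the ALE it removes, minus what it costs per year. Positive means it pays for itself."""
    return before.ale() - after.ale() - annual_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_cost: float) -> str:
    """Pick risk reduction when the countermeasure's net value is positive, otherwise
    accept the risk (or look at transference, e.g. insurance, which is not modelled here)."""
    return "reduce" if countermeasure_value(before, after, annual_cost) > 0 else "accept"


# Constructed sample scenario: a 100,000-unit asset, 25% loss per incident, one incident every two years.
BASELINE = RiskScenario(asset_value=100_000, exposure_factor=0.25, aro=0.5)
# Same asset after a control that limits the loss per incident to 5%.
WITH_CONTROL = RiskScenario(asset_value=100_000, exposure_factor=0.05, aro=0.5)
CONTROL_ANNUAL_COST = 4_000.0   # constructed annual cost of the control


if __name__ == "__main__":
    print(f"SLE before: {BASELINE.sle():,.0f}  ALE before: {BASELINE.ale():,.0f}")
    print(f"SLE after:  {WITH_CONTROL.sle():,.0f}  ALE after:  {WITH_CONTROL.ale():,.0f}")
    value = countermeasure_value(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST)
    print(f"net value of control per year: {value:,.0f} -> {recommend(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST)}")
```

With the sample figures the baseline SLE is 25,000 and the ALE 12,500; the control cuts the ALE to 2,500, so at 4,000 a year it is worth 6,000 a year and "reduce" is the answer. Raise the control's annual cost above 10,000 and the same function returns "accept", which is the point of the first bullet: the countermeasure must cost less than the loss it prevents.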
- Security policies can be regulatory, advisory, or informative.
- Security must flow from the top of the organization.
- Types of security documents include
Policies: General statements produced by senior management
Standards: Tactical documents that are more specific than policies
Guidelines: Point to a statement in a policy or procedure by which to determine a course of action
Procedures: The lowest level of policy documentation, providing step-by-step instructions to achieve a certain task