Security + Exam Guide (Charles River Media Networking/Security)

Risk/Threat Identification

Risk management is the process or processes that a company or enterprise implements in order to reduce loss of assets or financial standings that can result from theft, accidents, or lack of proper management Due Care and responsibility. In simple terms, risk management focuses on the reduction of threats to a company's assets. For more specific network and security related study needs, it can be said that risk management focuses on the implementation of information security practices in order to identify possible hardware/software threats and vulnerabilities that exist both inside and outside of an organization.

In order to prevent or offset risk and the possible financial losses that exist if proper prevention methods are not put in place, one must identify what real risks and threats exist, know what assets are at risk, and analyze what, if any, controls should be put into place to avoid loss. Identifying risks includes the following:

• Knowing the actual threats that exist.

• Knowing the possible consequences or repercussions that exist.

• Knowing the possible likelihood that an event or disaster will take place.

Knowing if the event or disaster will reoccur and at what frequency.

Risks can be categorized or isolated to give you a better understanding of how to identify them. The following are categories of risks or threats that could possibly exist:

• Information warfare threats: Terrorism using Information Technology.

• Data threats: Viruses or malicious code.

• Personnel or employee threats: Unauthorized physical or virtual access.

• Criminal threats: Theft or vandalism.

• Environmental threats: Natural disasters and facility-related failure.

• System/Computer: Hardware/software failures.

After you have identified all risks that present a threat to your security, it is important that you evaluate what systems, people, and other assets are vulnerable to these risks. Once vulnerabilities are identified, a control process can be implemented. Once again, the type of controls, insurance, and safeguards are all determined by the mighty dollar.

Management buy-in concerning the protection of an organization against threat is a must.

Risk Analysis/Assessment

Risk analysis includes identifying important assets and identifying possible risks to these assets. Risk analysis also includes implementing safeguards to prevent or offset the risks or threats that exist.

There are three major items you should be familiar with when preparing a risk analysis. You should be able to estimate the possible losses that could occur, analyze/assess potential risks, and be able to produce an Annualized Loss Expectancy report (ALE). In order to produce an annualized loss expectancy figure, and for the exam, you should know the following:

• SLE (Single Loss Expectancy): This is the expected financial loss due to single failure or event.

• ARO (Annualized Rate of Occurrence): This is the estimated amount of times or frequency that the failure or event will occur within a year.

In order to produce an ALE, you must multiply the SLE by the ARO.

The ALE should include a list of all assets, all possible threats, the potential for threats, the financial and physical loss that can occur from these threats, and recommended remedies to reduce the risk potential.

There are several types or approaches of risk analysis that you should familiar with for the exam. They are as follows:

• Quantitative risk analysis: This type of risk analysis is based on two factors-the probability that an event will occur and an estimate of the amount of loss that will result. This type of analysis is less popular than qualitative risk analysis because it is based on data that is not factual. In other words, the probability that an event will occur cannot always be accurately measured. With this type of analysis, the risks are guessed and money is appropriated as a means to offset or take care of the aftermath if an event should occur.

• Qualitative risk analysis: This type of risk analysis is much more popular. It is based only on potential loss not probability. With a qualitative risk analysis, threats and vulnerabilities are analyzed and defined. Then, controls are put into place to offset the risk. These controls are deterrent, preventive, corrective, and detective.