Cisa Exam Cram 2

Senior management must support risk analysis in the organization for it to be successful. Risk analysis is the process of identifying risk in the organization, quantifying the impact of potential threats, and providing cost/benefit justification for the implementation of controls. The organization must establish the purpose of the risk-management program, which might vary by organization but should include specific objectives such as reducing the cost of insurance in the organization or ensuring that background-screening processes are cost-effective. Clearly defining the purpose of the program enables senior managers to evaluate the results of risk management and determine its effectiveness. Generally, the executive director working with the board of directors defines the purpose for the risk-management program. As with all programs in the organization, the risk-management program must have a person or team charged with developing and implementing the program. The risk-management committee and associated team will be utilized at all levels within the organization and will need the help of the operations staff and board members to identify areas of risk and develop suitable mitigation strategies.

Risk analysis can use either a quantitative approach, which attempts to assign real numbers to the cost of threats and the amount of damage, or a qualitative approach, which uses a ranking method to analyze the seriousness of the threat against the sensitivity of the asset.

As an example of a risk-management process, let's take a look at the identification of a critical asset, threats, and vulnerabilities, and the review of implementing controls.

The organization has servers located at one of its satellite offices in San Diego, California. The servers are critical to the organization's business objectives. Although redundant servers and data are available via a redundant facility, the organization wants to ensure that it can resume business operations in San Diego as quickly as possible. The organization has performed a vulnerability assessment of the servers in San Diego. The facility has not been hit by an earthquake, but it wants to identify the likelihood that it will and to identify specific controls to mitigate this risk. As a result of the vulnerability assessment, the organization discovered that a relatively small earthquake (leaving the facility intact) could cause disruption to the servers if the racks topple or are disconnected from the network. For this scenario, we review our summary of the risk equation:

Risk = Threat x Vulnerability x Cost of asset

Threat = Earthquake (5 in the last 15 years large enough to damage the facility or at least move or topple office equipment)

Vulnerability = Annualized rate of occurrence. 15 years ÷ 5 earthquakes = .33 expected earthquakes per year.

Cost of asset = Total hardware (rack + servers) = $35,000 + outage cost per day ($3,000) x 3 days (time to bring up secondary servers) = $9,000 + 35,000 = $42,000

The organization could put in place quite a few controls to mitigate the risk.

It could develop a hot site that contains up-to-date information from the servers in San Diego, at the cost of $125,000 annually. It could implement earthquake-proof controls (earthquake rack-mounting equipment), for a one-time cost of $5,000. The organization could move the servers from San Diego to another satellite office, headquarters, or hosting facility, for a one-time cost of $10,000 and an annual cost of $15,000.

All three solutions would mitigate the risk associated with earthquakes at the San Diego facility, but we will use our equation to identify which is cost-effective:

Threat = (15 ÷ 5) = Vulnerability = .33 x Cost of asset = 42,000 = 13,860

The equation states that the cost of the control should not exceed $13,860 annually, so we can compare this against the cost associated with the hot site ($125,000), the earthquake rack ($12,000), and the server move ($15,000), and readily identify that the earthquake rack-mounting is the most cost-effective control for this threat. Keep in mind that this scenario identifies only one threat and the cost of the control to mitigate that threat. In actuality, the total of all controls for all threats would be compared against the cost of the asset to determine cost-effectiveness.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission objectives by protecting the IT systems and data that support their organization's objectives.

Категории