Risk Management
Goal - Determine impact of the threat and risk of threat occurring.
The primary goal of risk management is to reduce risk to an acceptable level.
Step 1: Prepare for assessment (purpose/scope)
Step 2: Conduct assessment
- Identify threat sources and events
- Identify vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3: Communicate risks (results)
Step 4: Maintain / repeat assessment regularly
Risk Management Concepts
Threat = Potential to cause damage
Vulnerability = Weakness that a threat vector can exploit
Likelihood = Chance it will happen
Impact = Overall effect
Residual Risk = Amount of risk left over after controls are applied
Organizations own the risk
Risk is determined as the product of likelihood and impact (Risk = Likelihood x Impact)
Risk Concepts
Inherent: The chance of making an error when no controls are in place
Control: Chance that controls are in place that will prevent, detect or control errors
Detection: Chance that auditors won't find an error
Residual: Risk remaining after control in place
Business: Concerns about effects of unforeseen circumstances
Overall: Combination of all risks aka Audit Risk
Analysis steps:
- Identify assets
- Identify threats
- Calculate risk
US Government risk management standard: ISO 27005
Source material: Sunflower CISSP Guide Version 2.0 (2017) by Maarten de Frankrijker