SlideShare a Scribd company logo

FAIR Basic Risk Assessment Guide

Download as DOCX, PDF
A
adkinspaige22

The document provides an overview of the basic FAIR risk assessment process. It describes the four stages of the process: 1) identify scenario components by identifying the asset and threat, 2) evaluate loss event frequency by estimating threat event frequency, threat capability, control strength, and vulnerability, 3) evaluate probable loss magnitude by estimating worst-case and probable loss, and 4) derive and articulate the risk by determining loss event frequency and probable loss magnitude. The document provides guidance for completing each of the 10 steps in the basic FAIR analysis.

Education
1 of 32
Risk Management Insight FAIR (FACTOR ANALYSIS OF INFORMATION RISK) Basic Risk Assessment Guide FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC NOTE: Before using this assessment guide… Using this guide effectively requires a solid understanding of FAIR concepts ‣ As with any high-level analysis method, results can depend upon variables that may not be accounted for at this level of abstraction ‣ The loss magnitude scale described in this section is adjusted for a specific organizational size and risk capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.) may need to be adjusted when analyzing organizations of different sizes ‣ This process is a simplified, introductory version that may not be appropriate for some analyses
Basic FAIR analysis is comprised of ten steps in four stages: Stage 1 – Identify scenario components 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 – Evaluate Loss Event Frequency (LEF) 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 – Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4 – Derive and articulate Risk 10. Derive and articulate Risk Risk Loss Event Frequency Probable Loss
Magnitude Threat Event Frequency Vulnerability Contact Action Control Strength Threat Capability Primary Loss Factors Secondary Loss Factors Asset Loss Factors Threat Loss Factors Organizational Loss Factors External Loss Factors FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC
Stage 1 – Identify Scenario Components Step 1 – Identify the Asset(s) at risk In order to estimate the control and value characteristics within a risk analysis, the analyst must first identify the asset (object) under evaluation. If a multilevel analysis is being performed, the analyst will need to identify and evaluate the primary asset (object) at risk and all meta-objects that exist between the primary asset and the threat community. This guide is intended for use in simple, single level risk analysis, and does not describe the additional steps required for a multilevel analysis. Asset(s) at risk: _____________________________________________________ _ Step 2 – Identify the Threat Community In order to estimate Threat Event Frequency (TEF) and Threat Capability (TCap), a specific threat community must first be identified. At minimum, when evaluating the risk associated with malicious acts, the analyst has to decide whether the threat community is human or malware, and internal or external. In most circumstances, it’s appropriate to define the
threat community more specifically – e.g., network engineers, cleaning crew, etc., and characterize the expected nature of the community. This document does not include guidance in how to perform broad-spectrum (i.e., multi-threat community) analyses. Threat community: _____________________________________________________ _ Characterization FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Stage 2 – Evaluate Loss Event Frequency Step 3 – Threat Event Frequency (TEF) The probable frequency, within a given timeframe, that a threat agent will act against an asset Contributing factors: Contact Frequency, Probability of Action Very High (VH) > 100 times per year High (H) Between 10 and 100 times per year Moderate (M) Between 1 and 10 times per year
Low (L) Between .1 and 1 times per year Very Low (VL) < .1 times per year (less than once every ten years) Rationale FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 4 – Threat Capability (Tcap) The probable level of force that a threat agent is capable of applying against an asset Contributing factors: Skill, Resources Very High (VH) Top 2% when compared against the overall threat population High (H) Top 16% when compared against the overall threat population Moderate (M) Average skill and resources (between bottom 16% and top 16%) Low (L) Bottom 16% when compared against the overall threat population Very Low (VL) Bottom 2% when compared against the overall
threat population Rationale FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 5 – Control strength (CS) The expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force Contributing factors: Strength, Assurance Very High (VH) Protects against all but the top 2% of an avg. threat population High (H) Protects against all but the top 16% of an avg. threat population Moderate (M) Protects against the average threat agent Low (L) Only protects against bottom 16% of an avg. threat population Very Low (VL) Only protects against bottom 2% of an avg. threat population Rationale
FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 6 – Vulnerability (Vuln) The probability that an asset will be unable to resist the actions of a threat agent Tcap (from step 4): CS (from step 5): Vulnerability VH VH VH VH H M H VH VH H M L Tcap M VH H M L VL L H M L VL VL VL M L VL VL VL VL L M H VH Control Strength Vuln (from matrix above): FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC Step 7 – Loss Event Frequency (LEF) The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset TEF (from step 3): Vuln (from step 6): Loss Event Frequency VH M H VH VH VH H L M H H H TEF M VL L M M M L VL VL L L L VL VL VL VL VL VL VL L M H VH Vulnerability LEF (from matrix above): FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC Stage 3 – Evaluate Probable Loss Magnitude Step 8 – Estimate worst-case loss Estimate worst-case magnitude using the following three steps: ‣ Determine the threat action that would most likely result in a worst-case outcome ‣ Estimate the magnitude for each loss form associated with that threat action ‣ “Sum” the loss form magnitudes Loss Forms Threat Actions Productivity Response Replacement Fine/Judgments Comp. Adv. Reputation Access Misuse Disclosure Modification Deny Access Magnitude Range Low End Range High End Severe (SV) $10,000,000 -- High (H) $1,000,000 $9,999,999
Significant (Sg) $100,000 $999,999 Moderate (M) $10,000 $99,999 Low (L) $1,000 $9,999 Very Low (VL) $0 $999 FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 9 – Estimate probable loss Estimate probable loss magnitude using the following three steps: ‣ Identify the most likely threat community action(s) ‣ Evaluate the probable loss magnitude for each loss form ‣ “Sum” the magnitudes Loss Forms Threat Actions Productivity Response Replacement Fine/Judgments Comp. Adv. Reputation Access Misuse Disclosure Modification
Deny Access Magnitude Range Low End Range High End Severe (SV) $10,000,000 -- High (H) $1,000,000 $9,999,999 Significant (Sg) $100,000 $999,999 Moderate (M) $10,000 $99,999 Low (L) $1,000 $9,999 Very Low (VL) $0 $999 FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Stage 4 – Derive and Articulate Risk Step 10 – Derive and Articulate Risk The probable frequency and probable magnitude of future loss Well-articulated risk analyses provide decision-makers with at least two key pieces of information: ‣ The estimated loss event frequency (LEF), and ‣ The estimated probable loss magnitude (PLM) This information can be conveyed through text, charts, or both.
In most circumstances, it’s advisable to also provide the estimated high-end loss potential so that the decision-maker is aware of what the worst-case scenario might look like. Depending upon the scenario, additional specific information may be warranted if, for example: ‣ Significant due diligence exposure exists ‣ Significant reputation, legal, or regulatory considerations exist Risk Severe H H C C C High M H H C C PLM Significant M M H H C Moderate L M M H H Low L L M M M Very Low L L M M M VL L M H VH LEF LEF (from step 7): PLM (from step 9): WCLM (from step 8): Key Risk Level
C Critical H High M Medium L Low FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Code Galore Caselet: Using COBIT® 5 for Information Security Company Profile – Code Galore Background Information The Problems Your Role Your Tasks Figures Notes Questions 2 Agenda © 2013 ISACA. All rights reserved. Profile Start-up company founded in 2005 One office in Sunnyvale, California, USA
10 remote salespeople and a few with space at resellers’ offices Approximately 100 total staff; about one-third work in engineering 3 Company Profile – Code Galore 4 What we do Org. Structure Operational Industry Products Sales Financials Background Information Building a comprehensive business function automation software that performs many functions (decision making in approaching new initiatives, goal setting and tracking, financial accounting, a payment system, and much more). The software is largely the joint brainchild of the Chief Technology Officer (CTO) and a highly visionary Marketing Manager who left the company a year ago 5 What we do Org. Structure Operational Industry Products Sales Financials Background Information – What We Do
Financed 100% by investors who are extremely anxious to make a profit. Investors have invested more than US $35 million since inception and have not received any returns. The organization expected a small profit in the last two quarters. However, the weak economy led to the cancellation of several large orders. As a result, the organization was in the red each quarter by approximately US $250,000. 6 Background Information – Financials What we do Org. Structure Operational Industry Products Sales Financials Code Galore is a privately held company with a budget of US $15 million per year. Sales last year totaled US $13.5 million (as mentioned earlier, the company came within US $250,000 of being profitable each of the last two quarters). The investors hold the preponderance of the company’s stock; share options are given to employees in the form of stock options that can be purchased for US $1 per share if the company ever goes public. Code Galore spends about five percent of its annual budget on marketing. Its marketing efforts focus on portraying other financial function automation applications as ‘point solutions’ in contrast to Code Galore’s product. 7 Background Information – Financials What we do Org. Structure
Operational Industry Products Sales Financials 8 Background Information – Org. Structure Figure 1—Code Galore Organisational Chart CEO CSO VP, Finance VP, Business CTO VP, Human Resources Security Administrator Sales Mgr Accounting Dir. Sr. Financial Analyst Infrastructure Mgr.
Sys. Dev. Mgr. HR Manager What we do Org. Structure Operational Industry Products Sales Financials The board of directors: Consists of seasoned professionals with many years of experience in the software industry Is scattered all over the world and seldom meets, except by teleconference Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months 9 Background Information – Org. Structure What we do Org. Structure Operational Industry Products Sales Financials The CEO: Is the former chief financial officer (CFO) of Code Galore that replaced the original CEO who resigned to pursue another opportunity two years ago Has a good deal of business knowledge, a moderate amount of experience as a C-level officer, but no prior experience as a
CEO As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best Background Information – Org. Structure 10 What we do Org. Structure Operational Industry Products Sales Financials Engineers perform code installations. The time to get the product completely installed and customized to the customer’s environment can exceed one month with costs higher than US $60,000 to the customer. Labour and purchase costs are too high for small and medium- sized businesses. So far, only large companies in the US and Canada have bought the product. C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company, and are unwilling to invest much more. 11 Background Information – Operational What we do Org. Structure
Operational Industry Products Sales Financials Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support. The business function automation software arena has many products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies. Background Information – Industry 12 What we do Org. Structure Operational Industry Products Sales Financials The product is comprehensive—at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore’s product covers. Additionally, the product integrates information and statistics throughout all functions—each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding. Background Information – Products 13
What we do Org. Structure Operational Industry Products Sales Financials Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product. The price is not just due to the cost of software development; it also is due to the configuration labour required to get the product running suitably for its customers. Background Information – Sales 14 What we do Org. Structure Operational Industry Products Sales Financials Acquisition Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation. Skyhaven consists of approximately 15 people, mostly programmers who work at the company’s small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven’s was an archaic public switched telephone network (PSTN).
Setting up a WAN Two months ago, your company’s IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore’s internal network and vice versa. You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven’s code integrated into Code Galore’s. 15 The Problems Information Security More recently, you have discovered that the connection does not require a password for access and that, once a connection to the internal network is established from outside the network, it is possible to connect to every server within the network, including the server that holds Code Galore’s source code and software library and the server that houses employee payroll, benefits and medical insurance information. Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive files, but a recent vulnerability scan showed that both servers have vulnerabilities that could allow an attacker to gain unauthorised remote privileged access. You have told the IT director that these vulnerabilities need to be patched, but because of the concern that patching them may cause them to crash or behave unreliably and because Code Galore must soon become profitable or else, you have granted the IT director a delay of one month in patching the servers.
16 The Problems – Overview Bots What now really worries you is that, earlier today, monitoring by one of the security engineers who does some work for you has shown that several hosts in Skyhaven’s network were found to have bots installed in them. Source Code Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code (which is to be integrated into Code Galore’s source code as soon as the Skyhaven programmers are through with the release on which they are currently working) is on just about every Skyhaven machine, regardless of whether it is a workstation or server. 17 The Problems – Overview Code Galore vs. Skyhaven Employee knowledge Code Galore employees are, in general, above average in their knowledge and awareness of information security, due in large part to an effective security awareness programme that you set up two months after you started working at Code Galore and have managed ever since. You offer monthly brown bag lunch events in a large conference room, display posters reminding employees not to engage in actions such as opening attachments that they are not expecting, and send a short monthly newsletter informing employees of the direction in which the company is going in terms of security and how they can help.
Very few incidents due to bad user security practices occurred until Skyhaven Software was acquired. Skyhaven’s employees appear to have almost no knowledge of information security. You also have discovered that the Skyhaven employee who informally provides technical assistance does not make backups and has done little in terms of security configuration and patch management. 18 The Problems – Overview 19 Your Role Hired two years ago as the only Chief Security Officer (CSO) this company has ever had. Report directly to the Chief Executive Officer (CEO). Attend the weekly senior management meeting in which goals are set, progress reports are given and issues to be resolved are discussed. The Information Security Department consists of just you; two members of the security engineering team from software are available eight hours each week. 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena. Four years of experience as a junior IT auditor. Undergraduate degree in managing information systems and have earned many continuing professional education credits in information security, management and audit areas. Five years ago, you earned your CISM certification. The focus here is not on a business unit, but rather on Code
Galore as a whole, particularly on security risk that could cripple the business. Due primarily to cost-cutting measures the CEO has put in place, your annual budget has been substantially less than you requested each year. Frankly, you have been lucky that no serious incident has occurred so far. You know that in many ways your company has been tempting fate. You do the best you can with what you have, but levels of unmitigated risk in some critical areas are fairly high. Your Role and the Business Units 20 Mr. Wingate’s focus on cost cutting is a major reason that you have not been able to obtain more resources for security risk mitigation measures. He is calm and fairly personable, but only a fair communicator, something that results in your having to devote extra effort in trying to learn his expectations of your company’s information security risk mitigation effort and keeping him advised of risk vectors and major developments and successes of this effort. 21 Your Role and the CEO, Ernest Wingate Code Galore’s IT director is Carmela Duarte. She has put a system of change control into effect for all IT activities
involving hardware and software. This system is almost perfect for Code Galore—it is neither draconian nor too lax and very few employees have any complaints against it. You have an excellent working relationship with her, and although she is under considerable pressure from her boss, the CTO, and the rest of C-level management to take shortcuts, she usually tries to do what is right from a security control perspective. She is working hard to integrate the Skyhaven Software network into Code Galore’s, but currently, there are few resources available to do a very thorough job. She would also do more for the sake of security risk mitigation if she had the resources. Carmela has worked with Code Galore since 2006, and she is very much liked and respected by senior management and the employees who work for her. 22 Your Role and the IT Director, Carmela Duarte You believe that Code Galore’s (but not Skyhaven Software’s) security risk is well within the risk appetite of the CEO and the board of directors. You have a good security policy (including acceptable use provisions) and standards in place, and you keep both of them up to date. You have established a yearly risk management cycle that includes asset valuation, threat and vulnerability assessment,
risk analysis, controls evaluation and selection, and controls effectiveness assessment, and you are just about ready to start a controls evaluation when you suddenly realise that something more important needs to be done right away (outlined in The Problem section). 23 Your Tasks © 2013 ISACA. All rights reserved. Using the figure 4 template, you need to modify the qualitative risk analysis that you performed six months ago to take into account the risk related to Skyhaven Software. The major risk events identified during this risk analysis are shown in figure 2. You must not only head this effort, but for all practical purposes, you will be the only person from Code Galore who works on this effort. 24 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risk and previously unmitigated or unsuitably mitigated risk. You may find that some risk events are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. This may help optimise your risk mitigation investments. To the degree that you realistically and accurately identify new and changed risk, you will modify the direction of your
information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risk and facilitates growth of the business. Failure to realistically and accurately identify new and changed risk will result in blindness to relevant risk that will lead to unacceptable levels of unmitigated risk. 25 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. You must revise the most recent risk analysis, not only by reassessing all the currently identified major risk, but also by adding at least three risk events that were not previously identified. COBIT 5 provides tools that might be helpful in determining the best approach reassessing and prioritising the major risk events, in EDM03, Ensure risk optimisation. You must also provide a clear and complete rationale for the risk events, their likelihood, and impacts (outlined in the section Alternatives With Pros and Cons of Each section). 26 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. The rationale for each security-related risk that you select must include a discussion of the pros and cons associated with identifying and classifying each as a medium-low risk or higher. For example, suppose that you decide that a prolonged IT outage is no longer a medium- to low-level risk, but instead is now a low risk.
The pros (purely hypothetical in this case) may be that outage- related risk events are now much lower than before due to, for example, the implementation of a new backup and recovery system that feeds data into an alternative data center (not true in this caselet). In this case allocating additional resources would therefore be a waste of time and money. 27 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. On the con side, lowering the severity of a prolonged IT outage risk may result in underestimation of this source of risk, which could result in failing to allocate resources and in a much higher amount of outage-related loss and disruption than Code Galore could take, given its somewhat precarious state. 28 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. Exhibits – Major Risk 29 © 2013 ISACA. All rights reserved. Figure 2—Major Risk Figure 3—Network Diagram 30 © 2013 ISACA. All rights reserved.
31 Figure 4—Risk Analysis Template © 2013 ISACA. All rights reserved. Since Code Galore is in the business function automation software arena it should be consider using business process automation (BPA), a strategy an business uses to automate processes in order to contain costs. It consists of integrating applications, restructuring labor resources and using software applications throughout the organization. Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical right now. Yet, this company has opened itself up to significant levels of security risk because of acquiring Skyhaven Software and the need for former Skyhaven programmers to access resources within the corporate network. Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and assesses the magnitude of security risk from acquiring Skyhaven and opening the Code Galore network to connections from the Skyhaven network and prescribes appropriate controls, given Code Galore’s cash crunch, not many resources (money and labour) are likely to be available for these controls. 32 Notes © 2013 ISACA. All rights reserved.
All the CSO may be able to do is document the risk and make prioritised recommendations for controls, waiting for the right point in time when the company’s financial situation gets better. If an information security steering committee exists, the CSO must keep this committee fully apprised of changes in risk and solicit input concerning how to handle this difficult situation. At the same time, the CSO should initiate an ongoing effort (if no such effort has been initiated so far) to educate senior management and key stockholders concerning the potential business impact of the new risk profile. (Note: The kind of situation described in this caselet is not uncommon in real- world settings.) 33 Notes © 2013 ISACA. All rights reserved. What are the most important business issues and goals for Code Galore? What are the factors affecting the problem related to this case? What are the managerial, organizational, and technological issues and resources related to this case? What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications? What are some of the emerging IT security technologies that should be considered in solving the problem related to the case? 34 Discussion Questions 1-5 © 2013 ISACA. All rights reserved. In what major ways and areas can information security help the
business in reaching its goals? Which of the confidentiality, integrity and availability (CIA) triad is most critical to Code Galore’s business goals, and why? Change leads to risk, and some significant changes have occurred. Which of these changes lead to the greatest risk? Imagine that three of the greatest risk events presented themselves in worst-case scenarios. What would be some of these worst-case scenarios? How can the CSO in this scenario most effectively communicate newly and previously identified risk events that have grown because of the changes to senior management? 35 Discussion Questions 6-10 © 2013 ISACA. All rights reserved.

Recommended

Risk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxRisk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxmadlynplamondon
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxgertrudebellgrove
 
Risk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxRisk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxgertrudebellgrove
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxtarifarmarie
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxpoulterbarbara
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxChandan Singh Ghodela
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsPriyanka Aash
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 

Recommended

Risk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxRisk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxmadlynplamondon
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxgertrudebellgrove
 
Risk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxRisk Management Insight FAIR(FACTOR ANA.docx
Risk Management Insight FAIR(FACTOR ANA.docxgertrudebellgrove
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxtarifarmarie
 
Risk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxRisk Management Insight FAIR(FACTOR AN.docx
Risk Management Insight FAIR(FACTOR AN.docxpoulterbarbara
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxChandan Singh Ghodela
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsPriyanka Aash
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for DummiesWilliam L. McGill
 
R af d
R af dR af d
R af dWilliam L. McGill
 
Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk ManagementResolver Inc.
 
Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesRisk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesSlideTeam
 
Mitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation SlidesMitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation SlidesSlideTeam
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 
Mitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation SlidesMitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation SlidesSlideTeam
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersMarc Vael
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Session 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis ISession 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis IMuizz Anibire
 
Global Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health CoGlobal Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health CoMatthewTennant613
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxbagotjesusa
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50Rick Lemieux
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesSlideTeam
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideSlideTeam
 
Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides SlideTeam
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaPankaj K Sinha
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementAndrew Valenti
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides SlideTeam
 
. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docx. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docxadkinspaige22
 
.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docx.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docxadkinspaige22
 

More Related Content

Similar to FAIR Basic Risk Assessment Guide

Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk ManagementResolver Inc.
 
Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesRisk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesSlideTeam
 
Mitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation SlidesMitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation SlidesSlideTeam
 
Mitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation SlidesMitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation SlidesSlideTeam
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersMarc Vael
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Session 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis ISession 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis IMuizz Anibire
 
Global Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health CoGlobal Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health CoMatthewTennant613
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxbagotjesusa
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesSlideTeam
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideSlideTeam
 
Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides SlideTeam
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaPankaj K Sinha
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementAndrew Valenti
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides SlideTeam
 

Similar to FAIR Basic Risk Assessment Guide (20)

Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
 
R af d
R af dR af d
R af d
 
Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk Management
 
Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation SlidesRisk Assessment And Mitigation Plan PowerPoint Presentation Slides
Risk Assessment And Mitigation Plan PowerPoint Presentation Slides
 
Mitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation SlidesMitigation Plan PowerPoint Presentation Slides
Mitigation Plan PowerPoint Presentation Slides
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Mitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation SlidesMitigation Plan Powerpoint Presentation Slides
Mitigation Plan Powerpoint Presentation Slides
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Session 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis ISession 04_Risk Assessment Program for YSP_Risk Analysis I
Session 04_Risk Assessment Program for YSP_Risk Analysis I
 
Global Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health CoGlobal Health Comparison Grid TemplateGlobal Health Co
Global Health Comparison Grid TemplateGlobal Health Co
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docxIntroductory Physics Electrostatics Practice Problems Spring S.docx
Introductory Physics Electrostatics Practice Problems Spring S.docx
 
Dit yvol4iss50
Dit yvol4iss50Dit yvol4iss50
Dit yvol4iss50
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation Slides
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
 
Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides Mitigation Planning PowerPoint Presentation Slides
Mitigation Planning PowerPoint Presentation Slides
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K Sinha
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk Management
 
Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides Risk Analysis PowerPoint Presentation Slides
Risk Analysis PowerPoint Presentation Slides
 

More from adkinspaige22

. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docx. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docxadkinspaige22
 
.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docx.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docxadkinspaige22
 
. Read the Harvard Business Review article  Link3. View this ve.docx
. Read the Harvard Business Review article  Link3. View this ve.docx. Read the Harvard Business Review article  Link3. View this ve.docx
. Read the Harvard Business Review article  Link3. View this ve.docxadkinspaige22
 
. Go to a news site and look at the headlines of several articles. A.docx
. Go to a news site and look at the headlines of several articles. A.docx. Go to a news site and look at the headlines of several articles. A.docx
. Go to a news site and look at the headlines of several articles. A.docxadkinspaige22
 
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docxadkinspaige22
 
-Do the schedule with Activity on Node and also draw the schedule.docx
-Do the schedule with Activity on Node and also draw the schedule.docx-Do the schedule with Activity on Node and also draw the schedule.docx
-Do the schedule with Activity on Node and also draw the schedule.docxadkinspaige22
 
.  Record your initial reaction to the work (suggested length of 1.docx
.  Record your initial reaction to the work (suggested length of 1.docx.  Record your initial reaction to the work (suggested length of 1.docx
.  Record your initial reaction to the work (suggested length of 1.docxadkinspaige22
 
-Describe the existing needs for cost information in healthcare firm.docx
-Describe the existing needs for cost information in healthcare firm.docx-Describe the existing needs for cost information in healthcare firm.docx
-Describe the existing needs for cost information in healthcare firm.docxadkinspaige22
 
--------250 words---------Chapter 18 – According to literatu.docx
--------250 words---------Chapter 18 – According to literatu.docx--------250 words---------Chapter 18 – According to literatu.docx
--------250 words---------Chapter 18 – According to literatu.docxadkinspaige22
 
-Please name the functions of the skeletal system.2-Where are lo.docx
-Please name the functions of the skeletal system.2-Where are lo.docx-Please name the functions of the skeletal system.2-Where are lo.docx
-Please name the functions of the skeletal system.2-Where are lo.docxadkinspaige22
 
-TOPIC= Civil Right Movement and Black Power Movement#St.docx
-TOPIC= Civil Right Movement and Black Power Movement#St.docx-TOPIC= Civil Right Movement and Black Power Movement#St.docx
-TOPIC= Civil Right Movement and Black Power Movement#St.docxadkinspaige22
 
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docxadkinspaige22
 
-What benefits can a diverse workforce provide to an organization.docx
-What benefits can a diverse workforce provide to an organization.docx-What benefits can a diverse workforce provide to an organization.docx
-What benefits can a diverse workforce provide to an organization.docxadkinspaige22
 
-How would you define or describe the American Great Migration m.docx
-How would you define or describe the American Great Migration m.docx-How would you define or describe the American Great Migration m.docx
-How would you define or describe the American Great Migration m.docxadkinspaige22
 
- We learned from our readings that the use of mobile devices in our.docx
- We learned from our readings that the use of mobile devices in our.docx- We learned from our readings that the use of mobile devices in our.docx
- We learned from our readings that the use of mobile devices in our.docxadkinspaige22
 
- Goals (short and long term) and how you developed them; experience.docx
- Goals (short and long term) and how you developed them; experience.docx- Goals (short and long term) and how you developed them; experience.docx
- Goals (short and long term) and how you developed them; experience.docxadkinspaige22
 
- Pick ONE Theme for the 5 short stories (ex setting, character.docx
- Pick ONE Theme for the 5 short stories (ex setting, character.docx- Pick ONE Theme for the 5 short stories (ex setting, character.docx
- Pick ONE Theme for the 5 short stories (ex setting, character.docxadkinspaige22
 
- Briefly summarize the Modernization Theory (discuss all four stage.docx
- Briefly summarize the Modernization Theory (discuss all four stage.docx- Briefly summarize the Modernization Theory (discuss all four stage.docx
- Briefly summarize the Modernization Theory (discuss all four stage.docxadkinspaige22
 
+16159390825Whats app the test online on time .docx
+16159390825Whats app the test online on time .docx+16159390825Whats app the test online on time .docx
+16159390825Whats app the test online on time .docxadkinspaige22
 
(philosophy1. why is mills philosophy closely identified with.docx
(philosophy1. why is mills philosophy closely identified with.docx(philosophy1. why is mills philosophy closely identified with.docx
(philosophy1. why is mills philosophy closely identified with.docxadkinspaige22
 

More from adkinspaige22 (20)

. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docx. Review the three articles about Inflation that are found below thi.docx
. Review the three articles about Inflation that are found below thi.docx
 
.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docx.         Find an invertebrate that is endemic to Florida. Endem.docx
.         Find an invertebrate that is endemic to Florida. Endem.docx
 
. Read the Harvard Business Review article  Link3. View this ve.docx
. Read the Harvard Business Review article  Link3. View this ve.docx. Read the Harvard Business Review article  Link3. View this ve.docx
. Read the Harvard Business Review article  Link3. View this ve.docx
 
. Go to a news site and look at the headlines of several articles. A.docx
. Go to a news site and look at the headlines of several articles. A.docx. Go to a news site and look at the headlines of several articles. A.docx
. Go to a news site and look at the headlines of several articles. A.docx
 
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx
-Describe the Plessy v. Ferguson Supreme Court Case of 1896; how was.docx
 
-Do the schedule with Activity on Node and also draw the schedule.docx
-Do the schedule with Activity on Node and also draw the schedule.docx-Do the schedule with Activity on Node and also draw the schedule.docx
-Do the schedule with Activity on Node and also draw the schedule.docx
 
.  Record your initial reaction to the work (suggested length of 1.docx
.  Record your initial reaction to the work (suggested length of 1.docx.  Record your initial reaction to the work (suggested length of 1.docx
.  Record your initial reaction to the work (suggested length of 1.docx
 
-Describe the existing needs for cost information in healthcare firm.docx
-Describe the existing needs for cost information in healthcare firm.docx-Describe the existing needs for cost information in healthcare firm.docx
-Describe the existing needs for cost information in healthcare firm.docx
 
--------250 words---------Chapter 18 – According to literatu.docx
--------250 words---------Chapter 18 – According to literatu.docx--------250 words---------Chapter 18 – According to literatu.docx
--------250 words---------Chapter 18 – According to literatu.docx
 
-Please name the functions of the skeletal system.2-Where are lo.docx
-Please name the functions of the skeletal system.2-Where are lo.docx-Please name the functions of the skeletal system.2-Where are lo.docx
-Please name the functions of the skeletal system.2-Where are lo.docx
 
-TOPIC= Civil Right Movement and Black Power Movement#St.docx
-TOPIC= Civil Right Movement and Black Power Movement#St.docx-TOPIC= Civil Right Movement and Black Power Movement#St.docx
-TOPIC= Civil Right Movement and Black Power Movement#St.docx
 
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx
- Wordcount 500 to 1000 words- Structure Cover, Table of Conte.docx
 
-What benefits can a diverse workforce provide to an organization.docx
-What benefits can a diverse workforce provide to an organization.docx-What benefits can a diverse workforce provide to an organization.docx
-What benefits can a diverse workforce provide to an organization.docx
 
-How would you define or describe the American Great Migration m.docx
-How would you define or describe the American Great Migration m.docx-How would you define or describe the American Great Migration m.docx
-How would you define or describe the American Great Migration m.docx
 
- We learned from our readings that the use of mobile devices in our.docx
- We learned from our readings that the use of mobile devices in our.docx- We learned from our readings that the use of mobile devices in our.docx
- We learned from our readings that the use of mobile devices in our.docx
 
- Goals (short and long term) and how you developed them; experience.docx
- Goals (short and long term) and how you developed them; experience.docx- Goals (short and long term) and how you developed them; experience.docx
- Goals (short and long term) and how you developed them; experience.docx
 
- Pick ONE Theme for the 5 short stories (ex setting, character.docx
- Pick ONE Theme for the 5 short stories (ex setting, character.docx- Pick ONE Theme for the 5 short stories (ex setting, character.docx
- Pick ONE Theme for the 5 short stories (ex setting, character.docx
 
- Briefly summarize the Modernization Theory (discuss all four stage.docx
- Briefly summarize the Modernization Theory (discuss all four stage.docx- Briefly summarize the Modernization Theory (discuss all four stage.docx
- Briefly summarize the Modernization Theory (discuss all four stage.docx
 
+16159390825Whats app the test online on time .docx
+16159390825Whats app the test online on time .docx+16159390825Whats app the test online on time .docx
+16159390825Whats app the test online on time .docx
 
(philosophy1. why is mills philosophy closely identified with.docx
(philosophy1. why is mills philosophy closely identified with.docx(philosophy1. why is mills philosophy closely identified with.docx
(philosophy1. why is mills philosophy closely identified with.docx
 

Recently uploaded

Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 

Recently uploaded (20)

Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 

FAIR Basic Risk Assessment Guide

  • 1. Risk Management Insight FAIR (FACTOR ANALYSIS OF INFORMATION RISK) Basic Risk Assessment Guide FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC NOTE: Before using this assessment guide… Using this guide effectively requires a solid understanding of FAIR concepts ‣ As with any high-level analysis method, results can depend upon variables that may not be accounted for at this level of abstraction ‣ The loss magnitude scale described in this section is adjusted for a specific organizational size and risk capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.) may need to be adjusted when analyzing organizations of different sizes ‣ This process is a simplified, introductory version that may not be appropriate for some analyses
  • 2. Basic FAIR analysis is comprised of ten steps in four stages: Stage 1 – Identify scenario components 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 – Evaluate Loss Event Frequency (LEF) 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 – Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4 – Derive and articulate Risk 10. Derive and articulate Risk Risk Loss Event Frequency Probable Loss
  • 3. Magnitude Threat Event Frequency Vulnerability Contact Action Control Strength Threat Capability Primary Loss Factors Secondary Loss Factors Asset Loss Factors Threat Loss Factors Organizational Loss Factors External Loss Factors FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC
  • 4. Stage 1 – Identify Scenario Components Step 1 – Identify the Asset(s) at risk In order to estimate the control and value characteristics within a risk analysis, the analyst must first identify the asset (object) under evaluation. If a multilevel analysis is being performed, the analyst will need to identify and evaluate the primary asset (object) at risk and all meta-objects that exist between the primary asset and the threat community. This guide is intended for use in simple, single level risk analysis, and does not describe the additional steps required for a multilevel analysis. Asset(s) at risk: _____________________________________________________ _ Step 2 – Identify the Threat Community In order to estimate Threat Event Frequency (TEF) and Threat Capability (TCap), a specific threat community must first be identified. At minimum, when evaluating the risk associated with malicious acts, the analyst has to decide whether the threat community is human or malware, and internal or external. In most circumstances, it’s appropriate to define the
  • 5. threat community more specifically – e.g., network engineers, cleaning crew, etc., and characterize the expected nature of the community. This document does not include guidance in how to perform broad-spectrum (i.e., multi-threat community) analyses. Threat community: _____________________________________________________ _ Characterization FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Stage 2 – Evaluate Loss Event Frequency Step 3 – Threat Event Frequency (TEF) The probable frequency, within a given timeframe, that a threat agent will act against an asset Contributing factors: Contact Frequency, Probability of Action Very High (VH) > 100 times per year High (H) Between 10 and 100 times per year Moderate (M) Between 1 and 10 times per year
  • 6. Low (L) Between .1 and 1 times per year Very Low (VL) < .1 times per year (less than once every ten years) Rationale FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 4 – Threat Capability (Tcap) The probable level of force that a threat agent is capable of applying against an asset Contributing factors: Skill, Resources Very High (VH) Top 2% when compared against the overall threat population High (H) Top 16% when compared against the overall threat population Moderate (M) Average skill and resources (between bottom 16% and top 16%) Low (L) Bottom 16% when compared against the overall threat population Very Low (VL) Bottom 2% when compared against the overall
  • 7. threat population Rationale FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 5 – Control strength (CS) The expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force Contributing factors: Strength, Assurance Very High (VH) Protects against all but the top 2% of an avg. threat population High (H) Protects against all but the top 16% of an avg. threat population Moderate (M) Protects against the average threat agent Low (L) Only protects against bottom 16% of an avg. threat population Very Low (VL) Only protects against bottom 2% of an avg. threat population Rationale
  • 8. FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 6 – Vulnerability (Vuln) The probability that an asset will be unable to resist the actions of a threat agent Tcap (from step 4): CS (from step 5): Vulnerability VH VH VH VH H M H VH VH H M L Tcap M VH H M L VL L H M L VL VL VL M L VL VL VL VL L M H VH Control Strength Vuln (from matrix above): FAIR™ Basic Risk Assessment Guide
  • 9. All Content Copyright Risk Management Insight, LLC Step 7 – Loss Event Frequency (LEF) The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset TEF (from step 3): Vuln (from step 6): Loss Event Frequency VH M H VH VH VH H L M H H H TEF M VL L M M M L VL VL L L L VL VL VL VL VL VL VL L M H VH Vulnerability LEF (from matrix above): FAIR™ Basic Risk Assessment Guide
  • 10. All Content Copyright Risk Management Insight, LLC Stage 3 – Evaluate Probable Loss Magnitude Step 8 – Estimate worst-case loss Estimate worst-case magnitude using the following three steps: ‣ Determine the threat action that would most likely result in a worst-case outcome ‣ Estimate the magnitude for each loss form associated with that threat action ‣ “Sum” the loss form magnitudes Loss Forms Threat Actions Productivity Response Replacement Fine/Judgments Comp. Adv. Reputation Access Misuse Disclosure Modification Deny Access Magnitude Range Low End Range High End Severe (SV) $10,000,000 -- High (H) $1,000,000 $9,999,999
  • 11. Significant (Sg) $100,000 $999,999 Moderate (M) $10,000 $99,999 Low (L) $1,000 $9,999 Very Low (VL) $0 $999 FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Step 9 – Estimate probable loss Estimate probable loss magnitude using the following three steps: ‣ Identify the most likely threat community action(s) ‣ Evaluate the probable loss magnitude for each loss form ‣ “Sum” the magnitudes Loss Forms Threat Actions Productivity Response Replacement Fine/Judgments Comp. Adv. Reputation Access Misuse Disclosure Modification
  • 12. Deny Access Magnitude Range Low End Range High End Severe (SV) $10,000,000 -- High (H) $1,000,000 $9,999,999 Significant (Sg) $100,000 $999,999 Moderate (M) $10,000 $99,999 Low (L) $1,000 $9,999 Very Low (VL) $0 $999 FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Stage 4 – Derive and Articulate Risk Step 10 – Derive and Articulate Risk The probable frequency and probable magnitude of future loss Well-articulated risk analyses provide decision-makers with at least two key pieces of information: ‣ The estimated loss event frequency (LEF), and ‣ The estimated probable loss magnitude (PLM) This information can be conveyed through text, charts, or both.
  • 13. In most circumstances, it’s advisable to also provide the estimated high-end loss potential so that the decision-maker is aware of what the worst-case scenario might look like. Depending upon the scenario, additional specific information may be warranted if, for example: ‣ Significant due diligence exposure exists ‣ Significant reputation, legal, or regulatory considerations exist Risk Severe H H C C C High M H H C C PLM Significant M M H H C Moderate L M M H H Low L L M M M Very Low L L M M M VL L M H VH LEF LEF (from step 7): PLM (from step 9): WCLM (from step 8): Key Risk Level
  • 14. C Critical H High M Medium L Low FAIR™ Basic Risk Assessment Guide All Content Copyright Risk Management Insight, LLC Code Galore Caselet: Using COBIT® 5 for Information Security Company Profile – Code Galore Background Information The Problems Your Role Your Tasks Figures Notes Questions 2 Agenda © 2013 ISACA. All rights reserved. Profile Start-up company founded in 2005 One office in Sunnyvale, California, USA
  • 15. 10 remote salespeople and a few with space at resellers’ offices Approximately 100 total staff; about one-third work in engineering 3 Company Profile – Code Galore 4 What we do Org. Structure Operational Industry Products Sales Financials Background Information Building a comprehensive business function automation software that performs many functions (decision making in approaching new initiatives, goal setting and tracking, financial accounting, a payment system, and much more). The software is largely the joint brainchild of the Chief Technology Officer (CTO) and a highly visionary Marketing Manager who left the company a year ago 5 What we do Org. Structure Operational Industry Products Sales Financials Background Information – What We Do
  • 16. Financed 100% by investors who are extremely anxious to make a profit. Investors have invested more than US $35 million since inception and have not received any returns. The organization expected a small profit in the last two quarters. However, the weak economy led to the cancellation of several large orders. As a result, the organization was in the red each quarter by approximately US $250,000. 6 Background Information – Financials What we do Org. Structure Operational Industry Products Sales Financials Code Galore is a privately held company with a budget of US $15 million per year. Sales last year totaled US $13.5 million (as mentioned earlier, the company came within US $250,000 of being profitable each of the last two quarters). The investors hold the preponderance of the company’s stock; share options are given to employees in the form of stock options that can be purchased for US $1 per share if the company ever goes public. Code Galore spends about five percent of its annual budget on marketing. Its marketing efforts focus on portraying other financial function automation applications as ‘point solutions’ in contrast to Code Galore’s product. 7 Background Information – Financials What we do Org. Structure
  • 17. Operational Industry Products Sales Financials 8 Background Information – Org. Structure Figure 1—Code Galore Organisational Chart CEO CSO VP, Finance VP, Business CTO VP, Human Resources Security Administrator Sales Mgr Accounting Dir. Sr. Financial Analyst Infrastructure Mgr.
  • 18. Sys. Dev. Mgr. HR Manager What we do Org. Structure Operational Industry Products Sales Financials The board of directors: Consists of seasoned professionals with many years of experience in the software industry Is scattered all over the world and seldom meets, except by teleconference Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months 9 Background Information – Org. Structure What we do Org. Structure Operational Industry Products Sales Financials The CEO: Is the former chief financial officer (CFO) of Code Galore that replaced the original CEO who resigned to pursue another opportunity two years ago Has a good deal of business knowledge, a moderate amount of experience as a C-level officer, but no prior experience as a
  • 19. CEO As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best Background Information – Org. Structure 10 What we do Org. Structure Operational Industry Products Sales Financials Engineers perform code installations. The time to get the product completely installed and customized to the customer’s environment can exceed one month with costs higher than US $60,000 to the customer. Labour and purchase costs are too high for small and medium- sized businesses. So far, only large companies in the US and Canada have bought the product. C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company, and are unwilling to invest much more. 11 Background Information – Operational What we do Org. Structure
  • 20. Operational Industry Products Sales Financials Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support. The business function automation software arena has many products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies. Background Information – Industry 12 What we do Org. Structure Operational Industry Products Sales Financials The product is comprehensive—at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore’s product covers. Additionally, the product integrates information and statistics throughout all functions—each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding. Background Information – Products 13
  • 21. What we do Org. Structure Operational Industry Products Sales Financials Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product. The price is not just due to the cost of software development; it also is due to the configuration labour required to get the product running suitably for its customers. Background Information – Sales 14 What we do Org. Structure Operational Industry Products Sales Financials Acquisition Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation. Skyhaven consists of approximately 15 people, mostly programmers who work at the company’s small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven’s was an archaic public switched telephone network (PSTN).
  • 22. Setting up a WAN Two months ago, your company’s IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore’s internal network and vice versa. You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven’s code integrated into Code Galore’s. 15 The Problems Information Security More recently, you have discovered that the connection does not require a password for access and that, once a connection to the internal network is established from outside the network, it is possible to connect to every server within the network, including the server that holds Code Galore’s source code and software library and the server that houses employee payroll, benefits and medical insurance information. Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive files, but a recent vulnerability scan showed that both servers have vulnerabilities that could allow an attacker to gain unauthorised remote privileged access. You have told the IT director that these vulnerabilities need to be patched, but because of the concern that patching them may cause them to crash or behave unreliably and because Code Galore must soon become profitable or else, you have granted the IT director a delay of one month in patching the servers.
  • 23. 16 The Problems – Overview Bots What now really worries you is that, earlier today, monitoring by one of the security engineers who does some work for you has shown that several hosts in Skyhaven’s network were found to have bots installed in them. Source Code Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code (which is to be integrated into Code Galore’s source code as soon as the Skyhaven programmers are through with the release on which they are currently working) is on just about every Skyhaven machine, regardless of whether it is a workstation or server. 17 The Problems – Overview Code Galore vs. Skyhaven Employee knowledge Code Galore employees are, in general, above average in their knowledge and awareness of information security, due in large part to an effective security awareness programme that you set up two months after you started working at Code Galore and have managed ever since. You offer monthly brown bag lunch events in a large conference room, display posters reminding employees not to engage in actions such as opening attachments that they are not expecting, and send a short monthly newsletter informing employees of the direction in which the company is going in terms of security and how they can help.
  • 24. Very few incidents due to bad user security practices occurred until Skyhaven Software was acquired. Skyhaven’s employees appear to have almost no knowledge of information security. You also have discovered that the Skyhaven employee who informally provides technical assistance does not make backups and has done little in terms of security configuration and patch management. 18 The Problems – Overview 19 Your Role Hired two years ago as the only Chief Security Officer (CSO) this company has ever had. Report directly to the Chief Executive Officer (CEO). Attend the weekly senior management meeting in which goals are set, progress reports are given and issues to be resolved are discussed. The Information Security Department consists of just you; two members of the security engineering team from software are available eight hours each week. 10 years of experience as an information security manager, five of which as a CSO, but you have no previous experience in the software arena. Four years of experience as a junior IT auditor. Undergraduate degree in managing information systems and have earned many continuing professional education credits in information security, management and audit areas. Five years ago, you earned your CISM certification. The focus here is not on a business unit, but rather on Code
  • 25. Galore as a whole, particularly on security risk that could cripple the business. Due primarily to cost-cutting measures the CEO has put in place, your annual budget has been substantially less than you requested each year. Frankly, you have been lucky that no serious incident has occurred so far. You know that in many ways your company has been tempting fate. You do the best you can with what you have, but levels of unmitigated risk in some critical areas are fairly high. Your Role and the Business Units 20 Mr. Wingate’s focus on cost cutting is a major reason that you have not been able to obtain more resources for security risk mitigation measures. He is calm and fairly personable, but only a fair communicator, something that results in your having to devote extra effort in trying to learn his expectations of your company’s information security risk mitigation effort and keeping him advised of risk vectors and major developments and successes of this effort. 21 Your Role and the CEO, Ernest Wingate Code Galore’s IT director is Carmela Duarte. She has put a system of change control into effect for all IT activities
  • 26. involving hardware and software. This system is almost perfect for Code Galore—it is neither draconian nor too lax and very few employees have any complaints against it. You have an excellent working relationship with her, and although she is under considerable pressure from her boss, the CTO, and the rest of C-level management to take shortcuts, she usually tries to do what is right from a security control perspective. She is working hard to integrate the Skyhaven Software network into Code Galore’s, but currently, there are few resources available to do a very thorough job. She would also do more for the sake of security risk mitigation if she had the resources. Carmela has worked with Code Galore since 2006, and she is very much liked and respected by senior management and the employees who work for her. 22 Your Role and the IT Director, Carmela Duarte You believe that Code Galore’s (but not Skyhaven Software’s) security risk is well within the risk appetite of the CEO and the board of directors. You have a good security policy (including acceptable use provisions) and standards in place, and you keep both of them up to date. You have established a yearly risk management cycle that includes asset valuation, threat and vulnerability assessment,
  • 27. risk analysis, controls evaluation and selection, and controls effectiveness assessment, and you are just about ready to start a controls evaluation when you suddenly realise that something more important needs to be done right away (outlined in The Problem section). 23 Your Tasks © 2013 ISACA. All rights reserved. Using the figure 4 template, you need to modify the qualitative risk analysis that you performed six months ago to take into account the risk related to Skyhaven Software. The major risk events identified during this risk analysis are shown in figure 2. You must not only head this effort, but for all practical purposes, you will be the only person from Code Galore who works on this effort. 24 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risk and previously unmitigated or unsuitably mitigated risk. You may find that some risk events are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. This may help optimise your risk mitigation investments. To the degree that you realistically and accurately identify new and changed risk, you will modify the direction of your
  • 28. information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risk and facilitates growth of the business. Failure to realistically and accurately identify new and changed risk will result in blindness to relevant risk that will lead to unacceptable levels of unmitigated risk. 25 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. You must revise the most recent risk analysis, not only by reassessing all the currently identified major risk, but also by adding at least three risk events that were not previously identified. COBIT 5 provides tools that might be helpful in determining the best approach reassessing and prioritising the major risk events, in EDM03, Ensure risk optimisation. You must also provide a clear and complete rationale for the risk events, their likelihood, and impacts (outlined in the section Alternatives With Pros and Cons of Each section). 26 Your Tasks – Qualitative Risk Analysis © 2013 ISACA. All rights reserved. The rationale for each security-related risk that you select must include a discussion of the pros and cons associated with identifying and classifying each as a medium-low risk or higher. For example, suppose that you decide that a prolonged IT outage is no longer a medium- to low-level risk, but instead is now a low risk.
  • 29. The pros (purely hypothetical in this case) may be that outage- related risk events are now much lower than before due to, for example, the implementation of a new backup and recovery system that feeds data into an alternative data center (not true in this caselet). In this case allocating additional resources would therefore be a waste of time and money. 27 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. On the con side, lowering the severity of a prolonged IT outage risk may result in underestimation of this source of risk, which could result in failing to allocate resources and in a much higher amount of outage-related loss and disruption than Code Galore could take, given its somewhat precarious state. 28 Your Tasks – Pros and Cons © 2013 ISACA. All rights reserved. Exhibits – Major Risk 29 © 2013 ISACA. All rights reserved. Figure 2—Major Risk Figure 3—Network Diagram 30 © 2013 ISACA. All rights reserved.
  • 30. 31 Figure 4—Risk Analysis Template © 2013 ISACA. All rights reserved. Since Code Galore is in the business function automation software arena it should be consider using business process automation (BPA), a strategy an business uses to automate processes in order to contain costs. It consists of integrating applications, restructuring labor resources and using software applications throughout the organization. Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical right now. Yet, this company has opened itself up to significant levels of security risk because of acquiring Skyhaven Software and the need for former Skyhaven programmers to access resources within the corporate network. Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and assesses the magnitude of security risk from acquiring Skyhaven and opening the Code Galore network to connections from the Skyhaven network and prescribes appropriate controls, given Code Galore’s cash crunch, not many resources (money and labour) are likely to be available for these controls. 32 Notes © 2013 ISACA. All rights reserved.
  • 31. All the CSO may be able to do is document the risk and make prioritised recommendations for controls, waiting for the right point in time when the company’s financial situation gets better. If an information security steering committee exists, the CSO must keep this committee fully apprised of changes in risk and solicit input concerning how to handle this difficult situation. At the same time, the CSO should initiate an ongoing effort (if no such effort has been initiated so far) to educate senior management and key stockholders concerning the potential business impact of the new risk profile. (Note: The kind of situation described in this caselet is not uncommon in real- world settings.) 33 Notes © 2013 ISACA. All rights reserved. What are the most important business issues and goals for Code Galore? What are the factors affecting the problem related to this case? What are the managerial, organizational, and technological issues and resources related to this case? What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications? What are some of the emerging IT security technologies that should be considered in solving the problem related to the case? 34 Discussion Questions 1-5 © 2013 ISACA. All rights reserved. In what major ways and areas can information security help the
  • 32. business in reaching its goals? Which of the confidentiality, integrity and availability (CIA) triad is most critical to Code Galore’s business goals, and why? Change leads to risk, and some significant changes have occurred. Which of these changes lead to the greatest risk? Imagine that three of the greatest risk events presented themselves in worst-case scenarios. What would be some of these worst-case scenarios? How can the CSO in this scenario most effectively communicate newly and previously identified risk events that have grown because of the changes to senior management? 35 Discussion Questions 6-10 © 2013 ISACA. All rights reserved.