INFORMATION SECURITY AND AUDIT
SOLVED PRACTICE QUESTIONS

Risk

Risk in information security refers to the potential for loss, damage, or harm to an organization's information assets due to a threat exploiting a vulnerability. Risk is typically quantified in terms of:

  1. Likelihood: The probability that a threat will exploit a vulnerability.
  2. Impact: The potential damage or loss resulting from a successful exploitation.

Qualitative and Quantitative Risk

Qualitative Risk Analysis:

  • Subjective: Relies on judgement and experience to assess risks.
  • Descriptive: Uses terms like "high," "medium," or "low" to describe the likelihood and impact of a risk.
  • Quick and Easy: Useful for initial risk identification and prioritization.
  • Example: "There's a high chance of bad weather delaying the construction project."

Quantitative Risk Analysis:

  • Objective: Uses data and statistics to assess risks.
  • Numerical: Assigns probabilities and cost estimates to the likelihood and impact of a risk.
  • More Detailed: Provides a more precise understanding of potential losses.
  • Time-consuming and Complex: Requires more data and expertise to conduct.
  • Example: "There's a 70% chance of rain delaying the project by 2 weeks, resulting in an additional cost of $10,000."

Risk Analysis

Risk analysis is the process of identifying, assessing, and prioritizing risks. It involves evaluating the likelihood and impact of potential threats and vulnerabilities. The steps involved in risk analysis typically include:

  1. Identify Assets:
    • Determine what information, systems, and resources need protection.
  2. Identify Threats:
    • Recognize potential threats that could exploit vulnerabilities (e.g., cyberattacks, natural disasters, insider threats).
  3. Identify Vulnerabilities:
    • Identify weaknesses in systems, processes, or controls that could be exploited by threats.
  4. Assess Likelihood and Impact:
    • Estimate the probability of each threat exploiting a vulnerability and the potential consequences.
  5. Calculate Risk:
    • Combine the likelihood and impact assessments to quantify the risk. This can be done using qualitative, quantitative, or hybrid approaches.
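The "Calculate Risk" step and the qualitative/quantitative distinction above, as an added worked example (not part of these notes): a small risk register that rates each risk on a 3x3 high/medium/low matrix and also computes expected loss as probability x cost, then prioritizes. All register entries are constructed; the weather entry reuses the 70% / $10,000 figures from the quantitative example.

```python
from dataclasses import dataclass

# Qualitative bands on a 1..3 ordinal scale (assumed scale, not from the notes).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two 'low'/'medium'/'high' judgements into one rating via a 3x3 matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]  # 1..9
    if score >= 6:  # high*medium, medium*high, high*high
        return "high"
    if score >= 3:  # e.g. low*high, medium*medium, high*low
        return "medium"
    return "low"


def expected_loss(probability: float, cost: float) -> float:
    """Quantitative risk: expected loss = probability the event occurs x cost if it does."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * cost


@dataclass
class Risk:
    name: str
    likelihood: str     # qualitative judgement
    impact: str         # qualitative judgement
    probability: float  # quantitative estimate (0..1)
    cost: float         # quantitative estimate in currency units


def prioritize(risks):
    """Rank by expected loss (largest first); ties broken by the qualitative rating."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(
        risks,
        key=lambda r: (-expected_loss(r.probability, r.cost),
                       order[qualitative_rating(r.likelihood, r.impact)]),
    )


# Constructed sample register; values are illustrative only.
REGISTER = [
    Risk("Weather delays construction", "high", "medium", 0.70, 10_000),
    Risk("Ransomware on file server", "medium", "high", 0.10, 250_000),
    Risk("Laptop left on train", "medium", "low", 0.30, 2_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:30} {qualitative_rating(r.likelihood, r.impact):6} "
              f"expected loss ${expected_loss(r.probability, r.cost):,.0f}")
```

Note how the two views can disagree: the weather risk rates "high" qualitatively, but the ransomware entry carries the larger expected loss and so comes first in the quantitative ranking.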

Risk Management Cycle

The risk management cycle is an ongoing process of identifying, assessing, managing, and monitoring risks. It ensures that risks are continually addressed as the organization evolves and new threats emerge. The typical steps in the risk management cycle are:

  1. Risk Identification:
    • Continuously identify new risks as the organization changes and as new threats emerge. This involves regular review of assets, threats, and vulnerabilities.
  2. Risk Assessment and Analysis:
    • Evaluate the identified risks in terms of their likelihood and impact. Use qualitative or quantitative methods to prioritize the risks.
  3. Risk Mitigation:
    • Develop and implement strategies to manage and mitigate identified risks. Common strategies include:
      • Avoidance: Eliminate the risk by removing the cause.
      • Reduction: Implement controls to reduce the likelihood or impact.
      • Transfer: Shift the risk to a third party (e.g., through insurance).
      • Acceptance: Acknowledge the risk and decide to accept it without further action.
  4. Implementation of Controls:
    • Apply the chosen risk mitigation strategies. This can involve technical controls (e.g., firewalls, encryption), administrative controls (e.g., policies, training), and physical controls (e.g., locks, surveillance).
  5. Monitoring and Review:
    • Continuously monitor the effectiveness of implemented controls and review risks regularly. This involves:
      • Audits and Assessments: Regularly checking compliance and control effectiveness.
      • Incident Response: Being prepared to respond to security incidents and adjust controls as necessary.
      • Risk Reassessment: Periodically reassessing risks to account for new threats or changes in the environment.
  6. Communication and Reporting:
    • Communicate risk management activities and findings to stakeholders. Ensure that decision-makers are informed about the risk posture and any necessary actions.

Real-World Example

Scenario: An organization wants to protect its customer data from cyber threats.

  1. Risk Identification:
    • Identify assets (customer data), threats (hackers, malware), and vulnerabilities (unpatched software, weak passwords).
  2. Risk Assessment and Analysis:
    • Assess the likelihood of a hacker exploiting the unpatched software and the potential impact of a data breach.
  3. Risk Mitigation:
    • Decide to patch software (reducing vulnerability), implement multi-factor authentication (reducing likelihood), and purchase cyber insurance (transferring residual risk).
  4. Implementation of Controls:
    • Apply patches, enforce multi-factor authentication, and arrange for cyber insurance.
  5. Monitoring and Review:
    • Continuously monitor for new vulnerabilities, conduct regular security audits, and review the effectiveness of multi-factor authentication.
  6. Communication and Reporting:
    • Report the risk management actions to senior management and ensure all staff are aware of the new authentication policies.
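The customer-data scenario above, carried through in money terms as an added example (not part of these notes): inherent risk, then the Reduction controls (patching, multi-factor authentication) lowering likelihood, then Transfer (cyber insurance) removing part of the cost, and finally the Acceptance decision against a risk appetite. Every probability, cost, multiplier and appetite figure is constructed for illustration.

```python
# Constructed inherent-risk estimates for a customer-data breach.
INHERENT_PROB = 0.40      # chance per year, given unpatched software and weak passwords
BREACH_COST = 500_000.0   # cost if a breach occurs

# Reduction controls: (name, multiplier on likelihood, multiplier on impact); 1.0 = no change.
REDUCTION_CONTROLS = [
    ("patch software", 0.5, 1.0),               # fewer exploitable vulnerabilities
    ("multi-factor authentication", 0.4, 1.0),  # a weak or stolen password alone no longer suffices
]
INSURANCE_COVER = 300_000.0  # Transfer: share of the cost carried by the insurer
RISK_APPETITE = 25_000.0     # largest expected loss management is willing to Accept


def residual_risk(prob: float, cost: float, controls, insurance_cover: float) -> dict:
    """Apply Reduction controls, then Transfer, and return the residual figures."""
    for _name, likelihood_factor, impact_factor in controls:
        prob *= likelihood_factor
        cost *= impact_factor
    retained_cost = max(cost - insurance_cover, 0.0)  # what the organization still bears
    return {
        "probability": prob,
        "retained_cost": retained_cost,
        "expected_loss": prob * retained_cost,
    }


def treatment_decision(expected: float, appetite: float) -> str:
    """Accept when residual expected loss is within appetite; otherwise more work is needed."""
    return "accept" if expected <= appetite else "further reduction or avoidance required"


if __name__ == "__main__":
    inherent = INHERENT_PROB * BREACH_COST
    residual = residual_risk(INHERENT_PROB, BREACH_COST, REDUCTION_CONTROLS, INSURANCE_COVER)
    print(f"inherent expected loss: ${inherent:,.0f}")
    print(f"residual expected loss: ${residual['expected_loss']:,.0f} "
          f"(p={residual['probability']:.2f}, retained cost ${residual['retained_cost']:,.0f})")
    print("decision:", treatment_decision(residual["expected_loss"], RISK_APPETITE))
```

The Monitoring and Review step is what keeps these inputs honest: a new unpatched vulnerability or lapsed insurance changes the multipliers, and the residual figure must be recomputed against the appetite.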