によって r r 3年前.
393
 
                            
                        もっと見る
Presenting to mgmt
Risk Owners to accept
Residual Risk
Avoid
Don't Implement Tech
Transfer
Contracts
SLAs
Accept
Regular Reviews Needed
Cost/Benefit Analysis output
Reduce
Implement Controls
Residual risk = Inherent risk – Treated risk
— the rationale for selection of the treatment options, including the expected benefits to be gained; — those who are accountable and responsible for approving and implementing the plan; — the proposed actions; — the resources required, including contingencies; — the performance measures; — the constraints; — the required reporting and monitoring; — when actions are expected to be undertaken and completed.
Exposure factor (EF) This factor, expressed as a percentage, represents a measure of the extent of loss or impact on the value of the asset. For example, it is estimated that on average a computer attack affects three quarters of a network, the exposure factor of this threat would be 75%. Single Loss Expectancy (SLE) This value determines the monetary loss for a single risk occurrence. Calculating the single loss expectancy loss: the asset value x exposure factor (SLE = AV X EF). For example, if the value of computer equipment is $100,000 and that the exposure factor is 75%, the single loss expectancy (SLE) would then be $75,000. Annual rate of occurrence (ARO) This term characterizes, on an annual basis, the frequency that a risk occurs. This annual rate of occurrence is between 0 (never) and 1 (always). For example, if the probability of a cyber attack on a specific computer equipment, to occur, during the year, is once in a thousand years, the annual rate of occurrence (ARO) is 0.001. If the probability was once every 5 years, the annual rate of occurrence would be 0.2. Annual Loss Expectancy (ALE) The expected annual loss is the combination of the anticipated loss and the anticipated annual rate of occurrence. It determines the maximum amount to spend to protect an asset against a particular threat. The calculation is as follows ALE = SLE x ARO For example, if the single loss expectancy (SLE) was $75,000 and the annual rate of occurrence is 0.2, then the expected annual loss (ALE) is $15,000
NOTE: SUPPORTING is Laptop and File Server
NOTE: PRIMARY is Patient data and Client contracts
ISO/IEC 27005, Annex E.2.3 Example 2 — Ranking of Threats by Measures of Risk A matrix or table such as that shown in Table E.3 can be used to relate the factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects). The first step is to evaluate the consequences (asset value) on a predefined scale, e.g. 1 through 5, of each threatened asset (column “b” in the table). The second step is to evaluate the likelihood of threat occurrence on a predefined scale, e.g. 1 through 5, of each threat (column “c” in the table). The third step is to calculate the measure of risk by multiplying (b × c). Finally, the threats can be ranked in order of their associated measure of risk. Note that, in this example, 1 is taken as the lowest consequence and the lowest likelihood of occurrence.
Example presentation of impact
Human Impact
Monetary
generally most times you'll do a qualitative assessment
Identify Consequences/Impact
Real Life Example
Quantitatively
Qualitatively
Identify Vulnerabilities
Example
existing controls
Threats ISO/IEC 27005, clause 8.2.3
See ANNEX C, ISO 27005
Examples
Natural
Deliberate
Accidental
3.1 Assets
Supporting Assets
assign value
Each asset must have an owner
Primary Assets
Business process and activities
Information
Scanning Tools
Code Review
Pen testing
Vulnerability scanning
Documentation Review
Interviews
cover all subjects
take notes
Open-ended questions and clarify responses
Questionanaires
OCTAVE-Allegro
OCTAVE-S
Constraints - Annex A.3
Organisational
managerial
development
admin
Maintenance
Operation
Methods
Time
Environmental
Financial
Technical
Interfaces have to be taken into account
Exclusions have to be justified and documented
Risk Acceptance (clause 7.2.4) Annex E 2.2
Quantitative or Qualitative
Acceptance Maintenance Criteria
technology
social and humanitarian factors
finance
operations
business criteria
Impacts (to the org caused by an info sec event)
impairment of operations (internal or 3rd party)
breaches of info sec (CIA)
damage to rep
classificaion of impacted info asset
Evaluation of Risk (clause 7.2.2)
stakeholders' expectations and perceptions
operational and business importance of CIA
criticality of the info assets involved
strategic value of business info process
Internal Polocies
Market
Standards
Laws and Regulations
Establish Internal and External Context
Strategies
Ask people "what keeps you up and night?"
STEP (Social, Technical, Economical, Political)
PEST (Political, Economic, Social, Technological)
SWOT (Strengths Weaknesses, Opportunties, Threats)
Understand Key Processes
Objectives
Values
Mission
Risk Management Objectives
CRAMM
NIST 800-30
MEHARI
OCTAVE
Output
List of assessed risks that are prioritsed
Action
Risks Idenified, quantitavely or qualitiively
Input
Scope
Is readily available within the organisation
Becomes part of the culture of the organisation
Identify individuals who have the accountability and authority to manage risk
Risk Management = core business responsibility
Internal audit
Public relations
Legal service
regulatory and contractual
IT Technician
implement technical solutions for measuring and managing the daily operations
Info Sec
Identify controls to manage risk
HR
Finance
Cost/Benefit analysis
Top Mgmt
Assign to roles
Support from senior leaders