Avoidance of competitive disadvantage
The adoption and implementation of a business model, method, technique, resource, or technology to prevent the organization from being outperformed by a competitor; working to keep pace with the competition and with innovation rather than falling behind
Competitive advantage
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition
Risk assessment
A determination of the extent to which an organization's information assets are exposed to risk
Risk control
The application of controls that reduce the risks to an organization's information assets to an acceptable level
Risk identification
The enumeration and documentation of risks to an organization's information assets
Risk management
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
Residual risk
The amount of risk that remains to an information asset even after the organization has applied its desired level of controls
Risk appetite
The amount of risk an organization is willing to accept
Field change order (FCO)
An authorization issued by an organization for the repair, modification, or update of a piece of equipment
Data classification scheme
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it
Security clearance
A component of a data classification scheme that assigns a status level to employees to designate the maximum level of classified data they may access
Clean desk policy
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every workday
Dumpster diving
An information attack that involves searching through an organization's trash and recycling bins for sensitive information
Asset valuation
A process of assigning financial value or worth to each information asset
Threat assessment
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization
Threats-vulnerabilities-assets (TVA) triples
A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TVA, where there may be one or more vulnerabilities between the threat and asset.
Threats-vulnerabilities-assets worksheet
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings
attack success probability
The number of successful attacks that are expected to occur within a specified time period.
Likelihood
The probability that a specific vulnerability within an organization will be the target of an attack
Loss frequency
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range
Asset exposure
Also known as loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
Loss magnitude
Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
Defense Control Strategy
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards
Transfer control strategy
The risk control strategy that attempts to shift residual risk to other assets, other processes, or other organizations
Mitigation control strategy
The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation
Acceptance control strategy
The risk control strategy that indicates an organization is willing to accept the current level of residual risk
Termination control strategy
The risk control strategy that eliminates all risk associated with an information asset by removing it from service
Annualized cost of a safeguard (ACS)
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use
Annualized loss expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and the single loss expectancy
Annualized rate of occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis
Cost avoidance
The process of preventing the financial impact of an incident by implementing a control
Cost-benefit analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
Exposure factor (EF)
In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack
Single loss expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor
Qualitative assessment
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures
Quantitative Assessment
An asset valuation approach that attempts to assign absolute numerical measures
Benchmarking
The process of comparing other organizations' activities against the practices used in one's own organization in order to produce results it would like to duplicate
Best business practices
Security efforts that seek to provide a superior level of performance in the protection of information. AKA best practices or recommended practices.
Metrics-based measures
Performance measures or metrics based on observed numerical data
Performance gap
The difference between an organization's observed and desired performance
Process-based measures
Performance measures or metrics based on intangible activities
Baseline
A performance value or metric used to compare changes in the object being measured
Baselining
The comparison of past security activities and events against the organization's current performance
behavioral feasibility
Also known as operational feasibility, an assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
Operational feasibility
Also known as behavioral feasibility, an assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
organizational feasibility
An assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization
Political feasibility
An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest
technical feasibility
An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control
Single loss expectancy (SLE) formula
SLE = Exposure Factor (EF) x Asset Value
Annualized loss expectancy (ALE) formula
ALE = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Cost-benefit analysis (CBA) formula
CBA = ALE (prior) - ALE (post) - ACS (Annualized Cost of Safeguard)
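The three formulas above chained together into a safeguard selection, as an added worked example that is not part of the original glossary. The function names, the Safeguard class and the sample figures (asset value, exposure factors, ARO values and control costs) are constructed for illustration; a real CBA would take them from the asset valuation and threat assessment. It goes slightly beyond the page by ranking several candidate controls and returning none when no control has a positive CBA, which is the case where accepting the residual risk is the economically defensible choice.

```python
"""Cost-benefit analysis of candidate safeguards with the SLE, ALE and ACS
formulas from this glossary.

Added worked example, not from the original page. Function names, the
Safeguard class and all sample figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF, the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1 (0.1 = expected once per decade)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def annualized_cost_of_safeguard(total_cost: float, years_of_use: int) -> float:
    """ACS = all purchase, maintenance, subscription, personnel and support
    costs over the life of the control, divided by its expected years of use."""
    if years_of_use <= 0:
        raise ValueError("years of use must be positive")
    return total_cost / years_of_use


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Safeguard:
    name: str
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place
    total_cost: float             # lifetime cost of the control
    years_of_use: int


def evaluate(asset_value: float, ef_before: float, aro_before: float,
             safeguard: Safeguard) -> float:
    """CBA of one safeguard: ALE without it, ALE with it, minus its ACS."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.exposure_factor_after),
        safeguard.aro_after)
    acs = annualized_cost_of_safeguard(safeguard.total_cost, safeguard.years_of_use)
    return cost_benefit(ale_prior, ale_post, acs)


def best_safeguard(asset_value: float, ef_before: float, aro_before: float,
                   candidates: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Candidate with the highest positive CBA, or None when no control is
    cost-justified (accept the residual risk rather than overspend on it)."""
    scored = [(evaluate(asset_value, ef_before, aro_before, s), s) for s in candidates]
    justified = [(cba, s) for cba, s in scored if cba > 0]
    if not justified:
        return None
    return max(justified, key=lambda pair: pair[0])[1]


if __name__ == "__main__":
    # Constructed sample: a 250,000 asset, 40% lost per successful attack,
    # expected once every two years (ARO 0.5) -> SLE 100,000, ALE 50,000.
    ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 250_000.0, 0.4, 0.5
    candidates = [
        # Reduces the damage per attack (EF 0.4 -> 0.1), 60,000 over 3 years.
        Safeguard("damage-limiting control", 0.1, 0.5, 60_000.0, 3),
        # Reduces how often attacks succeed (ARO 0.5 -> 0.1), 150,000 over 3 years.
        Safeguard("frequency-reducing control", 0.4, 0.1, 150_000.0, 3),
    ]
    for s in candidates:
        print(f"{s.name}: CBA = {evaluate(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, s):,.0f}")
    chosen = best_safeguard(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, candidates)
    print("selected:", chosen.name if chosen else "none (accept residual risk)")
```

With the constructed figures the first control yields 50,000 - 12,500 - 20,000 = 17,500 per year and is selected; the second removes more expected loss (ALE falls to 10,000) but its 50,000 annual cost gives a CBA of -10,000, so on cost alone it is rejected.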
NIST SP 800-37, Rev. 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach
NIST SP 800-27, Rev. A
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST SP 800-26
Security Self-Assessment Guide for Information Technology Systems
Things to consider when evaluating best practices for your organization
1) Does your organization resemble the identified target organization? Is your organization in a similar industry as the target?
2) Can your organization expend resources similar to those identified with the best practice?
3) Is your organization in a sim
Federal Agency Security Practices (FASP)
A website established by the U.S. government to share best practices in information security
Two measures to compare benchmarking practices
Metrics-based and Process-based measures
FUD
Fear, uncertainty, and doubt; the emotions of upper management officials
Primary factors to consider when selecting a risk control strategy
Level of the threat and value of the asset
The most common mitigation plans are:
Contingency plans (incident response, disaster recovery, and business continuity plans)
The defense strategy includes three common methods
1) Application of policy (Managerial control)
2) Education and training (Operational control)
3) Application of technology (Technological control)
FAIR Approach to Risk Assessment
Stage 1: Identify scenario components
Stage 2: Evaluate Loss Event Frequency (LEF)
- Threat Event Frequency (TEF)
- Threat capability (TCap)
- Control strength (CS)
- Vulnerability (Vuln)
Stage 3: Evaluate Probable Loss Magnitude (PLM)
Stage 4: Derive and
Risk Formula
Risk = Loss frequency x Loss magnitude + uncertainty
Loss Event Frequency (LEF) Formula
LEF = Likelihood of attack x attack success probability
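The risk formula and the LEF formula above, carried through to a ranked TVA worksheet, as an added worked example that is not part of the original glossary. The TVATriple class, the function names and the three sample triples are constructed for illustration. One assumption is labelled in the code: the page says uncertainty is added but not in what unit, so here it is a fraction of the loss frequency x loss magnitude product (0.10 adds ten percent), and the exposure "percentage" of the loss magnitude definition is carried as a 0..1 fraction.

```python
"""Risk rating of threats-vulnerabilities-assets (TVA) triples and the ranked
TVA worksheet, using the loss frequency, loss magnitude and risk formulas
from this glossary.

Added worked example, not from the original page. The class, function names
and sample triples are constructed; the treatment of uncertainty as a
fraction of the LF x LM product is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class TVATriple:
    """One asset/threat pairing plus the vulnerability linking them."""
    asset: str
    asset_value: float          # from asset valuation
    exposure_factor: float      # fraction of the asset lost in one attack, 0..1
    threat: str
    vulnerability: str
    likelihood: float           # probability the vulnerability is attacked, 0..1
    attack_success_prob: float  # probability an attempted attack succeeds, 0..1
    uncertainty: float = 0.0    # assumption: fraction of LF x LM added as uncertainty


def _check_fraction(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


def loss_frequency(t: TVATriple) -> float:
    """LEF = likelihood of attack x attack success probability."""
    _check_fraction("likelihood", t.likelihood)
    _check_fraction("attack_success_prob", t.attack_success_prob)
    return t.likelihood * t.attack_success_prob


def loss_magnitude(t: TVATriple) -> float:
    """Loss magnitude (asset exposure) = asset value x exposure factor."""
    _check_fraction("exposure_factor", t.exposure_factor)
    return t.asset_value * t.exposure_factor


def risk_rating(t: TVATriple) -> float:
    """Risk = loss frequency x loss magnitude + uncertainty (see assumption above)."""
    _check_fraction("uncertainty", t.uncertainty)
    base = loss_frequency(t) * loss_magnitude(t)
    return base + base * t.uncertainty


def tva_worksheet(triples: Iterable[TVATriple]) -> List[Tuple[float, TVATriple]]:
    """The TVA worksheet: every triple with its rating, highest risk first.
    This ordering is what drives which asset/threat pairs get controls first."""
    rows = [(risk_rating(t), t) for t in triples]
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


# Constructed sample triples (not real inventory data).
SAMPLE_TRIPLES = [
    TVATriple("customer database", 100_000.0, 0.5, "software attack",
              "unpatched application server", 0.4, 0.5, uncertainty=0.10),
    TVATriple("public web server", 20_000.0, 1.0, "denial of service",
              "no rate limiting", 0.9, 0.8),
    TVATriple("archived records", 500_000.0, 0.1, "theft",
              "unlocked storage room", 0.05, 0.2),
]

if __name__ == "__main__":
    for rating, t in tva_worksheet(SAMPLE_TRIPLES):
        print(f"{rating:>10,.0f}  {t.asset} / {t.threat} / {t.vulnerability}")
```

The web server ranks first even though it is the cheapest asset, because a high loss frequency (0.9 x 0.8) applied to a total loss outweighs the database's larger but less likely loss; that inversion of the asset-value ordering is exactly what the worksheet is meant to expose.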
Compartmented Information
Named projects that require an extreme need-to-know before access is allowed
The Reasoned Approach to Risk
One that balances the expense of controlling vulnerabilities against possible losses if the vulnerabilities are exposed
...
...