Chapter 4 Notes

Chapter 4 Learning Objectives

Upon completion of this material, you should be able to:
- Define risk management, risk identification, and risk control
- Understand how risk is identified and assessed
- Assess risk based on probability of occurrence and impact on an organization
- Grasp the fundamental aspects of documenting risk through the creation of a risk assessment
- Describe the risk mitigation strategy options for controlling risks
- Identify the categories that can be used to classify controls
- Recognize the conceptual frameworks that exist for evaluating risk controls and be able to formulate a cost-benefit analysis
- Understand how to maintain and perpetuate risk controls

Introduction
- Risk management: the process of identifying and controlling the risks facing an organization
- Risk identification: the process of examining an organization's current information technology security situation
- Risk control: applying controls to reduce risks to an organization's data and information systems

An Overview of Risk Management
- Know yourself: identify, examine, and understand the information and systems currently in place
- Know the enemy: identify, examine, and understand the threats facing the organization
- It is the responsibility of each community of interest within an organization to manage the risks that are encountered

The Roles of the Communities of Interest
- Information security, management and users, and information technology must all work together
- Management review:
  - Verify the completeness and accuracy of the asset inventory
  - Review and verify threats as well as controls and mitigation strategies
  - Review the cost effectiveness of each control
  - Verify the effectiveness of the controls deployed

Risk Identification
- Assets are the targets of various threats and threat agents
- Risk management involves identifying the organization's assets and identifying threats and vulnerabilities
- Risk identification begins with identifying the organization's assets and assessing their value

Asset Identification, Valuation, and Prioritization
- Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)
- Assets are then classified and categorized

People, Procedures, and Data Asset Identification
- Human resources, documentation, and data information assets are more difficult to identify
- People with knowledge, experience, and good judgment should be assigned this task
- These assets should be recorded using a reliable data-handling process
- Asset attributes for people: position name/number/ID; supervisor; security clearance level; special skills
- Asset attributes for procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
- Asset attributes for data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

This note was uploaded on 05/27/2011 for the course ITS 375 taught by Professor Thomas during the Fall '10 term at N.C. State.
