{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

Annualized loss expectancy ale n risk analysis should

Info iconThis preview shows pages 4–5. Sign up to view the full content.

View Full Document Right Arrow Icon
Annualized Loss Expectancy (ALE) n Risk analysis should contain the following: n Valuation of Critical Assets n Detailed listing of significant threats n Each threats likelihood n Loss potential by threat n Recommended remedial safeguards Remedies n Risk Reduction - implementation of controls to alter risk position n Risk Transference – get insurance, transfer cost of a loss to insurance n Risk Acceptance – Accept the risk, absorb loss Qualitative Scenario Procedure n Scenario Oriented n List the threat and the frequency n Create exposure rating scale for each scenario n Scenario written that address each major threat n Scenario reviewed by business users for reality check n Risk Analysis team evaluates and recommends safeguards n Work through each finalized scenario n Submit findings to management Value Assessment n Asset valuation necessary to perform cost/benefit analysis n Necessary for insurance n Supports safeguard choices Safeguard Selection n Perform cost/benefit analysis n Costs of safeguards need to be considered including n Purchase, development and licensing costs n Installation costs n Disruption to production n Normal operating costs Cost Benefit Analysis ALE (PreControl) – ALE (PostControl) = Annualized value of the control
Background image of page 4

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Level of manual operations n The amount of manual intervention required to operate the safeguard n Should not be too difficult to operate Auditability and Accountability Safeguard must allow for auditability and accountability Recovery Ability n During and after the reset condition n No asset destruction during activation or reset n No covert channel access to or through the control during reset n No security loss after activation or reset n Defaults to a state that does not allow access until control are fully operational Security Awareness Training Benefits of Awareness n Measurable reduction in unauthorized access attempts n Increase effectiveness of control n Help to avoid fraud and abuse Periodic awareness sessions for new employees and refresh other Methods of awareness improvement n Live interactive presentations n CBTs n Publishing of posters and newsletters n Incentives and awards n Reminders, login banners Training & Education n Security training for Operators n Technical training n Infosec training n Manager training
Background image of page 5
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}