Annualized Loss Expectancy (ALE)

Risk analysis should contain the following:
  • Valuation of critical assets
  • Detailed listing of significant threats
  • Each threat's likelihood
  • Loss potential by threat
  • Recommended remedial safeguards

Remedies
  • Risk Reduction - implementation of controls to alter risk position
  • Risk Transference - get insurance, transfer cost of a loss to insurance
  • Risk Acceptance - accept the risk, absorb loss

Qualitative Scenario Procedure
  • Scenario oriented
  • List the threat and the frequency
  • Create exposure rating scale for each scenario
  • Scenario written that addresses each major threat
  • Scenario reviewed by business users for reality check
  • Risk analysis team evaluates and recommends safeguards
  • Work through each finalized scenario
  • Submit findings to management

Value Assessment
  • Asset valuation necessary to perform cost/benefit analysis
  • Necessary for insurance
  • Supports safeguard choices

Safeguard Selection
  • Perform cost/benefit analysis
  • Costs of safeguards need to be considered, including:
      • Purchase, development and licensing costs
      • Installation costs
      • Disruption to production
      • Normal operating costs

Cost Benefit Analysis
  ALE (PreControl) - ALE (PostControl) = Annualized value of the control
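
The cost/benefit step above, worked through as an added example (not part of the original slides). It assumes the standard definition ALE = asset value x exposure factor x annualized rate of occurrence, which these slides do not spell out, and spreads one-time safeguard costs evenly over an assumed lifetime. All names and figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """Loss profile for one threat against one asset (constructed values)."""
    asset_value: float       # asset valuation
    exposure_factor: float   # fraction of the asset lost per incident, 0..1
    aro: float               # expected incidents per year (threat likelihood)

    def ale(self) -> float:
        if not 0 <= self.exposure_factor <= 1 or self.aro < 0:
            raise ValueError("exposure_factor must be 0..1 and aro >= 0")
        # Assumed standard definition: ALE = (asset value * exposure factor) * ARO
        return self.asset_value * self.exposure_factor * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    purchase: float          # purchase, development and licensing (one-time)
    installation: float      # one-time
    disruption: float        # one-time disruption to production
    operating: float         # normal operating cost per year
    lifetime_years: int      # assumption: one-time costs spread evenly over this
    after: Exposure          # loss profile with the control in place

    def annual_cost(self) -> float:
        if self.lifetime_years <= 0:
            raise ValueError("lifetime_years must be positive")
        one_time = self.purchase + self.installation + self.disruption
        return one_time / self.lifetime_years + self.operating

def assess(before: Exposure, sg: Safeguard) -> dict:
    value = before.ale() - sg.after.ale()   # ALE(PreControl) - ALE(PostControl)
    net = value - sg.annual_cost()          # added step: value minus yearly cost
    return {"safeguard": sg.name, "control_value": round(value, 2),
            "annual_cost": round(sg.annual_cost(), 2),
            "net_benefit": round(net, 2), "justified": net > 0}

def rank(before: Exposure, candidates: list) -> list:
    """Order candidate safeguards by net annual benefit, best first."""
    return sorted((assess(before, c) for c in candidates),
                  key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample data: one threat scenario, two hypothetical safeguards
BEFORE = Exposure(asset_value=500_000, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Safeguard("A", 60_000, 15_000, 15_000, 20_000, 3, Exposure(500_000, 0.4, 0.1)),
    Safeguard("B", 150_000, 30_000, 60_000, 10_000, 3, Exposure(500_000, 0.1, 0.5)),
]
```

Safeguard B removes almost as much expected loss as A, but its yearly cost exceeds the annualized value of the control, so it fails the cost/benefit test even though it reduces risk.
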

Level of manual operations
  • The amount of manual intervention required to operate the safeguard
  • Should not be too difficult to operate

Auditability and Accountability
  • Safeguard must allow for auditability and accountability

Recovery Ability
  • During and after the reset condition
  • No asset destruction during activation or reset
  • No covert channel access to or through the control during reset
  • No security loss after activation or reset
  • Defaults to a state that does not allow access until controls are fully operational

Security Awareness Training

Benefits of Awareness
  • Measurable reduction in unauthorized access attempts
  • Increase effectiveness of control
  • Help to avoid fraud and abuse

Periodic awareness sessions for new employees and refresh other

Methods of awareness improvement
  • Live interactive presentations
  • CBTs
  • Publishing of posters and newsletters
  • Incentives and awards
  • Reminders, login banners

Training & Education
  • Security training for operators
  • Technical training
  • Infosec training
  • Manager training