QUESTION NUMBER 11-16
11. What are the various domains & corresponding processes of COBIT?
COBIT stands for “Control Objectives for Information and related Technology”. COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT uses a maturity model as a means of assessing the maturity of the processes described in the domains:
1) non-existent
2) initial / ad hoc
3) repeatable but intuitive
4) defined process
5) managed and measurable
6) optimised
COBIT is made up of a number of “domains”, “processes” and “activities”. Here they are:
DOMAIN
1) Plan & Organise (PO)
PROCESSES
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment (ITIL related: Financial Management for IT Services)
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
DOMAIN
2) Acquire & Implement (AI)
PROCESSES
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes (ITIL related: Change Management)
AI7 Install and Accredit Solutions and Changes (ITIL related: Release Management)
DOMAIN
3) Deliver & Support (DS)
PROCESSES
DS1 Define and Manage Service Levels (ITIL related: Service Level Management)
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity (ITIL related: Capacity Management)
DS4 Ensure Continuous Service (ITIL related: IT Service Continuity Management)
DS5 Ensure Systems Security (ITIL related: Security Management)
DS6 Identify and Allocate Costs (ITIL related: Financial Management for IT Services)
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents (ITIL related: Incident Management)
DS9 Manage the Configuration (ITIL related: Configuration Management)
DS10 Manage Problems (ITIL related: Problem Management)
DS11 Manage Data (ITIL related: Availability Management)
DS12 Manage the Physical Environment
DS13 Manage Operations
DOMAIN
4) Monitor & Evaluate (ME)
PROCESSES
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT identifies four classes of IT resources:
1) people
2) applications
3) information
4) infrastructure
12. Explain any 2 methods of quantitative risk assessment.
Or
16. How are the values of asset derived in quantitative risk assessment approach?
1) Single loss expectancy (SLE):
The value associated with the most likely loss from a single attack.
– Based on asset value and the expected percentage of loss that would occur from a particular attack: SLE = asset value (AV) x exposure factor (EF)
Where EF = the percentage loss that would occur from a given vulnerability being exploited. This information is usually estimated.
In most cases, the probability of a threat occurring is expressed as the probability of loss from an attack within a given time frame
– Commonly referred to as the ARO, or annualized rate of occurrence
2) The Cost Benefit Analysis (CBA) Formula
CBA determines whether or not a control alternative is worth its associated cost. CBAs may be calculated
– Before a control or safeguard is implemented, to determine if the control is worth implementing
OR
– After controls have been implemented and have been functioning for a time:
CBA = ALE(prior) – ALE(post) – ACS
– ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control
– ALE(post control) is the ALE examined after the control has been in place for a period of time
– ACS is the annual cost of the safeguard
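The SLE, ARO and CBA arithmetic above, carried through on constructed figures. This is an added example, not part of the original notes; it also uses the standard relation ALE = SLE x ARO, which the notes rely on in the CBA formula but do not write out. The asset value, exposure factors, ARO and safeguard cost are assumed sample values.

```python
# Added example (not from the original notes): quantitative risk assessment
# arithmetic for one threat scenario, before and after a safeguard.
#   SLE = AV x EF
#   ALE = SLE x ARO   (standard relation; used by the CBA formula below)
#   CBA = ALE(prior) - ALE(post) - ACS
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF. EF is a fraction, so 60% loss is 0.60, not 60."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO; an ARO of 0.5 means one expected event every two years."""
    return single_loss_expectancy(s.asset_value, s.exposure_factor) * s.aro


def cost_benefit(prior: Scenario, post: Scenario, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. A positive result means the
    safeguard's yearly cost is less than the yearly loss it prevents."""
    return annualized_loss_expectancy(prior) - annualized_loss_expectancy(post) - acs


# Constructed figures (assumptions): a customer database valued at 500,000 that a
# ransomware event would make 60% unusable, expected once every two years.
# An offline-backup control is assumed to cut EF to 10% and to cost 20,000 per year.
PRIOR = Scenario(asset_value=500_000, exposure_factor=0.60, aro=0.5)
POST = Scenario(asset_value=500_000, exposure_factor=0.10, aro=0.5)
ACS = 20_000

if __name__ == "__main__":
    print(f"SLE prior: {single_loss_expectancy(PRIOR.asset_value, PRIOR.exposure_factor):,.0f}")
    print(f"ALE prior: {annualized_loss_expectancy(PRIOR):,.0f}")
    print(f"ALE post : {annualized_loss_expectancy(POST):,.0f}")
    print(f"CBA      : {cost_benefit(PRIOR, POST, ACS):,.0f}")
```

With these figures the safeguard prevents 125,000 of expected annual loss against a 20,000 annual cost, so the CBA comes out at 105,000 in favour of implementing it.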
3) Benchmarking
– Seeking out and studying practices of other organizations that produce desired results
– Measuring differences between how organizations conduct business
When benchmarking, an organization typically uses one of two measures to compare practices:
– Metrics-based measures are comparisons based on numerical standards
– Process-based measures are generally less focused on numbers and are more strategic
In the field of information security, two categories of benchmarks are used:
– Standards of due care and due diligence, and
– Best practices
Within best practices, the gold standard is a subcategory of practices that are typically viewed as “the best of the best”
13. Explain with diagram OCTAVE method.
The OCTAVE Method has been designed for large organizations having multi-layered hierarchy and maintaining their own computing infrastructure. The organisational, technological and analysis aspects of an information security risk evaluation are undertaken by a three-phased approach with eight processes:
• Phase 1:
Build asset-based threat profiles (organizational evaluation)—The analysis team determines critical assets and what is currently being done to protect them. The security requirements for each critical asset are then identified. Finally, the organisational vulnerabilities with the existing practices and the threat profile for each critical asset are established.
• Phase 2:
Identify infrastructure vulnerabilities (technological evaluation)—The analysis team identifies network access paths and the classes of IT components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks and establishes the technological vulnerabilities that expose the critical assets.
• Phase 3:
Develop security strategy and mitigation plans (strategy and plan development)—The analysis team establishes risks to the organisation’s critical assets based on analysis of the information gathered and decides what to do about them. The team creates a protection strategy for the organisation and mitigation plans to address identified risks. The team also determines the ‘next steps’ required for implementation and gains senior management’s approval on the outcome of the whole process.
OCTAVE-S is suited for smaller organisations with flat hierarchical structures. The method is similar and based on the three phases described in the OCTAVE Method; however, it is streamlined into just four processes (figure 4):
• Process 1:
Identify organisational information: Processes one to three of the OCTAVE Method are performed here in just one step, as small organisations are assumed to have a flat organisational hierarchy.
• Process 2:
Build asset-based threat profiles: This is mapped to process 4 of the OCTAVE Method, to identify current organizational vulnerabilities and the threats to each critical asset.
• Process 3:
Identify infrastructure vulnerabilities: This is mapped to processes 5 and 6 of the OCTAVE Method. The analysis team examines the computing infrastructure to identify components related to the critical assets and to establish technology vulnerabilities.
• Process 4:
Develop protection strategy and mitigation plan: This is mapped to processes 7 and 8 of the OCTAVE Method.
14. Explain with diagram OCTAVE allegro.
OCTAVE Allegro is focused on risk assessment in an organizational context, but offers an alternative approach and attempts to improve an organization’s ability to perform risk assessment in a more efficient and effective manner. One of the insights acquired from earlier experiences has been the need to move to a more information-centric risk assessment.
One of the guiding philosophies of Allegro has been that when information assets are the focus of the security risk assessment, all other related assets are considered ‘information containers’, storing, processing or transporting the information assets.
Information containers can be people (since people access information and gain knowledge), objects (a piece of paper) or technology (a database). Thus, threats to information assets are analyzed by considering where they live, effectively limiting the number and types of assets brought into the process.
Some key drivers that led SEI to formulating this new methodology include:
• Improving ease of use
• Refining the definition of assessment scope by introducing the container concept
• Streamlining data collection and threat identification processes
• Reducing training and knowledge requirements
• Improving institutionalization and repeatability
• Reducing the technology view
The OCTAVE Allegro approach comprises eight processes and is organized into four phases (figure 5):
• Phase 1: Establish drivers—
The organisation develops risk measurement criteria consistent with organisational drivers.
• Phase 2: Profile assets—
Information assets that are determined to be critical are identified and profiled. This profiling process establishes clear boundaries for the asset; identifies its security requirements; and identifies all of the locations where the asset is stored, transported or processed.
• Phase 3: Identify threats—
Threats to critical information assets are identified in the context of the locations where the asset is stored, transported or processed.
• Phase 4: Identify and mitigate risks—
Risks to information assets are identified and analysed and the development of mitigation approaches commences.
15. What are the various risk framing components & explain relationship among them?
The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.
Figure 2 illustrates the fundamental components in organizational risk frames and the relationships among those components.
Organizations can use a single risk assessment methodology or can employ multiple assessment methodologies, with the selection of a specific methodology depending on, for example: (i) the time frame for investment planning or for planning policy changes; (ii) the complexity/maturity of organizational mission/business processes (by enterprise architecture segments); (iii) the phase of the information systems in the system development life cycle; or (iv) the criticality/sensitivity of the information and information systems supporting the core organizational missions/business functions.
1. Risk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments.
2. Assessment Approaches
Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculation of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur.
3. Analysis Approaches
Analysis approaches differ with respect to the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
4. Effects of Organizational Culture on Risk Assessments
Culture can also predispose organizations to employ risk models that require detailed analyses using quantitative assessments (e.g., nuclear safety). Alternatively, organizations may prefer qualitative or semi-quantitative assessment approaches. In addition to differences among organizations, differences can also exist within organizations.