QUESTION NUMBER 21-24
21. How is risk assessment carried out at the information system tier of the risk management hierarchy?
The Tier 2 context and the system development life cycle determine the purpose and define the scope of risk assessment activities at Tier 3. While initial risk assessments (i.e., risk assessments performed for the first time, rather than updating prior risk assessments) can be performed at any phase in the system development life cycle, ideally these assessments should be performed in the Initiation phase.

In the Initiation phase, risk assessments evaluate the anticipated vulnerabilities and predisposing conditions affecting the confidentiality, integrity, and availability of information systems in the context of the planned environments of operation. Such assessments inform risk response, enabling information system owners/program managers, together with mission/business owners, to make the final decisions about the security controls necessary based on the security categorization and the environment of operation.

Risk assessments are also conducted at later phases in the system development life cycle, updating risk assessment results from earlier phases. These risk assessment results for as-built or as-deployed information systems typically include descriptions of vulnerabilities in the systems, an assessment of the risks associated with each vulnerability (thereby updating the assessment of vulnerability severity), and corrective actions that can be taken to mitigate the risks. The risk assessment results also include an assessment of the overall risk to the organization and the information contained in the information systems by operating the systems as evaluated. Risk assessment results at Tier 3 are communicated to organizational entities at Tier 1 and Tier 2.
Risk assessment activities can be integrated with the steps in the Risk Management Framework (RMF), as defined in NIST Special Publication 800-37. The RMF, in its system development life cycle approach, operates primarily at Tier 3 with some application at Tiers 1 and 2, for example, in the selection of common controls. Risk assessments can be tailored to each step in the RMF as reflected in the purpose and scope of the assessments described in Section 3.1. Risk assessments can also help determine the type of security assessments conducted during various phases of the system development life cycle, the frequency of such assessments, the level of rigor applied during the assessments, the assessment methods used, and the types/number of objects assessed.
22. Explain the quantitative risk assessment.
Quantitative Analysis
• Quantitative analysis is much more formulaic and therefore requires lots more information as input.
• Therefore, where historical data is available, the frequency of attack is known and losses can be measured in numerical terms, quantitative analysis may be the most suitable approach.
• The advantage of this approach is that the risk can be very accurately measured and the process used iteratively.
• The downside is that it requires comprehensive records to be kept and is therefore not so good at dealing with new risks when they arise. Of course, the quality of the analysis will depend greatly on the accuracy and completeness of the input data.
• Specific risk analysis tools are often used for quantitative analysis. These have the advantages of being efficient (once the input data is collected), allowing data to be re-used and allowing the focus of resources to be placed on the analysis of the results.
• A quantitative risk assessment involves steps such as asset valuation; costing controls; determining Return On Security Investment (ROSI); and calculating values for Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE). This is by no means a comprehensive examination of all aspects of quantitative risk assessment, merely a brief examination of some of the details of that approach so that you can see that the numbers that form the foundation of all the calculations are themselves subjective.
Results of the Quantitative Risk Analyses
• The input items from the quantitative risk analyses provide clearly defined goals and results. The following items generally are derived from the results of the previous steps:
1. Assigned monetary values for assets
2. A comprehensive list of significant threats
3. The probability of each threat occurring
4. The loss potential for the company on a per-threat basis over 12 months
5. Recommended safeguards, controls, and actions
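A worked example of the SLE, ARO, ALE and ROSI calculations named in the answer to question 22, which also produces the per-threat 12-month loss potential listed as item 4 above. This is an added illustration, not part of the original notes; all figures are constructed, and ROSI is assumed to follow its common form (ALE reduction minus the annual cost of the control, divided by that cost).

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: monetary value assigned to the asset
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # EF once the control is in place
    new_aro: Optional[float] = None              # ARO once the control is in place

def sle(t: Threat) -> float:
    """Single Loss Expectancy: AV x EF, the loss from one incident."""
    return t.asset_value * t.exposure_factor

def ale(t: Threat) -> float:
    """Annual Loss Expectancy: SLE x ARO, the 12-month loss potential."""
    return sle(t) * t.aro

def apply_safeguard(t: Threat, s: Safeguard) -> Threat:
    """Residual threat profile after the control changes EF and/or ARO."""
    ef = t.exposure_factor if s.new_exposure_factor is None else s.new_exposure_factor
    return replace(t, exposure_factor=ef, aro=t.aro if s.new_aro is None else s.new_aro)

def rosi(t: Threat, s: Safeguard) -> float:
    """ROSI (assumed common form): (ALE reduction - annual cost) / annual cost."""
    reduction = ale(t) - ale(apply_safeguard(t, s))
    return (reduction - s.annual_cost) / s.annual_cost

def rank_safeguards(t: Threat, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Controls ordered by ROSI, best first; negative ROSI costs more than it saves."""
    return sorted(((s.name, rosi(t, s)) for s in options), key=lambda x: x[1], reverse=True)

# Constructed figures for illustration only; real inputs come from asset
# valuation and incident history, which is what makes the method subjective.
RANSOMWARE = Threat("ransomware on file server", asset_value=500_000,
                    exposure_factor=0.20, aro=0.5)
OPTIONS = [
    Safeguard("endpoint detection and patching", annual_cost=12_000, new_aro=0.1),
    Safeguard("tested offline backups", annual_cost=25_000, new_exposure_factor=0.05),
    Safeguard("extended insurance cover", annual_cost=60_000, new_exposure_factor=0.02),
]
```

With these inputs the SLE is 100,000, the ALE (12-month loss potential) is 50,000, and the three controls rank at ROSI +2.33, +0.50 and -0.25, the last one costing more per year than the loss it avoids.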
23. Compare the quantitative and qualitative risk assessment approaches.
24. List and explain the steps in risk assessment process.
For this question, refer to question number 2.