The risk assessment process

Loading...

来自 University System of Georgia 的课程

The Business of Cybersecurity Capstone

24 个评分

University System of Georgia

The Business of Cybersecurity Capstone

24 个评分

课程 4（共 4 门，Specialization Cybersecurity: Developing a Program for Your Business）

This course intends to make the student familiar with information security management. When you have finished with this course you will know more about: • Governance: including the mission, roles and responsibilities of the InfoSec governance function, and the strategic planning process and InfoSec’s role in the organization’s strategic planning effort. • You will understand the various types of InfoSec policies and how effective information security policy is created and used. • Risk management and the risk management process • Certain laws and ethical issues impacting information security in the organization. And some common information security management practices such as benchmarking and performance measures.

从本节课中

Risk Management

This module will define risk management and explore the processes used by organizations to identify and control risk. This will include basic techniques used to identify and assess risk as well as exploration of the risk control strategies that can be used to help control risk. You will also experiment with reading an industry standard risk report that you will summarize and analyze as you assess operational risk for higher management as part of the ongoing case-based project.

The risk identification process4:51

The risk assessment process4:18

Executive viewpoint on risk management methodology2:15

与讲师见面

Dr. Humayun Zafar
Associate Professor of Information Security and Assurance
Information Systems
Dr. Traci Carte
Associate Professor Chair, Information Systems
Information Systems
Herbert J. Mattord, Ph.D., CISM, CISSP, CDP
Associate Professor in Information Security and Assurance
Information Systems
Mr. Andy Green
Lecturer of Information Security and Assurance
Kennesaw State University - Department of Information Systems
Michael Whitman, Ph.D., CISM, CISSP
Professor of Information Security
Information Systems

[SOUND] In order to begin the risk assessment phase,

the organization uses the list of information

assets it has identified and prioritizes assets and

the threats facing them to compare information assets to threats.

The resulting list of vulnerabilities are those that remain risks to

the organization.

This list should be created for each information asset

to document its vulnerability to each possible or likely attack.

The best way found to do this documentation is the threat vulnerability

asset, or TVA, Table.

As shown, it would list assets along the x-axis from most to least

valuable and lists threats along the y-axis from most to least dangerous.

At the intersection of the asset and threat pair,

list the vulnerabilities that the threat might use to cause a loss to the asset.

Now, we move onto assess the risk that exists in each of the TVA tables.

Risk is commonly calculated as the likelihood that a threat to an asset will

result in an adverse impact which is then multiplied by the consequences or

impact of that attack.

[INAUDIBLE] That value is then

increased by an estimate of how reliable our values of both likelihood and

impact are, known as a confidence interval.

Many approaches to assessing likelihood exist.

One example of some likelihood ratings on a scale of 0 to 5 is shown here.

Likewise, there are many ways to assess impact.

Here is an example of some impact ratings on a scale of zero to five.

Before the organization can proceed with the final phase of risk management,

activities, which is risk control,

it needs to understand how much risk is acceptable to management.

Some organizations have a very low tolerance for risk.

Such as banking and other financial services firms.

Other types of organization may tolerate more risk.

The amount of risk that remains after all current levels are implemented

is known as residual risk.

Any organization may reach a point in the risk management process and

find that the documented residual risk is low enough to accept

being within the bounds of its risk appetite.

They would end the current risk management cycle and document everything for

the next cycle.

Once the organization has assessed the current level of risk facing its

information assets and

defined its risk appetite, it can move to the final phase of risk management.

[SOUND] And that's called Risk Control.

In the Risk Control phase, organizations employ one or

more of the five strategies of risk control.

Defense, which is applying safeguards that eliminate or

reduce the remaining uncontrolled risk.

Transference, which is shifting risk to other areas or outside entities.

Mitigation, which is reducing the impact to

information assets should an attacker successful exploit a vulnerability.

Acceptance.

That's understanding the consequences of choosing to leave a risk uncontrolled and

then formally accepting the risk that remains without an attempt at control.

And the final is termination.

And that's removing or discontinuing the information asset from the organization's

operating environment all together.

Risk management is an essential process for every organization.

There are many formalized models for risk management in the marketplace, and

many organizations are using consulting resources to assist them in finding

the optimum means to reduce operational risk.

[NOISE]

探索我们的目录

免费加入并获得个性化推荐、更新和优惠。

Coursera 致力于普及全世界最好的教育，它与全球一流大学和机构合作提供在线课程。

© 2019 Coursera Inc. 保留所有权利。

通过 App Store 下载

通过 Google Play 获取