Friday, August 23, 2013

Risk Assessment

We can determine the relative risk of each vulnerability through a process called risk assessment.
Risk assessment assigns a risk rating or score to each information asset and each of its vulnerabilities. The score is not an absolute measure of loss; it is useful for gauging the relative risk introduced by each vulnerable information asset and for making comparative ratings later in the risk control process.

Introduction to Risk Assessment:
Risk identification estimates the following factors for each asset and vulnerability:
– Likelihood (of the vulnerability being exploited)
– Value of the information asset (or the impact of its loss)
– Percent of risk already mitigated by existing controls
– Uncertainty in the above estimates

Risk Determination:
For the purpose of relative risk assessment, the score for each asset/vulnerability pair is:

risk = (likelihood of vulnerability occurrence × value or impact of the asset)
       - percentage of risk already controlled
       + an element of uncertainty

The likelihood term scales the asset's value by how probable exploitation is; the control term credits the mitigation already in place; the uncertainty term is added because the likelihood and control figures are themselves estimates.

Identify Possible Controls:
For each threat and its associated vulnerabilities that still carry any residual risk, create a preliminary list of control ideas.
Residual risk is the risk that remains to the information asset after the existing controls have been applied; it is what any new control idea must reduce further.
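The risk-determination formula and the residual-risk definition above can be worked through with a small worksheet calculator. This is an added example, not code from the original post; the sample assets, values and percentages are constructed, and it assumes that both the "percentage already controlled" and the uncertainty figure are applied as fractions of the base likelihood × value product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of a vulnerability risk worksheet (constructed example data)."""
    asset: str
    vulnerability: str
    value: float        # asset value or impact score
    likelihood: float   # likelihood the vulnerability is exploited, 0.0-1.0
    controlled: float   # fraction of the risk already mitigated by existing controls, 0.0-1.0
    uncertainty: float  # uncertainty in the estimates, as a fraction of the base risk

    def __post_init__(self):
        for name in ("likelihood", "controlled", "uncertainty"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")
        if self.value < 0:
            raise ValueError("value must be non-negative")


def base_risk(e: RiskEntry) -> float:
    """likelihood x value: the risk before any existing control is credited."""
    return e.likelihood * e.value


def residual_risk(e: RiskEntry) -> float:
    """Risk remaining after existing controls (the 'percentage already controlled' term)."""
    return base_risk(e) * (1.0 - e.controlled)


def relative_risk(e: RiskEntry) -> float:
    """Worksheet score: residual risk plus the uncertainty allowance.

    Assumption (not stated on the page): the uncertainty percentage, like the
    control percentage, is taken as a fraction of the base likelihood x value figure.
    """
    return residual_risk(e) + base_risk(e) * e.uncertainty


def ranked_worksheet(entries):
    """Entries ordered highest relative risk first: the ranked vulnerability risk worksheet."""
    return sorted(entries, key=relative_risk, reverse=True)


# Constructed sample data, not taken from the page.
SAMPLE_WORKSHEET = [
    RiskEntry("Asset A", "V1", value=50, likelihood=1.0, controlled=0.0, uncertainty=0.10),
    RiskEntry("Asset B", "V2", value=100, likelihood=0.5, controlled=0.5, uncertainty=0.20),
    RiskEntry("Asset B", "V3", value=100, likelihood=0.1, controlled=0.0, uncertainty=0.20),
]

if __name__ == "__main__":
    print(f"{'asset':<8} {'vuln':<5} {'base':>6} {'residual':>9} {'score':>6}")
    for e in ranked_worksheet(SAMPLE_WORKSHEET):
        print(f"{e.asset:<8} {e.vulnerability:<5} {base_risk(e):>6.1f} "
              f"{residual_risk(e):>9.1f} {relative_risk(e):>6.1f}")
```

Note how the half-controlled vulnerability on the more valuable asset (V2) still outranks the low-likelihood one (V3): the ranking is driven by the residual, not by asset value alone, which is the point of computing relative rather than absolute risk.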

Access Controls:
One particular application of controls is access control.
Access controls are the controls that specifically govern the admission of a user into a trusted area of the organization.
There are a number of approaches to controlling access. Access controls can be:
– discretionary
– mandatory
– nondiscretionary

Types of Access Controls:
Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user: the user who controls the data decides who else may access it.
Mandatory Access Controls (MAC) are structured and coordinated with a data classification scheme and are required; the rules are enforced by the system rather than chosen by the individual user.
Nondiscretionary Controls are those determined by a central authority in the organization. They can be based on the individual's role (Role-Based Controls), on a specified set of duties or tasks the individual is assigned (Task-Based Controls), or on specified lists maintained on subjects or objects.

Lattice-based Control:
Another type of nondiscretionary access control is lattice-based control, where a lattice structure (or matrix) is created containing subjects and objects, and the access boundary for each subject/object pair is recorded in the corresponding cell.
This specifies the level of access each subject has to each object.
In a lattice-based control the column of attributes associated with a particular object is referred to as that object's access control list (ACL).
The row of attributes associated with a particular subject (such as a user) is referred to as that subject's capabilities table.
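The matrix, its two derived views (ACL as a column, capabilities table as a row) and the resulting access check can be shown in a few lines. This is an added example, not code from the original post; the subjects, objects and rights are constructed, and the deny-by-default behaviour for empty or missing cells is a design choice of the example rather than something the page states.

```python
from enum import Flag, auto


class Right(Flag):
    """Access rights that may appear in a cell of the matrix."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


class AccessLattice:
    """Subjects x objects matrix; every cell starts as Right.NONE (deny by default)."""

    def __init__(self, subjects, objects):
        self.subjects = list(subjects)
        self.objects = list(objects)
        self._cells = {(s, o): Right.NONE for s in self.subjects for o in self.objects}

    def grant(self, subject, obj, rights):
        # Refuse to grow the matrix implicitly: an unknown subject or object is a
        # data-entry error, not a reason to create a new row or column.
        if (subject, obj) not in self._cells:
            raise KeyError(f"unknown subject/object pair: {subject!r}, {obj!r}")
        self._cells[(subject, obj)] |= rights

    def acl(self, obj):
        """Column view: the access control list for one object (subjects with non-empty rights)."""
        return {s: self._cells[(s, obj)] for s in self.subjects if self._cells[(s, obj)]}

    def capabilities(self, subject):
        """Row view: the capabilities table for one subject (objects with non-empty rights)."""
        return {o: self._cells[(subject, o)] for o in self.objects if self._cells[(subject, o)]}

    def permits(self, subject, obj, requested):
        """Reference-monitor check: True only if every requested right is in the cell.

        An unknown subject or object has no cell, so it is denied; an empty
        request is also denied rather than trivially allowed.
        """
        granted = self._cells.get((subject, obj), Right.NONE)
        return requested != Right.NONE and requested in granted


def build_sample_lattice():
    """Constructed sample matrix (hypothetical users and files, not from the page)."""
    lattice = AccessLattice(
        subjects=["alice", "bob", "backup-svc"],
        objects=["payroll.db", "web.log", "deploy.sh"],
    )
    lattice.grant("alice", "payroll.db", Right.READ | Right.WRITE)
    lattice.grant("alice", "deploy.sh", Right.READ)
    lattice.grant("bob", "web.log", Right.READ)
    lattice.grant("bob", "deploy.sh", Right.READ | Right.EXECUTE)
    lattice.grant("backup-svc", "payroll.db", Right.READ)
    lattice.grant("backup-svc", "web.log", Right.READ)
    return lattice


if __name__ == "__main__":
    lattice = build_sample_lattice()
    print("ACL for payroll.db:", lattice.acl("payroll.db"))
    print("capabilities of bob:", lattice.capabilities("bob"))
    print("bob READ payroll.db:", lattice.permits("bob", "payroll.db", Right.READ))
```

The same matrix answers both of the questions an administrator asks: "who can touch this object?" (read the ACL column) and "what can this subject reach?" (read the capabilities row). Real systems usually store only one of the two views, which is why revoking a user's access is easy with ACLs and auditing a user's reach is easy with capabilities, but not the other way round.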

Documenting Results of Risk Assessment:
The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and to create a list of them, ranked so that those most in need of protection are addressed first.
In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience.
The process you develop for risk identification should include designating what function the reports will serve, who is responsible for preparing the reports, and who reviews them.
The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.
