Hello again, and welcome to the HCISPP Certification course, Enterprise Risk Management, Part One.
I'm your instructor, Shalane Hutchins.
Today we're going to discuss assets,
exposure, likelihood and impact,
threat, vulnerability and risk.
Organizations need to identify their information assets in order to categorize them based on criticality to business operations, and to determine the threats to the confidentiality, integrity and availability of each asset.
Similar to risk analysis, information valuation methods may be descriptive or metric.
Descriptive methods include the creation and dissemination of, and data collection from, checklists and surveys,
and metric or statistical measures may provide a more objective view of information valuation.
Tangible assets are generally those that have a physical presence.
These assets are typically valued based on the original cost of the asset minus any depreciation.
For risk assessment purposes, the information security professional needs to be aware of the original cost,
but more importantly the replacement cost.
As suppliers and vendors come into and leave the market, the cost of replacing a specific appliance, server or even type of lock may change due to supply and demand.
Additionally, assets that were originally depreciated may gain in value if the supply is less than the demand.
Certain assets may become outdated, and new assets may be required to replace the functionality or utility provided.
Intangible assets are not physical, such as trademarks, copyrights, patents, business processes, brand recognition and intellectual property.
A definite intangible asset is an intangible asset with a definite expiration period, such as a patent.
Once the patent expires, it no longer has value.
An indefinite intangible asset
is one with an indefinite expiration period, like an organization's brand;
the brand is expected to be maintained and preserved into the foreseeable future.
To approximate the value of an intangible asset, the following methods are generally acceptable:
the cost to create the asset and the cost to replace it;
capitalization of historic profits,
meaning if obtaining a patent, creating a brand or developing a new process directly led to increased profits,
those profits can be considered part of the overall value of the asset;
and cost avoidance or savings.
If acquiring the trademark of a product
or service allowed an organization to avoid paying royalties, those savings can be considered part of the asset's value.
Healthcare professionals should seek the aid of a financial expert when attempting to determine the intangible value of an asset.
Let's talk about exposure.
MITRE, a US non-profit organization, maintains the Common Vulnerabilities and Exposures, or CVE. It's a dictionary of names for vulnerabilities and exposures identified in the industry.
MITRE defines an exposure, an information security exposure, as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping stone into a system or network.
NIST 800-30 Revision 1 describes likelihood as a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability.
Likelihood is generally viewed as either adversarial or non-adversarial.
When considering the adversarial view, it's necessary to consider the adversary's capability, intent and targeting.
For the non-adversarial view, it's common to consider historical data.
Once a value has been determined for likelihood, it is associated with the impact so as to properly make a risk determination.
NIST 800-30 Revision 1 describes impact as the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure, modification or destruction of information,
or loss of information or information system availability.
When a health organization considers impact,
it needs to also consider other entities outside of itself.
For example, a health organization may have data that belongs to a specific patient.
Therefore, that patient needs to be considered, along with any other organization or entity that may be impacted.
In addition, each organization needs to explicitly define impact, which may include anything such as loss of life,
loss of money or loss of reputation, within its own scale.
Impact is considered in the same manner as likelihood and given a value
that will be used in computing risk.
It is also important to note that within the industry, impact may be called consequences in some taxonomies.
Threats are predefined topical areas that can put an organization at risk. Most risk assessment methodologies have a threat table that is utilized to determine if a system, given its unique characteristics, would actually have exposure or be vulnerable to a threat.
For instance, a hurricane is an environmental threat, but a data center in Kansas City has little exposure.
However, a data center in New Orleans has significant exposure and is vulnerable to the adverse impacts from a hurricane.
NIST 800-30 Revision 1 describes a threat as any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation.
Threat sources are not always malicious, as they may also be accidental.
Some common categories for threat sources are:
human, a malicious outsider or insider, or just human error; natural, fire, flood, tornado, hurricane, snowstorm or earthquake;
technical, hardware or software failure, malicious code or wireless technologies;
environmental, meaning hazardous waste or biological agents;
and operational, any process, whether manual or automated, that affects the confidentiality, integrity or availability of the information.
Now, a vulnerability is a weakness in an information system,
system security procedures, internal controls
or implementation that could be exploited by a threat source.
There are many software tools that can be used to scan and identify software vulnerabilities in a system,
but note that vulnerabilities may exist in areas other than systems.
A few examples of vulnerabilities are:
a receptionist or guard is not at the front entrance to limit access;
patching and configuration of IT systems are done on an ad hoc basis and are neither documented nor up to date;
or there is no quality review process for manual changes made to a fax number on a form that is faxed electronically.
Risk is determined by evaluating a number of factors and variables, along with the potential impact that might occur as a result of a risk being exercised.
The ISO 27005 definition of risk is the potential that a given threat will exploit a vulnerability.
This definition is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of the adverse impacts that would arise if the circumstance or event occurs
and the likelihood of occurrence.
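As an added worked example (not part of the lecture, and not a method the HCISPP material prescribes), the script below ties the lecture's terms together in code: a threat-table entry applies to an asset only when the asset actually has exposure (the required vulnerabilities are present and, for site-bound events such as hurricanes, the site has a history of them); likelihood is scored from adversary capability, intent and targeting, or from historical frequency for non-adversarial sources; impact is the worst harm across every affected party, patients included; and risk is the combination of likelihood and impact. The five-point scale, the frequency thresholds, the "weakest adversarial factor bounds likelihood" rule, the risk matrix and the sample asset and threat register are all assumptions made for this illustration.

```python
"""Worked risk determination (added illustration; not the lecture's material).

Scales, thresholds, the risk matrix and the sample register are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Assumed five-point qualitative scale for likelihood, impact and risk."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass
class Asset:
    name: str
    site: str                          # location, used for environmental exposure
    vulnerabilities: frozenset[str]    # weaknesses a threat source could exploit
    impact_by_party: dict[str, Level]  # harm per affected entity (org, patients, ...)


@dataclass
class Threat:
    name: str
    adversarial: bool
    requires: frozenset[str]           # vulnerabilities the threat needs to succeed
    # Adversarial threats: capability, intent and targeting (assumed scale).
    capability: Level = Level.VERY_LOW
    intent: Level = Level.VERY_LOW
    targeting: Level = Level.VERY_LOW
    # Non-adversarial threats: historical events per year keyed by site;
    # "*" is the default for sites not listed.
    events_per_year: dict[str, float] = field(default_factory=dict)

    def frequency_at(self, site: str) -> float:
        return self.events_per_year.get(site, self.events_per_year.get("*", 0.0))


def is_exposed(asset: Asset, threat: Threat) -> bool:
    """Exposure check: every precondition must be present on the asset and, for a
    non-adversarial threat, the site must have some history of the event (a Kansas
    City data center has no hurricane exposure even if it lacks failover)."""
    if not threat.requires <= asset.vulnerabilities:
        return False
    if not threat.adversarial and threat.frequency_at(asset.site) <= 0.0:
        return False
    return True


def likelihood(asset: Asset, threat: Threat) -> Level:
    """Adversarial: the attacker needs capability, intent and a reason to target
    this asset, so the weakest factor bounds the likelihood (assumption).
    Non-adversarial: map annual frequency onto the scale (assumed thresholds)."""
    if threat.adversarial:
        return min(threat.capability, threat.intent, threat.targeting)
    f = threat.frequency_at(asset.site)
    if f >= 1.0:
        return Level.VERY_HIGH
    if f >= 0.1:
        return Level.HIGH
    if f >= 0.01:
        return Level.MODERATE
    return Level.LOW if f >= 0.001 else Level.VERY_LOW


def impact(asset: Asset) -> Level:
    """Worst harm across every affected party, not only the organization itself."""
    return max(asset.impact_by_party.values())


# Likelihood (row) x impact (column) -> risk. Assumed matrix in the style of the
# NIST SP 800-30r1 likelihood/impact combination table; check it against your
# own methodology before relying on it.
RISK_MATRIX = {
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.LOW:       [Level.VERY_LOW, Level.LOW, Level.LOW, Level.LOW, Level.MODERATE],
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW, Level.LOW],
}


def risk(lik: Level, imp: Level) -> Level:
    return RISK_MATRIX[lik][imp]


def assess(assets: list[Asset], threats: list[Threat]) -> list[tuple]:
    """Ranked risk register: one row per (asset, threat) pair that has exposure,
    highest risk first; each row is (asset, threat, likelihood, impact, risk)."""
    rows = []
    for a in assets:
        for t in threats:
            if is_exposed(a, t):
                lik, imp = likelihood(a, t), impact(a)
                rows.append((a.name, t.name, lik, imp, risk(lik, imp)))
    rows.sort(key=lambda r: (r[4], r[2], r[3]), reverse=True)
    return rows


# Constructed sample register (assumed values mirroring the lecture's examples).
ASSETS = [
    Asset("EHR database", "new-orleans", frozenset({"ad-hoc-patching", "no-offsite-failover"}),
          {"organization": Level.HIGH, "patients": Level.VERY_HIGH}),
    Asset("backup server", "kansas-city", frozenset({"no-offsite-failover"}),
          {"organization": Level.MODERATE, "patients": Level.MODERATE}),
    Asset("fax intake form", "new-orleans", frozenset({"no-manual-change-review"}),
          {"organization": Level.LOW, "patients": Level.HIGH}),
]
THREATS = [
    Threat("hurricane", adversarial=False, requires=frozenset({"no-offsite-failover"}),
           events_per_year={"new-orleans": 0.3, "kansas-city": 0.0}),
    Threat("outsider exploits unpatched service", adversarial=True,
           requires=frozenset({"ad-hoc-patching"}),
           capability=Level.HIGH, intent=Level.VERY_HIGH, targeting=Level.MODERATE),
    Threat("mistyped fax number on form", adversarial=False,
           requires=frozenset({"no-manual-change-review"}), events_per_year={"*": 2.0}),
]

if __name__ == "__main__":
    for asset_name, threat_name, lik, imp, lvl in assess(ASSETS, THREATS):
        print(f"{lvl.name:9} {asset_name:16} <- {threat_name} (L={lik.name}, I={imp.name})")
```

Running it lists three register rows: the New Orleans EHR database against the hurricane ranks very high, while the Kansas City backup server never appears against the hurricane at all because the exposure check removes it before any likelihood is scored. The impact for the fax form is driven by the patients, not the organization, which is the point of considering outside entities when defining the impact scale.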
In summary, we've covered assets, exposure, likelihood and impact,
threat, vulnerability and risk.
Next up is Enterprise Risk Management, Part Two.