RFC 2196 - Site Security Handbook
Formulae
Total Risk = Threat * Vulnerability * Asset Value
Annual Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence
Residual Risk = Annual Loss Expectancy * Control Gap
Single Loss Expectancy = Asset Value * Exposure Factor
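A worked calculation of the SLE, ALE and residual-risk formulae above, added here as an illustration and not part of the original notes. The asset values, exposure factors, ARO figures and control cost are constructed sample numbers; the cost/benefit rule (ALE before a control, minus ALE after it, minus the control's annual cost) and the reading of "control gap" as the fraction of risk a control leaves uncovered are assumptions that go beyond what the notes state.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One threat against one asset, with the inputs the formulae need."""
    name: str
    asset_value: float      # AV: value of the asset, in currency units (constructed)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * Annualized Rate of Occurrence."""
        return self.sle() * self.aro


def residual_risk(ale: float, control_gap: float) -> float:
    """Residual Risk = ALE * Control Gap.

    Assumption: control_gap is the fraction of the risk a control leaves
    uncovered (0.0 = fully covered, 1.0 = no coverage at all).
    """
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control_gap must be between 0.0 and 1.0")
    return ale * control_gap


def control_net_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Assumed cost/benefit rule: a control pays for itself when the ALE it
    removes exceeds what it costs per year (positive result = worth buying)."""
    return (ale_before - ale_after) - annual_cost


def rank_by_ale(scenarios):
    """Order scenarios by annual loss expectancy, largest first, so the
    control budget goes to the biggest expected loss rather than the scariest headline."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample scenarios; the numbers are illustrative, not from any source.
SCENARIOS = [
    RiskScenario("ransomware on file server", asset_value=200_000, exposure_factor=0.25, aro=0.5),
    RiskScenario("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=2.0),
    RiskScenario("data centre flood", asset_value=1_000_000, exposure_factor=0.6, aro=0.02),
]


def evaluate_backup_control():
    """Worked example: assume offline backups cut the ransomware ARO from 0.5
    to 0.1 at a cost of 10,000 per year and leave a 20% control gap."""
    before = SCENARIOS[0]
    after = RiskScenario(before.name, before.asset_value, before.exposure_factor, aro=0.1)
    return {
        "sle": before.sle(),                                                  # 50,000
        "ale_before": before.ale(),                                           # 25,000
        "ale_after": after.ale(),                                             # 5,000
        "net_value": control_net_value(before.ale(), after.ale(), 10_000),    # 10,000
        "residual": residual_risk(after.ale(), 0.2),                          # 1,000
    }


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:28s} SLE={s.sle():>12,.0f}  ALE={s.ale():>12,.0f}")
    print(evaluate_backup_control())
```

Ranking by ALE rather than by asset value is the point of the exercise: the flood scenario has the largest asset and the largest single loss, yet its low ARO puts it behind ransomware once losses are annualized.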
Risk Analysis
FRAP - Facilitated Risk Analysis Process - a team gets together and brainstorms through the risks; uses 26 common controls.
Delphi - answers are given in written form - good for drawing out quiet opinions - not good for discussion.
Risk Assessment Steps
1. Reduce, Transfer, or avoid risk
2. Derive annual loss potential
3. Perform a threat analysis
4. Estimate potential loss
5. Assign value to assets
Labeling
Government = Unclassified -> Top Secret
Commercial = Public -> Confidential
Roles
Information Security Officer - Functional Role of Security
Auditors -> provide reports on effectiveness to senior management
Senior Management - ultimately responsible for security