Saturday, August 14, 2010

CISSP - Information Security and Risk Management

RFC 2196 - Site Security Handbook


Total Risk = Threat * Vulnerability * Asset Value

Annual Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence

Residual Risk = Annual Loss Expectancy * Control Gap

Single Loss Expectancy = Asset Value * Exposure Factor
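The SLE, ALE and residual risk formulas above, worked through a small constructed risk register (added example, not from the original notes; asset names, dollar figures and rates are made up for illustration, and the register is ranked by residual risk so the highest-exposure asset comes first):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair in a quantitative risk register (constructed example data)."""
    asset: str
    asset_value: float      # AV: business/replacement value in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year
    control_gap: float      # fraction of the risk current controls leave uncovered, 0.0 to 1.0

    def __post_init__(self):
        # EF and control gap are proportions; a value outside 0..1 is a data-entry
        # error, not a bigger risk, so refuse it instead of producing nonsense figures.
        for name in ("exposure_factor", "control_gap"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro cannot be negative")

def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE = Asset Value * Exposure Factor (loss from one incident), rounded to cents."""
    return round(s.asset_value * s.exposure_factor, 2)

def annual_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE * ARO (expected loss per year before any extra controls)."""
    return round(single_loss_expectancy(s) * s.aro, 2)

def residual_risk(s: RiskScenario) -> float:
    """Residual Risk = ALE * Control Gap (what the current controls leave uncovered)."""
    return round(annual_loss_expectancy(s) * s.control_gap, 2)

def rank_by_residual_risk(scenarios):
    """Return (asset, SLE, ALE, residual) tuples, highest residual risk first."""
    rows = [(s.asset, single_loss_expectancy(s), annual_loss_expectancy(s), residual_risk(s))
            for s in scenarios]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register: figures are illustrative, not from any real assessment.
REGISTER = [
    RiskScenario("customer database", 500_000, 0.40, 0.5, 0.30),  # breach roughly every 2 years
    RiskScenario("public web server", 80_000, 0.75, 2.0, 0.50),   # serious outage twice a year
    RiskScenario("laptop fleet", 120_000, 0.10, 4.0, 0.10),       # several lost laptops a year
]

if __name__ == "__main__":
    for asset, sle, ale, res in rank_by_residual_risk(REGISTER):
        print(f"{asset:18} SLE={sle:>11,.2f} ALE={ale:>11,.2f} residual={res:>10,.2f}")
```

Note that the web server ends up above the database: a lower asset value is outweighed by a higher rate of occurrence and a wider control gap, which is exactly what the ALE and residual-risk steps are meant to expose.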

Risk Analysis

FRAP - Facilitated Risk Analysis Process - a team gets together and brainstorms through the risks, working from a list of 26 common controls.

Delphi - answers are given in written form - good for drawing out the opinions of quiet participants - not good for discussion

Risk Assessment Steps
1. Reduce, Transfer, or avoid risk
2. Derive annual loss potential
3. Perform a threat analysis
4. Estimate potential loss
5. Assign value to assets


Government = Unclassified -> Top Secret

Commercial = Public -> Confidential


Information Security Officer - Functional Role of Security

Auditors -> provide reports on effectiveness to senior management

Senior Management - ultimately responsible for security

