Download Chapter 20 Outline

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
Document related concepts
no text concepts found
Transcript 
Chapter 20 Outline
I.
An Overview of Risk Management
A. Risk management encompasses all the actions taken to reduce complexity,
increase objectivity, and identify important decision factors.
B. Depending on the size of the project or business, and the amount of risk inherent
in an activity, risk management can be simple or complex.
C. There are a number of key terms that users should know to manage risk.
1.
Risk: The possibility of suffering harm or loss.
2.
Risk management: The overall decision-making process of identifying
threats and vulnerabilities and their potential impacts, determining the costs
to mitigate such events, and deciding what actions are cost effective for
controlling these risks.
3.
Risk assessment (or risk analysis): The process of analyzing an environment
to identify the threats, vulnerabilities, and mitigating actions to determine
(either quantitatively or qualitatively) the impact of an event that would
affect a project, program, or business.
4.
Asset: Resource or information an organization needs to conduct its
business.
5.
Threat: Any circumstance or event with the potential to cause harm to an
asset.
6.
Vulnerability: Characteristic of an asset that can be exploited by a threat to
cause harm.
7.
Impact: The loss resulting when a threat exploits a vulnerability.
8.
Control (also called countermeasure or safeguard): A measure taken to
detect, prevent, or mitigate the risk associated with a threat.
9.
Qualitative risk assessment: The process of subjectively determining the
impact of an event that affects a project, program, or business. It usually
involves the use of expert judgment, experience, or group consensus to
complete the assessment. It is often used to attach a potential monetary loss
to a threat.
10. Quantitative risk assessment: The process of objectively determining the
impact of an event that affects a project, program, or business. It usually
involves the use of metrics and models to complete the assessment.
11. Mitigate: To reduce the likelihood of a threat from occurring.
12. Single loss expectancy (SLE): The monetary loss or impact of each
occurrence of a threat.
13. Exposure factor: A measure of the magnitude of loss of an asset. Used in
the calculation of single loss expectancy.
14 Annualized rate of occurrence (ARO): The frequency with which an event
is expected to occur on an annualized basis.
15. Annualized loss expectancy (ALE): Determines how much an event is
expected to cost per year.
II. What Is Risk Management?
A. Risk management is based upon what can possibly go wrong and what actions
should be taken. The following three definitions of risk management show why
it is sometimes considered difficult to understand.
1.
The dictionary defines risk as the possibility of suffering harm or loss.
2.
Carnegie Mellon University's Software Engineering Institute (SEI) defines
continuous risk management as: processes, methods, and tools for managing
risks in a project. It provides a disciplined environment for proactive
decision-making to:
a)
Assess continuously what could go wrong (risks).
b) Determine which risks are important to deal with.
c)
Implement strategies to deal with those risks (SEI, Continuous Risk
Management Guidebook [Pittsburgh, PA: Carnegie Mellon University,
1996], 22).
3.
The Information Systems Audit and Control Association (ISACA) states,
“In modern business terms, risk management is the process of identifying
vulnerabilities and threats to an organization's resources and assets and
deciding what countermeasures, if any, to take to reduce the level of risk to
an acceptable level based on the value of the asset to the organization”
(ISACA, Certified Information Systems Auditor (CISA) Review Manual,
2002 [Rolling Meadows, IL:ISACA, 2002], 344).
B. The three choices when managing risk are:
1.
Accept the risk.
2.
Take steps to mitigate or minimize the risk.
3.
Transfer the risk to a company that specializes in managing a specific type
of risk (the most common way to transfer risk is to purchase specialized
insurance).
III. Business Risks
A. In today's technology-dependent business environment, risk is often divided into
two areas: business risk and technology risk.
B. The most common business risks include:
1.
Treasury management
2.
Revenue management
3.
Contract management
4.
Fraud
5.
Environmental risk management
6.
Regulatory risk management
7.
Business continuity management
8.
Technology
C. The most common technology risks include:
1.
Security and privacy
2.
Information technology operations
3.
Business systems control and effectiveness
4.
Business continuity management
5.
Information systems testing
6.
Reliability and performance management
7.
Information technology asset management
8.
Project risk management
9.
Change management
IV. Risk Management Models
A. There are several models for managing risk through its various phases. The
selected model should align with the business objectives, strategies, and
performance goals of an organization.
B. The risk assessment process used by an enterprise should be standardized and
coordinated to ensure consistency in the assessment approach. This ensures
greater insight and understanding by the senior management. It also enables the
management at all levels to evaluate options and decide the best actions.
C. General risk management model.
1.
The following steps can be used in any risk management process.
a)
Asset identification: Includes identification and classification of assets,
systems, and processes that need protection because they are vulnerable
to threats. This classification enables the prioritization of assets,
systems, and processes and the evaluation of the costs of associated
risks. Assets can include:
(1) Tangible assets: Includes inventory, buildings, cash, information
and data, hardware, software, services, documents, and
personnel.
(2) Intangible assets: Includes brand recognition, organization
reputation, and goodwill.
b) Threat assessment: Identify the possible threats and vulnerabilities
associated with each asset and the likelihood of their occurrence.
(1) Threats can be defined as any circumstance or event with the
potential to cause harm to an asset.
(2) Common classes of threats include natural disasters, man-made
disasters, terrorism, errors, malicious damage or attacks, fraud,
theft, and equipment or software failure.
(3) Vulnerabilities are characteristics of resources that can be
exploited by a threat to cause harm. Examples of vulnerabilities
include unprotected facilities, unprotected computer systems,
unprotected data, insufficient procedures and controls, and
insufficient or unqualified personnel.
c)
Impact definition and quantification: An impact is the loss created
when a threat exploits a vulnerability.
(1) When a threat is realized, it turns risk into impact.
(2) Impacts can be tangible or intangible.
(3) Tangible impacts include direct loss of money, endangerment of
staff or customers, loss of business opportunity, reduction in
operational efficiency or performance, and interruption of a
business activity.
(4) Intangible impacts include breach of legislation or regulatory
requirements, loss of reputation or goodwill (brand damage), and
breach of confidence.
d) Control design and evaluation: Controls (also called countermeasures
or safeguards) are designed to control risk by reducing vulnerabilities
to an acceptable level.
(1) Controls can be actions, devices, or procedures.
(2) Preventive controls are designed to prevent the vulnerability from
being exploited by a threat, thus causing an impact.
(3) Detective controls are those that detect a vulnerability that has
been exploited by a threat so that action can be taken.
e)
Residual risk management: Any risks that remain after implementing
controls are termed residual risks.
(1) Residual risks can be further evaluated to identify where
additional controls are required to reduce risk.
(2) When processes change as a result of business process
reengineering or organizational changes, the status of risk
management activities should be reviewed. Management shakeups and reorganizations can create new risks or weaken existing
control activities designed to mitigate risks.
D. Software Engineering Institute Model.
1.
Software Engineering Institute (SEI) model uses the paradigm (SEI,
Continuous Risk Management Guidebook [Pittsburgh, PA: Carnegie Mellon
University, 1996], 23).
2.
Although the terminology varies slightly from the previous model, the
relationships are apparent, and either model can be applied wherever risk
management is used.
a)
Identify: Look for risks before they become problems.
b) Analyze: Convert the data gathered into information that can be used to
make decisions.
(1) Evaluate the impact, probability, and timeframe of the risks.
(2) Classify and prioritize each of the risks.
c)
Plan: Review and evaluate the risks and decide what actions to take to
mitigate them. Implement those mitigating actions.
d) Track: Monitor the risks and the mitigation plans.
(1) Trends may provide information to activate plans and
contingencies.
(2) Review periodically to measure progress and identify new risks.
e)
Control: Make corrections for deviations from the risk mitigation plans.
(1) Correct products and processes as required.
(2) Changes in business procedures may require adjustments in plans
or actions, as do faulty plans and risks that become problems.
V. Qualitatively Assessing Risk
A. To assess risk qualitatively, compare the impact of the threat with the
probability of occurrence.
B. In reality, there are usually a few threats that can be identified as presenting
high-risk exposure and a few threats that present low-risk exposure. The threats
that fall somewhere in-between tend to be those that need to be evaluated by
judgment and management experience.
C. Monitoring these areas for a period of time or collecting and analyzing more
data enable users to decide how to address these threats.
D. If the analysis is more complex, requiring three levels of analysis, such as low,
medium, high or green, yellow, red, there are nine possible combinations as
shown in Figure 20-4. The darkest boxes probably require action, the white
boxes may not require action, and the gray boxes require judgment or
monitoring. (In Figure 20-4, the first term in each box refers to the magnitude of
the impact, while the second term refers to the probability of the threat.)
Figure 20-1: Three levels of analysis
E. Other levels of complexity are also possible and the resulting matrices do not
have to be symmetrical.
1.
If the probability is assessed with three values (low, medium, high) and the
impact has five values (very low, low, medium, high, very high), the
analysis would be as shown in Figure 20-5.
Figure 20-5: A 3 by 5 level analysis
F.
Qualitative risk assessment can be adapted to a variety of attributes and
situations in combination with each other.
VI. Quantitatively Assessing Risk
A. Qualitative risk assessment relies on judgment and experience, while
quantitative risk assessment applies historical information and trends to attempt
to predict future performance.
1.
This type of risk assessment is dependent on the historical data, and
gathering such data can be difficult.
2.
Quantitative risk assessment may also rely on models that provide decisionmaking information in the form of quantitative metrics, which attempts to
measure risk levels across a common scale.
B. Key assumptions underlie any model, and different models will produce
different results even when given the same input data.
1.
Adding objectivity to a qualitative assessment
a)
Quantitative assessment can be as simple as assigning numeric values
to one of the tables shown in Figure 20-4 and Figure 20-5.
b) The impacts can be prioritized from highest to lowest and then
weighted with Business Impact weighted the most and Difficulty to Fix
weighted the least.
c)
Qualitative assessments can be made more objective by assigning a
value to each assessment that reflects, for example, the number of
unresolved critical issues.
d) The overall risk value can be calculated for each risk area by
multiplying the weights by assessed values and then summing the
products:
Risk = W1 * V1 + W2 * V2 + …W4 * V4
e)
The assessed areas can then be ordered from highest to lowest based on
the calculated risk value. This aids management to focus on the risk
areas with the greatest potential impact.
2.
A common objective approach
a)
More complex models permit a variety of analyses based on statistical
and mathematical models.
b) A common method is the calculation of the annualized loss expectancy
(ALE).
(1) This calculation begins by calculating single-loss expectancy
(SLE) using the following formula:
SLE = asset value * exposure factor
(2) The ALE is then calculated by multiplying the SLE by the number
of times the event is expected to occur in a year, which is called
the annualized rate of occurrence (ARO). ALE = SLE * ARO. For
example, if the event is expected to occur once in 20 years, then
the annualized rate of occurrence is 1/20.
(3) Typically, the ARO is defined by historical data, either from a
company's own experience or from industry surveys.
(4) The ALE determines a threshold for evaluating the cost/benefit
ratio of a given countermeasure.
VII. Qualitative versus Quantitative Risk Assessment
A. It is impossible to conduct risk management that is purely quantitative.
1.
Risk management includes both qualitative and quantitative elements,
requiring both analysis and judgment or experience.
2.
It is possible to accomplish purely qualitative risk management.
B. The decision of whether to use qualitative or quantitative risk management
depends on the criticality of the project, the resources available, and the
management style. The decision will be influenced by the degree to which the
fundamental risk management metrics, such as asset value, exposure factor, and
threat frequency can be quantitatively defined.
VIII.
Tools
A. The following tools can be used during the various phases of risk assessment to
add objectivity and structure to the process.
1.
Affinity grouping: A method of identifying related items and then
identifying the principle that ties them in a group.
2.
Baseline identification and analysis
a)
It is the process of establishing a baseline set of risks.
b) It produces a “snapshot” of all the identified risks at a given point in
time.
3.
Cause and effect analysis: Identifying relationships between a risk and the
factors that can cause it.
4.
Cost/benefit analysis: A straightforward method for comparing cost
estimates with the benefits of a mitigation strategy.
5.
Gantt charts: A management tool for diagramming schedules, events, and
activity duration.
6.
Interrelationship digraphs: A method for identifying cause-and-effect
relationships by clearly defining the problem to be solved, identifying the
key elements of the problem, and then describing the relationships between
each of the key elements.
7.
Pareto charts: A histogram that ranks the categories in a chart from most
frequent to least frequent, thus facilitating risk prioritization.
8.
PERT (program evaluation and review technique) charts: A diagram
depicting interdependencies between project activities, showing the
sequence and duration of each activity.
a)
When complete, the chart shows the time to complete the project and
the activities that determine that time (the critical path).
b) The earliest and latest start and stop times for each activity and the
available slack times can also be shown.
9.
Risk management plan: A comprehensive plan documenting how risks will
be managed on a given project.
a)
It contains processes, activities, milestones, organizations,
responsibilities, and details of each major risk management activity and
how it is to be accomplished.
b) It is an integral part of the project management plan.
Related documents
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role of
A. Explain the nature of marketing plans. B. Explain the role of
Testimony - American Security Project
Testimony - American Security Project
Overview of Database Security
Overview of Database Security
Sociological Research Methods
Sociological Research Methods
Asset Related Risk
Asset Related Risk
12/2 study guide ch 17 due
12/2 study guide ch 17 due
Chapter 1: Security Problems in Computing
Chapter 1: Security Problems in Computing
File
File
File - Cuda Sports Marketing
File - Cuda Sports Marketing
A Global Disease Needs a Global Response
A Global Disease Needs a Global Response
456-sp15-8-identifying-risk
456-sp15-8-identifying-risk