IT Examiner School

Performing Risk Analysis

The process used to identify and understand risks to confidentiality, integrity, and availability.

• Requires:
  1. Identifying assets
  2. Identifying vulnerabilities
  3. Identifying threats
  4. Determining risks, risk treatment, monitor & manage
• Evaluate cost of safeguards vs. cost of loss
• Cost of loss is the guide for the security budget
• If the annualized cost of safeguards is greater than the cost of loss, it is not worth it. Perhaps better to:
  • Accept the risk
  • Transfer the risk (insurance)
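The cost-benefit rule above applied to a small risk register, as an added example that is not part of the slide deck: the single loss expectancy (SLE) and annualized rate of occurrence (ARO) terms, the insurance premium field and all figures are assumptions introduced to make "annualized cost of loss" concrete.

```python
# Added example (not from the slides): compare the annualized cost of a
# safeguard with the annualized cost of loss over a constructed risk register.
# SLE/ARO and the insurance premium are assumed terms, not taken from the page.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    asset: str
    threat: str
    sle: float                      # single loss expectancy: cost of one occurrence
    aro: float                      # annualized rate of occurrence (events per year)
    safeguard_cost: float           # annualized cost of the proposed control
    insurance_premium: Optional[float] = None  # annual premium if transferable

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Annualized cost of loss: expected loss per year without the safeguard."""
    return sle * aro

def choose_treatment(risk: Risk) -> str:
    """Return 'mitigate', 'transfer' or 'accept' following the slide's rule."""
    ale = annualized_loss_expectancy(risk.sle, risk.aro)
    # The safeguard is worth it only if it costs less per year than the expected loss.
    if risk.safeguard_cost < ale:
        return "mitigate"
    # Otherwise transfer the risk if insurance is available and cheaper than the loss.
    if risk.insurance_premium is not None and risk.insurance_premium < ale:
        return "transfer"
    return "accept"

def security_budget(register: list) -> float:
    """Sum of ALEs: the slide's 'cost of loss is the guide for the security budget'."""
    return sum(annualized_loss_expectancy(r.sle, r.aro) for r in register)

# Constructed sample register (illustrative figures only)
REGISTER = [
    Risk("core banking server", "ransomware", 500_000, 0.2, 40_000, 150_000),
    Risk("branch laptop", "theft", 3_000, 2.0, 9_000, 1_500),
    Risk("lobby signage PC", "defacement", 800, 0.5, 2_000),
]

def evaluate(register=REGISTER) -> dict:
    """Map each asset to its chosen treatment."""
    return {r.asset: choose_treatment(r) for r in register}

if __name__ == "__main__":
    for asset, decision in evaluate().items():
        print(f"{asset}: {decision}")
    print(f"Total annualized cost of loss: {security_budget(REGISTER):,.0f}")
```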


Risk Treatment (Controls)

Physical controls
• “I am physically securing the asset…”
• Doors, locks, keys, fences

Administrative controls
• “I am telling you…”
• Policies
  • Security
  • Acceptable use
• Staff screening and training

Technical controls
• “I am implementing technology to control…”
• Firewalls and intrusion detection/prevention systems
• Authentication systems

