RISK
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).
In information systems, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization".
Risk factors
Risk factors are factors whose presence increases the probability of negative outcomes. Risk factors may include individual factors such as the size of the project, new software, or malicious employees. Some studies combine risk factors from various sources such as task, technology, or actors.
Risk in workplace
In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of the core of the business. Inherent risks have a negative effect on the operating profit of the business.
Types of risk
Project risk: projects that cannot be completed within budget, schedule and/or quality constraints.
Functionality risk: projects that fail to deliver functionality.
Political risk: systems that change power relationships with suppliers.
Security risk: systems that are insecure.
Causes of risk
Inadequate information quality.
Inadequate information accessibility.
Inadequate information presentation.
Inadequate information security.
Inadequate performance in terms of productivity, consistency, cycle time, activity rate, or other measures.
Causes
Bandwidth usage: the accidental or intentional use of communications bandwidth for purposes other than those intended.
Configuration error: an accidental configuration error during the initial installation or upgrade of hardware, software, communication equipment or the operational environment.
Acts of nature
All types of natural occurrences (e.g., earthquakes, hurricanes, tornadoes) that may damage or affect the system/application. Any of these potential threats could lead to a partial or total outage, thus affecting availability.
Accidental disclosure
Risk management
Risk management is the identification and assessment of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events, or to maximize the realization of opportunities.
PROCEDURE
Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget. Assigning a risk officer - a team member other than a project manager who is responsible for foreseeing potential project problems.
Maintaining live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance.
Creating anonymous risk reporting channel. Each team member should have the possibility to report risks that he/she foresees in the project.
Preparing mitigation plans for the risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what will be done, when, by whom and how, in order to avoid it or to minimize its consequences.
Making a summary of the plan used and the risks faced, the effectiveness of the mitigation activities, and the effort spent on risk management.
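As an added example (not part of these notes), a small implementation of the live risk database and plan summary described in the steps above; the probability x importance scoring and the Low/Medium/High cut-offs are assumptions made here, since the notes state no formula, and the sample risks are constructed from the risk factors and causes listed earlier.

```python
from dataclasses import dataclass
from datetime import date
# Qualitative scales for the two attributes the notes require on every risk.
# Scoring probability x importance and the Low/Medium/High cut-offs below are
# assumptions made for this example; the notes themselves give no formula.
SCALE = ("Low", "Medium", "High")
@dataclass
class Risk:
    opening_date: date
    title: str
    description: str
    probability: str      # one of SCALE
    importance: str       # one of SCALE
    mitigation: str = ""  # what, when, by whom and how; set once chosen for mitigation
    def __post_init__(self):
        for attr in ("probability", "importance"):
            if getattr(self, attr) not in SCALE:
                raise ValueError(f"{attr} must be one of {SCALE}")
    def score(self) -> int:
        # 1..3 on each axis, so the product is one of 1, 2, 3, 4, 6, 9
        return (SCALE.index(self.probability) + 1) * (SCALE.index(self.importance) + 1)
    def level(self) -> str:
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

class RiskDatabase:
    """Live project risk database; no reporter field, so reports can stay anonymous."""
    def __init__(self):
        self.risks: list[Risk] = []
    def report(self, risk: Risk) -> None:
        self.risks.append(risk)
    def ranked(self) -> list[Risk]:
        # Highest score first; the stable sort keeps the earlier-opened risk ahead on ties.
        return sorted(self.risks, key=lambda r: r.score(), reverse=True)
    def unmitigated_high(self) -> list[Risk]:
        return [r for r in self.ranked() if r.level() == "High" and not r.mitigation]
    def summary(self) -> dict:
        # The closing summary: risks faced per level and how many have a mitigation plan.
        counts = {lvl: sum(1 for r in self.risks if r.level() == lvl) for lvl in SCALE}
        return {"by_level": counts, "mitigated": sum(1 for r in self.risks if r.mitigation)}

def build_sample_db() -> RiskDatabase:
    # Constructed sample risks, drawn from the risk factors and causes listed in the notes.
    db = RiskDatabase()
    db.report(Risk(date(2024, 1, 8), "Untested new software component", "New parser library",
                   "Medium", "High", mitigation="Staged rollout behind a feature flag, owned by the risk officer"))
    db.report(Risk(date(2024, 1, 9), "Configuration error during upgrade", "Manual firewall upgrade", "High", "Medium"))
    db.report(Risk(date(2024, 1, 9), "Earthquake at hosting site", "Single data centre", "Low", "High"))
    db.report(Risk(date(2024, 1, 10), "Bandwidth used for other purposes", "Unmonitored uplink", "Medium", "Low"))
    return db
```

Calling `build_sample_db().unmitigated_high()` yields the risks the risk officer still owes a mitigation plan for, and `summary()` gives the figures for the closing summary step.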
Risk management methodologies
The NIST methodology consists of 8 steps:
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Impact Analysis
Step 6: Risk Determination
Step 7: Control Recommendations
Step 8: Results Documentation
OCTAVE
The Software Engineering Institute (SEI) at Carnegie Mellon University developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process. The main goal in developing OCTAVE is to help organizations improve their ability to manage and protect themselves from information security risks.
The outputs of the OCTAVE process are:
Protection Strategy
Mitigation Plan
Action List
FRAP
The Facilitated Risk Assessment Process (FRAP) is the creation of Thomas Peltier. It is based upon implementing risk management techniques in a highly cost-effective way. FRAP uses formal qualitative risk analysis methodologies using Impact Analysis, Threat Analysis and Questionnaires.
COBRA
The Consultative, Objective and Bi-functional Risk Analysis (COBRA) process was originally created by C & A Systems Security Ltd. in 1991. It takes the approach that risk assessment is a business issue rather than a technical issue. It consists of tools that can be purchased and then utilized to perform self-assessments of risk.
The primary knowledge bases are:
IT Security
Operational Risk
'Quick Risk' or 'high level risk'
e-Security
Risk Consultant can create reports and make recommendations by using these knowledge bases.
Risk Watch
Risk Watch is another tool that uses an expert knowledge database to walk the user through a risk assessment and provide reports on compliance as well as advice on managing the risks. Risk Watch includes statistical information to support quantitative risk assessment, allowing the user to show various strategies. Risk Watch has several products, each focused on different compliance needs.