BIT361 Security Management and Governance Assignment
Subject Code: BIT361
University: Melbourne Polytechnic
Country: Australia
BIT361 Security Management and Governance
Risk Management Worksheets
Contents
The Information Asset Register
Classifying and Categorizing Assets
Threat, Vulnerability, Asset (TVA) Table (Short Version)
Threat, Vulnerability, Asset (TVA) Table (Long Version)
Common Terms and Formulas in Risk Management
The Information Asset Register
This step should be done without prejudging the value of each asset; values will be assigned later in the process.
ID No. | Information Asset Name | Asset Type (People, Process, Network, Hardware, Software) | Data Classification (Secret, Confidential, Private, Public) | Department | Location | Retention | Threats?
Eg. (0) | Web Server | Hardware | Private | Marketing | Head office | Secure disposal | DDoS; hardware failure
1 | | | | | | |
2 | | | | | | |
3 | | | | | | |
4 | | | | | | |
5 | | | | | | |
6 | | | | | | |
7 | | | | | | |
8 | | | | | | |
 | | | | | | |
 | | | | | | |
 | | | | | | |
 | | | | | | |
 | | | | | | |
 | | | | | | |
Threats
A list like the one below should be created for each information asset to document its vulnerability to each possible or likely attack.
Asset Name: ________________________ eg (Webserver)   Date Evaluated: ________________________   Evaluated By: __________________________
Threat | Possible Vulnerability
Software Attacks | The server's public IP address is exposed to distributed denial-of-service (DDoS) attacks. Outsider IP fingerprinting activities (port and service scanning) can reveal sensitive information about the host unless suitable controls are implemented.
Classifying and Categorizing Assets
Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization's risk management program.
System Name: ________________________   Date Evaluated: ________________________   Evaluated By: __________________________
Information Assets | Data Classification | Impact to Profitability
Classification 1: | |
Classification 2: | |
Classification 3: | |
Notes:
Listing Assets in Order of Importance: The Asset Priority Table (Weighted Factor Analysis Worksheet)
Table 1: Asset Priority Table (Weighted Factor Analysis Worksheet)
Information Assets | Criterion 1: Impact on __________ | Criterion 2: Impact on __________ | Criterion 3: Impact on __________ | Weighted Score
Criterion weight (1-100); must total 100 | | | |
(Asset 1) | | | |
(Asset 2) | | | |
(Asset 3) | | | |
(Asset 4) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
(Asset ..) | | | |
The Weighted Score for an asset is the sum over the criteria of (criterion weight x the asset's rating on that criterion); assets are then listed from highest to lowest score.
Threat, Vulnerability, Asset (TVA) Table (Short Version)
Table 2: Threat, Vulnerability, Asset (TVA) Table (Short Version)
Threats (rows) / Assets (columns) | Asset 1 Name ___________ | Asset 2 Name ___________ | Asset 3 Name ___________ | Asset 4 Name ___________
Threat 1 ________________ | | | |
Threat 2 ________________ | | | |
Threat 3 ________________ | | | |
Threat 4 ________________ | | | |
Threat ______________ | | | |
Threat ______________ | | | |
Threat, Vulnerability, Asset (TVA) Table (Long Version)
Table 2: Threat, Vulnerability, Asset (TVA) Table (Long Version)
Threats (rows) / Assets (columns) | Asset 1 Name ___________ | Asset 2 Name ___________ | Asset 3 Name ___________ | Asset 4 Name ___________
Threat 1 ________________ | | | |
Threat 2 ________________ | | | |
Threat 3 ________________ | | | |
Threat 4 ________________ | | | |
Threat ______________ | | | |
Threat ______________ | | | |
Threat ______________ | | | |
Threat ______________ | | | |
 | | | |
 | | | |
Notes:
Priority Risk Table
Table 3: Risk
Asset | Threat | Vulnerability | Vulnerability Likelihood | Impact | Priority
Common Terms and Formulas in Risk Management
Definitions
Term | Definition
Annual Cost of the Safeguard (ACS) | Annual cost of the safeguard (control), covering its implementation and ongoing maintenance.
Annualised Loss Expectancy (ALE) | A comparative estimate of the losses from successful attacks on an asset over one year: the single loss (SLE) multiplied by how often it is expected per year (ARO).
ALE (pre-control) | ALE of the risk before the implementation of the control.
ALE (post-control) | ALE of the risk with the control in place: estimated before implementation for the cost-benefit analysis, and re-examined after the control has been in place for a period of time.
Annualised Rate of Occurrence (ARO) | How often a specific type of attack is expected to occur in one year; may exceed 1 (several times a year) or be a fraction (e.g. 0.1 for once every ten years).
Asset Value (AV) | Financial value or worth of each information asset.
Cost-Benefit Analysis (CBA) | Determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control.
Exposure Factor (EF) | The percentage of the asset's value that would be lost if a given vulnerability were exploited.
Likelihood | The probability that a specific vulnerability will be exploited.
Single Loss Expectancy (SLE) | The calculated value of the most likely loss from a single occurrence of a specific attack: asset value multiplied by exposure factor.
Formulas
ALE = Single Loss Expectancy (SLE) x Annualised Rate of Occurrence (ARO)
SLE = Asset Value (AV) x Exposure Factor (EF)
CBA = ALE (pre-control) - ALE (post-control) - ACS
A positive CBA means the control reduces annual expected loss by more than it costs each year and is cost-justified; a negative CBA means the control costs more than it saves.
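The three quantitative steps above (the Weighted Factor Analysis in Table 1, the Priority Risk table in Table 3, and the SLE / ALE / CBA formulas) are left blank in the worksheets. The following is an added example, not part of the original worksheet, showing them carried through in Python with validation of the constraints the worksheets state (weights between 1 and 100 summing to 100, EF as a fraction of asset value). The asset names, criterion weights, ratings, dollar values, ARO figures and the `Risk` dataclass are constructed sample data for illustration; the negative-CBA case shows a control that should be rejected.

```python
"""Risk-management worksheet calculator (added example; all figures are constructed).

Covers: Table 1 Weighted Factor Analysis, Table 3 Priority Risk table, and the
formulas SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(pre) - ALE(post) - ACS.
"""
from dataclasses import dataclass


# ---------- Table 1: Weighted Factor Analysis ----------

def validate_weights(weights: dict[str, int]) -> None:
    """Each criterion weight must be in 1..100 and the weights must total exactly 100."""
    bad = [c for c, w in weights.items() if not 1 <= w <= 100]
    if bad:
        raise ValueError(f"criterion weight outside 1-100: {bad}")
    if sum(weights.values()) != 100:
        raise ValueError(f"criterion weights must total 100, got {sum(weights.values())}")


def weighted_scores(weights: dict[str, int],
                    impacts: dict[str, dict[str, float]]) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, highest priority first.

    impacts[asset][criterion] is the asset's rating on that criterion as a fraction
    0.0-1.0; weighted score = sum(weight * rating), so the maximum score is 100.
    """
    validate_weights(weights)
    rows = []
    for asset, rating in impacts.items():
        missing = sorted(set(weights) - set(rating))
        if missing:
            raise ValueError(f"{asset}: no rating for criteria {missing}")
        bad = [c for c in weights if not 0.0 <= rating[c] <= 1.0]
        if bad:
            raise ValueError(f"{asset}: rating outside 0.0-1.0 for {bad}")
        rows.append((asset, round(sum(weights[c] * rating[c] for c in weights), 2)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# ---------- Table 3: Priority Risk table ----------

@dataclass(frozen=True)
class Risk:  # hypothetical row type for the Priority Risk table
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # probability (0.0-1.0) that the vulnerability is exploited
    impact: float      # impact rating on a 0-100 scale

    @property
    def priority(self) -> float:
        return round(self.likelihood * self.impact, 2)


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Order TVA pairs for treatment: highest likelihood x impact first."""
    return sorted(risks, key=lambda r: r.priority, reverse=True)


# ---------- Formulas: SLE, ALE, CBA ----------

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF; EF is the fraction of asset value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, aro: float) -> float:
    """Annualised Loss Expectancy = SLE x ARO; ARO may be above 1 or a small fraction."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(single_loss * aro, 2)


def cba(ale_pre: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS. Negative means reject."""
    return round(ale_pre - ale_post - acs, 2)


def worked_example() -> dict:
    """Run all three steps on constructed sample data and return the results."""
    weights = {"revenue": 50, "profitability": 30, "public image": 20}  # totals 100
    impacts = {
        "Web Server":        {"revenue": 0.8, "profitability": 0.9, "public image": 0.6},
        "Customer database": {"revenue": 1.0, "profitability": 0.9, "public image": 1.0},
        "Marketing laptops": {"revenue": 0.2, "profitability": 0.3, "public image": 0.4},
    }
    priority_table = weighted_scores(weights, impacts)

    risks = rank_risks([
        Risk("Web Server", "DDoS", "no upstream rate limiting", likelihood=0.7, impact=80),
        Risk("Web Server", "Hardware failure", "single power supply, no spare", 0.3, 60),
        Risk("Marketing laptops", "Theft", "no full-disk encryption", 0.5, 30),
    ])

    # Web server AV $50,000; a DDoS costing 30% of its value, twice a year (constructed).
    ale_pre = ale(sle(50_000, 0.30), aro=2.0)
    # Candidate control: scrubbing service cuts EF to 10% and ARO to once in four years.
    ale_post = ale(sle(50_000, 0.10), aro=0.25)
    return {
        "priority_table": priority_table,
        "top_risk": risks[0],
        "ale_pre": ale_pre,
        "ale_post": ale_post,
        "cba_cheap": cba(ale_pre, ale_post, acs=12_000),   # positive: justified
        "cba_costly": cba(ale_pre, ale_post, acs=40_000),  # negative: reject
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Ratings are kept as fractions of 1.0 so that a weight total of 100 makes the weighted score directly comparable across assets; if a department scores criteria on another scale, normalise before calling `weighted_scores`. The same `sle`/`ale` helpers are reused for the pre- and post-control ALE so that a control can be modelled as reducing EF, ARO or both.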