Monday, June 20, 2016

Security and Risk Management - Some basic terms

  1. Risk is the probability of a threat agent exploiting a vulnerability.
  2. Threat is the danger of a threat agent exploiting a vulnerability.
  3. Data Classification is a way of putting information under named categories (mostly done by the Data Owner) based on its worth and the loss involved if it is wiped out, leaked, or edited by an unauthorized person. Ultimately, based on the category the information falls under, the Data Custodian may choose different controls, spend more or less to keep the data safe, and destroy it safely when it is no longer needed.
  4. AV (Asset Value) is the dollar worth of the entity under risk of exposure to a threat, as used in quantitative risk analysis.
  5. EF (Exposure Factor) is the percentage of the asset value that a single exposure may destroy.
  6. SLE (Single Loss Expectancy) defines how much money an organization will probably lose when an exposure happens once. Under quantitative risk analysis, the Asset Value is multiplied by the Exposure Factor to get the SLE. Say I have a laptop (asset) worth $200 (asset value), and my son (threat agent) finds the laptop left on the table (not closing it and locking it away is the vulnerability) and throws water on it (threat). Based on previous experience, I know it costs $100 to replace the damaged parts, so the EF (Exposure Factor) is 100/200 (= 0.5). So the next time I don't use the cupboard (physical control) to lock the laptop away, there is a risk of my son (threat agent) throwing water on it (exploiting the vulnerability), and the SLE will be $200 (AV) * 0.5 (EF) = $100 (SLE), the cost of a single repair. The EF is the uncertain part here: next time the threat agent may have more water in his glass.
  7. ARO (Annualized Rate of Occurrence) defines the probable yearly frequency of exposure. Under quantitative risk analysis, this is multiplied by the SLE (Single Loss Expectancy) to get the ALE (Annual Loss Expectancy). Say, if the ARO is 5, the exposure may happen five times in a year; if the ARO is 0.5, the threat agent may be successful once in two years.
  8. Policy is a version-controlled and dated set of principles and concise, unambiguous statements formulated to ensure compliance with industry standards, to define the behavior and activities of subjects, or simply to inform the subjects, thereby acting as an enabler for achieving business objectives. It should clearly document the consequences of noncompliance with the policy.
  9. SLA (Service Level Agreement), as discussed under CobiT > Deliver & Support > Define service levels, is a ‘formal’ (or ‘legal and formal’) agreement between customer and vendor in which the essential properties of a service are defined, including the ways to measure and report deviations, and the corresponding ownership is agreed upon. The customer and vendor could also be two departments of the same organization. Depending on what type of service is being formally documented, an SLA could include the mandatory level of availability, response times to issues by category, reporting of planned downtime, who is responsible for what, who takes up ‘unforeseen things not documented here’, and so on.
  10. CobiT (Control Objectives for Information and Related Technology) is a business-focused, process-oriented, controls-based and measurement-driven IT (Information Technology) governance framework developed and promoted by ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute) for IT management, targeting the needs of internal and external stakeholders across the enterprise.
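The quantitative risk analysis terms from items 4 to 7 (AV, EF, SLE, ARO, ALE) as an added worked example, not code from the original post: the laptop figures are the ones given above, the second "lost or stolen" scenario is constructed, and the ranking and total functions go a little beyond the post by showing how several threat scenarios against the same asset are compared.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class ThreatScenario:
    """One threat agent / vulnerability pairing against one asset, in the page's terms."""
    asset: str
    threat: str
    asset_value: float        # AV: dollar worth of the asset
    loss_per_exposure: float  # dollar cost of one exposure (e.g. the repair bill)
    aro: float                # ARO: expected exposures per year; 0.5 means once in two years

    def __post_init__(self) -> None:
        if self.asset_value <= 0:
            raise ValueError("asset value must be positive")
        if not 0 <= self.loss_per_exposure <= self.asset_value:
            # EF is a fraction of AV, so one exposure cannot lose more than the asset is worth
            raise ValueError("loss per exposure must lie between 0 and the asset value")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def exposure_factor(self) -> float:
        """EF = loss of one exposure / AV (the page's 100/200 = 0.5)."""
        return self.loss_per_exposure / self.asset_value

    def sle(self) -> float:
        """SLE = AV * EF, the expected cost of a single exposure."""
        return self.asset_value * self.exposure_factor()

    def ale(self) -> float:
        """ALE = SLE * ARO, the expected yearly loss from this scenario."""
        return self.sle() * self.aro


def rank_by_ale(scenarios: Iterable[ThreatScenario]) -> List[ThreatScenario]:
    """Highest ALE first: the usual order for deciding where control spending goes."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def total_ale(scenarios: Iterable[ThreatScenario]) -> float:
    """Sum of the per-scenario ALEs for one asset (scenarios treated as independent)."""
    return sum(s.ale() for s in scenarios)


# Constructed sample data: the page's laptop example plus a second, made-up scenario.
LAPTOP_SCENARIOS = [
    ThreatScenario("laptop", "son throws water on it", asset_value=200, loss_per_exposure=100, aro=0.5),
    ThreatScenario("laptop", "lost or stolen (constructed)", asset_value=200, loss_per_exposure=200, aro=0.1),
]
```

With these inputs the water scenario gives SLE $100 and ALE $50, the theft scenario SLE $200 and ALE $20, so the water spill ranks first and the laptop's total ALE is $70 per year.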

