Control Analysis-Information Security and Systems-Lecture Notes, Study notes of Information Systems

Information Security and Systems is one of the courses in the Computer Science major. It is connected to database systems, business and security. This lecture handout was provided by Dr. Anjli Gujral at Biyani Girls College. Its main points are: Control, Analysis, Likelihood, Determination, Vulnerability, Technical, Exercised, Reduced, Management

Typology: Study notes

2011/2012

Uploaded on 08/04/2012


Control Analysis

This phase includes an assessment of the controls already implemented or planned, the probability that they can be broken, and an assessment of the potential loss despite such controls existing. Controls are classified as non-technical controls (also called management controls) and technical controls (software and hardware controls). The output of this step is the set of current or planned controls for the IT system, used to measure the likelihood of a vulnerability being exercised and to reduce the impact of loss.

37.1 Likelihood Determination

This phase determines the likelihood that a potential vulnerability could be exercised by a given threat source. The following table defines the likelihood levels.

The inputs to this phase are:

  - Threat source motivation
  - Threat capacity
  - Nature of the vulnerability
  - Current controls

The output of this phase is a likelihood rating, used further in the risk assessment process.

37.2 Impact Analysis

This phase determines the adverse impact resulting from a successful exercise of a vulnerability by a threat. The following information is required before conducting an impact analysis.

  1. System mission, e.g. the processes performed by the IT system.
  2. System and data criticality, e.g. the system's value or importance to the organization.
  3. System and data sensitivity.

The information can be obtained from existing organizational documentation.

| Likelihood level | Likelihood definition |
| --- | --- |
| Low | The threat source lacks motivation or capability, or controls are in place to prevent or at least significantly impede the vulnerability from being exercised. |
| Medium | The threat source is motivated and capable, but controls are in place that may impede the successful exercise of the vulnerability. |
| High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |


Impact needs to be measured by defining certain levels, e.g. high, medium and low as qualitative categories, or by quantifying the impact using a probability distribution.

The inputs to this phase are:

  - Mission impact analysis
  - Asset criticality assessment
  - Data criticality
  - Data sensitivity

The output of this phase is an impact rating.

37.3 Risk Determination

The purpose of this step is to assess the level of risk to the IT system. The risk from a particular threat can be expressed as a function of

  1. The likelihood of a given threat-source’s attempting to exercise a given vulnerability (system flaw)
  2. The magnitude of the impact should a threat source successfully exercise a vulnerability
  3. The adequacy of planned or existing security controls for reducing or eliminating risk.

This phase also presumes that risk levels have been defined in order to classify the risks. This is largely a discretionary act on the part of management. Levels can be defined as high, medium and low, with probability ranges allocated to each. Risk levels are then compared with the ranges of impact.

Once the risk of loss has been determined using probability of occurrence and level of impact, such risk amounts may then be classified at the discretion of management.

  1. Risk scale Low if the loss is less than Rs. 1,000
  2. Risk scale Medium if the loss is more than Rs. 1,000 but less than Rs. 5,
  3. Risk scale High if the loss is more than Rs. 5,

The inputs to this phase are

  1. Likelihood of threat exploitation
  2. Magnitude of impact
  3. Adequacy of planned and current controls

Risk-level matrix (risk amount = threat likelihood x level of impact):

| Threat likelihood | Low impact (Rs. 10,000) | Medium impact (Rs. 50,000) | High impact (Rs. 100,000) |
| --- | --- | --- | --- |
| High (60%) | 6,000 | 30,000 | 60,000 |
| Medium (30%) | 3,000 | 15,000 | 30,000 |
| Low (10%) | 1,000 | 5,000 | 10,000 |
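The likelihood table and the risk matrix worked through in code, as an added example that is not part of the lecture notes: the 60/30/10 percent likelihood weights and the rupee impact levels follow the notes, while the risk-scale thresholds (Rs. 1,000 and Rs. 5,000) are assumed where the notes' text is truncated.

```python
# Added example (not from the lecture notes): likelihood determination from the
# likelihood table, then risk = likelihood x impact as in the risk matrix. The
# risk-scale thresholds (Rs. 1,000 / Rs. 5,000) are assumed (notes are truncated).
from dataclasses import dataclass

LIKELIHOOD = {"High": 0.60, "Medium": 0.30, "Low": 0.10}   # threat likelihood weights
IMPACT = {"High": 100_000, "Medium": 50_000, "Low": 10_000}  # level of impact, Rs.
RISK_SCALE = [(1_000, "Low"), (5_000, "Medium")]             # loss below bound -> label


@dataclass
class ThreatSource:
    motivated: bool           # threat-source motivation
    capable: bool             # threat capacity
    controls_effective: bool  # current controls impede the vulnerability


def likelihood_level(ts: ThreatSource) -> str:
    """Apply the likelihood-definition table: Low / Medium / High."""
    if not (ts.motivated and ts.capable):
        return "Low"       # lacks motivation or capability
    if ts.controls_effective:
        return "Medium"    # motivated and capable, but controls may impede
    return "High"          # motivated, capable, and controls are ineffective


def expected_loss(likelihood: str, impact: str) -> int:
    """Risk amount in Rs. = likelihood weight x level of impact."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact])


def risk_scale(loss: int) -> str:
    """Classify a risk amount on the (assumed) Low / Medium / High rupee scale."""
    for upper, label in RISK_SCALE:
        if loss < upper:
            return label
    return "High"


def risk_matrix() -> dict:
    """Rebuild the notes' matrix as {(likelihood, impact): loss in Rs.}."""
    return {(lk, im): expected_loss(lk, im) for lk in LIKELIHOOD for im in IMPACT}

if __name__ == "__main__":
    ts = ThreatSource(motivated=True, capable=True, controls_effective=False)
    level = likelihood_level(ts)                  # "High"
    loss = expected_loss(level, "Medium")         # 30000
    print(level, loss, risk_scale(loss))          # High 30000 High
```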
