1. threats to its assets
2. vulnerabilities present in the environment
3. the likelihood of a threat
4. the impact of an exposure
5. countermeasures available
6. the residual risk

Various methodologies:
1. COSO (5 areas of internal control)
2. ITIL (34 books to improve IT service management)
3. COBIT (examines the effectiveness, efficiency, confidentiality, integrity, compliance and reliability aspects of high-level control objectives) and integrates the following frameworks:
   a. COBIT 4.1
   b. Val IT 2.0
   c. Risk IT
   d. IT Assurance Framework (ITAF)
   e. Business Model for Information Security (BMIS)

NIST SP 800-30 (process):
1. system characterisation
2. vulnerability identification
3. threat identification
4. countermeasure identification
5. likelihood determination
6. impact determination
7. risk determination
8. additional countermeasure recommendations
9. document results

ISO 27000 (main areas):
1. information security policy
2. organising information security
3. asset management
4. human resources security
5. physical and environmental security
6. communications and operations management
7. access control
8. information systems acquisition, development and maintenance
9. information security incident management
10. business continuity management
11. compliance

OCTAVE:
This is defined as a situation where people from an organisation manage and direct an information security risk evaluation for their own organisation. OCTAVE is structured as a set of principles, attributes and outputs:
o principles, e.g. self-direction
o attributes, e.g. distinctive qualities or characteristics
o outputs, e.g. the required outputs or results of each phase of the evaluation

Countermeasure control examples:
o accountability
o auditability
o trusted source
o independence
o consistently applied
o cost effective
o reliable
o ease of use
o automation
o sustainable
o secure
o protects the CIA of assets
o can be backed out in the event of an issue
o creates no additional operational issues
o leaves no residual data