Risk Management

Risk Management Acknowledgments Material is sourced from: CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission. All-in-One


Acknowledgments
Material is sourced from: CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission. All-in-One CISSP Exam Guide, 4th Ed. / Shon Harris, McGraw Hill, 2008

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside

Reviewers/Contributors: Todd Burri, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.


Objectives

Students should be able to:
• Define risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accept residual risk
• Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference
• Describe threat types: natural, unintentional, intentional, intentional (non-physical)
• Define threat agent types: hacker/crackers, criminals, terrorists, industry spies, insiders
• Describe risk analysis strategies: qualitative, quantitative
• Define vulnerability, SLE, ARO, ALE, due diligence, due care


How Much to Invest in Security?

How much is too much?
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security

How much is too little?
• Hacker attack
• Internal Fraud
• Loss of Confidentiality
• Stolen data
• Loss of Reputation
• Loss of Business
• Penalties
• Legal liability
• Theft & Misappropriation

Security is a Balancing Act between Security Costs & Losses


Risk Management

Internal Factors: Culture, Corporate History, Management's Risk Tolerance, Organizational Maturity, Structure
External Factors: Regulation, Industry

Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with


Risk Appetite

• Do you operate your computer with or without antivirus software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from friends or follow questionable web links?
• Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

Companies too have risk appetites, decided after evaluating risk


Risk Management Process


Continuous Risk Mgmt Process

Cycle, with Risk Appetite at the center: Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks

• Risks change with time as business & environment changes
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks


Security Evaluation: Risk Assessment

Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement; Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept Risk; Risk Leverage = [(Risk exposure before reduction) – (Risk exposure after reduction)] / (Cost of risk reduction)


Step 1: Determine Value of Assets

Identify & Determine Value of Assets (Crown Jewels). Assets include:
• IT-Related: Information/data, hardware, software, services, documents, personnel
• Other: Buildings, inventory, cash, reputation, sales opportunities

Questions to ask:
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were compromised?

Helpful websites: www.attrition.org


Determine Cost of Assets

Sales | Risk
Product A | Replacement Cost = ; Cost of loss of integrity = ; Cost of loss of availability = ; Cost of loss of confidentiality =
Product B | Replacement Cost = ; Cost of loss of integrity = ; Cost of loss of availability = ; Cost of loss of confidentiality =
Product C | Replacement Cost = ; Cost of loss of integrity = ; Cost of loss of availability = ; Cost of loss of confidentiality =

Costs: Tangible in $; Intangible as High/Med/Low


Matrix of Loss Scenario (taken from CISM Exhibit 2.16)

Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K


Step 1: Determine Value of Assets

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Registration Server | $10,000 | Breach Not. Law = $520,000; Registration loss per day = $16,000; Forensic help = $100,000 | Affects: Confidentiality, Availability. Conf => Breach Notification Law => Possible FERPA Violation => Forensic Help. Availability => Loss of Registrations
Grades Server | $10,000 | Lawsuit = $1 million; FERPA = $1 million; Forensic help = $100,000 | Affects: Confidentiality, Integrity. Integrity => Student Lawsuit; Confidentiality => FERPA violation; Both => Forensic help
Student(s) and/or Instructor(s) | $2,000 per student (tuition); $8,000 per instructor (for replacement) | Lawsuit = $1 Million; Investigation costs = $100,000; Reputation = $400,000 | (E.g.,) School Shooting: Availability (of persons' lives). Issues may arise if we should have removed a potentially harmful student, or did not act fast.

Workbook


Data breach cost – total

Category / Breach Type | Avg. cost per compromised record
Malicious or criminal attack (44% of breaches) | $246
Employee error (31% of breaches) | $171
System glitch (25% of breaches) | $160
Average | $201

Data breach cost – components

Component | Avg. cost per compromised record
Indirect costs: Internal employee time and abnormal churn of customers | $134
External expenses: forensic expertise, legal advice, victim identity protection services | $67

Statistics from Ponemon Data Breach Study 2014, sponsored by IBM


More 2014 Ponemon Statistics

Industry | Prob. of Breach | Cost per record ($) | Churn rate (%)
Communications | 15.6% | 219 | 1.2
Consumer | 19.9% | 196 | 2.6
Education | 21.1% | 254 | 2.0
Energy | 7.5% | 237 | 4.0
Financial | 17.1% | 236 | 7.1
Health care | 19.2% | 316 | 5.3
Hospitality | 19.5% | 93 | 2.9
Industry | 9.0% | 204 | 3.6
Media | 19.7% | 183 | 1.9
Pharmaceutical | 16.9% | 209 | 3.8
Public sector | 23.8% | 172 | 0.1
Research | 11.5% | 73 | 0.7
Retail | 22.7% | 125 | 1.4
Services | 19.8% | 223 | 4.2
Technology | 18.9% | 181 | 6.3
Transportation | 13.5% | 286 | 5.5


Consequential Financial Loss Calculations

Consequential Financial Loss | Total | Loss Calculations or Notes
Lost business for one day (1D) | 1D = $16,000 | Registration = $0-500,000 per day in income (avg. $16,000)
Breach not. law | $752,000 | Breach Not. Law Mailings = $188 x 4000 Students = $752,000
Lawsuit | $1 Million | Student lawsuit may result as a liability.
Forensic Help | $100,000 | Professional forensic/security help will be necessary to investigate extent of attack and rid system of hacker
FERPA | $1 Million | Violation of FERPA regulation can lead to loss of government aid, assumes negligence.


Step 2: Determine Loss Due to Threats

Physical Threats
• Natural: Flood, fire, cyclones, hail/snow, plagues and earthquakes
• Unintentional: Fire, water, building damage/collapse, loss of utility services and equipment failure
• Intentional: Fire, water, theft and vandalism

Human Threats
• Ethical/Criminal: Fraud, espionage, hacking, social engineering, identity theft, malware, vandalism, denial of service
• External Environmental: industry competition, contract failure, or changes in market, politics, regulation or tech.
• Internal: management error, IT complexity, organization immaturity, accidental data loss, mistakes, software defects, incompetence and poor risk evaluation


Threat Agent Types

Threat Agent | Motivation | Threat Actions
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists/Hostile Intel. Service | Spying/destruction/revenge/extortion | DOS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse


Step 2: Determine Threats Due to Vulnerabilities

System Vulnerabilities
• Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
• Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
• Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
• Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy


Step 3: Estimate Likelihood of Exploitation

Best sources:
• Past experience
• National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes

If no good numbers emerge, estimates can be used, if management is notified of guesswork


Category | Specific Threats | Small-Medium Org. | Large Businesses
Who: Internal Incidents (14%) | Cashier, waiter, bank teller (financial) | 60% | 14%
Who: Internal Incidents (14%) | End user (mix: finance and espionage) | 13% | 24%
Who: Internal Incidents (14%) | System admin (mainly espionage) | 4% | 31%
Who: External Incidents (92%) | Organized crime (financial) | 57% | 49%
Who: External Incidents (92%) | State-affiliated (espionage) | 20% | 24%
Who: External Incidents (92%) | Activist, Former Employee | <3% | <2%
Malware (40%) | Spyware (keystroke loggers, form grabbers) | 86% | 55%
Malware (40%) | Backdoor (secret computer access) | 51% | 82%
Malware (40%) | Stealing data (mainly for spying) | 54% | 73%
Hacking (52%) | Password copying or guessing | 88% | 74%
Hacking (52%) | Remote control (botnet, backdoor) | 36% | 62%
Social (29%) | Phishing (email 79%, in person 13%) | 71% | 82%
Misuse (13%) | Privilege Abuse | 43% | 87%
Misuse (13%) | Unapproved hardware | 52% | 22%
Misuse (13%) | Embezzlement | 54% | 4%
Physical (35%) | Tampering (ATM, PoS device) | 74% | 95%
Error (2%) | Misconfigurations (violations of policy) | Not avail. | Not avail.
Error (67%) (VERIS Study) | Media confidentiality (loss of media) (29%), user confidentiality (20%), user availability (18%) | Not avail. | Not avail.


Step 4: Compute Expected Loss: Risk Analysis Strategies

• Qualitative: Prioritizes risks so that highest risks can be addressed first. Based on judgment, intuition, and experience. May factor in reputation, goodwill, nontangibles
• Quantitative: Measures approximate cost of impact in financial terms
• Semiquantitative: Combination of Qualitative & Quantitative techniques


Step 4: Compute Loss Using Qualitative Analysis

Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share, share value
• When there is insufficient information to perform a more quantified analysis


Vulnerability Assessment Quadrant Map

(Diagram: axes are Threat (Probability) and Vulnerability (Severity). Items placed on the map: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder.)

Workbook


Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company

Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis

Risk = Impact * Likelihood


SemiQuantitative Impact Matrix

(Matrix: rows are Impact: Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1); columns are Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5). Each cell is rated LOW, MEDIUM, HIGH or SEVERE, rising toward the high-impact, high-likelihood corner.)
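The Impact and Likelihood scales above, scored and multiplied as the deck's Risk = Impact * Likelihood, as an added worked example that is not part of the slides. The $ and year thresholds come from the slides; the LOW/MEDIUM/HIGH/SEVERE bands, the rule that a never-observed threat is Rare, and the sample scenarios are assumptions made for this example.

```python
"""Semi-quantitative risk scoring using the deck's Impact and Likelihood scales.

Added worked example, not code from the slides. Impact thresholds (< $1M Minor,
> $1M Major, > $200M Material, company failure Catastrophic) and Likelihood
rules (last year = Likely, within 5 years = Moderate, not in 5 years = Unlikely,
regular = Frequent) follow the slides. Assumptions made here: a threat never
observed is Rare (1); exactly $200M is still Major; and the score-to-band
thresholds in rating(), which the deck's matrix shows only as colours.
"""
from dataclasses import dataclass
from typing import Optional

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_score(loss_dollars: float, company_threatening: bool = False) -> int:
    """Map an estimated loss to the deck's 1-5 Impact scale."""
    if company_threatening:          # failure or downsizing of the company
        return 5
    if loss_dollars <= 0:            # no meaningful impact
        return 1
    if loss_dollars < 1_000_000:     # impacts a small part of the business
        return 2
    if loss_dollars <= 200_000_000:  # impacts company brand
        return 3
    return 4                         # requires external reporting


def likelihood_score(years_since_last: Optional[float], regular: bool = False) -> int:
    """Map observed history to the deck's 1-5 Likelihood scale.

    years_since_last is None when the threat has never been seen (assumed Rare).
    """
    if regular:
        return 5
    if years_since_last is None:
        return 1
    if years_since_last < 1:
        return 4
    if years_since_last <= 5:
        return 3
    return 2


def rating(score: int) -> str:
    """Band for an Impact x Likelihood product (1..25). Thresholds are an assumption."""
    if score >= 15:
        return "SEVERE"
    if score >= 8:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


@dataclass
class Scenario:
    name: str
    loss_dollars: float
    years_since_last: Optional[float]
    regular: bool = False
    company_threatening: bool = False

    def assess(self) -> dict:
        i = impact_score(self.loss_dollars, self.company_threatening)
        l = likelihood_score(self.years_since_last, self.regular)
        return {"name": self.name, "impact": i, "likelihood": l,
                "risk": i * l, "rating": rating(i * l)}


def prioritise(scenarios) -> list:
    """Highest risk first: the deck's stated purpose of qualitative analysis."""
    return sorted((s.assess() for s in scenarios), key=lambda r: r["risk"], reverse=True)


def matrix() -> dict:
    """The 5x5 Impact x Likelihood matrix, (impact, likelihood) -> band."""
    return {(i, l): rating(i * l) for i in range(1, 6) for l in range(1, 6)}


# Constructed scenarios with illustrative figures (not from the deck).
SAMPLE = [
    Scenario("Malware outbreak on staff PCs", 40_000, years_since_last=0.3),
    Scenario("Grades server breach (lawsuit + FERPA)", 2_100_000, years_since_last=3),
    Scenario("Fire destroys data centre", 5_000_000, years_since_last=None, company_threatening=True),
    Scenario("Phishing of individual accounts", 5_000, years_since_last=0, regular=True),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(f'{r["name"]:42} I={r["impact"]} L={r["likelihood"]} '
              f'risk={r["risk"]:2} {r["rating"]}')
```

Because the bands are a product, a company-threatening but never-seen fire (5 x 1) ranks below routine phishing (2 x 5) here; that is the behaviour to sanity-check before adopting any matrix of this kind.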


Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
• E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data. Assumes no liability
• SLE = Asset Value (AV) x Exposure Factor (EF). With Stolen Laptop, EF > 1.0

Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
• If a fire occurs once every 25 years, ARO = 1/25

Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
• ALE = SLE x ARO


Risk Assessment Using Quantitative Analysis

Quantitative: Cost of HIPAA accident with insufficient protections
SLE = $50K + (1 year in jail:) $100K = $150K, plus loss of reputation…
Estimate of Time = 10 years or less, so ARO = 0.1
Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K


Annualized Loss Expectancy

Years between losses \ Asset Value | $1K | $10K | $100K | $1M
1 Yr | 1K | 10K | 100K | 1000K
5 Yrs | 200 | 2K | 20K | 200K
10 Yrs | 100 | 1K | 10K | 100K
20 Yrs | 50 | 1K | 5K | 50K

Asset Costs $10K, Risk of Loss 20% per Year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss


Quantitative Risk

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Registration Server | System or Disk Failure | System failure: $10,000; Registration x 2 days: $32,000 | 0.2 (5 years) | $8,400
Registration Server | Hacker penetration | Breach Not. Law: $752,000; Forensic help: $100,000; Registration x 2 days: $32,000 | 0.20 (5 years) | $884,000 x 0.2 = $176,800
Grades Server | Hacker penetration | Lawsuit: $1 million; FERPA: $1 million; Forensic help: $100,000; Loss of Reputation = $10,000 | 0.05 (20 years) | $2,110,000 x 0.05 = $105,500

Workbook


Step 5: Treat Risk

• Risk Acceptance: Handle attack when necessary. E.g.: Comet hits. Ignore risk if risk exposure is negligible
• Risk Avoidance: Stop doing risky behavior. E.g.: Do not use Social Security Numbers
• Risk Mitigation: Implement control to minimize vulnerability. E.g.: Purchase & configure a firewall
• Risk Transference: Pay someone to assume risk for you. E.g.: Buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot
• Risk Planning: Implement a set of controls


NIST Risk Assessment Methodology

Input | Activity | Output
Hardware, software | System Characterization | System boundary; System functions; System/data criticality; System/data sensitivity
Company history; Intelligence agency data: NIPC, OIG | Identify Threats | List of threats & vulnerabilities
Audit & test results | Identify Vulnerabilities | List of threats & vulnerabilities
Current and Planned Controls | Analyze Controls | List of current & planned controls
Threat motivation/capacity | Determine Likelihood | Likelihood Rating
Business Impact Analysis; Data Criticality & Sensitivity analysis | Analyze Impact | Impact Rating
Likelihood of threat exploitation; Magnitude of impact; Plan for risk | Determine Risk | Documented Risks
(outputs of the steps above) | Recommend Controls | Recommended Controls
(outputs of the steps above) | Document Results | Risk Assessment Report


Control Types

(Diagram: relates Threat, Attack, Vulnerability and Impact to Deterrent, Preventive, Detective, Corrective and Compensating controls. Relationship labels in the diagram: reduces likelihood of, decreases, results in, reduces, protects, creates, triggers, discovers.)


Controls & Countermeasures

• Cost of control should never exceed the expected loss assuming no control
• Countermeasure = Targeted Control: aimed at a specific threat or vulnerability
  Problem: Firewall cannot process packets fast enough due to IP packet attacks
  Solution: Add border router to eliminate invalid accesses


Analysis of Risk vs. Controls (Workbook)

Cost of Some Controls is shown in Case Study Appendix

Risk | ALE Score | Control | Cost of Control
Stolen Faculty Laptop | $2K; $10,000 (FERPA) | Encryption | $60
Registration System or Disk Failure | $8,400 | RAID (Redundant disks) | $750
Registration Hacker Penetration | $176,800 | Unified Threat Mgmt Firewall | $1K
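The SLE/ARO/ALE rows of the Quantitative Risk workbook and the control costs in the table above, worked through in code with the deck's cost rule (control cost must not exceed the ALE) and the Risk Leverage ratio from the five-step slide. This is an added example, not code from the deck; the residual ALE after a control is applied and the 1-in-50-years RAID figure used for the leverage calculation are assumptions.

```python
"""SLE / ARO / ALE worksheet with a control cost check and risk leverage.

Added worked example (not code from the slides). It reuses the workbook rows from
the 'Quantitative Risk' slide and the control costs from the 'Analysis of Risk vs.
Controls' slide, applying the deck's formulas:
    SLE = sum of the loss components for one occurrence
    ARO = 1 / years between occurrences
    ALE = SLE x ARO
    Risk leverage = (ALE before control - ALE after control) / cost of control
The residual ALE after a control is applied is not on the slides, so it is an
assumption supplied by the caller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    loss_components: dict   # component name -> dollars lost in one occurrence
    years_between: float    # expected years between occurrences (5 => ARO 0.2)

    @property
    def sle(self) -> float:
        return float(sum(self.loss_components.values()))

    @property
    def aro(self) -> float:
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def control_is_justified(ale: float, control_cost: float) -> bool:
    """Deck rule: the cost of a control should never exceed the expected loss without it."""
    return control_cost <= ale


def risk_leverage(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Exposure removed per dollar of control; above 1 the control pays for itself in a year."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after) / control_cost


def ale_table(asset_values, years_between_losses) -> dict:
    """ALE grid like the deck's 'Annualized Loss Expectancy' slide, assuming EF = 1 (total loss)."""
    return {years: {av: av / years for av in asset_values} for years in years_between_losses}


# Workbook rows from the deck's 'Quantitative Risk' slide.
WORKBOOK = [
    Risk("Registration Server", "System or Disk Failure",
         {"System failure": 10_000, "Registration x 2 days": 32_000}, years_between=5),
    Risk("Registration Server", "Hacker penetration",
         {"Breach Not. Law": 752_000, "Forensic help": 100_000,
          "Registration x 2 days": 32_000}, years_between=5),
    Risk("Grades Server", "Hacker penetration",
         {"Lawsuit": 1_000_000, "FERPA": 1_000_000, "Forensic help": 100_000,
          "Loss of Reputation": 10_000}, years_between=20),
]

# Controls and yearly costs from the deck's 'Analysis of Risk vs. Controls' slide.
CONTROLS = {
    ("Registration Server", "System or Disk Failure"): ("RAID (Redundant disks)", 750),
    ("Registration Server", "Hacker penetration"): ("Unified Threat Mgmt Firewall", 1_000),
}


def worksheet(risks=WORKBOOK, controls=CONTROLS) -> list:
    """One row per risk: SLE, ARO, ALE, and whether the listed control passes the cost rule."""
    rows = []
    for r in risks:
        control, cost = controls.get((r.asset, r.threat), (None, 0.0))
        rows.append({
            "asset": r.asset, "threat": r.threat,
            "sle": r.sle, "aro": r.aro, "ale": r.ale,
            "control": control, "control_cost": cost,
            "justified": control_is_justified(r.ale, cost) if control else None,
        })
    return rows


if __name__ == "__main__":
    for row in worksheet():
        print(f'{row["asset"]:20} {row["threat"]:24} SLE=${row["sle"]:>12,.0f} '
              f'ARO={row["aro"]:.2f} ALE=${row["ale"]:>10,.0f} '
              f'control={row["control"]} (${row["control_cost"]:,}) justified={row["justified"]}')
    # Assumption for illustration: RAID stretches disk-failure losses from 1 in 5 to 1 in 50 years.
    before = WORKBOOK[0].ale
    after = WORKBOOK[0].sle / 50
    print(f"RAID risk leverage: {risk_leverage(before, after, 750):.2f}")
```

ale_table() regenerates the deck's ALE grid from the formula alone; for a $10K asset lost once in 20 years it returns $500, which is a useful cross-check against any hand-filled table.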


Extra Step: Step 6: Risk Monitoring

Stolen Laptop | In investigation | $2k, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K

Report to Mgmt status of security:
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected

Security Dashboard, Heat chart or Stoplight Chart


Training

• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering


Security Control Baselines & Metrics

• Baseline: A measurement of performance
• Metrics are regularly and consistently measured, quantifiable, inexpensively collected
• Leads to subsequent performance evaluation

E.g. How many viruses is help desk reporting?

(Chart: counts on a 0-90 scale for Year 1 through Year 4, series Stolen Laptop, Virus/Worm and % Misuse. Company data - Not real)


Risk Management

• Risk Management is aligned with business strategy & direction
• Risk mgmt must be a joint effort between all key business units & IS
• Business-Driven (not Technology-Driven)

Steering Committee:
• Sets risk management priorities
• Defines Risk management objectives to achieve business strategy


Risk Management Roles

• Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
• Chief Info Officer: IT planning, budget, performance incl. risk
• Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
• Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.
• Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
• System / Info Owners: Responsible to ensure controls in place to address CIA. Sign off on changes
• IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.


Due Diligence

• Due Diligence = Did careful risk assessment (RA)
• Due Care = Implemented recommended controls from RA
• Liability minimized if reasonable precautions taken

Elements shown: Senior Mgmt Support, Risk Assessment, Backup & Recovery, Policies & Procedures, Adequate Security Controls, Compliance, Monitoring & Metrics, Business Continuity & Disaster Recovery


3 Ethical Risk Cases

1. On eve of doomed Challenger space shuttle launch, an executive told another: "Take off your engineering hat and put on your management hat."
2. In Bhopal, India, a chemical leak killed approx. 3000 people; settlement was < 1/2 Exxon Valdez oil spill's settlement. Human life = projected income (low in developing nations)
3. The Three Mile Island nuclear disaster was a 'success' because no lives were lost
   • Public acceptance of nuclear technologies eroded due to the environmental problems and the proven threat

It is easy to underestimate the cost of others' lives, when your life is not impacted.


Question

Risk Assessment includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring

2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?

3. Assesses controls after implementation

4. The identification, financial analysis, and prioritization of risks, and evaluation of controls


Question

Risk Management includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring

2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?

3. Assesses controls after implementation

4. The identification, financial analysis, and prioritization of risks, and evaluation of controls


Question

The FIRST step in Security Risk Assessment is:

1. Determine threats and vulnerabilities

2. Determine values of key assets

3. Estimate likelihood of exploitation

4. Analyze existing controls


Question

Single Loss Expectancy refers to:

1. The probability that an attack will occur in one year

2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)

3. The cost when the risk occurs to the asset once

4. The average cost of loss of this asset per year


Question

The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:

1. The Chief Information Officer

2. The Chief Risk Officer

3. The Chief Information Security Officer

4. Enterprise governance and senior business management


Question

Which of these risks is best measured using a qualitative process?

1. Temporary power outage in an office building

2. Loss of consumer confidence due to a malfunctioning website

3. Theft of an employee’s laptop while traveling

4. Disruption of supply deliveries due to flooding


Question

The risk that is assumed after implementing controls is known as:

1. Accepted Risk

2. Annualized Loss Expectancy

3. Quantitative risk

4. Residual risk


Question

The primary purpose of risk management is to:

1. Eliminate all risk

2. Find the most cost-effective controls

3. Reduce risk to an acceptable level

4. Determine budget for residual risk


Question

Due Diligence ensures that

1. An organization has exercised the best possible security practices according to best practices

2. An organization has exercised acceptably reasonable security practices addressing all major security areas

3. An organization has implemented risk management and established the necessary controls

4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets


Question

ALE is:

1. The average cost of loss of this asset, for a single incident

2. An estimate using quantitative risk management of the frequency of asset loss due to a threat

3. An estimate using qualitative risk management of the priority of the vulnerability

4. ALE = SLE x ARO


HEALTH FIRST CASE STUDY

Analyzing Risk

• Jamie Ramon MD: Doctor
• Chris Ramon RD: Dietician
• Terry: Licensed Practicing Nurse
• Pat: Software Consultant


Step 1: Define Assets


Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | | | C? I? A?
Daily Operation (DO) | | |
Medical Malpractice (M) | | |
HIPAA Liability (H) | | |
Notification Law Liability (NL) | | |


Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | | DO + M + H + NL | C I A
Daily Operation (DO) | | $ |
Medical Malpractice (M) | | $ |
HIPAA Liability (H) | | $ |
Notification Law Liability (NL) | | $ |


HIPAA Criminal Penalties

$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | …committed under false pretenses
Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …


Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

Normal threats: Threats common to all organizations

Inherent threats: Threats particular to your specific industry

Known vulnerabilities: Previous audit reports indicate deficiencies.


Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

(Quadrant map to fill in. Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02). Vulnerability (Severity) axis: Slow Down Business, Temp. Shut Down Business, Threaten Business. Threats to place on the map: Snow Emergency, Hacker/Criminal, Loss of Electricity, Malware, Failed Disk, Stolen Laptop, Stolen Backup Tape(s), Social Engineering, Intruder, Fire, Flood, Earthquake, Pandemic, Tornado/Wind Storm.)


Step 4: Compute Expected Loss
Step 5: Treat Risk

Step 4: Compute E(Loss): ALE = SLE * ARO

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
(rows to be filled in)

Step 5: Treat Risk
• Risk Acceptance: Handle attack when necessary
• Risk Avoidance: Stop doing risky behavior
• Risk Mitigation: Implement control to minimize vulnerability
• Risk Transference: Pay someone to assume risk for you
• Risk Planning: Implement a set of controls


Reference

Slide # | Slide Title | Source of Information
6 | Risk Management Process | CISM: page 97 Exhibit 2.2
8 | Continuous Risk Mgmt Process | CISM: page 97 Exhibit 2.3
9 | Security Evaluation: Risk Assessment | CISM: page 100
12 | Matrix of Loss Scenario | CISM: page 114 Exhibit 2.15
14 | Step 2: Determine Loss Due to Threats | CISM: page 105
16 | Step 2: Determine Threats Due to Vulnerabilities | CISM: page 105
17 | Step 3: Estimate Likelihood of Exploitation | CISM: page 107-110
18 | Likelihood of Exploitation Sources of Losses | CISM: page 118 Exhibit 2.11
19 | Step 4: Compute Expected Loss Risk Analysis Strategies | CISM: page 108-110
20 | Step 4: Compute Loss Using Qualitative Analysis | CISM: page 108
22 | Step 4: Compute Loss Using Semi-Quantitative Analysis | CISM: page 108, 109
23 | SemiQuantitative Impact Matrix | CISM: page 109 Exhibit 2.12
24 | Step 4: Compute Loss Using Quantitative Analysis | CISM: page 109, 110
26 | Annualized Loss Expectancy | CISM: page 110
28 | Step 5: Treat Risk | CISM: page 110, 111
29 | NIST Risk Assessment Methodology | CISM: page 102 Exhibit 2.7
30 | Control Types | CISM: page 186 Exhibit 3.18
32 | Controls & Countermeasures | CISM: page 184, 185
36 | Security Control Baselines & Metrics | CISM: page 191-193
37 | Risk Management | CISM: page 91, 92
38 | Risk Management Roles | CISM: page 94