CompTIA Security+ Deluxe Study Guide: Exam SY0-301 - Hardcover

Dulaney, Emmett

 
9781118014745: CompTIA Security+ Deluxe Study Guide: Exam SY0-301

Synopsis

Get a host of extras with this Deluxe version including a Security Administration Simulator!
 
Prepare for CompTIA's new Security+ exam SY0-301 with this Deluxe Edition of our popular CompTIA Security+ Study Guide, 5th Edition. In addition to the 100% coverage of all exam essentials and study tools you'll find in the regular study guide, the Deluxe Edition gives you over additional hands-on lab exercises and study tools, three additional practice exams, author videos, and the exclusive Security Administration simulator. This book is a CompTIA Recommended product.
* Provides 100% coverage of all exam objectives for Security+ exam SY0-301 including:
* Network security
* Compliance and operational security
* Threats and vulnerabilities
* Application, data and host security
* Access control and identity management
* Cryptography
* Features Deluxe-Edition-only additional practice exams, value-added hands-on lab exercises and study tools, and exclusive Security Administrator simulations, so you can practice in a real-world environment
* Covers key topics such as general security concepts, communication and infrastructure security, the basics of cryptography, operational security, and more
* Shows you pages of practical examples and offers insights drawn from the real world
 
Get deluxe preparation, pass the exam, and jump-start your career. It all starts with CompTIA Security+ Deluxe Study Guide, 2nd Edition.

The synopsis may refer to a different edition of this title.

About the Author

Emmett Dulaney is an associate professor at Anderson University. He has written several certification books on Windows, Security, IT project management, and UNIX, and is coauthor of two of Sybex's leading certification titles: CompTIA Security+ Study Guide and CompTIA A+ Complete Study Guide. He is also a well-known certification columnist for Redmond magazine and CertCities.com.

From the Back Cover

The Deluxe Edition of CompTIA Security+ Study Guide, Fifth Edition
 
Prepare for CompTIA's Security+ Exam SY0-301 with this Deluxe Edition of the top-selling CompTIA Security+ Study Guide, Fifth Edition. In addition to comprehensive coverage of exam topics and Sybex's leading-edge exam prep software, this CompTIA Recommended Deluxe Study Guide includes bonus exercises and practice exams, sample videos, special Security+ training software, and more. Start your CompTIA Security+ preparation today with:
* Full coverage of all exam objectives in a systematic approach, so you can be confident you're getting the instruction you need for the exam
* Practical, hands-on exercises and labs to reinforce critical skills, plus 50 bonus hands-on exercises in PDF format on CD
* Real-world scenarios that put what you've learned in the context of actual job roles
* Five complete practice exams as well as challenging review questions to prepare you for exam day
* Easy-to-follow videos that illustrate complex techniques
* A list of useful acronyms that any security professional should be familiar with
* Exam Essentials, a key feature in each chapter that identifies critical areas you must become proficient in before taking the exam
* A handy tear card that maps every official exam objective to the corresponding chapter in the book, so you can track your exam prep objective by objective
 
Look inside for complete coverage of all exam objectives.
 
www.sybex.com/go/securitydel2e
 
SYBEX TEST ENGINE
Test your knowledge with advanced testing software. Includes all chapter review questions and practice exams.
 
ELECTRONIC FLASHCARDS
Reinforce your understanding with electronic flashcards.
 
Also on the CD, you'll find extra exercises and study tools, training software, videos, a special appendix on cabling, a useful list of acronyms, and more.
 
Includes Real-World Scenarios, Hands-On Exercises, and Leading-Edge Exam Prep Software Featuring:
* Custom Test Engine
* Hundreds of Sample Questions
* Five Complete Practice Exams
* Electronic Flashcards
* Bonus Videos, Study Tools, and More

Excerpt. © Reprinted by permission. All rights reserved.

CompTIA Security+ Deluxe Study Guide

Exam SY0-301
By Emmett Dulaney

John Wiley & Sons

Copyright © 2011 John Wiley & Sons, Ltd
All rights reserved.

ISBN: 978-1-1180-1474-5

Chapter One

Measuring and Weighing Risk

THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

  •   1.3 Distinguish and differentiate network design elements and compounds.
    * Cloud computing: Platform as a Service; Software as a Service; Infrastructure as a Service
  •   2.1 Explain risk related concepts.
    * Control types: Technical; Management; Operational
    * False positives
    * Importance of policies in reducing risk: Privacy policy; Acceptable use; Security policy; Mandatory vacations; Job rotation; Separation of duties; Least privilege
    * Risk calculation; Likelihood; ALE; Impact
    * Quantitative vs. Qualitative
    * Risk avoidance, transference, acceptance, mitigation, deterrence
    * Risk associated to Cloud Computing and Virtualization
  •   2.2 Carry out appropriate risk mitigation strategies.
    * Implement security controls based on risk
    * Change management
    * Incident management
    * User rights and permission reviews
    * Perform routine audits
  •   3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities.
    * Risk calculations: Threat vs. likelihood
  •   4.3 Explain the importance of data security.
    * Cloud computing

As an administrator, you know that there are risks involved in working with data. You know that data can become corrupt, can be accessed by those who shouldn't see it, can have values changed, and so on. If you think that being armed with this knowledge is enough to enable you to take the steps to keep any harm from happening, however, you'll be sadly mistaken. One of the possible actions administrators can take in response to potential threats is to simply accept that they will happen. If the cost of preventing a particular risk from becoming a reality exceeds the value of the harm that could be caused by the event, then a cost/benefit risk calculation dictates that the risk should remain.

Most risk calculations weigh a potential threat against the likelihood of it occurring. As frustrating as it may seem, you should always be able to accept the fact that sometimes some risks must remain. This chapter focuses on risk and various ways of dealing with it, all of which you will need to understand fully for the Security+ exam.

Risk Assessment

Risk assessment is also known as risk analysis. It deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or information itself. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key is to think outside the box. Conventional threats/risks are often too limited when considering risk assessment.

The key components of a risk-assessment process are outlined here:

Risks to Which the Organization Is Exposed This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to respond.

Risks That Need Addressing The risk-assessment component also allows an organization to provide a reality check on which risks are real and which aren't likely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a pack of wild dogs stealing the entire contents of the payroll file is very low. Therefore, resources should be allocated to prevent espionage or theft as opposed to the latter possibility.

Coordination with BIA The risk-assessment component, in conjunction with the BIA (Business Impact Analysis), which is discussed in Chapter 13, provides an organization with an accurate picture of the situation facing it. It allows an organization to make intelligent decisions about how to respond to various scenarios.

Computing Risk Assessment

When you're doing a risk assessment, one of the most important things to do is to prioritize. Not everything should be weighed evenly because some events have a greater likelihood of happening; in addition, a company can live with some risks, whereas others would be catastrophic. One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:

SLE x ARO = ALE

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.
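As an added example (not from the book), the SLE/ARO/ALE arithmetic above combined with the cost/benefit rule from the chapter opening (accept the risk when the control costs more per year than the loss it averts). The asset value of $10,000 and exposure factor of 0.1 are assumed values chosen to reproduce the $1,000 SLE in the text; the $5,000 and $8,000 control costs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    """Quantitative inputs for one threat against one asset."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a meaningless ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def control_decision(risk: RiskEstimate, annual_control_cost: float) -> str:
    """Cost/benefit rule from the chapter: if preventing the risk costs more per
    year than the loss it would avert (the ALE), the risk is accepted; otherwise
    spending on the control is justified and the risk is mitigated."""
    return "accept" if annual_control_cost > risk.ale() else "mitigate"


if __name__ == "__main__":
    # Constructed values: AV $10,000 with EF 0.1 gives the $1,000 SLE used in the text.
    frequent = RiskEstimate(asset_value=10_000, exposure_factor=0.1, aro=7)    # ALE $7,000
    rare = RiskEstimate(asset_value=10_000, exposure_factor=0.1, aro=0.1)      # ALE $100
    for name, risk in (("seven per year", frequent), ("once a decade", rare)):
        for cost in (5_000, 8_000):
            print(f"{name}: SLE=${risk.sle():,.2f} ALE=${risk.ale():,.2f} "
                  f"-> control at ${cost:,}/yr: {control_decision(risk, cost)}")
```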

In Exercise 1.1, we'll walk through some risk-assessment computations.

Key to any risk assessment is identifying both assets and threats. You first have to identify what you want to protect and then what possible harms could come to those assets. You then analyze the risks in terms of either cost or severity.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

To understand the difference between quantitative and qualitative, it helps to use a simplistic example. Imagine that you get an emergency call to help a small company that you have never even heard from before. It turns out that their one and only server has crashed and their backups are useless. One of the files lost was the only copy of the company history. This file detailed the company from the day it began to the present day and had the various iterations of the mission statement as they changed over time. As painful a loss as this file represents to the company culture, it has nothing to do with filling orders and keeping customers happy, and its loss represents a qualitative loss.

Another loss was the customer database. This held customer contact information as well as a history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all the hard-copy invoices from storage and re-entering them into the system. This loss can be calculated by the amount of business lost and the amount of time it takes to find/re-enter all the data, and thus it is a quantitative loss.

Acting on Your Risk Assessment

Once you've identified and assessed the risks that exist, for the purpose of the exam, you have five possible actions you can choose to follow:

Risk Avoidance Risk...

  • "About this title" may refer to a different edition of this title.