MCE14 INFORMATION SECURITY
CCET PREPARED BY : S.PON SANGEETHA /AP
UNIT III --- SECURITY ANALYSIS
TABLE OF CONTENTS
3.1. Risk Management
     Introduction
     An Overview of Risk Management
3.2. Risk Identification
3.3. Assessing Risk
3.4. Risk Control Strategies
3.5. Selecting a Risk Control Strategy
3.6. Risk Management Discussion Points
3.7. Summary
3.8. Review Questions
Risk Management CHAPTER 1
Introduction:
The formal process of identifying and controlling the risks facing an organization is called
risk management.
This process is made up of two major undertakings:
a) Risk Identification
b) Risk Control
The first of these, risk identification, is the process of examining and documenting the
security posture of an organization's information technology and the risks it faces. Risk
assessment is the documentation of the results of risk identification.
The second major undertaking, risk control, is the process of applying controls to reduce the
risks to an organization's data and information systems.
Risk management is also used in the public sector to identify and mitigate risk to critical
infrastructure. For the most part, these methodologies consist of the following elements,
performed, more or less, in the following order.
identify assets and identify which are most critical
identify, characterize, and assess threats
assess the vulnerability of critical assets to specific threats
determine the risk (i.e. the expected consequences of specific types of attacks on
specific assets)
identify ways to reduce those risks
prioritize risk reduction measures based on a strategy
An Overview of Risk Management:
"If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer
a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
(Sun Tzu, The Art of War)
Applied to risk management, this means:
a) Know yourself: identify, examine and understand the information assets of the organization
and the systems, mechanisms and controls that currently protect them.
b) Know the enemy: identify, examine and understand the threats facing the organization and
determine which of them most directly affect its security and its information assets.
In an organization, it is the responsibility of each community of interest to manage the risks
that the organization encounters. Each community of interest has a role to play, as outlined
below:
a) Information Security: best understands the threats and attacks that introduce risk, and
takes the lead in the risk management process.
b) Management and users: play a part in early detection and response, ensure that sufficient
resources are allocated, and verify that controls are in place and working.
c) Information Technology: builds secure systems and operates them safely.
Risk Identification CHAPTER 2
3.1. Risk management
Risk management involves identifying, classifying and prioritizing an organization's
information assets, threats and vulnerabilities. Risk identification ascertains which risks
have the potential to affect the project and documents the risks' characteristics. Risk
identification begins after the risk management plan is constructed and continues
iteratively throughout project execution. The risk identification process naturally
progresses into the qualitative risk analysis or the quantitative risk analysis process.
Sometimes it is wise to identify a risk together with its candidate response, so that the
response can be carried forward into risk response planning.
At the beginning of the Risk Identification process it is a good idea to have gathered all of
the inputs you and your team will need. The inputs to the Risk Identification Process are:
an understanding of the project’s mission, scope, schedule, cost, Work Breakdown
Structure (WBS), quality criteria, and other elements.
Risk Management Plan - The Risk Management Plan provides the blueprint of overseeing
risk management throughout the project describing who, what, when, where, why, and
how. The Risk Management Plan provides the following four critical inputs to Risk
Identification:
Assignment of roles and responsibilities - identifying the who of risk
management by assigning the handling of specific tasks and roles to specific
individuals.
Budget provisions for risk-management activities - The approved funds
available for risk-management activities. You will need to track your actual costs
against these approved budget numbers.
Schedule for risk management - The revised schedule including the time needed
for risk-management activities over the duration of the project’s life cycle.
Categories of risk - The risk categories are used during Risk Identification to
organize and prioritize risks as they are identified. Alternatively, the Risk
Breakdown Structure (RBS) may be the source of risk categories.
Project Scope Statement - The project scope statement defines the project
boundaries and assumptions. During Risk Identification, risks to boundaries must
be identified in order to mitigate scope creep, and assumptions must be reassessed
to identify risks associated with them.
Organizational process assets - Organizational process assets provide information
from prior projects including historical information and lessons learned.
Enterprise environmental factors - These factors include any and all external
environmental factors and internal organizational environmental factors that
surround or influence the project's success, such as organizational culture and
structure, infrastructure, existing resources, commercial databases, market
conditions, and project management software.
After gathering all necessary inputs, it is time to employ the recommended tools and
techniques of risk identification. The tools and techniques are:
Documentation reviews - Documentation reviews involve comprehensively
reviewing the project documents and assumptions from the project overview and
detailed scope perspective in order to identify areas of inconsistency or lack of
clarity. Missing information and inconsistencies are indicators of a hidden risk.
Information gathering techniques - Information gathering techniques are used to
develop lists of risks and risk characteristics. Each technique is helpful for collecting a
particular kind of information. The five techniques are:
Brainstorming - Brainstorming is employed as a general data-gathering and creativity
technique which identifies risks, ideas, or solutions to issues. Brainstorming uses a
group of team members or subject-matter experts building on each other's
ideas to generate new ideas.
Delphi technique - The Delphi technique gains information from experts,
anonymously, about the likelihood of future events (risks) occurring. Because responses
are anonymous and collected in rounds, the technique reduces bias and prevents any one
expert from having undue influence on the others.
Interviewing - Interviewing, in face-to-face meetings with project participants,
stakeholders, subject-matter experts, and individuals who may have participated in
similar past projects, is a technique for gaining first-hand information and the benefit
of others' experience and knowledge.
Root cause identification - Root cause identification is a technique for identifying
essential causes of risk. Using data from an actual risk event, the technique enables you
to find out what happened and how it happened, and understand why it happened, so
that you can devise responses to prevent recurrences.
Strengths, weaknesses, opportunities, and threats (SWOT) analysis – A SWOT
analysis examines the project from the perspective of each project’s strengths,
weaknesses, opportunities, and threats to increase the breadth of the risks considered
by risk management.
Checklist analysis - Checklists list all identified or potential risks in one place.
Checklists are commonly developed from historical information or lessons learned. The
Risk Breakdown Structure (RBS) can also be used as a checklist. Just keep in mind that
checklists are never comprehensive, so using another technique is still necessary.
Assumptions analysis - All projects are initially planned on a set of assumptions and
what-if scenarios. These assumptions are documented in the project scope statement.
During risk identification, the assumptions are analyzed to determine the amount of
inaccuracy, inconsistency, or incompleteness associated with them.
Diagramming techniques - Diagramming techniques, such as system flow charts,
cause-and-effect diagrams, and influence diagrams are used to uncover risks that aren’t
readily apparent in verbal descriptions.
Cause and effect diagrams - Cause and effect (fishbone) diagrams are used
for identifying the causes of risk.
System or process flow charts - Flow charts illustrate how elements and processes
interrelate.
Influence diagrams - Influence diagrams depict causal influences, time ordering of
events and other relationships between input variables and output variables.
Risk identification begins with identifying the organization's assets and assessing their value,
as shown in the following Figure.
Figure: Components of risk management (identifying risks, assessing risks, controlling risks)
3.2. ASSET IDENTIFICATION AND VALUATION
This iterative process begins with the identification of assets, which includes all elements of an
organization's system (people, procedures, data and information, software, hardware,
networking). Assets are then classified and categorized as shown in the following Table.
3.2.1 People, Procedures, and Data Asset Identification
Human resources, documentation, and data/information assets are more difficult to
identify than hardware. People with knowledge, experience, and good judgment should be assigned this
task, and these assets should be recorded using a reliable data-handling process. Asset attributes
for people are: position name, number and ID; supervisor; security clearance level; and special
skills.
Asset attributes for procedures are: description; intended purpose; relationship to
software, hardware and networking elements; and storage location for reference and update.
Asset attributes for data are: classification; owner, creator and manager; size of the data
structure; data structure used; online or offline; location; and backup procedures employed.
3.2.2 Hardware, Software, and Network Asset Identification
What information attributes to track depends on:
Needs of organization/risk management efforts
Management needs of information security/information technology communities
Asset attributes to be considered are: name; IP address; MAC address; element type; serial
number; manufacturer name; model/part number; software version; physical or logical
location; controlling entity.
3.2.3 Information Asset Classification
Many organizations have data classification schemes (e.g., confidential, internal, public
data). Classification of components must be specific to allow determination of priority
levels. Categories must be comprehensive and mutually exclusive.
3.2.4 Information Asset Valuation
The following questions help develop criteria for asset valuation. Which information asset:
is most critical to the organization's success?
generates the most revenue/profitability?
would be most expensive to replace or protect?
would be the most embarrassing or cause the greatest liability if revealed?
The following Figure shows a sample worksheet for the asset identification of an information
system.
3.2.5 Listing Assets in Order of Importance
A weight is created for each valuation criterion (category) based on the answers to the
questions above; the criterion weights should sum to 100. Each asset is then scored on every
criterion, and its relative importance is calculated using weighted factor analysis: the weighted
score of an asset is the sum, over all criteria, of the criterion weight times the asset's score on
that criterion. The assets are listed in order of importance on a weighted factor analysis
worksheet. In the following Table, the per-criterion scores range from 0.1 to 1.0, which is the
range recommended by NIST.
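The weighted factor analysis described above, worked through in code. This is an added example, not code from the lecture notes or their source textbook; the criteria, weights and the four assets in the inventory are constructed for illustration, and the block assumes the convention stated in the text (criterion weights sum to 100, each asset scored 0.1 to 1.0 per criterion).

```python
"""Weighted factor analysis: rank information assets by relative importance.

Added example (not from the lecture notes). Convention assumed from the
notes: criterion weights sum to 100 and each asset is scored 0.1..1.0 on
every criterion; an asset's weighted score is the sum of weight x score.
"""

# Valuation criteria and their weights (hypothetical; must sum to 100).
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}

# Constructed sample inventory: hypothetical assets scored 0.1..1.0 per criterion.
ASSETS = {
    "Customer order database": {
        "impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.5},
    "Public marketing web site": {
        "impact_on_revenue": 0.3, "impact_on_profitability": 0.2, "impact_on_public_image": 0.9},
    "Internal HR records": {
        "impact_on_revenue": 0.1, "impact_on_profitability": 0.3, "impact_on_public_image": 0.7},
    "Payment clearing system": {
        "impact_on_revenue": 1.0, "impact_on_profitability": 1.0, "impact_on_public_image": 0.8},
}


def weights_valid(weights):
    """True when the criterion weights sum to 100 (within float tolerance)."""
    return abs(sum(weights.values()) - 100) < 1e-9


def score_valid(score):
    """True when a per-criterion score lies in the NIST-recommended 0.1..1.0 range."""
    return 0.1 <= score <= 1.0


def weighted_score(asset_scores, weights):
    """Sum of (criterion weight x asset score) over all criteria, rounded to one decimal."""
    if not weights_valid(weights):
        raise ValueError("criterion weights must sum to 100")
    total = 0.0
    for criterion, weight in weights.items():
        score = asset_scores[criterion]  # KeyError if an asset was not scored on a criterion
        if not score_valid(score):
            raise ValueError(f"score {score} for {criterion} outside 0.1..1.0")
        total += weight * score
    return round(total, 1)


def rank_assets(assets, weights):
    """Return [(asset name, weighted score), ...] sorted from most to least important."""
    scored = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA_WEIGHTS):
        print(f"{score:5.1f}  {name}")
```

The validation is deliberate: a worksheet whose weights do not sum to 100, or whose scores fall outside 0.1 to 1.0, produces rankings that cannot be compared between assessment rounds, so the function refuses to compute one.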
3.2.6 Data Classification and Management
Corporate and military organizations use a variety of classification schemes. Information
owners are responsible for classifying the information assets and the same must be
reviewed periodically to provide protection.
The information classifications are as follows:
Confidential: used for the most sensitive information, which must be tightly
controlled.
Internal: used for all internal information.
External: used for all information approved for public release.
3.2.7 Security Clearances
For security clearances in organizations, each data user must be assigned a single level of
authorization indicating the classification level he or she may access. Before accessing a specific
set of data, the employee must also meet the need-to-know requirement. This extra level of
protection ensures that information confidentiality is maintained.
3.2.8 Management of Classified Data
Management of classified data includes the storage, distribution, portability, and destruction
of classified data. All information that is not unclassified or public must be clearly marked
with its classification. A clean desk policy requires that all information be stored in an appropriate
storage container at the end of each day; unneeded copies of classified information should be
destroyed after double verification. Dumpster diving (retrieving discarded documents from the trash)
can recover carelessly discarded information and compromise information security, so destruction
must be thorough (for example, shredding rather than simply discarding).
3.2.9 Threat Identification
After identifying and performing a preliminary classification of an organization's
information assets, the analysis phase moves on to an examination of the threats facing the
organization. The realistic threats need to be investigated further while the unimportant
threats are set aside.
The process of identifying and prioritizing threats and threat agents is known as threat
assessment. Each threat can be addressed by asking the following questions:
Which threats present a danger to the organization's assets?
Which threats represent the most danger to the organization's information?
How much would it cost to recover from a successful attack?
Which threat requires the greatest expenditure to prevent?
3.2.10 Vulnerability Identification
Specific avenues that threat agents can exploit to attack an information asset are called
vulnerabilities. Examine how each threat could be perpetrated and list the organization's
assets and their vulnerabilities. The process works best when people with diverse backgrounds
within the organization work iteratively in a series of brainstorming sessions. At the end of the
risk identification process, a list of assets and their vulnerabilities is obtained.
Assessing Risks CHAPTER 3
3.1. Risk assessment
Risk assessment is a step in the risk management process. Risk assessment is the
determination of the quantitative or qualitative value of the risk related to a concrete situation and
a recognized threat (also called a hazard). Quantitative risk assessment requires calculating
the two components of risk R: the magnitude of the potential loss L, and the probability p
that the loss will occur, so that R = L x p.
3.2.Risk assessment in information security
There are two methods of risk assessment in the information security field, qualitative
and quantitative. Purely quantitative risk assessment is a mathematical calculation based
on security metrics of the asset (system or application). Qualitative risk assessment is
performed when the organization requires that a risk assessment be performed in a relatively
short time or on a small budget, when a significant quantity of relevant data is not available,
or when the persons performing the assessment do not have the sophisticated mathematical,
financial, and risk assessment expertise required. Qualitative risk assessment can be
performed in a shorter period of time and with less data. Qualitative risk assessments are
typically performed through interviews of a sample of personnel from all relevant groups
within an organization charged with the security of the asset being assessed. Qualitative
risk assessments are descriptive rather than measurable.
3.3. Likelihood
Likelihood is the probability that a specific vulnerability will be successfully exploited; it is
usually expressed as a number between 0.1 (very unlikely) and 1.0 (near certain). Risk is the
likelihood of the occurrence of a vulnerability multiplied by the value of the information asset,
minus the percentage of risk mitigated by current controls, plus the uncertainty of current
knowledge of the vulnerability. Risk assessment evaluates the relative risk for each vulnerability
and assigns a risk rating or score to each information asset.
3.4. Valuation of Information Assets
Assign weighted scores for the value of each asset; the actual numbers used can vary with the
needs of the organization. To be effective, assign values by asking:
Which threats present a danger to the organization's assets?
Which threats represent the most danger to the organization's information?
How much would it cost to recover from a successful attack?
Which threat requires the greatest expenditure to prevent?
Finally: which of the above questions is, for each asset, most important to the protection
of the organization's information?
3.5. Risk Determination
For the purpose of relative risk assessment, risk equals likelihood of vulnerability
occurrence TIMES value (or impact) MINUS percentage of risk already controlled PLUS an
element of uncertainty. The percentage controlled and the uncertainty are both taken
relative to the base product (value x likelihood):
Risk = (value x likelihood) - (value x likelihood) x (fraction controlled) + (value x likelihood) x (uncertainty)
For example
Information asset A has a value score of 50 and has one vulnerability: Vulnerability
1 has a likelihood of 1.0 with no current controls, and you estimate that the
assumptions and data are 90% accurate (uncertainty 10%).
Information asset B has a value score of 100 and has two vulnerabilities: Vulnerability
2 has a likelihood of 0.5 with a current control that addresses 50% of its risk. Vulnerability
3 has a likelihood of 0.1 with no current controls. For asset B you estimate that the
assumptions and data are 80% accurate (uncertainty 20%).
The resulting ranked list of risk ratings for the three vulnerabilities:
Asset A, Vulnerability 1: rated 55 = (50 x 1.0) - 0% + 10%
   where 55 = (50 x 1.0) - ((50 x 1.0) x 0.0) + ((50 x 1.0) x 0.1)
         55 = 50 - 0 + 5
Asset B, Vulnerability 2: rated 35 = (100 x 0.5) - 50% + 20%
   where 35 = (100 x 0.5) - ((100 x 0.5) x 0.5) + ((100 x 0.5) x 0.2)
         35 = 50 - 25 + 10
Asset B, Vulnerability 3: rated 12 = (100 x 0.1) - 0% + 20%
   where 12 = (100 x 0.1) - ((100 x 0.1) x 0.0) + ((100 x 0.1) x 0.2)
         12 = 10 - 0 + 2
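The risk determination formula and the three-vulnerability example above, implemented so that the same calculation can be run over a whole inventory and produce the ranked vulnerability risk worksheet. This is an added example, not code from the lecture notes; the dataclass, function names and range checks are this example's own choices, and the numbers reproduce the worked example in the text.

```python
"""Relative risk ratings for asset-vulnerability pairs.

Added example (not from the lecture notes). It implements the formula in
the text: rating = (value x likelihood) - (value x likelihood) x controlled
+ (value x likelihood) x uncertainty, where uncertainty = 1 - accuracy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # information asset the vulnerability belongs to
    name: str           # vulnerability identifier
    asset_value: float  # asset value/impact score (e.g. from weighted factor analysis)
    likelihood: float   # probability of exploitation, 0.1 .. 1.0
    controlled: float   # fraction of risk addressed by current controls, 0.0 .. 1.0
    accuracy: float     # confidence in the assumptions and data, 0.0 .. 1.0


def _check_fraction(label, value, low=0.0):
    """Reject inputs outside the range the worksheet expects."""
    if not (low <= value <= 1.0):
        raise ValueError(f"{label}={value} must lie in {low}..1.0")


def risk_rating(v):
    """Risk rating for one asset-vulnerability pair, rounded to one decimal."""
    _check_fraction("likelihood", v.likelihood, low=0.1)
    _check_fraction("controlled", v.controlled)
    _check_fraction("accuracy", v.accuracy)
    base = v.asset_value * v.likelihood        # loss if the vulnerability is exploited
    mitigated = base * v.controlled            # share already handled by existing controls
    uncertainty = base * (1.0 - v.accuracy)    # margin for what we do not know
    return round(base - mitigated + uncertainty, 1)


def rank_vulnerabilities(vulns):
    """Ranked vulnerability risk worksheet rows: (asset, vulnerability, rating), highest first."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The three vulnerabilities from the worked example in the text.
EXAMPLE = [
    Vulnerability("Asset A", "Vulnerability 1", asset_value=50, likelihood=1.0, controlled=0.0, accuracy=0.9),
    Vulnerability("Asset B", "Vulnerability 2", asset_value=100, likelihood=0.5, controlled=0.5, accuracy=0.8),
    Vulnerability("Asset B", "Vulnerability 3", asset_value=100, likelihood=0.1, controlled=0.0, accuracy=0.8),
]

if __name__ == "__main__":
    for asset, name, rating in rank_vulnerabilities(EXAMPLE):
        print(f"{rating:5.1f}  {asset} / {name}")
```

Note what the uncertainty term does: a pair whose data are only 80% trusted is rated higher than one whose data are 90% trusted, all else being equal, so poorly understood vulnerabilities float up the worksheet until they are investigated rather than silently dropping off it.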
3.6. Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary
list of control ideas. Residual risk is the risk that remains to an information asset even after
existing controls have been applied.
3.7 Access Controls
Access controls specifically address the admission of a user into a trusted area of the
organization. They consist of a combination of policies and technologies. The different ways to
control access are:
Mandatory access controls (MAC) - give users limited control over access to
information resources; the classification of the resource and the clearance of the user
determine access.
Lattice-based access control - a variation of MAC in which users are assigned a matrix of
authorizations for areas of access.
Nondiscretionary controls - managed by a central authority in the organization; can be
based on an individual's role (role-based controls) or a specified set of assigned tasks
(task-based controls).
Discretionary access controls (DAC) - implemented at the discretion or option of the data
user, typically the owner, who decides who else may access the resource.
3.8 Documenting the Results of Risk Assessment
The goal of this process is to identify the information assets, list them, and rank them according
to which most need protection. The final summary document is the ranked vulnerability risk
worksheet. The worksheet is organized by asset, asset impact, vulnerability,
vulnerability likelihood and risk-rating factor. The ranked vulnerability risk worksheet is the
initial working document for the next step in the risk management process: assessing and
controlling risk. The following Table shows a sample of the worksheet.
Risks Control Strategies CHAPTER 4
Once the ranked vulnerability risk worksheet has been created, the organization must choose
one of the following four strategies to control each risk:
Apply safeguards (avoidance) that eliminate or reduce the remaining uncontrolled
risks for the vulnerability.
Transfer the risk (transference) to other areas or to outside entities.
Reduce the impact (mitigation) should the vulnerability be exploited.
Understand the consequences and accept the risk (acceptance) without control or
mitigation.
Avoidance
Attempts to prevent exploitation of the vulnerability
Preferred approach; accomplished through countering threats, removing asset
vulnerabilities, limiting asset access, and adding protective safeguards
Three common methods of risk avoidance:
Application of policy
Training and education
Applying technology
Transference
Control approach that attempts to shift risk to other assets, processes, or
organizations
If the organization lacks security management and administration expertise, it should
hire individuals/firms that provide it
The organization may then transfer the risk associated with management of complex
systems to another organization experienced in dealing with those risks.
Mitigation
Attempts to reduce the impact of vulnerability exploitation through planning and
preparation
Approach includes three types of plans:
Incident response plan (IRP)
Disaster recovery plan (DRP)
Business continuity plan (BCP)
Acceptance
Doing nothing to protect a vulnerability and accepting the outcome of its
exploitation
Valid only when the particular function, service, information, or asset does not
justify cost of protection
Risk appetite describes the degree to which organization is willing to accept risk
as trade-off to the expense of applying controls.
Selecting a Risk Control Strategy CHAPTER 5
Risk control involves selecting one of the four risk control strategies for each vulnerability.
The flowchart is shown in the following Figure.
When weighing the benefits of the different strategies, keep in mind that the level of threat
and the value of the asset should play a major role in strategy selection. The following rules
of thumb on strategy selection can be applied:
When a vulnerability exists: implement security controls to reduce the likelihood of its
being exploited.
When a vulnerability can be exploited: apply layered protections, architectural designs, and
administrative controls to minimize the risk or prevent the occurrence.
When the attacker's cost is less than the potential gain: apply protections to increase the
attacker's cost (for example, technical controls that limit what a system user can access and do).
When the potential loss is substantial: apply design principles, architectural designs, and
technical and non-technical protections to limit the extent of the attack and so reduce the
potential loss.
3.5.1.Evaluations, Assessment, and Maintenance of Risk Controls
Once a control strategy has been implemented, it should be monitored and measured on an
ongoing basis to determine the effectiveness of the security controls and the accuracy of
the estimate of the residual risk. The following Figure shows how this cyclical process
continues for as long as the organization continues to function.
3.5.2.Categories of Controls
Controlling risk through avoidance, mitigation or transference is accomplished by
implementing controls. Controls can be categorized in four useful ways:
Control function: Controls (safeguards) designed to defend systems are either preventive
or detective.
Architectural layer: Some controls apply to one or more layers of the organization's technical
architecture.
Strategy layer: Controls are sometimes classified by the risk control strategy (avoidance,
mitigation, transference) in which they operate.
Information security principle: Controls can be classified according to the characteristics
of secure information they are intended to assure. These characteristics include:
confidentiality, integrity, availability, authentication, authorization, accountability and
privacy.
3.5.3.Feasibility Studies
Before deciding on a strategy, all information about the economic and non-economic consequences
of the vulnerability of an information asset must be explored. A number of ways exist to
determine the advantage of a specific control.
a) Cost Benefit Analysis (CBA)
The most common approach for evaluating information security controls is the economic
feasibility of their implementation. CBA begins by evaluating the worth of the assets to be
protected and the loss in value if those assets are compromised. The formal process to document
this is called cost benefit analysis or economic feasibility study. Items that impact the cost of a
control or safeguard include: cost of development; training fees; implementation cost; service
costs; cost of maintenance.
Benefit is the value an organization realizes by using controls to prevent losses associated
with a vulnerability. Asset valuation is the process of assigning a financial value or worth to each
information asset; there are many components to asset valuation.
Once the worth of the various assets is estimated, the potential loss from exploitation of a
vulnerability is examined. The process results in an estimate of potential loss per risk. The
expected loss per risk is stated in the following equations:
SLE = asset value x exposure factor (EF)
ALE = SLE x annualized rate of occurrence (ARO)
where the single loss expectancy (SLE) is the loss from one occurrence, the exposure factor (EF)
is the fraction of the asset's value lost in one occurrence, the ARO is the expected number of
occurrences per year, and the annualized loss expectancy (ALE) is the expected loss per year.
b) The Cost Benefit Analysis (CBA) Formula
CBA determines whether or not the control alternative being evaluated is worth the cost incurred
to control the vulnerability. CBA is most easily calculated using the ALE from earlier assessments,
before implementation of the proposed control:
CBA = ALE(prior) - ALE(post) - ACS
where
ALE(prior) is the annualized loss expectancy of the risk before implementation of the control,
ALE(post) is the estimated ALE based on the control being in place for a period of time, and
ACS is the annualized cost of the safeguard.
A positive CBA means the control saves more than it costs; a negative CBA means the control
costs more than the loss it prevents.
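The SLE/ALE equations and the CBA formula above, applied to two candidate controls for the same vulnerability so that the comparison a budget decision needs comes out directly. This is an added example, not code from the lecture notes; the scenario (a web server, its exposure factor and occurrence rates, the two candidate controls and their cost items) is constructed for illustration, and the function names are this example's own.

```python
"""Cost-benefit analysis of candidate safeguards using ALE.

Added example (not from the lecture notes). It applies the formulas in the
text: SLE = asset value x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS.
All figures below are constructed for illustration.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: loss from one occurrence; EF is the fraction of asset value lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie in 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE: expected loss per year; ARO is occurrences per year (0.1 = once a decade)."""
    return sle * aro


def annualized_cost_of_safeguard(one_time_costs, recurring_annual_costs, lifetime_years):
    """ACS: one-time items (development, implementation, training) spread over the
    control's lifetime, plus yearly items (service, maintenance)."""
    return sum(one_time_costs.values()) / lifetime_years + sum(recurring_annual_costs.values())


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value, ef_prior, aro_prior, ef_post, aro_post, one_time, recurring, lifetime):
    """Full CBA for one control; returns the intermediate figures for the worksheet."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    acs = annualized_cost_of_safeguard(one_time, recurring, lifetime)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": round(ale_prior, 2), "ale_post": round(ale_post, 2),
            "acs": round(acs, 2), "cba": round(cba, 2), "worthwhile": cba > 0}


# Constructed scenario: a public web server worth 100,000; an intrusion destroys
# half its value (EF 0.5) and is expected about once a year (ARO 1.0).
ASSET_VALUE = 100_000

CANDIDATES = {
    # Patch management plus a web application firewall: afterwards the same
    # incident is expected once a decade (ARO 0.1) with an unchanged EF.
    "patching + WAF": dict(ef_post=0.5, aro_post=0.1,
                           one_time={"licences": 45_000, "implementation": 10_000, "training": 5_000},
                           recurring={"maintenance": 8_000, "service": 2_000}, lifetime=3),
    # An outsourced 24x7 monitoring contract: same residual risk, higher yearly cost.
    "managed SOC": dict(ef_post=0.5, aro_post=0.1,
                        one_time={"onboarding": 15_000},
                        recurring={"contract": 75_000}, lifetime=3),
}


def compare_controls(asset_value=ASSET_VALUE, ef_prior=0.5, aro_prior=1.0, candidates=CANDIDATES):
    """CBA for every candidate, best (highest CBA) first."""
    results = {name: evaluate_control(asset_value, ef_prior, aro_prior, **spec)
               for name, spec in candidates.items()}
    return sorted(results.items(), key=lambda item: item[1]["cba"], reverse=True)


if __name__ == "__main__":
    for name, r in compare_controls():
        verdict = "adopt" if r["worthwhile"] else "reject"
        print(f"{name:15s} ALE prior {r['ale_prior']:>9,.0f}  ALE post {r['ale_post']:>8,.0f}"
              f"  ACS {r['acs']:>8,.0f}  CBA {r['cba']:>9,.0f}  {verdict}")
```

Both candidates reduce the risk by the same amount; only the annualized cost differs, and the second one costs more per year than the loss it prevents, which is exactly the case the formula is meant to expose. In practice ALE(post) is a forecast: revisit it once the control has been in place for a period and real incident counts are available.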
c) Benchmarking
An alternative approach to risk management is benchmarking. Benchmarking is the process of
seeking out and studying practices in other organizations that one's own organization
desires to duplicate. One of two measures is typically used to compare practices:
Metrics-based measures
Process-based measures
Metrics-based measures are comparisons based on numerical standards, such as:
Numbers of successful attacks
Staff-hours spent on systems protection
Dollars spent on protection
Numbers of staff dedicated to protection
Estimated value in dollars of the information lost in successful attacks
Loss in productivity hours associated with successful attacks
Process-based measures are generally less focused on numbers and more strategic than
metrics-based measures. They enable the organization to examine the activities an individual
company performs in pursuit of its goals rather than the specifics of how goals are attained.
Adopting recognized standards and practices also has legal motivations:
Standard of due care: when adopting levels of security for a legal defense, the organization
shows it has done what any prudent organization would do in similar circumstances.
Due diligence: demonstration that the organization is diligent in ensuring that implemented
standards continue to provide the required level of protection. Failure to support the standard
of due care or due diligence can leave the organization open to legal liability.
Best business practices: security efforts that provide a superior level of protection of
information.
When considering best practices for adoption in an organization, consider:
Does organization resemble identified target with best practice?
Are resources at hand similar?
Is organization in a similar threat environment?
Problems with benchmarking:
Organizations don't talk to each other (the biggest problem)
No two organizations are identical
Best practices are a moving target
Knowing what was going on in the information security industry in recent years
through benchmarking doesn't necessarily prepare an organization for what's next
3.5.4.Baselining
Baselining is the analysis of measures against established standards. In information security,
baselining records the organization's current security activities and events as a reference
point against which its future performance is compared. When baselining, it is useful to have
a guide to the overall process.
3.5.5. Other Feasibility Studies
Operational: examines how well proposed information security alternatives will
contribute to organization’s efficiency, effectiveness, and overall operation
Technical: examines whether or not organization has or can acquire the technology
necessary to implement and support the control alternatives
Political: defines what can/cannot occur based on consensus and relationships between
communities of interest
Risk Management Discussion Points CHAPTER 6
Organizations must define the level of risk they can live with.
Risk appetite: defines the quantity and nature of risk that organizations are willing to accept
as tradeoffs between perfect security and unlimited accessibility are weighed.
Residual risk: risk that has not been completely removed, shifted, or planned for. The
following Figure illustrates how residual risk remains after safeguards are implemented.
Documenting Results
At minimum, each information asset-threat pair should have documented control strategy
clearly identifying any remaining residual risk. Another option: document outcome of
control strategy for each information asset-vulnerability pair as an action plan. Risk
assessment may be documented in a topic-specific report.
Recommended Practices in Controlling Risk
Convince budget authorities to spend up to the value of an asset to protect it from an
identified threat. The final control choice may be a balance of controls providing the greatest
value to as many asset-threat pairs as possible. Some organizations look to implement controls
that don't involve such complex, inexact and dynamic calculations. The spectrum of steps
described previously, performed with real numbers or estimates, is known as a quantitative
assessment.
Qualitative assessment: based on characteristics that do not use numerical measures.
Limitations
If risks are improperly assessed and prioritized, time can be wasted in dealing with risks of
losses that are not likely to occur. Spending too much time assessing and managing unlikely
risks can divert resources that could be used more profitably. Unlikely events do occur, but
if the risk is unlikely enough it may be better to simply retain the risk and deal
with the result if the loss does in fact occur. Qualitative risk assessment is subjective and
lacks consistency. The primary justification for a formal risk assessment process is legal and
bureaucratic.
Prioritizing the risk management process too highly could keep an organization from ever
completing a project or even getting started. This is especially true if other work is
suspended until the risk management process is considered complete.
Review Questions
1. What is risk management? Who is responsible for risk management in an
organization?
2. What are the strategies for controlling risk?
3. What are the components of risk management?
4. Describe risk avoidance. Name three common methods of risk avoidance.
5. Describe risk transference. Describe how outsourcing can be used for risk
transference.
6. Discuss the risk handling decision points with suitable diagram.
7. What is a cost benefit analysis?
8. Describe the Risk control cycle with neat diagram.
9. What is residual risk?
10. Describe risk mitigation. What are the approaches to mitigate risk?
11. In risk management strategies, why must periodic review be a part of the process?