Sec345‐InformationAssurance‐TechJournal2 - ConnorEast/Tech-Journal GitHub Wiki

1. Types of bias:

  • Affinity Bias ---> Similarities end up not allowing us to see how we differ.
  • Halo Effect ---> When you believe great things about someone without them having to prove it.
  • Attribution Bias ---> Our perception of ourselves is kind, whereas we tend to assume incompetence in others.
  • Confirmation Bias ---> We look for evidence that confirms our worldview, regardless of what others say.
  • Conformity Bias ---> Judging someone more or less favorably based on how well they fit in with the group.

2. Risk Management Framework:

  • RMF is a framework that provides guidelines for information technology in an organization. It is a USA federal government standard developed by NIST. It explains how to manage security and privacy risk, which includes control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. It promotes real-time risk management and gives leaders the information needed to make efficient, cost-effective risk management decisions about their systems. The steps required are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Calculation for Risk:

  • Risk = Likelihood x Impact

What is the purpose of a risk assessment?

  • Risk assessments are used to identify relevant threats, vulnerabilities, impact, and likelihood. They help define what each tier in the risk management hierarchy must do. The hierarchy consists of Tier 1: Organization, Tier 2: Business Process, and Tier 3: Information Systems. Risk assessments can be done either qualitatively or quantitatively.

Qualitative Risk Analysis: Doesn't use exact dollar figures. Loss and threat are rated on a relative scale instead.

Quantitative Risk Analysis: Uses exact dollar figures for asset loss and a concrete probability percentage.
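The same risk formula applied both ways, as an added example (not part of the journal): a small constructed risk register is scored qualitatively on 1-5 scales and quantitatively as probability times dollar loss, then ranked. The band thresholds and sample figures are assumptions chosen for illustration.

```python
# Added example: scoring a risk register two ways using Risk = Likelihood x Impact.
from dataclasses import dataclass

# Qualitative: ordinal 1-5 labels, so the result is a band rather than a dollar figure.
QUAL_SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

@dataclass
class Finding:
    name: str
    likelihood: str            # qualitative label from QUAL_SCALE
    impact: str                # qualitative label from QUAL_SCALE
    annual_probability: float  # quantitative: chance the event occurs in a year (0..1)
    loss_usd: float            # quantitative: dollar loss if it occurs

def qualitative_score(f: Finding) -> int:
    """Risk = Likelihood x Impact on 1-5 ordinal scales, giving a product from 1 to 25."""
    return QUAL_SCALE[f.likelihood] * QUAL_SCALE[f.impact]

def qualitative_band(score: int) -> str:
    """Map the 1..25 product onto a reporting band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"

def quantitative_score(f: Finding) -> float:
    """Risk = Likelihood x Impact with a concrete probability and dollar impact (expected annual loss)."""
    if not 0.0 <= f.annual_probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return f.annual_probability * f.loss_usd

def rank(findings, scorer):
    """Return findings ordered from highest to lowest risk under the given scorer."""
    return sorted(findings, key=scorer, reverse=True)

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Finding("unpatched VPN appliance", "high", "very high", 0.30, 400_000),
    Finding("lost unencrypted laptop", "moderate", "moderate", 0.50, 60_000),
    Finding("website defacement", "very high", "low", 0.80, 5_000),
]

if __name__ == "__main__":
    for f in rank(REGISTER, qualitative_score):
        s = qualitative_score(f)
        print(f"{f.name:26s} qualitative {s:2d} ({qualitative_band(s)})  "
              f"quantitative ${quantitative_score(f):,.0f}/yr")
```

Note that the two methods rank the laptop and defacement findings in opposite order: the ordinal scale cannot express that a "very high" likelihood of a $5,000 loss is cheaper than a coin-flip chance of a $60,000 one, which is why the quantitative method is preferred when real figures are available.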


7 Steps:

  • Prepare ---> This step prepares the organization to manage security and privacy. Duties include identifying key risk management roles, determining risk tolerance, performing a full-scale risk assessment, creating and implementing a continuous monitoring strategy, and identifying common controls.
  • Categorize ---> With the key risks identified, categorize them based on risk, vulnerability, and the impact of a loss of CIA for the information the system processes, stores, and transmits. Duties in this step include documenting system characteristics, categorizing the system and its information, and getting approval from a second party and/or upper management.
  • Select ---> Tailor a document with the specific controls that will be used to protect the system based on the company's risk. This includes selected and tailored controls, system-specific control documentation, allocation of controls to system components, continuous monitoring strategy development, and approved documentation.
  • Implement ---> Use the information from the documents you made and implement the controls organization-wide. This step produces the control implementation plan and updates the documentation to reflect the controls actually implemented.
  • Assess ---> Check whether the implemented controls are working and producing the intended outcome.
  • Authorize ---> Get a senior official to authorize the system by accepting that the security and privacy posture of the controls is acceptable.
  • Monitor ---> Continuously monitor the systems to confirm their security posture.