Official (ISC)2 Guide to the CISSP Exam



Document information

AU1707_book.fm Page 8 Friday, October 31, 2003 3:44 PM OFFICIAL (ISC)2 GUIDE TO THE CISSP® EXAM

[...] whether or not the data is addressed to that node. This is particularly significant because the unencrypted user IDs and secret passwords of users logging on to the host are subject to compromise by the use of “sniffers” as this data travels from the user’s workstation to the host. Any confidential information [...]

[...] program, the lead person could be expected to devote 50 to 75% of his or her time to the process of establishing and executing the balance of the IRM tasks, the first of which follows immediately below. Funds should be allocated according (1) to the above minimum staffing and (2) to acquire and be trained in the use of a suitable automated risk assessment tool.

Establish IRM Methodology and Tools

There are [...]

[...] the process may be characterized as fully quantitative. It is virtually impossible to conduct a purely quantitative risk analysis project, because the quantitative measurements must be applied to some qualitative properties, that is, characterizations of vulnerability of the target environment. For example, “failure to impose [...]

[...] tricking other people to break normal security procedures. For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get him to reveal information that compromises the network’s security. The following sections discuss Security Management as a whole, which includes the following topics: [...]

[...] acceptance and having, later, to retrofit necessary information security measures. There are numerous variations on this risk management process, based on the degree to which the technique applied is quantitative and how thoroughly all steps are executed. For example, the asset identification and valuation [...]

[...] and in the form necessary — is closely related to the availability of the information processing technology. Whether because the process is unavailable, or the information itself is somehow unavailable, makes no difference to the organization dependent on the information to conduct its business or mission. The value of the information’s availability is reflected in the costs incurred, over time, by the organization, [...]

Central Tasks of Information Risk Management

The following sections describe the tasks central to the comprehensive information risk management process. These tasks provide concerned management with the identification and assessment of risk as well as cost-justified recommendations for risk reduction, thus allowing the execution of well-informed [...]

[...] and placed them in areas of the system where they can be accessed by unauthorized persons.

• Masqueraders. A masquerader is an authorized, or unauthorized, user of the system who has obtained the password of another user and thus gains access to files available to the other user by pretending to be the authorized user. Masqueraders are often able to read and copy confidential files. Masquerading, therefore, [...]

[...] consideration to such an action before taking the chance, so to speak. Perhaps we would even go so far as to calculate the odds (chance) of experiencing the undesirable outcome and, further, take steps to reduce the chance of experiencing the undesirable outcome. To effectively calculate the chance of experiencing the undesirable outcome, as well as its magnitude, one must have an awareness of the elements [...]

[...] methodologies are discussed.

Project Sizing

In virtually all project methodologies, there are a number of elements to be addressed to ensure that all participants, and the target audience, understand and are in agreement about the project. These elements include:

• Background
• Purpose
• Scope
• Constraints

[...]

[...] • The importance of risk management practices and tools to identify, rate, and reduce the risk to specific [...]

Posted on: 25/03/2014, 11:55


Table of contents

  • table of contents .pdf

  • OfficialGuide_C01.pdf

    • Table of Contents

    • Chapter 1

      • Information Security Management

        • Introduction

        • 1.1 Purposes of Information Security Management

          • Concepts: Availability, Integrity, Confidentiality

          • 1.2 Risk Analysis and Assessment

            • Information Protection Requirements

            • Information Protection Environment

            • Security Technology and Tools

            • Assurance, Trust, and Confidence Mechanisms

            • Information Protection and Management Services

            • 1.3 Information Classification

              • Information Protection Requirements

              • Information Protection Environment

              • Security Technology and Tools

              • Assurance, Trust, and Confidence Mechanisms

              • Information Protection and Management Services

              • 1.4 Policies, Procedures, Standards, Baselines, Guidelines

                • Information Protection Requirements

                • Information Protection Environment

                • Security Technology and Tools

                • Information Protection Requirements

                • 1.5 Setting the Goal

                  • Information Protection Environment

                  • 1.6 Social Engineering
