Page 175 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
Determining which mechanism to employ is based on the culture of
the organization and the types of risks and assets involved. It is
common for several methods to be employed simultaneously and their
results compared and contrasted in the final risk analysis report to
upper management.
Scenarios
The basic process for all these mechanisms involves the creation of
scenarios. A scenario is a written description of a single major threat.
The description focuses on how a threat would be instigated and what
effects its occurrence could have on the organization, the IT
infrastructure, and specific assets. Generally, the scenarios are limited
to one page of text to keep them manageable. For each scenario, one or
more safeguards are described that would completely or partially
protect against the major threat discussed in the scenario. The analysis
participants then assign to the scenario a threat level, a loss potential,
and the advantages of each safeguard. These assignments can be
grossly simple—such as High, Medium, and Low or a basic number
scale of 1 to 10—or they can be detailed essay responses. The responses
from all participants are then compiled into a single report that is
presented to upper management. For examples of reference ratings
and levels, please see Table 3-6 and Table 3-7 in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-30:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
The usefulness and validity of a qualitative risk analysis improves as
the number and diversity of the participants in the evaluation
increases. Whenever possible, include one or more people from each
level of the organizational hierarchy, from upper management to end
user. It is also important to include a cross section from each major

