10: 2 Risk Management Flashcards
Risk Management
Systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately
Risk Management Strategies (4)
Avoidance, Transference, Mitigation, or Acceptance
Risk Avoidance
Change the organization’s business practice so the risk can no longer affect the business
Risk Transference
Shifting the impact of a risk to another organization (e.g. insurance)
Risk Mitigation
Reduces the likelihood or impact of a risk
Risk Acceptance
Accept the risk without taking further action
Risk Profile
Full set of risks facing an organization
Inherent Risk
Risk that exists without any controls in place
Residual Risk
Risk that exists after a control has been implemented
Control Risk
New risk introduced by implementing a control
Security Controls
Procedures and mechanisms that an organization puts in place to manage security risks
Defense in Depth
More than one control used to achieve a single security objective, so that no single control failure exposes it
Preventive Control
Goal is to stop an issue from occurring in the first place (firewall)
Detective Control
Identify that a potential security issue has taken place (intrusion detection system)
Corrective Control
Remediate security issues that have already occurred (restoring from backup)
Deterrent Control
Discourage an attacker from seeking to violate security policies
Physical Controls
Impact the physical world (e.g. locks, fences, guards)
Compensating Control
Fill a known gap in a security environment
Technical Controls
Use of technology to achieve security objectives
Operational Controls
Use human-driven processes to manage technology in a secure manner
Management Controls
Improve the security of the risk management process itself
Risk Control Assessment timespan
Single Point in Time
Control Assessment
Test control effectiveness
Measuring Control effectiveness
Compromised end-user accounts, vulnerabilities in public-facing systems, critical findings in scans, data breaches requiring notification
Risk Management Framework
Provides proven, time-tested techniques for risk management
NIST SP 800-37
Risk Management Framework - widely adopted by organizations
6 Steps in Managing Risk
Categorize, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information Systems, Monitor Security Controls
1) Categorize Information System
Gather information in two categories (technology architecture and organizational inputs)
Control Frameworks
Guide Security Program Design
COBIT
Control Objectives for IT - business-focused control framework
ISO 27001
Covers cybersecurity control objectives
ISO 27002
Covers cybersecurity control implementations
ISO 27701
Covers Privacy Controls
ISO 31000
Covers risk management program guidance
NIST 800-53
Mandatory for Federal Agencies
NIST Cybersecurity Framework
Provides a common language for cybersecurity risk, helps identify and prioritize actions, aligns security actions across control types
Risk Register
Maintains risk visibility by tracking risk information
Risk Register Contents
Description, Category, Probability and Impact, Risk Rating
Risk Register Information Sources
Risk Assessment Results, Audit Findings, Team Member Outputs, Threat Intelligence
Threat Intelligence
Sharing of threat knowledge across organizations, may be used both strategically and operationally
Risk Matrix
Quickly summarizes risks by probability and impact using a color scheme
Data Controller
Determines the reasons for processing personal information and directs the methods of processing
Data processor
Service providers that process personal information on behalf of a data controller
Data owner
Business leaders with overall responsibility for the data - sets policies and guidelines
Data steward
Handles the day-to-day data governance activities
Data Custodian
Stores and processes information, often IT staff members
DPO
Data Protection Officer