5.2 Risk Management Flashcards

1
Q

Risk identification

A

* The only certainty is uncertainty
– Risk management helps to understand potential risks
– Identify weaknesses before they become an issue
* An important part of any organization
– Growth brings risk
– It’s useful to get ahead of any potential problems
* Risk management
– Manage potential risk
– Qualify internal and external threats
– Risk analysis helps plan for contingencies

2
Q

Performing a risk assessment

A

* Not all risk requires constant evaluation
– Or it might be required to always assess the amount of risk
* One-time
– The assessment may be part of a one-time project
– Company acquisition, new equipment installation, unique new security threats, etc.
* Continuous assessments
– May be part of an existing process
– Change control requires a risk assessment as part of the change

3
Q

Ad hoc assessments

A

* An organization may not have a formal risk assessment process
– Perform an assessment when the situation requires
* CEO is back from a conference
– Wants to know if the organization is protected from a new attack type
* A committee is created and the risk assessment proceeds
– Once the assessment is complete, the committee is disbanded
– There may not be a need to investigate this specific risk again

4
Q

Recurring assessments

A

* Recurring assessments
– The evaluation occurs on standard intervals
* An internal assessment
– Performed every three months at the beginning of the quarter
* A mandated risk assessment
– Required by certain organizations
– Some legal requirements will mandate an assessment
– PCI DSS requires annual risk assessments

5
Q

Qualitative risk assessment

A

* Identify significant risk factors
– Ask opinions about the significance
– Display visually with traffic light grid or similar method
* Quantitative risk assessment
* ARO (Annualized Rate of Occurrence)
– How likely is it that a hurricane will hit? In Montana? In Florida?
* Asset value (AV)
– The value of the asset to the organization
– Includes the cost of the asset, the effect on company sales, potential regulatory fines, etc.
* Exposure factor (EF)
– The percentage of the value lost due to an incident
– Losing a quarter of the value is .25
– Losing the entire asset is 1.0
* SLE (Single Loss Expectancy)
– What is the monetary loss if a single event occurs?
– Asset value (AV) x Exposure factor (EF)
– Laptop stolen = $1,000 (AV) x 1.0 (EF) = $1,000 (SLE)
* ALE (Annualized Loss Expectancy)
– ARO x SLE
– Seven laptops stolen a year (ARO) x $1,000 (SLE) = $7,000
* The business impact can be more than monetary
– Quantitative vs. qualitative

6
Q

Impact

A

* Life
– The most important consideration
* Property
– The risk to buildings and assets
* Safety
– Some environments are too dangerous to work in
* Finance
– The resulting financial cost
* Reputation
– An event can cause status or character problems

7
Q

Likelihood and probability

A

* Risk likelihood
– A qualitative measurement of risk
– Rare, possible, almost certain, etc.
* Risk probability
– A quantitative measurement of risk
– A statistical measurement
– Can be based on historical performance
* Often considered similar in scope
– Can be used interchangeably in casual conversation

8
Q

Risk appetite and tolerance

A

* Risk appetite
– A broad description of risk-taking deemed acceptable
– The amount of accepted risk before taking any action to reduce that risk
* Risk appetite posture
– Qualitative description for readiness to take risk
– Conservative, neutral, and expansionary
* Risk tolerance
– An acceptable variance (usually larger) from the risk appetite
* Risk appetite
– A highway’s speed limit
– Government authorities have set the speed limit
– The limit is an acceptable balance between safety and convenience
* Risk tolerance
– Drivers will be ticketed when the speed limit is violated
– Ticketing usually occurs well above the posted limit
– This tolerance can change with road conditions, weather, traffic, etc.

9
Q

Risk register

A

* Every project has a plan, but also has risk
– Identify and document the risk associated with each step
– Apply possible solutions to the identified risks
– Monitor the results
* Key risk indicators
– Identify risks that could impact the organization
* Risk owners
– Each indicator is assigned someone to manage the risk
* Risk threshold
– The cost of mitigation is at least equal to the value gained by mitigation

10
Q

Risk management strategies

A

* Transfer
– Move the risk to another party
– Buy some cybersecurity insurance
* Accept
– A business decision; we’ll take the risk!
– This is often the usual course
* Accept with exemption
– A security policy or regulation cannot be followed
– May be based on available security controls, size of the organization, total assets, etc.
– Exemption may need approval
* Accept with exception
– Internal security policies are not applied
– Monthly security updates must be applied within 3 calendar days
– The monthly updates cause a critical software package to crash
– An exception is made to the update timeframe
* Avoid
– Stop participating in a high-risk activity
– This effectively removes the risk
* Mitigate
– Decrease the risk level
– Invest in security systems

11
Q

Risk reporting

A

* A formal document
– Identifies risks
– Detailed information for each risk
* Usually created for senior management
– Make decisions regarding resources, budgeting, additional security tasks
* Commonly includes critical and emerging risks
– The most important considerations

12
Q

Recovery

A

* Recovery time objective (RTO)
– Get up and running quickly
– Get back to a particular service level
– You’re not up and running until the database and web server are operational
– How long did that take?
* Recovery point objective (RPO)
– How much data loss is acceptable?
– Bring the system back online; how far back does data go?
– The database is up, but only provides the last twelve months of data
* Mean time to repair (MTTR)
– Average time required to fix an issue
– This includes time spent diagnosing the problem
– An important metric for determining the cost and time associated with unplanned outages
* Mean time between failures (MTBF)
– The time between outages
– Can be used as a prediction or calculated based on historical performance
– Total uptime / number of breakdowns
– Statistically plan for possible outages
