5.4 Risk Management Processes Flashcards
carried out to formally identify hazards or risks to employees and others when carrying out a task. This helps the employer put adequate measures in place to protect people from harm. But the importance of risk assessments goes beyond the fact that they’re a legal requirement.
• Identify assets that could be affected by an attack
– Define the risk associated with each asset
– Hardware, customer data, intellectual property
• Identify threats
– Loss of data, disruption of services, etc.
• Determine the risk - High, medium, or low risk
• Assess the total risk to the organization
– Make future security plans
Risk assessment
• External threats
– Outside the organization
– Hacker groups, former employees
• Internal threats
– Employees and partners
– Disgruntled employees
• Legacy systems
– Outdated, older technologies
– May not be supported by the manufacturer
– May not have security updates
– Depending on the age, may not be easily accessible
• Intellectual Property (IP) theft
– Theft of ideas, inventions, and creative expressions
– Human error, hacking, employees with access, etc.
– Identify and protect IP
– Educate employees and increase security
• Software compliance/licensing
– Operational risk with too few licenses
– Financial risk with budgeting and over-allocated licenses
– Legal risk if proper licensing is not followed
Risk assessments - types
• Breaches involving multiple parties
– Often trusted business relationships
– Events often involve many different parties
• May 2019 - American Medical Collection Agency
– Provided debt collection for many different organizations
– Data breach disclosed personal information on 24 million individuals
– Twenty-three healthcare organizations affected by this single breach
– A single breach can cause a ripple effect
Multi-party risk
• Acceptance
– A business decision; we’ll take the risk!
• Risk-avoidance
– Stop participating in a high-risk activity
• Transference
– Buy some cybersecurity insurance
• Mitigation
– Decrease the risk level
– Invest in security systems
Risk management strategies
Evaluating risk is making a decision about its severity and ways to manage it.
• Risk register - a table of project risks that allows you to track each identified risk and any vital information about it. Standard columns included in a project risk register are an identification number (to quickly refer to or identify each risk) and a name or brief description of the risk.
– Every project has a plan, but also has risk
– Identify and document the risk associated with each step
– Apply possible solutions to the identified risks
– Monitor the results
• Risk matrix / risk heat map - a tool that is normally used to assess the level of risk and assist the decision-making process. It takes into consideration the category of probability, or likelihood, against the category of consequence severity. The risk map itself is a data visualization tool for communicating specific risks an organization faces; it helps companies identify and prioritize the risks associated with their business.
– View the results of the risk assessment
– Visually identify risk based on color
– Combines the likelihood of an event with the potential impact
– Assists with making strategic decisions
Evaluating risk
[this] model - a conceptual tool applied by auditors to evaluate and manage the various risks arising from performing an audit engagement. The tool helps the auditor decide on the types of evidence and how much is needed for each relevant assertion.
• Inherent risk - the inherent probability that a cybersecurity event may occur as a result of a lack of countermeasures.
– Impact + Likelihood
– Risk that exists in the absence of controls
– Some models include the existing set of controls
• Residual risk - the risk that remains after efforts to identify and eliminate some or all types of risk have been made.
– Inherent risk + control effectiveness
– Risk that exists after controls are considered
– Some models base it on including additional controls
• Risk appetite - the amount of risk an organization is willing to take in pursuit of objectives it deems have value. Risk appetite can also be described as an organization’s risk capacity, or the maximum amount of residual risk it will accept after controls and other measures have been put in place.
– The amount of risk an organization is willing to take
Audit risk model
Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or eliminate such threats. It is a technique that utilizes findings from risk assessments.
Risk control assessment
• Risk has been determined
– Heat maps have been created
• Time to build cybersecurity requirements
– Based on the identified risks
• Find the gap
– Often requires a formal audit
– Self-assessments may be an option
• Build and maintain security systems based on the requirements
– The organizational risk determines the proper controls
• Determine if existing controls are compliant or noncompliant
– Make plans to bring everything into compliance
Risk control assessment
the raising of understanding within the population of what risks exist, their potential impacts, and how they are managed.
• A constantly changing battlefield
– New risks, emerging risks
– A nearly overwhelming amount of information
– Difficult to manage a defense
• Knowledge is key
– Part of every employee’s daily job role
– Part of the onboarding process for employees and partners
• Maintaining awareness
– Ongoing group discussions
– Presentations from law enforcement
– Attend security conferences and programs
Risk awareness
Regulations that affect risk posture
• Many of them
– Regulations tend to regulate
• Regulations directly associated with cybersecurity
– Protection of personal information, disclosure of information breaches
– Require a minimum level of information security
• HIPAA - Health Insurance Portability and Accountability Act
– Privacy of patient records
– New storage requirements, network security, protect against threats
• GDPR - General Data Protection Regulation
– European Union data protection and privacy
– Personal data must be protected and managed for privacy
Regulations that affect risk posture
based more on subjectivity and the knowledge of the assessor
• Identify significant risk factors
– Ask opinions about the significance
– Display visually with a traffic light grid or similar method
Qualitative risk assessment
a formal and systematic method using measurable, objective data to determine an asset’s value, the probability of loss and other associated risks.
• Likelihood
– Annualized Rate of Occurrence (ARO)
– How likely is it that a hurricane will hit? In Montana? In Florida?
• SLE (Single Loss Expectancy)
– What is the monetary loss if a single event occurs?
– Laptop stolen (asset value or AV) = $1,000
• ALE (Annualized Loss Expectancy)
– ARO x SLE
– Seven laptops stolen a year (ARO) x $1,000 (SLE) = $7,000
• The business impact can be more than monetary
– Quantitative vs. qualitative
Quantitative risk assessment
• Environmental threats
– Tornado, hurricane, earthquake, severe weather
• Person-made threats
– Human intent, negligence, or error
– Arson, crime, civil disorder, fires, riots, etc.
• Internal and external
– Internal threats are from employees
– External threats are from outside the organization
Disaster types
an organization's method of regaining access and functionality to its IT infrastructure after events like a natural disaster, cyber attack, or even business disruptions
• Recovery time objective (RTO)
– Get up and running quickly
– Get back to a particular service level
• Recovery point objective (RPO)
– How much data loss is acceptable?
– Bring the system back online; how far back does data go?
• Mean time to repair (MTTR)
– Time required to fix the issue
• Mean time between failures (MTBF)
– Predict the time between outages
Recovery
In conjunction with the business continuity plan, businesses should develop IT disaster recovery plans in the event IT systems stop functioning. The recovery strategies should aim at restoring data, applications and hardware in time to meet the needs of the recovery of business functions.
• Recover from an outage
– Step-by-step guide
• Contact information
– Someone is on-call
– Keep everyone up to date
• Technical process
– Reference the knowledge base
– Follow the internal processes
• Recover and test
– Confirm normal operation
Functional recovery plans
a potential risk posed by a flaw in the design, implementation or configuration of a circuit or system. SPOF refers to one fault or malfunction that can cause an entire system to stop operating.
• A single event can ruin your day
– Unless you make some plans
• Network configuration
– Multiple devices (the “Noah’s Ark” of networking)
• Facility / Utilities
– Backup power, multiple cooling devices
• People / Location
– A good hurricane can disrupt personnel travel
• There’s no practical way to remove all points of failure
– Money drives redundancy
Removing single points of failure