5.4 Summarize risk management process and concepts Flashcards

1
Q

Risk Types

A

Risk types can be broken down into six categories. Let’s now look at each of these in turn, starting with external risks.

2
Q

External

A

There are many different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Their ability to attack depends on the level of sophistication of their tools, and this is very much dependent on how much funding they have. If it is a foreign government, they are well organized and well-funded and have many assets at their disposal. There are also external environmental threats, such as fire and floods, and man-made threats, such as the accidental deletion of data or lasers.

3
Q

Internal

A

One type of internal threat is a malicious insider; that is, a threat actor who, for instance, has been overlooked for promotion or is not happy with their current salary. The other internal threat is human error, which is when data is accidentally deleted.

4
Q

Legacy Systems

A

The risk with legacy systems is that they might not have any vendor support because the vendor has deemed that the system has reached the end of its service life and there will be no more patches. As technologies improve, so do the hacking tools, and the legacy systems may have limited or no protection against them.

5
Q

Multiparty

A

This is where a contractor wins a contract and then sub-contracts some parts of the contract to other companies, who in turn subcontract again. This can mean many contractors being involved in a single contract, and if any of them becomes bankrupt, they can no longer provide that service, causing disruption to the company. Each party in the contract needs to ensure that their security is as strong as that of the customer and the main contractor.

Example: A contract is awarded to us to build a row of houses. Water, gas, electricity, and roads may be contracted out to other agencies. Many different parties would be involved, and we could be attacked by anyone working in the supply chain.

6
Q

Intellectual Property (IP) Theft

A

IP theft is the theft of your copyright material, trade secrets, and patents, resulting in a loss of revenue. The stolen data could be used in other countries where a legal route to recover your data or seek damages is impossible. We should use Data Loss Protection (DLP) or document management systems to protect against this.

7
Q

Software Compliance/Licensing

A

Software should only be purchased from reputable vendors to ensure that the software purchased is exactly what was ordered. Software purchased elsewhere may not be licensed, which would lead to a regulatory fine, or the software itself may contain malware and attack you. One of the risks to your company is that employees may use more copies of the company-purchased software than the number of licenses that you purchased, sometimes for personal use. This is called a license compliance violation.

Exam Tip

IP theft can steal your patents, secrets, and copyright material, and these can be taken to a country where you cannot mount a legal challenge. From there, they can manufacture your products.

8
Q

Risk Management Strategies

A

In risk treatment, the risk owner, who is the best person to classify an asset, looks at each individual risk and decides what action is best to reduce the risk to the company. The risk is then included in the company’s risk register so that it can be monitored. New risks should be recorded in the risk register immediately, and the risk register should be reviewed every 6 months because risks change as frequently as technology changes. Let’s look at risk management strategies, starting with risk acceptance.

9
Q

Risk Acceptance

A

This entails evaluating the risk and then deciding not to take any action as you believe that the probability of it happening is very low or that the impact is low. For example, say I had company premises in Scotland and I was quoted $1,000 a year to insure the building against earthquakes. I would not take the insurance and would accept the risk as Scotland last had an earthquake in 1986, and the magnitude was 2.0, which means it was generally not felt.

10
Q

Risk Transference

A

Risk transference is where you decide that the risk is great and you want to offload the responsibility to a third party. This could be insurance or outsourcing any of your IT functions. For example, say I purchase a car and decide that there is a high risk of someone crashing into the car, so I take out car insurance to transfer the risk to the insurance company. The car is insured, but I am still the owner. Companies are now taking out cybersecurity insurance that would cover financial loss due to cyberattacks, legal fees due to lawsuits, and the ability to employ a private investigator to catch the criminal.

11
Q

Cybersecurity insurance

A

Cybersecurity insurance helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage. Traditional insurance policies often exclude cybersecurity risks such as the loss of data or extortion from criminals using ransomware. Organizations purchase cybersecurity insurance to cover the gaps left by traditional insurance.

12
Q

Risk Mitigation

A

Risk mitigation is where you evaluate the risk and decide whether or not the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack. For example, say you leave your home in the morning to go to work – if you leave the door open, someone could enter your property and take some of your possessions. You adopt risk mitigation by closing and locking the door. Another example: you purchase 50 new laptops for your company with software installed, but there is no anti-virus software. There is a high risk that you could encounter a virus; therefore, you decide to mitigate the risk by installing anti-virus software on all laptops. Risk mitigation is a technical control.

13
Q

Risk Analysis

A

Risk analysis is the use of techniques to analyze risks so that you have an overall picture of the risks that your company may face. Let’s look at each of these in turn, starting with the risk register:

Exam Tip

Insurance of any kind, whether it is for a car or cybersecurity, is risk transference.

14
Q

Risk Register

A

When we look at the overall risk for a company, we use a risk register. This is a list of all of the risks that a company could face. The risk to the finance department will be assessed by the financial director, and IT-related risk would be looked at by the IT manager. Each department can identify the assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners – they are responsible for the risk. The risk register must be updated on an annual basis to make it effective.

15
Q

Risk Matrix/Heat Map

A

A risk matrix is used to get a visual representation of the risks affecting a company. The heat map shows the severity of each risk, with the most severe risks shown in red.

16
Q

Risk Control Assessment

A

This occurs when a company checks that the risk controls that they have in place are still effective with changing technology.

17
Q

Risk Control Self-Assessment

A

This is a process in which all company employees take part in a meeting or respond to a survey. Management encourages the employees to evaluate the existing risk controls, decide whether those controls are adequate, and report back to management. This is a bottom-up approach.

18
Q

Risk Awareness

A

This is the process of making all employees aware of the risk and motivating them to take responsibility for looking at risks and making recommendations to management on how to reduce those risks.

19
Q

Inherent Risk/Residual Risk

A

Inherent risk is the raw risk, prior to any risk mitigation strategies being implemented. Residual risk is the amount of risk remaining after you mitigate the risk. Remember that you cannot eliminate risk completely.

20
Q

Control Risk

A

This is where a risk control is measured after it has been in place for some time, to evaluate whether it is still effective.

21
Q

Risk Appetite

A

This is the amount of risk mitigation that a company is willing to do so that they can be compliant with current regulations and also be protected.

22
Q

Regulations that affect risk posture

A

Regulations that affect risk posture include the EU General Data Protection Regulation (GDPR), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

23
Q

Risk Assessment Types

A

There are two risk assessment types: qualitative and quantitative. Let’s look at each of these in turn.

24
Q

Qualitative Risk Analysis

A

A qualitative risk analysis is where the risk is identified as a high, medium, or low risk. As a mnemonic, the word qualitative starts with most of the word quality.

25
Q

Quantitative Risk Analysis

A

A quantitative risk analysis is where you look at the high qualitative risks and give them a numeric value so that you can associate them with a cost for the risk. This is calculated by multiplying the probability by the impact of the risk. Probability is sometimes known as likelihood. As a mnemonic, the word quantitative starts with most of the word quantity.

26
Q

Impact

A

Impact is the magnitude of harm resulting from a risk. It includes the negative results of an event, such as the loss of confidentiality, integrity, or availability of a system or data.

27
Q

Asset value

A

The asset value is an important element in a quantitative risk assessment. It may include the revenue value or replacement value of an asset. A web server may generate $10,000 in revenue per hour. If the web server fails, the company will lose $10,000 in direct sales each hour it’s down, plus the cost to repair it. It can also result in the loss of future business if customers take their business elsewhere. In contrast, a library workstation’s failure may cost a maximum of $1,000 to replace.

28
Q

Single Loss Expectancy (SLE)

A

The SLE is to do with the loss of one item. For example, if my laptop is worth $1,000 and I lose it while traveling, then my SLE would be $1,000.

29
Q

Annualized Rate of Occurrence (ARO)

A

The ARO is the number of times that an item has been lost in a year. If an IT team loses six laptops in a year, the ARO would be six.

30
Q

Annualized Loss Expectancy (ALE)

A

The ALE is calculated by multiplying the SLE by the ARO – in the previous examples, we have $1,000 x 6 = $6,000. The ALE is the expected total loss in a year.

31
Q

Disasters

A

There are different types of disasters that pose a risk to companies. Let’s look at these, starting with environmental threats.

32
Q

Environmental Threat

A

This threat is based on environmental factors, for example, the likelihood of a flood, hurricane, or tornado. If you live in Florida, there is a peak season for hurricanes from mid-August to October. However, if you live in Scotland, hurricanes are very infrequent. Florida has a high risk of having a hurricane, whereas Scotland would be extremely low risk.

33
Q

Man-Made Threat

A

This is a human threat – it could be a malicious insider attack, where an employee deliberately deletes data, or it could just be an accidental deletion by an incompetent member of staff. Lasers and bombs are also man-made threats.

34
Q

Internal Threat versus External Threat

A

An internal risk could be a flood, power failure, or maybe internal structural damage to a building. An external risk could be threat actors or natural disasters such as an earthquake or hurricanes.

35
Q

Business Impact Analysis

A

Business Impact Analysis (BIA) is the process of looking into disasters and calculating the loss of sales, regulatory fines, and the purchase of new equipment. BIA looks at financial loss following a disaster.

36
Q

Recovery Time Objective (RTO)

A

The RTO is the time within which a company needs to be returned to an operational state. In the RPO scenario (see the RPO card), we would like the RTO to be before 16:00. If the RTO is beyond 16:00, then once again it has an adverse effect on the business.

Exam Tip

The most important factor that an auditor will look at when assessing BIA is the single point of failure. They will also take the RPO and RTO into consideration.

37
Q

Recovery Point Objective (RPO)

A

The RPO is how long a company can last without its data before the lack of data starts to affect operations. This is also known as acceptable downtime; if a company agrees that it can be without data for 3 hours, then the RPO is 3 hours. If the IT systems in a company suffer a loss of service at 13:00, then the RPO would be 16:00. Any repair beyond that time would have a negative impact on the business as the company cannot operate without its data beyond that point.

38
Q

Mean Time to Repair (MTTR)

A

The MTTR is the average amount of time it takes to repair a system. If my car breaks down at 14:00 and it was repaired at 16:00, the MTTR would be 2 hours.

39
Q

Mean Time Between Failures (MTBF)

A

The MTBF shows the reliability of a system. If I purchased a new car for $50,000 on January 1 and it then broke down on January 2, 4, 6, and 8, I would take it back to the garage, as the MTBF would be very low. For $50,000, I want a more reliable car. MTBF measures reliability.

40
Q

Functional Recovery Plans

A

Functional recovery plans use structured walkthroughs, tabletop exercises, and simulations.

41
Q

Single Point of Failure

A

A single point of failure is any single component whose failure would prevent a company from remaining operational. This is one of the most critical aspects of BIA.

42
Q

Disaster Recovery Plan (DRP)

A

There are many different types of disasters and there needs to be a DRP for each of them to recover from a failure as quickly as possible. Any downtime will have a financial impact on a company.

43
Q

Mission Essential Functions/Identification of Critical Systems

A

When we look at BIA as a whole, we have to see what the company’s mission-essential functions are; for example, an airline depends heavily on its website to sell airline tickets. If this was to fail, it would result in a loss of revenue. Critical systems for the airline would be the server that the website was placed on and its ability to contact a backend database server, such as SQL, that holds ticketing information, processes credit card transactions, and contains the order history for each customer.

44
Q

Identification of critical systems

A

A business impact analysis (BIA) is an important part of a business continuity plan (BCP). It helps an organization identify the critical systems and components that are essential to the organization’s success. These critical systems support mission-essential functions. Mission-essential functions are the activities that must continue or be restored quickly after a disaster.

45
Q

Site Risk Assessment

A

This is an assessment of all of the risks and hazards that could occur on a construction site. These could include the spillage of chemicals, power outages, floods, fires, and earthquakes. The site losing its health and safety certificate should also be considered a site risk.

Exam Tip

When purchasing a new system, the MTBF measures the reliability of the system. You might also seek a system with a low MTTR so that it is reliable and can be repaired quickly.