5.4 Summarize risk management process and concepts Flashcards
Risk Types
Risk types can be broken down into six categories. Let's look at each of these in turn, starting with external risks.
External
There are many different external threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Their ability to attack depends on the sophistication of their tools, which in turn depends largely on their funding: a foreign government is well organized, well funded, and has many assets at its disposal. External risks also include environmental threats, such as fire and flood, and man-made threats, such as the accidental deletion of data.
Internal
One type of internal threat is the malicious insider: a threat actor inside the organization who, for instance, has been overlooked for promotion or is unhappy with their current salary. The other internal threat is human error, such as an employee accidentally deleting data.
Legacy Systems
The risk with legacy systems is that they may no longer have vendor support: the vendor has declared that the system has reached the end of its service life and there will be no more patches. As technology improves, so do the attack tools, and legacy systems may have limited or no protection against them.
Multiparty
This is where a contractor wins a contract and then sub-contracts parts of it to other companies, who in turn sub-contract again. This can mean many contractors being involved in a single contract, and if any one of them goes bankrupt, it can no longer provide its service, disrupting the company. Each party in the contract also needs security at least as strong as that of the customer and the main contractor, because an attacker can enter through the weakest link.
Example: A contract is awarded to us to build a row of houses. Water, gas, electricity, and roads may be contracted out to other agencies. Many different parties would be involved, and we could be attacked through anyone working in that supply chain.
Intellectual Property (IP) Theft
IP theft is the theft of your copyright material, trade secrets, or patents, and it results in a loss of revenue. The stolen data may be used in other countries where there is no legal route to recover it or seek damages. Data Loss Prevention (DLP) or document management systems help protect against this.
Software Compliance/Licensing
Software should only be purchased from reputable vendors to ensure that what is delivered is exactly what was ordered. Software purchased elsewhere may be unlicensed, which can lead to a regulatory fine, or it may contain malware. A further risk is that employees install more copies of company-purchased software than the number of licenses you hold, sometimes for personal use. This is called a license compliance violation.
Exam Tip
IP theft can take your patents, trade secrets, and copyright material to a country where you cannot mount a legal challenge, and from there your products can be manufactured.
Risk Management Strategies
In risk treatment, the risk owner, who is the person best placed to classify an asset, looks at each individual risk and decides what action will best reduce it for the company. The risk is then recorded in the company's risk register so that it can be monitored. New risks should be added to the risk register immediately, and the register should be reviewed at least every six months, because risks change as quickly as technology does. Let's look at the risk management strategies, starting with risk acceptance.
Risk Acceptance
This entails evaluating the risk and then deciding not to take any action because you believe that the probability of it happening is very low or that the impact is low. For example, if my company premises were in Scotland and I was quoted $1,000 a year to insure the building against earthquakes, I would decline the insurance and accept the risk, because Scotland last had an earthquake in 1986 at magnitude 2.0, which is generally not felt.
Risk Transference
Risk transference is where you decide that the risk is too great to carry yourself and offload the responsibility for it to a third party, for example through insurance or by outsourcing an IT function. For example, I purchase a car and decide that there is a high risk of someone crashing into it, so I take out car insurance to transfer that risk to the insurance company. The car is insured, but I am still the owner. Companies are now taking out cybersecurity insurance to cover financial loss due to cyberattacks, legal fees from lawsuits, and the cost of employing a private investigator to trace the criminal.
Cybersecurity insurance
Cybersecurity insurance helps protect businesses and individuals from losses caused by cybersecurity incidents such as data breaches and network damage. Traditional insurance policies often exclude cybersecurity risks such as loss of data or extortion by criminals using ransomware, so organizations purchase cybersecurity insurance to cover the gaps left by their traditional policies.
Risk Mitigation
Risk mitigation is where you evaluate a risk, decide that as it stands it would result in financial loss, loss of service, or exposure to attack, and then put a control in place to reduce it. For example, if you leave your home in the morning with the door open, someone may enter and take your possessions; you mitigate the risk by closing and locking the door. Another example: you purchase 50 new laptops for your company with software installed but no anti-virus software. There is a high risk of malware infection, so you mitigate the risk by installing anti-virus software on all the laptops. Risk mitigation is carried out through controls, in this case a technical control.
Risk Analysis
Risk analysis is the use of techniques to analyze risks so that you have an overall picture of the risks your company may face. Let's look at each of these techniques in turn, starting with the risk register:
Exam Tip
Insurance of any kind, whether it is for a car or cybersecurity, is risk transference.
Risk Register
When we look at the overall risk for a company, we use a risk register. This is a list of all of the risks that the company could face. The risk to the finance department will be assessed by the financial director, and IT-related risk will be assessed by the IT manager. Each department identifies its assets, classifies them, and decides on the risk treatment. The financial director and IT manager are known as risk owners; they are responsible for the risk. The risk register must be reviewed and updated regularly to remain effective.
Risk Matrix/Heat Map
A risk matrix is used to get a visual representation of the risks affecting a company. The heat map shows the severity of each risk, with the most severe risks shown in red.
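The following is an added example, not code from the original flashcards. It shows how a small risk register is scored on a 5x5 likelihood-by-impact matrix, how each score falls into a heat-map band, how a default treatment (accept, mitigate, transfer) follows from the band, and how the register renders as a text heat map. The scales, the colour thresholds, the treatment rule and the register entries are all constructed assumptions for illustration; a real organisation sets its own.

```python
"""Risk register scoring and a text heat map (added example, not from the page).

Assumptions (constructed for illustration): 1..5 ordinal scales for likelihood
and impact, score = likelihood * impact, bands red >= 15, amber >= 8, else green,
and a default treatment per band that the risk owner can override.
"""
from dataclasses import dataclass

# Ordinal scales of a 5x5 matrix (assumed values, not from the flashcards).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    rid: str            # register identifier (constructed)
    description: str
    owner: str          # the risk owner, e.g. the IT manager or financial director
    likelihood: str     # key of LIKELIHOOD
    impact: str         # key of IMPACT
    treatment: str = ""  # accept / mitigate / transfer, as decided by the owner

    @property
    def score(self) -> int:
        """Inherent risk score, 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def band(score: int) -> str:
    """Heat-map colour band for a score (thresholds are assumed)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def suggest_treatment(risk: Risk) -> str:
    """Default treatment by band; green is accepted, red is mitigated or transferred."""
    b = band(risk.score)
    if b == "green":
        return "accept"
    if b == "amber":
        return "mitigate"
    return "mitigate or transfer"


def rank(register: list[Risk]) -> list[Risk]:
    """Register ordered from the most to the least severe risk."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def heat_map(register: list[Risk]) -> str:
    """5x5 text matrix: rows are likelihood (L5 at the top), columns are impact.

    Each cell shows its band initial (R/A/G) and the risk IDs placed in it.
    """
    placed: dict[tuple[int, int], list[str]] = {}
    for r in register:
        placed.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.rid)
    rows = []
    for l in range(5, 0, -1):
        cells = []
        for i in range(1, 6):
            label = ",".join(placed.get((l, i), [])) or "-"
            cells.append(f"{band(l * i)[0].upper()}:{label:<11}")
        rows.append(f"L{l} | " + " ".join(cells))
    rows.append("     " + " ".join(f"I{i}{'':<12}" for i in range(1, 6)))
    return "\n".join(rows)


# Constructed sample register mirroring the risk types discussed on the page.
REGISTER = [
    Risk("R-001", "Unsupported legacy file server (vendor end of life)", "IT manager", "likely", "major"),
    Risk("R-002", "Sub-contractor insolvency disrupts the build", "Operations director", "possible", "moderate"),
    Risk("R-003", "Earthquake damage to the Scottish office", "Facilities manager", "rare", "minor"),
    Risk("R-004", "Ransomware on laptops shipped without anti-virus", "IT manager", "likely", "severe"),
    Risk("R-005", "More installed copies than purchased licences", "Financial director", "possible", "minor"),
]


if __name__ == "__main__":
    for r in rank(REGISTER):
        r.treatment = suggest_treatment(r)
        print(f"{r.rid} score={r.score:2d} {band(r.score):5s} {r.treatment:21s} owner={r.owner}")
    print(heat_map(REGISTER))
```

Running the block ranks R-004 (likely, severe, score 20) and R-001 (score 16) into the red band, R-002 into amber, and R-003 and R-005 into green, which is the order in which the risk owners would be asked to decide on treatment.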
Risk Control Assessment
This occurs when a company checks that the risk controls it has in place are still effective as technology changes.
Risk Control Self-Assessment
This is a process in which management holds a meeting with employees, or sends out a survey, and encourages them to evaluate the existing risk controls, decide whether those controls are still adequate, and report back to management. This is a bottom-up approach.
Risk Awareness
This is the process of making all employees aware of risk and motivating them to take responsibility for identifying risks and recommending to management how those risks can be reduced.