Chapter 1: IT Risk Identification Flashcards
IT Risk Management Good Practices
- COBIT 5
- ISO/IEC 27005: 2011 - IT - Security techniques-Information security risk management
- ISO31000:2009- Risk Management Principles and Guidelines
- NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments
- NIST Special Publication 800-39: Managing Information Security Risk
Enumerate the ISO/IEC27005 Process Steps
- Context Establishment
- Risk Assessment
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Risk Treatment
- Risk Acceptance
- Risk Communication and Consultation
- Risk Monitoring and Review
The IT Risk Management program should be:
- Comprehensive
- Complete
- Auditable
- Justifiable
- Legal
- Monitored
- Up to date
- Managed
Ways to identify risk
- Historical or evidence-based methods
- Systematic approach (expert opinion)
- Inductive approach (theoretical analysis)
Enumerate the business related IT risk types
- Investment or expense risk
- Access or security risk
- Integrity risk
- Relevance risk
- Availability risk
- Infrastructure risk
- Project ownership risk
Investment or expense risk
Risk that the IT investment fails to provide value for money or is otherwise excessive or wasteful
Access or security risk
Risk that confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority
Integrity risk
Risk that data cannot be relied on because they are unauthorized, incomplete, or inaccurate
Relevance risk
Risk associated with not getting the right information to the right people at the right time to allow the right action to be taken
Availability risk
Risk of loss of service or risk that data are not available when needed
Infrastructure risk
Risk that the enterprise does not have an IT infrastructure and systems that can effectively support the current and future needs of the business in an efficient,cost - effective, and well-controlled fashion
Project ownership risk
Risk of IT projects failing to meet objectives due to lack of accountability and commitment
Challenges in conducting interviews:
- Exaggeration
2. Inaccuracies
Important detail to obtain during the interview
the level of impact that previous incidents have had on the organization including how the incident was handled, results of post incident review and root cause analysis and current status of any noted remediation activities from prior activities
Risk culture
Reflects the balance between weighing the negative, positive, and regulatory elements of risk
Risk culture elements
- Behavior toward taking risk
- Behavior toward policy compliance
- Behavior toward negative outcomes
Symptoms of inadequate or problematic risk culture
- Misalignment between real risk appetite and translation into policies
- Existence of a blame culture
Consequences of poor communication on risk:
- A false sense of confidence at all levels of the enterprise
- Lack of direction or strategic planning
- Unbalanced communication to the external world on risk
- The perception that the enterprise is trying to cover up known risk from stakeholders
IT Risk is…
the IT-enabled business risk that stems from the use of IT
Senior management support
An important part of the risk management process
Risk management depends on
business goals and objectives
What is a critical component of risk management?
History
Merger or acquisition results in
emergence of new risks that creates uncertainty and stress. This can further result in poor judgment or inappropriate actions by personnel
What influences the effectiveness of the risk management effort?
The positioning of risk management function within the organizational structure.
In a large organization, the organization of the risk management group should follow…
the same model and the organization of the business continuity management team
RACI
Responsible
Accountable
Consulted
Infromed
4 Main Types of Roles involved in the risk management process:
- Individuals responsible for managing risk
- Individuals accountable for the risk management effort
- Individuals who provide support and assistance to the risk management effort (consulted)
- Individuals who evaluate or monitor the effectiveness of the risk management effort
How does the RACI model help?
It can assist in outlining the roles and responsibilities of the various stakeholders. The purpose of the RACI model is to clearly show the relationships between the various stakeholders, the interaction between the stakeholders and the roles that each stakeholder plays in the successful completion of the risk management effort.
What is risk culture?
Set of shared values and beliefs that govern attitudes toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed.
Ethics are related to…
An individual’s perception of right and wrong and are not necessarily linked to the law
Ethics also applies to…
How people believe they have been treated
Failure to comply with regulations may result in…
Financial penalties or loss of a license to operate as well as damage to the reputation of the organization
To ensure compliance, an organization must…
Have the ability to monitor and measure controls in use
In cases where there is noncompliance,
A justification for the reasons of noncompliance should be provided
When risk is considered on a system-by-system or project-by-project basis,
The result is a spotty risk solution that has many individually good efforts but no consistency or interoperability among the risk solutions that are implemented
The risk practitioner must be sensitive to the following before recommending a risk management approach or framework
- local departmental cultures
- priorities
- regulations
- restraints
- goals
A critical part of establishing the risk management process is
The development and approval of a risk management policy
What is information security?
Protecting of information and information systems (including technology) from risk events
What is likelihood?
Likelihood = Probability. The measure of frequency of which an event may occur and is used to calculate the level of risk facing an organization based on the number of risk events that may occur within a time period and is often measured on an annual basis
What are the factors that can affect likelihood?
- volatility
- velocity
- proximity
- interdependency
- motivation
- skill
- visibility
What is the relation of volatility to risk?
Volatility=how much the situation varies. Varies greatly, harder to predict likelihood. Risk will be higher priority because of higher unpredictability (dynamic range)
What is risk velocity?
Speed of onset. A measure of how much prior warning and preparation time an organization may have between the event’s occurrence and impact. Can be split into speed of reaction and speed of recovery.
What is proximity?
The time from the even occurring and the impact on the organization
What is interdependency?
Consideration of risk in various combinations. Materialization of two or more risks and their impact on the organization.
What is the relation of motivation to risk?
More motivated attacker = higher risk
What is the relation of skill to risk?
More skillful attacker = higher risk
What is visibility?
How well known a vulnerability is
What is risk impact?
The calculation of the amount of loss or damage that an organization may incur due to a risk event
How is loss measured?
- quantitative
- semi quantitative
- qualitative
Risk management should be based on
Calculated actions and justified controls, not on emotion and perception
One method of calculating risk is evaluating the impact of the event on…
The confidentiality, integrity, and availability (CIA) of information or information systems
Risk associated with information system is primarily about
Business risk and the impact that the failure or compromise of a system or information would have on the overall business
The factors that affect the impact of an event may be measured in two ways:
- The impact due a compromise or loss of information
2. The impact due to the loss or compromise of an information system
What will evaluate the impact of a breach according to a range of levels?
Qualitative risk assessment approach
What is confidentiality?
The requirement to maintain the secrecy and privacy of data
What is a breach of confidentiality?
Improper disclosure of information to an unauthorized party
What are some factors that could lead to disclosure of data?
- improperly managed access controls
- social engineering
- aggregation of data
What does need to know mean?
It means that individuals are given access only to information that is needed in order for them to perform their job functions
What is least privilege?
Restriction of data access of an individual or process to only the minimum level of access needed to perform their functions
What is integrity?
The guarding against improper information modification, exclusion, or destruction and includes ensuring information nonrepudiation and authenticity
Maintaining integrity requires the protection of information from:
improper modification by internal authorized users, unauthorized users, or other processes or activities operating on the system
How is the authenticity of information protected?
By identifying the sources of the data and ensuring that it has not been tampered with or destroyed
What is authenticity?
Often called nonrepudiation. Ensures that a link can be made between an action and the source of the action
What is availability?
Providing timely and reliable access to information
How do you measure availability?
Using a gap analysis
Where is the required level of availability usually found?
In the BIA (business impact analysis)
What is Segregation of Duties?
The principle of ensuring that no one person controls an entire transaction or operation that could result to fraudulent acts or errors
How do you circumvent SOD?
Through collusion, when two people agree to bypass the SOD control
What is mutual exclusivity?
Means that a person cannot execute both parts of the same transaction
What is job rotation?
The process of cross-training and developing personnel with various skills that can step up when needed
What is secure state?
The principle that a transaction or process should be in and maintain a secure condition at all times as it goes through its various activities
Access control is usually addressed through the following concepts:
- identification
- authentication
- authorization
- accountability
How is identification performed?
Through checking of a user ID or other unique element that identifies a person or process
What is authentication?
The process of validating an identity and ensures that one person cannot spoof an identity or masquerade as or impersonate another user
What are the three methods of performing authentication?
- knowledge
- ownership
- characteristics
What is the risk in using knowledge (passwords)?
Passwords are often subject to replay attacks and can be learned by another user
What is the problem with using ownership (possession) for authentication?
Cost of installing the system, issuing the cards, and operating and maintaining the system
What is authorization?
The privileges or permissions the person will have in the system
What is temporal isolation?
A person’s authorization that is only granted for a period of time that the permissions are required
What is accountability/auditing?
This action logs or records all activity on a system and indicates the user ID responsible for the activity
What is identity management?
The process of managing identities of the entities requiring access to information or information systems
What is an asset?
Something of either tangible or intangible value that is worth protecting
What is an asset value?
An asset may be valued according to what another person would pay for it, or by its measure of value to the company
What is impact?
The magnitude of loss resulting from a threat exploiting a vulnerability
What is impact analysis?
A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods.
What is impact assessment?
A review of the possible consequences of a risk
What is likelihood?
The probability of something happening
What is threat?
Anything that is capable of acting against an asset in a manner that can cause harm
What is a threat agent?
Methods and things used to exploit a vulnerability
What is a threat analysis?
An evaluation of the type, scope, and nature of events and actions that can result in adverse consequences; identification of threats against an enterprise
What is a threat vector?
The path or route used by the adversary to gain access to the target
What is a vulnerability?
A weakness in the design, implementation, operation, or internal control of a process that could expose the system to threats from threat events
What is a vulnerability analysis?
Process of identifying and classifying vulnerabilities
What is a vulnerability scanning?
An automated process to proactively identify security weaknesses in a network or individual system
Risk is influenced more by
Lack of training than by lack of equipment
The risk environment includes:
- the context, criticality, and sensitivity of the system or process being reviewed
- the dependencies and requirements of the system or process being reviewed
- The operational procedures, configuration, and monitoring of the system or business process
- The training of users and administrators
- the effectiveness of the controls and monitoring of the system or business process
- the manner in which data and system components are decommissioned
Risk only occurs if
The adversary has intent (motivation) and capability
To implement a justifiable risk strategy, start with
Identifying the organization’s assets and determining the value of those assets
When calculating asset value, one technique is to base it on
Impact of a loss of CIA
What are contributing factors to calculating asset value?
- financial penalties for legal noncompliance
- impact on business processes
- damage to reputation
- additional costs of repair/replacement
- effect on third parties/ business partners
- injury to staff or other personnel
- violations of privacy
- breach of contracts
- loss of competitive advantage
- legal costs
Threats can be…
Intentional or unintentional
External or internal
Categories of threats
Physical Natural events Loss of essential services Disturbance due to radiation Compromise of information Technical failures Unauthorized actions Compromise of functions
What are sources of information on threats?
Service providers threat monitoring agencies Security companies Audits Management Business continuity Finance Insurance companies Product vendors Government publications Assessments Users Human resources Media
The trusted or malicious insider threat to an organization can be…
A current or former employee
Contractor
Business partner
Who has or had authorized access to an organization’s system, network, or data and intentionally infiltrated, interrupted, modified, or fabricated data on an organization’s information system
Samples of external threats
Espionage Theft Sabotage Terrorism Criminal acts Software errors Hardware flaws Mechanical failures Lost assets Data corruption Facility flaws Supply chain interruption Industrial accidents Disease Seismic activity Flooding Power surge / utility failure Severe storms
What are indications of emerging threats?
Unusual activity on a system, repeated alarms, slow system or network performance, new or excessive activity in logs
Why are new technologies a new threat source?
Because most technologies are built with an emphasis on function and purpose without due consideration for the security implications associated with the new technology
What are network vulnerabilities?
Related to misconfiguration of equipment, poor architecture, or traffic interception
(network equipment should be hardened to disable unneeded services, ports, or protocols)
Testing for physical security vulnerabilities include testing
Locks Security guards Fire suppression systems Heating ventilation Air conditioning controls Lighting Cameras Motion sensors
What are common application vulnerabilities?
Buffer overflows Logic flaws Injection attacks Bugs Incorrect control over user access
OWASP
Open Web Application Security Project
What are the different cloud deployment models?
Private
Public
Hybrid
Community
Characteristics of a private cloud
Operated solely for an enterprise
May be managed by the enterprise or a third party
May exist on or off premise
Characteristics of a public cloud
Made available to the general public or a large industry group
Owned by an organization selling cloud services
Characteristics of a community cloud
Shared by several enterprises
Supports a specific community that has a shared mission or interest
May be managed by the enterprises or a third party
May reside on or off premise
Characteristics of a hybrid cloud
A composition of two or more clouds that remain unique entities but are bound together by a standardized or proprietary technology that enables data and application portability
When outsourcing data processing
It does not remove the liability of the outsourcing organization to ensure data are properly protected and the transmission of data is compliant with laws on data transfer
What is a vulnerability assessment?
Careful examination of a target environment to discover any potential points of compromise and weakness
Samples of vulnerabilities
Network vulnerabilities Poor physical access controls Insecure applications Poorly designed or implemented web facing services Disruption to utilities Unreliable supply chain Untrained personnel Inefficient processes Poorly maintained or old equipment
What is penetration testing?
A targeted testing against a potential vulnerability or against an attack vector commonly used by an attacker that simulates the activities and approach used by an attacker
What is full knowledge testing?
The testing team is familiar with the entire infrastructure being tested
What is zero knowledge testing?
The testing team is in the position of the external hacker
What is the risk associated with intellectual property?
Failure to protect IP from improper use, disclosure, or duplication that may result in loss of IP for a product
What is risk scenario?
A description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise’s objectives. The impact can be positive or negative.
The development of risk scenarios is based on…
Describing a potential risk event and documenting the factors and areas that may be affected by the risk event
Risk events may include…
System failure Loss of key personnel Theft Network outages Power failures Natural disasters
The key to developing effective scenarios is…
To focus on real and relevant potential risk events
Ways a risk scenario can be developed
Top down
Bottom up
Top down approach starts with
Business goals to come up with risk scenarios
Based on understanding business goals and how a risk event could affect the achievement of those goals
Bottom up approach starts with
Generic risk scenarios to more specific risk scenarios
Based on describing risk events that are specific to individual enterprise situations
What is a risk scenario?
A description of an IT related risk event that can lead to a business impact
Components of a risk scenario
Actor: internal or external party that generates the threat
Threat type: nature of the threat event
Event: the security incident
Asset: the entity affected by the risk event
Time: if relevant to the scenario (i.e. Duration, timing, detection, time lag between event and the consequence)
A risk awareness program creates…
An understanding of risk, risk factors, and the various types of risk that an organization faces
A risk awareness program should not…
Disclose vulnerabilities or ongoing investigations except when the problem has been addressed
An awareness program for management should highlight…
The need for management to play a supervisory role in protecting systems and applications from attack
Awareness training for senior management should highlight…
The liability, need for compliance, due care and due diligence, and the need to create the tone and culture of the organization through policy and good practice
Criteria for risk acceptance
Consideration of the availability of mitigating controls
The needs of regulation
Cost benefit analysis of a control option
The risk versus reward incentive that management is willing to consider
What is residual risk?
Risk that remains after the implementation of risk treatment controls
What is risk tolerance?
Acceptable variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Ownership of risk is ultimately the responsibility of…
The asset owners, or in most cases, senior management
Risk acceptance must not exceed the…
Risk capacity of the organization
What is risk capacity?
The objective amount of loss an enterprise can tolerate without risking its continued existence
Risk capacity and risk appetite are defined by
The board and executive management at the enterprise level
What are risk tolerance levels?
Tolerable deviations from the level set by the risk appetite definitions
The risk register shows the…
Severity, source, and potential impact of a risk
Identifying the risk owner and the current status and disposition of risk
The purpose of a risk register is…
To consolidate risk data into one place and permit the tracking of risk
Contains all the risk identified in audits, vulnerability assessments, penetration tests, incident reports, process reviews, management inputs, risk scenario creation, and security assessments
The owner of the risk also owns the…
Controls and is responsible for monitoring its effectiveness
What is a control?
It is a means of managing risk, including policies, procedures, guidelines, practices or organizational structures
Developing a manageable and relevant set of risk scenarios requires:
Expertise and experience
A thorough understanding of the environment
The intervention and common views of all parties involved
A brainstorming/ workshop approach
What is systemic risk?
Something happens with an important business partner, affecting a large number of enterprises within an area or industry
What is contagious risk?
Events that happen at several of the enterprise’s business partners within a very short time frame
