Domain 2 Information Risk Management Flashcards
Introduction
- Risk
- Exposure
- Business Value
Introduction
- Risk - the combination of the probability/likelihood of an event and its consequences/impact
- Exposure - aka attack surface; exposure is affected by the extent and effectiveness of controls and by where a device sits in the network (e.g. a device deep inside the network has less exposure than one on the perimeter)
- Business Value - classify assets by business value, which is a combination of the asset's sensitivity and/or criticality; develop a classification scheme to determine the potential impact to the organization if the asset is compromised
- Risk Management Overview
- Controls
- Countermeasures
- Risk Communication Plan
- Risk Management Overview - Risk Mgmt is achieving the optimal balance between realizing opportunities for gain and minimizing vulnerabilities to loss, while ensuring an acceptable level of assurance and predictability of the desired outcomes; accomplished by keeping the impact of threats exploiting vulnerabilities within acceptable limits and costs, balancing risk exposure, and implementing appropriate controls and countermeasures; RISK IS INHERENT IN ALL ACTIVITIES; risk management provides the rationale and justification for virtually all security activities
- Controls - part of the Risk Management Framework; incorporate policies, standards, procedures, etc.; provide assurance that business objectives are achieved and undesired events are prevented, detected, or corrected; the framework covers people, process, and technology and takes strategic, tactical, administrative, and operational components into account to be effective
- Countermeasures - a control that counters a specific threat, aka a targeted control
- Risk Communication Plan - defines frequency, types, and recipients of information about risk; reduces overload or ‘risk noise’ of non-relevant information;
Define Risk Assessment
Define Business Value
Four phases of Risk Assessment
Risk Assessment - coupled with a BIA or the information asset classification process to determine the criticality and/or sensitivity of assets (business value); basis for identifying appropriate and cost-effective controls or countermeasures to mitigate identified risk;
- Risk IDENTIFICATION
- A thorough assessment of Threat Landscape, a Vulnerability Assessment, and consideration of exposures;
- Then, determine risk scenarios (ways compromise may occur) and possible outcomes
- Risk ANALYSIS
- deep analysis of identified risk through various methods, usually performing BIAs to develop a clear understanding of potential impacts
- combining vulnerability and threat information to determine risk in terms of likelihood and impact (e.g. VaR, ALE, ROSI)
- Risk EVALUATION
- uses the results of the analysis to determine whether the risk falls within acceptable limits or must be treated;
- compare results against the established risk acceptance criteria and determine whether any further treatment is needed;
- Risk RESPONSE/TREATMENT
* risk ACCEPTANCE, risk MITIGATION, risk TRANSFER, risk AVOIDANCE
- Risk Awareness Program
- Who are the first to be aware of problems?
- Risk Awareness Program - Awareness creates culture, shapes ethics, and influences behavior; Risk Awareness acknowledges that risk is an integral part of business; citing attacks on other organizations brings awareness; it is important to achieve a level of integration with other parts of the organization, which accomplishes one of the six governance outcomes (Assurance Process Integration); another governance outcome achieved is an Effective Risk Management Program
- Who are the first to be aware of problems? - Staff and operational teams
Developing a Risk Management Program
- Establish Context and Purpose
- Define Scope and Charter
- Define Authority, Structure, and Reporting
- Ensure Asset Identification, Classification, and Ownership
- Determine Objectives
- Determine Methodologies
- Designate Program Development Team (Implementation Team)
Developing a Risk Management Program
- Establish Context and Purpose
- Establish purpose for creating Risk Mgmt Program;
- Identify desired outcomes and Define objectives
- If there are several Risk Mgmt Functions within Org, determine how they will be integrated to maximize cost-effectiveness, reduce gaps in protection, reduce cross-purposes
- Context involves defining the internal and external environment, structure, authority, processes, etc.
- Determine risk appetite, risk tolerance;
- More effective with a top-down approach;
- Deciding if risk-averse (cautious) or risk-aggressive (willing to take impacts)
Define Scope and Charter
* Since there are typically multiple units that manage risk, define the scope of responsibility and authority; this prevents gaps and duplicated effort and improves consistency (e.g. by creating a RACI chart)
Define Authority, Structure, and Reporting
* A lack of clear governance and integration of risk management activities leads to confusion and potentially dire consequences. There should be a clear structure defining who has the authority to make decisions.
Ensure Asset Identification, Classification, and Ownership
* Important to have an accurate asset register; assets need to be classified by business value, sensitivity, and criticality; every asset must have an owner, just as every risk must have an owner with defined responsibilities; this promotes accountability for policy compliance
Determine Objectives
* Set clear objectives and priorities; some risks cannot be addressed and must be accepted, some can wait, and some need to be addressed immediately; determine priority through risk analysis
Determine Methodologies
* Determine the standard approach the organization will use
Designate Program Development Team (Implementation Team)
* Determine team or individual that will be responsible for developing and implementing the risk management program
The Risk Management Process
The Risk Management Process
- Establish Scope and Boundaries - scope of responsibility internally and externally
- Identify Information Assets and Valuations - determine the assets at risk and potential impacts of compromise
- Perform Risk Assessment - risk IDENTIFICATION (threats, vulnerabilities, exposures), risk ANALYSIS (level of risk and potential impact), risk EVALUATION (whether risk meets criteria for acceptance)
- Determine Risk Treatment/Response - selecting strategy to deal with risk exceeding acceptable risk level; (transfer (share), accept (retain), mitigate (reduce), avoid (terminate))
- Accept Residual Risk - management decision to accept the remaining risk after treatment;
- Communicate About and Monitor Risk - communicate about and monitor risk internally and externally with stakeholders
Reference Model
A reference model reflects the desired state; it is a snapshot of the future state the organization would like its program to reach
Defining a Risk Management FRAMEWORK
- Policy - the policy needs to define risk management objectives and management's commitment; should be relevant to business goals; management should ensure the policy is understood and that standards are developed and maintained at all levels
- Planning and Resourcing - identify resource requirements like trained personnel
- Implementation Program - define steps to implement effective risk management system
- Management Review - senior management conduct periodic review; retain records of review
- Risk management Process
- Risk Management Documentation
- Defining the External Environment
- Defining the Internal Environment
- Gap Analysis within Risk Management
- Defining the External Environment - specifying environment in which the organization operates including the local market, competition, social, cultural conditions, etc
- Defining the Internal Environment - organization structure & culture, assets, goals, internal stakeholders, key business drivers
- Gap Analysis within Risk Management - the gap between control effectiveness and the control objective; it is important to periodically test controls for effectiveness. An ineffective control fails to meet its control objective and to achieve acceptable risk, and therefore needs to be modified or supplemented
Determining the Risk Management CONTEXT
- Range of the organization and the processes to be assessed
- Full scope of risk management activities
- Roles and responsibilities of various parts of the organization participating in the risk management process
- Organizational culture in terms of risk-averseness or aggressiveness
- Information Asset Identification and Valuation
- Information Asset Valuation Strategies
Information Asset Identification and Valuation - This is the FIRST step in Risk Assessment; locate and inventory all assets and approximate their business value (i.e. sensitivity and/or criticality); Business value is part of risk determination: RISK = LIKELIHOOD x IMPACT; Business value helps classify assets and justify levels of protection (EXAMPLES: HW can be valued by replacement cost; the value of information can be based on the cost of recreating or restoring it; value can also be measured in regulatory sanctions, theft losses, loss of share value, etc.)
Information Asset Valuation Strategies - Asset valuation is not often done, and an accurate inventory is rare; EFFECTIVE resource valuation does not have to be precise, but there needs to be a consistent approach. One approach is a matrix of loss scenarios with the impact of each risk scenario ranked;
General Risk Assessment Steps (Explain risk level and cost-benefit priorities)
NIST Risk Assessment Methodology
- Aggregated Risk
- Cascading Risk
- Systemic Risk
- Contagious Risk
- Aggregated Risk - multiple minor vulnerabilities, when combined, can cause a significant impact
- Cascading Risk - one failure leads to a chain reaction of failures
- Systemic Risk - an incident occurs with an important business partner and affects a large group of enterprises within an area or industry sector
- Contagious Risk - events that happen at several of the enterprise's business partners within a very short time frame
Risk Assessment Methodology
- Factor Analysis of Information Risk (FAIR)
Risk Assessment Methodology
- Factor Analysis of Information Risk (FAIR) - primarily a complement to other assessment approaches, with the objective of increasing the accuracy of risk assessment
- FAIR provides:
- Taxonomy - classification;
- Method for measuring - Metrics;
- A computational engine - mathematically simulating relationships among metrics
- A simulation model - use the above 3 to analyze risk scenarios of any size or complexity
- 4 primary components of risk taxonomy
- Frequency threat comes into contact with assets
- Probability threat will actually act against asset
- Probability of threat being successful of compromise
- Probable impact to assets
- Alongside FAIR, probabilistic risk assessment (PRA) is a popular analysis tool for evaluating risk at every SDLC phase, from initiation to disposal;
Techniques in Developing Risk Scenarios
Techniques in Developing Risk Scenarios
- Stay current with risk scenarios (always changing threat landscape)
- Use generic scenarios
- Scenarios should be relevant, not too many
- Ensure adequate personnel used to help
- Consider systemic and cascading risk
- Involve the 1st line of defense; e.g. the operations team will know a lot about current system vulnerabilities
- Derive complex scenarios from simple ones
- Look at historical information or similar organizations and their risk for reasonable predictions of risk
Top Down and Bottom Up Risk Scenario Approach
What makes a Risk Scenario
- Threats
- Internal Threats
- External Threats
- Threats - threats are events with the potential to cause harm to an information resource by exploiting vulnerabilities in a system; threats can be discovered by examining past failures, audit reports, media reports, national CERT advisories, and communication with internal groups
- Internal Threats - employees cause significant impacts, intentional or unintentional; most employees have more access than their job actually requires; the remedy is to grant access only on a need-to-know/least-privilege basis, perform thorough background checks, require NDAs at hiring time, and publish rules of behavior (RoB);
- External Threats - natural events (e.g. flood, earthquake); hackers; Advanced Persistent Threats (APTs); most breaches are the result of targets of opportunity, i.e. easy targets
- Advanced Persistent Threats (APTs)
- Generic Lifecycle
- Typical Sources
APTs - highly skilled adversaries that 1. pursue their objectives repeatedly over an extended period of time; 2. adapt to the organization's defenses; 3. maintain the level of interaction needed to execute their objectives;
- Initial Compromise - attacker uses social engineering, spear phishing, or zero-day malware
- Establish Foothold - attacker plants remote administration software on the network or creates backdoors
- Escalate Privileges - use exploits or password cracking
- Internal Reconnaissance - collect information about the environment
- Move Laterally - gain access to other workstations and collect data
- Maintain Presence - ensure continued control
- Complete Mission - exfiltrate the data
- Vulnerabilities
- Vulnerabilities - weaknesses; the extent of exposure must be considered to determine the probability that a vulnerability is exploited; find vulnerabilities before an attacker does, through vulnerability assessments and pen testing
- Risk, Likelihood, and Impact
- Factors to consider Likelihood
- Diminishing Returns
- Organization Culture in regards to Risk - Risk-averse vs Risk-aggressive
- Risk, Likelihood, and Impact - threats x vulnerabilities x consequences = risk;
- Factors to consider Likelihood
- Volatility - when conditions vary, there may be times when the risk is greater than at other times, increasing unpredictability and therefore requiring a higher estimate of risk
- Velocity - the extent of prior warning of an event and the amount of time between the event occurring and its subsequent impact; if that time is short, the risk is higher
- Proximity - the time between the event and its impact (the greater the velocity, the closer the proximity)
- Interdependency - a risk may affect several areas; never consider a risk in isolation, but instead together with the risks it triggers concurrently or sequentially
- Motivation - extent of attacker’s motive may determine which assets are attacked
- Skill - level of skill can determine type and value of assets attacked
- Visibility - high-visibility targets are more likely to be attacked
- Diminishing Returns - it is important to analyze cost benefit; there is a point of diminishing returns at which costs of additional controls rise faster than the benefit
- Organization Culture in regards to Risk; Risk-averse vs Risk-aggressive - risk-averse has lower risk acceptance, tighter security, higher control costs; risk-aggressive takes more chances, higher risk acceptance
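The quantitative pieces of this domain (RISK = LIKELIHOOD x IMPACT, the ALE and ROSI named in the Risk Analysis card, the four FAIR taxonomy components and FAIR's simulation engine, evaluation against a risk tolerance, and the point of diminishing returns) as one worked example. This is added code, not from the flashcards or from the FAIR standard; the ransomware scenario, the effect and cost of each control, and the risk tolerance are constructed assumptions for illustration.

```python
"""Added worked example: FAIR-style factors -> ALE, ROSI of candidate controls, a Monte
Carlo run over the loss ranges, and a treatment plan showing the point of diminishing
returns. All figures are constructed for illustration (assumptions, not page data)."""
import math
import random
from dataclasses import dataclass, replace


def _poisson(lam: float, rng: random.Random) -> int:
    # Knuth's sampler; fine for the small yearly rates seen in risk scenarios
    threshold, k, p = math.exp(-lam), 0, 1.0
    while p > threshold:
        k, p = k + 1, p * rng.random()
    return k - 1


@dataclass(frozen=True)
class Scenario:
    name: str
    contact_frequency: float  # FAIR: threat contacts with the asset per year
    p_action: float           # FAIR: probability a contact becomes an attempt
    p_success: float          # FAIR: probability an attempt defeats current controls
    loss_low: float           # FAIR: probable loss magnitude per event (min, mode, max)
    loss_mode: float
    loss_high: float

    def loss_event_frequency(self) -> float:
        # threat event frequency x vulnerability = loss events per year (the ARO)
        return self.contact_frequency * self.p_action * self.p_success

    def expected_loss_per_event(self) -> float:
        # mean of a triangular distribution over the loss range (the SLE)
        return (self.loss_low + self.loss_mode + self.loss_high) / 3

    def ale(self) -> float:
        # annualized loss expectancy = ARO x SLE, i.e. RISK = LIKELIHOOD x IMPACT
        return self.loss_event_frequency() * self.expected_loss_per_event()

    def simulate(self, years: int = 10_000, seed: int = 1) -> tuple[float, float]:
        # FAIR's computational engine in miniature: sample the ranges instead of multiplying
        # point estimates; returns (mean annual loss, loss in the 99th-percentile year)
        rng, annual = random.Random(seed), []
        for _ in range(years):
            loss = 0.0
            for _ in range(_poisson(self.contact_frequency, rng)):
                if rng.random() < self.p_action and rng.random() < self.p_success:
                    loss += rng.triangular(self.loss_low, self.loss_high, self.loss_mode)
            annual.append(loss)
        annual.sort()
        return sum(annual) / years, annual[int(0.99 * years)]


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    p_success_factor: float = 1.0  # 0.25 -> attempts succeed a quarter as often
    loss_factor: float = 1.0       # 0.4 -> each event costs 40% of what it did


def apply_control(s: Scenario, c: Control) -> Scenario:
    # residual scenario: a control lowers the vulnerability, the impact, or both
    return replace(s, p_success=s.p_success * c.p_success_factor,
                   loss_low=s.loss_low * c.loss_factor, loss_mode=s.loss_mode * c.loss_factor,
                   loss_high=s.loss_high * c.loss_factor)


def rosi(ale_before: float, ale_after: float, cost: float) -> float:
    # return on security investment = (risk reduction - control cost) / control cost
    return (ale_before - ale_after - cost) / cost


def treatment_plan(s: Scenario, controls: list[Control], tolerance: float) -> list[tuple]:
    # Mitigate in order of standalone ROSI until residual ALE is within tolerance or the next
    # control costs more than the risk it removes (diminishing returns); what is left is
    # residual risk for management to accept or transfer. Steps: (control, ALE, ROSI, decision).
    ranked = sorted(controls, reverse=True,
                    key=lambda c: rosi(s.ale(), apply_control(s, c).ale(), c.annual_cost))
    steps, current = [], s
    for c in ranked:
        candidate = apply_control(current, c)
        marginal = rosi(current.ale(), candidate.ale(), c.annual_cost)
        if current.ale() <= tolerance:
            steps.append((c.name, current.ale(), marginal, "not needed: within tolerance"))
        elif marginal <= 0:
            steps.append((c.name, current.ale(), marginal, "reject: cost exceeds risk reduction"))
        else:
            current = candidate
            steps.append((c.name, current.ale(), marginal, "mitigate"))
    verdict = ("accept" if current.ale() <= tolerance
               else "residual exceeds tolerance: management acceptance or transfer")
    steps.append(("residual risk", current.ale(), 0.0, verdict))
    return steps


# Constructed sample data: ransomware against a file share, reached by monthly phishing waves.
RANSOMWARE = Scenario("ransomware on file share", contact_frequency=12, p_action=0.5,
                      p_success=0.2, loss_low=50_000, loss_mode=150_000, loss_high=600_000)
CONTROLS = [Control("phishing-resistant MFA", annual_cost=40_000, p_success_factor=0.25),
            Control("tested offline backups", annual_cost=25_000, loss_factor=0.4),
            Control("endpoint detection and response", annual_cost=60_000, p_success_factor=0.5)]
RISK_TOLERANCE = 20_000  # constructed: the largest ALE management will accept for this scenario
```

With these figures the inherent ALE is 320,000 (LEF 1.2 per year x SLE ~266,667). `treatment_plan(RANSOMWARE, CONTROLS, RISK_TOLERANCE)` applies backups first (ROSI 6.68, ALE down to 128,000), then MFA (marginal ROSI 1.4, ALE 32,000), and rejects EDR because its 60,000 cost exceeds the 16,000 of risk it would still remove; the 32,000 residual sits above the 20,000 tolerance, so the last step records that management must explicitly accept or transfer it. `RANSOMWARE.simulate()` gives the same mean plus a 99th-percentile bad year, which is the argument for ranges rather than single point estimates.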
- Risk Register
- Risk Profile and what is included
- Risk Register - central repository for identified risks including specific threats, vulnerabilities, exposures, and assets affected; should include asset owner, risk owner, other stakeholders; risk register should be filled out during assessment process; risk register serves as a reference point for all risk management activities
- Risk Profile - overall identified risks within organization which includes:
- Risk Register (Risk scenarios and Risk Analysis)
- Risk Action Plan
- Loss Events (historical and current)
- Risk Factors
- Independent Assessment Findings
- Risk Analysis
- What does risk analysis involve?
- Techniques to estimate impact and likelihood
- Risk analysis techniques
Risk Analysis - identified risk is assessed and its potential consequences determined; determines the effectiveness of existing controls and the extent to which they mitigate the risk; Risk analysis involves:
- examination of risk sources (threats and vulnerabilities)
- asset exposure
- impact - may not be clear unless BIA has been performed
- likelihood
- assessment of existing controls
- Techniques to estimate impact and likelihood - past experience, practice standards and guidelines, research, specialists/experts, experiments
- Risk analysis techniques - interviews, use of existing models, statistical analysis