Lesson 19 Flashcards

1
Q

•Phases of risk management

A

•Phases of risk management

  1. Identify mission essential functions
  2. Identify vulnerabilities
  3. Identify threats
  4. Analyze business impacts
  5. Identify risk response

  1. Identify mission essential functions—mitigating risk can involve a large amount
    of expenditure, so it is important to focus efforts. Effective risk management must
    focus on mission essential functions that could cause the whole business to fail if
    they are not performed. Part of this process involves identifying critical systems
    and assets that support these functions.
  2. Identify vulnerabilities—for each function or workflow (starting with the most
    critical), analyze systems and assets to discover and list any vulnerabilities or
    weaknesses to which they may be susceptible.
  3. Identify threats—for each function or workflow, identify the threat sources and
    actors that may take advantage of, exploit, or accidentally trigger vulnerabilities.
  4. Analyze business impacts—the likelihood of a vulnerability being activated as a
    security incident by a threat and the impact of that incident on critical systems are
    the factors used to assess risk. There are quantitative and qualitative methods of
    analyzing impacts and likelihood.
  5. Identify risk response—for each risk, identify possible countermeasures and
    assess the cost of deploying additional security controls. Most risks require some
    sort of mitigation, but other types of response might be more appropriate for
    certain types and levels of risk.
2
Q

Risk assessment

A

Risk assessment

•Likelihood and impact

3
Q

Enterprise risk management (ERM) frameworks

A

Most companies will institute enterprise risk management (ERM) policies and procedures,
based on frameworks such as NIST’s Risk Management Framework (RMF) or ISO 31K.

4
Q
  • Risk and control self-assessment (RCSA)
  • Risk and control assessment (RCA)

A

Most companies will institute enterprise risk management (ERM) policies and procedures,
based on frameworks such as NIST’s Risk Management Framework (RMF) or ISO 31K.
These legislative and framework compliance requirements are often formalized as
a Risk and Control Self-Assessment (RCSA). An organization may also contract an
external party to lead the process, in which case it is referred to as a Risk and Control
Assessment (RCA).
An RCSA is an internal process undertaken by stakeholders to identify risks and the
effectiveness with which controls mitigate those risks. RCSAs are often performed
through questionnaires and workshops with department managers. The outcome of an
RCSA is a report. Up-to-date RCSA reports are critical to the external audit process.

5
Q

Risk Types

A

External
•Cyber threat actors and natural or person-made disaster

Internal
•Risks that arise from assets that are owned/managed

Multiparty
•Ripple impacts in the supply chain

Intellectual property (IP) theft

Software compliance/licensing
•Shadow IT

Legacy systems

6
Q

Concrete values to risk factors (quantitative assessment)

A
  • Single Loss Expectancy (SLE)
  • Exposure Factor (EF)
  • Annualized Loss Expectancy (ALE)
  • Annualized Rate of Occurrence (ARO)
7
Q
  • Single Loss Expectancy (SLE)
  • Exposure Factor (EF)

A

Single Loss Expectancy (SLE)—the amount that would be lost in a single
occurrence of the risk factor. This is determined by multiplying the value of the
asset by an Exposure Factor (EF). EF is the percentage of the asset value that would
be lost.

8
Q
  • Annualized Loss Expectancy (ALE)
  • Annualized Rate of Occurrence (ARO)

A

Annualized Loss Expectancy (ALE)—the amount that would be lost over the
course of a year. This is determined by multiplying the SLE by the Annualized Rate
of Occurrence (ARO).

9
Q

Difficulty of forecasting likelihood

Difficulty of assessing impact/cost

A

The problem with quantitative risk assessment is that the process of determining and
assigning these values is complex and time consuming. The accuracy of the values
assigned is also difficult to determine without historical data (often, it has to be based
on subjective guesswork). However, over time and with experience, this approach can
yield a detailed and sophisticated description of assets and risks and provide a sound
basis for justifying and prioritizing security expenditure.

10
Q

Qualitative Risk Assessment

A
  • Seeks opinions and uses broad categorizations
  • Heat map or traffic light impact matrix
  • Security Categorizations (FIPS 199)
    • Low
    • Medium
    • High
11
Q

Inherent risk

A

Level of risk before any type of mitigation has been attempted

12
Q

Risk Posture

A

The overall status of
risk management is referred to as risk posture. Risk posture shows which risk response
options can be identified and prioritized.

13
Q

Risk posture and prioritization

A

Risk posture and prioritization [potential prioritization]
•Regulatory requirements
•High value asset, regardless of threat likelihood
•Threats with high likelihood
•Procedures, equipment, or software that increase the likelihood of threats
•Return on Security Investment (ROSI)

14
Q

Risk mitigation/remediation

A

Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors.

Risk mitigation/remediation
•Deploy countermeasure
•Reduce likelihood or impact or both

15
Q

risk deterrence (or reduction)

A

If you deploy a countermeasure that reduces exposure to a threat or vulnerability,
that is risk deterrence (or reduction). Risk reduction refers to controls that can
either make a risk incident less likely or less costly (or perhaps both).

16
Q

Risk Avoidance and Risk Transference

A

Avoidance
•Stop doing the risky activity

Transference
•Assign risk to a third party
•Cybersecurity insurance
•Limits to transference

17
Q

cybersecurity insurance

A

Specific cybersecurity
insurance or cyberliability coverage protects against fines and liabilities arising from
data breaches and DoS attacks.

18
Q

Risk acceptance/tolerance

A
  • Risk is assessed and monitored, but no countermeasure is put in place
  • Do not ignore risk
19
Q

Residual risk

A

Likelihood and impact after mitigation

20
Q

Risk appetite

A
  • Willingness to tolerate a certain level of risk
  • Established at an organization or project level

21
Q

Control risk

A

Loss of countermeasure effectiveness over time

Control risk is a measure of how much less effective a security control has become
over time. For example, antivirus became quite capable of detecting malware on the
basis of signatures, but then less effective as threat actors started to obfuscate code.
Control risk can also refer to a security control that was never effective in mitigating
inherent risk. This illustrates the point that risk management is an ongoing process,
requiring continual reassessment and re-prioritization.

22
Q

Risk Awareness

A
  • Communicate risk factors to stakeholders
  • Risk registers
    • Risk matrix/heat map
    • Graphs
    • Relevance to workflows
23
Q

Business impact analysis (BIA)

A

Business impact analysis (BIA) reports for threat scenarios
•Calculate impact as costs
•Justifies and prioritizes investment in security controls

Business impact analysis (BIA) is the process of assessing what losses might occur
for a range of threat scenarios. For instance, if a DDoS attack suspends an e-commerce
portal for five hours, the business impact analysis will be able to quantify the losses
from orders not made and customers moving permanently to other suppliers based
on historic data. The likelihood of a DoS attack can be assessed on an annualized basis
to determine annualized impact, in terms of costs. You then have the information
required to assess whether a security control, such as load balancing or managed
DDoS mitigation, is worth the investment.

24
Q

Business continuity planning/continuity of operations planning (COOP)

A

Business continuity planning/continuity of operations planning (COOP)
•Identifies controls and processes that maintain critical workflows

Where BIA identifies risks, business continuity planning (BCP) identifies controls and
processes that enable an organization to maintain critical workflows in the face of
some adverse event.

25
Q

mission essential function (MEF)

A

Business activities that cannot be deferred
•Contrast primary business functions (PBF)
•Metrics

A mission essential function (MEF) is one that cannot be deferred. This means
that the organization must be able to perform the function as close to continually as
possible, and if there is any service disruption, the mission essential functions must be
restored first.

26
Q

MEF metrics

A

(There is a graphic for this.)

Maximum tolerable downtime (MTD)
Recovery time objective (RTO)
Work Recovery Time (WRT)
Recovery Point Objective (RPO)

27
Q

Maximum tolerable downtime (MTD)

A

Maximum tolerable downtime (MTD) is the longest period of time that a
business function outage may occur for without causing irrecoverable business
failure.

…Each business process can have its own MTD, such as a range of minutes to hours for
critical functions, 24 hours for urgent functions, seven days for normal
functions, and so on. MTDs vary by company and event. Each function may be
supported by multiple systems and assets. The MTD sets the upper limit on the
amount of recovery time that system and asset owners have to resume operations.
For example, an organization specializing in medical equipment may be able to
exist without incoming manufacturing supplies for three months because it has
stockpiled a sizable inventory. After three months, the organization will not have
sufficient supplies and may not be able to manufacture additional products,
therefore leading to failure. In this case, the MTD is three months.

28
Q

Recovery time objective (RTO)

A

Recovery time objective (RTO) is the period following a disaster that an individual
IT system may remain offline. This represents the amount of time it takes to identify
that there is a problem and then perform recovery (restore from backup or switch
in an alternative system, for instance).

29
Q

Work Recovery Time (WRT)

A

Following systems recovery, there may be additional
work to reintegrate different systems, test overall functionality, and brief system
users on any changes or different working practices so that the business function is
again fully supported.

30
Q

Recovery Point Objective (RPO)

A

Recovery Point Objective (RPO) is the amount of data loss that a system can
sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of
24 hours means that the data can be recovered (from a backup copy) to a point not
more than 24 hours before the database was infected.

…For example, a customer leads database might be able to sustain the loss of a few
hours’ or days’ worth of data (the salespeople will generally be able to remember
who they have contacted and rekey the data manually).

31
Q

Identification of Critical Systems

A

Supporting asset types (identification of critical systems)
•People, tangible assets, intangible assets, procedures

Business process analysis (BPA)
•Inputs
•Hardware
•Staff and other resources
•Outputs
•Process flow
32
Q

Supporting asset types (identification of critical systems)

A

To support the resiliency of mission essential and primary business functions, it
is crucial to perform an identification of critical systems. This means compiling an
inventory of business processes and the assets that support them. Asset types include:
• People (employees, visitors, and suppliers).
• Tangible assets (buildings, furniture, equipment and machinery [plant], ICT
equipment, electronic data files, and paper documents).
• Intangible assets (ideas, commercial reputation, brand, and so on).
• Procedures (supply chains, critical procedures, standard operating procedures).

33
Q

•Business process analysis (BPA)

A

For mission essential functions, it is important to reduce the number of dependencies
between components. Dependencies are identified by performing a business process
analysis (BPA) for each function. The BPA should identify the following factors:
• Inputs—the sources of information for performing the function (including the
impact if these are delayed or out of sequence).
• Hardware—the particular server or data center that performs the processing.
• Staff and other resources supporting the function.
• Outputs—the data or resources produced by the function.
• Process flow—a step-by-step description of how the function is performed.

34
Q

Single Points of Failure

A

Asset that causes the entire workflow to fail if it is damaged or otherwise not available (reducing dependencies helps with this)

35
Q

MTTF/MTBF

A

Mean time to failure (MTTF) and mean time between failure (MTBF)
•Determine how likely failures are to occur
•Provision redundancy

Mean time to failure (MTTF) and mean time between failures (MTBF) represent
the expected lifetime of a product. MTTF should be used for non-repairable assets.
For example, a hard drive may be described with an MTTF, while a server (which
could be repaired by replacing the hard drive) would be described with an MTBF.
You will often see MTBF used indiscriminately, however. For most devices, failure is
more likely early or late in life, producing the so-called “bathtub curve.”

36
Q

MTTF and MTBF calculation

A

(not sure if you need this)

MTTF/MTBF can be used to determine the amount of asset redundancy a system
should have. A redundant system can failover to another asset if there is a fault and
continue to operate normally. It can also be used to work out how likely failures are
to occur.
• The calculation for MTBF is the total time divided by the number of failures. For
example, if you have 10 devices that run for 50 hours and two of them fail, the
MTBF is (10 × 50)/2 = 250 hours/failure.
• The calculation for MTTF for the same test is the total time divided by the
number of devices, so (10 × 50)/10, with the result being 50 hours/failure.

37
Q

Mean time to repair (MTTR)

A

Mean time to repair (MTTR)
•Time to correct fault
•Affects recovery time objective (RTO)

Mean time to repair (MTTR) is a measure of the time taken to correct a fault so
that the system is restored to full operation. This can also be described as mean
time to “replace” or “recover.” This metric is important in determining the overall
recovery time objective (RTO).

38
Q

Disasters

A

Internal versus external
•Whether or not threat actor/source has privileged access
•External disasters affecting supply chain

Person-made
•Internal or external disaster due to human agency
•Malicious or accidental

Environmental
•Could not be prevented by human agency

Site risk assessment
•Risk from natural disaster
•Resiliency of utility supply
•Health and safety risks

39
Q

Site risk assessment

A

Site risk assessment
•Risk from natural disaster
•Resiliency of utility supply
•Health and safety risks

Where cybersecurity generally has financial impacts, site safety can have impacts to life
and property. A site risk assessment evaluates exposure to the following types of factor:
• Risk from disaster events, such as earthquake, flood, and fire. These events can
occur naturally or from person-made causes.
• Risk from disruption to utilities, such as electricity, water, and transportation. These
risks are higher in geographically isolated sites.
• Risk to health and safety from on-premises electromechanical systems or chemicals.

40
Q

Disaster Recovery Plans

A
  • Identify specific scenarios for disaster-level incidents
    • Risk and cost assessment
    • Threat modeling
  • Identify tasks, resources, and responsibilities for response
  • Train staff in disaster recovery and change management
  • Notifications to stakeholders and agencies
41
Q

Functional Recovery Plans

A

Because disasters are extreme and (hopefully) rare events, it is very difficult to evaluate
how effective or functional a recovery plan is. There are four principal methods for
assessing the functionality of recovery plans:

  • Demonstrate effectiveness through walkthroughs and exercises
  • Walkthroughs, workshops, and orientation seminars
    • Presentation and description-oriented
  • Tabletop exercises
    • Facilitator-led discussion scenarios
  • Functional exercises
    • Action-based engagements using simulations
  • Full-scale exercises
    • Action-based engagements simulating major events
    • More typical of public agencies
42
Q

SLE Equation and ALE equation

A

AV × EF = SLE

SLE × ARO = ALE