Lesson 19 Risk Management Flashcards
Phases of Risk Management
Identify:
1. Mission essential functions
- Vulnerabilities and weaknesses for each function or workflow
- Threats for each function or workflow which attackers may exploit
- Analyze business impacts of a vulnerability being exploited
- Risk response, countermeasures, and cost for mitigation of the risk
- Safety is number one
- Cost/money is second
Likelihood of occurrence
The probability of the threat being realized
Impact of realized security incident
Impact is the severity of the risk
MTBF - Mean Time Between Failures
Mean Time Between Failures (MTBF)
How often failures are expected to happen
Total time / number of failures
Calculation:
(10 devices)(50 hours) / (2 failures) = 250 hours/failure
MTTR - Mean Time To Repair/Replace/Recover
Mean Time to Repair (MTTR)
The average amount of time to repair/replace/recover the product or to correct a fault
Important for determining RTO
SPoF - Single Point of Failure
Single Point of Failure (SPoF)
A component or system that would cause a complete interruption of a service if it failed
Mitigate by provisioning redundant components
RTO - Recovery Time Objective
Recovery Time Objective (RTO)
Time taken to get the system up again
or
The planned maximum amount of recovery and restoration time
RTO+WRT must not exceed MTD
WRT - Work Recovery Time
Work Recovery Time
Following system recovery, how long it takes to get the system working again
RTO+WRT must not exceed MTD
RPO - Recovery Point Objective
Recovery Point Objective (RPO)
Maximum time an organization can tolerate lost data being unrecoverable
i.e. determines which backups to use during recovery
MEF - Mission Essential Function
Mission Essential Function
A critical function of the mission which cannot be deferred for more than a few hours, if at all
MTD - Maximum Tolerable Downtime
Maximum Tolerable Downtime (MTD)
Longest period of time a business can be inoperable without causing irrecoverable business failure
RTO+WRT must not exceed MTD
Risk Register
A document showing the results of a risk assessment in an easy-to-read format
Should be shared amongst all stakeholders to help them understand the risk associated with the workflows they manage
Identify potential risks and their impact/likelihood
Display the company's mitigation plan for each risk
Assign responsibility for the execution of those plans
Track the status of each plan (complete, in progress, not started, etc.)
Quantitative Risk Analysis
Annualized Loss Expectancy calculations
know for test
SLE - Single Loss Expectancy
ARO - Annualized Rate of Occurrence
ALE - Annualized Loss Expectancy
SLE * ARO = ALE
Know for test: "the incident costs X" is the SLE
SLE
Single Loss Expectancy
The amount which would be lost in a single occurrence of the risk factor
Determined by Exposure Factor (EF) and Asset Value (AV)
SLE = EF * AV
ARO
Annualized Rate of Occurrence
ALE
Know how to calculate this
Annualized Loss Expectancy
The amount which would be lost over the course of a year
ALE = SLE * ARO
DRP - Disaster Recovery Plan
Disaster Recovery Plan
A plan of how to recover the system or site to a working state following a disaster-level event
Identify scenarios, tasks, resources, and responsibilities; train staff
FRP - functional recovery plans
Functional Recovery Plans
Because disasters occur rarely, functional recovery plans are how the effectiveness of the recovery plan is determined
Perform:
- Training through walkthroughs, workshops and seminars
- Tabletop exercises
- Functional exercises
- Full-scale exercises
Risk types
External
Internal
Multiparty - arises from supplier relationships
Intellectual Property Theft
Software Compliance/Licensing
Legacy Systems - not as secure due to lack of patching
Risk Mitigation or Remediation
Process of reducing exposure to or the effects of risk factors:
- Risk Deterrence
- Risk Reduction
- Risk Avoidance
- Risk Transference
Risk Deterrence vs Risk Reduction
Risk deterrence is deploying a countermeasure to reduce exposure to a threat or vulnerability
Risk reduction is deploying controls which make a risk incident less likely or less costly, or both
Risk Avoidance
Means to stop doing the activity which bears the risk
Risk Transference
Assigning risk to a third party
Inherent Risk
Risk before any mitigation has been applied
Residual Risk
Likelihood and impact after mitigation, transference, or acceptance measures have been applied
Control Risk
Risk that arises when a control does not provide the level of mitigation that was expected
Could be a security control which was never effective in mitigating the inherent risk