Risk Management Flashcards
What is risk management?
- systematic process of identifying, assessing, and managing risks to information assets and systems
- understanding potential threats, vulnerabilities, and the impact of potential incidents on an organization’s security posture
Who decides how risks are handled?
management
What is a risk category?
group of potential causes of a risk
What are the different risk categories? Describe each.
- Damage
- results in a physical loss of an asset or the inability to access the asset
- Loss
- might be permanent or temporary, including altered data or inaccessible data
- Disclosure
- disclosing critical information regardless of where or how it was disclosed
What is a risk factor?
something that increases risk or susceptibility
What are the risk factors?
- physical damage
- natural disasters, vandalism, power loss
- malfunction
- failure of systems, networks or peripherals
- attack
- purposeful acts whether from the inside or outside
- human
- usually considered accidental, whereas attacks are purposeful incidents
- application errors
- failures of the application, including operating system
Acronym: Police Must Accept Happy Anarchists
What are the different types of risk?
- Residual Risk
- Inherent Risk
- Total Risk
What is Residual Risk?
- risk that remains even when all conceivable safeguards are in place
- exists AFTER security controls are implemented
What is Inherent Risk?
- newly identified risk not yet addressed with risk management strategies
- the amount of risk that exists in the absence of controls
- inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed
- exists BEFORE security controls are implemented
What is Total Risk?
- amount of risk that an organization would face if no safeguards are implemented
- exists WITHOUT security controls
What is risk identification?
- systematically identifying and documenting potential risks that could negatively impact the confidentiality, integrity, or availability of information assets
- identifying internal and external threats and potential impacts
What techniques are used to identify risks?
- risk assessments
- threat modeling
- vulnerability assessments
- asset inventories
What is risk assessment?
- analyzing and evaluating identified risks to determine their likelihood of occurrence and potential impact
- helps prioritize risks based on their severity and the likelihood of occurrence
What parameters does risk assessment consider?
- value of the assets at risk
- the potential impact on the organization’s operations
- financials, reputation, and compliance requirements
What is a risk response?
- developing and implementing strategies to address identified risks
- includes determining the most effective and efficient controls and countermeasures to reduce the risk to an acceptable level
What are the possible ways of risk response?
- Risk Avoidance
- Risk Rejection
- Risk Mitigation
- Risk Assignment/Transfer
- Risk Acceptance
- Risk Deterrence
Acronym: All Romans Must Attack All Docks
What is risk avoidance?
- avoiding the risk altogether by ceasing the activity or not engaging in the vulnerable process
- e.g. opening a private cloud facility in Utah instead of Texas to avoid hurricanes
What is risk rejection?
an unacceptable (though possible) response to risk: rejecting or ignoring the risk
What is risk mitigation?
- implementing controls and countermeasures to reduce the likelihood or impact of the risk
- can include implementing security controls, applying patches and updates, or enhancing employee training
- accepts the residual risk
What is risk assignment/transfer?
- transferring the risk to a third party, such as through insurance or outsourcing
- shifts the financial burden or responsibility for managing the risk to another entity
What is risk acceptance?
- accepting the risk and consciously deciding to tolerate the potential consequences
- typically done for risks with a low likelihood or impact, or when the cost of mitigation outweighs the potential harm
What is risk deterrence?
- implementing deterrents to would-be violators of security and policy
- includes things like security cameras or security guards
Describe Risk Monitoring and Review
- risk management is an ongoing process, and organizations need to continuously monitor, review, and reassess risks
- periodic risk assessments and reviews ensure that risk management practices remain up to date and aligned with the evolving security needs of the organization
Describe Risk Communication
- effective risk management includes clear and concise communication of risks, their potential impacts, and recommended mitigation strategies to stakeholders
- enables stakeholders to understand the potential impacts, make informed decisions, and participate in risk management activities
What does risk management documentation include?
risk management process, risk assessments, risk treatment decisions, and the implementation and effectiveness of security controls
What is Risk Appetite (Risk Tolerance)?
- level of risk that an organization or individual is willing to accept or tolerate in pursuit of its objectives
- involves finding the right balance between risk-taking and risk avoidance
What does the business need to consider so that risk management efforts are in line with the overall organizational strategy?
business priorities, strategic goals, and risk appetite
What should risk management consider as one of the top priorities?
- legal and regulatory requirements applicable to the organization’s industry and jurisdiction
- compliance with laws, regulations, and industry standards is an integral part of risk management, ensuring that the organization operates within legal boundaries and meets its obligations to protect sensitive information
What are the two different ways to evaluate risk to assets?
- quantitative
- qualitative
What is quantitative risk analysis?
- assigns a dollar value to evaluate the effectiveness of countermeasures
- labor intensive - employs data collection and analysis
- objective - involves hard data
What is qualitative risk analysis?
- uses a scoring system to rank threats and effectiveness of countermeasures relative to the system or the environment
- subjective - involves opinion
What does the business need to consider when doing risk analysis?
- Loss Potential
- what would be lost if the threat agent succeeds in exploiting a vulnerability
- Delayed Loss
- amount of loss that can occur over time
- Threat Agents
- entities that cause the threats by exploiting vulnerabilities
What are the key steps in risk analysis?
- Risk Identification
- Risk Assessment
- Risk Evaluation
- Risk Treatment
- Risk Communication
- Ongoing Monitoring and Review
Acronym: I Am Evaluating The Current Offensive
What is the Delphi Technique?
- anonymous feedback-and-response process used to arrive at consensus
- used in qualitative risk analysis
What is a Risk Management Framework?
- provides organizations with structured approaches and guidelines for identifying, assessing, and managing risks across various domains
- the frameworks and standards offer methodologies, processes, and best practices to help organizations establish effective risk management practices
What are the steps in risk management framework NIST 800-37?
- Prepare
* evaluation phase before the entire process of RMF is triggered
- Categorize
* categorize the information system based on the impact that a potential compromise or loss of confidentiality, integrity, or availability would have on the organization
- Select
* organization selects appropriate security controls based on the system’s security categorization
- Implement
* once the security controls are selected, they need to be implemented within the system
- Assess
* implemented security controls are then assessed to ensure they are operating effectively and providing the intended security before the systems are put in production
- Authorize
* organization makes a risk-based decision regarding the system’s readiness for operation
- Monitor
* once the system is operational, ongoing monitoring and continuous assessment of security controls are necessary to ensure they remain effective
What does NIST 800-37 emphasize?
the need for organizations to tailor the risk management framework to their specific needs
What is OCTAVE and what does the acronym mean?
- risk management framework
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
What are the 3 basic characteristics of OCTAVE?
- Risk-Based Approach
- takes a risk-based approach, focusing on identifying and mitigating risks that are critical to an organization’s operations and objectives
- Asset-Centric
- centers around understanding and protecting an organization’s critical assets, such as data, systems, processes, or physical infrastructure
- Team Collaboration
- involves cross-functional teams that include stakeholders from different areas of the organization, such as business units, IT, and security
What are the three main phases of OCTAVE?
- Phase 1: Build Asset-Based Threat Profile
- Phase 2: Identify Risks
- Phase 3: Develop Risk Mitigation Strategies
Describe OCTAVE phase 1 and its steps
- Identify and Categorize Assets
- Identify Threats
- Assess Vulnerabilities
- Build Asset-Based Threat Profiles
Describe OCTAVE phase 2 and its steps
- Identify Risks
- Prioritize Risks
Describe OCTAVE phase 3 and its steps
- Develop Strategies
- Implement and Monitor
What are the benefits of OCTAVE?
- Holistic Risk Assessment
- Stakeholder Engagement
- Risk Prioritization
- Actionable Risk Mitigation
What are the limitations of OCTAVE?
- Resource Intensive
- Expertise Required
- Scalability
What is TARA and what does the acronym mean?
- risk management framework that focuses on assessing risks posed by threat agents or adversaries
- Threat Agent Risk Assessment
What are the key aspects of TARA?
- Threat Agent Identification
- the first step is to identify and characterize potential threat agents or adversaries that could pose risks to the organization
- Risk Assessment
- involves evaluating the threats identified in the previous step
- each threat agent is analyzed based on their capabilities, intentions, and likelihood of exploiting vulnerabilities or causing harm
- Vulnerability Assessment
- vulnerabilities within the organization’s systems, processes, and infrastructure are identified and evaluated
- Impact Analysis
- assesses the potential consequences or impacts of successful attacks or incidents caused by threat agents
- Risk Mitigation Strategies
- once the threats, vulnerabilities, and impacts have been identified, organizations can develop risk mitigation strategies
- Risk Treatment and Monitoring
- involves implementing the selected risk mitigation strategies and continuously monitoring the effectiveness of the controls
What is FAIR and what does the acronym mean?
- risk management framework that provides a structured and quantitative approach to assessing and analyzing information and cybersecurity risks
- Factor Analysis of Information Risk
What are the steps of the FAIR framework?
- Identify Scope and Context
- Define Risk Factors
- Assess Frequency
- Assess Magnitude
- Calculate Risk
- Evaluate and Prioritize Risks
- Implement Risk Mitigation
- Monitor and Review
What should be done when a risk is accepted?
maintain detailed documentation of the risk acceptance process to satisfy auditors in the future; this should happen before implementing security controls, etc.
What’s the most effective assessment approach for risk assessment when analyzing tangible and intangible assets?
combining of quantitative and qualitative risk assessment
What’s Risk Maturity Model (RMM) used for?
designed for the purpose of assessing enterprise risk management programs
When conducting quantitative business impact assessment to collect data to determine dollar cost of downtime, what information is needed from outages during the previous year to calculate cost of those outages to business?
- total amount of time business was down
- number of personnel hours worked to recover from the outage
- business lost during the outage per hour in dollars
- average employee wage per hour
Use of a probability/impact matrix is the hallmark of which risk assessment?
qualitative
What are the valid uses for key risk indicators (KRIs)?
- provide warnings before issues occur
- provide historical views of past incidents
- provide insight into risk tolerance for the organization
What is the most important element of a qualitative risk assessment?
determining the probability and impact of each risk upon the organization
What are these:
* RMF
* COSO’s ERM
* ISACA’s Risk IT
* OCTAVE
* FAIR
* TARA
risk management frameworks
What does risk reporting involve?
production of a risk report and a presentation of that report to the interested/relevant parties
What is a risk register or risk log?
document that inventories all of the identified risks to an organization or system or within an individual project
What is a risk matrix or risk heat map?
form of risk assessment that is performed on a basic graph or chart
What covers the evaluation of countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management?
Risk response
What is the effort to increase the knowledge of risks within an organization called?
risk awareness
What is risk management composed of?
risk assessment and risk response
What’s the name for the examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk?
Risk assessment or risk analysis
What’s exposure?
the presence of a vulnerability when a related threat exists
Is risk every instance of an exposure?
yes
What is Exposure?
being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited
When controls are not cost effective, they are not worth implementing. What is the appropriate risk response in this case?
risk acceptance
Does risk acceptance documentation include risk mitigation controls to address acceptable risks?
no
What should risk acceptance documentation include?
- thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable
- for acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination
- documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation
What term best describes a review of the risk management program in an organization and developing an analysis of all of the risks facing the organization and their quantitative impact?
- risk profile
- quantitative analysis of all of the risks facing an organization and their potential impact
What does ISO 31000 have in common with NIST 800-37?
they are risk management frameworks that help companies run a risk management program
The cost of the risk management program, the number of risks identified, and the number of risks that have occurred are all examples of what?
risk management metrics
What is the difference between safeguards and countermeasures?
- safeguards: proactive (reduce the likelihood)
- countermeasures: reduce the impact after occurrence
What are the risk management frameworks that are relevant to cloud computing?
- ISO 31000:2018 guidance standard
- ENISA’s cloud computing risk assessment
- NIST 800-37, Risk Management Framework
What is the purpose of NIST Special Publication 800-146 “Cloud Computing Synopsis and Recommendations”?
provide definitions of various cloud computing terms
What does ENISA provide to address risk management?
guide that identifies various categories of risk and recommendations for organizations to consider when evaluating cloud computing
What are some of the key cybersecurity metrics that companies can track to present measurable data to company stakeholders?
- patching levels
- how many devices are fully patched and up-to-date
- unpatched devices contain exploitable vulnerabilities
- time to deploy patches
- how many devices receive required patches in defined time frames
- useful measure of how effective patch management is at reducing the risk of known vulnerabilities
- intrusion attempts
- how many times have unknown actors tried to breach cloud systems
- increased intrusion attempts can be an indicator of increased risk likelihood
- MTTD (Detect), MTTC (Contain), MTTR (Resolve)
- how long does it take for security teams to become aware of a potential security incident, contain the damage, and resolve the incident
- inadequate tools or resources for reactive risk mitigation can increase the impact of a risk occurring