Risk Management Flashcards
Risk Categories (3)
Damage
Disclosure
Losses
5 Risk Factors
Physical Damage
Malfunction
Attacks
Human Error
Application Error
Security Policy Development
(4 Steps)
- Security Procedures
- Security Guidelines
- Security Baselines
- Acceptable Use Policy
Risk Planning
(By organizational management level / number of years)
Strategic 5 yr
Tactical 1 yr
Operating MQ
Response to Risk (6)
Acceptance
Mitigation
Assignment
Avoidance
Deterrence
Rejection
Primary Risk Management Framework
NIST 800-37
NIST 800-37 Steps
- Prepare
- Categorize
- Select Security Controls
- Implement Security Control
- Assess the Controls
- Authorize the system
- Monitor Security Control
Types of Risk (3)
Residual
Inherent
Total
Total Risk
Formula
Threats * Vulnerabilities * Asset Value
Risk
Formula
Threat * Vulnerability
Methodology of Risk Assessment - Examples (NIST, etc.)
NIST SP 800-30
OCTAVE
FRAP
FMEA
Fault Tree Analysis
Risk Analysis Approach (2)
Quantitative Risk Analysis
Qualitative Risk Analysis
Risk Management Process (4) Steps
(FARM)
Frame Risk
Assess Risk
Respond to Risk
Monitor
Information Exhibits Vulnerabilities (Data x 3)
Data at rest
Data in transit
Data in use
TOC/TOU
Time-of-check to Time-of-use
The Delphi Technique
Used in Qualitative Risk Analysis
Individual opinions taken in rounds
Residual Risk
(Threats * Vulnerabilities * Asset Value) * Control Gap
Residual risk = Total Risk - Countermeasures
Value of safeguard to the organization
(Control Selection)
Formula
(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (Annual Cost of Safeguard)
NIST SP 800-39
(Holistic Risk Management)
Managing Information Security Risk
Define 3 Tiers to Risk:
Tier 1 - Organization View
Tier 2 - Mission/ Business Process view
Tier 3 - Information system view
Risk Analysis 4 Main Goals
- Identify assets and their value to the organization
- Determine the likelihood that a threat exploits a vulnerability
- Determine the business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk Management methodology
NIST SP 800-30
- Focus: Computer systems and IT issues.
- Does not cover large organizational threats
- Focus on operational component of an enterprise
Risk Management Methodology
OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology.
- 7 Processes
- Created by Carnegie Mellon University
- People manage and direct the risk evaluation for information security within an organization.
- Idea: the people who work in the organization know and best understand its risks
- Facilitated workshops covering all systems, applications and processes within the organization
Risk Management Methodology
FRAP
Facilitated Risk Analysis Process
By Thomas Peltier
The crux of this qualitative method is to focus only on the systems that really need assessment, in order to reduce cost
One application or one system at a time
Based on experience, not numbers
Risk Management Methodology
FMEA
- Failure Modes and Effect Analysis
- (Block diagrams)
- A function-based approach: identifying functional failures and assessing the cause of each failure through a structured process
- Mainly used in product development and operational environments
- Identifying single points of failure
- 5-steps
Risk Management Methodology
Fault Tree Analysis
Assessing failures in the most complex systems
Quantitative Risk Analysis
Single Loss Expectancy (SLE) -Definition
SLE is a monetary value assigned to a single event that represents the organization’s potential loss amount
Quantitative Risk Analysis
Annualized Loss Expectancy (ALE)
Annual effective amount that an organization should spend
Quantitative Risk Analysis
Exposure Factor (EF)
Exposure Factor represents the percentage of a loss a realized threat could have on a certain asset
Quantitative Risk Analysis
Annualized Rate of Occurrence (ARO)
ARO is a value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe
Quantitative Risk Analysis
SLE (Single Loss Expectancy) Formula
Asset Value x Exposure Factor (EF) = Single Loss Expectancy
Quantitative Risk Analysis
ALE (Annualized Loss Expectancy) Formula
SLE x Annualized Rate of Occurrence (ARO) = ALE
Three main categories of control
Administrative
Technical
Physical
Administrative Controls are commonly referred to as
Soft Controls
Technical Controls are also called
Logical Control
Examples of Administrative Controls
Security Documentation
Risk management
Personnel security and training
Examples of Technical Controls
Software or
Hardware Components
(Firewalls, IDS, and identification and authentication mechanisms)
Examples of Physical Controls
Security Guards
Locks
Fencing
Lighting
Defence-in-depth
The coordinated use of multiple security controls in a layered approach
(6) Different types of Security Controls
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating
Preventative Control Type
(Definition)
Intended to avoid an incident from occurring
Detective Control Type
(Definition)
Helps identify an incident’s activities and potentially an intruder
Corrective Control Type
(Definition)
Fixes components or systems after an incident has occurred
Deterrent Control Type
(Definition)
Intended to discourage a potential attacker
Recovery Control Type
(Definition)
Intended to bring the environment back to regular operations
Compensating Control Type
(Definition)
Provides an alternative measure of control
Preventative: Administrative
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness
Preventative: Physical
Badges, swipe cards
Guards, dogs
Fences, locks, mantraps
Preventative: Technical
Examples
Passwords, biometrics, smart cards
Encryption, secure protocols, call-back systems, database views, constrained user interfaces
Administrative software, access control lists, firewalls, IPS
What is a Control Assessment?
A Control Assessment is an evaluation of one or more controls to determine the extent to which they are:
- implemented correctly,
- operating as intended,
- and producing the desired outcome.
Verification vs. Validation
Verification: did we implement the control right?
Validation: did we implement the right control?
Risk Monitoring is (3 things)
The ongoing process of
- adding new risks,
- reevaluating existing ones,
- removing moot ones,
- and continuously assessing the effectiveness of our controls at mitigating all risks to tolerable levels.
Risk Monitoring should focus on 3 key areas
Effectiveness
Change
Compliance
EDR stands for
Endpoint Detection and Response
Threat Working Group (TWG)
Part of Risk monitoring
Consists of members from all major parts of the organization, meeting regularly to review the list of risks (risk register)
Two (2) major sources of change that impact your overall risk:
- Information Systems
- Business
Change Advisory Board (CAB) monitors (4)
- Number of unauthorized changes
- Average time to implement a change
- Number of failed changes
- Number of security incidents attributable to changes
General Data Protection Regulation (GDPR) came into effect in May 2018
Applies to any organization that stores or processes data belonging to a person from the European Union (EU)
Risk Reporting
(3) Target Groups (People)
- Executives (and board members)
- Managers
- Risk owners
Typical Risk Maturity Model
Initial
Repeatable
Defined
Managed
Optimizing
NIST SP 800 - 161
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
3 Critical classes of requirements that should be included in a contractual agreement are
- Data Protection - Proactive
- Incident Response - Reactive
- Verification - the means to verify the supplier’s ability to comply with its contractual obligations
External Evaluation (standards such as ISO)
- ISO 27001 Certification
- U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC)
- Payment Card Industry Data Security Standard (PCI DSS) Certification
- Service Organization Control 1 (SOC1) or 2 (SOC2) report
- U.S. Federal Risk and Authorization Management Program (FedRAMP)
CIA Triad
Confidentiality
Integrity
Availability
Due Diligence
Can be defined as doing everything within one’s power to prevent a bad thing from happening.
Prior planning - actions in advance (write policies, create procedures, develop playbooks)
Means that the company properly investigated all of its possible weaknesses and vulnerabilities, i.e., understanding the threats
Due Care
What a prudent or reasonable person would do.
- Tactical and in the moment
- What any reasonable security person would do in the moment
Business Continuity (BCP)
Business Continuity is an organization’s ability to maintain business functions, or quickly resume them, in the event that risks are realized and result in disruption.
Disaster Recovery (DR) is...
- Disaster Recovery is the process of minimizing the effects of a disaster or major disruption.
- DR is part of BC
NIST 800-34
Contingency Planning Guide for Federal Information Systems
BCP and BCM
Business Continuity Planning and Business Continuity Management
BCP and BCM Steps
- Continuity Policy
- BIA
- Identify Preventative Controls
- Create Contingency Strategies
- Develop BCP
- Exercise, test, and drill
- Maintain BCP
BCM is Critical
Other standards-based organizations
- ISO/IEC 27031:2011
- ISO/IEC 22301:2019
- Business Continuity Institute’s Good Practice Guidelines (GPG)
- DRI International’s Professional Practices for BCM
BCP Should belong not to ___ but to ___
- Not to the BCP team or its leader
- but to a high-level executive manager, preferably a member of the executive board
BCP Committee must identify the threats to the organization and map them to the following 5 items
- Maximum tolerable downtime and disruption for activities
- Operational disruption and Productivity
- Financial Considerations
- Regulatory Responsibilities
- Reputation
Group that developed “Ten Commandments of Computer Ethics”
Computer Ethics Institute