Risk Management Concepts Flashcards
Risk Vector
- Payment processing
- Human resources
- Emergency
- Sensitive data: do we know what we have and where it is?
- Third-party access
Physical Risk Vectors
Access control vestibules (mantraps)
Server room access
Limit USB bootable devices
Risk Management Frameworks (RMFs)
Center for Internet Security (CIS) Critical Security Controls - prioritized cybersecurity best practices.
NIST Risk Management Framework (RMF, SP 800-37) and NIST Cybersecurity Framework (CSF) - cybersecurity risk management.
International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) - 27001 (ISMS requirements), 27002 (control guidance), 27701 (privacy information management); ISO 31000 - general risk management guidelines.
Financial RMFs
Statement on Standards for Attestation Engagements (SSAE 18) - System and Organization Controls (SOC) reports
- SOC 1: internal controls relevant to financial reporting (financial statement integrity)
- SOC 2: controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
- Type I: control design at a point in time; Type II: operating effectiveness over a review period.
Risk Assessment Guidance
NIST Special Publication (SP) 800-30, Rev. 1 - Guide for Conducting Risk Assessments.
Data Privacy Regulations and Standards
General Data Protection Regulation (GDPR)
Protects the personal data of individuals in the EU/EEA; applies to any organization that processes that data, wherever it is located.
Health Insurance Portability and Accountability Act (HIPAA)
Protects U.S. patients' protected health information (PHI).
Payment Card Industry Data Security Standard (PCI DSS)
Protects cardholder data (e.g. primary account numbers) at merchants, processors and service providers.
Types of Security Policies
- Acceptable use policy (AUP) * E-mail, social media, web browsing
- Resources access policies * App or file access.
- Account policies * Account hardening.
Security Controls:
A solution that mitigates threats. Example: a malware scanner mitigates malware infections.
Implemented differently depending on platform, vendor and user, e.g. on network infrastructure devices (switches, routers, firewalls).
Security Control Categories:
Managerial/administrative - what should be done? Example: employee background checks.
Operational - how often must we do it? Example: periodic review of security policies.
Technical - how exactly will we do it? Example: firewall rule configuration.
Security Control Types
Physical - Access control vestibule (mantrap)
Detective - Log analysis
Corrective - Patching known vulnerabilities.
Deterrent - Device logon warning banners
Compensating - Network isolation for Internet of Things (IoT) devices
What are cloud security control documents?
Cloud Security Alliance (CSA) - Cloud Controls Matrix (CCM)
Payment Card Industry Data Security Standard (PCI DSS) - prescribes the security controls that must be in place for compliance.
What are Risk Examples?
Risk - theft of online banking credentials.
Attack Vector - a spoofed e-mail message with a link to a spoofed website that tricks the end user into entering credentials.
Mitigation through Security Controls - user security awareness training, antivirus software, spam filters.
Risk Assessments and Treatments
Risk Assessment - Prioritization of threats against assets and deciding what to do about them. Scope: the entire organization, or a single project or department.
Targets: Servers, Legacy systems, Intellectual property (IP), Software Licensing
What is the Risk Assessment Process?
- Risk Awareness - Cybersecurity intelligence sources.
- Evaluate Security Controls - Inherent risk (before controls are applied) versus residual risk (what remains after controls are applied).
- Implement Security Controls
- Periodic Review
What Are Risk Types?
Environmental - Flood, hurricane
Person-made (human-caused) - Riots, terrorism, sabotage
Internal - Malicious insider, malware infections.
External - Distributed denial of service (DDoS)
What Are Risk Treatments?
Mitigation/Reduction - security controls are proactively put in place to lower the likelihood or impact before undertaking the risk.
Transference/Sharing - some of the risk is transferred to a third party in exchange for payment. Example: cyber insurance.
Avoidance - avoid an activity because the risks outweigh potential gains.
Acceptance - the current level of risk is acceptable. The risk falls within the organization’s risk appetite.
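The risk assessment process above (inherent versus residual risk, prioritization) and the four treatments can be worked through on a small risk register. The following is an added example written for these flashcards, not code from any framework or standard: the 1-5 likelihood/impact scales, the score = likelihood x impact model, the way a control subtracts points from a score, the appetite threshold and the treatment decision rule are all assumptions chosen for illustration (NIST SP 800-30 uses qualitative scales and leaves the arithmetic to the assessor), and the register entries are constructed sample values.

```python
"""Risk register scoring: inherent vs. residual risk, prioritization, and treatment.

Added worked example for the risk-management flashcards; not from any standard.
Scales, scoring model, control credit, appetite and treatment rule are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points removed from likelihood (assumed model)
    impact_reduction: int = 0       # points removed from impact (assumed model)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int                     # 1 = negligible .. 5 = severe (assumed scale)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")

    def inherent_score(self) -> int:
        """Risk before any control is credited."""
        return self.likelihood * self.impact

    def residual_components(self) -> tuple:
        """Likelihood and impact after crediting controls; never below 1."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1), max(imp, 1)

    def residual_score(self) -> int:
        """Risk remaining after the current controls are applied."""
        lik, imp = self.residual_components()
        return lik * imp


def choose_treatment(risk: Risk, appetite: int) -> str:
    """Hypothetical decision rule mapping residual risk to one of the four treatments."""
    lik, imp = risk.residual_components()
    if risk.residual_score() <= appetite:
        return "accept"          # within the organization's risk appetite
    if lik <= 2 and imp >= 4:
        return "transfer"        # rare but severe: the classic insurance case
    if risk.residual_score() >= 20:
        return "avoid"           # still extreme after controls: stop the activity
    return "mitigate"            # add controls until residual falls within appetite


def prioritize(register: list, appetite: int) -> list:
    """Rank the register by residual score (highest first) and attach a treatment."""
    ranked = sorted(register,
                    key=lambda r: (r.residual_score(), r.inherent_score()),
                    reverse=True)
    return [(r.asset, r.threat, r.inherent_score(), r.residual_score(),
             choose_treatment(r, appetite)) for r in ranked]


# Constructed sample register (illustrative values, not measured data).
SAMPLE_REGISTER = [
    Risk("online banking portal", "credential theft via phishing", likelihood=4, impact=4,
         controls=[Control("security awareness training", likelihood_reduction=1),
                   Control("spam filter", likelihood_reduction=1),
                   Control("endpoint antivirus", impact_reduction=1)]),
    Risk("server room", "flood", likelihood=1, impact=5),
    Risk("legacy app server", "internet-exposed unpatched service", likelihood=5, impact=5),
    Risk("software licensing", "audit finding for unlicensed seats", likelihood=2, impact=2,
         controls=[Control("license inventory", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, appetite=4):
        print(row)
```

With an appetite of 4 the phishing risk (inherent 16, residual 6) still needs mitigation, the flood (residual 5, rare but severe) is a transfer candidate, the exposed legacy server (residual 25) is flagged for avoidance, and the licensing risk (residual 2) is accepted; raising the appetite to 6 moves the phishing risk into acceptance, which is what the periodic-review step is for.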