Section 4: Risk Management Flashcards
Risk Management
The process of identifying, assessing, and determining how to handle known risks
Threat
Potential for unwanted harm to personnel or an organizational asset
Vulnerability
A weakness in an organizational asset that can cause harm
Risk Formula
Risk = Threats * Vulnerabilities
A threat with no vulnerability means there’s no risk
A vulnerability without a threat means there’s no risk
Both must exist for there to be a risk
NIST SP 800-30
Guide for Conducting Risk Assessments
Which phase of NIST SP 800-30 involves understanding how the organization reacts to risks?
Frame
Which phase of NIST SP 800-30 involves analyzing organizational assets to discover possible risks?
Assess
Which phase of NIST SP 800-30 involves determining the best course of action to address a risk?
Respond
Which phase of NIST SP 800-30 is continuous and involves verifying that the risk response implementation remains compliant and effective?
Monitor
Risk Mitigation
Reducing the risk to an acceptable level
Risk Assignment
Allocate responsibility for the risk to someone else (transfer the risk)
An insurance company, for example
Risk Deterrence
Implementing deterrent controls to reduce risk
Risk Avoidance
Don’t introduce changes that will increase the level of risk
Risk Acceptance
The risk exists and you accept the consequences if it occurs
Risk Monitoring
Verify the risk response implementation remains compliant and effective
Deterrent Control
Discourage unauthorized actions
Guards, warning banners, etc.
Preventative Control
Stop unauthorized actions
IPS, access control mechanisms
Detective Control
Discover unauthorized actions
IDS, log review, etc.
Corrective Control
Correct or modify unauthorized actions
Employee reprimand
Compensating Control
Support other controls
Awareness training, backups, UPS
Directive Control
Direct compliance with security policy
Security policy, warning signs and messages
Recovery Control
Recover from an event
UPS, archives, etc.
A service provider recently identified a range of potential security threats to its critical infrastructure. They aim to implement measures that will not only reduce the likelihood of these risks, but also discourage malicious actors from violating security policies. Which type of risk response would BEST meet this objective?
Risk deterrence
After a breach, an organization implemented a control designed to stop similar violations from occurring in the future by adjusting system configurations and restricting user privileges. What type of control was MOST likely implemented to mitigate further policy violations?
Corrective control
NIST SP 800-137
Information Security Continuous Monitoring
ISO 27004
Monitoring, measurement, analysis and evaluation
Continuous Monitoring Steps
DEFINE strategy based on risk tolerance levels
ESTABLISH metrics, methods, frequencies, scope
IMPLEMENT methods to collect monitoring data
ANALYZE the collected data and REPORT the findings to senior management
RESPOND to known risks using security controls
REVIEW/UPDATE the monitoring program by adjusting strategies to meet the organizational needs
NIST IR 7622
Notional Supply Chain Risk Management Practices for Federal Information Systems
CNSSD 505
Supply Chain Risk Management
ISO 28000
Specification for security management systems for the supply chain
The CISO wants to implement a strategy that provides real-time visibility into the organization’s security posture, while promptly identifying and mitigating risks as they emerge. With high-value assets spread across different geographic regions, what is the MOST effective method to maintain ongoing risk awareness and adapt to evolving threats?
Conducting continuous monitoring