Risk types: External
Any risks that originate outside an organization. This includes threats from external attackers as well as natural threats such as hurricanes, earthquakes, and tornadoes. These risks are sometimes predictable, but often not.
Risk Types: Internal
Any risks that originate within an organization. This includes employees and all the hardware and software used within the organization. These risks are generally predictable and can be mitigated with standard security controls.
Risk Types: Legacy Systems
The primary risk is that vendors do not support these systems. If vulnerabilities become known, the vendor doesn't release patches, and anyone using the system is at risk.
Risk Types: Multiparty
Occur when an organization contracts with an external organization for goods or services. If the third party suffers an attack, it may expose the contracting organization to additional threats.
Risk Types: IP theft
Intellectual Property (IP) includes things like copyrights, trademarks, patents, and trade secrets. Intellectual Property is valuable to an organization and IP theft represents a significant risk.
Risk Types - Software Compliance/Licensing
If individuals or organizations use software without buying a license, the development company loses revenue and the user is exposed to legal and financial penalties for non-compliance. Similarly, an organization can lose money if it buys licenses but does not track and protect them.
Risk Management Strategies
- Acceptance
- Avoidance
- Transference
- Mitigation
Acceptance
When the cost of a control outweighs the risk, an organization will often accept the risk.
Avoidance
An organization can avoid a risk by not providing a service or not participating in a risky activity.
Transference
The organization transfers the risk to another entity or at least shares the risk with another entity. The most common method is by purchasing insurance.
Mitigation
The organization implements controls to reduce risks. These controls either reduce the vulnerabilities or reduce the impact of the threat.
Cybersecurity Insurance
Helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage. It is the most common form of risk transference.
Risk Analysis
Identifies potential issues that could negatively impact an organization's goals and objectives.
Risk register
Lists all known risks and their source, an estimation of unknown risks and the response to be taken to each risk.
risk matrix/heat map
A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.
Risk control assessment
Examines an organization's known risks and evaluates the effectiveness of in-place controls.
Risk Control Self-Assessment
A risk control assessment performed by the employees who own the process or control being assessed, rather than by an independent auditor.
Risk Awareness
Understanding the risks an organization faces and the practice of identifying, monitoring, and limiting those risks to a manageable level. It doesn't eliminate risks but instead identifies methods to limit or mitigate them.
Inherent Risk
Refers to the risk that exists before any controls are in place to manage it.
Residual Risk
The amount of risk that remains after managing or mitigating risk to an acceptable level. Senior management is ultimately responsible for residual risk, and they are responsible for choosing the acceptable level of risk based on the organization's goals.
Control Risk
Refers to the risk that exists if in-place controls do not adequately manage risks. Imagine systems have antivirus software installed, but there is no reliable method of keeping its signatures up to date. Additional controls are needed to manage this risk adequately.
Risk Appetite
Refers to the amount of risk that an organization is willing to accept. This varies between organizations based on their goals and strategic objectives.
Regulations that affect risk posture
HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), SOX (Sarbanes-Oxley Act), GDPR (General Data Protection Regulation)
Risk Assessment Types
Qualitative risk analysis and quantitative risk analysis
Qualitative Risk Assessment
A risk assessment that uses judgment to categorize risks. It is based on the impact and likelihood of occurrence, typically rated on ordinal scales such as low, medium, and high.
Quantitative Risk Assessment
A risk assessment that uses specific monetary amounts to identify cost and asset value. It then uses the SLE and ARO to calculate the ALE, which can be compared against the annual cost of a control.
likelihood of occurrence
The probability that something will occur. It is used with impact in a qualitative risk assessment. Compare with impact.
Impact
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Asset Value
An element of a risk assessment. It identifies the value of an asset and can include any product, system, resource, or process. The value can be a specific monetary value or a subjective value.
Single Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying the asset value (AV) by the exposure factor (EF), the percentage of the asset's value lost in a single incident: SLE = AV x EF.
Annualized Loss Expectancy (ALE)
Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying the single loss expectancy by the annualized rate of occurrence: ALE = SLE x ARO.
Annualized Rate of Occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an incident, expressed on a per-year basis. An event expected once every ten years has an ARO of 0.1.
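The quantitative terms above (AV, EF, SLE, ARO, ALE) are usually applied to decide between acceptance and mitigation: a control is worth buying when the reduction in ALE it produces exceeds its annual cost. The following is an added example, not part of the original flashcard set; the risk register entries, control costs, and effectiveness figures are constructed sample data chosen to make the arithmetic visible.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk register entry in quantitative terms (constructed sample data)."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float               # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    """A candidate mitigation that reduces ARO and/or EF at a fixed annual cost.
    The multipliers are hypothetical effectiveness estimates, not vendor figures."""
    name: str
    annual_cost: float
    aro_multiplier: float = 1.0   # 0.2 means the control removes 80% of incidents
    ef_multiplier: float = 1.0    # 0.5 means each remaining incident does half the damage

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk that remains once this control is in place."""
        return Risk(risk.name, risk.asset_value,
                    risk.exposure_factor * self.ef_multiplier,
                    risk.aro * self.aro_multiplier)


def cost_benefit(risk: Risk, control: Control) -> dict:
    """Compare inherent ALE, residual ALE and control cost.

    annual_benefit = (inherent ALE - residual ALE) - control cost.
    A positive benefit argues for mitigation; otherwise the cheaper choice is
    to accept the risk (or look for a cheaper control).
    """
    inherent = risk.ale()
    residual = control.apply(risk).ale()
    benefit = (inherent - residual) - control.annual_cost
    return {
        "risk": risk.name,
        "control": control.name,
        "inherent_ale": inherent,
        "residual_ale": residual,
        "annual_benefit": benefit,
        "decision": "mitigate" if benefit > 0 else "accept",
    }


def evaluate_register(pairs: list[tuple[Risk, Control]]) -> list[dict]:
    """Run the cost-benefit comparison for every (risk, candidate control) pair."""
    return [cost_benefit(risk, control) for risk, control in pairs]


# Constructed register: two risks and one candidate control for each.
BREACH = Risk("customer database breach", asset_value=2_000_000,
              exposure_factor=0.25, aro=0.2)        # SLE 500,000; ALE 100,000
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000,
                  exposure_factor=0.6, aro=0.5)     # SLE 300,000; ALE 150,000

EDR = Control("endpoint detection and response", annual_cost=60_000,
              aro_multiplier=0.2)                   # residual ALE 30,000
DLP = Control("data loss prevention suite", annual_cost=120_000,
              aro_multiplier=0.5)                   # residual ALE 50,000

SAMPLE_PAIRS = [(RANSOMWARE, EDR), (BREACH, DLP)]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_PAIRS):
        print(f"{row['risk']}: inherent ALE {row['inherent_ale']:,.0f}, "
              f"residual ALE {row['residual_ale']:,.0f} with {row['control']}, "
              f"annual benefit {row['annual_benefit']:,.0f} -> {row['decision']}")
```

In the sample data the EDR control pays for itself (it removes 120,000 of annual expected loss for 60,000), while the DLP suite costs more than the 50,000 of ALE it eliminates, so under a pure cost-benefit rule that risk would be accepted or a cheaper control sought. In practice the residual ALE is then checked against the organization's risk appetite; a residual loss that senior management is unwilling to carry may justify a control even when the arithmetic alone says accept.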
Disasters: Environmental
This can include natural disasters, such as hurricanes, floods, earthquakes, and tornadoes. It can also include things like fires caused by lightning strikes rather than by humans.
Disasters - Person-made
Refer to disasters caused by human activity. This includes fires and train wrecks caused by human error. Within an organization, human error can cause software and hardware failures and data loss. Attacks are also person-made.
Disasters: Internal vs. external
Internal: occurs within an organization. For instance, a fire within a data center.
External: occurs outside of the organization but impacts the organization. For instance, a wildfire that takes down power lines and disrupts power to a data center.
Business Impact Analysis (BIA)
A process that helps an organization identify critical systems and components that are essential to the organization's success.
Recovery Time Objective (RTO)
The maximum tolerable time to restore an organization's information system following a disaster; it represents the length of time the organization is willing to operate without that system.
Recovery Point Objective (RPO)
The point in time to which data must be restored in order to successfully resume processing; it defines the maximum amount of data loss, measured in time, that the organization can tolerate, and therefore how frequently backups must be taken.
Mean Time to Repair (MTTR)
The average amount of time needed to resolve the cause of a failure through replacement or repair of a faulty unit. For a repairable system it should be shorter than the RTO.
Mean Time Between Failures (MTBF)
A statistical value that is the average time between failures of a repairable system or component; it indicates expected reliability. Compare with MTTF (mean time to failure), which applies to components that cannot be repaired and must be replaced.
Functional Recovery Plans
single point of failure
A component or entity in a system which, if it no longer functions, would adversely affect the entire system.
Disaster Recovery Plan (DRP)
A plan to restore an organization's IT capability after a disaster, such as the destruction of its data center.
Mission-Essential Functions
Refer to the functions that must be operational immediately, for instance at an alternate site, until normal operations can be restored.
Identification of critical systems
Distinguishing important functions that make up the mission-essential functions in an organization.
Site Risk Assessment
The assessment of all risks and hazards that could happen at a particular site. Includes spillage of chemicals, power outages, loss of health and safety certificates, etc.