Risk


24 Terms

1. Risk

The possibility of a negative impact on an asset, typically a threat exploiting a vulnerability

2. Vulnerability

A weakness that can be exploited by a threat

3. How are risks managed?

By applying controls that bring the risk down to an acceptable level; whatever remains after the controls is the residual risk the organisation lives with

4. Risk Assessments

Identifying risks and determining, for each one, its:

  • Impact

  • Likelihood

5. Steps to conduct a risk assessment

  1. Identify potential hazards

  2. Identify who or what could be harmed by the hazards

  3. Evaluate the risk (severity and likelihood)

  4. Establish precautions

  5. Implement controls and record the findings

  6. Review and re-assess periodically, or when the environment changes

6. 4 Ways to manage risk

  • Risk mitigation: applying technical controls (patches, firewalls) and administrative controls (policies, procedures) to reduce likelihood or impact

  • Risk transfer: shifting the cost of a loss to someone else (insurance, outsourcing); note that accountability and reputational damage usually cannot be transferred

  • Risk acceptance: consciously accepting an unavoidable or low-priority risk and its consequences, normally documented and signed off by an owner

  • Risk avoidance: preventing the risk altogether by eliminating the hazard (e.g. not collecting the data or decommissioning the system)

7. Policy

A plan of intent that outlines specific goals, principles, and courses of action for an organisation.

8. Why are policies used?

Policies are used to provide guidance, ensure compliance with laws and regulations, and establish a framework for decision-making within an organisation.

9. Common policy examples

Acceptable Use Policy (AUP): Defines acceptable user behaviour on the organisation's network and systems, and the consequences of violating it.

Service Level Agreement (SLA): Dictates the services provided, the expected performance level and response times, and the repercussions if the service is not delivered.

Bring Your Own Device (BYOD): Establishes rules for using personal devices in the workplace (e.g. required encryption, MDM enrolment, remote wipe).

Memorandum of Understanding (MOU): Formally outlines an agreement between parties but is generally not legally binding; it often precedes a binding contract.

10. Standard Operating Procedures (SOP)

Step-by-step instructions for routine tasks to ensure consistency.

11. Compliance

Adherence to laws, regulations, and internal policies to ensure operational and legal integrity.

12. Why are compliance frameworks important?

  • Increase trust between the organisation, its customers and its partners

  • Often a legal or contractual requirement

  • Ensure a baseline level of security (organisations are better equipped to respond to security events, reducing risk and impact)

13. GDPR General Data Protection Regulation

  • EU law on data protection and privacy

  • Data controllers and processors must implement appropriate technical and organisational measures to protect personal data, such as pseudonymisation and encryption (note that fully anonymised data falls outside GDPR's scope)

  • They must have one of the following lawful bases to process personal data:

    • Consent

    • Contract

    • Public task

    • Vital interests

    • Legitimate interests

    • Legal obligation

  • Data controllers must disclose what data is collected, the purpose of collection, and how long it is retained

14. ISO 27001

Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), including the security controls the organisation selects

Organisations meeting the requirements can be certified after an audit by an accredited certification body

15. PCI DSS

  • Payment Card Industry Data Security Standard

  • For organisations that store, process or transmit payment card data for the major card brands

  • Aims to reduce card fraud and breaches of cardholder data

  • How compliance is validated depends on how many transactions the organisation handles:

    • Self-Assessment Questionnaire (SAQ): smaller merchants and service providers

    • Onsite assessment and Report on Compliance (RoC) by an external Qualified Security Assessor (QSA): the largest merchants

    • Alternatively, the same assessment performed by the firm's own PCI-certified Internal Security Assessor (ISA): larger organisations that have trained in-house assessors

16. HIPAA

Health Insurance Portability and Accountability Act

For organisations in the US that handle protected health information (PHI): healthcare providers, insurers and clearinghouses, plus the business associates that process PHI on their behalf

17. Technical controls for HIPAA

Encryption, authentication, password complexity, access auditing, network segmentation

18. Procedural controls for HIPAA

Password policies, incident response plans, contingency plans, audit procedures

19. Change management

Ensuring changes in an organisation are planned, approved, documented, and auditable

In cybersecurity it gives traceability: if a change introduces a security weakness, the record shows what changed, when, and who approved it, which establishes accountability and makes rollback possible

20. Patch Management

The ability to deploy patches and security fixes to IT assets in a timely, tracked way

21. WSUS Windows Server Update Services

  • Allows IT teams to deploy the latest Microsoft product updates

  • At least one WSUS server (the upstream server) on the network must be able to connect to Microsoft Update to download update metadata and content

  • This means endpoints and servers don't need an internet connection to download patches themselves; they pull approved updates from the internal WSUS server
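An added example, not from the original flashcards, of what the last two bullets mean on an endpoint: a PowerShell script that points a Windows client at an internal WSUS upstream server by writing the same Windows Update policy registry values that a Group Policy Object would write. The server name wsus01.corp.example, the port 8531 and the "Pilot" target group are assumptions; the registry paths and value names (WUServer, WUStatusServer, UseWUServer, AUOptions, TargetGroup) are the documented Windows Update policy settings.

```powershell
# Added example (not from the original flashcards): configure a Windows endpoint to pull
# updates from an internal WSUS upstream server instead of Microsoft Update.
# Assumptions: "wsus01.corp.example", port 8531 and the target group "Pilot" are hypothetical.
# Run in an elevated PowerShell session on the client.

function Set-WsusClient {
    param(
        [Parameter(Mandatory)] [string] $WsusUrl,   # e.g. https://wsus01.corp.example:8531
        [switch] $TargetGroupEnabled,
        [string] $TargetGroup = 'Pilot'
    )

    if ($WsusUrl -notlike 'https://*') {
        # A client that trusts an HTTP-only WSUS server will accept forged updates from
        # anyone who can sit on the network path between it and the server.
        Write-Warning "WSUS URL '$WsusUrl' is not HTTPS; update traffic can be tampered with."
    }

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    foreach ($key in @($wuKey, $auKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Where the agent downloads updates from and where it reports status (usually the same host).
    Set-ItemProperty -Path $wuKey -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $WsusUrl -Type String

    # Use the intranet server instead of Microsoft Update, and keep automatic updates enabled.
    # AUOptions 3 = download automatically, notify before install; 4 = install on a schedule.
    Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions    -Value 3 -Type DWord

    if ($TargetGroupEnabled) {
        # Client-side targeting: the WSUS admin approves patches per group, so a "Pilot"
        # group can receive an update before the rest of the estate.
        Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $TargetGroup -Type String
    }

    # The Windows Update Agent reads these keys on start; restart it to apply immediately.
    Restart-Service -Name wuauserv
}

function Get-WsusClientStatus {
    # Reads back the effective settings so the configuration can be verified or audited.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $cfg = Get-ItemProperty -Path $wuKey        -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$wuKey\AU"   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer     = $cfg.WUServer
        UseWUServer  = $au.UseWUServer
        TargetGroup  = $cfg.TargetGroup
        UsesTls      = [bool]($cfg.WUServer -like 'https://*')
    }
}

Set-WsusClient -WsusUrl 'https://wsus01.corp.example:8531' -TargetGroupEnabled -TargetGroup 'Pilot'
Get-WsusClientStatus
```

In a domain these values are normally pushed by a GPO rather than set by hand; the script is useful on workgroup machines and for checking what a GPO actually applied. Keep the URL on https:// and make sure the client trusts the certificate the WSUS server presents, otherwise the "no internet needed" design also becomes "no integrity check needed" for anyone on the internal network path.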

22. SCCM Microsoft System Center Configuration Manager (now Microsoft Configuration Manager)

  • Paid solution that acts as an asset inventory, installs software, and deploys updates and security patches to systems across the network

  • Uses Microsoft's WSUS underneath but adds patch management control over when and how updates are deployed (maintenance windows, phased rollouts, compliance reporting)

  • Made primarily for Windows systems

23. Functionality offered by ManageEngine Patch Manager Plus

  • Deploy patches to Windows, macOS and Linux

  • Update the operating system

  • Update Microsoft Office software

  • Update third-party applications, e.g. Adobe products, browsers, utilities

  • Scan endpoints to detect missing patches

24. True/False: organisations only use one patching solution

False. Mixed estates (Windows, macOS, Linux, network devices, third-party software) usually need more than one tool.