What is risk assessment
The process of identifying, prioritizing and deciding what to do about the risks to business assets.
Where can risk assessment be applied
Across the entire organization or in specific projects/departments
Name examples of high-value targets in risk assessment
Servers, legacy systems, intellectual property (IP), software licenses
Risk assessment process
1: Risk awareness
2: Gather cyber threat intelligence
3: Evaluate existing security controls
4: Measure inherent and residual risk
5: Implement new controls
6: Periodically review
What are environmental risks
Natural events like floods and hurricanes
What are person-made risks
Human threats like riots, terrorism, sabotage
What are internal risks
Insider threats or malware from within the organization
What are external risks?
External attacks like Distributed Denial of Service (DDoS)
DDoS
A type of cyberattack where multiple compromised computers flood a target, such as a website or server, with excessive traffic, making it slow or unavailable to legitimate users
What is risk mitigation
Proactively using controls to reduce risk
What is risk transference
Shifting risk to a third party (e.g. cyber insurance)
What is risk avoidance
Choosing not to engage in risky activities
What is risk acceptance
Accepting a risk when it falls within the organization's risk appetite
What is SLE
Expected monetary loss from a single incident (Single Loss Expectancy): SLE = AV × EF, where AV is the asset value and EF is the exposure factor (example given: 24,000 asset * 25.5 EF = 3000)
What is ALE
Total expected loss per year (Annualized Loss Expectancy): ALE = SLE × ARO, where ARO is the annualized rate of occurrence
What is qualitative risk assessment?
Uses subjective opinions to rate risk based on likelihood and impact
What is a risk register
A centralized log of all known risks, their likelihood, impact, owner and mitigation strategies
What is a risk heat map?
A visual (color-coded) representation of risk severity and likelihood
What is a risk matrix
A table showing severity and likelihood of risks; similar to a heat map but without color
Who are script kiddies?
Unskilled hackers using existing tools; external, with low resources and sophistication
Who are hacktivists
Hackers with political/social causes; external and low in sophistication/funding
What is Shadow IT
Unauthorized IT use by employees (apps/services), potentially creating vulnerabilities
What is an application allow list
A list of approved software/apps to reduce vulnerabilities
What are APTs
Nation-state backed, highly skilled, stealthy, prolonged attacks (Advanced Persistent Threats)
What are nation-state actors
Government-backed groups using cyber espionage for strategic advantage
What is CVE
Common Vulnerabilities and Exposures: a public list of known threats
What is AIS
Real-time cybersecurity info exchange between organizations
What is TAXII
A system that shares cyber threat info like an RSS feed
What is STIX
A data format for sharing structured threat information
What does CIS provide
Cybersecurity best practices
What does NIST RMF/CSF offer
Guidelines for managing cybersecurity risk
What do ISO/IEC 27001 and 27701 focus on
IT systems and information security standards
What is SSAE SOC2 used for
Financial risk frameworks ensuring internal controls
What is GDPR
EU regulation protecting personal data
What is HIPAA
U.S. law protecting patient health data
What is PCI DSS
Security standard for cardholder data (Visa/ Mastercard)
What is an AUP
Guidelines for proper use of company resources like email/web
What are account policies
Rules for securing user accounts (e.g. hardening, access limits)
What is a data retention policy
Rules on how long data is kept (often by regulation)