What is the main responsibility of a cyber security professional
To manage risk
Risks can be divided into
Internal or External
Internal Risk
Risks that arise from inside the organization
External Risk
Risks that arise outside the organization
Multiparty Risks
Risks that affect more than one organization
Intellectual Property theft poses a risk to what kind of organizations?
Knowledge-based
Legacy Systems should
be replaced with modern solutions or have strong controls around them
Software license compliance issues risk what?
Risk fines and legal action
Risk Assessment
the process of identifying and triaging the risks facing an organization based on their likelihood of occurrence and expected impact on the organization
Threats
External forces that jeopardize security
Threat Vector
Methods used by an attacker to get to your target
Vulnerabilities
Weaknesses in your security controls
Risks
Are the combination of a threat and a vulnerability
What are the two factors by which risks are ranked?
By their likelihood and impact
Qualitative Risk Assessment
Uses subjective ratings to evaluate risk likelihood and impact
Quantitative Risk Assessment
Uses objective numeric ratings to evaluate risk likelihood and impact
Risk Treatment
Analyzes and implements possible responses to control risk
The 4 basic risk treatment options
Risk Avoidance
Risk Transference
Risk Mitigation
Risk Acceptance
Risk Avoidance
changing the business practices to make a risk irrelevant
Risk Transference
shifts the impact of a risk from one org to another (Insurance)
Risk Mitigation
actions that reduce likelihood and impact of a risk
Risk Acceptance
is the choice to continue operations in the face of risk
Risk Profile
The combination of risks that affect an organization
Risk Tolerance
the level of risk an org is willing to accept
Security Controls
Reduce the likelihood and impact of a risk and help identify issues
Defense in Depth
Uses overlapping security controls to achieve the same objective
Controls can be grouped based on what two things?
Their purpose or control mechanism
Preventative Controls
Stops a security issue from occurring (purpose)
Detective Controls
Identifies security issues requiring investigation (purpose)
Recovery Controls
Remediate security issues that have occurred (purpose)
Technical Controls
uses technology to achieve control objectives
What is another term for Technical Controls?
Logical Controls
Administrative Controls
uses processes to achieve control objectives
Physical Controls
impacts the physical world
Configuration Management
Tracks specific device settings
Baselines
provide a configuration snapshot
Versioning
Assigns numbers to each version
Diagrams
Serve as important configuration artifacts