Lesson 15 - CertMaster

Lesson Introduction

• Risk Management Practices: Involve systematic processes of identifying, assessing, mitigating, and monitoring organizational risks.

• Audits: Provide independent and objective evaluations of processes and controls, ensuring adherence to standards and identifying risks.

• Assessments: Evaluate the effectiveness of risk management strategies and identify vulnerabilities.

• Importance: Combining audits and assessments is essential for understanding risks and implementing controls to protect against potential threats.

Lesson Objectives

• Explain various risk management processes and concepts.

  • Risk management: Process of identifying, assessing, and mitigating vulnerabilities.

    • Likelihood: Chance of a risk event happens (subjective)

    • Probability: Chance of a risk event happens (determined by statistics)

    • Impact: How severe the risk will be as an incident.

    • Risk register: Document displaying the results of risk assessments in a comprehensible format.

    • Risk threshold: Limits/levels of risk an organization is willing to tolerate.

  • Risk management process:

    1. Identify critical systems/functions (risk identification)

    2. Identify highly probable vulnerabilities in critical systems (risk analysis)

    3. Identify threat sources/actors that may trigger vulnerabilities in critical systems (risk analysis)

    4. Analyze the business impact of activated vulnerabilities (business impact analysis, risk posture)

    5. Identify and assess the possible countermeasures (risk response)

  • Risk identification: Listing sources of cybersecurity risks, such as malware attacks, phishing, insider threats, or equipment failures.

  • Risk assessment: Determining the impact/significance of identified risks on the organization.

  • Risk analysis: Identifying and evaluating potential risks, and their defining characteristics.

    • Quantitative risk analysis: Method that aims to assign concrete numbers to risk factors. Include:

      • Single Loss Expectancy (SLE) - loss if a single occurrence occurred. Determined by multiplying the asset value (e.g., a $200,000 office building) by an exposure factor (how much would be lost, like 40%/0.4 for a tornado that damages the building).

      • Annualized Loss Expectancy (ALE) - a loss that would occur over a year. Determined by multiplying SLE by the annualized rate of occurrence (ARO, number of times a year an incident occurs).

    • Qualitative risk analysis - risk assessment dependent on subjective and qualitative factors.

    • Inherent risk: Level of risk before any type of mitigation has been attempted.

      • Risk posture: Level/type of risk an organization is willing to tolerate and identifies risk responses to prioritize.

  • Risk mitigation: Reducing exposure/effects of identified risks.

    • Avoidance: Stopping the risky activity.

    • Transference: Shifting the risk to a third party, often through insurance or outsourcing, to manage potential impacts.

    • Acceptance: Recognizing the risk and making a conscious decision to accept it, often because the costs of mitigation outweigh the potential impact.

  • Risk assessment types:

    • Ad hoc: Conducted as needed, normally in response to specific incidents (e.g., zero-day malware)

    • Recurring: Regularly scheduled risk assessments (quarterly, annually)

    • One-time: Comprehensive evaluations at a particular time point (e.g., when implementing new software).

    • Continuous: Constantly evaluated risk assessments - typically done by vulnerability scanners/IDS systems

• Understand business impact analysis concepts.

  • Starts with identifying critical business assets. Includes:

    1. People: Employees, vendors, suppliers

    2. Tangible assets: Buildings, computer equipment, machinery, digital data

    3. Intangible assets: Ideas, brand, commercial reputation

    4. Procedures: Supply chains, SOPs

  • For critical business functions - reduce dependencies by identifying:

    • Inputs - sources of information for performing the business function

    • Hardware - server or datacenter that does processing

    • Staff that support function

    • Outputs - data/resources produced by the function

    • Process flow - step-by-step description of how the function is performed

  • Mission essential function (MEF): A business function that cannot be deferred and must be performed as continually as possible.

  • Maximum tolerable downtime (MTD): The longest time period a business can experience an outage without causing irrecoverable failure (for example, a medical equipment manufacturer may be able to exist without incoming supplies for 3 months, and after this time, the organization won’t have sufficient supplies).

  • Recovery Time Objective (RTO): The target time set for the recovery of IT and business activities after a disruption.

  • Work Recovery Time (WRT): Time in addition to the RTO to perform reintegration of impacted business functions.

  • Recovery Point Objective (RPO): Quantity of data loss that a system can sustain, measured in time.

  • Mean time between failures (MTBF): Expected lifetime of a product; calculated from total operation time / # of failures.

  • Mean time to repair (MTTR): Measure of time taken to correct a fault after a failure occurs; less time = less harm to business operations

• Learn about risk responses, vendor assessments, and management practices.

  • Vendor assessment: evaluation of third-party vendor capabilities & security before engaging in business partnerships.

  • Conflict of interest: A situation where an individual has competing interests that could compromise their ability to act objectively.

  • Vendor assessment methods:

    • Penetration testing: Attempting to break into a system (legally) to report on exploitable vulnerabilities.

    • Right-to-audit-clause: Contract that grants an organization authority to conduct audits on vendor operations.

    • Evidence/documentation of external audits

    • Independent assessment of vendor capabilities

    • Supply chain analysis

• Explore internal and external assessment concepts.

• Understand different penetration testing methods.

5.2 Elements of Risk Management Process

Overview of Risk Management

• Risk Management Components: Includes identifying potential issues, assessing impact, and implementing controls to mitigate risks.

• Key Concepts: Risk identification, assessment, mitigation, and monitoring.

• Risk Appetite and Tolerance: Defines the levels of risk an organization is willing to accept.

Risk Identification and Assessment

• Risk Identification: Crucial for managing cybersecurity risks, includes recognizing risks like malware attacks and insider threats.

• Methods: Vulnerability assessments, penetration testing, security audits, and threat intelligence.

• Risk Assessment: Evaluates previously identified risks to determine their impact on the organization.

  • Methodologies: Can be ad hoc, one-time, recurring, or continuous assessments.

  • Ad Hoc Assessments: Conducted as needed, often in response to specific incidents.

  • Recurring Assessments: Scheduled at regular intervals to identify and assess risks.

  • Continuous Assessments: Provide real-time data about risks using specialized tools.

Risk Analysis and Assessment

Risk Analysis vs Risk Assessment

• Risk Analysis: Identifies and evaluates potential risks, examining causes, consequences, and concerns.

• Risk Assessment: A systematic approach estimating risk levels based on collected data, addressing likelihood and severity.

Quantitative Risk Assessment

• Objective: Assign concrete values to risks.

  • Single Loss Expectancy (SLE): Expected loss in a single occurrence, calculated by asset value and exposure factor.

  • Annualized Loss Expectancy (ALE): The yearly loss estimated by multiplying SLE by the annualized rate of occurrence (ARO).

Qualitative Risk Assessment

• Objective: Assess risks based on subjective judgment and qualitative factors.

• Strengths and Limitations: Simple and easy to use, but subjective and relies heavily on expert judgment.

Inherent Risk

• Definition: Level of risk before any mitigation efforts.

• Regulatory Requirements: Compliance with laws mandating security controls, such as SOX, HIPAA, and PCI DSS.

Risk Posture

• Definition: Overall status of risk management within an organization, prioritizing risk response options appropriately.

Risk Management Strategies

Categories of Strategies

1. Risk Mitigation: Reduces exposure and impacts via controls.

2. Avoidance: Stops the activity causing risk.

3. Transference: Transfers risk to third-party (e.g., insurance).

4. Acceptance: No countermeasures are put in place if risk is deemed acceptable.

Risk Reporting

• Effectiveness: Communicates risk profiles and effectiveness of risk management.

• Audience-Specific Content: Tailors reports based on the audience (board members vs operational managers).

Business Impact Analysis (BIA)

Definition and Importance

• Purpose: Understand potential effects of disruptions (e.g., accidents, disasters).

• Process: Involves identifying critical systems, assessing impacts, and creating recovery strategies.

Metrics Influencing BIA

• Maximum Tolerable Downtime (MTD): Longest period a business function can be downtime without irrecoverable failure.

• Recovery Time Objective (RTO): Time taken to restore individual IT systems post-disaster.

• Recovery Point Objective (RPO): Maximum permissible data loss in a disaster.

Topic 15B Vendor Management Concepts

Third-Party Risk Management

• Elements: Vendor due diligence, risk identification, ongoing monitoring, and incident response planning.

• Vendor Selection: Evaluate security practices, financial stability, and compliance.

Conflict of Interest

• Definition: When competing interests compromise the ability to act objectively.

• Importance: Addressing conflicts ensures unbiased vendor assessments.

Audits and Assessments

Types and Purposes

• Audits: Systematic evaluation of processes and compliance with standards.

• Assessments: Evaluate effectiveness of operations, cybersecurity, and controls.

Internal vs External Assessments

• Internal: Conducted by organization's employees; enhances internal controls and monitoring.

• External: Conducted by independent parties; validates compliance and provides unbiased evaluations.

Summary of Lesson 15

• Core Concepts: Risk management, business impact analysis, vendor management, and audits.

• Takeaways:

  • Continuous risk assessment and updating risk registers are vital.

  • Understanding and managing third-party risks are crucial components of an organization's risk strategy.

  • Penetration testing is a critical method for assessing security resilience.