Risk Management
What is Risk Management?
Defined as a holistic process to:
Identify, assess, respond to, and monitor risks impacting organizational operations, assets, individuals, and the nation from information systems.
Reference: NIST SP 800-30
Key Steps in Risk Management
Framing Risk
Establish the context, assumptions, and risk tolerance; describe the environment for risk-based decisions.
Assessing Risk
Identify:
Threats to organizational operations, assets, or individuals.
Vulnerabilities (internal and external).
Harm and impacts of exploiting vulnerabilities.
Likelihood of harm occurring.
Final goal: Determine risk based on harm and likelihood.
Responding to Risk
Develop consistent organizational responses:
Create alternative courses of action.
Evaluate options.
Choose actions respecting organizational risk tolerance.
Implement selected risk responses.
Monitoring Risk
Purpose:
Assess the ongoing effectiveness of responses.
Identify changes in organizational systems affecting risk.
Ensure compliance with information security requirements and policies.
Importance of Risk Management
Purpose: Informed decision-making across three tiers:
Tier 1: Organization-wide governance and strategy.
Tier 2: Mission/business process operational priorities.
Tier 3: Information systems and technical controls.
Goal: Protect against threats such as cyberattacks, human errors, and natural disasters that can compromise confidentiality, integrity, and availability.
Example: CrowdStrike Incident
A problematic software update by CrowdStrike caused a global IT outage affecting various sectors like airlines, banks, and hospitals.
Risk Management Failure:
Inadequate testing led to vulnerabilities.
Lack of phased deployment worsened the impact.
Lesson Learned: Improve risk monitoring and response strategies to mitigate similar non-adversarial threats.
Risk Management Process in Action
Framing Risk: Define scope, assumptions, and acceptable risk tolerance (e.g., acceptable downtime).
Assessing Risk: Quantify threats like ransomware and vulnerabilities from unpatched systems.
Responding to Risk: Prioritize actions like patch management over backups.
Monitoring Risk: Regularly track changes to maintain awareness of new exploits.
Example: Healthcare Ransomware Attack
Event: ALPHV/BlackCat ransomware exploited vulnerabilities in Change Healthcare’s systems, leading to disruptions in U.S. healthcare billing.
Risk Management Insight: Poor vulnerability management and delayed responses increased impact.
Lesson: Emphasize proactive monitoring and quick responses to mitigate adversarial threats.