Risk |
Potential for negative impact on the organization, its goals or objectives, or its assets (including people, systems and data) due to a threat exploiting a vulnerability. |
Threat |
A threat is a negative event that can lead to an undesired outcome, such as damage to, or loss of, an asset. |
Threat Actor |
A person or entity that is capable of intentionally or accidentally compromising an asset's security.
Examples: hacker, disgruntled employee, fire, HVAC failure.
Severity factors: skill level, motivation, opportunity, size.
|
Threat Vector |
The path a threat takes to exploit a vulnerability and cause harm.
Example (ransomware): phishing email --> user clicks the phishing link --> malware is downloaded --> malware downloads the public key --> data is encrypted --> ransom is demanded.
|
Vulnerability |
A vulnerability is a weakness or gap that exists within a system that may be exploited (by a threat actor) to compromise an asset's security or trigger a risk event.
In the above example: email gateway lacking up-to-date definitions, low security awareness --> no detection at the perimeter firewall --> web proxy not detecting the malicious IP/URL.
Other examples: unpatched application/OS, weak access control, etc.
Severity factors: ease of discovery, ease of exploit, public awareness.
|
Asset |
Anything of value to the organisation (people, process and information).
In the above example: information.
|
Risk Management |
Includes all the processes to identify threats and vulnerabilities, then analyse, evaluate and respond in a timely manner.
Four steps: Identify, Analyse, Evaluate, Respond.
|
Inherent Risk |
Risk before controls are applied |
Residual Risk |
Risk after controls are applied.
In the ransomware example, the risk before controls are applied is Critical.
|
Risk Assessments |
Set of activities to identify risks, analyse them, and determine impact and likelihood in order to quantify the risk |
Identification |
- Identify the assets which can be impacted
- Identify the asset value (for prioritisation)
- Identify the threats (threat modelling, risk scenarios)
- Identify the vulnerabilities (VA, pentest, assessment, audits)
|
Risk Analysis |
Determine Likelihood (based on existing controls and exposure):
- Severity of the threat (skill level, motivation, opportunity, size)
- Severity of the vulnerability (ease of discovery, ease of exploit, public awareness)
|
Determine Impact:
- Asset value
- Technical impact: loss of confidentiality, integrity, availability and accountability
- Business impact: loss of productivity, downtime, financial, reputational, non-compliance (regulatory, e.g. privacy; contractual)
|
Qualitative Risk Analysis |
More subjective; expressed as Critical/High/Medium/Low.
1. Asset value: mission critical, business critical
2. Likelihood (1-5): Certain (5), Very Likely, Likely, Less Likely, Rare
3. Impact (1-5): Catastrophic (5), High, Medium, Low, Negligible
Representation: heat map on a scale of impact and likelihood.
Advantages: low skill level required, faster, followed by most organisations.
Risk quantification: Likelihood (4) x Impact (5) = 20 (High)
|
Quantitative Risk Analysis |
Analysis in quantitative terms (dollar value).
1. Asset value: USD (cost of the asset, cost of recovery/re-establishment)
2. Likelihood (1-5): Certain (5), Very Likely, Likely, Less Likely, Rare
3. Impact: USD financial (impact from downtime, cost of response and recovery, cost of data) + reputational impact (2x financial) + compliance (regulatory + contractual)
Risk quantification: SLE (single loss expectancy) = AV (asset value) x EF (exposure factor, the % of the asset damaged); ALE (annualised loss expectancy) = SLE x ARO (annualised rate of occurrence)
|
Risk Evaluation |
Compare the risk with the organisation's risk profile or risk tolerance.
Mapping (own experience, not covered under CISSP): within risk appetite; on risk appetite; out of risk appetite; on risk tolerance threshold; out of risk tolerance threshold; out of risk capacity.
|
Risk Response |
Risk Avoidance: eliminate the activity or technology, or use an alternate method (sometimes very difficult).
Risk Mitigation: the organisation decides to remediate the risk to reduce its likelihood or impact (MFA, encryption, vulnerability remediation, resolving dependencies).
Risk Transfer: transfer the risk liability to another party (outsourcing, insurance, etc.). Complete risk transfer is not possible, but the risk can be shared (risk sharing).
Risk Acceptance: the organisation accepts the risk, ideally within its risk acceptance level, though sometimes it is not. If no other option works, this is the default mechanism. |
Control |
A security control is a safeguard (preventive) or countermeasure (corrective) that reduces the likelihood or impact of a risk.
Control categories (manual/automated):
- Technical / Logical: hardware, software or firmware
- Operational / Physical: related to day-to-day operations, e.g. security guards, lighting, gates
- Management / Administrative: policies, security awareness
Control types:
- Preventive: first-line controls that prevent the risk from occurring, e.g. firewall, backup, security awareness, input validation
- Detective: audits, door alarms, IDS
- Corrective: minimise impact and repair damage, e.g. software patches, configuration modification, policy updates to address the root cause
- Recovery: complement corrective controls, e.g. system backups, disaster recovery sites, RAID
- Deterrent: discourage attackers, e.g. fencing, security guards, guard dogs
- Compensating: used in addition to or in lieu of a primary control; may not fully mitigate the risk, but reduces it to a certain level
|
Control Implementation |
Most common risk response option: selection and implementation of one or more controls around people, process and technology.
Factors to consider:
- Security effectiveness: will the control address the identified risk? E.g. encrypting all the data is good, but is that effective if the risk pertains to availability?
- Cost effectiveness: is the control cost effective? Perform a cost-benefit analysis. Control cost effectiveness: ALE after implementing the control (residual risk) + cost of the control < ALE before control implementation (inherent risk).
- Operational impact: is there a negative operational impact? E.g. you noticed that identity thefts are increasing and many employee passwords have been compromised recently. As CISO you decided to increase the password length from 8 characters to 15, with complexity. As a result, you see an increased count of helpdesk tickets related to password resets.
Cost effectiveness use case: Cybernous is facing 5 laptop thefts in a year. Asset cost (information + laptop) under the scope of the threat = 10,000 USD; EF is 10%; cost of implementation and maintenance of encryption = 8,500 USD.
|
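Worked computation of the SLE/ALE formulas from the Quantitative Risk Analysis row and the cost-effectiveness criterion from the Control Implementation row, applied to the Cybernous laptop-theft use case. This is an added example, not part of the original notes; it assumes the 10,000 USD is the value at risk per theft, that 5 thefts per year is the ARO, and that the 8,500 USD encryption cost is an annual figure.

```python
from dataclasses import dataclass


@dataclass
class QuantitativeRisk:
    """Inputs named on the page: AV (asset value), EF (exposure factor), ARO."""
    asset_value: float       # AV in USD
    exposure_factor: float   # EF: fraction of AV lost per event, 0.0..1.0
    aro: float               # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        """SLE = AV x EF: loss from a single event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = SLE x ARO: expected loss per year."""
        return self.sle() * self.aro


def control_is_cost_effective(ale_before: float, ale_after: float, control_cost: float) -> bool:
    """Page's criterion: residual ALE + cost of control < inherent ALE."""
    return ale_after + control_cost < ale_before


def max_justifiable_control_cost(ale_before: float, ale_after: float) -> float:
    """Largest annual control cost that still satisfies the criterion above."""
    return ale_before - ale_after


def laptop_theft_case() -> dict:
    """The page's Cybernous use case. Assumptions (constructed, not stated on the page):
    10,000 USD is the value at risk per theft, 5 thefts/year is the ARO, and the
    8,500 USD encryption cost is an annual figure."""
    inherent = QuantitativeRisk(asset_value=10_000, exposure_factor=0.10, aro=5)
    encryption_cost = 8_500
    ale_before = inherent.ale()
    # Best case for the control: encryption removes the entire exposure (residual ALE 0).
    # If the control fails the test even then, no residual-risk estimate can rescue it.
    residual_best_case = 0.0
    return {
        "sle": inherent.sle(),
        "ale_before": ale_before,
        "max_justifiable_cost": max_justifiable_control_cost(ale_before, residual_best_case),
        "cost_effective": control_is_cost_effective(ale_before, residual_best_case, encryption_cost),
    }


if __name__ == "__main__":
    for key, value in laptop_theft_case().items():
        print(f"{key}: {value}")
```

Under these assumptions the inherent ALE is 5,000 USD, so even with residual ALE taken as zero the 8,500 USD control fails the page's cost-effectiveness test; a cheaper control, or a larger value at risk, would change the outcome.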
Control Assessment |
Controls must be tested periodically, through self-assessments or external assessments (examination, interview and test).
Examine: understand, clarify and obtain evidence. Interview: discussions with individuals/groups. Test: compare actual with expected output; implemented as documented. |
Monitoring and Measurement |
Monitor control effectiveness through KPIs, KRIs and security scorecards |
Reporting |
Report the performance of controls to top management: formal reports of assessments and audits; document and report risk to leadership |
Continuous Improvement |
Continuously improve the security posture and ROI; control implementation should be at the optimal level (not too many, not too few). How: risk maturity assessments |
How to select the right Framework? |
- Consistent: the control environment should be consistent with IS and privacy requirements
- Measurable: set goals and measure progress; the framework should provide control assessment standards
- Standardisation: bring your security or RM programme to be compared with industry standards
- Comprehensive: should address minimum legal, regulatory and industry requirements in line with your line of business
- Modular: the framework should be flexible enough to accommodate changes or integrate with other frameworks
|
ISO 31000:2018 |
Applicable to all types of organisations irrespective of governance structure or industry. ISO 31000:2018 is more generic (enterprise wide) and aligned with ISO 27001.
8 principles of ISO/IEC 31000:2018:
- Customised: the framework can be customised to the organisation's requirements (structure / risk levels)
- Inclusive: all stakeholders should come together for success
- Comprehensive: structured and complete coverage
- Integrated: integrate risk management into all organisational activities
- Dynamic: anticipate, detect, acknowledge and respond to risk in a timely manner
- Best available information: consider whether the information is limited
- Human and cultural factors: improve the overall risk culture and shared responsibility
- Continual improvement: optimise the RM function through learning and experience
|
ISO 27005 |
"Information technology - Security techniques - Information security risk management": provides detail and structure to information security risks by defining the context for information security risk decision-making. |
NIST RMF |
NIST Risk Management Framework (NIST RMF), 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems". Six steps:
1. Categorise systems: categorise all information systems based on value to the organisation and impact (CIA); systems must be inventoried along with their value
2. Select controls: prepare a baseline set of controls (based on category and impact) for implementation
3. Implement controls: implement the selected controls
4. Assess controls: evaluate effectiveness and appropriateness
5. Authorise system: once assurance is obtained that the controls operate as expected and reduce risk to an acceptable level, management gives formal approval for use
6. Monitor: continuously monitor
|
COBIT and Risk IT (ISACA) |
COBIT can be implemented for enterprise IT. It differentiates governance (5 processes) from management (32 processes). Highly flexible framework, compatible with other frameworks such as ISO 27001, ITIL, SOX and TOGAF.
Risk IT: contains 3 domains with 3 processes each: 1. Risk Governance 2. Risk Evaluation 3. Risk Response |