Domain1 - Risk Management

Risk

potential for negative impact on the organization, its goals or
objectives, or its assets (including people, systems, and data) due to a threat exploiting a vulnerability.

Threat 

A threat is a negative event that can lead to an undesired outcome, such as damage to,
 or loss of, an asset.

Threat Actor

A person or entity that is capable of intentionally or accidentally compromising an asset’s security.

 

Hacker, Disgruntled employee, Fire, Failure of HVAC,
 
Severity: Skill level, Motivation, Opportunity, Size

Threat Vector

Path the threat takes to exploit the vuln and create harm

Example:

Ransomware - Phishing email --> user clicks on the phishing link --> Malware get downloaded --> Download public key--> Encrypt the data --> ask for ransom

Vulnerability

A vulnerability is a weakness or gap that exists within a system that may be exploited (by a threat actor) to compromise an asset’s security or trigger a risk event.

 

In above example - Email gateway - lack of definitions, Low security awareness --> Lack of detection at parameter firewall --> Web proxy not detecting malicious IP (URL)
 Other - Unpatched App / OS, Weak access control etc
Severity: Ease of Discovery, Ease of Exploit, Awareness to public

Asset 

Anything of value to the organisation (People, process and information)

Above Example - Information

Risk Management

Includes all the processes to identify threats and vuln, analyse, evaluate and respond in a timely manner

Four Steps - Identify, analyse, Evaluate, Respond

Inherent Risk

Risk before the controls is applied

Residual Risk

Risk after control is applied

Risk before controls for ransomware is applied - Critical

Risk Assessments

Set of activities to identify risk, analyse, determine Impact and Likelihood to quantify the Risk 

Identification

Identify the Assets which can be impacted
 Identify the Asset Value (for prioritization)
 Identify the Threats (Threat Modelling, Risk Scenarios)
 Identify the Vulnerabilities (VA, Pentest, Assessment, Audits)

Risk Analysis

Determine Likelihood (based on existing controls, exposure, 

 

Likelihood - Severity of threats (Skill level, motivation, opportunity, Size)
Vulnerability (Ease of Discovery, Ease of Exploit, Awareness to public)

Determine Impact

 

Asset Value
Technical Impact - Loss of confidentiality, Integrity, Availability and accountability
Business Impact - Loss of productivity, Downtime,
 Financial, Reputational, Non-compliance (Regulatory -Privacy, Contractual)

Qualitative Risk Analysis

More Subjective | Expressed in Critical/High/Medium/Low
 1. Asset Value - Mission Critical, Business Critical
 2. Likelihood (1-5) - Certain (5), Very Likely, Likely, Less Likely, Rare
 3 Impact (1-5) - Catastrophic (5), High, Medium, Low, Negligible
 Representation - Heat map on scale of Impact and Likelihood
 Advantage: Skill level required is low, Faster, Followed by most organisations

 

Risk Quantification:
 Likelihood (4) X Impact (5) = 20 (High)

 

Quantitative Risk Analysis

Analysis in Quantitative terms (Dollar value)
1. Asset Value - USD (Cost of asset, cost of recovery/re-establish)
2. Likelihood (1-5) - Certain (5), Very Likely, Likely, Less Likely, Rare
3. Impact: USD Financial (impact from downtime, cost of response and recovery, Cost of data) + Reputational impact (2X Financial) + Compliance (Regulator + contractual)

 

Risk Quantification:
 SLE = AV X EF (% of asset damage)
 ALE = SLE X ARO

Risk Evaluation

Compare Risk with organisation's Risk profile or Risk Tolerance

 

Mapping (Own Experience – not covered under CISSP): 
 Within Risk appetite
 On Risk Appetite
 Out of Risk appetite
 On Risk Tolerance Threshold
 Out of Risk Tolerance Threshold
 Out of Risk Capacity

Risk Response

Risk Avoidance: Eliminate the activity or technology or use an alternate method (Sometimes very difficult)
Risk Mitigation: Organisation decides to remediate the risk to reduce it's likelihood or Impact (MFA, Encryption, Vuln Remediation, resolving dependencies)
Risk Transfer: Transfer risk liability to other party (Outsourcing, Insurance etc). Complete risk transfer is not possible but can be shared (Risk Sharing)
Risk Acceptance: Organisation accepts the risk. Within Risk acceptance - Sometimes may not be. If no other option works - than this is the default mechanism. 

Control 

A security control is a safeguard (Preventive) or a countermeasure (corrective) measure to reduce the likelihood or impact of the risk.

 

Control Categories: (Manual/Automated)
Technical / Logical - Hardware, software or firmware
Operational/Physical: Related to Day-to-Day operations - E.g. Security Guards, Lighting, Gate etc
Management / Administrative: Polices, Security Awareness  

 

Control Types:

Preventive: First line controls - prevent risk from happening

Firewall, Backup, Security Awareness, Input validation

 

Detective: Audits, door alarms, IDS

 

Corrective: Minimize impact and repair damages.

Software patches, Conjuration modification, policy updating to address root cause

 

Recovery: Complement corrective controls 

System backups, Disaster recovery sites, RAID, 

 

Deterrent: Discourage attackers E.g.- Fencing, Security guard, Guard dog, 

 

Compensating Controls: used in addition to or in leu of primary control - many not fully mitigate the risk. but to certain level.

Control Implementation

Most common Risk response option
 Selection and implementation of one or more controls around People, process and Technology. Factors to consider
 
Security Effectiveness: Will the control address the identified risk?
 E.g., Encrypting all the data is good, but is that effective if the risk pertains to Availability?
 
Cost Effectiveness: is the control cost effective?
 Perform Cost: Benefit Analysis
Control Cost Effectiveness: ALE after implementing control (Residual Risk) + Cost of control < ALE before Control Implementation (Inherent Risk)
 
Operational Impact: IS there a Negative operational impact.
 E.g., you Noticed that the Identity thefts are increasing and many of the employee passwords have been compromised in recent time. As a CISO you decided to increase password length from 8 Character to 15 characters, with complexity. As a result, you see an increased count of helpdesk support tickets related to password reset. 

 

Cost Effectiveness Use Case:

 

Cost Effectiveness: 
 Cybernous is facing 05 Laptop Theft in a Year.
 Asset cost (Information + Laptop) under the scope of threat = 10,000 USD
 EF is 10%
 Cost of implementation and maintenance of Encryption = 8500 USD

Control Assessment

Controls must be tested periodically
 Self assessments or through external assessments (Examination, Interview and test)
 Examine: understand, clarify and obtain evidences
 Interview: Discussions with individuals/group
 Test: Compare actual with expected output | implemented as documented

Monitoring and Measurement

Monitoring control effectiveness through KPI and KRI, security Scorecards

Reporting

Report the performance of controls to top management
 Formal reports of assessments and audits
 Document and report risk to Leadership

Continuous Improvement

Continuously improve the security posture and ROI - controls implementation should be at optimal level (not too many - not too less)
 How we do it
Risk Maturity Assessments 

How to select the right Framework?

 

ISO 31000:2018

Consistent: Control environment should be consistent with IS and privacy requirements
Measurable: Set goals and measure progress, Framework should provide control assessment standards
Standardization: Bring your security program or RM program to be compared with industry standards
Comprehensive: Should address minimum legal, regulatory and industry requirements in line with your line of Business
Modular: Framework should be flexible enough to changes or integrating with other frameworks.

 

ISO 31000:2018 - Applicable for all type of organisations arrest to governance structure or industry. ISO 31000:2018 is more generic - enterprise wide
 Aligned with ISO 27001
 

8 principles of ISO/IEC  31000:2018
customized - Framework can be customized as per the organisation requirement (structure / risk levels)
Inclusive: All stakeholders should come together for success
Comprehensive : Structured and complete coverage
 Integrated: Integrate Risk Management in all organisation activities
Dynamic: Anticipate, detect, acknowledge and respond to risk timely
Best Available information: Consider if the information is limited
Human and Culture Factors: Improve overall risk culture and shared responsibility
Continual improvement: optimize RM function through learning and experience

 

ISO 27005 - “Information technology—Security
 techniques —Information security risk management,”
  Provides detail and structure to the information security risks by defining the context for information security risk decision-making.

NIST RMF

NIST Risk Management Framework (NIST RMF)
 800-37 - “Guide for Applying the Risk Management Framework to Federal Information Systems,”
 6 steps
1. Categorize Systems - categorise all information Systems based on value to organoiron and impact (CIA)| Systems must be inventories along with Value |
2. Select Control: Prepare baseline set of controls (based on category and impact) for implementation
3. Implement Controls: Implement control
4. Assess Controls: evaluate effectiveness and appropriateness
5. Authorise System: once assurance is obtained that the control is operating as expected and able to minimize risk to acceptable level - Management provides formal approval for use of the control
6. Monitor - Continuously monitor

 

See the source image

COBIT and Risk IT (ISACA)

COBIT can be implemented for Enterprise IT
 Differentiate Governance (5 process) with Management (32 process)
 Highly flexible framework and is compatible with other frameworks like ISO 27001, ITIL, SOX, TOGAF)
 RISK IT: Contains 3 domains with 3 process each
 1. Risk Governance  
 2. Risk Evaluation
 3. Risk Response