5.4 Summarize risk management process and concepts

Question 1

Risk Types

Answer 1

Risk types can be broken down into six categories. Let’s now look at each of these in turn, starting with external risks

Question 2

External

Answer 2

There are many different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors. Their ability to attack depends on the level of sophistication of their tools, and this is very much dependent on how much funding they have. If it is a foreign government, they are well organized and well-funded and have many assets at their disposal. There are also external environmental threats, such as fire and floods, and man-made threats, such as the accidental deletion of data or lasers.

Question 3

Internal

Answer 3

One type of internal threat is a malicious insider; that is, a threat actor who, for instance, has been overlooked for promotion or is not happy with their current salary. The other internal threat is human error, which is when data is accidentally deleted.

Question 4

Legacy Systems

Answer 4

The risk with legacy systems is that they might not have any vendor support because the vendor has deemed that the system has reached the end of its service life and there will be no more patches. As technologies improve, so do the hacking tools, and the legacy systems may have limited or no protection against them.

Question 5

Multiparty

Answer 5

This is where a contractor wins a contract and then sub-contracts some of the parts of the contract to other companies, who in turn subcontract again. Sometimes that can mean many contractors being involved in a single contract, and if any of them becomes bankrupt, then they can no longer provide that service and cause disruption to the company. Each party in the contract needs to ensure that their security is as strong as that of the customer and the main contractor.

Example: A contract is awarded to us to build a row of houses. Water, gas, electricity, and roads may be contracted out to other agencies. Many different parties would be involved, and we could be attacked by anyone working in the supply chain.

Question 6

Intellectual Property (IP) Theft

Answer 6

An IP theft could steal your copyright material, trade secrets, and patents. This would result in a loss of revenue. This data could be used in other countries where a legal route to recover your data or seek damages is impossible. We should use Data Loss Protection (DLP) or document management systems to protect against this.

Question 7

Software Compliance/Licensing

Answer 7

Software should only be purchased from reputable vendors to ensure that the software purchased is exactly what was ordered. Software purchased elsewhere may not be licensed, and this would lead to a regulatory fine, or the software itself may contain malware and attack you. One of the risks to your company is that employees may use more copies of the company-purchased software than the licenses that you purchase, sometimes for personal use. This is called a license compliance violation. Exam TipIP theft can steal your patents, secrets, and copyright material, and these can be taken to a country where you cannot mount a legal challenge. From there, they can manufacture your products.

Question 8

Risk Management Strategies

Answer 8

In a risk treatment, the risk owner, who is the best person to classify an asset, looks at each individual risk; they (the risk owner) will then decide what action is best to reduce the risk to the company. The risk will then be included in the company’s risk register so that it can be monitored. New risks should be recorded in the risk register immediately and the risk register should be reviewed every 6 months because risks change as frequently as technology changes. Let’s look at risk management strategies, starting with risk acceptance

Question 9

Risk Acceptance

Answer 9

This entails evaluating the risk and then deciding not to take any action as you believe that the probability of it happening is very low or that the impact is low. For example, say I had company premises in Scotland and I was quoted $1,000 a year to insure the building against earthquakes. I would not take the insurance and would accept the risk as Scotland last had an earthquake in 1986, and the magnitude was 2.0, which means it was generally not felt.

Question 10

Risk Transference

Answer 10

Risk transference is where you decide that the risk is great and you want to offload the responsibility to a third party. This could be insurance or outsourcing any of your IT functions. For example, say I purchase a car and decide that there is a high risk of someone crashing into the car, so I take out car insurance to transfer the risk to the insurance company. The car is insured, but I am still the owner. Companies are now taking out cybersecurity insurance that would cover financial loss due to cyberattacks, legal fees due to lawsuits, and the ability to employ a private investigator to catch the criminal.

Question 11

Cybersecurity insurance

Answer 11

Cybersecurity insurance helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage. Traditional insurance policies often exclude cybersecurity risks such as the loss of data or extortion from criminals using ransomware. Organizations purchase cybersecurity insurance to cover the gaps left by traditional insurance.

Question 12

Risk Mitigation

Answer 12

Risk mitigation is where you evaluate the risk and decide whether or not the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack. For example, say you leave your home in the morning to go to work – if you leave the door open, someone will enter your property and take some of your possessions. You then adopt risk mitigation by closing and locking the door. Another example is if you purchase 50 new laptops for your company, with software installed, but there is no anti-virus software. There is a high risk that you could encounter a virus; therefore, you decide to mitigate the risk by installing anti-virus software on all laptops. Risk mitigation is a technical control.

Question 13

Risk Analysis

Answer 13

Risk analysis is the use of techniques to analyze risks so that you have an overall picture of the risks that your company may face. Let’s look at each of these in turn, starting with the risk register:

Exam Tip

Insurance of any kind, whether it is for a car or cybersecurity, is risk transference.

Question 14

Risk Register

Answer 14

When we look at the overall risk for a company, we use a risk register. This is a list of all of the risks that a company could face. The risk to the finance department with be assessed by the financial director, and IT-related risk would be looked at by the IT manager. Each department can identify the assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners – they are responsible for the risk. The risk register must be updated on an annual basis to make it effective.

Question 15

Risk Matrix/Heat Map

Answer 15

A risk matrix is used to get a visual representation of the risks affecting a company. The heat map shows the severity of the situation, with the most severe risks being in red

Question 16

Risk Control Assessment

Answer 16

This occurs when a company checks that the risk controls that they have in place are still effective with changing technology.

Question 17

Risk Control Self-Assessment

Answer 17

This is a process where all company employees decide to have a meeting or send out a survey. Management encourages the employees to evaluate existing risk controls so that they can decide whether the current risk controls are adequate and report back to the management. This is a bottom-up approach.

Question 18

Risk Awareness

Answer 18

This is the process of making all employees aware of the risk and motivating them to take responsibility for looking at risks and making recommendations to management on how to reduce those risks.

Question 19

Inherent Risk/Residual Risk

Answer 19

Inherent risk is the raw risk, prior to any risk mitigation strategies being implemented. Residual risk is the amount of risk remaining after you mitigate the risk. Remember that you cannot eliminate risk completely.

Question 20

Control Risk

Answer 20

This is where a risk control is measured after it has been in place for some time, to evaluate whether it is still effective.

Question 21

Risk Appetite

Answer 21

This is the amount of risk mitigation that a company is willing to do so that they can be compliant with current regulations and also be protected.

Question 22

Regulations that affect risk posture

Answer 22

Regulations that affect risk posture include EU GDPR, Sarbanes-Oxley Act (SOX), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry (PCI), and Data Security Standard (DSS) regulations.

Question 23

Risk Assessment Types

Answer 23

There are two risk assessment types: qualitative and quantitative. Let’s look at each of these in turn

Question 24

Qualitative Risk Analysis

Answer 24

A qualitative risk analysis is where the risk is identified as a high, medium, or low risk. The words start with most of the word quality.

Question 25

Quantitative Risk Analysis

Answer 25

A quantitative risk analysis is where you look at the high qualitative risks and give them a numeric value so that you can associate them with a cost for the risk. This is calculated by multiplying the probability with the impact of the risk. Sometimes probability is known as likelihood. The words start with most of the word quantity.

Question 26

Impact

Answer 26

Impact is the magnitude of harm resulting from a risk. It includes the negative results of an event, such as the loss of confidentiality, integrity, or availability of a system or data.

Question 27

Asset value

Answer 27

The asset value is an important element in a quantitative risk assessment. It may include the revenue value or replacement value of an asset. A web server may generate $10,000 in revenue per hour. If the web server fails, the company will lose $10,000 in direct sales each hour it’s down, plus the cost to repair it. It can also result in the loss of future business if customers take their business elsewhere. In contrast, a library workstation’s failure may cost a maximum of $1,000 to replace.

Question 28

Single Loss Expectancy (SLE)

Answer 28

The SLE is to do with the loss of one item. For example, if my laptop is worth $1,000 and I lose it while traveling, then my SLE would be $1,000.

Question 29

Annualized Rate of Occurrence (ARO)

Answer 29

The ARO is the number of times that an item has been lost in a year. If an IT team loses six laptops in a year, the ARO would be six.

Question 30

Annualized Loss Expectancy (ALE)

Answer 30

The ALE is calculated by multiplying the SLE by the ARO – in the previous examples, we have $1,000 x 6 = $6,000. The ALE is the total loss in a year.

Question 31

Disasters

Answer 31

There are different types of disasters that pose a risk to companies. Let’s look at these, starting with environmental threats

Question 32

Environmental Threat

Answer 32

This threat is based on environmental factors, for example, the likelihood of a flood, hurricane, or tornado. If you live in Florida, there is a peak season for hurricanes from mid-August to October. However, if you live in Scotland, hurricanes are very infrequent. Florida has a high risk of having a hurricane, whereas Scotland would be extremely low risk.

Question 33

Man-Made Threat

Answer 33

This is a human threat – it could be a malicious insider attack, where an employee deliberately deletes data, or it could just be an accidental deletion by an incompetent member of staff. Lasers and bombs are also man-made threats.

Question 34

Internal Threat versus External Threat

Answer 34

An internal risk could be a flood, power failure, or maybe internal structural damage to a building. An external risk could be threat actors or natural disasters such as an earthquake or hurricanes.

Question 35

Business Impact Analysis

Answer 35

Business Impact Analysis (BIA) is the process of looking into disasters and calculating the loss of sales, regulatory fines, and the purchase of new equipment. BIA looks at financial loss following a disaster.

Question 36

Recovery Time Objective (RTO)

Answer 36

The RTO is the time that a company needs to be returned to an operational state. In the preceding RPO scenario, we would like the RTO to be before 16:00. If the RTO is beyond 16:00, then once again it has an adverse effect on the business.Exam TipThe most important factor that an auditor will look at when assessing BIA is the single point of failure. They will also take the RPO and RTO into consideration.

Question 37

Recovery Point Objective (RPO)

Answer 37

The RPO is how long a company can last without its data before the lack of data starts to affect operations. This is also known as acceptable downtime; if a company agrees that it can be without data for 3 hours, then the RPO is 3 hours. If the IT systems in a company suffer a loss of service at 13:00, then the RPO would be 16:00. Any repair beyond that time would have a negative impact on the business as the company cannot operate without its data beyond that point.

Question 38

Mean Time to Repair (MTTR)

Answer 38

The MTTR is the average amount of time it takes to repair a system. If my car breaks down at 14:00 and it was repaired at 16:00, the MTTR would be 2 hours.

Question 39

Mean Time Between Failures (MTBF)

Answer 39

The MTBF shows the reliability of a system. If I purchased a new car for $50,000 on January 1, then it breaks down on January 2, 4, 6, and 8, I would take it back to the garage as the MTBF would be pretty high. For $50,000, I want a more reliable car. MTBF measures reliability.

Question 40

Functional Recovery Plans

Answer 40

Functional recovery plans use structure walkthroughs, tabletop exercises, and simulations.

Question 41

Single Point of Failure

Answer 41

The single point of failure is any single component that would prevent a company from remaining operational. This is one of the most critical aspects of BIA

Question 42

Disaster Recovery Plan (DRP)

Answer 42

There are many different types of disasters and there needs to be a DRP for each of them to recover from a failure as quickly as possible. Any downtime will have a financial impact on a company.

Question 43

Mission Essential Functions/Identification of Critical Systems

Answer 43

When we look at BIA as a whole, we have to see what the company’s mission-essential functions are; for example, an airline depends heavily on its website to sell airline tickets. If this was to fail, it would result in a loss of revenue. Critical systems for the airline would be the server that the website was placed on and its ability to contact a backend database server, such as SQL, that holds ticketing information, processes credit card transactions, and contains the order history for each customer.

Question 44

Identification of critical systems

Answer 44

A business impact analysis (BIA) is an important part of a BCP. It helps an organization identify critical systems and components that are essential to the organization’s success. These critical systems support mission-essential functions. Mission-essential functions are the activities that must continue or be restored quickly after a disaster.

Question 45

Site Risk Assessment

Answer 45

This is an assessment of all of the risks and hazards that could happen on a construction site. This could be the spillage of chemicals, power outages, floods, fires, and earthquakes. The site losing its health and safety certificate should be considered a site risk.Exam TipWhen purchasing a new system, the MTBF measures the reliability of the system. You might also seek a system with a low MTTR so that it is reliable and can be repaired quickly.