sy0-601-19v1.0.pptx

Lesson 19: Summarizing Risk Management Concepts

Topic 19A: Explain Risk Management Processes and Concepts

CompTIA Security+ Lesson 19 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Syllabus Objectives Covered

- 5.4 Summarize risk management processes and concepts

Risk Management Processes

- Phases of risk management
  - Identify mission essential functions
  - Identify vulnerabilities
  - Identify threats
  - Analyze business impacts
  - Identify risk response
- Risk assessment
  - Likelihood and impact
- Enterprise risk management (ERM) frameworks
  - Risk and control self-assessment (RCSA)
  - Risk and control assessment (RCA)

Risk Types

- External
  - Cyber threat actors and natural or person-made disasters
- Internal
  - Risks that arise from assets that are owned/managed
- Multiparty
  - Ripple impacts in the supply chain
- Intellectual property (IP) theft
- Software compliance/licensing
- Shadow IT
- Legacy systems

Quantitative Risk Assessment

- Quantitative versus qualitative assessments
  - Concrete values to risk factors
- Single Loss Expectancy (SLE)
- Exposure Factor (EF)
- Annualized Loss Expectancy (ALE)
- Annualized Rate of Occurrence (ARO)
- Difficulty of forecasting likelihood
- Difficulty of assessing impact/cost


Qualitative Risk Assessment

- Seeks opinions and uses broad categorizations
- Heat map or traffic light impact matrix
- Security categorizations (FIPS 199)
  - Low
  - Medium
  - High

Risk Management Strategies

- Inherent risk
  - Level of risk before any type of mitigation has been attempted
- Risk posture and prioritization
  - Regulatory requirements
  - High value asset, regardless of threat likelihood
  - Threats with high likelihood
  - Procedures, equipment, or software that increase the likelihood of threats
  - Return on Security Investment (ROSI)
- Risk mitigation/remediation
  - Deploy countermeasure
  - Reduce likelihood or impact or both

Risk Avoidance and Risk Transference

- Avoidance
  - Stop doing the risky activity
- Transference
  - Assign risk to a third party
  - Cybersecurity insurance
  - Limits to transference

Risk Acceptance and Risk Appetite

- Risk acceptance/tolerance
  - Risk is assessed and monitored, but no countermeasure is put in place
  - Do not ignore risk
- Residual risk
  - Likelihood and impact after mitigation
- Risk appetite
  - Willingness to tolerate a certain level of risk
  - Established at an organization or project level
- Control risk
  - Loss of countermeasure effectiveness over time
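
The quantitative terms from the Quantitative Risk Assessment slide (SLE, EF, ALE, ARO), the ROSI and mitigation bullets under Risk Management Strategies, and the inherent/residual risk and risk appetite bullets above all fit together in one calculation. The following is an added worked example, not lesson material or CompTIA code. It uses the standard formulas SLE = AV × EF and ALE = SLE × ARO, treats ROSI as (ALE before − ALE after − annual control cost) / annual control cost, and applies a mitigate/accept/escalate decision rule that is an assumption for this example. All asset values, exposure factors, rates and costs are constructed.

```python
from dataclasses import dataclass

# Added example: quantitative risk assessment with SLE = AV x EF and
# ALE = SLE x ARO, then a countermeasure decision using residual ALE, ROSI
# and a risk appetite threshold. All figures below are constructed.


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float  # yearly cost of operating the control
    ef_after: float     # EF once the control is in place (reduces impact)
    aro_after: float    # ARO once the control is in place (reduces likelihood)


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: cost of one occurrence of the risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE scaled by the yearly rate of occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment as a ratio: (risk reduction - cost) / cost."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def assess(scenario: Scenario, control: Countermeasure, risk_appetite: float) -> dict:
    """Compare inherent and residual risk and pick a response.

    Decision rule (an assumption for this example, not a CompTIA rule):
      - mitigate if the control pays for itself (ROSI > 0) and leaves the
        residual ALE within appetite;
      - accept if the inherent ALE is already within appetite;
      - otherwise escalate, because neither option satisfies the appetite.
    """
    inherent = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    residual = ale(scenario.asset_value, control.ef_after, control.aro_after)
    ratio = rosi(inherent, residual, control.annual_cost)
    if ratio > 0 and residual <= risk_appetite:
        decision = "mitigate"
    elif inherent <= risk_appetite:
        decision = "accept"
    else:
        decision = "escalate"
    return {
        "scenario": scenario.name,
        "control": control.name,
        "sle": sle(scenario.asset_value, scenario.exposure_factor),
        "inherent_ale": inherent,
        "residual_ale": residual,
        "rosi": ratio,
        "decision": decision,
    }


# Constructed sample figures for a hypothetical organisation and hypothetical controls.
RISK_APPETITE = 15_000.0  # maximum ALE the organisation is willing to carry per risk

RANSOMWARE = Scenario("ransomware on file server", asset_value=400_000, exposure_factor=0.5, aro=0.25)
IMMUTABLE_BACKUPS = Countermeasure("immutable backups", annual_cost=12_000, ef_after=0.1, aro_after=0.25)

LAPTOP_THEFT = Scenario("unencrypted laptop stolen", asset_value=3_000, exposure_factor=1.0, aro=2.0)
FLEET_MDM = Countermeasure("managed device program", annual_cost=8_000, ef_after=0.2, aro_after=2.0)


if __name__ == "__main__":
    for scenario, control in ((RANSOMWARE, IMMUTABLE_BACKUPS), (LAPTOP_THEFT, FLEET_MDM)):
        r = assess(scenario, control, RISK_APPETITE)
        print(f"{r['scenario']}: SLE {r['sle']:,.0f}, ALE {r['inherent_ale']:,.0f} -> "
              f"{r['residual_ale']:,.0f} with {r['control']}, ROSI {r['rosi']:.2f}, "
              f"decision: {r['decision']}")
```

The ransomware scenario shows a control that reduces impact (EF) but not likelihood (ARO) and still earns a positive ROSI, so it is mitigated. The laptop scenario shows a control whose annual cost exceeds the risk it removes (negative ROSI); because the inherent ALE is already inside the appetite, the risk is accepted and kept on the register for monitoring rather than ignored.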

Risk Awareness

- Communicate risk factors to stakeholders
  - Risk registers
  - Risk matrix/heat map
  - Graphs
  - Relevance to workflows
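
The Qualitative Risk Assessment slide (broad Low/Medium/High categorizations and a traffic-light impact matrix) and the Risk Awareness slide above (risk registers and a heat map for stakeholders) are served by one added example below; it is not lesson material or CompTIA code. The register entries, owners and responses are constructed, and the scoring rule that turns a likelihood/impact pair into an overall rating is an assumption of this example (organisations define their own thresholds).

```python
from collections import defaultdict

# Added example: a qualitative risk register scored on a 3x3 likelihood/impact
# matrix and rendered as a text heat map for stakeholders. The rating thresholds
# are an assumption for this example; real programmes define their own.

LEVELS = ("Low", "Medium", "High")  # used for likelihood, impact and the overall rating


def level_index(name: str) -> int:
    """Map Low/Medium/High to 1/2/3, rejecting anything outside the scale."""
    try:
        return LEVELS.index(name) + 1
    except ValueError:
        raise ValueError(f"unknown level {name!r}; expected one of {LEVELS}") from None


def rate(likelihood: str, impact: str) -> str:
    """Overall rating from a likelihood/impact pair.

    Scoring rule (assumed): product of the two 1-3 indices; 6-9 is High,
    3-4 is Medium, 1-2 is Low. High impact with Low likelihood therefore
    still lands on Medium, which keeps high-value assets visible.
    """
    score = level_index(likelihood) * level_index(impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritise(register: list[dict]) -> list[dict]:
    """Return register entries with their rating attached, highest rated first."""
    rated = [dict(entry, rating=rate(entry["likelihood"], entry["impact"])) for entry in register]
    order = {name: i for i, name in enumerate(LEVELS)}
    return sorted(
        rated,
        key=lambda e: (order[e["rating"]], order[e["impact"]], order[e["likelihood"]]),
        reverse=True,
    )


def heat_map(register: list[dict]) -> str:
    """Render a traffic-light matrix: rows are impact (High at top), columns likelihood."""
    cells = defaultdict(list)
    for entry in register:
        cells[(entry["impact"], entry["likelihood"])].append(entry["id"])
    width = 18
    lines = ["impact \\ likelihood".ljust(width) + "".join(l.ljust(width) for l in LEVELS)]
    for impact in reversed(LEVELS):
        row = impact.ljust(width)
        for likelihood in LEVELS:
            label = rate(likelihood, impact)[0]  # L / M / H for the cell colour
            ids = ",".join(cells[(impact, likelihood)]) or "-"
            row += f"[{label}] {ids}".ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed register entries for a hypothetical organisation.
REGISTER = [
    {"id": "R1", "description": "Phishing leads to credential theft", "likelihood": "High",
     "impact": "Medium", "owner": "IT security", "response": "mitigate (MFA, awareness training)"},
    {"id": "R2", "description": "Flood at primary data centre", "likelihood": "Low",
     "impact": "High", "owner": "Facilities", "response": "transfer (insurance) plus DR site"},
    {"id": "R3", "description": "Legacy HR application out of vendor support", "likelihood": "Medium",
     "impact": "Medium", "owner": "HR systems", "response": "mitigate (isolate, plan replacement)"},
    {"id": "R4", "description": "Printer firmware behind on updates", "likelihood": "Low",
     "impact": "Low", "owner": "Service desk", "response": "accept, review quarterly"},
]

if __name__ == "__main__":
    for entry in prioritise(REGISTER):
        print(f"{entry['id']} {entry['rating']:6} {entry['description']} -> {entry['response']}")
    print()
    print(heat_map(REGISTER))
```

The prioritised list is what a workflow owner reads; the heat map is the stakeholder view, with each cell's letter giving the traffic-light colour and the risk IDs plotted in it.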

Review Activity: Risk Management Processes and Concepts

Topic 19B: Explain Business Impact Analysis Concepts

Syllabus Objectives Covered

- 5.4 Summarize risk management processes and concepts

Business Impact Analysis

- Business impact analysis (BIA) reports for threat scenarios
  - Calculate impact as costs
  - Justifies and prioritizes investment in security controls
- Business continuity planning/continuity of operations planning (COOP)
  - Identifies controls and processes that maintain critical workflows

Mission Essential Functions

- Business activities that cannot be deferred
- Contrast primary business functions (PBF)
- Metrics

Identification of Critical Systems

- Supporting asset types
  - People, tangible assets, intangible assets, procedures
- Business process analysis (BPA)
  - Inputs
  - Hardware
  - Staff and other resources
  - Outputs
  - Process flow

Single Points of Failure

- Asset that causes the entire workflow to fail if it is damaged or otherwise not available
- Mean time to failure (MTTF) and mean time between failures (MTBF)
  - Determine how likely failures are to occur
  - Provision redundancy
- Mean time to repair (MTTR)
  - Time to correct fault
  - Affects recovery time objective (RTO)
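
The slide above names the metrics but not how they are derived from operational data or how MTTR is checked against an RTO. The following added example (not lesson material or CompTIA code) computes MTTF, MTTR, MTBF, availability and expected failures per year from an outage log, then records the findings a BIA would note for a single point of failure. Conventions assumed here: MTTF is the mean uptime before each failure, MTTR the mean repair duration, MTBF = MTTF + MTTR (the repairable-system convention), and availability = MTTF / MTBF. The outage log and the RTO are constructed.

```python
from datetime import datetime

# Added example: derive MTTF, MTTR, MTBF and availability from an outage log,
# then check a single point of failure against its recovery time objective.
# Conventions used (assumptions of this example): MTTF = mean uptime before
# each failure, MTTR = mean repair duration, MTBF = MTTF + MTTR,
# availability = MTTF / MTBF. The outage log below is constructed.

HOURS_PER_YEAR = 8760.0


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def failure_metrics(observed_from: str, incidents: list[tuple[str, str]]) -> dict:
    """incidents: (failed_at, restored_at) ISO timestamps in chronological order."""
    if not incidents:
        raise ValueError("need at least one incident to estimate failure metrics")
    uptimes, repairs = [], []
    last_restored = observed_from
    for failed_at, restored_at in incidents:
        up = hours_between(last_restored, failed_at)      # service time before this failure
        down = hours_between(failed_at, restored_at)      # time to correct the fault
        if up < 0 or down < 0:
            raise ValueError("incidents must be chronological and restored after failing")
        uptimes.append(up)
        repairs.append(down)
        last_restored = restored_at
    mttf = sum(uptimes) / len(uptimes)
    mttr = sum(repairs) / len(repairs)
    mtbf = mttf + mttr
    return {
        "mttf_h": mttf,
        "mttr_h": mttr,
        "mtbf_h": mtbf,
        "availability": mttf / mtbf,
        "expected_failures_per_year": HOURS_PER_YEAR / mtbf,
    }


def spof_findings(component: str, metrics: dict, rto_hours: float, redundant: bool) -> list[str]:
    """Findings a BIA would record for a component a critical workflow depends on."""
    findings = []
    if not redundant:
        findings.append(f"{component} is a single point of failure: no redundant instance")
    if metrics["mttr_h"] > rto_hours:
        findings.append(
            f"{component}: MTTR {metrics['mttr_h']:.1f} h exceeds RTO {rto_hours:.1f} h; "
            "provision redundancy or shorten repair time"
        )
    if metrics["expected_failures_per_year"] >= 1.0 and not redundant:
        findings.append(
            f"{component}: roughly {metrics['expected_failures_per_year']:.1f} "
            "failures expected per year with no failover"
        )
    return findings


# Constructed outage log for a hypothetical primary database server.
OBSERVED_FROM = "2024-01-01T00:00"
DB_PRIMARY_INCIDENTS = [
    ("2024-02-01T00:00", "2024-02-01T04:00"),  # disk failure, 4 h to restore
    ("2024-04-01T04:00", "2024-04-01T16:00"),  # controller fault, 12 h to restore
]

if __name__ == "__main__":
    m = failure_metrics(OBSERVED_FROM, DB_PRIMARY_INCIDENTS)
    print(f"MTTF {m['mttf_h']:.0f} h, MTTR {m['mttr_h']:.0f} h, MTBF {m['mtbf_h']:.0f} h, "
          f"availability {m['availability']:.4%}")
    for finding in spof_findings("db-primary", m, rto_hours=6.0, redundant=False):
        print("-", finding)
```

With the constructed log, MTTF is 1092 h and MTTR 8 h; an RTO of 6 h is therefore unachievable by repair alone, which is exactly the case where the slide's "provision redundancy" bullet applies.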

Disasters

- Internal versus external
  - Whether or not threat actor/source has privileged access
  - External disasters affecting supply chain
- Person-made
  - Internal or external disaster due to human agency
  - Malicious or accidental
- Environmental
  - Could not be prevented by human agency
- Site risk assessment
  - Risk from natural disaster
  - Resiliency of utility supply
  - Health and safety risks

Disaster Recovery Plans

- Identify specific scenarios for disaster-level incidents
  - Risk and cost assessment
  - Threat modeling
- Identify tasks, resources, and responsibilities for response
- Train staff in disaster recovery and change management
- Notifications to stakeholders and agencies

Functional Recovery Plans

- Demonstrate effectiveness through walkthroughs and exercises
- Walkthroughs, workshops, and orientation seminars
  - Presentation and description-oriented
- Tabletop exercises
  - Facilitator-led discussion scenarios
- Functional exercises
  - Action-based engagements using simulations
- Full-scale exercises
  - Action-based engagements simulating major events
  - More typical of public agencies

Review Activity: Business Impact Analysis Concepts

Lesson 19 Summary