Summarizing Risk Management Concepts
Lesson 19
Explain Risk Management Processes and Concepts
Topic 19A
CompTIA Security+ Lesson 19 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
5.4 Summarize risk management processes and concepts
Risk Management Processes
Phases of risk management
Identify mission essential functions
Identify vulnerabilities
Identify threats
Analyze business impacts
Identify risk response
Risk assessment
Likelihood and impact
Enterprise risk management (ERM) frameworks
Risk and control self-assessment (RCSA)
Risk and control assessment (RCA)
Risk Types
External
Cyber threat actors and natural or person-made disaster
Internal
Risks that arise from assets that are owned/managed
Multiparty
Ripple impacts in the supply chain
Intellectual property (IP) theft
Software compliance/licensing
Shadow IT
Legacy systems
Quantitative Risk Assessment
Quantitative versus qualitative assessments
Concrete values to risk factors
Single Loss Expectancy (SLE)
Exposure Factor (EF)
Annualized Loss Expectancy (ALE)
Annualized Rate of Occurrence (ARO)
Difficulty of forecasting likelihood
Difficulty of assessing impact/cost
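The slide names the four quantitative terms but does not show how they combine or how the result feeds the decision to deploy a countermeasure. The following is an added worked example, not code from the CompTIA course; it uses the standard definitions SLE = AV x EF, ALE = SLE x ARO and ROSI = (ALE before - ALE after - annual control cost) / annual control cost, and every asset value, exposure factor, rate of occurrence and control cost in it is a constructed sample figure.

```python
"""Quantitative risk assessment worked through in code.

Added example, not material from the CompTIA slides. Standard definitions
behind the four terms on the slide (the slide names them, it does not print
the formulas):

    SLE  = AV x EF          single loss expectancy
    ALE  = SLE x ARO        annualized loss expectancy
    ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost

Every asset value, exposure factor, rate of occurrence and control cost below
is a constructed sample figure.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: replacement/business value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0-1.0
    aro: float              # ARO: expected incidents per year (may be < 1)

    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected cost per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control reduces likelihood (ARO), impact (EF), or both."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of ARO removed, 0.0-1.0
    ef_reduction: float = 0.0   # fraction of EF removed, 0.0-1.0

    def apply(self, s: RiskScenario) -> RiskScenario:
        """The same scenario with this control in place (residual risk)."""
        return RiskScenario(
            name=s.name,
            asset_value=s.asset_value,
            exposure_factor=s.exposure_factor * (1.0 - self.ef_reduction),
            aro=s.aro * (1.0 - self.aro_reduction),
        )


def rosi(before: RiskScenario, control: Countermeasure) -> float:
    """Return on security investment as a ratio; negative means the control
    costs more per year than the loss it prevents."""
    after = control.apply(before)
    return (before.ale() - after.ale() - control.annual_cost) / control.annual_cost


def rank_controls(scenario: RiskScenario,
                  controls: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Controls ordered best-first by ROSI, so the most cost-effective
    mitigation is considered first."""
    scored = [(c.name, rosi(scenario, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a file server worth 100,000 currency units; a
# ransomware incident destroys 40% of that value and is expected once
# every four years.
FILE_SERVER = RiskScenario("file server ransomware",
                           asset_value=100_000, exposure_factor=0.40, aro=0.25)

# Constructed candidate controls.
CONTROLS = [
    # Offline backups do not stop the incident but cut the loss by 75%.
    Countermeasure("offline backups", annual_cost=3_000, ef_reduction=0.75),
    # A managed detection service halves the likelihood but costs more
    # per year than the loss it prevents in this scenario.
    Countermeasure("managed detection", annual_cost=8_000, aro_reduction=0.50),
]

if __name__ == "__main__":
    print(f"SLE = {FILE_SERVER.sle():,.0f}  ALE = {FILE_SERVER.ale():,.0f}")
    for name, value in rank_controls(FILE_SERVER, CONTROLS):
        print(f"{name:20s} ROSI = {value:+.2f}")
```

With these inputs the SLE is 40,000 and the ALE 10,000; the backups control returns 1.5 times its cost, while the detection service comes out negative, which is the numeric form of the slide's point that a countermeasure must reduce likelihood or impact enough to justify its cost, otherwise acceptance or transference is the better response.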
Qualitative Risk Assessment
Seeks opinions and uses broad categorizations
Heat map or traffic light impact matrix
Security Categorizations (FIPS 199)
Low
Medium
High
Risk Management Strategies
Inherent risk
Level of risk before any type of mitigation has been attempted
Risk posture and prioritization
Regulatory requirements
High value asset, regardless of threat likelihood
Threats with high likelihood
Procedures, equipment, or software that increase the likelihood of threats
Return on Security Investment (ROSI)
Risk mitigation/remediation
Deploy countermeasure
Reduce likelihood or impact or both
Risk Avoidance and Risk Transference
Avoidance
Stop doing the risky activity
Transference
Assign risk to a third party
Cybersecurity insurance
Limits to transference
Risk Acceptance and Risk Appetite
Risk acceptance/tolerance
Risk is assessed and monitored, but no countermeasure is put in place
Do not ignore risk
Residual risk
Likelihood and impact after mitigation
Risk appetite
Willingness to tolerate a certain level of risk
Established at an organization or project level
Control risk
Loss of countermeasure effectiveness over time
Risk Awareness
Communicate risk factors to stakeholders
Risk registers
Risk matrix/heat map
Graphs
Relevance to workflows
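The qualitative assessment slide describes a heat map with Low/Medium/High bands, and this slide lists the risk register and risk matrix as the artefacts used to communicate that to stakeholders. The block below is an added example covering both slides; it is not code from the CompTIA course. The 1-5 scales, the band thresholds, the "appetite" level and every register entry are constructed assumptions.

```python
"""A risk register with a qualitative likelihood/impact heat map.

Added example; not code from the CompTIA course. It illustrates the
"risk register" and "risk matrix/heat map" on the Risk Awareness slide and
the Low/Medium/High banding from the qualitative assessment slide. The 1-5
scales, the band thresholds, the appetite level and every register entry are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ("Low", "Medium", "High")       # bands used on the slide
SCALE = range(1, 6)                      # assumed 1 (lowest) to 5 (highest)


def rate(likelihood: int, impact: int) -> str:
    """Band a likelihood x impact score. Thresholds are an assumption:
    1-5 Low, 6-12 Medium, 13-25 High."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be 1..5")
    score = likelihood * impact
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class RiskEntry:
    ident: str
    description: str
    likelihood: int
    impact: int
    owner: str
    response: str   # mitigate / avoid / transfer / accept, per the slides

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


def heat_map(entries: List[RiskEntry]) -> List[List[List[str]]]:
    """5x5 grid: row index 0 is impact 5 (top), column index 0 is likelihood 1.
    Each cell holds the ids of the register entries that fall there."""
    grid = [[[] for _ in SCALE] for _ in SCALE]
    for e in entries:
        grid[5 - e.impact][e.likelihood - 1].append(e.ident)
    return grid


def render(entries: List[RiskEntry]) -> str:
    """Text rendering of the heat map for a report or ticket."""
    grid = heat_map(entries)
    lines = ["impact\\likelihood " + " ".join(f"{l:>8d}" for l in SCALE)]
    for row, impact in zip(grid, reversed(SCALE)):
        cells = " ".join(f"{','.join(ids) or '-':>8s}" for ids in row)
        lines.append(f"{impact:>17d} {cells}")
    return "\n".join(lines)


def above_appetite(entries: List[RiskEntry], appetite: str) -> List[str]:
    """Ids of entries rated above the stated risk appetite; these need a
    decided response rather than silent acceptance."""
    order: Dict[str, int] = {lvl: i for i, lvl in enumerate(LEVELS)}
    return [e.ident for e in entries if order[e.rating] > order[appetite]]


# Constructed register entries.
REGISTER = [
    RiskEntry("R1", "ransomware on file server", 4, 5, "IT ops", "mitigate"),
    RiskEntry("R2", "unsupported OS on HVAC controller", 3, 3, "facilities", "mitigate"),
    RiskEntry("R3", "unsanctioned SaaS (shadow IT)", 5, 2, "CISO", "avoid"),
    RiskEntry("R4", "site power loss", 1, 4, "facilities", "transfer"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    print("above appetite:", above_appetite(REGISTER, "Medium"))
```

Entries R2 and R3 land in the Medium band with very different shapes (moderate on both axes versus likely but low impact), which is exactly the nuance a single score hides and a two-axis matrix shows; the register's owner and response columns are what turns the map into the "relevance to workflows" the slide asks for.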
Review Activity
Risk Management Processes and Concepts
Explain Business Impact Analysis Concepts
Topic 19B
Syllabus Objectives Covered
5.4 Summarize risk management processes and concepts
Business Impact Analysis
Business impact analysis (BIA) reports for threat scenarios
Calculate impact as costs
Justifies and prioritizes investment in security controls
Business continuity planning/continuity of operations planning (COOP)
Identifies controls and processes that maintain critical workflows
Mission Essential Functions
Business activities that cannot be deferred
Contrast primary business functions (PBF)
Metrics
Identification of Critical Systems
Supporting asset types
People, tangible assets, intangible assets, procedures
Business process analysis (BPA)
Inputs
Hardware
Staff and other resources
Outputs
Process flow
Single Points of Failure
Asset that causes the entire workflow to fail if it is damaged or otherwise not available
Mean time to failure (MTTF) and mean time between failure (MTBF)
Determine how likely failures are to occur
Provision redundancy
Mean time to repair (MTTR)
Time to correct fault
Affects recovery time objective (RTO)
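The slide names MTBF, MTTR and RTO and says that redundancy is the answer to a single point of failure, but does not show the arithmetic that connects them. The block below is an added example, not code from the CompTIA course; it applies the standard relationships expected failures per year = hours per year / MTBF, availability = MTBF / (MTBF + MTTR) and, for N independent redundant units, unavailability = (1 - A)^N. All MTBF, MTTR and RTO figures in it are constructed sample values.

```python
"""Failure metrics for a critical system and the effect of redundancy.

Added example, not from the CompTIA slides. It applies the standard
relationships behind the metrics on the slide (the slide names them but
gives no formulas):

    expected failures per year = hours per year / MTBF
    availability A             = MTBF / (MTBF + MTTR)
    N independent redundant units: unavailability = (1 - A) ** N

All MTBF, MTTR and RTO figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    name: str
    mtbf_hours: float   # mean time between failures
    mttr_hours: float   # mean time to repair / restore service
    units: int = 1      # independent redundant units installed

    def availability(self) -> float:
        """Availability of a single unit."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)

    def expected_failures_per_year(self) -> float:
        return HOURS_PER_YEAR / self.mtbf_hours

    def system_availability(self) -> float:
        """Workflow survives while at least one unit is up."""
        return 1.0 - (1.0 - self.availability()) ** self.units

    def expected_downtime_hours(self) -> float:
        return HOURS_PER_YEAR * (1.0 - self.system_availability())


def single_points_of_failure(components: List[Component]) -> List[str]:
    """Components with no redundancy: one fault stops the workflow."""
    return [c.name for c in components if c.units < 2]


def misses_rto(components: List[Component], rto_hours: float) -> List[str]:
    """Non-redundant components whose repair time exceeds the RTO; for these
    the RTO can only be met by provisioning redundancy or cutting MTTR."""
    return [c.name for c in components
            if c.units < 2 and c.mttr_hours > rto_hours]


# Constructed workflow: order processing depends on three systems.
WORKFLOW = [
    Component("database server", mtbf_hours=10_000, mttr_hours=8),
    Component("web front end", mtbf_hours=5_000, mttr_hours=2, units=2),
    Component("payment gateway link", mtbf_hours=2_000, mttr_hours=24),
]

if __name__ == "__main__":
    for c in WORKFLOW:
        print(f"{c.name:22s} A={c.system_availability():.5f} "
              f"downtime/yr={c.expected_downtime_hours():.2f}h")
    print("single points of failure:", single_points_of_failure(WORKFLOW))
    print("cannot meet 12h RTO:", misses_rto(WORKFLOW, rto_hours=12))
```

The web front end has the worst MTBF of the three but, with two units, the lowest expected downtime; the database server, despite a long MTBF, still fails the 4-hour case in the test below because its 8-hour MTTR is what the RTO actually has to absorb. That is the slide's point: MTBF tells you how often, MTTR tells you how long, and only redundancy changes whether the workflow stops at all.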
Disasters
Internal versus external
Whether or not threat actor/source has privileged access
External disasters affecting supply chain
Person-made
Internal or external disaster due to human agency
Malicious or accidental
Environmental
Could not be prevented by human agency
Site risk assessment
Risk from natural disaster
Resiliency of utility supply
Health and safety risks
Disaster Recovery Plans
Identify specific scenarios for disaster-level incidents
Risk and cost assessment
Threat modeling
Identify tasks, resources, and responsibilities for response
Train staff in disaster recovery and change management
Notifications to stakeholders and agencies
Functional Recovery Plans
Demonstrate effectiveness through walkthroughs and exercises
Walkthroughs, workshops, and orientation seminars
Presentation and description-oriented
Tabletop exercises
Facilitator-led discussion scenarios
Functional exercises
Action-based engagements using simulations
Full-scale exercises
Action-based engagements simulating major events
More typical of public agencies
Review Activity
Business Impact Analysis Concepts
Summary
Lesson 19