Understand and Apply Risk Management Concepts

  • Risk management involves three primary steps: identify threats and vulnerabilities, assess the risk (risk assessment), and choose whether and how to respond (often the choice is risk mitigation). As part of managing overall risk, the IT team strives to secure the IT environment, gives management the information it needs to make informed decisions, and enables management to sign off on (accept) the IT environment based on the organization's goals and requirements. Risk management also has a financial component: management must balance the risk against the budget. Ideally the organization spends the minimum money and time needed to bring risk down to a level it finds acceptable. Risk is never reduced to zero; whatever remains after the chosen controls is the residual risk that management formally accepts.


  • Identify threats and vulnerabilities. Threats and vulnerabilities are linked: a threat (such as an attacker taking over a client computer) can only be realized when a matching vulnerability (such as an unpatched client computer) is present. That pairing is a known threat. Unknown threats also exist, such as a remotely exploitable bug in your anti-virus software that only the attacker knows about (a zero-day). You cannot patch what you do not know about, so identification also relies on threat intelligence, vendor advisories and monitoring for the behaviour an exploit would produce, not only on scanning for known vulnerabilities.


  • Assess risk. You have a risk only when a threat and a vulnerability coincide. For each such pair, estimate the likelihood that the threat will exploit the vulnerability and the impact (consequences) if it does; the risk is the combination of the two. Be familiar with the three approaches.


  • Qualitative. This method uses a risk analysis matrix with likelihood on one axis and consequence on the other, and assigns a rating such as low, medium, high or extreme. For example, if the likelihood is rare and the consequences are minor, the risk is low; if the likelihood is almost certain and the consequences are major, the risk is extreme. The ratings come from expert judgement, so they are quick to produce but subjective and hard to compare across assessments.


  • Quantitative. This method is more objective than the qualitative method: it expresses risk in dollars or another measurable metric. The standard formulas are single loss expectancy SLE = AV × EF (asset value times exposure factor, the fraction of the asset lost in one incident) and annualized loss expectancy ALE = SLE × ARO (SLE times the annualized rate of occurrence). ALE is what you compare against the annual cost of a countermeasure. The method requires accurate asset values and frequency data, which are not always available.


  • Hybrid. A mix of qualitative and quantitative: where a dollar amount can be assigned with confidence, use it; where it cannot (reputational damage, for instance), fall back to a qualitative rating. This often provides a good balance between the rigour of quantitative analysis and the speed of qualitative analysis.


  • Respond to risk. You must formulate a plan of action for each risk you identify. For a given risk, you can choose risk mitigation (implement controls that reduce likelihood or impact), risk transference, also called risk assignment (shift the financial consequence to a third party through insurance, a contract or an outsourcing provider; accountability stays with you), risk avoidance (stop or redesign the activity that creates the risk) or risk acceptance (knowingly carry the risk, documented and signed off by management, typically because the cost of a control exceeds the expected loss). Ignoring a risk (risk rejection) is sometimes listed as an option, but it is not a legitimate response: it is acceptance without the analysis or the sign-off.
    Outside of the three primary steps for applying risk management, you should familiarize yourself with some of the details of those three steps.
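The assess-and-respond steps worked through in code, as an added example that is not part of the original page. The formulas are the standard quantitative ones (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before minus ALE after minus the safeguard's annual cost); the customer-database asset, the threat figures and the three candidate countermeasures are constructed for the illustration. The decision function picks the countermeasure with the highest positive annual value and recommends documented acceptance when none pays for itself, which is the point the text makes about balancing risk against budget.

```python
"""Assess a risk quantitatively and decide how to respond (added example, not from the page).

Formulas (standard quantitative risk analysis):
    SLE = AV * EF            single loss expectancy: asset value times exposure factor
    ALE = SLE * ARO          annualized loss expectancy: SLE times annualized rate of occurrence
    value of a safeguard = ALE(before) - ALE(after) - annual cost of the safeguard
The asset, threat figures and candidate safeguards below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost in one incident (0.0-1.0)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # purchase amortized over its life plus operating cost, per year
    new_ef: float        # exposure factor with the safeguard in place
    new_aro: float       # rate of occurrence with the safeguard in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual value of a safeguard: loss avoided minus what the safeguard costs."""
    after = Risk(risk.asset_value, sg.new_ef, sg.new_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def choose_response(risk: Risk, candidates: list) -> tuple:
    """Pick the safeguard with the highest positive value (mitigate).

    Returns (safeguard, value). If no candidate is worth more than it costs,
    returns (None, 0.0): the correct response is then documented acceptance,
    not a control that costs more than the loss it prevents.
    """
    best = max(candidates, key=lambda sg: safeguard_value(risk, sg), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return None, 0.0
    return best, safeguard_value(risk, best)


# Constructed scenario: a customer database worth $1M; a breach is expected to
# destroy 30% of its value and to happen once every two years.
EXAMPLE_RISK = Risk(asset_value=1_000_000, exposure_factor=0.30, aro=0.5)

CANDIDATES = [
    # Encryption plus a key vault: a stolen copy is nearly worthless, incidents as frequent.
    Safeguard("encrypt data at rest", annual_cost=40_000, new_ef=0.05, new_aro=0.5),
    # Annual penetration test: catches the exploitable bugs, so breaches become rarer.
    Safeguard("annual penetration test", annual_cost=25_000, new_ef=0.30, new_aro=0.2),
    # A large DLP suite reduces the risk the most but costs more than the loss it prevents.
    Safeguard("enterprise DLP suite", annual_cost=200_000, new_ef=0.02, new_aro=0.1),
]


if __name__ == "__main__":
    print(f"SLE = ${EXAMPLE_RISK.sle():,.0f}, ALE = ${EXAMPLE_RISK.ale():,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:28s} value/year = ${safeguard_value(EXAMPLE_RISK, sg):>10,.0f}")
    chosen, value = choose_response(EXAMPLE_RISK, CANDIDATES)
    print("response:", f"mitigate with {chosen.name}" if chosen else "accept the risk")
```

The DLP suite is instructive: it reduces the ALE the most, yet its value is negative, so buying it would be spending more than the risk is worth. If the only option on the table were that suite, the function returns acceptance, which is the answer management should be asked to sign off on.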


  • Countermeasure selection and implementation. You reduce a particular risk by implementing a countermeasure, sometimes referred to as a “control” or a “safeguard”; it can be a technical (software or hardware), administrative or physical measure. Suppose you have a password policy that a legacy application cannot technically meet (for example, the app is limited to 10 characters for the password). To reduce the likelihood of that password being compromised, you can implement any of several countermeasures: for instance, require that the password be changed more frequently than other (longer) passwords, or mandate that it be stored in a secure password vault that requires two-factor authentication. Whichever you choose, the countermeasure should cost less than the loss it prevents, and you should verify after implementation that it actually reduces the risk rather than assuming it does. For your exam preparation, don’t just understand the words and definitions; understand how you implement the concepts in your environment. You don’t have to provide a step-by-step technical configuration, but you must understand the implementation process: where you start, the order of the steps you take and how you finish.
    • Applicable types of controls. Be familiar with the six types of controls:
    • Preventive. This type of control is intended to stop a security incident before it happens. For example, you add an anti-virus product to your computers, or you require multi-factor authentication.
    • Detective. This type of control is used to discover that a security incident has occurred, or is occurring, and to capture its details, sometimes including the identity of the attacker. Examples are intrusion detection systems, audit log review and file integrity monitoring.
    • Corrective. A corrective control implements a fix after a security incident occurs, such as quarantining a malware-infected file or re-imaging a compromised host.
    • Deterrent. This type of control attempts to discourage attackers rather than physically stop them. For example, a visible camera, a logon warning banner, or a policy of locking your office whenever you leave for lunch or go home for the day; many deterrents, such as the lock, are preventive as well.
    • Recovery. A recovery control tries to get the environment back to where it was prior to a security incident, such as restoring from backup or failing over to a standby site.
    • Compensating. A compensating control is an alternative control that reduces a risk when the primary control cannot be applied. Suppose you need to enable outside users to get to your SharePoint site, which resides on your local area network. Instead of opening the firewall to permit communication from the internet to your internal SharePoint servers, you can implement a compensating control, such as deploying a reverse proxy to the perimeter network and enabling SharePoint external access through the reverse proxy. In the end, the functionality is typically the same, but the method of getting there is different.


  • Security Control Assessment (SCA). You need to periodically assess your security controls. What’s working? What isn’t? As part of this assessment, the existing control documentation (policies, procedures, system security plans) is thoroughly reviewed, and a sample of the controls is tested to confirm they operate as documented. A report is typically produced to show the outcomes, and the organization uses it to remediate deficiencies and track them until they are closed.


  • Monitoring and measurement. Monitoring and measurement are closely aligned with identifying risks. For example, if there are many invalid database query attempts coming from your web server, it might indicate an attack. At a minimum, it is worth investigating; whether action is required will depend on what you find. Without the proper monitoring in place, you won’t know about these types of events, and you might not know when someone is probing your network. Even if you are capturing monitoring information, it isn’t enough by itself. You also need a way to measure it against a baseline. For example, if your monitoring shows 500 invalid logon attempts on your web server today, is that a cause for concern? Or is that typical because you have 75,000 users? The count only becomes meaningful when you compare it with what a normal day looks like and break it down by source, account and time. While monitoring is used for more than security purposes, you need to tune it to ensure you are notified about potential security incidents as soon as possible. In some cases it will be too late and a data breach will have occurred. That’s when the monitoring data becomes valuable from a forensics perspective: you need to be able to look back at the data, figure out why you didn’t see anything during the incident, and decide what adjustments to make to minimize the chances of it happening again. Retention matters here; logs that have rolled over before the breach is discovered are worthless to the investigation.
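The 500-invalid-logons question worked through as an added example (not code from the original page): a small detector that parses constructed web-server authentication log lines, compares today's total failures with a constructed seven-day baseline, and then measures failures per source address and per account. The log format, the addresses, the baseline figures and the thresholds are all assumptions made for the illustration. The total comes in at exactly 500 and sits inside the baseline, yet the per-source measurement surfaces a password-spraying host and a brute-force attempt against one account, which is the difference between monitoring and measuring.

```python
"""Monitoring is not measurement: the same raw count means different things against a baseline.

Added example, not from the page. The log format, the baseline history, the IP addresses
and the thresholds are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> <source-ip> user=<account> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed history of daily failed logons for a 75,000-user site (last seven days).
BASELINE_DAILY_FAILURES = [470, 510, 495, 520, 480, 505, 490]


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def measure(events, baseline, per_source_limit=50, sigma=3.0):
    """Turn raw failure counts into findings by comparing them with the baseline.

    - volume: today's total failures exceed mean + sigma * stdev of the baseline
    - spray: one source fails against many distinct accounts (password spraying)
    - bruteforce: one source fails many times against few accounts
    """
    failures = [e for e in events if e["result"] == "FAIL"]
    findings = []

    threshold = statistics.mean(baseline) + sigma * statistics.pstdev(baseline)
    if len(failures) > threshold:
        findings.append(("volume", len(failures)))

    per_source = Counter(e["src"] for e in failures)
    accounts_per_source = defaultdict(set)
    for e in failures:
        accounts_per_source[e["src"]].add(e["user"])

    for src, count in per_source.items():
        if count < per_source_limit:
            continue
        accounts = len(accounts_per_source[src])
        kind = "spray" if accounts > count // 2 else "bruteforce"
        findings.append((kind, src, count, accounts))

    return {"total_failures": len(failures), "threshold": round(threshold, 1), "findings": findings}


def constructed_log():
    """Build today's log: background noise, one spraying host, one brute-force host."""
    ts = "2024-05-01T09:00:00Z"
    lines = []
    # 260 ordinary users each mistyping their password once (and 40 logging in fine).
    for i in range(260):
        lines.append(f"{ts} 10.0.{i // 256}.{i % 256} user=u{i} result=FAIL")
    for i in range(40):
        lines.append(f"{ts} 10.0.2.{i} user=u{i} result=OK")
    # One external host trying a single guess against 180 different accounts.
    for i in range(180):
        lines.append(f"{ts} 203.0.113.7 user=u{1000 + i} result=FAIL")
    # Another host hammering the one 'admin' account 60 times.
    for _ in range(60):
        lines.append(f"{ts} 198.51.100.9 user=admin result=FAIL")
    lines.append("this line is not in the expected format and is ignored")
    return lines


if __name__ == "__main__":
    report = measure(parse(constructed_log()), BASELINE_DAILY_FAILURES)
    print(f"{report['total_failures']} failures today, baseline alert threshold {report['threshold']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against a much quieter baseline (say, a hundred failures a day) the same 500 events also trip the volume check, which is the tuning point the text makes: the alert thresholds have to be derived from your own environment, not copied from someone else's.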


  • Asset valuation. When you think of assets, don’t just think of physical assets such as computers and office furniture (tangible assets). Assets also include the company’s data and intellectual property (intangible assets). While tangible assets are easy to assess for value (for example, you bought the disk drive for $250), data and intellectual property can be harder to place a value on. Be familiar with the following strategies of intangible asset valuation:
    • Cost approach. How much would it cost to replace the asset?
    • Income approach. How much income will the asset produce over its lifetime?
    • Market approach. How much does a similar asset cost?
    • Quantitative approach. Assigns a dollar value to the asset so that the loss from an incident can be computed; this is the input the quantitative risk assessment above needs.
    • Qualitative approach. Assigns a relative score (for example, critical, high, medium or low) when a defensible dollar figure cannot be produced; this feeds the qualitative risk assessment.


  • Reporting. One of the foundations of an enterprise-grade security solution is the ability to report on your environment: what you have, what the top risks are, what’s happening right now, what happened 3 days ago, and so on. Reporting provides information, and that information is often what starts a continuous improvement process.


  • Continuous improvement. Continuous improvement is an ongoing, never-ending effort to take what you have and improve it. Often, improvements are small and incremental. However, over time, small improvements can add up. Continuous improvement can be applied to products (for example, upgrading to the latest version), services (for example, expanding your internal phishing testing) or processes (for example, automating processes to save time and improve consistency).
  • Risk frameworks. A risk framework documents how your organization handles risk assessment, risk response and ongoing monitoring. See http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf for an example of a risk framework (the NIST Risk Management Framework). There are other risk frameworks, such as the British Standard BS 31100 and ISO 31000. Be familiar with risk frameworks and their goals. The NIST framework in that revision identifies the following steps: categorize, select, implement, assess, authorize and monitor; revision 2 of SP 800-37 adds a preparatory step, prepare, ahead of categorize.

8 thoughts on “Understand and Apply Risk Management Concepts”

  1. I’m not that much of an online reader, to be honest, but your site’s
    really nice, keep it up! I’ll go ahead and bookmark your site
    to come back to later on.
    Many thanks

  2. I am not sure where you are getting your info, but
    great topic. I must spend a while studying much more
    or working out more. Thank you for the wonderful information; I was searching for this
    information for my mission.

  3. These are in fact wonderful ideas concerning blogging.
    You have touched some nice points here. Anyway, keep up

  4. Having read this, I thought it was rather enlightening.
    I appreciate you finding the time and effort to put this content together.

    I once again find myself spending way too much time both
    reading and commenting. But so what, it was still worth

  5. New Ssn Number Generator

    Hey, I’m here for the first time. I found this board and I find it really useful; it helped me out a lot. I hope to give something back and help others like you helped me.
