Security Governance and Risk Management
Cybersecurity is a structured approach toward Risk Mitigation of Cybersecurity Risks. This Blog will help you understand the Risk Management from a CISSP Exam perspective.
CISSP Objective: 1.10 Understand and apply risk management concepts.
Asset: An asset is any data, personnel, devices, facilities, systems, or another component of an organization's systems that is valuable and enables the organization to enable the business purpose.
Asset Valuation: Asset Valuation (Cost of developing or acquiring, Value to the Business, Value to the adversaries, Competitive value (others are ready to pay) maintenance cost, impact if the asset is not available – financial and reputational (Brand), cost of replacement, Legal/Regulatory liabilities
Why do we need to calculate the asset Value?
Perform Cost/Benefit Analysis | Effective Control Selection | Purchase of insurance | Understand the loss | Comply with legal requirements.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability severity is based on: Ease of Discovery, Ease of exploitation, Awareness (publicly known or obvious) & Propensity for Violence Detection
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat needs an actor and a vector.
Threat Source: A malicious person with harmful intent or an unintended or unavoidable situation (such as a natural disaster, technical failure, or human error) may trigger a vulnerability
An independent agent with the capability to do harm. Type of threat Actors:
Cybercriminals – Hackers groups (Greed), Script Kiddies
Nation-State Actors – Selective | Advanced | Can compromise organizations to meet their ultimate goals
Hacktivists: Motivated by some ideology | Seek for high visibility | Aim to embarrass government entities or undermine public trust in them.
Internal Actors: People within the organization (High opportunity) | Two types - negligent and malicious
Nature: Covid, Flood, Political situation
A threat vector is a path or a means by which malicious attacks may take to get past the defenses and affect the organization
Impact : Risk impact is an estimate of the potential losses associated with an identified risk. Technical Impact: Loss of CIA, Loss of accountability. Business Impact: Financial, Reputational (Brand), Non-Compliance, People
Risk : Risk is defined as the potential for loss or damage when a threat exploits a vulnerability
Risk Calculation: Risk = Impact x Likelihood
Exposure Factor – the Percentage of damage if risk gets realized once
Inherent Risk
Risk before implementing the security controls (or without risk treatment)
Residual Risk
Risk Remaining after control implementing (risk treatment)
Quantitative – Risk is calculated based on an assumed scale (E.g., 1-5) and the outcome of Risk analysis is represented in terms of Critical, high, Medium or low.
Quantitative – The risk calculation is based on currency value and the output risk calculation is also in Quantitative (currency) terms
The Information Security Risk Management (ISRM) policy should align with the Organization’s Enterprise risk management policy. Most companies have an Enterprise Risk Management (ERM) policy to manager overall risk of the organization (including risk from Information systems)
Information Security Risk Management Policy should include.
• The level of risk the organization will accept and what is considered an acceptable level of risk
• Formal processes of risk identification
• The connection between the ISRM policy and the organization’s strategic planning processes
• Responsibilities that fall under ISRM and the roles to fulfill them
• The mapping of risk to internal controls
• The approach toward changing staff behaviors and resource allocation in response to risk analysis
• The mapping of risks to performance targets and budgets
• Key metrics and performance indicators to monitor the effectiveness of controls
Risk can be managed at various levels (Strategic, Tactical and operational level). The below snip is taken from NIST 800-39 to explain the concept
Risk Management is a structured approach to Identify, Analyze, Respond and Monitor risk in an organization.
Each step is interrelated and must be performed in sequence to achieve the desired outcome. In CISSP Exam, you may be asked about the sequence or activities pertaining to each step in a logical order. This section is highly testable.
Let’s understand these steps:
Before starting the risk assessment, the First step is to identity the purpose of Risk Assessment. E.g., The purpose may to meet the compliance requirements or to routinely identify internal gaps.
The Scope of Risk Assessment will include Infrastructure, Application, Network, and Third parties. If the risk assessment is performed on a particular business process, in that case all elements (Infra, Network etc.) pertaining to that process will be in scope.
How to start the process: You can’t be an expert in all areas as a risk analyst. The way to take up this task is to start communication and collaborate with the stakeholders (Project managers, Subject matter experts etc.) to understand the risk pertaining to their process. this communication and collaboration can be in the form of internal surveys, interviews, or workshops | Questionnaires | Delhi Technique. Delphi methods is an anonymous survey in which no names are revealed during the process. This helps stakeholders to provide open feedback and inputs.
Irrespective of you are going with Qualitative or Quantitative Risk Assessment, you can take guidance from some well-established frameworks (Guidelines).
There are so many well-established methodologies available to access the Risk. Examples include:
NIST SP 800- 30
NIST SP 800-30 suggest the Risk Assessment approach which is focused on IT Security Risk and include the following steps:
Prepare for the Assessment
Conduct the assessment (Identify Threat sources and events – Risk scenarios | identify Vulnerabilities | likelihood assessment | Evaluate Impact Rating | Evaluate Risk
Facilitated Risk Analysis Process (FRAP)
FRAM is best suited if you have limited budget. This is much focused assessments on individual Systems/Processes to save cost. steps involve
Pre-screening to limit assessment to the system which is really required to reduce cost and effort.
One system or process or application at a time
Evaluate Risk based on SME experience and not risk calculation
Failure Mode and Effect Analysis (FMEA)
Understand how a security flow in a system can impact negatively
Method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process (E.g., Identify SPOF)
What we do:
1. Failure Mode (how a system can fail)
2. Evaluate impact
Review block diagram of a system/control | what if one block fails | prepare a matrix on failure and effect | Document controls | Peer and management review
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
OCTAVE is a risk-based strategic assessment and planning method. OCTAVE focuses on assessing organizational risks only and does not address technological risks. OCTAVE has three phases:
Building asset-based threat profiles. (Organizational evaluation). Identifying infrastructure vulnerabilities. (Information infrastructure evaluation) Developing and planning a security strategy. (Evaluation of risks to the company's critical assets and decision-making.)
Risk Analyze includes the Risk Scenario, validate applicability, and examine existing controls for effectiveness, Cost-effectiveness, Timeliness, relevance, and responsiveness.
Risk = Likelihood X Impact
Likelihood: possibility that a risk may occur
Impact: Loss to the organization in terms of Finance, Reputation or regulatory fines, or the morale of the employees
Qualitative Risk Analysis:
In Qualitative Risk analysis, both the Factors (Likelihood and impact) are not measured in terms of currency, instead, they can be measured (rated) based on a scale of 1-5. where 5 is the highest level of likelihood or impact.
Quantitative Risk Analysis:
In this approach, the outcome of the risk is derived in terms of currency (dollar value), hence the inputs also are taken in Quantitative terms (currency)
Asset Value (Cost of purchase including maintenance or Cost of replacement of the asset, Cost of the financial/reputational/competitive loss if the asset is not available)
Exposure Factor (Represented in Percentage and indicates the loss/damage to the asset if the risk realize only once)
Single Loss Expectancy (SLE): impact/loss due to one single Loss event
Annual Rate of Occurrence (ARO): How many times a risk has occurred in a year or is expected to occur in a year. i.e., If a flood hits once in 5 years ARO will be 1/5; If Flood hits twice in a year, then ARO = 2
Annual Loss Expectancy (ALE): Total loss in financial terms in a year due to a particular risk. Remember the risk Formula: Risk = Impact * Likelihood; Implementing the same here:
But how to evaluate the SLE?
In a Qualitative Risk Analysis, both the values once derived are multiplied to evaluate the risk. Once evaluated; to make it easy for leadership to understand, the values are mapped on a heat map (shown below).
This helps leadership to prioritize investment and efforts for risks that are exceeding the risk appetite levels (those in dark orange and red).
There are 4 ways in which a risk can be responded. This is important from an exam perspective.
Risk Avoidance: Leadership tries to avoid the risk by recommending alternate means to achieve the business goal or stop the activity altogether if the risk is very high and the outcome is low.
Risk Transfer: Leadership decided to Transfer the risk to other parties. Please note, a complete transfer of risk is never possible, hence we use a risk-sharing method. E.g., purchasing a Cyber Breach Insurance, or outsourcing operations to a third party with due contract (with appropriate liability clauses)
Risk Mitigation: Leadership decided to mitigate risk. This may happen through a set plan of action and may also require approval of funds for starting a new project. In most organizations, a Management Action plan with milestones is approved by the management with allocation of funds, resources with a central team monitoring the progress on remediation.
Risk Acceptance: Least preferred method. However, if the risk is within the risk appetite level of the organization, leadership may decide to accept the risk. however, since the risk is dynamic in nature, such risk must be monitored periodically to ensure it remains within the acceptance level.
Risk monitoring is the ongoing process of adding new risks, evaluating existing ones, removing moot ones, and continuously assessing the effectiveness of our controls in mitigating all risks to tolerable levels. Risk has to be monitored on a continuous / Periodic basis to evaluate if the risk is under control. A Risk which is within acceptable level today can turn out of risk Appetite due to change in environment.
Continuously monitor the effectiveness of our controls against the risks for which we designed them. This can be achieved through periodically evaluating the Balanced security scorecard | Service Level Agreement (SLA) | Return on Investment (ROI)
Effectiveness monitoring: good indicator is Incidents being reported. However, the effectiveness of controls may change over time.
A control is an arrangement which can prevent, reduce the risk or its impact to the organization. A control may also be referred to as countermeasure or safeguard.
Safeguard – proactive control to prevent the risk from happening.
Countermeasure – relative control to reduce the impact, remediate the root case or recover from the risk.
Based on the Nature of Control, it can be categorized under any of the below category:
Based on the Function (working) of the control, they can be categorized as followings:
Deterrent: A control intended to discourage an attacker.
Preventive: keeps an incident from occurring.
Detective: Identifies the occurrence of an event and possibly the actor
Corrective: Fixes things after the incident
Recovery: A control which returns the environment back to normal operations.
Compensating: A control that provides an alternative means when another control isn’t/can’t be used.
Please note that a control can be part of multiple categories above. E.g., An Antivirus can be preventive, detective and corrective control too. Its is just a concept.
Control selection is important, and it depends on multiple criteria like.
Selection of the right control also is critical, which means a selected control should have the following characteristics:
Always perform a Cost: Benefit Analysis before recommending/selecting a control
Cost Calculation: The cost calculation here should be the Total Cost of Ownership (TCO), which may include the cost of the control (e.g., Purchasing a Firewall), Designing / Planning cost, implementation cost, Modification or upgrade cost, testing, Repair, Operating or replacement, subscription cost or even manhours spent on monitoring and responding to alerts.
Benefit Calculation: Benefit calculation will be decided based on how much risk has been reduced after implementing the control (Residual Risk)
If the Cost of the Control is more than the Benefit – it’s a bad Decision!
If the Cost of the Control is less than the Benefit – it’s a good Decision!
Which means:
Total risk reduction (per year) - TCO of the Control (per year) = should be a (+) positive value for a good decision.
Control Effectiveness: Control Assessments to determine whether the controls are effective as set in their control objective. A control objective is a documented statement mentioning what is expected out of a control with defined metrics for measuring the effectiveness.
Verification answers the question “did we implement the control right?” while validation answers the question “did we implement the right control?”
Congratulations! you have done a great job in completing your daily target. It’s time to Reward yourself! Hope you are enjoying your CISSP Journey 😊. For any feedback, please write to us: manoj@cybernous.com