Lesson 19
Summarizing Risk Management Concepts
Topic 19A
Explain Risk Management Processes and Concepts
                  CompTIA Security+ Lesson 19 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org   2
Syllabus Objectives Covered
• 5.4 Summarize risk management processes and concepts
Risk Management Processes
• Phases of risk management
  1.   Identify mission essential functions
  2.   Identify vulnerabilities
  3.   Identify threats
  4.   Analyze business impacts
  5.   Identify risk response
• Risk assessment
  •    Likelihood and impact
• Enterprise risk management (ERM) frameworks
• Risk and control self-assessment (RCSA)
• Risk and control assessment (RCA)
Risk Types
• External
   •   Cyber threat actors and natural or person-made disasters
• Internal
   •   Risks that arise from assets that are owned/managed
• Multiparty
   •   Ripple impacts in the supply chain
• Intellectual property (IP) theft
• Software compliance/licensing
   •   Shadow IT
• Legacy systems
Quantitative Risk Assessment
• Quantitative versus qualitative assessments
• Concrete values to risk factors
   •   Exposure Factor (EF): the fraction of an asset's value that is lost in a single incident
   •   Single Loss Expectancy (SLE): the cost of one occurrence, SLE = asset value (AV) × EF
   •   Annualized Rate of Occurrence (ARO): the expected number of incidents per year (can be fractional, e.g. 0.5 for once every two years)
   •   Annualized Loss Expectancy (ALE): the expected loss per year, ALE = SLE × ARO
• Difficulty of forecasting likelihood (the ARO is usually an estimate from historical or industry data)
• Difficulty of assessing impact/cost (the EF must account for indirect costs such as downtime and reputation)
Qualitative Risk Assessment
• Seeks opinions and uses broad categorizations rather than monetary values
• Heat map or traffic light impact matrix (likelihood versus impact)
• Security Categorizations (FIPS 199)
   •   Low
   •   Moderate
   •   High
Risk Management Strategies
• Inherent risk
   •   Level of risk before any type of mitigation has been attempted
• Risk posture and prioritization
   •   Regulatory requirements
   •   High value asset, regardless of threat likelihood
   •   Threats with high likelihood
   •   Procedures, equipment, or software that increase the likelihood of threats
   •   Return on Security Investment (ROSI): (reduction in ALE − annual cost of the control) ÷ annual cost of the control
• Risk mitigation/remediation
   •   Deploy countermeasure
   •   Reduce likelihood or impact or both
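The SLE/EF/ARO/ALE arithmetic from the quantitative assessment slide and the ROSI comparison above, worked through in code. This is an added example, not material from the CompTIA slides; the web-server asset value, exposure factors, rates and control costs are constructed for illustration, and the two candidate controls and their assumed effects on EF and ARO are hypothetical.

```python
"""Added worked example (not from the CompTIA slides): SLE/ALE arithmetic and
ROSI used to rank candidate controls.  All asset values, exposure factors,
rates and control costs below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: replacement/business value of the asset (currency)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year (0.5 = once every two years)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # recurring cost of running the countermeasure
    new_exposure_factor: float  # EF after the control is in place (reduces impact)
    new_aro: float              # ARO after the control is in place (reduces likelihood)


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: (ALE reduction - cost) / cost.

    A negative value means the control costs more per year than the loss it
    avoids on this scenario alone; it may still be justified by a regulatory
    requirement or by other scenarios it also mitigates."""
    if annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def evaluate_controls(scenario: RiskScenario,
                      controls: List[Control]) -> List[Tuple[str, float, float]]:
    """Rank candidate controls for a scenario by ROSI, best first.

    Returns (control name, residual ALE, ROSI) tuples."""
    results = []
    for c in controls:
        mitigated = replace(scenario, exposure_factor=c.new_exposure_factor, aro=c.new_aro)
        results.append((c.name, mitigated.ale(),
                        rosi(scenario.ale(), mitigated.ale(), c.annual_cost)))
    return sorted(results, key=lambda r: r[2], reverse=True)


# Constructed scenario: a customer-facing web server valued at 200,000.
# Inherent (unmitigated) risk: a compromise costs a quarter of AV, roughly every two years.
WEB_SERVER = RiskScenario("web server compromise", asset_value=200_000,
                          exposure_factor=0.25, aro=0.5)

# Constructed candidate controls with assumed effects on EF and ARO.
CANDIDATES = [
    Control("WAF + monthly patching", annual_cost=8_000, new_exposure_factor=0.20, new_aro=0.1),
    Control("hot standby site", annual_cost=30_000, new_exposure_factor=0.05, new_aro=0.5),
]

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}  ALE = {WEB_SERVER.ale():,.0f}")
    for name, residual_ale, r in evaluate_controls(WEB_SERVER, CANDIDATES):
        print(f"{name:25s} residual ALE = {residual_ale:8,.0f}  ROSI = {r:+.2f}")
```

For the constructed figures the inherent ALE is 25,000 per year; the patching/WAF control leaves a residual ALE of 4,000 for 8,000 per year (ROSI +1.62), while the hot standby cuts impact but not likelihood and costs more than it saves on this scenario (ROSI −0.33). The negative result is the point of the exercise: it does not make the standby wrong, only unjustified by this one scenario, which is exactly where the prioritization factors on the slide (regulation, high-value asset, other threats) come in.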
Risk Avoidance and Risk Transference
• Avoidance
  •   Stop doing the risky activity
• Transference
  •   Assign risk to a third-party
  •   Cybersecurity insurance
  •   Limits to transference
Risk Acceptance and Risk Appetite
• Risk acceptance/tolerance
   •   Risk is assessed and monitored, but no countermeasure is put in place
   •   Do not ignore risk
• Residual risk
   •   Likelihood and impact after mitigation
• Risk appetite
   •   Willingness to tolerate a certain level of risk
   •   Established at an organization or project level
• Control risk
   •   Loss of countermeasure effectiveness over time
Risk Awareness
• Communicate risk factors to stakeholders
• Risk registers
   •   Risk matrix/heat map
   •   Graphs
   •   Relevance to workflows
Topic 19B
Explain Business Impact Analysis Concepts
Syllabus Objectives Covered
• 5.4 Summarize risk management processes and concepts
Business Impact Analysis
• Business impact analysis (BIA) reports for threat scenarios
   •   Calculate impact as costs
   •   Justifies and prioritizes investment in security controls
• Business continuity planning/continuity of operations planning (COOP)
   •   Identifies controls and processes that maintain critical workflows
Mission Essential Functions
• Business activities that cannot be deferred
   •   Contrast with primary business functions (PBF), which can be deferred for a limited period
• Metrics, such as the recovery time objective (RTO) for each function
Identification of Critical Systems
• Supporting asset types
   •   People, tangible assets, intangible assets, procedures
• Business process analysis (BPA)
   •   Inputs
   •   Hardware
   •   Staff and other resources
   •   Outputs
   •   Process flow
Single Points of Failure
• Asset that causes the entire workflow to fail if it is damaged or otherwise not available
• Mean time to failure (MTTF) and mean time between failures (MTBF)
   •   MTTF for components that are replaced rather than repaired; MTBF for repairable systems
   •   Determine how likely failures are to occur
   •   Provision redundancy where a single component's failure rate is unacceptable
• Mean time to repair (MTTR)
   •   Time to correct a fault and restore the component to service
   •   Must fit within the recovery time objective (RTO); availability ≈ MTBF ÷ (MTBF + MTTR)
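Turning the MTBF/MTTR figures above into something a BIA can act on: per-component availability, the availability of a workflow whose components are all required, which components are single points of failure, and which of them cannot be repaired within the RTO. This is an added example, not material from the CompTIA slides; the order-processing workflow, its component figures and the four-hour RTO are constructed for illustration, and the redundancy model assumes independent failures (an assumption stated in the code).

```python
"""Added worked example (not from the CompTIA slides): turning MTBF/MTTR
figures into availability, spotting single points of failure in a workflow,
and checking each component's MTTR against the recovery time objective.
Component figures and the RTO are constructed for illustration."""
from dataclasses import dataclass
from math import prod
from typing import List

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Component:
    name: str
    mtbf_hours: float    # mean time between failures (repairable component)
    mttr_hours: float    # mean time to repair / restore service
    redundancy: int = 1  # number of identical, independently failing instances

    def unit_availability(self) -> float:
        """Steady-state availability of one instance: MTBF / (MTBF + MTTR)."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)

    def availability(self) -> float:
        """Availability of the redundant group: at least one of n instances up.

        Assumes failures are independent, which is optimistic for instances
        sharing power, network or a common software bug."""
        return 1.0 - (1.0 - self.unit_availability()) ** self.redundancy


def workflow_availability(components: List[Component]) -> float:
    """Components that must all be up form a series system: availabilities multiply."""
    return prod(c.availability() for c in components)


def annual_downtime_hours(availability: float) -> float:
    """Expected hours per year the workflow is unavailable."""
    return (1.0 - availability) * HOURS_PER_YEAR


def single_points_of_failure(components: List[Component]) -> List[str]:
    """Any component with no redundancy takes the whole workflow down when it fails."""
    return [c.name for c in components if c.redundancy < 2]


def rto_violations(components: List[Component], rto_hours: float) -> List[str]:
    """Components whose expected repair time alone exceeds the RTO.

    A redundant group masks the repair of one instance, so only
    un-redundant components count."""
    return [c.name for c in components
            if c.redundancy < 2 and c.mttr_hours > rto_hours]


# Constructed order-processing workflow: firewall -> app servers -> database.
ORDER_WORKFLOW = [
    Component("firewall", mtbf_hours=20_000, mttr_hours=4),
    Component("app server", mtbf_hours=10_000, mttr_hours=8, redundancy=2),
    Component("database", mtbf_hours=8_760, mttr_hours=24),   # single instance
]
RTO_HOURS = 4  # assumed business recovery time objective for order processing

if __name__ == "__main__":
    a = workflow_availability(ORDER_WORKFLOW)
    print(f"workflow availability {a:.5f}  (~{annual_downtime_hours(a):.1f} h/year down)")
    print("single points of failure:", single_points_of_failure(ORDER_WORKFLOW))
    print("components breaching RTO:", rto_violations(ORDER_WORKFLOW, RTO_HOURS))
    # Adding a database replica removes the SPOF and the RTO breach:
    fixed = ORDER_WORKFLOW[:-1] + [Component("database", 8_760, 24, redundancy=2)]
    print(f"with database replica: {workflow_availability(fixed):.6f}")
```

With the constructed figures the database dominates: a single instance that fails about once a year and takes a day to restore gives the workflow roughly 26 hours of expected downtime per year and a 24-hour outage against a 4-hour RTO, so it is both a single point of failure and an RTO breach. The firewall is also a single point of failure but its 4-hour MTTR fits the RTO, which is why the two checks are kept separate: redundancy decisions are driven by the first list, recovery-procedure decisions by the second.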
Disasters
• Internal versus external
   •   Internal if the threat actor/source has privileged access to the organization's systems or site; external otherwise
   •   External disasters affecting supply chain
• Person-made
   •   Internal or external disaster due to human agency
   •   Malicious or accidental
• Environmental
   •   Could not be prevented by human agency
• Site risk assessment
   •   Risk from natural disaster
   •   Resiliency of utility supply
   •   Health and safety risks
Disaster Recovery Plans
• Identify specific scenarios for disaster-level incidents
   •   Risk and cost assessment
   •   Threat modeling
• Identify tasks, resources, and responsibilities for response
• Train staff in disaster recovery and change management
• Notifications to stakeholders and agencies
Functional Recovery Plans
• Demonstrate effectiveness through walkthroughs and exercises
• Walkthroughs, workshops, and orientation seminars
   •   Presentation and description-oriented
• Tabletop exercises
   •   Facilitator-led discussion scenarios
• Functional exercises
   •   Action-based engagements using simulations
• Full-scale exercises
   •   Action-based engagements simulating major events
   •   More typical of public agencies
Lesson 19
Summary