Lesson 15: Risk Management Processes

Risk Identification and Assessment

Risk Identification:

Process of pinpointing potential threats

  • Technical Risks: Software vulnerabilities, network breaches
  • Nontechnical Risks: Poor employee training, outdated policies

Risk Analysis:

Quantitative Analysis:

Uses numerical values to calculate risk (financial loss)

Key Metrics:

  • SLE (Single Loss Expectancy): Cost of one incident (e.g., $10,000)
  • ARO (Annual Rate of Occurrence): Number of times risk occurs yearly (e.g., 2 times)
  • ALE (Annualized Loss Expectancy): SLE × ARO (e.g., $20,000)

Note: Each incident type has its own SLE, ARO, and ALE

Qualitative Analysis:

Uses subjective judgment to prioritize risks ("high," "medium," "low")

Tools:

  • Heat Maps: Visual grids ("traffic light" charts) ranking risks by likelihood and impact

Key Terms:

  • Inherent Risk: Risk level before applying controls
  • Residual Risk: Risk remaining after mitigation (after implementing firewalls)
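A worked quantitative example, added here and not part of the lesson, tying the SLE/ARO/ALE metrics above to the inherent vs. residual risk terms: it computes inherent ALE per incident type, the residual ALE after a control is applied, and whether the control's annual cost is justified. The first risk uses the notes' $10,000 × 2 = $20,000 figures; the other risks, the control, and its assumed 75% ARO reduction are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    sle: float   # Single Loss Expectancy: cost of one incident, in dollars
    aro: float   # Annual Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        """Inherent Annualized Loss Expectancy = SLE x ARO (before any control)."""
        return self.sle * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of ARO removed (0.0 = no effect, 1.0 = risk eliminated); assumed

def residual_ale(risk: Risk, control: Control) -> float:
    """Residual risk: the ALE that remains once the control is in place."""
    return risk.sle * risk.aro * (1.0 - control.aro_reduction)

def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a control: (inherent ALE - residual ALE) - annual cost.
    Positive means the control reduces expected loss by more than it costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost

def rank_by_inherent_ale(risks):
    """Order risks for a register: highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

# Constructed sample figures; the first risk is the lesson's $10,000 x 2 example.
RISKS = [
    Risk("Ransomware on file server", sle=10_000, aro=2),
    Risk("Minor web vulnerability", sle=500, aro=1),
    Risk("Lost unencrypted laptop", sle=25_000, aro=0.5),
]
EMAIL_FILTER = Control("Email filtering + user training", annual_cost=6_000, aro_reduction=0.75)

if __name__ == "__main__":
    for r in rank_by_inherent_ale(RISKS):
        print(f"{r.name:30} inherent ALE ${r.ale():>10,.2f}")
    top = RISKS[0]
    print(f"Residual ALE with '{EMAIL_FILTER.name}': ${residual_ale(top, EMAIL_FILTER):,.2f}")
    print(f"Net annual value of control: ${control_value(top, EMAIL_FILTER):,.2f}")
```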

Risk Management Strategies

Risk Responses:

  1. Avoid: Eliminate the risk (discontinuing vulnerable service)
  2. Accept: Acknowledge risk without action (low-impact risks, e.g., "minor web vulnerability costs $500 if exploited")
  3. Mitigate: Reduce risk impact (installing antivirus)
  4. Transfer: Shift risk to third party (purchasing cyber insurance)

Risk Appetite vs Tolerance vs Threshold:

  • Risk Appetite: General level of risk organization willing to accept to achieve goals (high-level, strategic)

    • Example: "We accept moderate risks to pursue innovative technologies"
    • High Risk Appetite = Low and Medium risks often accepted
    • Low Risk Appetite = Even small risks require action
  • Risk Tolerance: Specific range/degree of variation from appetite that is acceptable (operational boundaries)

    • Example: "System can tolerate up to 5 hours downtime per year"
  • Risk Threshold: Quantitative point where risk becomes unacceptable and triggers action (action trigger)

    • Example: "If downtime exceeds 5 hours, mitigation must occur"

Analogy:

  • Risk Appetite: "I'm comfortable driving up to 80 mph" (strategic comfort)
  • Risk Tolerance: "But I prefer staying between 60-75 mph" (acceptable range)
  • Risk Threshold: "If I hit 76 mph or more, I'll slow down immediately" (action line)

Risk Management Processes

Risk Register:

Document listing identified risks, severity, owners, mitigation plans

  • Example: Risk: Phishing Attacks | Severity: High | Owner: IT Team | Mitigation: Employee training, email filters

Key Risk Indicators (KRIs):

Metrics predicting potential risks (e.g., increased failed login attempts)
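An added example, not part of the lesson, showing the KRI above ("increased failed login attempts") computed from log lines and compared against a risk threshold that triggers action, as defined in the Risk Appetite/Tolerance/Threshold section. The sshd-style log lines and the threshold rule (latest day more than 2× the baseline and at least 5 failures) are constructed for this example.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample auth log lines (sshd-style); not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T08:01:10 sshd[2211]: Failed password for invalid user admin from 203.0.113.9
2024-03-04T09:15:00 sshd[2290]: Accepted password for alice from 192.0.2.10
2024-03-05T10:00:01 sshd[2301]: Failed password for bob from 192.0.2.11
2024-03-05T10:00:09 sshd[2301]: Accepted password for bob from 192.0.2.11
2024-03-06T02:00:00 sshd[2400]: Failed password for invalid user root from 203.0.113.9
2024-03-06T02:00:03 sshd[2400]: Failed password for invalid user root from 203.0.113.9
2024-03-07T03:10:00 sshd[2500]: Failed password for invalid user test from 198.51.100.4
2024-03-07T03:10:01 sshd[2500]: Failed password for invalid user test from 198.51.100.4
2024-03-07T03:10:02 sshd[2500]: Failed password for invalid user oracle from 198.51.100.4
2024-03-07T03:10:03 sshd[2500]: Failed password for invalid user admin from 198.51.100.4
2024-03-07T03:10:04 sshd[2500]: Failed password for invalid user guest from 198.51.100.4
2024-03-07T03:10:05 sshd[2500]: Failed password for invalid user admin from 198.51.100.4
"""

# Matches the date of each failed-login line; successful logins are ignored.
FAILED = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ sshd\[\d+\]: Failed password")

def failed_logins_per_day(log_text: str) -> dict:
    """KRI input: number of failed logins per calendar day."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def evaluate_kri(daily: dict, threshold_factor: float = 2.0, floor: int = 5) -> dict:
    """Compare the latest day's failed-login count with the mean of the earlier days.
    Constructed risk threshold: latest > threshold_factor x baseline AND latest >= floor.
    Crossing it is the action trigger (e.g. investigate the source, tighten lockout)."""
    days = sorted(daily)
    latest = days[-1]
    baseline = mean(daily[d] for d in days[:-1]) if len(days) > 1 else 0.0
    current = daily[latest]
    exceeded = current >= floor and current > threshold_factor * baseline
    return {"day": latest, "current": current, "baseline": baseline, "action_required": exceeded}

if __name__ == "__main__":
    print(evaluate_kri(failed_logins_per_day(SAMPLE_LOG)))
```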

Risk Reporting:

Communicate risk status to stakeholders (quarterly risk reports)

Business Impact Analysis (BIA)

Key Metrics:

  • MTD (Maximum Tolerable Downtime): Longest time system can be offline before major impact (total time from outage until the business is operating again)

    • Example: Business can survive up to 6 hours before serious loss
  • RTO (Recovery Time Objective): Time to restore systems after disaster (how fast systems are running again)

    • Example: Systems must be restored in 2 hours to meet SLA
  • RPO (Recovery Point Objective): Maximum acceptable data loss in time (how recent last backup needs to be)

    • Example: Acceptable to lose no more than 30 minutes of data
  • WRT (Work Recovery Time): Time to restore workflows after systems are up (time for people/processes to resume work)

    • Example: After systems restored, 1 hour needed to re-enter transactions
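A consistency check for the four BIA metrics above, added as an example and not from the lesson. It assumes the standard relationship MTD ≥ RTO + WRT (system restoration plus work recovery must fit inside the tolerable downtime) and that backups must run at least as often as the RPO. The first plan uses the notes' figures (6 h, 2 h, 30 min, 1 h); the second plan and both backup intervals are constructed.

```python
from dataclasses import dataclass

@dataclass
class BiaTargets:
    """BIA metrics for one business function; all durations in minutes."""
    system: str
    mtd: int              # Maximum Tolerable Downtime: outage start until business operates again
    rto: int              # Recovery Time Objective: time to get systems running again
    rpo: int              # Recovery Point Objective: maximum acceptable data loss, as time
    wrt: int              # Work Recovery Time: time for people/processes to resume once systems are up
    backup_interval: int  # how often backups actually run (operational figure, constructed here)

def check_bia(t: BiaTargets) -> list:
    """Return findings where the recovery plan cannot satisfy the BIA.
    Assumes MTD >= RTO + WRT and that backups run at least every RPO minutes."""
    findings = []
    total_recovery = t.rto + t.wrt
    if total_recovery > t.mtd:
        findings.append(
            f"{t.system}: RTO {t.rto} + WRT {t.wrt} = {total_recovery} min exceeds MTD {t.mtd} min")
    if t.backup_interval > t.rpo:
        findings.append(
            f"{t.system}: backups every {t.backup_interval} min cannot meet RPO of {t.rpo} min")
    return findings

def recovery_headroom(t: BiaTargets) -> int:
    """Minutes of slack between the MTD and the planned recovery time (negative = plan fails)."""
    return t.mtd - (t.rto + t.wrt)

# Lesson figures: MTD 6 h, RTO 2 h, RPO 30 min, WRT 1 h; backups every 15 min is constructed.
LESSON_PLAN = BiaTargets("Order portal", mtd=360, rto=120, rpo=30, wrt=60, backup_interval=15)
# Constructed plan that fails both checks.
WEAK_PLAN = BiaTargets("Billing DB", mtd=240, rto=180, rpo=30, wrt=90, backup_interval=60)

if __name__ == "__main__":
    for plan in (LESSON_PLAN, WEAK_PLAN):
        print(f"{plan.system}: headroom {recovery_headroom(plan)} min")
        for finding in check_bia(plan):
            print("  FINDING:", finding)
```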

Vendor Management

Vendor Selection:

Third-Party Vendor Assessment:

Key element of Governance, Risk, and Compliance (GRC); provides documented evidence of due diligence

Due Diligence: Carefully researching, evaluating, and verifying security, legal, financial aspects before committing

  • Example: Review breach history, check encryption/access policies, confirm GDPR/HIPAA compliance

Conflict of Interest:

Occurs when an individual or vendor has competing interests (e.g., a vendor with a financial interest in a competitor). Can compromise objectivity and introduce bias.

Vendor Assessment Methods:

  • Evidence of Internal Audits: Vendors demonstrate internal control checks
  • Independent Assessments: External audits by third parties
  • Penetration Testing: Ethical hacking to uncover weaknesses
  • Supply Chain Analysis: Evaluate upstream/downstream risks
  • Right-to-Audit Clause: Allows organization to audit vendor's systems/processes/controls

Vendor Monitoring:

Continuous evaluation ensuring vendors remain compliant with security policies and agreements

Initial Agreements:

  • MOU (Memorandum of Understanding): Informal, non-legally binding, mutual intentions
  • MOA (Memorandum of Agreement): More formal than MOU, can be legally binding (typically drafted by lawyers)
  • NDA (Nondisclosure Agreement): Prevents sharing confidential information
  • BPA (Business Partnership Agreement): Governs how business partners operate together
  • MSA (Master Service Agreement): Sets general terms for ongoing vendor services

Operational/Performance Agreements:

SLA (Service-Level Agreement):

Specifies performance expectations, includes metrics, penalties, support terms

  • Examples:
    • Cloud provider guarantees 99.9% uptime
    • Helpdesk responds to critical tickets within 30 minutes
    • Backup service completes daily backups by 2:00 AM
    • Provider pays 10% monthly credit if response time exceeds SLA

SOW/WO (Statement of Work / Work Order):

Lists exact deliverables, timeline, cost, responsibilities for specific project

  • Examples:
    • Deploy 50 new laptops with security baselines in 10 business days
    • Consultant audits 3 remote sites, delivers report by June 15
    • Pen tester conducts black-box test, submits findings in 5 days
    • Contractor migrates on-prem servers to Azure, budget $15,000

Expectations:

RoE (Rules of Engagement): Defines scope, boundaries, permissions for security testing to avoid legal/operational issues

Audits and Assessments

Attestation:

Formal process verifying accuracy, reliability, and effectiveness of security controls. Conducted by internal staff or external auditors.

Internal vs External Assessment:

  • Internal Assessment: Conducted by organization's employees, customizable, easier to schedule
  • External Assessment: Performed by independent third parties, unbiased, often required for compliance (ISO 27001, SOC 2)

Internal vs External Audits:

  • Internal Audit: Done by internal teams (security/compliance departments), focuses on internal controls and policy compliance
  • External Audit: Conducted by third-party organizations, part of certification/regulatory processes (PCI DSS, ISO 27001)

Penetration Testing:

Uses authorized hacking to identify exploitable weaknesses

  • Active (hands-on) and passive (observation) reconnaissance

Test Types:

  • Known Environment (White Box): Full access and system knowledge
  • Partially Known Environment (Gray Box): Limited insight or partial access
  • Unknown Environment (Black Box): No internal knowledge, like external attacker

Penetration Testing Types:

  • Internal: Threats from inside organization
  • Physical: Tests physical security (building/server room access)
  • Integrated: Combines multiple types (network + physical + social engineering)

Exercise Teams:

  • Red Team: Offensive team simulating real-world attacks, identifies vulnerabilities
  • Blue Team: Defensive team detecting and responding to attacks, focuses on protecting systems

Key Standards and Frameworks:

  • NIST SP 800-37: Risk management steps (Identify, Assess, Respond, Monitor)
  • ISO 31000: International standard for risk management
  • MITRE ATT&CK: Framework mapping adversary tactics for penetration testing
