Risk Management Phases PDF
Uploaded by barrejamesteacher
EC-Council

Summary
This document is about the risk management phases involved in an organization's risk management program. It explains how to identify, assess, analyze, and prioritize risks. It also details risk treatment and tracking. This is part of a larger cybersecurity course material.
Certified Cybersecurity Technician Exam 212-82 Risk Management

Module Flow
1. Understand Risk Management Concepts
2. Discuss Various Risk Management Phases
3. Understand Various Risk Management Frameworks

Discuss Various Risk Management Phases
This section explains the risk management phases involved in an organization's risk management program.

Module 22 Page 2346 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Risk Management Phases
(Slide: Risk Identification, Risk Assessment, Risk Analysis, Risk Treatment, Risk Tracking and Review)

Risk management is a continuous process in which each phase has its own goals that must be achieved. It helps reduce risk to, and maintain it at, an acceptable level through a well-defined and actively employed security program. The process is applied at all levels of the organization, for example to specific network locations, in both strategic and operational contexts. Every organization should follow the steps below when performing the risk management process:
1. Risk identification
2. Risk assessment
3. Risk analysis
4. Risk prioritization
5. Risk treatment
6. Risk tracking and review

Risk Management Phase: Risk Identification
Identifying the sources, causes, and consequences of the internal and external risks affecting the security of the organization.
- Establishing Context
  » Understand the current posture the organization operates in
  » Define the external and internal environment in which the organization is operating
- Quantifying Risks
  » Determine the effect of risk
  » Calibrate the possible outcome of risks

Risk identification is the foundation and first step of risk management. It lists risks and their characteristics before such risks harm an organization. This process depends on the skill set of the individuals performing it and also differs between organizations. It identifies the sources, causes, and consequences of all internal and external risks that affect organizational security. The identified risks are recorded in a risk register and analyzed further. Risk identification is an iterative process. Its purpose is to generate a list of threats, which hinder the achievement of objectives, and opportunities, which enhance it, based on risk events.

Role of Risk Identification
- Environment: Risks associated with the environment, such as crowded workspaces, clutter, hot or cold environments, smoking, poor lighting, and electrical hazards
- Equipment: Risks associated with equipment, such as poor condition, non-functioning devices, unavailability, and task-inappropriate equipment
- Client: Risks associated with clients because of changing conditions, unpredictable movements, and poor communication
- Tasks: Task-related risks include insufficient allocated time, repetitive tasks, work design, task organization, maintaining a fixed posture, poor postures, and insufficient employee numbers

Risk Identification Steps
- Establishing Context: The employee defines the external and internal environment and understands the current conditions in which the organization operates
- Quantifying Risks: Determines the impact of a risk and calibrates the possible outcomes of the risks

Main Elements in Risk Identification
- Description/Event: An occurrence or a particular set of circumstances
- Causes: Factors that may contribute to a risk occurring
- Consequences: Impact of an event

Priorities of Risk Identification
Know what to consider when identifying risks; this ensures that major issues are not missed. Gather information from multiple sources. The security professional needs to discuss old, current, and evolving issues; data analysis; review of performance indicators; data loss; and scenario planning with the organization's stakeholders to determine critical risk information. Use risk identification tools and techniques to acquire relevant and up-to-date information on the risks the organization faces. Techniques used for risk identification include checklists, flow charts, and systems analysis. Document the risks, which includes:
- Risk description
- How and why the risk occurs
- Existing internal controls that may mitigate the likelihood or consequences of the risk
- Methods used to identify the risk
- Scope covered by the identification
- Participants in the risk identification
- The information sources consulted
- An analysis of the risk identification process's effectiveness

Risk Management Phase: Risk Assessment
- The risk assessment phase assesses the organization's risks and provides an estimate of the likelihood and impact of each risk
- Risk assessment is an ongoing, iterative process that assigns priorities to risk mitigation and implementation plans
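The risk register described in the identification and assessment sections above, as an added example that is not part of the EC-Council material: each record carries the documentation items the module lists, a check reports which required items are missing, and the assessment phase assigns likelihood and impact. The 1..5 scale and the likelihood × impact priority score are assumptions; the module does not specify a scoring scheme.

```python
from dataclasses import dataclass

# Assumed scoring scale (not given in the module): likelihood and impact 1..5,
# priority score = likelihood * impact.
SCALE = range(1, 6)

@dataclass
class RiskEntry:
    """One risk register record, using the documentation items the module lists."""
    description: str            # Description/Event
    causes: list                # How and why the risk occurs
    consequences: list          # Impact of the event
    existing_controls: list     # Internal controls that may reduce likelihood/impact
    method: str                 # Technique used to identify it (checklist, flow chart, ...)
    sources: list               # Information sources consulted
    likelihood: int = 0         # Assigned in the assessment phase (0 = not yet assessed)
    impact: int = 0
    treatment: str = "open"     # Tracking state, e.g. "open", "mitigated", "accepted"

    def score(self) -> int:
        return self.likelihood * self.impact

def documentation_gaps(entry: RiskEntry) -> list:
    """Return the names of required documentation items that are still empty."""
    required = ["description", "causes", "consequences", "method", "sources"]
    return [name for name in required if not getattr(entry, name)]

def assess(entry: RiskEntry, likelihood: int, impact: int) -> RiskEntry:
    """Assessment phase: record likelihood and impact on the assumed 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be in 1..5")
    entry.likelihood, entry.impact = likelihood, impact
    return entry

def prioritize(register: list) -> list:
    """Prioritization phase: highest score first; unassessed entries are left out."""
    assessed = [e for e in register if e.likelihood and e.impact]
    return sorted(assessed, key=lambda e: e.score(), reverse=True)

# Constructed sample register (hypothetical entries, not from the module)
REGISTER = [
    RiskEntry("Unpatched internet-facing web server", ["no patch window"], ["service compromise"],
              ["monthly patch cycle"], "checklist", ["vulnerability scan report"]),
    RiskEntry("Poor lighting in server room", ["old fixtures"], ["cabling errors during maintenance"],
              [], "site walk-through", ["facilities audit"]),
    RiskEntry("Incomplete entry", [], [], [], "", []),
]

def example_run() -> list:
    """Assess the two complete entries, then return the prioritized descriptions."""
    assess(REGISTER[0], 4, 5)
    assess(REGISTER[1], 2, 2)
    return [e.description for e in prioritize(REGISTER)]
```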