Risk Management PDF - Chapter 22 - 02
Uploaded by barrejamesteacher
Summary
This chapter discusses risk management phases, focusing on quantitative and qualitative risk analysis methods. It details how to map probabilities, costs, and impacts to evaluate vulnerabilities and risks.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Risk Management

Risk Assessment Steps: Risk Analysis

This step analyzes the risk posed by vulnerabilities and threats in order to provide an understanding of both the inherent risk (before any controls) and the controlled risk (with controls applied). Risk analysis defines the nature of the risk and determines the level of risk exposure.

Information security risk assessment begins by selecting an approach to evaluate the risks an organization faces. The two most common approaches are quantitative risk analysis (a numeric assessment) and qualitative risk analysis (a subjective assessment).

Quantitative Risk Analysis

Quantitative risk analysis maps the probability that a specific event occurs to the expected cost of that event. It rests on two fundamental elements: the probability of the event occurring, and the likely loss should it occur. The analysis is expressed as a standard formula in which the annualized rate of occurrence (ARO) is multiplied by the single loss expectancy (SLE) to produce the annualized loss expectancy (ALE).
ARO x SLE = ALE

Qualitative Risk Analysis

Qualitative risk analysis maps the perceived impact of a specific event to a risk rating agreed upon by the organization. This subjective approach is less precise than the quantitative one; in exchange, it requires neither probability data nor mathematical formulas to estimate information security risk. Most qualitative approaches combine interrelated elements such as threat information, vulnerabilities, and control information to support an assessment based on impact. This gives the flexibility to define risk in categories such as low, moderate, and high (or red, yellow, and green), so that risk can be discussed in terms most people understand.

ISO 27005 suggests that qualitative risk analysis is appropriate in the following situations:
o As an initial screening activity to identify risks that require more detailed analysis
o Where this kind of analysis is appropriate for the decisions to be made
o Where the numerical data or resources are inadequate for a quantitative risk analysis

Module 22 Page 2351 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Risk Assessment Steps: Risk Prioritization

Several risks may be rated at the same severity. To determine the order in which to address them, the risks should be prioritized and rated, and that prioritization should be consulted when performing the risk response step.
This way, an appropriate response plan can be designed. The prioritization depends on the goals and resources of the organization. Consider the following when prioritizing risks:
- Immediate and future impact of the risk on the organization's goals and assets, on other organizations, and on the nation
- Expected loss because of the risk
- Relationship of the risk and/or its mitigation to other risks and/or mitigations
- Managing the impact of threats arising from the risk

Risk Levels

Risks are categorized into levels, "high," "medium," and "low," according to their estimated impact on a system. The impact level of a risk depends on the value of the assets and resources the risk affects and on the severity of the damage. Each risk level also prescribes the actions that an organization's staff should take for risks at that level.
Risk Level: Action

Extreme/High
- Immediate measures should be taken to isolate, eliminate, and substitute the risk through effective risk controls
- Identify and impose controls and define strict timelines to reduce the risk to a reasonably lower level; the existing system can continue to operate in the meantime
- Stop the activity unless the risk is reduced to a low or medium level

Medium
- Immediate action is not required, but measures should be implemented quickly
- Implement controls as soon as possible to reduce the risk to a reasonably lower level

Low
- Take preventive steps to mitigate the impact of the risk
- Such risks can otherwise be left alone, as they generally do not pose a significant problem, but periodic review is necessary to ensure the controls remain effective

Table 22.1: Risk levels and actions

Risk Matrix

A risk matrix scales risk by considering the probability (likelihood) and the consequence (impact) of the risk. The risk assessment matrix is a useful tool for identifying the probability of failure and the high-risk areas. In addition to defining risk levels, a risk-level matrix needs to be developed to measure or assess each risk.
Here, Risk rating = Probability (likelihood) x Severity, where probability (likelihood) measures the chance that an uncertain event will occur, and severity is the degree of damage the event would cause. Severity is classified as severe, major, moderate, minor, or insignificant. Probability is likewise divided into five bands, very low, low, equal, high (shown on the slide as 61-80% probability), and very high. The priority of an event is classified into five categories and mapped against the severity and probability of the risk.

Table 22.2: Risk matrix (probability bands, very low to very high, against severity, insignificant to severe)
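The following is an added example, not code from the EC-Council module, that puts the two calculations on this page side by side: the quantitative ARO x SLE = ALE formula and the qualitative Probability x Severity rating. It then prioritizes a small constructed risk register the way the prioritization section describes, ordering by rating and breaking ties on expected loss. The scenarios and their numbers are constructed; the 1-5 ordinal scales, the 20-point probability bands (extended from the slide's "high = 61-80%"), the SLE = asset value x exposure factor decomposition, and the level thresholds are assumptions not stated on the page.

```python
# Added example: risk register scorer combining the page's quantitative (ALE)
# and qualitative (probability x severity) methods. Scenarios are constructed;
# scales, bands and thresholds are assumptions, not values from the page.
from dataclasses import dataclass

# Ordinal 1-5 scales for the five-by-five matrix (assumed numeric values).
SEVERITY = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
PROBABILITY = {"very low": 1, "low": 2, "equal": 3, "high": 4, "very high": 5}


def probability_band(pct):
    """Map a probability percentage to a matrix row.
    Assumption: 20-point bands, consistent with the slide's 'high = 61-80%'."""
    if not 0 <= pct <= 100:
        raise ValueError("probability must be a percentage from 0 to 100")
    if pct > 80:
        return "very high"
    if pct > 60:
        return "high"
    if pct > 40:
        return "equal"
    if pct > 20:
        return "low"
    return "very low"


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per event).
    Standard decomposition; the page only uses SLE as an input."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction from 0.0 to 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro, sle):
    """ALE = ARO x SLE, the page's quantitative formula."""
    return aro * sle


def risk_rating(probability, severity):
    """Qualitative rating = probability x severity on the ordinal scales."""
    return PROBABILITY[probability] * SEVERITY[severity]


def risk_level(rating):
    """Translate a rating into the page's three action levels.
    Assumed thresholds: Table 22.2's cell values are not on the page."""
    if rating >= 15:
        return "extreme/high"
    if rating >= 8:
        return "medium"
    return "low"


@dataclass
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float            # expected events per year
    probability_pct: int  # analyst's likelihood estimate, 0-100
    severity: str

    @property
    def sle(self):
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self):
        return annualized_loss_expectancy(self.aro, self.sle)

    @property
    def rating(self):
        return risk_rating(probability_band(self.probability_pct), self.severity)

    @property
    def level(self):
        return risk_level(self.rating)


def prioritize(scenarios):
    """Order risks for response planning: highest qualitative rating first,
    ties broken by expected loss (ALE), one of the page's prioritization criteria."""
    return sorted(scenarios, key=lambda s: (s.rating, s.ale), reverse=True)


# Constructed register (illustrative figures, not from the page).
REGISTER = [
    Scenario("ransomware on file server", 200_000, 0.5, 0.2, 25, "severe"),
    Scenario("lost unencrypted laptop", 3_000, 1.0, 4.0, 90, "minor"),
    Scenario("phishing credential theft", 50_000, 0.3, 2.0, 75, "moderate"),
]

if __name__ == "__main__":
    for s in prioritize(REGISTER):
        print(f"{s.name:28} SLE={s.sle:>9,.0f} ALE={s.ale:>9,.0f} "
              f"rating={s.rating:2} level={s.level}")
```

Two things the numbers show that the text alone does not. First, ranking by SLE (the ransomware case, at 100,000 per event) and ranking by ALE (phishing, at 30,000 per year) give different orders, so the choice of quantitative figure matters. Second, the ordinal product collapses very different profiles onto the same score: the rare but severe ransomware case and the frequent but minor laptop case both rate 10 (medium), which is exactly the same-severity situation the prioritization section says must be resolved by a further criterion such as expected loss.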