Chapter 22 - 02 - Discuss Various Risk Management Phases - 03_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Risk Management

Risk Management Phase: Risk Treatment

Risk treatment is a process of selecting and implementing
appropriate controls on the identified risks

Risks are addressed and treated based on its
severity level

Decisions made in this phase are based on the results of a risk
assessment

L All Rights Reserved. ReproductionI Strictly Prohibited

Risk Management Phase: Risk Treatment
Risk treatment is the process of selecting and implementing appropriate controls on the
identified risks in order to modify them. The risk treatment method addresses and treats the
risks according to the risks’ severity level. Some of these measures are discussed below.
Decisions made in this phase are based on the results of a risk assessment. This step identifies
treatments for risks that fall outside the department’s risk tolerance and provide an
understanding of the level of risk along with controls and treatments. It identifies the priority
order in which individual risks should be treated, monitored, and reviewed. Before treating the
risk, the security professional needs to gather the information about the
= Appropriate method of treatment;
= Users responsible for treatment;
= Costs involved;
= Benefits of treatment;

= Likelihood of success; and
= Ways to measure and assess the treatment.
Once the security professional has decided how to treat the identified risks, develop and
regularly review the risk management plan. The different options for risk treatment include
avoiding the risk itself (avoiding the activities that lead to increased risk probability), reducing
the risk (reducing the likelihood of the risk occurring and reducing the impact if the risk occurs),
transferring the risk (shifting the risk responsibilities to another party through insurance or
partnership), and accepting the risk (if it cannot be avoided or transferred).

Module 22 Page 2357 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Actions to Minimize or Eliminate Risk

= Develop a risk control plan

= Find the impact of risk control on a service delivery
= (Constraints required for risk control are identified and considered when completing the
risk control plan
= Implementation of risk control strategies
= Uncontrollable risks
= (Client resistance to risk control
= Communicate with support workers/other workers during risk control

= Completely document the risk control plan as a part of the risk control process

Module 22 Page 2358 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Risk Treatment Process/Options
m A risk treatment process can change the likelihood of risk occurrence owing to the risk treatment options available

Risk Modification QO Modification relates to efforts to modify risk exposure by applying controls to the
or Risk
or Risk Mitigation
Mitigation process, system, or environment

O
QO Risk acceptance occurs when the organization acknowledges the existence of a
Risk l;:tention
xtenfionor or Risk risk and chooses deliberately to operate without applying alternative risk
B
SRR treatment strategies

Risk Avoidance or O Risk avoidance relates to adjustments in organizational strategy or processes
QO
x Risk Elimination to eliminate or reduce the risk
|. QO Risk sharing relates to reassigning accountability for a risk to another entity or
:
—— g organization
Risk Sharing or Risk.. B S
L T for “"
Th“mgl'e:u = Risk sharing = insurance
fl
% QO Risk transfer is an acceptable strategy to manage risks that are easy to define or
bh | clearly understood

Risk Treatment Process/Options
A risk treatment process can change the likelihood of risk occurrence owing to the risk
treatment options available. These options help us understand what risk treatment constitutes
and help mitigate or manage the risks.

Risk Treatment Options

Risk Modification or Risk Mitigation

Risk modification is the most common risk treatment option. An organization seeks to
change risk exposures or outcomes by applying security controls to a process, system, or
environment when they are performing risk modification. Some risk management
frameworks describe modification in terms of mitigation—the extent to which the
severity of the risk has been reduced. Because modification is commonly associated
with the application of security controls, it is important that the security professional
understanding the types of controls available and the objectives of those controls.
Risk Retention or Risk Acceptance

Risk acceptance often occurs when an organization acknowledges the existence of a risk
and chooses deliberately to operate without applying one of the other treatment
options available. The organization accepts the potential outcome of the identified risk
while understanding the potential impact to the organization. Some level of risk always
exists, even after applying controls to support mitigation. Risk acceptance in these cases
applies to the residual risk that remains.
Risk acceptance often maps to the organization’s perceptions or feelings about risk. The
security professional must communicate the risks and potential outcomes that exist, but
the organization has the responsibility to choose whether or not to accept risk as a

Module 22 Page 2359 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

treatment strategy. Organizations should define policies and procedures for risk
acceptance as part of corporate governance. Optimally, the policies and procedures
should define requirements for escalation and approval of risk acceptance to ensure
accountability for the decision.
Risk Avoidance or Risk Elimination

Avoidance is a risk treatment option that occurs when an organization makes changes or
avoids an activity to remove risk and eliminate its effect on the activity altogether. For
example, an organization may choose not to build a new facility because of the outcome
of a risk assessment. Instead of applying controls to address natural disasters or other
physical threats, the organization chooses to build in another location to eliminate the
identified risk.
Risk Sharing or Risk Transfer
Risk sharing relates to reassigning accountability for a risk to another entity or
organization. Most often, this is accomplished by purchasing insurance that will reduce
the direct costs of a covered event or reduce the cost of remediation. This risk
treatment option also applies to distribution of risk between business partners.
Although shared or transferred risk can reduce costs associated with risk management,
an organization cannot transfer risk entirely to another organization. The organization
ultimately owns the risk, and shares the cost of potential outcomes.
Risk transfer is an acceptable strategy to manage risks that are easy to define or clearly
understood. Risks that are difficult to quantify may increase the risk profile because a
loss of influence or control is assumed when an organization transfers or shares risk
with another entity. For example, cyber insurance may cover a data breach, but the
policy only pays if specific criteria are met for an event with a root cause and outcome
that varies widely from one organization to the next.
The steps taken in risk treatment differ by each case. Stakeholders and process owners
mutually decide these steps. The key points while considering risk treatments are as follows:

Implement an appropriate risk treatment option

Ensure adequate resources are available while implementing the risk treatment plan
The risk treatment plan should reduce the risk factor to a certain acceptable level
Remedial actions should be taken for risks that need to be handled immediately
Note : The risk treatment options do not always mitigate risks completely. Often, residual risks
persist, and these need to be considered as well.

Module 22 Page 2360 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Risk Categories
]I
][}

The two primary categories of risk are as follows
][}
]I
:[}
[}

© ©,
|
)
)
]1
|1
:|
'
'

i
:

Inherent Risk Residual Risk :!
|
]
:

|
]
Q Inherent risk defines the risk Q Residual risk is what remains |[
that exists before controls are after controls are |
implemented implemented !
O Understand the potential risk QO
Q The most important |:
impact that exists before consideration for residual risk E
controls are implemented to is the understanding that !
understand the value and some quantity of risk always |
effectiveness of the mitigation remains after applying |
strategy mitigation |

Copyright © byby EC-( EC-( |I, All Rights Reserved,
Reserved. Reproduct!
ReproductionIs Strictly Prohibited,
ictly Prohibited

Risk Categories
The two primary categories of risk are as follows:
* |nherent Risk

Inherent risk defines the risk that exists before controls are implemented. The
organization must understand the potential risk impact that exists before controls are
implemented to understand the value and effectiveness of the mitigation strategy.
= Residual Risk

The idea that some quantity of risk remains after controls are applied is the most
important idea about residual risk. Risk mitigation exists to reduce risk to an acceptable
level, but that level is rarely zero unless the organization chooses avoidance as the risk
treatment strategy. Risk acceptance, therefore, applies as a a normal outcome of reducing
risk to the lowest acceptable residual level.

Module 22 Page 2361 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Risk Treatment Plan
—_— Q Itis the action plan describing how you plan to respond to
potential risks
P O Arisk treatment plan document must be produced as part of a
certified ISO 27001 information security management system

Risk Treatment Plan
EA
Proposed security controls with priorities and
deadlines

Required resources

Roles and responsibilities of stakeholders
responsible for the proposed action

Performance

Reporting and monitoring requirements

Copyright © by EC-L cll. All Rights Reserved, Reproductions Strictly Prohibited

Risk Treatment Plan

The risk treatment plan is the action plan that describes the plan to respond to potential risks. It
provides a summary of the identified risks, every risk’s designed response, parties responsible
for all risks, and target date for risk treatment. It is one of the essential documents an
organization should produce as part of a certified ISO 27001 information security management
system.

Steps for Risk Treatment Plan
Developing a risk treatment plan requires determining the level of treatment plan at each risk
level. For example, what treatment level would be necessary for moderate, minor, or high risks,
respectively? Or what improvement opportunities are available to offset risks?
To ensure risk treatment plans are implemented corrected and monitored accurately, the
security professionals needs to ensure
= Whether the right structure is used to support the treatment plan;
*= Availability of adequate resources for those involved in mitigating risks;
= Communication within the treatment plan and with key stakeholders;
= That the right risk treatment plan is implemented through accurate and timely risk
analysis;
= The owner of the treatment plan can specify how the implementation will be
monitored, including increasing or decreasing risk levels; and
*» The treatment plan is routinely reviewed for effectiveness and risk levels.

Module 22 Page 2362 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Risk Management Phase: Risk Tracking and Review

» The risk tracking phase identifies the E+ » The review phase evaluates the —r—
e
chance of a new risk occurring - ‘ performance of the implemented risk
» 8 management strategies
» The tracking phase ensures
appropriate controls are fi » Risk reporting ensures management is
implemented to handle risks aware of the top risks, enabling them
to plan to reduce the risk
>» Risk tracking also includes monitoring appropriately
appropriately
the probability, impact, status, and
exposure of risk

Risk Management Phase: Risk Tracking and Review
For the risk management process, well-planned and regular monitoring and review are required
in order to identify new risks and reduce them appropriately.
= Risk Tracking
Risk tracking identifies the chance of a new risk; it includes monitoring the probability,
impact, status, and exposure of risks. In this step, the identified risks are regularly
reviewed and the changes in the actions or events are documented—for example, the
risk evaluation is modified when security controls that reduce risk and record new
identified risks are implemented.
= Risk
Risk Review

Reviewing the effectiveness of the implemented risk management strategies regularly
helps understand the shortcomings of the security controls and enhance the
implemented security controls. It enables an organization to maintain its risk
management objectives as well as keep its context up-to-date and accurate.

Module 22 Page 2363 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.