
Chapter 22 - 03 - Understand Various Risk Management Frameworks - 01_ocred_fax_ocred.pdf


Full Transcript


Certified Cybersecurity Technician Exam 212-82 Risk Management

Module Flow: Understand Risk Management Concepts; Discuss Various Risk Management Phases; Understand Various Risk Management Frameworks

Understand Various Risk Management Frameworks

Organizations establish a risk management framework (RMF) to understand their overall risk level. Every organization has a different infrastructure and potential risks specific to that infrastructure. An organization's strategic objectives and stakeholders' needs determine the RMF required. Understanding the various frameworks enables an organization to choose the most appropriate one. This section explains various risk management frameworks.

Module 22 Page 2364 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Enterprise Risk Management Framework (ERM)

The RMF defines the implementation activities specific to how an organization handles risk. ERM provides a structured process that integrates information security and risk management activities.

Enterprise Risk Management (ERM) includes the methods and processes implemented by an organization to minimize the impact of risks. It involves planning, organizing, leading, and controlling organizational activities to manage risks. ERM can be considered a risk-based approach to managing organizational risks.

It provides a framework for risk management that involves:
- Identifying events or circumstances relevant to an organization's objectives (risks and opportunities)
- Assessing the identified events for likelihood and magnitude of impact
- Determining a response strategy
- Monitoring the process

The ERM framework helps in identifying and proactively addressing the identified risks. It identifies, analyzes, and performs the following actions:
- Risk avoidance by aborting the actions that lead to risks
- Risk reduction by minimizing the likelihood or impact of risks
- Standardizing the risk management process

The key activities involved in managing enterprise-level risk, that is, the risk resulting from the operation of an information system, are as follows:
- Classification of the information system
- Selection of appropriate security controls
- Refining the selected security control set based on the risk assessment
- Maintaining the documentation for all selected security controls in a system security plan
- Implementation of the security controls
- Security controls assessment
- Determining agency-level risk and risk acceptability
- Authorizing information system operation
- Monitoring security controls on a continuous basis

This ERM framework helps an organization understand the following:
- Risk coverage
- Risk appetite
- Risk governance (culture, governance, and policies)
- Risk data and infrastructure
- Risk control environment
- Risk measurement and evaluation
- Risk response

Goals of the ERM Framework

Organizations manage risks and have several departments or risk functions that help in identifying and managing risks. A common goal, and challenge, of ERM is improving capability and coordination while integrating the output to provide a unified picture of risk for stakeholders. The ERM should improve an organization's ability to manage risks effectively:
- Integrate the ERM with an organization's performance management
- Communicate the benefits of risk management
- Define the roles and responsibilities in an organization to manage risks
- Standardize the risk-reporting and escalation process
- Set a standard approach to managing risks in an organization
- Assist the resources in managing the risk
- Set the scope and application of risk management in an organization
- Mandate periodic reviews and verification for improvement of the ERM
- Convey an organization's policies, approach, and attitude toward risk management
- Ensure that an organization meets its risk-reporting commitments

NIST Risk Management Framework

Source: https://csrc.nist.gov

The NIST RMF is a structured and continuous process that integrates information security and risk management activities into the system development life cycle. The slide summarizes the steps as follows:
- Categorize: Define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business
- Select: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on the risk assessment
- Implement: Implement security controls within the enterprise architecture
- Authorize: Determine the risk to organizational operations and assets, individuals, other organizations, and the nation; if acceptable, authorize operation
- Monitor: Continuously track changes to the information system that may affect security controls and reassess control effectiveness

The National Institute of Standards and Technology (NIST) RMF is a set of information security policies and standards for the federal government developed by NIST. It is a structured and continuous risk management process that is integrated into a system development life cycle. The RMF process helps in the early detection and resolution of risks.

Figure 22.1: NIST RMF security system lifecycle (Security Life Cycle: 1 Categorize, 2 Select, 3 Implement, 4 Assess, 5 Authorize, 6 Monitor)

It identifies the following processes (tasks) for managing organizational risk, which can be applied to both new and legacy systems:
- Categorize: Categorize the information system and the information processed, stored, and transmitted by the system according to the potential worst-case, adverse impact to the organization's mission/business functions and to the system.
- Select: Select the appropriate baseline security controls based on the categorization in the first step, and implement security controls based on the risk assessment.
- Implement: Implement security controls and integrate them with legacy systems using sound system engineering practices; then apply security configuration settings and document the implemented security controls and their impact on the environment.
- Assess: Evaluate the implemented security controls for effectiveness using appropriate procedures and determine whether the implemented controls are working correctly and effectively; check whether they are producing the desired outcome with respect to meeting the security requirements for the system.
  Steps in assessment:
  - Develop the security assessment plan
  - Determine which controls are to be assessed
  - Select appropriate procedures to assess those controls
  - Determine the depth and coverage needed for assurance
  - Tailor the assessment procedures
  - Finalize the plan and obtain approval
  - Conduct the assessment
  - Analyze the results
  - Create the security assessment report
- Authorize: Determine the risks to organizational operations and assets, individuals, other organizations, and the nation based on the accepted risk appetite (how much risk an organization is willing to tolerate) with respect to operations and assets; if acceptable, authorize the operation or decide on the required needs.
- Monitor: Continuously track changes to the information system for signs of attacks that may impact security controls, and regularly monitor the security controls to assess their effectiveness.
