Chapter 22 - Risk Management PDF
Uploaded by barrejamesteacher
Summary
This document is about various risk management frameworks, including ISO 27005, ISO 31000, and others. It discusses the concepts of threat agent risk assessment (TARA) and how to manage information security risks within different frameworks. It also describes how to implement various risk management approaches, including OCTAVE Allegro, FAIR, and ITIL.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Risk Management

Other Risk Management Frameworks

ISO 27005
Source: https://www.iso.org

ISO 27005 provides information guidelines designed to provide broadly acceptable guidance for information security risk management. The standard applies globally, supports wide adoption across industries, and maps directly to the strategy and recommendations outlined in ISO 27001. The ISO 27005 risk management workflow directs a structured sequence of steps to manage information security risks for a process, a system, or an enterprise.

Module 22 Page 2374 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

ISO 27005 Risk Management Workflow

1. Design controls on the basis of risks clearly understood and measured (as much as possible) given existing threats that could potentially exploit vulnerabilities to organizational assets.
2. Systematically deploy controls to reduce risks to an acceptable level of residual risk after approval by business leadership.
3. Manage controls to maintain an acceptable level of mitigation.
4. Provide ongoing analysis of controls to confirm continued effectiveness in light of changing operational conditions.

[Figure 22.4: ISO 27005 Risk management workflow. Recoverable labels: Communication and Consultation running alongside the process; Risk Decision Point 1: Assessment Satisfactory? (Yes/No); Risk Decision Point 2: Treatment Satisfactory? (Yes/No); End of First or Subsequent Iterations.]

ISO 31000
Source: https://www.iso.org

ISO 31000 is a framework that provides generic guidelines for enterprise risk management (ERM) with a universally recognized risk paradigm for practitioners and companies. The standard replaces a myriad of conflicting standards, methodologies, and paradigms that differ between industries, subject matters, and regions. A chief risk officer (CRO) is more likely to use ISO 31000 to manage enterprise risk; however, a security professional can use this framework as an alternative to ISO 27005 or another framework dedicated to information security risk management. ISO 31000 is applicable and adaptable for any public, private, or community enterprise as well as any association, group, or individual. The scope of this standard is not limited to information security but extends to address all potential risks within an organization. It defines risk management practices using an internationally recognized benchmark. Three documents make up the ISO 31000 family:

- ISO 31000:2009 Principles and Guidelines on Implementation
- ISO/IEC 31010:2009 Risk Management—Risk Assessment Techniques
- ISO Guide 73:2009 Risk Management—Vocabulary

Threat Agent Risk Assessment (TARA)
Source: https://www.mitre.org

TARA distills the immense number of possible information security attacks into a digest of only those exposures most likely to occur to support the development of optimal security strategies. TARA identifies threat agents pursuing reasonably obtainable objectives that could cause unsatisfactory losses. The approach concentrates on threat agents and their motivations, methods of attack, attack objectives, and how they map to existing controls. It does not focus on weak points associated with specific vulnerabilities.

Conducting TARA

It would be prohibitively expensive and impractical to defend every possible vulnerability. By using a predictive methodology to prioritize specific areas of concern, we can both proactively target the most critical exposures and efficiently apply our resources for maximum results in information security risk management. Specifically, the TARA methodology identifies which threat agents pose the greatest risk, what they want to accomplish, and the likely methods they will employ. These methods are cross-referenced with existing vulnerabilities and controls to pinpoint the areas that are most exposed.

The TARA methodology uses the following six steps to find the critical areas of exposure that an organization must address. By identifying the most important threat agents, objectives, and methods, the TARA methodology can help direct the information security strategy to the most critical exposures.

[Figure 22.5: TARA methodology. Recoverable step labels: 1. Measure current threat agent risks to Intel; 2. Distinguish threat agents that exceed baseline acceptable risks; 3. Derive primary objectives of those threat agents; 4. Identify methods likely to manifest; 5. Determine the most important collective exposures; 6. Align strategy to target the most significant exposures. Inputs labelled Exposures and Controls.]

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro
Source: https://ntrl.ntis.gov

OCTAVE Allegro is a lean risk assessment method and does not provide guidance in selecting security controls. The framework supports a simple qualitative risk assessment and a structured threat analysis, primarily suitable for smaller organizations.

OCTAVE Allegro Roadmap

OCTAVE Allegro consists of eight steps organized into four phases. The framework allows an organization to focus on the most important assets by ensuring they are selected for review through a systematic and consistent process. By focusing on information assets exclusively, and on other assets (such as people, technology, and facilities) only through their association with information assets, the organization has a better opportunity to define a manageable scope. This potentially reduces the effort required for threat identification, risk analysis, and mitigation planning.

1. Develop risk measurement criteria consistent with the organization's mission, goal objectives, and critical success factors.
2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies its containers.
3. Identify threats to each information asset in the context of its containers.
4. Identify and analyze risks to information assets and begin to develop mitigation approaches.

[Figure 22.6: OCTAVE Allegro workflow. Four phases and eight steps: Establish Drivers (Step 1 - Establish Risk Measurement Criteria); Profile Assets (Step 2 - Develop Information Asset Profile; Step 3 - Identify Information Asset Containers); Identify Threats (Step 4 - Identify Areas of Concern; Step 5 - Identify Threat Scenarios); Identify and Mitigate Risks (Step 6 - Identify Risks; Step 7 - Analyze Risks; Step 8 - Select Mitigation Approach).]

FAIR Representation of Information Security Risk
Source: https://www.fairinstitute.org

FAIR is a tool that complements existing risk management frameworks by providing a model to understand, analyze, and quantify information risk in financial terms. FAIR's risk model components are specifically designed to support quantitative risk management.

FAIR selects at least one object within an environment and quantifies the strength of its controls. This is done by quantifying authentication controls, authorization controls, and then structural integrity. Next, global variables are set up for the environment. For example, a determination is made as to whether the environment is subject to regulatory laws. Then, selecting at least one threat community, information risk is calculated. This calculation is accomplished by performing a statistical analysis using the strengths of controls on at least one object, the characteristics of at least one threat community, and the global variables of the environment. This is used to compute a value representing information risk. The method identifies the salient objects within a risk environment. It defines their characteristics, considering how they interact with each other. Using a statistically sound mathematical calculation to emulate these interactions, FAIR derives probabilities. The method then represents the security risk as an integer, distribution, or some other variable.

[Figure 22.7: FAIR Risk Model. Risk decomposes into Loss Event Frequency and Loss Magnitude; Loss Event Frequency into Threat Event Frequency and Vulnerability; Loss Magnitude into Primary Loss and Secondary Risk.]

ITIL Risk Management
Source: https://www.axelos.com

ITIL is an acceptable solution to support information security risk management. Formerly known as the Information Technology Infrastructure Library, ITIL is a set of practices for IT service management that focuses on aligning IT services with the needs of a business. Because business alignment is a security goal, a security professional can leverage mature IT service delivery practices to provide information security services to the organization.
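Looking back at the FAIR model in Figure 22.7, the decomposition Risk = Loss Event Frequency x Loss Magnitude, with Loss Event Frequency = Threat Event Frequency x Vulnerability and Loss Magnitude = Primary + Secondary loss, can be run as a Monte Carlo estimate. This is an added example written for this page, not FAIR Institute code and not part of the course material; it follows FAIR's derivation of vulnerability from threat capability versus resistance (control) strength, while the three-point estimates, the triangular sampling, the constructed scenario values, and the rule that the regulatory global variable switches secondary loss on are illustration assumptions.

```python
"""Monte Carlo estimate of FAIR-style risk: Risk = LEF x LM, LEF = TEF x Vulnerability."""
import random
from dataclasses import dataclass
from statistics import mean

@dataclass
class Estimate:
    """Three-point estimate (min, most likely, max); triangular sampling is a simplifying assumption."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    threat_event_frequency: Estimate  # threat events per year against the object
    threat_capability: Estimate       # 0-100 percentile, characteristic of the threat community
    resistance_strength: Estimate     # 0-100, the object's quantified control strength
    primary_loss: Estimate            # direct loss per loss event, in currency units
    secondary_loss: Estimate          # fines, notification and similar, per loss event
    regulated: bool                   # environment "global variable" in the page's terms

def simulate(scn: Scenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Return vulnerability and annualised loss exposure statistics for one scenario."""
    rng = random.Random(seed)
    annual_loss, loss_events = [], 0
    for _ in range(iterations):
        tef = scn.threat_event_frequency.sample(rng)
        # FAIR vulnerability: the threat event becomes a loss event when the
        # threat community's capability exceeds the control's resistance strength.
        if scn.threat_capability.sample(rng) > scn.resistance_strength.sample(rng):
            loss_events += 1
            magnitude = scn.primary_loss.sample(rng)
            if scn.regulated:  # assumption: secondary loss only in a regulated environment
                magnitude += scn.secondary_loss.sample(rng)
            annual_loss.append(tef * magnitude)  # this trial's LEF x LM
        else:
            annual_loss.append(0.0)  # threat event occurred, but no loss event
    annual_loss.sort()
    return {"vulnerability": loss_events / iterations, "ale_mean": mean(annual_loss),
            "ale_p10": annual_loss[iterations // 10], "ale_p90": annual_loss[iterations * 9 // 10]}

# Constructed scenario: a customer database with average controls in a regulated sector.
CUSTOMER_DB = Scenario(Estimate(2, 4, 6), Estimate(0, 50, 100), Estimate(0, 50, 100),
                       Estimate(10_000, 20_000, 30_000), Estimate(0, 5_000, 10_000), regulated=True)

if __name__ == "__main__":
    print(simulate(CUSTOMER_DB))
```

The result is the vulnerability estimate together with the mean, 10th and 90th percentile annualised loss exposure, that is, the risk expressed as a distribution rather than a single integer, as the text describes. Comparing runs with different resistance_strength estimates shows how quantified control strength drives the loss event frequency.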
ITIL's Service Operation (SO) processes are particularly helpful to support security objectives by outlining best practices for delivering value in regard to event management, identity management, problem management, and incident management processes.

Enterprise Network Risk Management Policy

An enterprise network risk management policy is a written statement created to protect an organization's assets from accidental or malicious threats. It assists in developing and establishing essential processes and procedures to address and minimize information security risks. It outlines different aspects of risk and identifies the people who manage risk in the organization. An organization should ensure that network risk management policies are included in its risk management policy and that they comply with the organization's security policies.

Enterprise network risk management policy establishes essential procedures and processes to address and minimize information security risks. This policy addresses information security issues and their impact. It also suggests measures to secure the assets from both internal and external risks.

Objectives of Enterprise Network Risk Management Policy

- Legal and regulatory adherence
- Strategic management decision assistance
- Achieve organizational strategic/operational goals
- Integrate operational risks into risk management
- Combat existing and emerging risks
- Manage the risks with adequate risk mitigation techniques
- Provide overall direction and purpose for risk management
- Provide a consistent RMF
- Equip an organization with skills to identify and treat risks

Best Practices for Effective Implementation of Risk Management

Implementing ERM involves establishing a proper ERM system. Best practices for effective risk management:

- Track and monitor internal and external risks of an organization at regular intervals
- Establish a risk management policy for an organization
- Implement a framework for risk assessment and mapping
- Use ERM for decision-making
- Incorporate ERM into the strategic-planning process
- Identify the potential risks to a network
- Create a common language and reporting system for communicating KRIs
- Prioritize the risks based on their impact on the enterprise network
- Specify the responsibilities for risk management with their respective domains
- Regularly review and update the risk management policy
- Identify the threats and risks arising from user errors and analyze the risks caused in normal and fault conditions
- Always ensure that risk assessment is conducted by experienced and trained professionals
- Always identify a risk in its initial stage in order to provide a quick response
- Choose proper metrics to measure the effectiveness of a risk management system