5.4 Risk Management Process and Concepts
Risk Management Types
Identify assets that could be affected by an attack. Risk assessments are needed for external threats, internal threats, and legacy systems.
Risk management strategies:
- acceptance = we'll take the risk
- risk avoidance = stop using risky applications
- transference = buying security insurance; the act of transferring the risk to a third party
- mitigation = decrease the risk level
Risk Analysis
Risk register identifies and documents the risk associated with each step and you can apply possible solutions to the identified risks.
RCSA (Risk and Control Assessment) is a process that organizations use to assess and examine both potential risks and the effectiveness of the controls used to prevent or defend against those risks.

Audit risk model:
- inherent risk = impact + likelihood (risk that exists in the absence of controls)
- residual risk = inherent risk + control effectiveness (risk that exists after controls are considered)
- control risk = the risk that our mitigation controls may actually fail at mitigating the risk
- risk appetite = amount of risk an organization is willing to take
Business Impact Analysis
Recovery time objective (RTO) = maximum acceptable amount of time that a system, application, or function can be unavailable after a disruption occurs - how long until your system is back up? - covers the entire recovery process, which includes not only repair but also restoring data from backups, checking that systems are functioning normally, and confirming that operational capacity meets the required levels
Recovery point objective (RPO) = maximum acceptable amount of data loss measured in time - how much unavailability is acceptable in our system? - how much data can we afford to lose?
Mean time to repair (MTTR) = the time required to fix an issue encountered in our system; the average time required to repair a failed component or system and return it to operational status
Mean time between failures (MTBF) = predicted elapsed time between inherent failures of a system during operation - predicting the time between outages
Mean time to failure (MTTF) = average time a non-repairable product or system remains in operation until it needs to be replaced
Mean time to detect (MTTD) = measure of how long a problem exists in an IT deployment before the appropriate parties become aware of it
Disaster recovery plan (DRP) = detailed plan for resuming operations after a disaster
Annual Loss Expectancy (ALE) = company's expected losses in a year, such as devices stolen per year
Annual Rate of Occurrence (ARO) = frequency of the threat happening per year
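To show how the BIA metrics above are actually derived from incident data, here is an added example (not part of the original notes) that computes MTTD, MTTR and MTBF from a constructed list of outage records and flags any outage that breached a given RTO or RPO. The incident timestamps, the column layout and the objective values are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample outage records (not from any real system). Each record:
# (failure_start, detected, restored, last_good_backup), all as local timestamps.
FMT = "%Y-%m-%d %H:%M"
INCIDENTS = [
    ("2024-01-10 02:00", "2024-01-10 02:30", "2024-01-10 05:00", "2024-01-10 00:00"),
    ("2024-02-14 13:00", "2024-02-14 13:10", "2024-02-14 14:00", "2024-02-14 12:00"),
    ("2024-03-20 08:00", "2024-03-20 09:00", "2024-03-20 14:00", "2024-03-19 20:00"),
]


def _parse(record):
    return [datetime.strptime(ts, FMT) for ts in record]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def bia_metrics(incidents):
    """Derive MTTD, MTTR and MTBF (all in hours) from outage records."""
    parsed = [_parse(r) for r in incidents]
    # MTTD: how long each failure existed before someone noticed it.
    mttd = mean(hours(detected - start) for start, detected, _, _ in parsed)
    # MTTR: failure start to full restoration (repair + restore + verification).
    mttr = mean(hours(restored - start) for start, _, restored, _ in parsed)
    # MTBF: operating time from one restoration to the next failure.
    gaps = [hours(parsed[i + 1][0] - parsed[i][2]) for i in range(len(parsed) - 1)]
    return {"MTTD": mttd, "MTTR": mttr, "MTBF": mean(gaps)}


def check_objectives(incidents, rto_hours, rpo_hours):
    """Return (index, downtime_h, data_loss_h) for every outage whose downtime
    exceeded the RTO or whose data loss (time since last backup) exceeded the RPO."""
    violations = []
    for i, (start, _, restored, backup) in enumerate(map(_parse, incidents)):
        downtime = hours(restored - start)
        data_loss = hours(start - backup)
        if downtime > rto_hours or data_loss > rpo_hours:
            violations.append((i, downtime, data_loss))
    return violations


if __name__ == "__main__":
    print(bia_metrics(INCIDENTS))
    print(check_objectives(INCIDENTS, rto_hours=4, rpo_hours=4))
```

With a 4-hour RTO and RPO, only the third outage is flagged: it took 6 hours to restore and lost 12 hours of data, so the recovery plan would not meet either objective.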