2 hours 41 minutes
Hi and welcome back to Cyber Security Architecture Fundamentals
Cybersecurity process Part two.
In this session,
we were covered a very broad topic off risk management.
And that's, you know, cybersecurity is just a way of managing risk.
I will be covering types off wrists, how to manage it. What is residue will risk and so on.
So let's stop
us with audit and compliance. Risk management is also a very important function,
while the last two processes I've went through incident response and audit reporting off very operational areas.
Risk management. It's a more strategic area
and less operational.
Risk management does drive a lot off your audit and compliance behavior.
There are four phases to risk management.
First phase risk assessment.
This is where you identify all your assets, your threats, your vulnerability and so on.
If you go back to attract modeling,
this is where the results off the track model will play a part.
This also includes valuation of the assets, and what is the maximum cap you would spend on protecting it?
Next would be the risk analysis.
This is where the impact off the risk to the asset is measured.
What is the impact to the organization.
What is the impact to the system and so on? They are various frameworks to calculate this, which is not covered here,
but resource is for them, are ready, readily available online, and you can search for them if you have two interests.
The third part. It's where the cyber security architect plays a very big part.
This this in the area off risk mitigation.
How you deal with the risks.
I would go through a little bit often ways to deal with risk. But this area includes technical measures or procedural measures, or even risk acceptance or rejection.
Once your controls are in place, we brings you to the four face of risk management, which would be risk monitoring.
This goes on forever.
Risk monitoring would tell you if the controls are adequate, are sufficient
and, if necessary, feet back to rece assessment again. If the situation has changed
now we're going to the bit detail on risk assessment.
There are many frameworks and methodologies out there for you to use
than this 830 standards and so on.
All of these are pretty comprehensive, and all of these are good for certain organizations.
There is no one size fits all in this area. Off risk assessment
Reese assessment can be qualitative. Quantitative.
This all depends on the maturity of the organization, and the skills off resource is available to do the risk assessment.
I will highly recommend you get familiar with the standards using organization
and learn how to adapt it.
And if not,
please pick one off the standard frameworks
and custom it to the organization.
There is no point reinventing the wheel into space.
This brings me to a last point on the slide, which is even the best secure system will have some residual rich, which will be covered further down this session
risks can be controlled in a few ways. Typically,
risk control can be classified into administrative, technical and physical controls. Administrative controls are things like training and awareness,
having disaster recovery plans,
having background checks on administrators and so on.
Technical risk controls are those controls more familiar to the cyber security architect?
These includes access controllers, network authentication, encryption and so on. They are more technology focus,
and lastly, physical controls are those that deter or prevent someone from accessing the system physically, for example, the use of security guards, the use of trip. Why alarms the use off biometric entry points and so on
off classifying risk treatments? We look at them in four ways.
Preventive detective corrective and compensating
examples. Off preventive controls
are things like system hardening,
the use of change management process and security awareness training to prevent misuse or systems.
Detective treatment is like having lot monitoring,
trend analysis or security audits on systems.
The name suggests this is detecting
opposed breech incident.
Corrective controls attempt to reverse the impact of an incident.
These are things like self healing system. All restore from a backup
and compensating controls are alternative controls use when the primary system
it's not feasible to be reused. This includes the use off the D L. Psych. Aw, revert back dependent paper instead, off using the computer.
Let's talk about residue LRIs
What this residue arrests.
According to the Pym Bach definition, it's the risk that expected to remain after the plant respond off wrist has been taken a swell of those that have been deliberately accepted.
The key here is they are accepted to the organizational risk tolerance level
an example off. This is even if your system
restricts only excess from the Web server,
the residue a risk would include attack from that particular compromise Web server.
In other words, residue will risk is the risk that remains. After all, the controls and counter measures have been taken into consideration.
How do you calculate the residual risk?
You still start with the SS and Threats s Pinot meow,
but this time we take into effect the controls in place. Difference is this time we measure the effectiveness off the controls and come to a conclusion off. What is the risk that remains?
And that is your residual risk.
Risk mitigation can also be classified in various ways
reduced except transfer, avoidance or rejection.
If we apply countermeasures to address a risk, we are reducing the risk.
If we do not at any countermeasures, we're accepting the wrists. But that also means we might be budgeting extra budget to take care off Any post breech incident
transfer off risk could be outsourcing. This could simply be buying cybersecurity insurance or outsourced to attack party and hair financial penalties.
Rhys Avoidance could be totally changing the way we do things are changing the system in use.
This is, in effect abandoning the system and adopting something else,
and lastly, it could be rejection. This is where the stakeholders reject the assessment and deem the risk assessment to be wrong.
Some organizations adopt a scorecard
to measure effectiveness off wrists.
This is one example
from Lockheed Martin in their paper on a truck driven approach of cybersecurity.
If you're interested in the details, please visit the link to get a copy off the paper.
A final note on this is that
you can never cover all the risk at an acceptable level or cost for usability.
At some point, some risk has to be accepted.
even with all the technical controls, there is a risk that employees might maliciously.
You can increase employ awareness, off course of conduct and consequences. But risks will never be completely eradicated.
You have to make a judgment call on probability and impact and document this
as this session only covers briefly these very heavy topics.
Here are some reading materials to further your education, and it's the reason this page in risk management with lots of resources
and it's a blocked page on the Software Engineering Institute
on Seven Considerations for cyber risk Management.
Please take the time to reach you. These resource is
in this session recovered the type of risk. How do you categorize? How do you classify?
How do you do? Risk management
covered the four phase of rich management risk assessment, risk analysis, risk mitigation and risk monitoring.
We'll cover it
the risk control types, administrative controls, technical controls and physical controls
and the treatment off risk. Is it a preventive treatment, detective? Corrective or compensating?
And lastly, we went through the various risk mitigation classifications reduced except transfer of islands or rejection off risk.
In the next session,
I would go true how we can document all the things you've learned earlier
into architectural documentation.
If you have the time, please join me the next session. Thank you.
Fundamentals of Cybersecurity Architecture
This cyber security architecture class aims to give an appreciation of the various aspects of consideration that goes into a proper security architecture.