5.2 Cybersecurity Processes Part 2
Video Transcription
Hi, and welcome back to Cybersecurity Architecture Fundamentals, Episode 12, Cybersecurity Processes Part 2. In this session, we will cover the very broad topic of risk management. As you know, cybersecurity is just a way of managing risk. I will be covering types of risk, how to manage it, what residual risk is, and so on. Let's start.

As with audit and compliance, risk management is also a very important function. While the last two processes I went through, incident response and audit reporting, are very operational areas, risk management is a more strategic area and less operational, although risk management does drive a lot of your audit and compliance behavior.

There are four phases to risk management. The first phase is risk assessment. This is where you identify all your assets, your threats, your vulnerabilities, and so on. If you go back to your threat modeling, this is where the results of the threat model will play a part. This also includes valuation of the assets and what the maximum cap is that you would spend on protecting them.

Next would be risk analysis. This is where the impact of the risks to the asset is measured. What is the impact to the organization? What is the impact to the system, and so on? There are various frameworks to calculate this, which are not covered here, but resources for them are readily available online, and you can search for them if you have the interest.

The third part is where the cybersecurity architect plays a very big part: this is the area of risk mitigation, how you deal with the risks. I will go through a few ways to deal with risks, but this area includes technical measures or procedural measures, or even risk acceptance or rejection.

Once your controls are in place, that brings you to the fourth phase of risk management, which is risk monitoring. This goes on forever. Risk monitoring will tell you if the controls are adequate or sufficient and, if necessary, feed back into risk assessment again if the situation has changed.

Now, we're going into a little more detail on risk assessment. There are many frameworks and methodologies out there for you to use: OCTAVE, FRAP, the NIST 800-30 standard, and so on. All of these are pretty comprehensive, and all of these are good for certain organizations. There is no one-size-fits-all in this area of risk assessment. Risk assessment can be qualitative or quantitative. This all depends on the maturity of your organization and the skills of the resources available to do the risk assessment. I highly recommend that you get familiar with the standards used in your organization and learn how to adapt them, and if there are none, please pick one of the standard frameworks and customize it to your organization. There is no point reinventing the wheel in this space. This brings me to our last point on this slide, which is that even the best-secured system will have some residual risk, which will be covered further down in this session.

Risks can be controlled in a few ways. Typically, risk controls can be classified into administrative, technical, and physical controls. Administrative controls are things like training and awareness, having disaster recovery plans, having background checks on administrators, and so on. Technical risk controls are those controls more familiar to the cybersecurity architect. These include access controls, network authentication, encryption, and so on. They are more technology-focused. Lastly, physical controls are those that deter or prevent someone from accessing the system physically, for example the use of security guards, the use of tripwire alarms, the use of biometric entry points, and so on.

In terms of classifying risk treatments, we look at them in four ways: preventive, detective, corrective, and compensating. Examples of preventive controls are things like system hardening, the use of a change management process, and security awareness training to prevent misuse of systems. Detective treatment is like having log monitoring, trend analysis, or security audits on systems. As the name suggests, this is detecting a post-breach incident. Corrective controls attempt to reverse the impact of an incident. These are things like a self-healing system or restoring from a backup. Compensating controls are alternative controls used when the primary system is not feasible to be reused. This includes the use of a DR site or reverting to pen and paper instead of using the computer.

Now, let's talk about residual risk. What is residual risk? According to the PMBOK definition, it is the risk that is expected to remain after the planned risk response has been taken, as well as risks that have been deliberately accepted. The key here is that they are accepted within the organizational risk tolerance level. An example of this is that even if your system restricts access to come only from the web server, the residual risk would include an attack from that particular web server if it is compromised. In other words, residual risk is the risk that remains after all the controls and countermeasures have been taken into consideration.

This diagram shows how you calculate the residual risk. You still start with the assets and threats as normal, but this time we take into account the controls in place. The difference is that this time we measure the effectiveness of the controls and come to a conclusion about what risk remains, and that is your residual risk.

Risk mitigation can also be classified in various ways: reduce, accept, transfer, avoidance, or rejection. If we apply countermeasures to address a risk, we are reducing the risk. If we do not add any countermeasures, we are accepting the risk, but that also means we might be setting aside extra budget to take care of any post-breach incident. Transfer of risk could be outsourcing. This could simply be buying cybersecurity insurance, or outsourcing to a third party and having financial penalties there. Risk avoidance could be totally changing the way we do things or changing the system in use. This is, in effect, abandoning the system and adopting something else. Lastly, it could be rejection. This is where the stakeholders reject the assessment and deem the risk assessment to be wrong.

Some organizations adopt a scorecard to measure the effectiveness of risk treatment. This is one example from Lockheed Martin in their paper on a threat-driven approach to cybersecurity. If you are interested in the details, please visit the link to get a copy of the paper.

A final note on this is that you can never cover all the risks at an acceptable level of cost or usability. At some point, some risks have to be accepted. For example, even with all the technical controls, there is a risk that an employee might act maliciously. You can increase employee awareness of the code of conduct and its consequences, but the risk will never be completely eradicated. You have to make a judgment call on probability and impact and document it.

As this session only briefly covers these very heavy topics, here are some reading materials to further your education on this. There is a NIST page on risk management with lots of resources, and there is a blog post on the Software Engineering Institute site on seven considerations for cyber risk management. Please take the time to read through these resources.

In this session, we covered the types of risk: how do you categorize, how do you classify, and how do you do risk management? We covered the four phases of risk management: risk assessment, risk analysis, risk mitigation, and risk monitoring. We covered the risk control types, administrative controls, technical controls, and physical controls, and the treatment of risks: is it a preventive treatment, detective, corrective, or compensating? Lastly, we went through the various risk mitigation classifications: reduce, accept, transfer, avoidance, or rejection of risks.

In the next session, I will go through how we can document all the things you've learned earlier into architecture documentation. If you have the time, please join me in the next session. Thank you.