7.2.2 Lab – Risk Management Answers

Introduction

An organization’s process of identifying and assessing risk is a continuous effort because the types of threats change and they never completely disappear. The goal of risk management is to reduce these threats to an acceptable level. There are different levels of risk management. Organizations must properly manage risk to protect information and information systems. Risk management also helps to prevent legal actions and interruptions to operations, and it safeguards the organization’s reputation.

Objectives

Explore the risk management process.
Part 1: Explain Risk Action Levels
Part 2: Explain Risk Management Concepts
Part 3: Explain Risk Management Processes

Required Resources

PC or mobile device with internet access

Instructions

Part 1: Risk Action Levels

Risk management is the identification, evaluation, and prioritization of risks. Organizations manage risk in one of four ways. Each may be an appropriate choice, depending on the circumstances and type of risk in question:

  • Avoidance (Elimination) – Risk avoidance is the complete removal or elimination of the risk from a specific threat, usually by no longer doing the activity that exposes the organization to it or by replacing the exposed mechanism entirely. For example, the threat of users sharing or misusing passwords could be avoided by replacing passwords with a fingerprint authentication system on all user workstations.
  • Mitigation (Reduction) – Risk mitigation involves implementing controls that allow the organization to continue performing an activity while reducing the risk from a particular threat. An organization could, for example, increase its technical controls and network oversight to reduce risk from operational threats.
  • Transfer – Organizations can transfer the risk from specific threats to another party. The financial risk of a threat can be managed by purchasing an insurance policy, or by hiring a contractor to deal with specific threats.
  • Accept – Accepting risk means identifying a threat and deliberately choosing not to implement a mitigation. This is only appropriate after a conscious decision has been made to do so, and that decision is informed by analyzing the components of the risk (threat, vulnerability, likelihood, and impact) before proceeding.

Step 1: Manage risk.

In this step, you will describe examples of managing the risk associated with specific threats to the organization’s information or information systems.

a. An organization is regularly required to handle sensitive customer information. The release of this information poses a serious risk to the organization.

Question:

What steps could the organization implement to eliminate the risk associated with accidental emailing or transferring of this information?
The organization can implement a policy prohibiting employees from emailing or transferring any customer data. The organization could also restrict which employees are able to access this information in the first place. Finally, the organization could screen and block all data emailed or transferred out of the organization’s network, so that the control does not depend on each employee remembering the policy.

b. The organization has had several issues of employees sharing passwords or using weak passwords.

Questions:

Name two ways to mitigate this risk.
Answers will vary. Two examples: (1) implement organizational password policies and guidelines, including a prohibition on sharing credentials, and train employees on them; (2) technically enforce the use of strong passwords (length, complexity, and lockout rules) on all organizational systems so that weak passwords are rejected rather than merely discouraged.

Give two examples of an organization transferring risk.
Answers can vary, but the use of insurance (for example, a cyber insurance policy that covers the financial loss from a breach) or service level agreements with a contractor or provider who assumes responsibility for a specific threat should be referenced.

Step 2: Explore risk levels.

An organization’s process of identifying and assessing risk is a continuous effort because types of threats change and they never completely disappear. The goal of risk management is to reduce these threats to an acceptable level. Go to the following website https://mirrorlearning.org/emate2/risk_management/pub/risk_management/Assets/index.html and review the brief Risk Management interactive lesson.

Questions:

Give an example of the following risk management levels:

Negligence:
Answers will vary. Negligence means that no actions or controls are taken to lower the risk. The risk is very high, and the cost of an incident could be catastrophic.

Due Care:
Answers will vary. Due care involves taking reasonable steps to lower the level of risk. The risk still exists but reasonable steps lower a potential loss.

Due Diligence:
Answers will vary. Due diligence goes further than due care: the organization takes responsible, deliberate steps to drive the risk down as far as practical and verifies that those steps work. Some residual risk still exists, but multiple controls are implemented to prevent a potential loss.

Part 2: Risk Management Concepts

Risk management is a technique used to identify and assess factors that may threaten information and information systems. The study of risk analysis includes several commonly used terms and concepts, including the following:

Assets – Assets are anything of value that is used in and is necessary for completion of a business task. Assets include both tangible and intangible items such as equipment, software code, data, facilities, personnel, market value and public opinion. Risk management is all about protecting valued organizational assets.

Threats – A threat is a malicious act or unexpected event that damages information systems or other related organizational assets. Threats can be intentional actions that result in the loss of or damage to an asset. Threats can also be unintentional, such as an accident, a natural disaster, or an equipment failure.

Vulnerability – A vulnerability is any flaw or weakness that would allow a threat to cause harm and damage an asset. Examples include faulty code, misconfigurations, and failure to follow procedures.

Impact – Risk impact is the damage incurred by an event which causes loss of an asset or disruption of service. This damage can be measured quantitatively or qualitatively based on the impact to the organization’s operations.

Risk – Risk is the probability of loss due to a threat to an organization’s assets; in practice it combines the likelihood that a threat exploits a vulnerability with the impact if it does.

Countermeasures – A countermeasure is an action, device, or technique that reduces a threat or a vulnerability by eliminating or preventing it. Examples include antivirus software, firewalls, policies, and training.

Risk Assessment – Risk assessment is the process of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

What is a security risk assessment? A risk assessment identifies, quantifies, and prioritizes the risks and vulnerabilities in a system. A risk assessment identifies recognized threats and threat actors and the probability that these factors will result in an exposure or loss.

Case Study:

A business manages a customer database that tracks online purchases of its products. These purchases are made with PayPal accounts or credit cards. The database server has several vulnerabilities. The database is on a server in the server room at the company headquarters. The server cost $25,000. The database holds all 40,000 customers and over 1.5 million transactions. The server records over 120 transactions per day, generating over $25,000 per day in sales. The database is backed up daily at 2 AM. All orders are also tracked and logged on separate systems in case of server failure; manually processing a day’s orders from those records can take up to 50 person-hours of data entry.

Questions:

Name at least two types of vulnerabilities the cybersecurity staff should analyze:
Answers will vary. A vulnerability is the weakness, not the event that exploits it. Vulnerabilities to analyze could include unpatched or faulty software on the database server (exploitable by attackers or malware), misconfigurations, a single server with no hardware redundancy (exposed to hardware failure), a single physical location in the headquarters server room (exposed to fire, flood, and other natural disasters), and weak access controls on the customer and payment data.

Describe possible threats to the server based on the vulnerabilities you identified:
Answers will vary. Threats to the server should include a hardware crash caused by failing equipment; a data breach or ransomware attack by an external attacker; fire, tornado, hurricane, or earthquake affecting the server room; the system being corrupted or damaged by malware; and system failure or poor performance caused by misconfigurations.

Describe the impact to the organization due to the following threats:

Data Breach:
Answers will vary. The impact could include exposure of all 40,000 customers’ purchase and payment details, loss of sales and revenue while the server is taken offline to investigate, potential legal liability, and damage to the business reputation and customer trust.

Ransomware:
Answers will vary. The impact could range from complete loss of the database server to a loss of sales and revenue and disruption of regular operations while the data is restored from backup (or re-entered manually at up to 50 person-hours per day). The impact could also include damage to the business reputation.

Hardware failure:
Answers will vary. The impact could range from the cost of replacing the $25,000 server to a loss of sales and revenue and the labor cost of processing orders manually until the server is restored from the daily backup.

List one countermeasure for the following threats to the organization’s database server:

Data Breach:
Answers will vary. Countermeasures for data breaches can include updated policies and procedures, data encryption, employee training regarding security measures, timely security updates, and limiting access to the data based on need.

Ransomware Attack:
Answers will vary. Countermeasures for a ransomware attack could include antivirus and antimalware software, an updated OS and applications, data backups that are kept separate from the server and tested, enforcement of the security policy, and physical access control mechanisms.

Hardware Failure:
Answers will vary. Countermeasures for hardware failure can include hardware redundancy, the existing daily backups (verified to be restorable), and replacement of obsolete equipment before it fails.

Malware:
Answers will vary. Countermeasures could include antivirus and antimalware software, an updated OS and applications, data backups, enforcement of the security policy, and physical access control mechanisms.

Part 3: Risk Management Processes

Risk management is a formal process that reduces the impact of threats and vulnerabilities. You cannot eliminate risk completely, but you can manage risk to an acceptable level. Risk management measures the impact of a threat and the cost to implement controls or countermeasures to mitigate the threat. All organizations accept some risk. The cost of a countermeasure should not be more than the value of the asset you are protecting.

Step 1: Frame and Assess Risk

Identify the threats throughout the organization that increase risk. The threats identified may relate to processes, products, attacks, potential failure or disruption of services, negative perception of the organization’s reputation, potential legal liability, or loss of intellectual property.

After a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses. Some threats can bring the entire organization to a standstill while other threats are minor inconveniences. Risk can be prioritized by actual financial impact (quantitative analysis) or a scaled impact on the organization’s operation (qualitative analysis).

In our example, the following risk scenarios have been identified. Assign a quantitative value to each risk based on your team’s answers. Provide justification for the value you determined.

Question:

Use the case study to formulate your answers.

Data breach impacting all customers:
Answers will vary. The impact of a data breach could cost $100,000 or more and take 5 working days to investigate, notify customers, and restore normal operations.

Server hardware failure requiring hardware replacement:
Answers will vary. The impact of hardware failure could cost $5,000 or more and 2 working days to replace failed hardware.

Ransomware affecting the entire server database:
Answers will vary. The impact of ransomware attack could cost $20,000 or more and 5 working days to restore the data and remove the ransomware.

Server room flood caused by fire sprinklers being activated:
Answers will vary. The impact of the flood could cost $50,000 or more and 3 working days to replace damaged hardware and restore the data.

Step 2: Respond to Risk

This step involves developing an action plan to reduce overall organization risk exposure. Management ranks and prioritizes threats; a team then determines how to respond to each threat. Risk can be eliminated, mitigated, transferred, or accepted.

Question:

Rank the risks and propose a possible countermeasure for each threat.

Data breach impacting all customers:
Answers will vary. The impact of a data breach is high. It could cost $100,000 or more, plus the loss of customer trust and company reputation. Countermeasures can include employee training, data encryption, and software and hardware updates.

Server hardware failure requiring hardware replacement:
Answers will vary. The impact of a server hardware failure is low relative to the other scenarios: it could cost $5,000 or more and cause a short service disruption. Countermeasures can include hardware redundancy and data and system backups.

Ransomware affecting the entire server database:
Answers will vary. The impact of a ransomware attack is medium: it could cost $20,000 or more and cause service disruption and data loss. Countermeasures can include security training and data backups kept separate from the server.

Server room flood caused by fire sprinklers being activated:
Answers will vary. The impact of a server room flood is high: it could cost $50,000 or more and cause service disruption and data loss. Countermeasures can include purchasing insurance and backing up data off-site.

Step 3: Monitor Risk

Continuously review risk reductions due to elimination, mitigation, or transfer actions. Not all risks can be eliminated, so threats that are accepted need to be closely monitored. It is important to understand that some risk is always present and acceptable. As countermeasures are implemented, the risk impact should decrease. Constant monitoring and revisiting new countermeasures are required.

Question:

What actions could decrease the impact of a ransomware threat?
Answers will vary. Choose two to three countermeasures (for example, backups kept separate from the server and tested, patching the OS and applications, antimalware software, and user training) and explain how each would reduce the potential impact. Note that a countermeasure reduces impact or likelihood; it does not eliminate the risk entirely.
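The three steps above (assess, respond, monitor) can be carried through quantitatively using the standard single loss expectancy (SLE = direct loss per incident plus the cost of the outage) and annualized loss expectancy (ALE = SLE × annual rate of occurrence) calculations. The following script is an added worked example, not part of the original lab: it takes the dollar and downtime figures from the Step 1 answers and the 50 person-hours-per-day manual fallback from the case study, ranks the four scenarios, and applies the rule from the introduction to Part 3 that a countermeasure should not cost more than the loss it prevents. The annual rates of occurrence, the $30/hour labor rate, the control costs, and the effect of each control on the ransomware scenario are assumed illustrative values.

```python
"""Quantitative risk assessment for the lab case study (added example).

Formulas used:
    SLE = direct_loss + downtime_days * daily_outage_cost
    ALE = SLE * ARO
    net benefit of a control = ALE_before - ALE_after - annual_cost
Dollar/downtime figures come from the Step 1 answers; ARO values, the labor
rate and the control parameters are ASSUMED for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

MANUAL_HOURS_PER_DAY = 50        # from the case study: manual order entry fallback
HOURLY_RATE = 30.0               # ASSUMED loaded labor rate (not in the case study)
DAILY_OUTAGE_COST = MANUAL_HOURS_PER_DAY * HOURLY_RATE   # 1500.0 per working day


@dataclass(frozen=True)
class Threat:
    name: str
    direct_loss: float     # single-incident loss estimate (Step 1 answers)
    downtime_days: int     # working days of disruption (Step 1 answers)
    aro: float             # annual rate of occurrence, ASSUMED

    def sle(self) -> float:
        """Single loss expectancy: direct loss plus cost of the manual fallback."""
        return self.direct_loss + self.downtime_days * DAILY_OUTAGE_COST

    def ale(self) -> float:
        """Annualized loss expectancy."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                  # ASSUMED
    aro_factor: float = 1.0             # multiplier on ARO (1.0 = unchanged)
    loss_factor: float = 1.0            # multiplier on direct loss
    downtime_after: Optional[int] = None  # new downtime in days, if changed

    def apply(self, t: Threat) -> Threat:
        """Return the threat as it would look with this control in place."""
        days = t.downtime_days if self.downtime_after is None else self.downtime_after
        return replace(t, aro=t.aro * self.aro_factor,
                       direct_loss=t.direct_loss * self.loss_factor,
                       downtime_days=days)


# Step 1 scenarios. ARO values are assumptions.
THREATS = [
    Threat("Data breach impacting all customers", 100_000, 5, 0.10),
    Threat("Server hardware failure", 5_000, 2, 0.50),
    Threat("Ransomware affecting the entire database", 20_000, 5, 0.25),
    Threat("Server room flood (sprinklers)", 50_000, 3, 0.05),
]

# Candidate ransomware controls (Step 3 question). All parameters assumed.
RANSOMWARE_CONTROLS = [
    Control("Offline, tested backups", 3_000, loss_factor=0.25, downtime_after=1),
    Control("Security awareness training", 2_000, aro_factor=0.5),
    Control("Anti-malware plus OS/application patching", 4_000, aro_factor=0.4),
    Control("Replace server with a redundant cluster", 30_000, aro_factor=0.0),
]


def rank_by_ale(threats: List[Threat]) -> List[Threat]:
    """Step 2 ranking: highest annualized loss first (differs from ranking by SLE)."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def net_benefit(t: Threat, c: Control) -> float:
    """ALE reduction minus the control's cost; negative means it costs more than it saves."""
    return t.ale() - c.apply(t).ale() - c.annual_cost


def recommend(t: Threat, controls: List[Control]) -> List[Tuple[Control, float]]:
    """Controls with a positive net benefit for this threat, best first."""
    scored = [(c, net_benefit(t, c)) for c in controls]
    return sorted([cb for cb in scored if cb[1] > 0], key=lambda cb: cb[1], reverse=True)


def main() -> None:
    print(f"{'Threat':45} {'SLE':>10} {'ARO':>5} {'ALE':>10}")
    for t in rank_by_ale(THREATS):
        print(f"{t.name:45} {t.sle():10,.0f} {t.aro:5.2f} {t.ale():10,.0f}")
    ransomware = THREATS[2]
    print("\nRansomware controls (net annual benefit):")
    for c in RANSOMWARE_CONTROLS:
        print(f"  {c.name:45} {net_benefit(ransomware, c):10,.1f}")
    print("\nRecommended:", [c.name for c, _ in recommend(ransomware, RANSOMWARE_CONTROLS)])


if __name__ == "__main__":
    main()
```

Two things the table makes visible that the prose answers do not: ranking by ALE (data breach, ransomware, hardware failure, flood) differs from ranking by single-incident cost (data breach, flood, ransomware, hardware failure), because the flood is rare; and the redundant cluster, although it drives the ransomware ALE to zero, has a negative net benefit because its cost exceeds the annual loss it prevents, which is exactly the situation the "cost of a countermeasure should not be more than the value of the asset" rule warns against. Re-running the script with updated ARO values as incidents are observed is the Step 3 monitoring loop.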
