# Explain Risk Management Process and Concepts

## Risk Management Processes

- **Phases of risk management**
  - Identify mission essential functions
  - Identify vulnerabilities
  - Identify threats
  - Analyze business impacts
  - Identify risk response
- **Risk Assessment**
  - Likelihood and impact
  - Enterprise risk management **(ERM)** frameworks
  - Risk and control self-assessment **(RCSA)**
  - Risk and control assessment **(RCA)**

## Risk Types

- **External**
  - Cyber threat actors and natural or person-made disasters
- **Internal**
  - Risks that arise from assets that are owned/managed
  - Malicious insider, accidental insider mistake
- **Multiparty**
  - Ripple impacts in the supply chain
    - Supermicro hack (alleged spy chip)
    - SolarWinds update system compromised
    - Supply chain drying up
- Intellectual property (IP) theft
- Software compliance/licensing
- Shadow IT
- Legacy systems

## Quantitative Risk Assessment

- Quantitative vs qualitative assessments
  - **QUAN**titative -> actual numbers to assess
  - **QUAL**itative -> sort of subjective numbers to assess: "oh, risk is at a 7"
- Concrete values for risk factors
  - **Asset Value (AV)** - how much the asset is worth
    - Not how much it costs to buy the asset but how much it is worth to the company. For example, if the server goes down you lose sales and employee productivity, so the value may be more than the physical value of the asset itself
  - **Exposure Factor (EF) (%)** - the percentage of the asset's value that would be lost if the risk is realized
    - For example, 50% of the value of the server is lost
  - **Single Loss Expectancy (SLE)** - what we lose each time the risk happens
    - SLE = AV x EF (EF expressed as a fraction of AV)
  - **Annualized Rate of Occurrence (ARO)** - how often we expect the risk to happen per year (once every 5 years is an ARO of 0.2)
  - **Annualized Loss Expectancy (ALE)** - expected loss per year
    - <u>ALE = SLE x ARO</u>
- Difficulty of forecasting likelihood
- Difficulty of assessing impact/cost

![[QUALitativeRiskAssessment.png]]

## Qualitative Risk Assessment

- Seeks opinions and uses broad categorizations
- Heat map or traffic light impact matrix
- Security categorizations (FIPS 199)
  - Low
  - Medium
  - High

![[Pasted image 20230712100310.png]]

## Risk Management Strategies

- Inherent risk
  - Level of risk before any type of mitigation has been attempted; for example, there is an inherent level of risk in driving a car
- Risk posture and prioritization
  - Regulatory requirements
  - High-value assets, regardless of threat likelihood
  - Threats with high likelihood
  - Procedures, equipment, or software that increase the likelihood of threats
- Return on Security Investment (ROSI)
  - Do we want to implement the mitigation? Depends on whether the loss it prevents is worth more than what the control costs
- Risk mitigation/remediation
  - Deploy countermeasures
  - Reduce likelihood or impact or both

## Risk Responses

- Avoidance
  - Stop doing the risky activity
- Transference
  - Assign risk to a third party
  - Cybersecurity insurance
  - Limits to transference (reputational damage and regulatory liability generally cannot be handed off)
- Risk acceptance/tolerance
  - Risk is assessed and monitored, but no countermeasure is put in place
  - Do not ignore risk: acceptance is a documented decision, ignoring is not
- Residual risk
  - Likelihood and impact after mitigation
- Risk appetite
  - Willingness to tolerate a certain level of risk
  - Established at an organization or project level
- Control risk
  - Loss of countermeasure effectiveness over time

## Risk Awareness

- Communicate risk factors to stakeholders
  - Risk registers
  - Risk matrix/heat map
  - Graphs
  - Relevance to workflows

![[riskAwarenessMatrix.png]]

# Explain Business Impact Analysis Concepts

## Business Impact Analysis

- **Business impact analysis (BIA)** reports for threat scenarios
  - If the risk happens, what is the impact to the business?
  - Calculate impact as costs
  - Justifies and prioritizes investment in security controls
- **Business continuity planning (BCP)/continuity of operations planning (COOP)**
  - Identifies controls and processes that maintain critical workflows
  - Commonly kicks off the <u>Disaster Recovery Plan</u>

## Mission Essential Functions

- Business activities that cannot be deferred
- Contrast with primary business functions (PBF)
- Metrics

![[Pasted image 20230712101712.png]]

## Identification of Critical Systems

- Supporting asset types
  - People, tangible assets, intangible assets, procedures
- Business process analysis (BPA)
  - Inputs
  - Hardware
  - Staff and other resources
  - Outputs
  - Process flow

## Single Points of Failure

- Asset that causes the entire workflow to fail if it is damaged or otherwise not available
- **Mean time to failure (MTTF)** (non-repairable items) and **mean time between failures (MTBF)** (repairable items)
  - Determine how likely failures are to occur
  - Provision redundancy
- **Mean time to repair (MTTR)**
  - Time to correct a fault
  - Affects recovery time objective **(RTO)**

## Disasters

- Internal versus external
  - Whether or not the threat actor/source has privileged access
  - External disasters affecting the supply chain
- Person-made
  - Internal or external disaster due to human agency
  - Malicious or accidental
- Environmental
  - Could not be prevented by human agency
- Site risk assessment
  - Risk from natural disaster
  - Resiliency of utility supply
  - Health and safety risks

## Disaster Recovery Plans

- Identify specific scenarios for disaster-level incidents
  - Risk and cost assessment
  - Threat modeling
- Identify tasks, resources, and responsibilities for response
- Train staff in disaster recovery and change management
- Notifications to stakeholders and agencies

## Functional Recovery Plans

- Demonstrate effectiveness through walkthroughs and exercises
  - **Walkthroughs, workshops, and orientation seminars**
    - Presentation and description-oriented
  - **Tabletop exercises**
    - Facilitator-led discussion scenarios
  - **Functional exercises**
    - Action-based engagements using simulations
  - **Full-scale exercises**
    - Action-based engagements simulating major events
    - More typical of public agencies
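Worked example tying together the Quantitative Risk Assessment section (SLE = AV x EF, ALE = SLE x ARO, ROSI) and the Single Points of Failure section (MTBF, MTTR, redundancy) above. This is an added example, not code from the course notes: every scenario, dollar figure, MTBF/MTTR value and control cost is constructed, and the availability formula MTBF / (MTBF + MTTR), the parallel-redundancy formula 1 - (1 - A)^n and the ROSI formula (ALE reduction - control cost) / control cost are standard ones that the notes do not state.

```python
"""Quantitative risk assessment worked through in code (added example).

Formulas from the notes: SLE = AV x EF, ALE = SLE x ARO.
Assumed standard formulas (not in the notes):
  availability = MTBF / (MTBF + MTTR)
  n redundant units: A_n = 1 - (1 - A)^n
  ROSI = (ALE_before - ALE_after - control cost) / control cost
All scenario values below are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: worth to the business, not purchase price
    exposure_factor: float  # EF as a fraction of AV lost per event (0.5 == 50%)
    aro: float              # ARO: expected occurrences per year (0.2 == once in 5 years)


def sle(s: Scenario) -> float:
    """Single loss expectancy: AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError(f"{s.name}: EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    return sle(s) * s.aro


def prioritize(register: list[Scenario]) -> list[tuple[str, float]]:
    """Risk register ordered by ALE, highest first: what to spend on first."""
    return sorted(((s.name, ale(s)) for s in register), key=lambda t: t[1], reverse=True)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment; > 0 means the control saves more than it costs."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable unit."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def redundant_availability(single: float, n: int) -> float:
    """n independent identical units; the workflow is down only if all n are."""
    return 1.0 - (1.0 - single) ** n


def expected_outage_cost(avail: float, loss_per_hour: float) -> float:
    """Annual loss from downtime: expected down hours per year x loss per hour.
    This is the ALE of the 'single point of failure fails' scenario."""
    return (1.0 - avail) * HOURS_PER_YEAR * loss_per_hour


# --- constructed register: three scenarios with made-up AV / EF / ARO ------
REGISTER = [
    Scenario("phishing credential theft", asset_value=50_000, exposure_factor=0.8, aro=2.0),
    Scenario("web server outage (hardware)", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Scenario("ransomware on file server", asset_value=500_000, exposure_factor=0.3, aro=0.1),
]


def mfa_decision() -> float:
    """MFA assumed to cut phishing ARO from 2.0 to 0.2 for 15,000/yr (constructed)."""
    before = REGISTER[0]
    after = Scenario(before.name, before.asset_value, before.exposure_factor, aro=0.2)
    return rosi(ale(before), ale(after), annual_control_cost=15_000)


def redundancy_decision() -> dict[str, float]:
    """One server: MTBF 4000 h, MTTR 8 h, 5,000/h lost while down.
    A second identical server (parallel redundancy) is assumed to cost 20,000/yr."""
    a1 = availability(4000, 8)
    a2 = redundant_availability(a1, 2)
    return {
        "availability_single": a1,
        "availability_pair": a2,
        "downtime_hours_single": (1 - a1) * HOURS_PER_YEAR,
        "downtime_hours_pair": (1 - a2) * HOURS_PER_YEAR,
        "rosi": rosi(expected_outage_cost(a1, 5_000), expected_outage_cost(a2, 5_000), 20_000),
    }


if __name__ == "__main__":
    for name, value in prioritize(REGISTER):
        print(f"{value:>12,.0f}  {name}")
    print(f"MFA ROSI: {mfa_decision():.2f}")
    for key, val in redundancy_decision().items():
        print(f"{key}: {val:.4f}")
```

The register comes out ordered phishing, server outage, ransomware, which is the order the ALE numbers justify spending in even though ransomware has the largest single loss; that is the point of working in ALE rather than SLE. The ROSI for MFA (about 3.8) and for the second server (about 3.4) are both positive, so under these constructed inputs both controls beat risk acceptance. Compare the "downtime_hours" figures against the RTO: the single server's roughly 17 hours of expected annual downtime is spread over about two incidents of 8 hours each, so a 4-hour RTO would still be missed until MTTR itself is reduced.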