ch03 CYB104

This chapter covers analyzing risk, risk treatment and response options, risk analysis methodologies, information classification, privacy issues, and the information lifecycle. It discusses identifying threats, vulnerabilities, risks, and appropriate risk treatment responses like risk acceptance, avoidance, reduction, and transfer.

Information Risk Management

CHAPTER 3

1
Learning Outcomes
1. Establish and/or maintain a process for information asset identification and classification.

2. Participate in and/or oversee the risk identification, risk assessment, and risk treatment process.

3. Identify, recommend, or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite.

4. Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.

5. Facilitate the integration of information risk management into business and IT processes.

6. Monitor for internal and external factors that may require reassessment of risk.

7. Report on information security risk, including noncompliance and other changes in information risk, to key stakeholders to facilitate the risk management decision-making process.

2
This Chapter Covers:
Analyzing Risk
Risk Treatment and Response
Risk Analysis
Information Classification

3
Analyzing Risk
Threats: any possible events that might have an adverse impact on CIA
Vulnerabilities: weaknesses in our systems or controls
Risks: occur at the intersection of a vulnerability and a threat that might
exploit that vulnerability

4
Risk Identification
External Risks: cybersecurity adversaries, malicious code, and natural disasters

Internal Risks: malicious insiders, human error, equipment failures

Multiparty Risks: power outage to a city block

Legacy Systems: outdated systems often do not receive security updates

Intellectual Property Theft: trade secrets

Software Compliance/Licensing Risks: use that runs afoul of license terms

5
Risk Calculation

Likelihood of occurrence

Magnitude of the impact

Risk Severity = Likelihood x Impact

6
Risk Assessment

Quantitative risk assessments use numeric data in the analysis

Qualitative risk assessments substitute subjective judgments and categories for strict numerical analysis.

7
Quantitative Risk Assessment
Determine the asset value of the asset affected by the risk

Determine the likelihood that the risk will occur

Determine the amount of damage that will occur to the asset if the risk materializes

Calculate the single loss expectancy

Calculate the annualized loss expectancy

8
Quantitative Risk Assessment (2)
Metrics for each risk are:
◦ Asset value ($)
◦ Exposure Factor (EF): portion of asset damaged
◦ Single Loss Expectancy (SLE) = Asset ($) x EF (%)
◦ Annualized Rate of Occurrence (ARO)
◦ Probability of loss in a year, %
◦ Annual Loss Expectancy (ALE) = SLE x ARO

Practice example from Book (page 69)

9
Qualitative Risk Assessment
For a given scope of assets, identify:
◦ Vulnerabilities
◦ Threats
◦ Threat probability (Low / medium / high)
◦ Impact (Low / medium / high)
◦ Countermeasures

10
Risk Assessment Chart

11
Qualitative Risk Assessment

12
Risk Assessment Methodologies
NIST 800-30, Risk Management Guide for Information Technology Systems

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening

Spanning Tree Analysis – visual, similar to mind map (invented by Vulcans)

NIST - National Institute of Standards and Technology

13
Risk Treatment
Risk treatment is the process of systematically responding to the risks facing an organization
Consider financial risk and business risk

14
Risk Treatment (Response)
Four general approaches to risk response:
◦ Risk Acceptance
◦ “yeah, we can live with that”
◦ Risk Avoidance
◦ Discontinue the risk-related activity
◦ Risk Reduction
◦ Mitigate through security control
◦ Risk Transfer
◦ Buy insurance

Risk treatment (response) is often a blended approach

15
Risk Analysis
The inherent risk facing an organization is the
original level of risk that exists before
implementing any controls
The residual risk is the risk that remains after
an organization implements controls
An organization’s risk appetite is the level of
risk that it is willing to accept as a cost of
doing business
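A worked quantitative assessment in the deck's own terms (asset value, EF, SLE, ARO, ALE, from the Quantitative Risk Assessment slides), extended to compare inherent and residual ALE against a risk appetite as defined on this slide. This is an added example, not from the slides or the book; the sample register, its figures, and the treatment rule in `recommend` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of the asset lost per event (0..1)
    aro: float              # ARO: expected occurrences per year
    control_cost: float = 0.0          # annual cost of the proposed control
    aro_after: Optional[float] = None  # ARO once the control is in place

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset value x EF."""
    return asset_value * exposure_factor

def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return single_loss * aro

def inherent_ale(r: Risk) -> float:
    """ALE before any control is applied (inherent risk)."""
    return ale(sle(r.asset_value, r.exposure_factor), r.aro)

def residual_ale(r: Risk) -> float:
    """ALE after the proposed control is applied (residual risk)."""
    aro = r.aro if r.aro_after is None else r.aro_after
    return ale(sle(r.asset_value, r.exposure_factor), aro)

def recommend(r: Risk, appetite: float) -> str:
    """Simplified rule (an assumption, not from the deck): accept within appetite;
    reduce if the control pays for itself and meets appetite; else escalate."""
    before, after = inherent_ale(r), residual_ale(r)
    if before <= appetite:
        return "accept"
    if before - after > r.control_cost and after <= appetite:
        return "reduce"
    return "avoid/transfer"

def rank(risks: list, appetite: float) -> list:
    """(name, inherent ALE, residual ALE, treatment) rows, highest inherent ALE first."""
    rows = [(r.name, inherent_ale(r), residual_ale(r), recommend(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

SAMPLE_RISKS = [  # constructed sample register; the figures are illustrative only
    Risk("ransomware on file server", 500_000, 0.6, 0.2, 30_000, aro_after=0.05),
    Risk("laptop theft", 4_000, 1.0, 2.0, 1_500, aro_after=0.5),
    Risk("datacenter flood", 2_000_000, 0.8, 0.02, 120_000, aro_after=0.001),
]
```

With a $20,000 appetite the register ranks ransomware first (reduce: the control pays for itself), the flood second (escalate: the control costs far more than the ALE it removes, so transfer via insurance is the usual answer), and laptop theft last (accept).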

16
Risk Reporting

17
Risk Matrix

18
Enterprise Risk Management
Software and systems development

Procurement

Project management

19
Disaster Recovery Planning (DRP)

A disaster is any event that has the potential to disrupt an organization's business.

Developing plans to recover operations as quickly as possible in the face of a disaster

The goal of these plans is to help the organization recover normal operations as quickly as possible in the wake of a disruption.

As part of the DRP process, organizations should conduct site risk assessments for each of their facilities.

20
Business Impact Analysis (BIA)
Four core metrics are used in the BIA process:
◦ Mean time between failures (MTBF)
◦ a measure of the reliability of a system
◦ Mean time to repair (MTTR)
◦ the average amount of time to restore a system
◦ Recovery time objective (RTO)
◦ the amount of downtime that the organization can tolerate
◦ Recovery point objective (RPO)
◦ the amount of data that the organization can tolerate losing during
an outage

21
Privacy Issues
The protection and proper handling of sensitive personal information

Requires proper technology for protection

Requires appropriate business processes and controls for appropriate handling

Inappropriate uses

Unintended disclosures to others

22
Sensitive Information Inventory
Personally identifiable information (PII)

Protected health information (PHI)

Financial Information

Government Information
23
Personally Identifiable Information (PII)
Refers to the items that comprise a person’s identity, including:
◦ Full name
◦ National identification number (e.g. SIN)
◦ Telephone number
◦ Driver’s license number
◦ Passport number
◦ Residential address
◦ Bank account numbers
◦ Credit card numbers

24
Information Classification
Organize data into categories based on the sensitivity and impact
◦ Top Secret: highest degree of protection
◦ Secret: substantial degree of protection
◦ Confidential: requires some protection
◦ Unclassified: is still not publicly releasable without authorization

25
Data Roles and Responsibilities
Data Controllers
◦ entities who determine the reasons for processing personal information and
direct the methods of processing that data
Data Stewards
◦ individuals who carry out the intent of the data controller and are delegated
both authority and responsibility from the controller
Data Custodians
◦ responsible for the secure safekeeping of information
Data Processors
◦ service providers that process personal information on behalf of a data
controller (e.g. credit card)
Data Subjects
◦ individuals about whom data is collected, stored, and processed

26
Information Lifecycle
Data minimization: collect the smallest possible amount of information necessary to meet business requirements
Purpose limitation: information should be used only for the purpose for which it was originally collected
Data retention: data should be kept only for as long as it remains necessary

27
Privacy-Enhancing Technologies
Data obfuscation is an alternative to the de-identification process, transforming data into a format from which the original information can't be retrieved
◦ Hashing
◦ uses a hash function to transform a value in our dataset to a
corresponding hash value
◦ Tokenization
◦ replaces sensitive values with a unique identifier using a lookup
table
◦ Data masking
◦ replacing some or all sensitive fields with blank characters
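The three techniques listed above applied to one constructed PII record. This is an added example, not from the slides; the record, the key and the token format are assumptions, and the keyed hash (HMAC) is a practitioner's choice rather than the deck's, because a plain hash of a short identifier such as a phone number can be matched by hashing every candidate value.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; not a real person, phone number or card number.
RECORD = {"full_name": "Jane Example", "phone": "555-0100",
          "card_number": "4111111111111111"}

def hash_value(value: str, key: bytes) -> str:
    """Hashing: one-way transform of a dataset value. HMAC-SHA256 with a
    secret key is used so that someone without the key cannot rebuild the
    mapping by hashing every possible phone number or name."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Tokenization: replace a sensitive value with a random identifier and
    keep the mapping in a lookup table that only the vault holder can consult."""
    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:  # same input always maps to the same token
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]

def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Data masking: replace all but the last few characters with a filler."""
    keep_last = max(0, min(keep_last, len(value)))
    kept = value[len(value) - keep_last:]
    return fill * (len(value) - keep_last) + kept

def deidentify(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Apply one technique per field of the sample record (assumed field names)."""
    return {"full_name": hash_value(record["full_name"], key),
            "phone": vault.tokenize(record["phone"]),
            "card_number": mask(record["card_number"])}
```

Of the three, only tokenization is reversible, and only by whoever holds the vault; the hash cannot be reversed without the key, and the masked card number cannot be reversed at all.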

28
Summary
▪ Techniques that cybersecurity analysts use to identify, assess, and manage a wide variety of risks.

▪ Differences between risk mitigation, risk avoidance, risk transference, and risk acceptance and when it is appropriate to use each.

▪ How the disaster recovery planning process can help prevent disruptions to a business.

▪ Role of security professionals in protecting the privacy of personally identifiable information.

29
Reference
CISM Certified Information Security Manager Study Guide by Mike Chapple

30
