Cyber Risk Analysis.md - Juan-bit94/Ops401D10 GitHub Wiki

Cyber Risk Analysis

Why does this topic matter?

  • This topic matters because risk analysis is an important part of the risk management lifecycle. This lifecycle reduces the chance of an incident such as a leak or data breach occurring in an organization.
  • Stakeholders in an organization will base their decisions upon Quantitative analysis of risk to an organization. With this data, decisions such as supporting the development of a security program, or accepting risk as is can be made.

Consider a bank ATM that allows users to access bank account balances. What measures can the ATM incorporate to cover the principles of the CIA triad?

  • ATMs incorporate various processes to cover the CIA triad principles, as outlined in the following examples.
  1. For confidentiality, ATMs protect the information from disclosure to unauthorized parties by encrypting communication between themselves and the bank's server. ATMs also implement authentication in the form of a card plus a PIN that only the account holder should know.
  2. For integrity, ATMs protect the information from being modified by unauthorized parties by conducting transaction integrity checks to ensure the data has not been altered during the transaction process. ATMs also leverage digital signatures to sign critical data and transactions, providing a means to verify the authenticity of information.
  3. For availability, ATMs ensure that clients are able to access information when needed. ATMs are designed with redundancy and failover to ensure continuous availability in the event of a hardware or network failure. Banks also perform regular maintenance and continuous monitoring so they can respond to potential security incidents.

Name three best practices that support the CIA triad.

  • Here are three best practices for CIA triad support.
  1. Separation of duties: This is a preventative control; it provides singleness of focus and prevents collusion among individuals with discrete capabilities. For example, a network administrator who grants users access to resources should never also be the security administrator.
  2. Job rotation: This prevents an operator from having exclusive use of a system while cross-training staff; the user relinquishes control of the system to someone else. This is a detective control.
  3. Least privilege: Allowing users to have only the required access to do their job.

What are the three stages of the risk management lifecycle? What is each stage’s main goal or objective?

  • The three stages of the risk management lifecycle are risk assessment, risk analysis, and risk mitigation/response. The main goal/objective of each stage is as follows.
    • Risk assessment: This stage looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. This is an ongoing process, and its steps are outlined in NIST 800-30.
    • Risk analysis: The goal of this stage is to analyze risk through a qualitative and quantitative lens.
      • Qualitative analysis is subjective in nature and uses words such as high, medium, and low to describe the likelihood and severity of the impact of a threat exposing a vulnerability.
      • Quantitative analysis is objective and numbers driven. This requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are driven by this type of analysis.
    • Mitigating risk: This stage of the risk management lifecycle has three acceptable responses to risk mitigation: reduce, transfer, and accept.
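As an added worked example (not part of the original wiki notes), the following Python puts numbers to the qualitative and quantitative analysis described above and to the reduce/transfer/accept choice. It uses the standard single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annualized rate of occurrence) formulas, which the notes do not spell out. The 3×3 rating matrix, the ATM-breach dollar figures, and the assumption that a transfer (insurance) option is fully covered for a flat premium are constructed assumptions for illustration only.

```python
"""Worked risk-analysis example: a qualitative likelihood/impact rating and a
quantitative ALE-based cost/benefit comparison of reduce, transfer and accept.
Added illustration; formulas are the standard SLE/ALE ones, figures are constructed."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine a likelihood word and an impact word on a 3x3 matrix (assumed layout):
    the rating rises with the sum of the two ranks, so high/high is high,
    medium/medium or high/low is medium, and low/low or low/medium is low."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


@dataclass
class RiskElement:
    name: str
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: RiskElement, after: RiskElement, annual_cost: float) -> float:
    """Yearly value of a control: ALE reduction minus the control's yearly cost.
    A positive result means the 'reduce' response pays for itself."""
    return before.ale() - after.ale() - annual_cost


def recommend_response(before: RiskElement, after: RiskElement,
                       control_cost: float, insurance_premium: float) -> tuple[str, dict]:
    """Pick the cheapest of the three responses by expected yearly cost.
    Simplification (assumed): insurance fully covers the loss for a flat premium."""
    costs = {
        "accept": before.ale(),
        "reduce": after.ale() + control_cost,
        "transfer": insurance_premium,
    }
    choice = min(costs, key=costs.get)
    return choice, costs


# Constructed scenario: breach of an ATM customer database.
# Without the control, a breach exposes 40% of a $500k asset about once every 2 years.
BREACH = RiskElement("ATM customer data breach", asset_value=500_000.0,
                     exposure_factor=0.4, aro=0.5)
# With link encryption plus integrity checks (see the CIA notes above), the
# exposure per incident is assumed to drop to 25%; the control costs $20k/year.
BREACH_WITH_CONTROL = RiskElement("ATM customer data breach (encrypted link)",
                                  asset_value=500_000.0, exposure_factor=0.25, aro=0.5)
CONTROL_COST = 20_000.0
INSURANCE_PREMIUM = 90_000.0

if __name__ == "__main__":
    print("qualitative rating (likely, high impact):", qualitative_rating("high", "high"))
    print(f"SLE ${BREACH.sle():,.0f}  ALE ${BREACH.ale():,.0f}")
    print(f"safeguard value ${safeguard_value(BREACH, BREACH_WITH_CONTROL, CONTROL_COST):,.0f}")
    print(recommend_response(BREACH, BREACH_WITH_CONTROL, CONTROL_COST, INSURANCE_PREMIUM))
```

The comparison is what stakeholders use to decide between funding a control and accepting the risk as is: here the control reduces the yearly expected loss from $100,000 to $62,500 and costs $20,000, so "reduce" is the cheapest response. Changing the premium or the control cost flips the recommendation, which is exactly the sensitivity a quantitative analysis is meant to expose.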

Things I want to know more about.

  • I would like to know how to prepare documentation in order to get top management support. As I have read articles about risk management, they state how important it is for security management to be directed and supported by top management, or else security efforts will be doomed.