Risk - dennisholee/notes GitHub Wiki
- Vulnerabilities
- Threats and threat agents
- Impact
- Likelihood
Risk is the combination of the probability of an event and its consequence. Governance is the accountability for the protection of the assets of an organization.
Directors are accountable for governance. The senior management team is responsible for managing the day-to-day operations.
the objective of a governance system is to enable organizations to create value for their stakeholders or to promote value creation
Governance answers four questions:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?
Four Objectives
- Establish and maintain a common risk view
- Integrate risk management into the enterprise
- Make risk-aware business decisions
- Ensure that risk management controls are implemented and operating correctly
Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk.
IT risk management is the implementation of a risk strategy that reflects the culture, appetite and tolerance levels of organizational management.
| # | Step |
|---|---|
| 1 | Categorize Information System |
| 2 | Select Security Controls |
| 3 | Implement Security Controls |
| 4 | Assess Security Controls |
| 5 | Authorize Information Systems |
| 6 | Monitor Security Controls |
Business continuity is concerned with the preservation of critical business functions and the ability of the organization to survive an adverse event that may impact the ability of the organization to meet its mission and goals.
An audit provides management with assurance regarding the effectiveness of the control framework, IT risk management program and compliance.
Risk controls are chosen to mitigate risk, but if the control is not operating correctly then the control may not prevent a failure or compromise.
The IT risk management program should be: • Comprehensive (thorough, detailed) • Complete (carried through to the end) • Auditable (reviewable by an independent third-party) • Justifiable (based on sound reasoning) • Compliant (with policy, laws, and/or regulations) • Monitored (subject to review and accountability) • Enforced (consistent, mandated, and required) • Up to date (current with changing business processes, technologies, and laws) • Managed (adequately resourced, with oversight and support)
IT Risk Identification - risk context, risk framework, the process of identifying and documenting risk IT Risk Assessment - assess and prioritize risks Risk Response and Mitigation - seek and implement cost-effective ways to address the risk Risk and Control Monitoring and Reporting
- Is a technique for assessing business risk.
- Risk register's potential threats help develop a risk scenario.
- Threat and vulnerability assessment uses risk scenarios to estimate the likelihood and impact of the risk.
| Component | Descriptions |
|---|---|
| Actor | Actor is the element that generates the threat. Actor can be internal or external to the organization. |
| Threat Type | Type of threat i.e. natural, system failure, external attack, accidental etc. |
| Threat Event | Nature of the incident i.e. data leakage, system down, theft etc. |
| Asset | Asset that is being impacted i.e. IT infrastructure, organization’s reputation, data compromised etc. |
| Time | Impact on the basis of time element i.e. immediate impact of network failure, long term impact of system unavailability etc. |
| Threat actor | Describes the individual or group that can act against an asset. A threat actor can be an individual internal to the organization, like an employee. It can also be external, such as a cybercriminal organization. The intent is usually defined here, for example, malicious, unintentional, or accidental actions. Force majeure events are also considered threat actors. |
| Asset | An asset is anything of value to the organization, tangible or intangible. For example, people, money, physical equipment, intellectual property, data and reputation. |
| Effect | Typically, in technology risk, an adverse event can affect the confidentiality, integrity, availability, or privacy of an asset. The effect could extend beyond these into enterprise risk, operational risk and other areas. |
| Method | If appropriate to the risk scenario, a method can also be defined. For example, if the risk analysis is specifically scoped to malicious hacking via SQL injection, SQL injection can be included as the method. |
- Prepare the risk register at the risk Identification phase.
- The risk register should be centrally kept.
- Risk registers help drive the risk response plan and improve decision-making for risk.
Common elements in a Risk Register:
| # | Elements | Descriptions | Risk Lifecycle Management |
|---|---|---|---|
| 1. | Risk identification ID | A name or ID number to identify the risk. | IT Risk Identification |
| 2. | Risk description | A brief explanation of the risk. | IT Risk Identification |
| 3. | Risk breakdown structure | A risk breakdown structure is a chart that allows you to identify all your project risks and categorize them. | IT Risk Identification |
| 4. | Risk categories | There are many risk categories that can impact a project such as a schedule, budget, technical and external risks. | IT Risk Identification |
| 5. | Risk analysis | The purpose of risk analysis is to determine the probability and impact of a risk. You can either do a qualitative risk analysis or a quantitative risk analysis. | IT Risk Assessment |
| 6. | Risk probability | You’ll need to estimate the likelihood of each risk and assign a qualitative or quantitative value. | IT Risk Assessment |
| 7. | Risk priority | The risk priority is determined by assigning a risk score to each risk, which is obtained by multiplying the risk impact and probability values. If you’re using qualitative measurements, you’ll need to prioritize risks with the highest impact and highest probability. | IT Risk Assessment |
| 8. | Risk response | Each risk needs a risk response to mitigate its effect on your project. Those risk responses are also documented in a risk response plan. | Risk Response and Mitigation |
| 9. | Risk Ownership | Each risk needs to be assigned to a team member who becomes a risk owner. The risk owner is responsible for deploying the appropriate response and supervising it. | Risk Response and Mitigation |
Src:
- https://www.projectmanager.com/blog/guide-using-risk-register
- https://www.logicgate.com/blog/simple-steps-for-setting-up-a-project-risk-register/#:~:text=You'll%20notice%20that%20the,(4)%20solutions%20and%20monitoring.
| Parameter | Descriptions |
|---|---|
| Risk Capacity | Maximum risk an organization can afford to take. |
| Risk Tolerance | Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. |
| Risk Appetite | Amount of risk an organization is willing to take. |
Src: http://www.criscexamstudy.com/2020/10/11-risk-capacity-risk-appetite-and-risk.html
- Mitigate
- Avoid
- Transfer
- Accept