Analyzing Risk: CompTIA Security - morgan-hanrahan/Tech-Journal GitHub Wiki

Risk Identification

Requires identifying the threats and vulnerabilities that exist in the organization's operating environment.

  • External risks
    • Originate from a source outside the organization.
    • Broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters.
  • Internal risks
    • Originate from within the organization
    • Includes malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
  • Multiparty risks
    • Impact more than one organization
  • Legacy systems
    • A unique type of risk to the organization
    • Often no longer receive security updates, so cybersecurity professionals must take extra measures to protect them against unpatchable vulnerabilities
  • Intellectual Property (IP) Theft risks
    • Occur when a company possesses trade secrets or other proprietary information whose theft or disclosure would compromise the organization's business advantage
  • Software compliance/licensing risks
    • Occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk

Risk Calculation

  • Any risk can be evaluated using two factors
    • The likelihood of occurrence
    • The magnitude of the impact

Risk Severity = Likelihood * Impact

Risk Analysis

  • Inherent risk
    • Original level of risk that exists before implementing any controls
  • Residual risk
    • Remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk
  • Risk appetite
    • Level of risk that an organization is willing to accept as a cost of doing business

Organizations can implement these concepts only if they have a high degree of risk awareness.

Disaster Recovery Planning

The discipline of developing preparations to resume activities as soon as possible after a catastrophe.

  • Produces a formal, broad disaster recovery plan for the organization, as well as specialized functional recovery plans for important business processes as needed.

Business Impact Analysis

A formal procedure for identifying an organization's mission-critical functions and the vital systems that support those functions.

  • There are four key metrics used in the BIA process
    • The Mean Time Between Failures (MTBF): average time a system runs between one failure and the next; a measure of the system's reliability.
    • The Mean Time to Repair (MTTR): average amount of time needed to restore a system to its normal operating state after a failure.
    • The Recovery Time Objective (RTO): maximum amount of time that the organization can tolerate a system being down before it is restored.
    • The Recovery Point Objective (RPO): maximum amount of data loss, expressed as the period of time since the last good backup, that the organization can tolerate during an outage.
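The example below is added here and is not part of the original wiki page. It computes MTBF and MTTR from a constructed outage log for one hypothetical system and then checks each outage against hypothetical RTO and RPO targets (4 hours and 2 hours), which shows how the four metrics relate in practice: MTTR is what the system actually achieved, RTO is what the business can tolerate, and the RPO check compares the time since the last good backup with the loss the business can accept. The availability figure MTBF / (MTBF + MTTR) is a standard relation that the page does not mention; all dates, times and targets are made up.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample outage log (not real data) for a single system.
# Each entry: (failure time, restore time, time of the last good backup before the failure)
OUTAGES = [
    ("2024-01-03 02:15", "2024-01-03 03:05", "2024-01-03 00:00"),
    ("2024-02-10 14:40", "2024-02-10 19:10", "2024-02-10 12:00"),
    ("2024-03-22 09:00", "2024-03-22 09:45", "2024-03-22 08:30"),
]


def parse(log):
    """Convert the string log into (failed_at, restored_at, last_backup) datetimes, in order."""
    return sorted(
        (datetime.strptime(f, FMT), datetime.strptime(r, FMT), datetime.strptime(b, FMT))
        for f, r, b in log
    )


def mttr(log):
    """Mean Time To Repair: average downtime (restore - failure) over all outages."""
    recs = parse(log)
    total = sum((r - f for f, r, _ in recs), timedelta())
    return total / len(recs)


def mtbf(log):
    """Mean Time Between Failures: average uptime from the end of one outage to the
    start of the next. Needs at least two outages to produce a single uptime interval."""
    recs = parse(log)
    if len(recs) < 2:
        raise ValueError("MTBF needs at least two recorded failures")
    gaps = [recs[i + 1][0] - recs[i][1] for i in range(len(recs) - 1)]
    return sum(gaps, timedelta()) / len(gaps)


def availability(log):
    """Steady-state availability, MTBF / (MTBF + MTTR); standard relation, not from the page."""
    m, r = mtbf(log), mttr(log)
    return m / (m + r)


def check_objectives(log, rto_hours, rpo_hours):
    """Compare every outage with the RTO (tolerable downtime) and RPO (tolerable data-loss window).
    The data-loss window is the time between the last good backup and the failure, because
    anything written after that backup is gone unless the system can be rolled forward."""
    rto, rpo = timedelta(hours=rto_hours), timedelta(hours=rpo_hours)
    results = []
    for failed_at, restored_at, last_backup in parse(log):
        downtime = restored_at - failed_at
        data_loss_window = failed_at - last_backup
        results.append({
            "failed_at": failed_at.strftime(FMT),
            "downtime": downtime,
            "rto_met": downtime <= rto,
            "data_loss_window": data_loss_window,
            "rpo_met": data_loss_window <= rpo,
        })
    return results


if __name__ == "__main__":
    print(f"MTTR: {mttr(OUTAGES)}")
    print(f"MTBF: {mtbf(OUTAGES)}")
    print(f"Availability: {availability(OUTAGES):.5f}")
    # Hypothetical business targets: RTO 4 h, RPO 2 h
    for row in check_objectives(OUTAGES, rto_hours=4, rpo_hours=2):
        print(row)
```

Two of the three constructed outages breach the 2-hour RPO even though only one breaches the 4-hour RTO, which is the usual way a BIA surfaces a backup-frequency problem separately from a repair-speed problem: the fix for a missed RTO is faster recovery procedures or redundancy, while the fix for a missed RPO is more frequent backups or replication.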