Risk Management Processes: CompTIA Security - morgan-hanrahan/Tech-Journal GitHub Wiki

Risk Assessments involve four main phases:

  • Asset Identification: Identify and quantify the company's assets
  • Risk Analysis: Determine possible security vulnerabilities and threats
  • Determine risk likelihood and impact: Rate your various risks according to how likely they are to occur and their impact
  • Identify cost of solutions: Identify a cost-effective solution to protect assets

Asset Identification

Identifying and calculating asset value for both types of assets.

  • Asset valuations must go beyond simple capital costs and take into account the following factors:
    • The cost to repair the asset versus replacing the asset outright
    • The depreciation of the asset over time
    • The amount of revenue generated by the asset
    • The value of the asset to a competitor
    • The exposure factor (percentage of the asset that could be lost during an event)
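The two lists above (the four assessment phases and the valuation factors) can be tied together with the standard quantitative risk formulas used in Security+ material, SLE = AV × EF and ALE = SLE × ARO, which the notes do not spell out. The following is an added worked example, not code from the wiki; the `Asset.value()` model, the file-server figures and the threat EF/ARO pairs are constructed assumptions chosen to exercise each listed factor.

```python
from dataclasses import dataclass

# Added illustration: standard quantitative risk formulas SLE = AV * EF, ALE = SLE * ARO.
# The valuation in Asset.value() is an assumed model that exercises the factors listed above.
@dataclass
class Asset:
    name: str
    replacement_cost: float   # cost to replace the asset outright
    repair_cost: float        # cost to repair it after a typical event
    annual_revenue: float     # revenue the asset generates per year
    competitor_value: float   # what the asset would be worth to a competitor
    age_years: float
    useful_life_years: float

    def value(self) -> float:
        """AV: straight-line depreciated replacement cost, never below the cheaper of
        repair-or-replace, plus the revenue and competitive value at stake."""
        depreciated = self.replacement_cost * max(0.0, 1 - self.age_years / self.useful_life_years)
        recovery = min(self.repair_cost, self.replacement_cost)
        return max(depreciated, recovery) + self.annual_revenue + self.competitor_value

def sle(asset: Asset, exposure_factor: float) -> float:
    """Single loss expectancy: the fraction of AV lost in one event (0.0 <= EF <= 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value() * exposure_factor

def ale(asset: Asset, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE scaled by the expected events per year (ARO)."""
    return sle(asset, exposure_factor) * aro

def rank_risks(asset: Asset, threats: dict) -> list:
    """Rate risks by likelihood (ARO) and impact (EF): highest ALE first."""
    return sorted(((name, ale(asset, ef, aro)) for name, (ef, aro) in threats.items()),
                  key=lambda item: item[1], reverse=True)

def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a safeguard; a positive result means it is cost-effective."""
    return ale_before - ale_after - annual_control_cost

# Constructed sample data: one file server and three threats as (EF, ARO) pairs.
FILE_SERVER = Asset("file-server", 20000, 5000, 30000, 10000, age_years=2, useful_life_years=5)
THREATS = {"ransomware": (0.60, 0.5), "disk failure": (0.25, 1.0), "flood": (1.0, 0.05)}

if __name__ == "__main__":
    for name, loss in rank_risks(FILE_SERVER, THREATS):
        print(f"{name:13s} ALE = {loss:10.2f}")
    before = ale(FILE_SERVER, *THREATS["ransomware"])
    after = ale(FILE_SERVER, 0.15, 0.5)  # assumed: offline backups cut ransomware EF to 0.15
    print("net value of $4,000/yr backup control:", control_value(before, after, 4000))
```

With the sample figures the asset value is 52,000, ransomware ranks highest at an ALE of 15,600, and the assumed backup control nets 7,700 per year, so it passes the "cost-effective solution" test from the fourth phase.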

Business Continuity Plan

  • To create a business continuity plan, include the following phases:
  1. Creating a disaster recovery team
  2. Performing a risk analysis
  3. Performing a business impact analysis
  4. Creating a disaster recovery plan
  5. Preparing documentation
  6. Testing the plan
  7. After-action reporting

Documentation

Each phase of your organization's disaster recovery plans should be meticulously recorded and securely stored in both hard copy and electronic (soft) copy.

  • The disaster recovery plan should be accurate and detailed enough that anyone can follow the instructions without further explanation.
  • The DRP documentation should include:
    • Notification list: A list of people and businesses to notify in case of a disaster
    • Contact information: Phone numbers and contact information for employees, vendors, data recovery agencies, and offsite facilities.
    • Networking and facilities diagrams: Blueprints and diagrams of all networking and facilities infrastructure so they can be re-created at the new site.
    • Systems configurations: Configuration information for all servers, applications, and networking equipment.
    • Backup restoration procedures: Step-by-step information on how to restore data from the backup media.
    • Location of backup and licensing media: To reinstall the servers, you will need the operating system software, the appropriate keys, and the backup media.