Risk Management Overview
Risk management is:
- A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss.
- A process to ensure that loss events are either avoided or their impact is kept within acceptable limits at acceptable cost.
Risk Management Objective
- Manage risks so that they do not have an adverse material impact on business processes.
- Risk is inherent to all business activities.
Risk Management Challenges
There is a high potential for misuse and misunderstanding of key terms:
- Risk
- Threats
- Vulnerabilities
There are many different approaches and techniques:
- Qualitative
- Quantitative - ALE (annualized loss expectancy)/VAR --> Value at risk
- Semi-qualitative
Need to operate at multiple levels within the organization:
- Strategic level
- Operational level
- Project level
Risk Model
- All activities have an inherent risk
- Risk has a:
o Likelihood/probability of occurrence
o Consequence/business impact
Outcomes of Risk Management
Informed decision making based on understanding of:
- Organization's threat, vulnerability and risk profile
- Risk exposure and potential consequences of compromise
Results in:
- An organizational risk mitigation strategy sufficient to achieve acceptable consequences.
- Organizational acceptance/deference based on an understanding of potential consequences of residual risk.
- Measurable evidence that risk management resources are used in an appropriate and cost-effective manner.
Risk Management Strategy
A risk management strategy:
- Is an integrated business process.
- Has defined objectives.
- Incorporates all of the risk management processes, activities, methodologies and policies adopted and carried out in an organization.
Developing a Risk Management Program
Developing the program requirements: (the steps for carrying out RM)
- Establish Context and Purpose
- Define Scope and Charter (who has which role, and what the impact is)
- Define Authority, Structure and Reporting
- Ensure Asset Identification, Classification and Ownership (the person ultimately responsible for that asset)
- Determine Objectives
- Determine Methodologies
- Designate Program Development Team
Role and Responsibilities
- Information security risk management is an integral part of security governance:
o It is the responsibility of the board of directors or the equivalent to ensure that these efforts are effective.
- Management must be involved in and sign off on acceptable risk levels and risk management objectives.
- A steering committee must:
o Set risk management priorities.
o Define risk management objectives in terms of supporting business strategy.
- The ISM is responsible for developing, collaborating and managing the information security risk management program to meet the defined objectives.
Concepts
Key information security risk management concepts include:
- Threats
- Vulnerabilities
- Exposures
- Risk
- Impacts
- Controls
- Countermeasures
- Resource valuation (people, things)
- Information asset classification
- Criticality
- Sensitivity
- Recovery Time Objectives (RTOs) -> time allowed to recover the system
- Recovery Point Objectives (RPOs) -> amount of data loss (measured as a time window) that can be tolerated
- Service Delivery Objectives (SDOs) -> the number of services to be covered by DR
- Acceptable Interruption Window (AIW) -> how long the system is allowed to be down
Other risk management functions related to information security can include:
- Service level agreements (SLAs)
- System robustness and resilience
- Business continuity/disaster recovery
- Business process reengineering
- Project management timelines and complexity
- Enterprise and security architectures
- IT and information security governance
- Systems life cycle management
- Policies, standards and procedures
Risk Management Process
Risk management usually consists of the following processes:
- Establish scope and boundaries
- Risk assessment
- Risk treatment
- Acceptance of residual risk ----> implement controls to mitigate risk
- Risk communication and monitoring
Defining a Risk Management Framework
Risk management frameworks should have similar risk management requirements, including:
- Policy
- Planning and resourcing
- Implementation program
- Management review
- Risk management process
- Risk management documentation
Developing a Risk Profile
A risk profile is essential for effective risk management.
- COBIT 5 approach --> referenced
- Risk register --> kept as a table or a database
Risk Assessment
Numerous risk management models are available including
- COBIT
- OCTAVE
- NIST 800-39
- HB 158-2010
- ISO/IEC 31000 ---> ISMS recommendation
- ITIL
- CRAMM
Identification of Risks
In selecting a risk identification methodology, the following techniques should be considered:
- Team-based brainstorming where workshops can prove effective in building commitment and making use of different experiences.
- Structured techniques such as flow charting, system design review, systems analysis, hazard and operability studies, and operational modeling.
- "What-if" and scenario analysis for less clearly defined situations, such as the identification of strategic risks and processes with a more general structure.
Threats
Threats are usually categorized as:
- Natural -- Flood, fire, cyclones, rain/hail, plagues and earthquakes
- Unintentional -- Fire, water, building damage/collapse, loss of utility services and equipment failure
- Intentional physical -- Bombs, fire, water and theft
- Intentional nonphysical -- Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing attacks and denial-of-service attacks
Risk Treatment Options
- Terminate the activity:
o This is exactly what it says -- the activity giving rise to risk is changed or terminated to eliminate the risk
- Transfer the risk:
o Risk may be reduced to acceptable levels by transferring it to another entity (e.g., an insurance company)
o Risk may also be transferred by contract to a service provider or other entity
o The cost of mitigating risk must not exceed the value of the asset
- Mitigate the risk:
o Controls and countermeasures are used
- Tolerate/accept the risk:
o Sometimes an identified defined risk may be accepted when the cost of mitigating the risk is too high compared to the value of the asset
o Accepted risk should be reviewed regularly
Residual Risk
Is the amount of risk that remains after countermeasures and controls have been implemented.
Impact
Impacts are determined by performing a business impact assessment (BIA) and subsequent analysis:
- The BIA helps prioritize risk management.
- When coupled with asset valuations, the BIA provides the basis for the level and types of protection required and the basis for developing a business case for controls.
Costs and Benefits
When considering costs, the total cost of ownership (TCO) must be considered for the full life cycle of the control or countermeasure. This can include such elements as:
- Acquisition costs
- Deployment and implementation costs
- Recurring maintenance costs
- Testing and assessment costs
- Compliance monitoring and enforcement
- Inconvenience to users
- Reduced throughput of controlled processes
- Training in new procedures or technologies as applicable
- End of life decommissioning
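The quantitative approach (ALE/VAR), the residual-risk definition and the TCO list above can be tied together in a short calculation. The following is an added example, not part of the original notes: it uses the standard ALE formula (SLE = asset value x exposure factor, ALE = SLE x ARO), sums the control's life-cycle cost elements into a TCO, and compares the annualized control cost against the risk reduction the control buys. All asset values, rates and costs are constructed sample figures; the `Scenario`/`Control` names and the multiplicative way a control reduces rate or impact are assumptions made for the illustration.

```python
"""Quantitative risk comparison: annualized loss expectancy (ALE) versus the
total cost of ownership (TCO) of a proposed control over its life cycle.

Added example for these notes. Every figure below is a constructed sample
value, not data from the notes.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    """One threat/asset pairing evaluated with the standard ALE formula."""
    name: str
    asset_value: float        # value of the asset at risk (currency units)
    exposure_factor: float    # fraction of the asset lost per event (0..1)
    annual_rate: float        # expected events per year (ARO)

    def sle(self) -> float:
        # Single loss expectancy: loss from one occurrence.
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy: SLE x ARO.
        return self.sle() * self.annual_rate


@dataclass
class Control:
    """A countermeasure and its life-cycle cost elements (the TCO list above)."""
    name: str
    lifetime_years: int
    acquisition: float = 0.0
    deployment: float = 0.0
    annual_maintenance: float = 0.0
    annual_testing: float = 0.0
    training: float = 0.0
    decommissioning: float = 0.0
    # Assumption for this example: a control scales down the event rate
    # and/or the per-event loss by a fixed fraction.
    rate_reduction: float = 0.0
    impact_reduction: float = 0.0

    def tco(self) -> float:
        # One-off costs plus recurring costs over the whole life cycle.
        one_off = self.acquisition + self.deployment + self.training + self.decommissioning
        recurring = (self.annual_maintenance + self.annual_testing) * self.lifetime_years
        return one_off + recurring

    def annualized_cost(self) -> float:
        return self.tco() / self.lifetime_years

    def apply(self, s: Scenario) -> Scenario:
        """Residual scenario: what remains after the control is in place."""
        return Scenario(
            name=f"{s.name} (with {self.name})",
            asset_value=s.asset_value,
            exposure_factor=s.exposure_factor * (1 - self.impact_reduction),
            annual_rate=s.annual_rate * (1 - self.rate_reduction),
        )


def evaluate(s: Scenario, c: Control) -> dict:
    """Compare inherent ALE, residual ALE and annualized control cost."""
    residual = c.apply(s)
    risk_reduction = s.ale() - residual.ale()
    return {
        "inherent_ale": s.ale(),
        "residual_ale": residual.ale(),
        "annual_risk_reduction": risk_reduction,
        "annualized_control_cost": c.annualized_cost(),
        "net_annual_benefit": risk_reduction - c.annualized_cost(),
        # Mitigate when the control costs less than the risk it removes;
        # otherwise the notes' "tolerate/accept" option applies.
        "worth_implementing": risk_reduction > c.annualized_cost(),
    }


# Constructed sample figures (hypothetical, for illustration only).
RANSOMWARE = Scenario("file server ransomware", asset_value=500_000,
                      exposure_factor=0.4, annual_rate=0.5)
BACKUPS = Control("offline backups", lifetime_years=5, acquisition=20_000,
                  deployment=5_000, annual_maintenance=4_000, annual_testing=2_000,
                  training=3_000, decommissioning=1_000, impact_reduction=0.8)
GOLD_PLATED = Control("gold-plated appliance", lifetime_years=5,
                      acquisition=400_000, annual_maintenance=40_000,
                      rate_reduction=0.9)

if __name__ == "__main__":
    for ctl in (BACKUPS, GOLD_PLATED):
        result = evaluate(RANSOMWARE, ctl)
        print(ctl.name, {k: round(v, 2) if isinstance(v, float) else v
                         for k, v in result.items()})
```

With these sample numbers the inherent ALE is 100,000 per year. The backup control removes 80,000 of it for an annualized cost of 11,800, so it is worth implementing; the appliance removes 90,000 but costs 120,000 per year, which is the case the notes describe under "tolerate/accept the risk": the cost of mitigation exceeds the loss it prevents.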
Third-party Service Providers
Key clauses that should be part of an SLA must include, but are not restricted to:
- Right to audit the vendor's books of accounts and premises
- Right to review their processes
- Insistence on standard operating procedures (SOPs)
- Right to assess the skill sets of the vendor resources
- Advance information if the resources deployed are to be changed
==============================================================
Practice Question 2-1
The overall objective of risk management is to:
a. eliminate all vulnerabilities, if possible.
b. determine the best way to transfer risk.
c. manage risks to an acceptable level.
d. implement effective countermeasures.
Practice Question 2-2
The information security manager should treat regulatory compliance as:
a. an organizational mandate.
b. a risk management priority
c. a purely operational issue.
d. just another risk to be treated.
Practice Question 2-3
To address changes in risk, an effective risk management program should:
a. ensure that continuous monitoring processes are in place.
b. establish proper security baselines for all information resources.
c. implement a complete data classification process.
d. change security policies on a timely basis to address changing risks.
Practice Question 2-4
Information classification is important to properly manage risk PRIMARILY because:
a. it ensures accountability for information resources as required by roles and responsibilities.
b. it has a legal requirement under various regulations.
c. there is no other way to meet the requirements for availability, integrity and auditability.
d. it is used to identify the sensitivity and criticality of information to the organization.
Practice Question 2-5
Vulnerabilities discovered during an assessment should be:
a. handled as a risk even though there is no threat.
b. prioritized for remediation solely based on impact.
c. a basis for analyzing the effectiveness of controls.
d. evaluated for threat, impact and cost of mitigation.
Practice Question 2-6
Indemnity agreements (SLA) can be used to:
a. ensure an agreed-upon level of service.
b. reduce impacts on organizational resources.
c. transfer responsibility to a third party.
d. provide an effective countermeasure to threats.
Practice Question 2-7
Residual risk can be determined by:
a. assessing remaining vulnerabilities
b. performing a threat analysis
c. conducting a risk assessment
d. implementing a risk transfer
Practice Question 2-8
Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?
a. Platform security
b. Entitlement changes -> the custodian is responsible for this
c. Intrusion detection
d. Antivirus controls
Practice Question 2-9
A risk analysis should:
a. limit the scope to a benchmark of similar companies.
b. assume an equal degree of protection for all assets.
c. address the potential size and likelihood of loss.
d. give more weight to the likelihood vs. the size of loss.
Practice Question 2-10
Which of the following is the FIRST step in selecting the appropriate controls to be implemented in a new business application?
a. Business impact analysis (BIA)
b. Cost-benefit analysis
c. Return on investment (ROI) analysis
d. Risk assessment