IT:AD:Risk

Summary

Discussing Risk is essentially incomplete – potentially meaningless/unactionable – without including in the conversation the following:

  • the likelihood of it occurring
  • the impact of it happening without any controls
  • controls in place to minimize the chance of it happening
  • controls in place to minimize the impact if it does happen

There are two categories of risk that have to be woven into the above:

  • Inherent (or gross) risk is the level of risk if all the measures and controls were failing.
  • Residual (or net) risk is the level of risk with all the measures and controls in place.

Finally, there are the broad concepts of Risk Assessment, Risk Avoidance and Risk Management (of the risk occurring), which can be subcategorised as:

  • Risk Assessment (assess the likelihood, impact and controls)
  • Risk Avoidance (ensuring it does not happen)
  • Risk Reduction
  • Risk Control
  • Risk Sharing
  • Risk Transfer
  • Risk Acceptance (cost in the outcome)

Likelihood/Impact Grid (score = likelihood x impact):

  Likelihood \ Impact   1.Trivial   2.Trivial   3.Significant   4.Major   5.Disaster
  5.V.Likely                5          10            15            20         25
  4.Likely                  4           8            12            16         20
  3.Possible                3           6             9            12         15
  2.Low Likely              2           4             6             8         10
  1.Unlikely                1           2             3             4          5

Sign Off (by score):

  Score      1+        5+        15+
  Sign Off   BO+CSO    BO+CSO    CIO
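The grid above is a formula rather than just a table: score = likelihood x impact, scored once with every control treated as failing (inherent/gross risk) and once with the effective controls applied (residual/net risk), and the score then decides who signs off. The following is an added example, not code from the original notes: it implements that scoring in Python. The 1..5 scales, the thresholds and the sign-off roles come from the grid; the Control/Risk classes, the idea of a control removing whole steps from likelihood or impact, and the sample "stolen laptop" risk are my own assumptions for illustration.

```python
# Added example: scoring a risk against the likelihood/impact grid.
# Scales, thresholds and sign-off roles are taken from the grid above;
# the classes, function names and sample risk are hypothetical.
from dataclasses import dataclass, field

LIKELIHOOD = {1: "Unlikely", 2: "Low Likely", 3: "Possible", 4: "Likely", 5: "V.Likely"}
IMPACT = {1: "Trivial", 2: "Trivial", 3: "Significant", 4: "Major", 5: "Disaster"}

# Lowest score at which each approver is required, checked highest first.
SIGN_OFF = [(15, "CIO"), (5, "BO+CSO"), (1, "BO+CSO")]


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # likelihood steps removed when the control works
    impact_reduction: int = 0      # impact steps removed when the control works
    effective: bool = True         # False models a failing control


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1..5 with no controls in place
    impact: int                     # 1..5 with no controls in place
    controls: list = field(default_factory=list)


def _check_scale(value, axis):
    if value not in range(1, 6):
        raise ValueError(f"{axis} must be 1..5, got {value}")
    return value


def score(likelihood, impact):
    """Grid cell value for a likelihood/impact pair."""
    return _check_scale(likelihood, "likelihood") * _check_scale(impact, "impact")


def inherent_score(risk):
    """Gross risk: every control treated as failing."""
    return score(risk.likelihood, risk.impact)


def residual_score(risk):
    """Net risk: effective controls lower likelihood and/or impact, floored at 1."""
    working = [c for c in risk.controls if c.effective]
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in working)
    impact = risk.impact - sum(c.impact_reduction for c in working)
    return score(max(1, likelihood), max(1, impact))


def sign_off(score_value):
    """Approver required for a given score, per the Sign Off row."""
    for threshold, role in SIGN_OFF:
        if score_value >= threshold:
            return role
    raise ValueError(f"score {score_value} is below the grid minimum")


def assess(risk):
    """Inherent and residual scores with the sign-off each one requires."""
    inherent, residual = inherent_score(risk), residual_score(risk)
    return {
        "inherent": inherent,
        "inherent_sign_off": sign_off(inherent),
        "residual": residual,
        "residual_sign_off": sign_off(residual),
    }


# Constructed sample risk: lost or stolen laptop holding customer data.
LAPTOP = Risk(
    "Lost/stolen laptop with customer data",
    likelihood=4, impact=4,
    controls=[
        Control("Full-disk encryption", impact_reduction=2),
        Control("MDM remote wipe", impact_reduction=1),
        Control("Staff awareness training", likelihood_reduction=1),
    ],
)

if __name__ == "__main__":
    for label, value in assess(LAPTOP).items():
        print(f"{label:>18}: {value}")
```

Running the sample scores the laptop risk at 16 inherent (CIO sign-off) and 3 residual (BO+CSO). Flipping `effective=False` on the encryption control pushes the residual score back to 9, which is the practical use of the inherent/residual split: it shows which single control failure moves a risk across a sign-off threshold.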

PlantUML Graph

Notorious Nine

  • Data Breach
  • Data Loss
  • Account/Service Hijacking
  • Insecure Interfaces
  • Malicious Insiders
  • Shared Technology Vulnerabilities
  • Insufficient Due Diligence
  • Insufficient Identity/Credential & Access Management
  • System Vulnerabilities
  • Advanced Persistent Threats
  • Abuse and Nefarious Use of Cloud Services

PlantUML Graph

Data Lifecycle

  • Create
  • Store
  • Use
  • Share
  • Archive
  • Destroy

Information/Data Governance

  • Information Classification (What?)
  • Information Management Policies (How?)
  • Location and Jurisdictional Policies (Where?)
  • Authorisation (Who?)
  • Custodianship (Custody?)

SLA

  • Escalation Process
  • RTO/RPO
  • Penalty Clauses
  • Right to Audit
  • Loss of Integrity

Continuous Optimisation

  • Audit Logging
  • Refine the Rules
  • Reduce False Positives (in order to see what are genuine security breaches).
  • Contract Maintenance
  • Secure Disposal (of Data at the end of the Data LifeCycle)
  • Legal Preparation
    • Forensic
    • Chain of Custody
    • Presentation of Data for Legal/court requirements

Chain of Custody

  • Collection
  • Possession
  • Condition
  • Location
  • Transfer
  • Access
  • Analysis Performed

Non-Repudiation

  • Confirm Data Authenticity
  • Digital Signatures
  • Hashing
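The Chain of Custody and Non-Repudiation lists above go together: custody records are only useful to a court if it can be shown they were not altered after the fact, and hashing is the tool that makes that tamper-evident. The following is an added example, not code from the original notes: each custody entry carries the seven fields listed under Chain of Custody plus a SHA-256 of the evidence itself, and every entry's hash covers the previous entry's hash, so editing any earlier record breaks verification of everything after it. The field names, functions and sample entries are my own assumptions.

```python
# Added example: a hash-chained chain-of-custody log (hypothetical design).
# Fields follow the "Chain of Custody" list above; the evidence fingerprint,
# the chaining scheme and the sample entries are constructed for illustration.
import hashlib
import json

FIELDS = ("collection", "possession", "condition", "location",
          "transfer", "access", "analysis_performed")
GENESIS = "0" * 64  # prev_hash of the first entry


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence bytes, recorded so custody binds to content."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict, prev_hash: str) -> str:
    """Hash over the entry's recorded fields and the previous entry's hash."""
    recorded = {k: entry[k] for k in FIELDS + ("evidence_sha256",)}
    payload = json.dumps(recorded, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append_entry(log: list, evidence_sha256: str, **fields) -> dict:
    """Append one custody event; every field in FIELDS must be supplied."""
    missing = set(FIELDS) - fields.keys()
    extra = fields.keys() - set(FIELDS)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {k: fields[k] for k in FIELDS}
    entry["evidence_sha256"] = evidence_sha256
    entry["prev_hash"] = prev
    entry["hash"] = entry_hash(entry, prev)
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for idx, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry_hash(entry, prev) != entry["hash"]:
            return idx
        prev = entry["hash"]
    return None


# Constructed evidence and custody events (not real case data).
EVIDENCE = b"disk image of workstation WS-042 (constructed sample bytes)"


def build_sample_log() -> list:
    log = []
    digest = fingerprint(EVIDENCE)
    append_entry(log, digest,
                 collection="2024-01-10T09:15Z imaged by analyst A",
                 possession="analyst A", condition="sealed evidence bag, intact",
                 location="lab safe 3", transfer="n/a", access="analyst A",
                 analysis_performed="none")
    append_entry(log, digest,
                 collection="2024-01-10T09:15Z imaged by analyst A",
                 possession="analyst B", condition="seal intact on receipt",
                 location="forensic workstation 1", transfer="A -> B, signed",
                 access="analyst B", analysis_performed="read-only timeline build")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample) is None)
    sample[0]["location"] = "unknown"   # simulate a later edit to an old record
    print("first bad entry after tampering:", verify_chain(sample))
```

Two caveats a practitioner would add. Hash chaining proves the log was not changed after the hashes were recorded, so the head hash must be kept somewhere the record keeper cannot silently rewrite (a separate append-only store, or printed and countersigned). And integrity is not non-repudiation: to prove that analyst B, and nobody else, accepted the transfer, the entry must be digitally signed with a key only B holds; that step is not shown because the standard library has no asymmetric signing.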

PEST-LER

Governance and Enterprise Risk

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environment
  • Regulatory

STRIDE

HARDEN PHYSICAL/VIRTUAL HARDWARE

  • Build|Configure|Harden|Patch|Lockdown