
IT:AD:Risk

Summary

Discussing Risk is essentially incomplete (potentially meaningless or unactionable) without including the following in the conversation:
* the likelihood of it occurring
* the impact of it happening without any controls
* controls in place to minimise the chance of it happening
* controls in place to limit the impact if it does happen

There are two categories of risk that have to be woven into the above:
* Inherent (or gross) risk is the level of risk if all the measures and controls were failing (or absent).
* Residual (or net) risk is the level of risk with all the measures and controls in place.

Finally, there are the broad concepts of Risk Assessment, Risk Avoidance and Risk Management, which can be subcategorised as:
* Risk Assessment (assess the likelihood, impact and controls)
* Risk Avoidance (ensuring it does not happen)
* Risk Reduction
* Risk Control
* Risk Sharing
* Risk Transfer
* Risk Acceptance (accept the cost of the outcome)

Likelihood/Impact Grid:

Score = Likelihood (1-5) x Impact (1-5). Rows are likelihood, columns are impact.

^ Likelihood \ Impact ^ 1. Trivial ^ 2. Trivial ^ 3. Significant ^ 4. Major ^ 5. Disaster ^
^ 5. Very Likely | @yellow: 5 | @yellow: 10 | @red: 15 | @red: 20 | @red: 25 |
^ 4. Likely | @green: 4 | @yellow: 8 | @yellow: 12 | @red: 16 | @red: 20 |
^ 3. Possible | @green: 3 | @green: 6 | @yellow: 9 | @yellow: 12 | @red: 15 |
^ 2. Low Likelihood | @green: 2 | @green: 4 | @green: 6 | @yellow: 8 | @yellow: 10 |
^ 1. Unlikely | @green: 1 | @green: 2 | @green: 3 | @green: 4 | @yellow: 5 |

Score bands and who must sign off the risk:

^ Band ^ Score ^ Sign Off ^
| @green: Green | 1+ | BO+CSO |
| @yellow: Yellow | 5+ | BO+CSO |
| @red: Red | 15+ | CIO |

Note that the colouring in the grid is a per-cell judgement rather than a pure function of the score: 5 (5x1 and 1x5) is yellow while 6 (3x2 and 2x3) is green, so when a tool is used to compute the band, the grid cell, not the product alone, should be the source of truth.


!includeurl http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

Cloud -UP- Risk
Cloud -RIGHT- Compliance
Cloud -DOWN- Privacy
Cloud -LEFT- Ecosystem

* Data Breach
* Data Loss
* Account/Service Hijacking
* Insecure Interfaces
* IT:AD:DoS
* Malicious Insiders
* Shared Technology Vulnerabilities
* Insufficient Due Diligence
* Insufficient Identity/Credential & Access Management
* System Vulnerabilities
* Advanced Persistent Threats
* Abuse and Nefarious Use of Cloud Services


!includeurl http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

class "Data Breaches"
class "Data Loss"
class "Account/Traffic Hijacking"
class "Insecure Interfaces"
class "Infrastructure or Economic DoS"
class "Malicious Insiders"
class "Shared Technology Vulnerabilities"
class "Insufficient Due Diligence"
class "Insufficient Credential/Access Management"
class "System Vulnerabilities"
class "Advanced Persistent Threat"
class "Mass use of Cloud Infrastructure Service for Nef"

Data Lifecycle:
* Create
* Store
* Use
* Share
* Archive
* Destroy

* Information Classification (What?)
* Information Management Policies (How?)
* Location and Jurisdictional Policies (Where?)
* Authorisation (Who?)
* Custodianship (Custody?)

* Escalation Process
* RTO/RPO
* Penalty Clauses
* Right to Audit
* Loss of Integrity

  • Audit Logging
  • Refine the Rules
  • Reduce False Positives (in order to see what are genuine security breaches).
  • Contract Maintenance
  • Secure Disposal (of Data at the end of the Data LifeCycle)
  • Legal Preparation
    • Forensic
    • Chain of Custody
    • Presentation of Data for Legal/court requirements

Chain of Custody (record for each item of evidence):
* Collection
* Possession
* Condition
* Location
* Transfer
* Access
* Analysis Performed

Confirm Data Authenticity:
* Digital Signatures
* Hashing
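As an added example (not code from the original page), the following Python shows how the chain-of-custody events above and the two authenticity mechanisms (hashing and signing) fit together: each custody event is logged with the SHA-256 of the evidence as it stood at that moment, linked to the previous entry by its tag, and authenticated under the custodian's key. The evidence bytes and custodian keys are constructed for the example, and HMAC-SHA256 is an assumption standing in for a real digital signature so the example runs on the standard library alone; in production each custodian would sign with a private key so that entries are non-repudiable.

```python
"""Chain-of-custody log for a piece of digital evidence (added example).

Each custody event is stored with the evidence hash, a link to the previous
entry's tag, and an authentication tag under the custodian's key.  Tampering
with the evidence, editing an entry, or dropping an entry is detected on
verification.  HMAC-SHA256 stands in for a digital signature here
(assumption: stdlib only); use asymmetric signatures in production.
"""
import hashlib
import hmac
import json

# Constructed sample evidence (stands in for a disk image or log export).
EVIDENCE = b"2024-05-01T10:00:00Z host=web01 user=svc_backup action=login status=ok\n"

# Constructed custodian keys (assumption: provisioned out of band, one per person).
CUSTODIAN_KEYS = {
    "alice": b"alice-key-0001",
    "bob": b"bob-key-0002",
}

GENESIS_TAG = "0" * 64  # prev_tag of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so the tag covers exactly the recorded fields.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, custodian: str, event: str, detail: str, evidence: bytes) -> dict:
    """Record one custody event (Collection, Transfer, Analysis Performed, ...)."""
    body = {
        "seq": len(log),
        "custodian": custodian,
        "event": event,
        "detail": detail,
        "evidence_sha256": sha256_hex(evidence),
        "prev_tag": log[-1]["tag"] if log else GENESIS_TAG,
    }
    tag = hmac.new(CUSTODIAN_KEYS[custodian], _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> tuple:
    """Return (ok, reason).  Checks sequence, chain link, tag and evidence hash."""
    expected_prev = GENESIS_TAG
    current = sha256_hex(evidence)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap (entry removed or reordered)"
        if body["prev_tag"] != expected_prev:
            return False, f"entry {i}: broken chain link"
        key = CUSTODIAN_KEYS.get(body["custodian"])
        if key is None:
            return False, f"entry {i}: unknown custodian"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"entry {i}: authentication tag mismatch (entry edited)"
        if body["evidence_sha256"] != current:
            return False, f"entry {i}: evidence hash does not match current evidence"
        expected_prev = entry["tag"]
    return True, "ok"


def build_sample_log() -> list:
    """Constructed custody history for EVIDENCE, following the events listed above."""
    log = []
    append_entry(log, "alice", "Collection", "exported from web01 via read-only mount", EVIDENCE)
    append_entry(log, "alice", "Condition", "hash verified, write blocker in place", EVIDENCE)
    append_entry(log, "alice", "Transfer", "handed to bob, evidence locker B-12", EVIDENCE)
    append_entry(log, "bob", "Analysis Performed", "timeline extracted, original untouched", EVIDENCE)
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    print(verify_log(custody, EVIDENCE))
    print(verify_log(custody, EVIDENCE.replace(b"status=ok", b"status=fail")))
```

The verifier stops at the first failing entry and names the check that failed, which is what a reviewer preparing material for court needs: it tells you whether the evidence itself changed, whether a log entry was edited after the fact, or whether an entry went missing.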

Governance and Enterprise Risk

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environment
  • Regulatory
  • Build|Configure|Harden|Patch|Lockdown