it:ad:risk:home

IT:AD:Risk

Summary

Discussing Risk is essentially incomplete – potentially meaningless/unactionable – without including in the conversation the following: * the likelihood of it occurring * the impact of it happening without any controls * controls in place to minimize the chance of it happening * controls in place to it does happens

There are two categories of risk that have to be woven into the above: * Inherent (or gross) risk is the level of risk if all the measures and controls were failing. * Residual (or net) risk is the level of risk with all the measures and controls in place.

Finally, there is a broad concepts of Risk Assessment, Risk Avoidance and Risk Management (of it occurring), which can be subcategorized as: * Risk Assessment (assess the likelihood, impact, controls * Risk Avoidance (ensuring it does not happen) * Risk Reduction * Risk Control * Risk Sharing * Risk Transfer ( * Risk Acceptance (cost in the outcome)

Likelihood/Impact Grid:

1.Trivial 2.Trivial 3.Significant 4.Major 5.Disaster
5.V.Likely @yellow: 5 @yellow: 10 @red: 15 @red: 20 @red: 25
4.Likely @green: 4 @yellow: 8 @yellow: 12 @red: 16 @red: 20
3.Possible @green: 3 @green: 6 @yellow: 9 @yellow: 12 @red: 15
2.Low Likely @green: 2 @green: 4 @green: 6 @yellow: 8 @yellow: 10
1.Unlikely @green: 1 @green: 2 @green: 3 @green: 4 @yellow: 5
1+ 5+ 15 +
Sign Off: @green: BO+CSO @yellow: BO+CSO @red: CIO

CloudRiskCompliancePrivacyEcosystem

Notorious Nine

* Data Breach * Data Loss * Account/Service Hijacking * Insecured Interfaces * IT:AD:DoS * Malicious Insiders * Shared Technology Vulnerabilities * Inefficient Due Diligence * Insufficient Identity/Credential & Access Management * System Vulnerabilities * Advanced Persistent Threats * Abuse and Nefarious Use of Cloud Services

Data BreachesData LossAccount/Traffic HijackingInsecure InterfacesInfrastructure or Economic DoSMalicious InsidersShared Technology VulnerabilitiesInsufficient Due DiligenceInsufficient Credential/Access ManagementSystem VulnerabilitiesAdvanced Persistent ThreatMass use of Cloud Infrastructure Service for Nef

Data Lifecycle

* Create * Store * Use * Share * Archive * Destroy

Information/Data Governance

* Information Classification (What?) * Information management Poliies (How?) * Localtion and Jurisdictional Policies (WHere?) * Authroisation (Who?) * Custodianship (Custody?)

SLA

* Escalation Process * RTO/RPO * Penalty Clauses * Right to Audit * Loss of Integrity

Continuous Optimisation

  • Audit Logging
  • Refine the Rules
  • Reduce False Positives (in order to see what are genuine security breaches).
  • Contract Maintenance
  • Secure Disposal (of Data at the end of the Data LifeCycle)
  • Legal Preparation
    • Forensic
    • Chain of Custody
    • Presentation of Data for Legal/court requirements

Chain of Custody

* Collection * Possession * Condition * Location * Transfer * Access * Analysis Performed

Non-Repudiation

* Confirm Data Authenticity * Digital Signatures * Hashing

PEST-LER

Governance and Enterprise Risk

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environment
  • Regulatory

STRIDE

HARDEN PHYSICAL/VIRTUAL HARDWARE

  • Build|Configure|Harden|Patch|Lockdown
  • /home/skysigal/public_html/data/pages/it/ad/risk/home.txt
  • Last modified: 2023/11/04 03:30
  • by 127.0.0.1