IT:AD:Risk
Summary
Discussing Risk is essentially incomplete (potentially meaningless or unactionable) unless the conversation includes the following:
* the likelihood of it occurring
* the impact of it happening without any controls
* controls in place to minimize the chance of it happening
* controls in place to limit the impact if it does happen
There are two categories of risk that have to be woven into the above:
* Inherent (or gross) risk is the level of risk if all the measures and controls were failing.
* Residual (or net) risk is the level of risk with all the measures and controls in place.
Finally, there are the broad concepts of Risk Assessment, Risk Avoidance and Risk Management (of it occurring), which can be subcategorised as:
* Risk Assessment (assess the likelihood, impact, controls)
* Risk Avoidance (ensuring it does not happen)
* Risk Reduction
* Risk Control
* Risk Sharing
* Risk Transfer
* Risk Acceptance (cost in the outcome)
Likelihood/Impact Grid (score = likelihood x impact; impact across, likelihood down):

| Likelihood \ Impact | 1. Trivial | 2. Trivial | 3. Significant | 4. Major | 5. Disaster |
|---|---|---|---|---|---|
| 5. V. Likely | @yellow: 5 | @yellow: 10 | @red: 15 | @red: 20 | @red: 25 |
| 4. Likely | @green: 4 | @yellow: 8 | @yellow: 12 | @red: 16 | @red: 20 |
| 3. Possible | @green: 3 | @green: 6 | @yellow: 9 | @yellow: 12 | @red: 15 |
| 2. Low Likely | @green: 2 | @green: 4 | @green: 6 | @yellow: 8 | @yellow: 10 |
| 1. Unlikely | @green: 1 | @green: 2 | @green: 3 | @green: 4 | @yellow: 5 |

Sign-off authority by score band:

| Score | 1+ | 5+ | 15+ |
|---|---|---|---|
| Sign Off | @green: BO+CSO | @yellow: BO+CSO | @red: CIO |
Notorious Nine
* Data Breach
* Data Loss
* Account/Service Hijacking
* Insecure Interfaces
* IT:AD:DoS
* Malicious Insiders
* Shared Technology Vulnerabilities
* Insufficient Due Diligence
* Insufficient Identity/Credential & Access Management
* System Vulnerabilities
* Advanced Persistent Threats
* Abuse and Nefarious Use of Cloud Services
Data Lifecycle
* Create
* Store
* Use
* Share
* Archive
* Destroy
Information/Data Governance
* Information Classification (What?)
* Information Management Policies (How?)
* Location and Jurisdictional Policies (Where?)
* Authorisation (Who?)
* Custodianship (Custody?)
SLA
* Escalation Process
* RTO/RPO
* Penalty Clauses
* Right to Audit
* Loss of Integrity
Continuous Optimisation
- Audit Logging
- Refine the Rules
- Reduce False Positives (in order to see what are genuine security breaches).
- Contract Maintenance
- Secure Disposal (of Data at the end of the Data LifeCycle)
- Legal Preparation
- Forensics
  - Chain of Custody
  - Presentation of Data for Legal/Court Requirements
Chain of Custody
* Collection
* Possession
* Condition
* Location
* Transfer
* Access
* Analysis Performed
Non-Repudiation
* Confirm Data Authenticity
* Digital Signatures
* Hashing
PEST-LER
Governance and Enterprise Risk
- Political
- Economic
- Social
- Technological
- Legal
- Environment
- Regulatory
STRIDE
HARDEN PHYSICAL/VIRTUAL HARDWARE
- Build|Configure|Harden|Patch|Lockdown