CISSP Module 1.3 Risk Management Concepts

  • Published 31 Jul 2024
  • This lesson will help CISSP candidates to quickly understand and memorize the various risk management concepts as presented in Domain 1, Security and Risk Management.
    / cisspmicromodules
    For free practice exams, go to cissprep.net/
    What the heck is risk? Risk is the possibility of something bad happening. Risk is usually stated in terms of high, medium, or low. Your job as the CISSP is to determine the level of risk and explain it to senior management.
    Acceptable risk is the amount of risk that senior management is willing to accept. For example, every business has the risk of a break-in happening. If your business manufactures valuable goods like TVs or electronics, and it is located in a high-crime area, there is a high risk of break-ins. If management decides not to put any locks on the doors and not to hire any security guards, they are basically willing to accept the risk of a break-in.
    A Vulnerability is a weakness, such as a broken fence. Shon Harris also called a vulnerability a lack of a safeguard. The words safeguard and control mean the same thing.
    A Threat is something that can take advantage of the vulnerability, such as a thief in our case of the broken fence. It can also be a circumstance, such as the weather. Mitigation refers to the action taken to reduce the risk, such as fixing the fence. A related term is Residual Risk, which refers to the risk that remains after mitigation is performed.
    Management can only make four decisions about risk: mitigate, accept, transfer, or avoid. We have examples in the video if you need them, and I believe we have a separate video on how to deal with risk, or at least I remember creating a slideshow for that at one point.
    Risk is sometimes rated using three factors: impact, likelihood, and exposure. Impact is the monetary effect that will occur, or it can be expressed as the impact on human health. In our case of the broken fence, the impact would be the cost of making the TV that was stolen. Likelihood is the measurement of possibility, usually calculated from historical data on past occurrences. For example, the likelihood of one person running through our broken fence to steal a TV could be a 0.001% chance, based on how many similar thefts have occurred in the past. Exposure is when an organization becomes vulnerable to a threat; for example, the broken fence creates an exposure to the threat of burglary.
    Risk analysis can be done in two ways, qualitative and quantitative. Qualitative analysis is opinion based and more of a narrative discussion. Quantitative analysis is numeric and value based; this is the preferred method because it is more objective.
    The Business Impact Analysis (BIA) is a tool used to help understand the criticality of assets within an organization. Remember that assets typically refer to data in the CBK, but not always. The BIA aims to answer which assets or data are critical to the business, and their level of criticality.
    Now we move on to the traditional risk measurement model, which is a bit outdated, and ISC2 admits this, but it still has value in understanding how it works. Asset Value (AV) is of course the asset's value. Exposure Factor (EF) is the percentage of the asset that can be lost from a certain event. Single Loss Expectancy (SLE) is AV x EF, measured in money. The Annual Rate of Occurrence (ARO) is how many times in a year the event occurs, typically a fraction below 1, though it can exceed 1 for events that happen more than once a year. The Annual Loss Expectancy (ALE) is SLE x ARO, which shows how much the business is currently losing without implementing safeguards. If the safeguards are cheaper than the ALE, it is best to implement the safeguards.
    Some other random terms thrown out in Module 1.3 are:
    Layered defense or defense in depth - this refers to relying on multiple controls, and multiple types of controls, to protect the organization's assets. For example, if you have firewalls in place but no ACLs, no configuration controls, and no locks on data closet doors, you are not using a layered defense.
    Risk Framework - this refers to the model that your organization adopts to manage its risk. I have a separate video that covers the various frameworks and how to memorize them.
    Supply chain - this refers to the flow of assets or data. Audits, surveys, reviews, and testing can be done in the supply chain, but the CBK says that it is also acceptable to simply view the resulting reports of those reviews for entities within the supply chain, and recommend enhanced or reduced security to those entities. For example, if your business contracts with IBM for custom computer parts, and there is an intermediary company that delivers those parts especially for you, they may be subject to certain types of audits or reviews. By reviewing their findings, you can discuss additional or more effective approaches to security.
    The last concept in this module is "Threat modeling", but specifically STRIDE.
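As an added worked example (not code from the video or the cissprep channel), the traditional quantitative model above and the safeguard cost/benefit formula (ALE1 - ALE2) - ACS raised in the comments, applied to the broken-fence warehouse scenario with constructed dollar figures:

```python
"""Quantitative risk model: AV, EF, SLE, ARO, ALE and safeguard cost/benefit."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: money lost each time the event occurs."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset lost, 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is usually below 1 but exceeds 1 for events recurring within a year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float              # ACS: the control's yearly cost
    new_aro: float                  # expected ARO once the control is in place
    new_ef: Optional[float] = None  # set when the control also limits loss per event


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    safeguard: Safeguard) -> float:
    """(ALE before - ALE after) - ACS; positive means the control saves more than it costs."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    ef_after = exposure_factor if safeguard.new_ef is None else safeguard.new_ef
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), safeguard.new_aro)
    return (ale_before - ale_after) - safeguard.annual_cost


def rank_safeguards(asset_value: float, exposure_factor: float, aro: float,
                    safeguards: List[Safeguard]) -> List[Tuple[str, float, bool]]:
    """Score each candidate control, best value first; the flag is True when it pays off."""
    scored = [(s.name, safeguard_value(asset_value, exposure_factor, aro, s)) for s in safeguards]
    return [(n, v, v > 0) for n, v in sorted(scored, key=lambda nv: nv[1], reverse=True)]


# Constructed figures (hypothetical, not from the video): $400,000 of TV stock, a break-in
# through the broken fence takes 25% of it, and history shows one break-in every two years.
WAREHOUSE = dict(asset_value=400_000.0, exposure_factor=0.25, aro=0.5)
CANDIDATES = [
    Safeguard("repair fence + alarm", annual_cost=12_000.0, new_aro=0.125),
    Safeguard("24x7 guards", annual_cost=55_000.0, new_aro=0.0),
    Safeguard("cage high-value stock", annual_cost=8_000.0, new_aro=0.5, new_ef=0.0625),
]

if __name__ == "__main__":
    for name, value, worth_it in rank_safeguards(**WAREHOUSE, safeguards=CANDIDATES):
        print(f"{name:24s} value/yr = {value:>10,.0f}  implement: {worth_it}")
```

With these numbers SLE is $100,000 and ALE is $50,000, so the guards (ACS above the ALE) lose money while the cheaper fence repair and caging both pay for themselves.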

COMMENTS • 10

  • @GMU86
    @GMU86 5 years ago +1

    Another good video is knowing the differences between ECB, CBC, CFB, OFB, and CTR

    • @CISSPrep
      @CISSPrep  3 years ago

      Somehow I missed this comment and I'm very sorry! UA-cam can be a bit quirky sometimes. This is a great idea and I will jump on this next. Thanks for your patience :)

    • @CISSPrep
      @CISSPrep  3 years ago

      Here you go, hopefully better late than never: ua-cam.com/video/soatRmpccPk/v-deo.html

  • @sarasingh4382
    @sarasingh4382 3 years ago +1

    Thank you. It would be great if you get a chance to make a module showing the difference between risk register, risk profile, risk tolerance and risk appetite.

    • @CISSPrep
      @CISSPrep  3 years ago +1

      Will do, thanks for the recommendation. Currently finishing up another Domain 4 video and then I will take a stab at this.

  • @GMU86
    @GMU86 5 years ago

    A good video would be what is a good way to know due diligence and due care.

    • @CISSPrep
      @CISSPrep  5 years ago

      Thanks! Here ya go: ua-cam.com/video/isgMdHd29mU/v-deo.html

  • @GMU86
    @GMU86 5 years ago

    ACS is $/year

  • @GMU86
    @GMU86 5 years ago +1

    You didn't mention safeguard value, which is (ALE1 - ALE2) - ACS

    • @CISSPrep
      @CISSPrep  5 years ago

      This was removed from the 2018 CBK update.