Analyzing Risk: Analyze Organizational Risk Analyze The Business Impact of Risk


Analyzing Risk

• Analyze Organizational Risk
• Analyze the Business Impact of Risk

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 1
Risk Management

The process of identifying risks, analyzing them, developing a response
strategy for them, and mitigating their future impact.

• Helps prevent or lessen the effects of security incidents.
• Four phases:
  1. Assessment
  2. Analysis
  3. Response
  4. Mitigation

Components of Risk Analysis

• Determine the vulnerabilities that a threat can exploit.
• Determine the possibility of damage occurring.
• Determine the extent of the potential damage.

Phases of Risk Analysis

Risk analysis: The process used for assessing risk damages that can affect
an organization.

1. Asset ID
2. Vulnerability ID
3. Threat Assessment
4. Probability Quantification
5. Impact Analysis
6. Countermeasure Determination

Categories of Threat Types

Threat Category  Description
Natural          Related to weather or other uncontrollable events that are residual
                 occurrences of the activities of nature.
Man-made         Residual occurrences of individual or collective human activity. Can be
                 intentional or unintentional.
System           Related to any weakness or vulnerability found in a network, service,
                 application, or device.

Risk Analysis Methods

Method             Description
Qualitative        • Uses descriptions and words to measure the amount and impact of risk,
                     such as High, Medium, and Low.
                   • Usually scenario-based.
                   • Can be subjective and hard to test.
Quantitative       • Based solely on numeric values.
                   • Risk data is compared to historic records, experiences, industry best
                     practices, statistical theories, and tests.
Semi-quantitative  • Uses descriptions and numeric values.
                   • Attempts to find middle ground between qualitative and quantitative
                     risk analysis.

Risk Calculation

SLE: The financial loss expected from a single adverse event.
ALE: The total annual cost of a risk to an organization.
ARO: The number of times per year that a particular loss is expected to
occur.

• ALE = SLE x ARO
• Risk calculation depends on both costs of losses and costs of mitigation.
• Vulnerability tables can help document risk calculation factors.

Vulnerability       Identification   Risk of Occurrence   Impact Estimate   Mitigation
                    Source           (1/Low; 5/High)      (US Dollars)
Flood damage        Physical plant   5                    $950,000          Physical adjustments
                                                                            and flood insurance
Electrical failure  Physical plant   2                    $100,000          Generator, uninterruptible
                                                                            power supply (UPS)
Flu epidemic        Personnel        4                    $200,000          Flu shots
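A worked version of the ALE calculation and the vulnerability table above, added here as an illustration and not taken from the slides. The three rows and their impact estimates (used as SLE) are the slide's; the ARO figures, the residual ARO expected after each countermeasure, and the annual mitigation costs are constructed assumptions, since the slide does not give them. The example also shows the decision the slide alludes to when it says risk calculation depends on both the cost of losses and the cost of mitigation: a countermeasure is worth funding when the ALE it removes exceeds what it costs per year.

```python
"""Annualized loss expectancy (ALE) worked example.

Added illustration, not part of the CompTIA slides. The three vulnerabilities
and impact estimates come from the slide's vulnerability table; the ARO values,
residual AROs and annual mitigation costs are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    vulnerability: str
    source: str
    likelihood: int          # 1 = low, 5 = high (slide's Risk of Occurrence column)
    sle: float               # single loss expectancy, US dollars (slide's Impact Estimate)
    aro: float               # annualized rate of occurrence (constructed assumption)
    mitigation: str
    mitigation_cost: float   # annual cost of the countermeasure (constructed assumption)
    residual_aro: float      # expected ARO once the countermeasure is in place (assumption)


def ale(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected annual cost of one risk."""
    return sle * aro


def annual_benefit(entry: RiskEntry) -> float:
    """ALE removed by the countermeasure, minus what the countermeasure costs per year.

    Positive means the mitigation is cheaper than the losses it prevents; negative
    is a signal to consider accepting or transferring the risk instead.
    """
    return ale(entry.sle, entry.aro) - ale(entry.sle, entry.residual_aro) - entry.mitigation_cost


# Rows taken from the slide; ARO, residual ARO and mitigation costs are constructed.
VULNERABILITY_TABLE = [
    RiskEntry("Flood damage", "Physical plant", 5, 950_000, 0.10,
              "Physical adjustments and flood insurance", 40_000, 0.01),
    RiskEntry("Electrical failure", "Physical plant", 2, 100_000, 0.50,
              "Generator, uninterruptible power supply (UPS)", 12_000, 0.05),
    RiskEntry("Flu epidemic", "Personnel", 4, 200_000, 0.25,
              "Flu shots", 15_000, 0.20),
]


def rank_by_ale(entries):
    """Return (vulnerability, ALE) pairs, highest expected annual loss first."""
    return sorted(((e.vulnerability, ale(e.sle, e.aro)) for e in entries),
                  key=lambda pair: pair[1], reverse=True)


def cost_justified(entries):
    """Vulnerabilities whose countermeasure removes more ALE than it costs each year."""
    return [e.vulnerability for e in entries if annual_benefit(e) > 0]


if __name__ == "__main__":
    for name, value in rank_by_ale(VULNERABILITY_TABLE):
        print(f"{name:<20} ALE = ${value:>12,.0f}")
    print("Cost-justified mitigations:", cost_justified(VULNERABILITY_TABLE))
```

Under these constructed numbers the flood and electrical countermeasures pay for themselves while the flu-shot programme does not, which is the kind of result that moves a risk from the Mitigate column of the response table to Accept or Transfer.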

Risk Response Techniques

Response Technique  Description
Accept              • Acknowledgement of the risk and consequences that come with it.
                    • Acceptance does not mean leaving a system completely vulnerable.
                    • Acceptance is recognizing that the risk involved is not entirely avoidable
                      or the cost of mitigation or avoidance is prohibitive.
Transfer            • Allocate the responsibility of risk to another agency, or to a third party,
                      such as an insurance company.
Avoid               • Eliminate the risk altogether by eliminating the cause.
Mitigate            • Actions to protect against possible attacks.
                    • Implemented when the impact of a potential risk is substantial.
                    • Active defenses (IDSs), or cautionary measures (backing up at-risk data).

Risk Mitigation and Control Types

Technical controls: Hardware or software installations that are
implemented to monitor and prevent threats and attacks to computer
systems and services.
Management controls: Procedures that are implemented to monitor
the adherence to organizational security policies.
Operational controls: Security measures that are implemented to
safeguard all aspects of day-to-day operations, functions, and activities.
Loss/damage controls: Security measures that are implemented to
prevent key assets from being damaged.

Change Management

A systematic way of approving and executing change to assure maximum
security, stability, and availability of information technology services.

• Changes in hardware, software, infrastructure, and documentation can have
  ripple effects on an organization’s security.
• Quantify the costs of training, support, maintenance, and implementation.
• Analyze the benefits and complexities of each change.

1. Analyze
   • Need for change
   • Type of change
   • Organizational culture
2. Plan
   • Change roles
   • Change duties
   • Address resistance
3. Implement
   • Manage transition phase
   • Confirm adoption of change
   • Conduct post-project review
Change Management (Cont.)

• New service pack fixes several security vulnerabilities for a production server.
• Server hosts a custom app that must remain available.
• Change management policy requires form approval for all service packs.
• The new service pack must be tested on a lab server prior to deployment.
• Test results indicate the service pack crashes the custom app.
• The custom app must be revised and retested before the service pack is deployed to the
production server.


Guidelines for Analyzing Risk

• Clearly define organizational expectations for security.
• Identify assets requiring protection, and determine their values.
• Look for possible vulnerabilities that could adversely affect the organization’s security
  goals.
• Determine possible threats to assets.
• Determine the likelihood of the threats exploiting any vulnerabilities.
• Determine the threat impact.
• Identify the optimal risk analysis method.
• Identify possible countermeasures.
• Clearly document all findings and decisions.

Activity: Analyzing Risks to the Organization

• Develetech has concerns about the security of a server room.
• Server room is on the first floor at main headquarters.
• Room is next to main lobby, has no windows, and has a numeric keypad for access.
• Room contains employee data server and client data server.
• You'll conduct a full risk analysis of the server room's physical security.

BIA

A systematic activity that identifies organizational risks and determines
their impact on ongoing, business-critical operations and processes.

• Vulnerability assessments and evaluations
• Determine risks and their effects
• Cover all aspects of a business
• Can be part of a business continuity plan (BCP)

Elements of a BIA:
• Prioritization of critical processes
• Estimation of tolerable downtime
• Probability of reduced efficiency
• Effect of financial loss
• Resources needed to restore
Impact Scenarios
Impact    Description
Life      Natural disasters and intentional man-made attacks:
          • Severe weather events
          • Seismic events
          • Arson and other fires
          • Terrorist attack
Property  Natural disasters and intentional man-made attacks:
          • Severe weather events
          • Seismic events
          • Arson and other fires
          • Terrorist attacks
          • Break-ins
          • Equipment damage
Safety    Natural disasters, intentional man-made attacks, and unintentional man-made risks:
          • Severe weather events
          • Seismic events
          • Arson
          • Terrorist attacks
          • Excessive employee illnesses or epidemics

Impact Scenarios (Cont.)

Impact   Description
Finance  Natural disasters, intentional man-made attacks, unintentional man-made
         risks, and system risks:
         • Severe weather events
         • Seismic events
         • Arson and other fires
         • Terrorist attacks
         • Break-ins
         • Theft
         • Equipment damage
         • File destruction
         • Information disclosure (intentional or inadvertent)
         • User error
         • Social networking and cloud computing
         • Excessive employee illnesses or epidemics
         • Unsecure mobile and networking devices
         • Unstable virtualization environments
         • Email and account-management vulnerabilities

Impact Scenarios (Cont.)

Impact      Description
Reputation  Man-made risks and system risks:
            • Response time for restoration of disrupted services or damaged files
            • Frequent information disclosure
            • Perception of recurring problems
            • Perception of susceptibility
            Organizational response to risks:
            • Price gouging during natural disasters
            • Response time for addressing information disclosure

Privacy Assessments

Privacy impact assessment (PIA): A tool for identifying and analyzing
risks to privacy during the life cycle of a program or system.
Privacy threshold assessment (PTA): A document used to determine
when a PIA is required.
Personally identifiable information (PII): Information that a company
uses to identify or contact employees and other individuals.

• PIAs are required for any US agency that collects PII online.
• Other regulations might require them for different organizations.

Critical Systems and Functions

• Mission-essential
• Quantitative comparison
• MTD: Maximum tolerable downtime
• MTTF: Mean time to failure
• MTTR: Mean time to repair/replace
• MTBF: Mean time between failures
• RTO: Recovery time objective
• RPO: Recovery point objective

Maximum Tolerable Downtime

The longest time period that a business outage can occur without
causing irrecoverable business failure.

• An MTD for each business process.
• Can range from minutes, to hours, to days.
• Vary by company and event.

(Timeline diagram: Event → MTD → Business Failure, against Time)

Recovery Point Objective

The longest period of time that an organization can tolerate lost data
being unrecoverable.

• Usually expressed in hours.
• Helps to determine backup frequency.

(Timeline diagram: RPO, the longest tolerable time since last backup → Event → MTD, against Time)

Recovery Time Objective

The length of time it takes after an event to resume normal business
operations and activities.

• RPO plus time spent preparing to resume processing.
• Must be achieved before MTD.

(Timeline diagram: RPO → Event → RTO → MTD, against Time)

Mean Time to Failure

The average time that a device or component is expected to be in
operation.

• Measure of reliability for non-repairable devices and components.
• Total hours of operation / number of failures

(Timeline diagram: repeated Events with MTTF as the interval between them, against Time)

Mean Time to Repair

The average time it takes for a device or component to recover from
failure.

• Less than RPO when the component is relevant to the recovery effort.
• Also referred to as mean time to recover (or replace).

(Timeline diagram: RPO, Event, RTO, MTD and MTTR, against Time)

Mean Time Between Failures

The rating on a device or component that predicts the expected time
between failures.

• Measure of reliability.
• Can indicate need for redundancy measures.
• MTBF = MTTF + MTTR

(Chart: Reliability against MTBF)
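The three reliability measures from the Mean Time to Failure, Mean Time to Repair and Mean Time Between Failures slides, computed from a failure log. This is an added example, not code from the slides. The log and the observation period are constructed; the formulas are the slides' own (total hours of operation / number of failures for MTTF, and MTBF = MTTF + MTTR). The last function turns the "can indicate need for redundancy measures" bullet into a concrete check against a required service window.

```python
"""Reliability metrics from a failure/repair log.

Added example, not from the CompTIA slides. The event log is constructed: each
record is (hours at which the component failed, hours at which it was back in
service), measured from when monitoring began, and the component was observed
for OBSERVED_HOURS in total.
"""

# Constructed failure records: (failed_at_hours, repaired_at_hours)
FAILURE_LOG = [
    (1_200.0, 1_206.0),
    (2_900.0, 2_903.0),
    (4_400.0, 4_409.0),
    (6_100.0, 6_104.0),
]
OBSERVED_HOURS = 8_760.0  # one year of observation (constructed)


def mttr(log):
    """Mean time to repair: average outage length across all failures."""
    outages = [repaired - failed for failed, repaired in log]
    return sum(outages) / len(outages)


def mttf(log, observed_hours):
    """Mean time to failure: total hours of operation / number of failures.

    Hours spent under repair are not hours of operation, so they are subtracted
    from the observation period before dividing by the failure count.
    """
    downtime = sum(repaired - failed for failed, repaired in log)
    return (observed_hours - downtime) / len(log)


def mtbf(log, observed_hours):
    """Mean time between failures: MTBF = MTTF + MTTR, as the slide states."""
    return mttf(log, observed_hours) + mttr(log)


def needs_redundancy(log, observed_hours, required_uptime_hours):
    """True when the component's MTBF is shorter than the uninterrupted service
    window the business requires, i.e. a single unit cannot be relied on to last
    through the window and a redundant unit (or failover) should be considered."""
    return mtbf(log, observed_hours) < required_uptime_hours


if __name__ == "__main__":
    print(f"MTTR = {mttr(FAILURE_LOG):.1f} h")
    print(f"MTTF = {mttf(FAILURE_LOG, OBSERVED_HOURS):.1f} h")
    print(f"MTBF = {mtbf(FAILURE_LOG, OBSERVED_HOURS):.1f} h")
    print("Redundancy needed for a 6-month window:",
          needs_redundancy(FAILURE_LOG, OBSERVED_HOURS, 4_380))
```

With the constructed log the component fails four times in a year, is down 22 hours in total, and so has an MTTR of 5.5 hours, an MTTF of 2184.5 hours and an MTBF of 2190 hours; a process that must run six months without a failure would need a redundant unit.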
Guidelines for Performing a Business Impact Analysis

• Identify mission-essential functions and critical systems.
• Identify impact scenarios.
• Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF.
• Conduct a privacy threshold assessment and privacy impact assessments when
  required.
• Identify single points of failure.

Activity: Performing a Business Impact Analysis

• Develetech's storefront is its largest source of revenue.
• On Monday at 9:00 A.M., an admin accidentally wiped all storefront servers.
• The store was taken down for all customers.
• Additional info:
  • Last backups performed on Sunday at 9:00 P.M.
  • Loss of transaction data for more than 6 hours could have serious consequences.
  • All servers require full restart and restoration, which could take around 8 hours per server.
  • Not all servers can be restored at once.
  • Develetech believes it can recover the storefront in 2 days.
  • Develetech cannot go without the storefront for more than 3 days.
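One way to work the activity's figures against the RPO, RTO and MTD definitions from the preceding slides, added here as an illustration and not part of the CompTIA activity. The backup time, outage time, 6-hour transaction-loss tolerance, 2-day recovery estimate, 3-day maximum outage and 8 hours per server are the slide's; the calendar dates are constructed so the weekday times become timestamps, and the server count and number of servers restorable in parallel are constructed parameters because the slide gives none.

```python
"""Recovery objectives checked against an outage timeline.

Added example, not part of the CompTIA activity slide. It encodes the figures the
slide gives for the Develetech storefront outage and compares them with the RPO,
RTO and MTD definitions from the preceding slides.
"""
from datetime import datetime, timedelta

# Figures from the slide. The calendar dates are constructed so that the stated
# weekday times become real timestamps; only weekday and time of day matter.
LAST_BACKUP = datetime(2018, 1, 7, 21, 0)     # Sunday 9:00 P.M.
OUTAGE_START = datetime(2018, 1, 8, 9, 0)     # Monday 9:00 A.M.
RPO = timedelta(hours=6)                      # tolerable transaction-data loss
EXPECTED_RECOVERY = timedelta(days=2)         # Develetech's own recovery estimate
MTD = timedelta(days=3)                       # longest outage the business can survive
HOURS_PER_SERVER = 8                          # restart and restoration time per server


def data_loss_window(last_backup: datetime, outage_start: datetime) -> timedelta:
    """Time between the last good backup and the outage: data that cannot be recovered."""
    return outage_start - last_backup


def rpo_met(last_backup: datetime, outage_start: datetime, rpo: timedelta) -> bool:
    """True when the backup cadence kept unrecoverable data inside the RPO."""
    return data_loss_window(last_backup, outage_start) <= rpo


def rto_within_mtd(expected_recovery: timedelta, mtd: timedelta) -> bool:
    """The planned recovery time (RTO) must be achieved before the MTD."""
    return expected_recovery <= mtd


def serial_restore_time(server_count: int, hours_per_server: int, parallel_slots: int) -> timedelta:
    """Restoration time when only `parallel_slots` servers can be restored at once.

    The slide says not all servers can be restored together but gives no counts,
    so server_count and parallel_slots are supplied by the caller.
    """
    rounds = -(-server_count // parallel_slots)   # ceiling division
    return timedelta(hours=rounds * hours_per_server)


def assess(server_count: int, parallel_slots: int) -> dict:
    """Summarize the scenario against each objective."""
    restore = serial_restore_time(server_count, HOURS_PER_SERVER, parallel_slots)
    return {
        "data_loss_hours": data_loss_window(LAST_BACKUP, OUTAGE_START) / timedelta(hours=1),
        "rpo_met": rpo_met(LAST_BACKUP, OUTAGE_START, RPO),
        "restore_hours": restore / timedelta(hours=1),
        "recovery_within_mtd": rto_within_mtd(EXPECTED_RECOVERY, MTD),
    }


if __name__ == "__main__":
    # Constructed counts: six storefront servers, two restorable at a time.
    for key, value in assess(server_count=6, parallel_slots=2).items():
        print(f"{key}: {value}")
```

The twelve hours between the Sunday backup and the Monday wipe exceed the 6-hour tolerance, which is the RPO slide's point that the objective drives backup frequency; the 2-day recovery estimate does sit inside the 3-day MTD, which is the RTO slide's "must be achieved before MTD" condition.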

Reflective Questions

1. What types of risk does your organization face, and what methods would
you use to analyze those risks?

2. If you were developing a BIA for your organization, what types of systems
and functions would you deem essential to operations? Why?
