Stuff to Actually Memorise
What is GRC?
- Set of processes and procedures used by an organisation to achieve business objectives, reduce uncertainty and act with integrity
- Maintains the overall GRC of an organisation
NIST SP 800-30
Risk Identification
- System Characterisation
- Threat Identification
- Vulnerability Identification
Risk Assessment
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
Risk Control
- Control Recommendations
- Result Documentation
Detailed Risk Identification
- Plan and organise the process
- Categorise system components
- Identify and categorise assets
- Classify and prioritise assets
- Identify and prioritise threats
- Specify system vulnerabilities
Risk Control Strategies
- Avoid/Defend — Prevent exploitation through means such as implementing policies, conducting training and applying technology
- Transfer — Shift the risk to another process, asset or organisation (e.g. hiring a consultant or a risk management firm)
- Mitigate — Reduce the impact of the vulnerability through planning & preparation (e.g. IRP, DRP, BCP)
- Accept — Do nothing; chosen when it has been shown to be the most cost-effective option, e.g. through a CBA
- Terminate — Stop the business activity that introduces the risk
Benefits of Effective IS Governance
- Increase in share value
- Optimises the allocation of limited security resources
- Assurance that critical decisions are not based on faulty information
- Protection from civil/legal liabilities
Outcomes of Effective IS Governance
- Strategic Alignment — Business and security strategies are aligned with organisational objectives
- Risk Management — Risk is kept to an acceptable level
- Value Delivery — Optimal IS investments to ensure reasonable profits
- Performance Measurement — Continuous monitoring to ensure objectives are met
- Resource Management — Effective management of limited resources
- Integration — External factors are integrated into processes; smooth running from end to end
Risk Control Cycle
- Identify information assets
- Prepare RVR worksheet
- Develop control strategy and plan
- Implement control
- Assess control
- Check if controls are adequate
- Plan for maintenance
- Measure risk to information assets
- Check if risk levels are acceptable
Formulas
Cost-Benefit Analysis
Risk
Risk Assessment
TVA Worksheet
- Combines identified & prioritised information assets with identified & prioritised threats and identifies potential vulnerabilities in “triples”
- Incorporates existing and planned controls
RVR Worksheet
- Ranked Vulnerability Risk Worksheet
- Assigns risk ratings to each uncontrolled asset-vulnerability pair
WFA Worksheet
- Prioritises/ranks information assets according to their impact on certain criteria
Information Asset Classification Worksheet
- List of all information assets with their values/impact on the organisation
Roles & Responsibilities
Board of Directors
- Establish tone of risk / risk appetite
CISO
- Conduct risk assessments
- Develop security policies
Security Steering Committee
- Reviews and advises on security initiatives to ensure they align with business objectives
- Improve current security strategies
Executive Management Team
- Implement and integrate security policies with business objectives
Risk Assessment
Factors for Likelihood Determination
- Threat-source motivation and capability
- Nature of vulnerability
- Effectiveness and existence of current control measures
Factors for Impact Determination
- Loss of tangible assets or resources
- Violation, harm or impediment of an organisation’s mission, reputation or interests
- Injury/Loss of life (for medium and high only)
Risk Control
Control Methods
- Technical — Safeguards implemented into software, firmware or hardware
- Non-technical — Management and operational controls
Control Categories
- Preventive — Stops security violation attempts
- Detective — Alerts when a security violation is attempted
Qualitative vs Quantitative Assessments
- Qualitative — Uses characteristics and non-numerical measures; Uses scales to remove the need for determining/estimating values
- Quantitative — Uses values/estimates for assessment; e.g. CBA
Cost-Benefit Analysis
- Evaluates the planned control to see if it’s worth the cost incurred
Best Practices
- Security efforts that provide a superior level of information protection
Benchmarking
- Seeking out, studying and adopting practices by other companies
- Metric-based or process-based measurements
- 2 categories — Standard of due care & best practices
Problems with Benchmarking
- Organisations do not talk with each other (biggest issue)
- No two organisations are identical
- Best practices are constantly evolving
- Best practices might not be future-proof