CISM Domain 2 - Risk Management MindMap


Transcript

Introduction

Hey, I’m Nick from Destination Certification, and I’m here to help YOU pass the CISM exam.

In this video, we’re going to go through a review of the major topics related to Risk Management in Domain 2, to understand how they interrelate, and to guide your studies. 

Risk Management

Risk Management. This is a super important topic in security. We as security professionals have a colossal challenge: how do we best protect all the assets across an entire organization.

We never have unlimited budgets, or an unlimited amount of time available to perfectly protect everything. 

So how do we best protect the assets within the organization given our limited budgets and time? One super useful method to help us figure this out is Risk Management. Risk Management is an essential component of any comprehensive security program, as it enables organizations to prioritize their security efforts and allocate resources effectively.

Risk management is fundamentally focused on the identification, assessment, and prioritization of risks and the economical application of resources to minimize, monitor, and control the probability and/or impact of those risks.

At the 10,000 foot level, it's helpful to think about Risk Management as comprising three major steps: Asset Valuation, Risk Analysis, and Treatment. Let's go through these three steps.

1. Asset Valuation

Starting with Asset Valuation. Asset Valuation is conceptually incredibly simple: assign a value to each asset. In other words, figure out how valuable each asset is to the organization so that we can then rank the assets from most on down to least valuable. Simple idea - super hard to do in practice. There are two major ways that we can rank assets. Quantitative & Qualitative analysis.

Quantitative

Quantitative analysis is where we assign monetary values to each asset.

Quantitative analysis is absolutely the preferred method. We would ideally love to assign a nice dollar value to every asset. Unfortunately, for the vast majority of assets this isn’t possible with any sort of reasonable accuracy. Can you confidently say our organization's reputation is worth $736 million, or this data set is worth exactly 23,849 pesos, or this critical application is worth €13.18 million? No. For most assets we absolutely cannot assign a monetary value to them. We may know something is valuable, but assigning an exact dollar value is nigh impossible.

Qualitative

And that is why the vast majority of the time we use qualitative analysis to rank assets. Qualitative analysis is simply a relative ranking system, where you compare assets and say: well this asset is more valuable than that one, which is less valuable than that one. You rank assets relative to each other. And you often create categories like high, medium, and low value and sort assets into these categories. 

2. Risk Analysis

Once you have completed asset valuation, you will have a nicely ranked list of assets. And it is now time to move to step two of Risk Management: Risk Analysis. Risk Analysis is where you identify the risks associated with each asset. To identify and understand the risks associated with each asset you need to look at four things: threats, vulnerabilities, impact, and likelihood. 

Threats

Threats are any potential danger.

Threats are events, situations, or actions that have the potential to cause harm or damage to an organization's assets, operations, or reputation. Threats can come from a wide range of sources, such as natural disasters, cyber attacks, fraud, theft, or human error.

Threat Modeling

A useful tool we can use to help us systematically identify the threats related to an asset is Threat Modeling Methodologies. There have been many different Threat Modeling Methodologies created over the years, and there are three you should know about in particular. 

STRIDE

STRIDE is essentially the quick & easy, but not super thorough methodology you can use to identify threats. For the exam make sure you know that the S in STRIDE stands for Spoofing, and that spoofing is a violation of integrity, and the T in STRIDE stands for Tampering, which is a violation of integrity, and so forth.

PASTA


PASTA - the Process for Attack Simulation and Threat Analysis is the super time consuming, super in-depth methodology for threat modeling. PASTA is a seven-step, risk-centric methodology. PASTA provides way more useful results and it takes into account the business value of assets, compliance issues, and provides a strategic threat analysis. So STRIDE is the quick and easy way of systematically identifying threats and PASTA is the super time consuming method that produces way more useful and nuanced results. 

DREAD

The third methodology you should know about is DREAD. DREAD is different from STRIDE and PASTA. DREAD is not used to identify threats; rather, it is used to prioritize a list of threats that have already been identified. STRIDE and DREAD are often used together: STRIDE is used to identify the threats, and DREAD is used to prioritize the identified threats.

Vulnerabilities

The next major piece that we need to look at as part of Risk Analysis is Vulnerabilities. A vulnerability is a weakness that exists.

Vulnerabilities are weaknesses or gaps in an organization's security or control systems that can be exploited by a threat to cause harm or damage to the organization's assets, operations, or reputation. 

Vulnerability Assessment & Pen Testing

Two techniques that can be used to systematically identify vulnerabilities are Vulnerability Assessment and Penetration Testing which I’ll talk about in detail in the second MindMap video of Domain 6 - link in the description below. 

Likelihood

Likelihood or probability is simply the chance that a particular risk event will occur. It is a measure of the likelihood of a potential risk turning into an actual event.

Impact

And the final piece we have to look at to fully understand a risk is the impact. Impact refers to the potential harm or damage that could result from a particular risk occurring. Impact is essentially whatever bad thing is going to happen to the organization as a result of a risk occurring: downtime, reputational damage, data integrity issues, a breach, ransomware, the list unfortunately goes on, and on, … and on. 

Quantitative

Alright, so as part of risk analysis we are going to come up with a giant list of risks. We need to rank these risks to figure out which risks are of greater or lesser concern. There are two techniques we can use to rank the risks: Quantitative & Qualitative analysis. The same techniques we talked about for ranking assets. 

Quantitative risk analysis is where we try to calculate exactly how much a given risk is going to cost the organization per year. 

It’s super helpful if we can calculate this, as it makes it much easier to determine what controls are cost justified to put in place to mitigate a risk. 

ALE = SLE (Asset Value x Exposure Factor) x ARO

There is a super simple formula you can use to calculate how much a risk is going to cost the organization per year. It’s known as the ALE calculation. The Annualized Loss Expectancy Calculation. And you definitely need to know this formula for the exam.

To calculate the ALE, you first need to calculate the SLE. The single loss expectancy, which is simply how much is a risk going to cost the organization if the risk occurs once. To calculate the SLE you multiply the Asset Value times the Exposure Factor. 

The asset value is simply what the asset is worth. And the Exposure Factor is a percentage that represents what percent of the asset you expect to lose if the risk occurs. An Exposure Factor of 10% would mean you expect to lose 10% of the asset if the risk occurs, and an Exposure Factor of 100% would mean you expect to lose ALL of the asset if the risk occurs.

So to calculate SLE, multiply the Asset Value with the Exposure factor and that will tell you how much it’s going to cost the organization if the risk occurs once. 

But of course the whole point of this ALE formula is to calculate how much a risk is going to cost the organization annually - per year. So we need to multiply the SLE times the ARO. The ARO is the Annualized Rate of Occurrence. The ARO represents how many times per year you expect a risk to occur. If you expect the risk to occur once per year: the ARO will be one. Five times per year, the ARO would be 5, and so on. 

So this is a super simple formula that we would love to use all the time, but we can’t, because the three simple numbers we need, Asset Value, Exposure Factor, and ARO, are often totally impossible to determine with any sort of reasonable accuracy.
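To make the ALE formula concrete, here is an added worked example (not part of the original video) that computes SLE and ALE for a few constructed risks, ranks them by annual cost, and then applies the usual cost-justification check for a control: value of a safeguard = ALE before the control minus ALE after the control minus the annual cost of the control. All asset values, exposure factors, rates and control costs below are made-up figures for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One risk against one asset, with the three inputs the ALE formula needs."""
    name: str
    asset_value: float      # AV: what the asset is worth (constructed, currency units)
    exposure_factor: float  # EF: fraction of the asset lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year (0.5 = once every two years)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor: the cost of one occurrence of the risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: the expected cost of the risk per year."""
    return single_loss_expectancy(risk.asset_value, risk.exposure_factor) * risk.aro


def safeguard_value(risk: Risk, aro_after: float, annual_cost: float) -> float:
    """Annual value of a control that lowers the ARO: ALE(before) - ALE(after) - cost.
    A positive result means the control pays for itself and is cost justified."""
    ale_before = annualized_loss_expectancy(risk)
    ale_after = annualized_loss_expectancy(replace(risk, aro=aro_after))
    return ale_before - ale_after - annual_cost


def rank_by_ale(risks):
    """Risk names ordered from the greatest annual cost down to the least."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]


# Constructed sample risks (hypothetical figures, not from any real organization).
RISKS = [
    Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.25, aro=0.5),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
    Risk("flood in data centre", asset_value=2_000_000, exposure_factor=0.6, aro=0.02),
]

if __name__ == "__main__":
    for r in RISKS:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        print(f"{r.name}: SLE={sle:,.0f} ALE={annualized_loss_expectancy(r):,.0f}")
    print("priority order:", rank_by_ale(RISKS))
    # A backup-and-restore control costing 20,000/yr that cuts the ransomware ARO to 0.125
    print("control value:", safeguard_value(RISKS[0], aro_after=0.125, annual_cost=20_000))
```

Note that the same control evaluated against a risk with a small ALE comes out negative, which is exactly the signal that spending on it is not justified by this risk alone.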

Qualitative

And that is what forces us to use Qualitative analysis most of the time. And like I said before, qualitative analysis is a relative ranking system. Not great, but a whole lot better than nothing.

3. Treatment

Which brings us to the third major step in Risk Management: Treatment. Treatment is where we figure out how to treat the risks we’ve identified, that is, do something about the risks. This is a very important topic and we’ll cover it in a separate MindMap at the end of this domain.

Risk Frameworks

Moving on, risk management frameworks provide a structured and systematic approach to managing risks within an organization. In what is sadly another cliffhanger that we hope will have better reviews than Game of Thrones season 7, I have to tell you that this is another rather large topic we cover in the same MindMap as Risk Response. Don’t worry, unlike a certain author associated with the previously-mentioned show, we actually finished our materials and you’ll have an entire MindMap discussing Risk Framework ready and waiting for you very soon.


And that is an overview of Risk Management within Domain 2, covering the most critical concepts you need to know for the exam.

Something really cool we are providing with these MindMap videos is a completely FREE downloadable version of all the MindMaps in PDF format. We even include a blank version of each MindMap in case you want to print them out and take notes as you listen along. Link to download the MindMaps is in the description below.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies.
