CCSP Domain 1 - Risk Management MindMap

Transcript

Introduction

This is the third of five videos for Domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are just a small part of our complete CCSP MasterClass.

Image of risk management table - Destination Certification

This is the third of five videos for Domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are just a small part of our complete CCSP MasterClass.

Risk Management

Risk management is a super important topic in security, doubly so in the cloud. As security professionals, we have a colossal challenge: how do we best protect all the assets across an entire organization, especially when a bunch of those assets are somewhere in the cloud and are being managed and secured by service providers?

We never have unlimited budgets, or an unlimited amount of time available to perfectly protect everything. And when an organization outsources systems and data they lose a large degree of control over their assets, but they are still accountable for the protection of those assets!

So how do we best protect the assets within the organization, and assets that have been outsourced? One super useful method to help us figure this out is risk management. Risk management is an essential component of any comprehensive security program, as it enables organizations to prioritize their security efforts and allocate resources effectively.

Risk Management can help an organization determine what controls should be in place to protect their assets, and then ensure their service providers are effectively implementing and operating these controls in the cloud.

Risk Profile

Let’s start with some definitions of key risk management terms. Risk profile is a comprehensive evaluation of an organization’s risk tolerance, capacity, and preferences. A risk profile serves as a guide for decision making within an organization. It helps to determine what types and levels of risk are acceptable.

Risk Appetite

Risk appetite is the overall amount and type of risk that an organization is willing to endure in order to meet its strategic goals and objectives.

Risk Tolerance

Risk tolerance is the amount and type of risk that an organization is willing to take in order to meet specific operational objectives. It is focused on specific operational risks.

1. Asset Valuation

Risk management is fundamentally focused on the identification, assessment, and prioritization of risks and the economical application of resources to minimize, monitor, and control the probability and impact of those risks.

At the 10,000 foot level, it's helpful to think about risk management comprising three major steps: asset valuation, risk analysis, and treatment. Let's go through these three steps starting with asset valuation. Asset valuation is conceptually simple: assign a value to each asset. In other words, figure out how valuable each asset is to the organization so that we can then rank the assets from the most valuable down to least valuable. It’s a simple idea, but super hard to do in practice. There are two major ways that we can rank assets: quantitative and qualitative analysis.

Quantitative

Quantitative analysis is where we assign monetary values to each asset.

We say this asset is worth a buck and this asset is worth $1.8 million Canadian.

Quantitative analysis is absolutely the preferred method. We would ideally love to assign a nice dollar value to every asset. Unfortunately, for the vast majority of assets this isn’t possible with any sort of reasonable accuracy. Can you confidently say our organization's reputation is worth 736 million dollars, or this data set is worth exactly 23,849 Pesos, or this critical application is worth 13.18 million Euro. No. For most assets we absolutely cannot assign a monetary value to them. We may know something is valuable but assigning an exact dollar value is nigh impossible.

Qualitative

And that is why the vast majority of the time we use qualitative analysis to rank assets. Qualitative analysis is simply a relative ranking system, where you compare assets and say: well this asset is more valuable than that one, which is less valuable than that one. You rank assets relative to each other and you often create categories like high, medium, and low value and sort assets into these categories.

2. Risk Analysis

Once you have completed asset valuation, you will have a nicely ranked list of assets. Then it’s time to move to step two of risk management: risk analysis. Risk analysis is where you identify the risks associated with each asset. To identify and understand the risks associated with each asset you need to look at four things: threats, vulnerabilities, impact, and likelihood.

Threats

Threats are any potential danger.

Threats are events, situations, or actions that have the potential to cause harm or damage to an organization's assets, operations, or reputation. Threats can come from a wide range of sources, such as natural disasters, cyber attacks, fraud, theft, or human error.

STRIDE & PASTA

We can use threat modeling methodologies to help us systematically identify and prioritize the threats associated with a given asset. We’ll talk about different threat modeling methodologies in the third MindMap of Domain 4.

Vulnerabilities

The next major piece that we need to look at as part of risk analysis is vulnerabilities. A vulnerability is a weakness that exists.

Vulnerabilities are weaknesses or gaps in an organization's security or control systems that can be exploited by a threat to cause harm or damage to the organization's assets, operations, or reputation.

Vulnerability / Pen Test

Two techniques that can be used to systematically identify vulnerabilities are vulnerability assessment and penetration testing, which we’ll talk about in detail in the second MindMap video of Domain 4.

Likelihood

Likelihood or probability is simply the chance that a particular risk event will occur. It is a measure of the likelihood of a potential risk turning into an actual event.

Impact

The final piece we have to look at to fully understand a risk is the impact. Impact refers to the potential harm or damage that could result from a particular risk occurring. Impact is essentially whatever bad thing is going to happen to the organization as a result of a risk occurring: downtime, reputational damage, data integrity issues, a breach, ransomware, the list unfortunately goes on, and on, and on.

Quantitative

Alright, so as part of risk analysis we are going to come up with a giant list of risks. We need to rank these risks to figure out which risks are of greater or lesser concern. There are two techniques we can use to rank the risks: quantitative and qualitative analysis. The same techniques we talked about for ranking assets.

Quantitative risk analysis is where we try to calculate exactly how much a given risk is going to cost the organization per year.

It’s super helpful if we can calculate this, as it makes it much easier to determine what controls are economically justified to put in place to mitigate a risk.

ALE = SLE (Asset Value × Exposure Factor) × ARO

There is a super simple formula you can use to calculate how much a risk is going to cost the organization per year. It’s known as the ALE calculation. The annualized loss expectancy calculation. You definitely need to know this formula for the exam.

Image of ALE formula - Destination Certification

To calculate the ALE, you first need to calculate the SLE, the single loss expectancy, which is simply how much a risk is going to cost the organization if the risk occurs once. To calculate the SLE you multiply the asset value by the exposure factor.

The asset value is simply what the asset is worth. And the exposure factor is a percentage that represents what percent of the asset you expect to lose if the risk occurs. An exposure factor of 10% would mean you expect to lose 10% of the asset if the risk occurs. Or an Exposure Factor of 100% would mean you expect to lose all of the asset if the risk occurs.

So, to calculate the SLE, multiply the asset value with the exposure factor and that will tell you how much it’s going to cost the organization if the risk occurs once.

But of course the whole point of this ALE formula is to calculate how much a risk is going to cost the organization annually–per year. So we need to multiply the SLE by the ARO. The ARO is the annualized rate of occurrence. The ARO represents how many times per year you expect a risk to occur. If you expect the risk to occur once per year: the ARO will be one. Five times per year, the ARO would be five and so on.

So, it’s a super simple formula that we would love to use all the time, but we can’t. This is because the three simple numbers we need: asset value, exposure factor, and annualized rate of occurrence are often totally impossible to determine with any sort of reasonable accuracy.
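As an added worked example (not part of the original video or of Destination Certification’s material), here is the ALE calculation above carried through in Python on a constructed ransomware scenario, plus the cost-benefit check the text alludes to: a control is economically justified when the ALE it removes exceeds its annual cost. The asset value, exposure factors, ARO values and the $60,000 backup cost are all assumed numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk against one asset, with the three inputs the ALE formula needs."""
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (0.1 = once per decade)


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV x EF: what one occurrence of the risk costs the organization."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if risk.aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: the expected cost of the risk per year."""
    return single_loss_expectancy(risk) * risk.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a mitigating control:
    (ALE before the control) - (ALE after the control) - (annual cost of the control).
    A positive result means the control pays for itself; the remaining
    ALE after the control is the residual risk, expressed in dollars."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


# Constructed scenario (assumed values): a customer database worth $1,800,000.
# Without a control, ransomware is expected to hit it twice a year, costing 25%
# of its value each time.
ransomware = Risk("ransomware on customer DB", 1_800_000, 0.25, 2.0)

# With immutable, tested backups (a mitigating control) the estimate drops to
# one event per year losing 5%; the backup service is assumed to cost $60,000/year.
ransomware_with_backups = Risk("ransomware on customer DB (with backups)", 1_800_000, 0.05, 1.0)

if __name__ == "__main__":
    print(f"SLE without backups: ${single_loss_expectancy(ransomware):,.0f}")
    print(f"ALE without backups: ${annualized_loss_expectancy(ransomware):,.0f}")
    print(f"Net annual value of backups: ${control_value(ransomware, ransomware_with_backups, 60_000):,.0f}")
```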

Qualitative

That is what forces us to use qualitative analysis most of the time. Like I said before, qualitative analysis is a relative ranking system. It’s not great, but it’s a whole lot better than nothing.

3. Treatment

Which brings us to the third major step in risk management: treatment. Treatment is where we figure out how to treat the risks we’ve identified. It’s where we do something about the risks. There are four major treatment methods: avoid, transfer, mitigate and accept. Let’s go through them.

Avoid

Starting with risk avoidance. Risk avoidance means implementing measures to prevent the risk from occurring or choosing not to engage in activities that would cause the risk to occur. Don’t want to face the risk of near certain death from jumping out of an airplane with no parachute?

Then don’t jump out of an airplane with no parachute. That’s risk avoidance.

Transfer

Risk transference means buying an insurance policy. An organization can purchase an insurance policy to transfer the financial burden of a particular risk to their insurer. However, it’s super critical to remember from a security perspective that you can never transfer or delegate accountability. So if an organization has purchased an insurance policy, they are not transferring the accountability for a risk to their insurer.

Mitigate

Risk mitigation is what we spend most of our time on as security professionals. Risk mitigation is implementing various controls to reduce the risk. We’ll talk through a bunch of different types of controls in just a moment–preventative controls, detective controls, corrective controls, etc. So risk mitigation is about reducing the risk by implementing various controls. Which raises an important question: can we ever find the perfect set of controls that will completely eliminate a risk? The answer is no. Which brings up another important term: residual risk. Residual risk is the risk that is left over after we have implemented mitigating controls.

There are three major methods we can use to implement mitigating controls.

Administrative

Administrative means policies, procedures, and other organizational practices that we put in place to manage risks. Administrative controls are things like security policies and employee training and awareness.

Technical / Logical

Technical and logical controls are the technologies we put in place to manage risks. Things like firewalls, intrusion detection systems, encryption, automated backups, etc.

Physical

Physical controls are the physical security stuff such as fences, cameras, locks, fire suppression systems, etc.

So we can implement controls using any of those three major methods: Administrative, Technical and logical, and Physical.

Safeguards

There’s one more layer here to define before we get into the actual controls. We can categorize the controls into two major groups: safeguards and countermeasures. Safeguards are the controls we put in place to try and ensure a risk doesn’t occur. So within this category of safeguards we have the following three controls:

Directive

Directive controls are measures that provide guidance and instruction to personnel on how to handle risks. Directive controls direct behavior. How do we tell someone to do something within an organization? Policies. Policies are a perfect example of a directive control.

Deterrent

Deterrent controls discourage individuals from engaging in risky behavior. The keyword here is discourage. Deterrent controls don’t prevent someone from doing something, they discourage them. A perfect example of a deterrent control is a sign that says private property–all trespassers will be shot.

That sign wouldn’t prevent me from walking onto a property but if this was in the US where everyone has at least 37 guns, and there’s no public healthcare, it would definitely discourage me. Sorry for picking on the US here - but I’m Canadian, I’m allowed to. We’re like the annoying younger sibling of the US.

Preventative

Alright, now preventative controls are measures that aim to prevent or stop a risk from occurring. Examples of preventative controls include razor wire topped fences, login mechanisms, and firewalls.

Countermeasures

As I said, we can categorize the controls into two major groups: safeguards and countermeasures. Countermeasures are the controls we put in place to detect and respond to a risk that has occurred. So within this category of countermeasures we have the following three controls:

Detective

Detective controls are measures that help identify risks that have occurred or are currently ongoing. Examples of detective controls include SIEM systems–security information and event management systems, intrusion detection systems, smoke detectors, etc.

Corrective

Corrective controls are measures that aim to reduce the negative impacts of risks after they have occurred. A perfect example of a corrective control would be a fire suppression system that activates to put out a fire.

Recovery

Recovery controls are measures that help organizations recover from the negative impacts of risks–get back to business as usual. A good example of a recovery control is a disaster recovery plan (DRP).

Compensating

Finally, compensating controls are the measures we put in place to mitigate the negative impacts of risks when other controls are not effective or feasible. So, essentially, compensating controls make up for the lack of a better control.

Functional

Okay, and now the final aspect of controls we need to cover: functional and assurance. Every good control is supported by these two key aspects: functional and assurance.

The functional aspect refers to the function that a control is meant to perform. For example, what is the function of a firewall? Firewalls control the flow of traffic between two network segments. So a good firewall control is going to provide this functionality–the ability to control the flow of traffic. Any good control is going to perform some sort of useful function.

Assurance

The second aspect that any good control needs to provide is assurance. We need to be able to get assurance that a control is working correctly on an ongoing basis. So, going back to a firewall, how would we typically get assurance that a firewall is working correctly on an ongoing basis? By logging and monitoring the firewall. Any good control is going to provide this assurance aspect. So, that finally wraps up the discussion of risk mitigation.

Accept

So let's zoom back up to the final risk treatment method: risk acceptance. Risk acceptance is a deliberate decision to accept a certain level of risk and its potential consequences. Who within an organization should be accepting the risk associated with a particular asset? The asset owner. Owners are accountable for the security of an asset, so owners are best positioned to either accept a risk or not.

Residual Risk

And the final item–residual risk–is the risk that remains after compensating controls have been implemented. There is always going to be residual risk as you can never find the perfect set of controls that will completely eliminate a risk. Very importantly, residual risk should be accepted by the asset owner.

Image of risk management table - Destination Certification

That’s it for our overview of risk management in Domain 1, covering the key concepts you need to know.

Image of next mindmap - Destination Certification

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

If you’re looking for the easiest way to achieve your CCSP certification, then check out our CCSP MasterClass. Link is in the description below.

All the best in your studies!