Project Name: Principle Methods of Risk Management
Description: Cyber risk management revolves around categorizing controls, selecting security controls, implementing them and monitoring them. This blog explains the principal methods of risk management. Risk management is an exercise in which risks are identified and treated proactively; it allows enterprises to improve their chances of success by minimizing threats and maximizing opportunities.
Author: Rohit D Sadgune / Amruta Sadgune
FAQ:-
- What are the principal risk assessment activities?
- What is system characterization?
- What is threat identification?
- What is vulnerability identification?
- What are control analysis and likelihood determination?
- What is impact analysis?
- What is risk determination?
- What are control recommendations?
- Why is documentation of results required?
Risk Assessment Activities
Risk is exposure to danger, harm or loss. Risk assessment, in simple terms, is the evaluation of that exposure for a specific system: which threats could exploit which weaknesses, how likely that is, and what it would cost the organization. The nine steps below, with their inputs and outputs, follow the risk assessment methodology of NIST SP 800-30; each step's output feeds the next.
- System Characterization
Defines the resources and the environment that make up the system, and draws the boundary of the assessment. Every component that may be exposed to a threat (hardware, software, interfaces, data and the people who operate it) must fall inside that boundary, otherwise its risks are never assessed.
Input
- Hardware
- Software
- System Interfaces
- Data and Information
- People
- System Missions
Output
- System Boundary
- System Functions
- System and Data Criticality
- System and Data Sensitivity
- Threat Identification
Once the systems exposed to loss are identified, the threat sources that could act against them are enumerated, so that a decision can be made on how to protect them. Past attacks on the system and external threat intelligence are the main sources. A threat source only matters if there is a vulnerability it can exercise; threats can be categorized as physical or logical depending on the affected system.
Input
- History of System Attacks
- Data from Intelligence agencies
Output
- Threat statement (the list of threat sources that could exploit the system)
- Vulnerability Identification
Identifies the weaknesses in the system's design, implementation or operation, and in the organization's procedures, that a threat source could exploit. Earlier assessments and audits, the security requirements the system should meet, and the results of security testing (vulnerability scans, penetration tests) all contribute.
Input
- Reports from prior risk assessments
- Audit comments
- Security requirements checklist
- Security test results
Output
- List of potential vulnerabilities
- Control Analysis
This phase assesses the controls already in place and those planned, and whether they actually mitigate the identified vulnerabilities. Its output feeds likelihood determination: a control that effectively blocks a threat lowers the likelihood that the vulnerability can be exploited, while a missing or ineffective control leaves it unchanged.
Input
- Current Controls
- Planned Controls
Output
- List of current and planned controls, with their effectiveness
- Likelihood Determination
The probability that a given vulnerability could be exploited by a threat source, typically rated High, Medium or Low. The rating considers the threat source's motivation and capability, the nature of the vulnerability, and the existence and effectiveness of current controls.
Input
- Threat source motivation
- Threat source capability
- Nature of the vulnerability
- Current Controls
Output
- Likelihood ratings
- Impact Analysis
Determines the adverse impact on the organization (loss of confidentiality, integrity or availability, and the resulting mission, financial or reputational harm) if the vulnerability were successfully exploited. The analysis should assume the worst-case scenario.
Input
- Mission impact analysis
- Asset criticality assessment
- Data criticality
- Data sensitivity
Output
- Impact rating
- Risk Determination
Estimates the level of risk to the system by combining the likelihood that a threat source exploits the vulnerability with the magnitude of the resulting impact, adjusted for the adequacy of current or planned controls. The result is a risk level (for example High, Medium or Low) for each threat/vulnerability pair, which is what allows risks to be ranked.
Input
- Likelihood of threat exploitation
- Magnitude of impact
- Adequacy of planned or current controls
Output
- Risks and associated risk levels
- Control Recommendations
Measures that could mitigate or eliminate each identified risk and reduce it to an acceptable level. Recommendations should weigh effectiveness, cost and operational impact, since not every risk is worth the control that would remove it.
Output
- Recommended controls
- Results Documentation
Documentation records the analysis and findings in a form that management and the wider organization can track: which threat/vulnerability pairs were found, their likelihood, impact and risk level, and the recommended controls. The report is what decision-makers use to approve, fund or consciously accept each risk.
Output
- Risk assessment report
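The nine steps above as one worked example, added here and not part of the original post. It takes a constructed list of threat/vulnerability pairs (the outputs of steps 2 and 3), applies control analysis to obtain an effective likelihood, scores likelihood against impact, assigns a risk level and prints the risk assessment report of step 9. The numeric scales (likelihood Low/Medium/High = 0.1/0.5/1.0, impact = 10/50/100, and the risk thresholds >50 High, >10 Medium, else Low) are those of NIST SP 800-30 (2002); the rule that an adequate control lowers likelihood by one step, the `ThreatVulnPair` structure and the sample findings are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Rating scales taken from NIST SP 800-30 (2002), Table 3-6 (an assumption of this
# example; the post itself gives no numeric scale). Risk = likelihood x impact.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class ThreatVulnPair:
    """One row of the threat statement joined to the vulnerability list (hypothetical structure)."""
    threat_source: str        # step 2 output
    vulnerability: str        # step 3 output
    raw_likelihood: str       # step 5 input: motivation/capability vs. the vulnerability
    impact: str               # step 6 output
    control_adequate: bool    # step 4 output: does a current/planned control mitigate it?
    recommended_control: str  # step 8 output


def effective_likelihood(pair: ThreatVulnPair) -> str:
    """Step 5: an adequate current/planned control lowers the likelihood one step
    (assumed rule for this example); otherwise the raw likelihood stands."""
    if pair.control_adequate:
        return LEVELS[max(0, LEVELS.index(pair.raw_likelihood) - 1)]
    return pair.raw_likelihood


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: numeric risk = likelihood weight x impact weight (range 1 .. 100)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Step 7: map the score onto the NIST SP 800-30 risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs):
    """Run steps 4-8 over every pair; returns rows sorted highest risk first."""
    rows = []
    for p in pairs:
        lk = effective_likelihood(p)
        score = risk_score(lk, p.impact)
        rows.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "likelihood": lk,
            "impact": p.impact,
            "score": score,
            "risk_level": risk_level(score),
            "recommended_control": p.recommended_control,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def report(rows) -> str:
    """Step 9: the risk assessment report as text, one line per risk."""
    lines = ["Risk Assessment Report", "=" * 22]
    for r in rows:
        lines.append(
            f"[{r['risk_level']:6}] score={r['score']:5.1f} "
            f"likelihood={r['likelihood']} impact={r['impact']} :: "
            f"{r['threat_source']} -> {r['vulnerability']} | control: {r['recommended_control']}"
        )
    return "\n".join(lines)


# Constructed sample findings for a small e-commerce system (not real assessment data).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Internet-facing web server missing vendor patches",
                   "High", "High", False, "Patch within 7 days; verify with vulnerability scanning"),
    ThreatVulnPair("Phishing campaign", "Staff accounts without multi-factor authentication",
                   "High", "Medium", False, "Enforce MFA for all staff accounts"),
    ThreatVulnPair("Terminated employee", "Accounts not disabled at off-boarding",
                   "Medium", "High", True, "Keep HR off-boarding tied to identity provider deprovisioning"),
    ThreatVulnPair("Flood", "Single data centre located in a flood plain",
                   "Low", "Medium", False, "Off-site backups with a tested restore procedure"),
]

if __name__ == "__main__":
    print(report(assess(SAMPLE_PAIRS)))
```

On the sample data this ranks the unpatched web server High (score 100), the missing MFA Medium (50), and the off-boarding gap Low (10) because an adequate control already exists; the same finding with no control would score 50 and rank Medium. Control analysis feeding likelihood is what makes that difference visible in the report.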