Managerial

    • Governance: Managing and directing an organisation or system to achieve its objectives and ensure compliance with laws, regulations, and standards.
    • Regulation: A rule or law enforced by a governing body to ensure compliance and protect against harm.
    • Compliance: The state of adhering to laws, regulations, and standards that apply to an organisation or system.
  • Information Security Governance
    • Strategy: Developing and implementing a comprehensive information security strategy that aligns with the organisation's overall business objectives.
    • Policies and procedures: Preparing policies and procedures that govern the use and protection of information assets.
    • Risk management: Conducting risk assessments to identify potential threats to the organisation's information assets and implementing risk mitigation measures.
    • Performance measurement: Establishing metrics and key performance indicators (KPIs) to measure the effectiveness of the information security governance program.
    • Compliance: Ensuring compliance with relevant regulations and industry best practices.
  • Information security regulation refers to legal and regulatory frameworks that govern the use and protection of information assets. Regulations are designed to protect sensitive data from unauthorized access, theft, and misuse. Compliance with regulations is typically mandatory and enforced by government agencies or other regulatory bodies. Examples of information security regulations/standards include the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), Personal Information Protection and Electronic Documents Act (PIPEDA), and many more.
  • Here comes the role of the Governance, Risk, and Compliance (GRC) framework. It focuses on steering the organisation's overall governance, enterprise risk management, and compliance in an integrated manner. It is a holistic approach to information security that aligns with the organisation's goals and objectives and helps to ensure that the organisation operates within the boundaries of relevant regulations and industry standards.
    • Governance Component: Involves guiding an organisation by setting its direction through information security strategy, which includes policies, standards, baselines, frameworks, etc., along with establishing appropriate monitoring methods to measure its performance and assess the outcomes.
    • Risk Management Component: Involves identifying, assessing, and prioritising risks to the organisation and implementing controls and mitigation strategies to manage those risks effectively. This includes monitoring and reporting on risks and continuously evaluating and refining the risk management program to ensure its ongoing effectiveness.
    • Compliance Component: Ensuring that the organisation meets its legal, regulatory, and industry obligations and that its activities align with its policies and procedures. This includes developing and implementing compliance programs, conducting regular audits and assessments, and reporting on compliance issues to stakeholders.
  • GRC
  • Develop GRC Program - Generic Guidelines 
    1. Define the scope and objectives
    2. Conduct a risk assessment
    3. Develop policies and procedures
    4. Establish governance processes
    5. Implement controls
    6. Monitor and measure performance
    7. Continuously improve
  • An Example - GRC Framework in Financial Sector
    • Governance-Related Activities: Nominate the governance-level executives, and make finance-related policies covering the Bank Secrecy Act, anti-money laundering, financial audit, financial reporting, crisis management, and many more.
    • Risk Management Activities: Identify potential risks, their possible outcomes, and countermeasures such as financial fraud risks, fraudulent transactions through cyber-attack, stolen credentials through phishing, fake ATM cards, etc.
    • Compliance Activities: Take measures to meet legal requirements and industry standards such as PCI DSS, GLBA, etc. Moreover, this also includes implementing correct methods like TLS (the older SSL versions are deprecated) to avoid man-in-the-middle (MITM) attacks, ensuring automatic patch management so that software does not remain unpatched, creating awareness campaigns to protect users from phishing attacks, and many more.
    • Threat: an intentional or accidental event that can compromise the security of an information system. Examples include hacking, phishing attacks, human error, and natural disasters.
    • Vulnerability: a software, hardware, or network weakness that cybercriminals can exploit to gain unauthorised access or compromise a system.
    • Asset: a valuable resource or component (tangible or intangible) that an organisation relies upon to achieve its objectives.
    • Risk: the probability of a threat source exploiting an existing vulnerability and resulting in adverse business effects.
    • Risk Management (RM): the process of identifying, assessing, and mitigating risk to maintain acceptable levels.
    • Human-made threats: These threats are caused by human activities or interventions. Example: Terrorism
    • Technical threats: These threats result from technological failures, malfunctions, or vulnerabilities. Example: Power Outage
    • Natural threats: These are threats caused by natural events or phenomena. Example: Earthquakes
  • Risk
    • Risk is the probability of a threat source exploiting an existing vulnerability (in an asset) and resulting in adverse business effects.
  • Risk Management
    • As mentioned earlier, risk management is a process of identifying, assessing, and responding to risks associated with a particular situation or activity. It involves identifying potential risks, assessing their likelihood and impact, evaluating possible solutions, and implementing the chosen solutions to limit or mitigate risk. It also involves monitoring and assessing the effectiveness of the solutions put in place.
    • A Risk Management Policy is a set of procedures and processes designed to minimise the chances of an adverse event or outcome for an organisation. It helps organisations identify, assess, and manage potential and actual risks related to their operations, financial activities, and compliance with applicable laws and regulations. The policy provides guidance on identifying and assessing risks, as well as assigning tasks and responsibilities to those involved in managing them.
    • Information Systems Risk Management is a system of policies, procedures, and practices that seek to protect a company’s computer system from various internal and external threats. It includes identifying threats, assessing the probability of their occurrence, and evaluating the effectiveness of various measures that can be taken to limit the damage they could cause. The process also involves determining the resources that should be allocated to respond to potential threats, as well as monitoring and maintaining the integrity of the system.
    • Failure Modes and Effects Analysis (FMEA): A risk assessment methodology commonly used in engineering and manufacturing. It involves identifying potential failure modes for a system or process and then analysing the possible effects of those failures and the likelihood of their occurrence.
  • Based on NIST SP 800-30 (which follows the process defined in NIST SP 800-39), the risk management process entails four steps:
    1. Frame risk: First, we must establish the context within which all risk activities occur.
    2. Assess risk: We must identify, analyse, and evaluate potential risks and their likelihood and impact. This step is crucial to help decide on a proper response later.
    3. Respond to risk: We need to take the steps necessary to mitigate the likelihood or impact of the risk. The response depends on many factors, and we will cover them separately.
    4. Monitor risk: Finally, we continue tracking and evaluating the effectiveness of risk responses, identifying new risks, and ensuring that our risk management activities are effective. Monitoring is an ongoing process, as many criteria might change over time.
    • Risk management begins with establishing a risk context, i.e., framing risk. The purpose of risk framing is to develop a risk management strategy.
    • Organisations must define a risk frame to set the groundwork for managing risk and provide limits to risk-based decisions.
    • To create a reasonable risk frame, organisations must identify the following:
    • Risk Assumptions: What are the assumptions about threats and vulnerabilities? What is the likelihood of occurrence? What would be the impact and consequences?
    • Risk Constraints: What are the constraints on assessing, responding, and monitoring risks?
    • Risk Tolerance: What are the acceptable levels of risk? What is the acceptable degree of risk uncertainty?
    • Priorities and Trade-offs: What are the high-priority business functions? What are the trade-offs among the different types of faced risks?
  • In this example, we will only focus on one risk: data theft.
    • Risk Assumptions: The fact that this company handles the accounting data of its clients increases the risk of being targeted by adversaries that would try to profit from stealing such data. Unless proper measures are taken, the likelihood of success is relatively high, and the impact would be disastrous for the company's image.
    • Risk Constraints: The primary constraints are expected to be budget-related. Safeguarding the data requires improving physical and cyber security; it entails conducting cyber security training and hiring new personnel.
    • Risk Tolerance: Considering the type of business, the risk of data theft cannot be tolerated. Tolerating data theft would lead to the whole company going out of business.
    • Priorities and Trade-offs: The priority is to maintain a trustworthy image of a company that can conduct its business with confidentiality and integrity.
  • Threats:
    • Physical damage: From natural causes to human-made, accidents happen. Examples include water leakage, fire, and power loss.
    • Outsider threat: There are always adversaries interested in your systems; even if your data is only valuable to you, they can still try to infect your system with ransomware.
    Example 1
    • Threat: Tsunami
    • Vulnerability: The office is near the seashore
    • Impact: Destruction of office equipment
    • Likelihood: Negligible
    Example 2
    • Threat: Ransomware Groups
    • Vulnerability: Data is stored on computer systems
    • Impact: Disrupting the work of faculty and staff (till the data is recovered from backup)
    • Likelihood: High
    • Qualitative Risk Analysis, where we assign ratings to risks. The ratings can be a qualitative adjective, such as high, medium, and low. Alternatively, it can be something symbolic, such as red, yellow, and green.
    • Quantitative Risk Analysis, where we assign monetary values and use that as a basis for decision-making.
  • Qualitative Risk Analysis
    As the name suggests, qualitative risk analysis uses qualitative adjectives to describe:
    • Probability of a risk-taking place, i.e., probability of a threat exploiting a vulnerability
    • Impact of the risk, if realised, which can range between trivial to extreme
  • A risk matrix is a table that matches impact against probability. We would allocate fewer resources to respond to a risk that is unlikely to occur and has a trivial effect; however, it is the opposite case if the risk is likely to occur and has a significant impact. The former case is a low risk, while the latter is a high risk. Consequently, the response is decided accordingly.
  • Quantitative Risk Analysis: Single Loss Expectancy
    Using quantitative analysis, we need to assign monetary values and numeric percentages. Let’s start with the following equation:
    SLE = AssetValue × EF
    Where:
    • Single Loss Expectancy (SLE) is the loss incurred due to the realisation of a threat represented as a monetary value.
    • Asset Value is the monetary valuation of an asset
    • Exposure Factor (EF) is the percentage of loss a realised threat can cause to an asset.
  • SLE Numeric Example:
    Consider the following numeric example for a work laptop considering the threat of a ransomware virus.
    • Asset Value = $10,000; the laptop is worth $1000, and the data are worth $9000.
    • EF = 90%; a ransomware infection would cause all the data to be unusable.
    Consequently,
    SLE = AssetValue × EF = $10,000 × 90% = $9,000.
    • In other words, a ransomware infection for such a work laptop would cause the company to lose $9000, assuming there is no backup copy.
  • Annualised Loss Expectancy
    • However, this information is insufficient for us to decide on countermeasures. We need to find the expected loss per year.
    ALE = SLE × ARO
    Where:
    • Annualised Loss Expectancy (ALE) is the loss the company expects to lose per year due to the threat.
    • Annualised Rate of Occurrence (ARO) is the expected number of times this threat is realised yearly, i.e., frequency per year.
  • ALE Numeric Example
    Let’s revisit our example and calculate the ALE.
    • We have already calculated the SLE as $9000; we need to figure out how often we expect this incident to happen yearly.
    • Based on experience, a work computer is infected with ransomware once every two years. Hence, the annualised rate of occurrence is 0.5.
    Consequently,
    ALE = SLE × ARO = $9,000 × 0.5 = $4,500.
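  • As an added worked example (not part of the original deck), the following Python carries the SLE and ALE formulas through with the laptop figures above and extends them to the question ALE exists to answer: whether a countermeasure is worth its annual cost. The net value of a safeguard is ALE before the control, minus ALE after it, minus the control's yearly cost; a positive value argues for mitigating, a negative one for accepting the risk. The two candidate safeguards, their costs and their residual EF/ARO values are assumed figures for illustration, not from the page.

```python
"""Quantitative risk analysis: SLE, ALE and the net value of a countermeasure."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AssetValue x EF. EF is a fraction in [0, 1] (90% -> 0.9)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is occurrences per year (once per two years -> 0.5)."""
    if aro < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the risk parameters left once it is in place."""
    name: str
    annual_cost: float   # yearly cost of buying and running the control
    residual_ef: float   # exposure factor after the control is deployed
    residual_aro: float  # annualised rate of occurrence after the control is deployed


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """Net annual benefit = ALE(before) - ALE(after) - annual cost of the safeguard.

    Positive: the control saves more than it costs (mitigate).
    Negative: the control costs more than the loss it prevents (accept).
    """
    ale_before = annualised_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualised_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_ef), safeguard.residual_aro
    )
    return round(ale_before - ale_after - safeguard.annual_cost, 2)


def recommend(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> str:
    """Risk response suggested by the numbers alone: 'mitigate' or 'accept'."""
    return "mitigate" if safeguard_value(asset_value, ef, aro, safeguard) > 0 else "accept"


# Figures from the deck: laptop worth $1,000 plus $9,000 of data; ransomware
# renders the data unusable (EF 90%) and hits a work computer every two years.
LAPTOP_VALUE = 10_000
RANSOMWARE_EF = 0.9
RANSOMWARE_ARO = 0.5

# Constructed candidate controls; costs and residual figures are assumptions.
# Backups do not stop the infection (ARO unchanged) but cut the loss to the
# cost of re-imaging the machine and restoring data (EF 10%).
NIGHTLY_BACKUP = Safeguard("nightly off-host backups", 600, residual_ef=0.1, residual_aro=0.5)
# A premium endpoint product makes infection much rarer (ARO 0.1) but, with no
# backup, a successful infection still destroys the data (EF unchanged).
PREMIUM_EDR = Safeguard("premium EDR subscription", 5_000, residual_ef=0.9, residual_aro=0.1)

if __name__ == "__main__":
    sle = single_loss_expectancy(LAPTOP_VALUE, RANSOMWARE_EF)
    ale = annualised_loss_expectancy(sle, RANSOMWARE_ARO)
    print(f"SLE = ${sle:,.2f}, ALE = ${ale:,.2f}")
    for control in (NIGHTLY_BACKUP, PREMIUM_EDR):
        value = safeguard_value(LAPTOP_VALUE, RANSOMWARE_EF, RANSOMWARE_ARO, control)
        verdict = recommend(LAPTOP_VALUE, RANSOMWARE_EF, RANSOMWARE_ARO, control)
        print(f"{control.name}: net value ${value:,.2f} per year -> {verdict}")
```

  • Running it reproduces SLE = $9,000 and ALE = $4,500 for the laptop, then shows that the backup control (assumed $600 a year) is worth $3,400 a year while the premium EDR (assumed $5,000 a year) has a net value of -$1,400, i.e. it costs more than the loss it prevents, which is exactly the situation in which accepting the risk is the justified choice.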
    • Avoid Risk: If a company decides to eliminate the activity that leads to the risk, that would be risk avoidance. A bank might decide that all employees’ computers cannot access the Internet to protect its systems against all online threats. An organisation might instruct its employees to work exclusively using the workstations on its premises to prevent data from being stolen.
    • Transfer Risk: A company might consider the risk too high to handle, so it decides to purchase insurance. That would be risk transference or risk sharing. A publishing house might buy insurance against fire, for instance.
    • Mitigate Risk: A company might invest in countermeasures to reduce risk to an acceptable level; this would be risk mitigation. To protect against computer viruses, a company might install antivirus on all its computers instead of blocking access to the Internet and gluing the USB ports.
    • Accept Risk: Sometimes, the countermeasure cost exceeds the loss incurred if the risk is realised; in that case, the organisation may knowingly accept the risk rather than pay more to prevent it than it would lose.
    • It is important to stress that "Ignore Risk" is not a valid choice. Accepting a risk does not mean the risk is ignored. It means the risk is analysed along with its impact and countermeasures; however, some reasons justify keeping things unchanged. One reason might be that the countermeasure is too expensive compared to the potential loss. Another reason might be that implementing a countermeasure would significantly alter the business process.