Cyber Security Risk Management
How do we know that a risk has been addressed? Name at least two of the four conditions.
AAEA • Approval of an Exception Request (Accept) • Approval of a Mitigation Plan (Mitigation or Transfer) • Elimination of the Vulnerability (Remediation, a form of Mitigation) • Activity Causing the Exposure is Ceased (Avoid)
Name risk mitigation plan approaches and describe each briefly.
ALP • Alleviation - Implement controls to prevent the threat • Limitation - Limit likelihood or effects with controls • Planning - Formal plan to prioritize, implement, and maintain controls.
Name three of the cyber-security program goals and explain each briefly.
BCC • Business Units to Identify & Remediate Risks. • Capability to Track Risks. • Consistency of Risk Assessments.
Name the three phases of the risk assessment engagement process and describe each briefly.
BIE+D • Build Asset-Based Threat Profiles • Identify Vulnerabilities • Evaluate Risks • Develop Security Strategy
Define security risk reviews and name five high-level steps to implement this process.
EGARR • Definition: a gap analysis of the environment against established policies and standards. It establishes an understanding of cyber security expectations, prioritizes the areas with the greatest business exposure, and separates must-haves from nice-to-haves. • Five high-level steps: - Establish an asset inventory. - Generate findings. - Analyze risk. - Risk decision. - Risk exceptions.
Describe threat and vulnerability management workflow.
FRA • The workflow defines how you will handle risk exposures. Three main steps: - Filter out low and moderate exposures. - Risk decision and mitigation planning. - Action and tracking.
Name three components of threat and vulnerability management.
SEDPD • Select a standard/baseline • Establish an asset inventory • Define your risk scales • Profile your environments (sensitivity) • Define a workflow for assessing vulnerabilities
What are the essential steps in building a cyber-security program?
SEDPD • Select a standard/baseline • Establish an asset inventory • Define your risk scales • Profile your environments (sensitivity) • Define a workflow for assessing vulnerabilities
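Added example (not from the original flashcards): the threat and vulnerability management workflow (filter, risk decision, action and tracking) implemented in Python on top of the SEDPD building blocks of a risk scale, an environment sensitivity profile and a common risk formula. The 1-5 likelihood and impact scales, the "likelihood x impact x sensitivity" formula, the score thresholds, the environment names and the sample findings are all assumptions chosen for illustration, not values taken from the page.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Decision(str, Enum):
    AVOID = "avoid"        # cease the activity causing the exposure
    ACCEPT = "accept"      # approved exception request
    MITIGATE = "mitigate"  # approved mitigation plan (remediation is one form)
    TRANSFER = "transfer"  # approved plan that shifts the risk, e.g. insurance


# Assumed environment profile: a sensitivity multiplier per environment.
ENV_SENSITIVITY = {"prod": 3, "staging": 2, "dev": 1}


def rate(score: int) -> str:
    """Assumed risk scale: map a numeric score to a rating (thresholds are illustrative)."""
    if score >= 45:
        return "critical"
    if score >= 25:
        return "high"
    if score >= 10:
        return "moderate"
    return "low"


@dataclass
class Finding:
    asset: str
    env: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def score(self) -> int:
        # Assumed common risk formula: likelihood x impact x environment sensitivity.
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact * ENV_SENSITIVITY[self.env]


@dataclass
class RiskRecord:
    """Tracking record for one exposure that survived the filter step."""
    finding: Finding
    rating: str
    decision: Optional[Decision] = None
    owner: Optional[str] = None
    due: Optional[date] = None
    status: str = "open"


def filter_exposures(findings: List[Finding]) -> List[RiskRecord]:
    """Step 1 (Filter): drop low/moderate exposures; only high/critical reach a risk decision."""
    records = []
    for f in findings:
        rating = rate(f.score())
        if rating in ("high", "critical"):
            records.append(RiskRecord(f, rating))
    return records


def decide(rec: RiskRecord, decision: Decision, owner: str,
           due: Optional[date], exception_approved: bool = False) -> RiskRecord:
    """Step 2 (Risk decision and mitigation planning): accepting requires an approved exception."""
    if decision is Decision.ACCEPT and not exception_approved:
        raise ValueError("accepting a risk requires an approved exception request")
    rec.decision, rec.owner, rec.due = decision, owner, due
    rec.status = "accepted" if decision is Decision.ACCEPT else "planned"
    return rec


def track(records: List[RiskRecord], today: date) -> dict:
    """Step 3 (Action and tracking): summarise what is undecided, on track, overdue or accepted."""
    summary = {"undecided": 0, "on_track": 0, "overdue": 0, "accepted": 0}
    for r in records:
        if r.decision is None:
            summary["undecided"] += 1
        elif r.decision is Decision.ACCEPT:
            summary["accepted"] += 1
        elif r.due is not None and r.due < today:
            r.status = "overdue"
            summary["overdue"] += 1
        else:
            summary["on_track"] += 1
    return summary


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("web-01", "prod", "Outdated TLS library", 4, 4),          # 48 -> critical
    Finding("db-01", "prod", "Default admin account enabled", 3, 5),   # 45 -> critical
    Finding("ci-01", "staging", "Verbose error pages", 2, 2),          # 8  -> low
    Finding("dev-07", "dev", "Weak SSH cipher", 3, 3),                 # 9  -> low
    Finding("app-02", "staging", "Missing rate limiting", 4, 4),       # 32 -> high
]


def run_workflow(today: date = date(2024, 6, 1)):
    """Run all three steps on the constructed sample and return (records, summary)."""
    records = filter_exposures(SAMPLE_FINDINGS)
    decide(records[0], Decision.MITIGATE, "platform-team", date(2024, 5, 15))
    decide(records[1], Decision.AVOID, "dba-team", date(2024, 6, 30))
    decide(records[2], Decision.ACCEPT, "app-owner", None, exception_approved=True)
    return records, track(records, today)


if __name__ == "__main__":
    recs, summary = run_workflow()
    for r in recs:
        print(f"{r.finding.asset:8} {r.rating:9} {r.decision.value:9} {r.status}")
    print(summary)
```

The filter step is where the "200 page report" pitfall is avoided: only the three high/critical exposures become tracked records, and an accept decision without an approved exception is rejected rather than silently closing the item.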
List the cyber-security program prerequisites.
SMECE • Security Policies, Standards and Baselines • Mapping of Risk Domains to Business Objectives • Establish an asset inventory. • Common Risk Formula • Enterprise Risk Committee
What is cyber-security's role in business and IT decision making?
UMPS • Understand immediate versus high-likelihood exposures. • Map risk exposure to business objectives. • Provide knowledgeable facts. • Soft costs (costs that are not directly visible, e.g. reputational damage). • Fear, uncertainty and doubt (FUD): not to be used as a hammer.
Define risk evaluation and name steps that leaders can take to manage identified risks.
UMPS • Understand immediate versus high-likelihood exposures. • Map risk exposure to business objectives. • Provide knowledgeable facts. • Soft costs (costs that are not directly visible, e.g. reputational damage). • Fear, uncertainty and doubt (FUD): not to be used as a hammer. • Steps leaders can take: - Avoid - Accept - Mitigate - Transfer
Name at least three of the main cyber security components to incorporate into the project life cycle.
VRR • During the planning phase of the project life cycle: - Vendor due diligence. - Review of ERDs (entity-relationship diagrams) and DFDs (data-flow diagrams). - Risk planning.
Name two risk assessment techniques and describe the concept of active vs passive testing.
• Active testing: actively attacking or exercising the target, so it can affect running systems. Example: penetration testing. • Passive testing: no impact on the running network. Example: application source code security review.
Name two of the pitfalls to avoid and explain each briefly.
• Don't run a security scan of the entire environment. A 200-page report helps no one: it is not actionable and scares executives off. • Don't try to identify and profile every system. That will come with time. Focus on priorities first.
Explain the security zoning principle.
• Zoning should be part of a defense-in-depth strategy. • Put layers of security between the outside (attackers) and your most sensitive resources. • Example: three zones: low trust, lightly trusted, and secure trusted. • Ensure every connection between layers passes through appropriate security controls.
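Added example (not from the original flashcards): a Python lint that reviews a zone-to-zone allow list against the zoning principle above. It flags any rule that lets traffic skip a layer, any crossing between zones that names no security control, and any crossing that allows every port. The zone names, the trust ordering, the rule fields, the control labels and the sample rules are assumptions for illustration; the checker reviews a policy before deployment, it does not enforce it (the firewall does that).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed trust ordering: higher number = more trusted, further from the attacker.
ZONES = {"low-trust": 0, "lightly-trusted": 1, "secure-trusted": 2}


@dataclass(frozen=True)
class Rule:
    """One allow-list entry; anything not listed is assumed denied by default."""
    src: str
    dst: str
    port: Optional[int]            # None means "any port"
    control: Optional[str] = None  # assumed labels, e.g. "waf", "mtls", "egress-proxy"


def check_zone_policy(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for every rule that breaks the layering principle."""
    violations = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            violations.append((r, "unknown zone"))
            continue
        hop = abs(ZONES[r.dst] - ZONES[r.src])
        if hop == 0:
            continue  # intra-zone traffic is out of scope for the zoning check
        if hop > 1:
            # Both inbound (attacker -> secure) and outbound (secure -> attacker) skips are flagged.
            violations.append((r, "skips a layer; traffic must traverse each zone"))
            continue
        if r.control is None:
            violations.append((r, "crossing between zones has no security control"))
        if r.port is None:
            violations.append((r, "crossing allows any port; restrict to the required service"))
    return violations


def reasons(rules: List[Rule]) -> List[str]:
    """Convenience wrapper returning only the reason strings."""
    return [reason for _, reason in check_zone_policy(rules)]


# Constructed sample policy (not from any real environment).
SAMPLE_RULES = [
    Rule("low-trust", "lightly-trusted", 443, "waf"),                 # ok
    Rule("lightly-trusted", "secure-trusted", 5432, "mtls"),          # ok
    Rule("low-trust", "secure-trusted", 22, "bastion"),               # skips a layer
    Rule("lightly-trusted", "secure-trusted", 3306, None),            # no control
    Rule("secure-trusted", "lightly-trusted", None, "egress-proxy"),  # any port
    Rule("secure-trusted", "low-trust", 443, "egress-proxy"),         # skips a layer outbound
]


if __name__ == "__main__":
    for rule, why in check_zone_policy(SAMPLE_RULES):
        port = "any" if rule.port is None else rule.port
        print(f"{rule.src} -> {rule.dst} port {port}: {why}")
```

Treating outbound layer skips as violations is deliberate: a direct path from the secure zone to the low-trust zone is an exfiltration route, so egress should also step through the middle zone and its controls.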