The risk management process is a way of achieving a structured approach to the management of risk in IT organizations. Consistently implemented, it allows risks to be identified, analyzed, evaluated, and managed in a uniform, efficient and focused manner. In this article, we describe most of the risk management processes addressed in the CompTIA Security+ Certification, which is a standard for recognizing competence in the IT security landscape.
Understanding the Context of Risk Management
Risk assessment and a mitigation strategy are part of the process of managing risks in many organizations worldwide. This type of approach represents a critical piece of work within the security domain, as it includes the identification and evaluation of a potential risk and its impact. The risk process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong.
Three concepts are important to consider when risk assessment is established, namely:
The external context: the environment in which the entity operates (e.g., the cultural, financial and political setting of the company) and the potential impact that a risk can produce.
The internal context: includes factors within the entity that are relevant to the risk assessment such as objectives, strategy, organizational capabilities, culture, etc.
The risk management context: the goals and objectives of the risk management activity. For example, determining who is responsible for each component and what is in scope.
Risk Management Concepts
Throughout this section, some of the most well-known concepts in risk management are described. These concepts are adopted by IT companies, and by information security specialists. Figure 1 below depicts the concepts herein discussed.
Figure 1: General workflow of the risk management process.
The main goal of risk identification is to recognize all the possible risks, not to eliminate risks from the analysis nor to develop solutions for mitigating them (those functions are carried out during the risk treatment and mitigation steps). A disciplined process typically involves the use of checklists of potential risks and an evaluation of the likelihood that those events might happen. For example, some companies develop risk checklists based on experience from past incidents and projects.
Risk identification can be carried out through the following activities:
- Identification of assets: anything that has value to the organization and which therefore requires protection (software or hardware) — network, website, organization’s infrastructure, business processes, web servers, computers, mobile devices, etc.
- Identification of threats: theft of media or documents, tampering with hardware and software, eavesdropping, software malfunction, etc.
- Identification of existing controls: work costs, infrastructure security plan — in general, it’s an opportunity to make a check to ensure that the controls are working correctly (e.g., information obtained from previous audits).
- Identification of vulnerabilities: via pentesting audits, code review, management routines, etc.
- Identification of consequences: the damage to the organization that an incident scenario could cause.
Risk analysis quantifies the likelihood that a particular risk will have an impact and its frequency of occurrence. Afterwards, by combining these two factors, one can determine the severity of the risk, which may be either positive or negative. Although there are many ways of calculating risk, a generic form is based on a matrix called a risk heat map, illustrated in Table 1 below.
Table 1: Example of a risk heat map matrix.
This table is a vital piece of work that gives any organization the capacity to map the risk of its ecosystem and to get an overview of the security risk to its internal processes and strategy.
Risk evaluation determines the tolerability of each risk. It should be noted that tolerability is different from severity. Tolerability determines which risks need treatment and their relative priority. This can be achieved by comparing the risk severity established in the risk analysis step with the risk criteria, generally found in the consequence criteria already defined in Table 1 above.
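As an added illustration of the analysis and evaluation steps above (example code, not part of the original article), this Python snippet scores a constructed risk register on a 5x5 heat map and returns the risks whose band exceeds an assumed tolerability threshold; the ordinal scales, the band thresholds and the sample entries are all assumptions made for the example.

```python
from dataclasses import dataclass

# Ordinal scales; the numeric scores and the thresholds below are assumptions
# chosen for this example, not values from the article.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high"]  # ordered from least to most severe


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT


def severity(risk: Risk) -> int:
    """Risk analysis step: severity = likelihood x impact (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(score: int) -> str:
    """Map a severity score onto a heat-map band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def heat_map() -> list[list[str]]:
    """The heat map as a grid: rows = likelihood (1..5), columns = impact (1..5)."""
    return [[band(l * i) for i in range(1, 6)] for l in range(1, 6)]


def evaluate(register: list[Risk], tolerance: str = "low") -> list[Risk]:
    """Risk evaluation step: risks whose band exceeds the tolerable band,
    most severe first, i.e. the treatment priority list."""
    tolerated = BANDS.index(tolerance)
    needing_treatment = [r for r in register if BANDS.index(band(severity(r))) > tolerated]
    return sorted(needing_treatment, key=severity, reverse=True)


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("web server", "software malfunction", "possible", "major"),
    Risk("laptops", "theft of media or documents", "likely", "major"),
    Risk("printer", "tampering with hardware", "rare", "minor"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER):
        print(f"{band(severity(r)):6} {severity(r):2}  {r.asset}: {r.threat}")
```

Raising the tolerance argument to "medium" models an organization whose risk criteria accept medium-band risks, leaving only the high-band entries on the treatment list.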
Risk Treatment / Risk Reduction
Once the particular risk has been identified, a risk mitigation plan should be developed. This is a plan to minimize and contain the impact of an unexpected event.
Risk treatment options can be grouped into different categories:
- Risk avoidance: involves developing alternative strategies that have a higher probability of success but a higher associated cost.
- Risk Partnering: involves working with others to mitigate risk.
- Risk mitigation: an investment of funds to reduce the identified risks.
- Risk transfer: this is a risk reduction method that shifts the risk to another party.
Communication and Consultation
Risk communication is a process that interacts bidirectionally with all other processes of risk management. Communication and consultation is an essential attribute of good risk management. Risk management cannot be controlled and managed in an isolated environment — it’s fundamentally communicative and consultative.
Good risk communication:
- encourages stakeholder engagement and accountability
- should be used to its full extent
- meets the requirements of all internal and external stakeholders involved in the process
- allows expert opinion to be brought in
- allows other entity processes, such as corporate planning and resource allocation, to be informed.
Monitoring and Review
This is an ongoing process in which security controls are continuously monitored. Business requirements, vulnerabilities, and threats can change at any time. Monitoring and review can be both periodic and based on trigger events or changing circumstances.
In this sense, the key objectives of risk monitoring and review can include:
- tracking changes in the cyber threat landscape
- the capacity to identify new types and kinds of cyber-attacks and threats
- maintaining a proactive stance towards the cyber risk environment
- analyzing and learning lessons from events, including near-misses, successes, and failures.
It is important to note that any updates, revisions, or modifications made to the risk management process should be documented, and a version history kept as well.
Article published in Infosec Institute by Pedro Tavares
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.