In this course, we continue covering risk management, because understanding risk is key to implementing the risk management framework. You need to understand the principles and concepts of risk management and how to apply them under multiple scenarios. It is also important to understand what activities the risk professional is expected to perform, such as providing accurate reporting on the levels of risk based on risk identification, assessment and analysis. To facilitate the risk assessment process, we use threat modeling. Threat modeling looks at the environment, systems or applications from an attacker's point of view and tries to determine the vulnerabilities the attacker would exploit. The proactive approach to threat modeling, also known as defensive threat modeling, takes place in the early stages of system development. We'll discuss system development life cycles later in this course. The reactive approach to threat modeling, also known as adversarial threat modeling, takes place after the product has been created and deployed. This is the core concept behind penetration testing, ethical hacking, fuzz testing and source code reviews. We then recommend the use of mitigating information system controls, or enable the deployment of new business systems and initiatives. Remember, senior management ultimately makes the final decision on the level of security expenditures and the risk it is willing to accept, but it relies on information security professionals to act as advisers. They provide competent risk assessments, manage the information security program and function, and recommend controls that support the organization's security requirements and are cost effective. Remember, vulnerabilities and risks are evaluated based on their threat against one or more of the triad components: confidentiality, integrity and availability. Said another way, all security controls, mechanisms and safeguards are implemented to provide one or more of these principles.
And all risks, threats and vulnerabilities are measured for their potential to compromise one or more of the triad principles. We classify and categorize our systems and establish the impact a threat or vulnerability may pose to our business or mission if it materialized. An excellent example of categorization can be found in NIST Federal Information Processing Standard FIPS 199 and in NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, which we discussed in a previous module. Classification and categorization are used to help standardize defensive baselines for information systems and the level of suitability and trust an employee may need to access information. By consolidating data of similar categorizations and classifications, you will be able to realize the scale of security controls needed for the specific threats and vulnerabilities identified during your vulnerability assessments. Under FIPS 199, categorization is the process of determining the impact to an organization of a loss of confidentiality, integrity or availability of information. Public information on a web page may be categorized as having low impact if it were not available. However, if the system holding the designs for the company's new clean power plant were lost, it could cause the company to go bankrupt, so it might be categorized as high impact. The FIPS 199 classifications include low impact, which means a limited adverse effect on operations, missions, assets, financial loss or individuals; moderate impact, which means a serious adverse effect on operations, missions, assets, financial loss or individuals; and high impact, which means a severe or catastrophic adverse effect on operations, missions, assets, financial loss or individuals, in other words, loss of life or life-threatening injury. This screen shows the NIST SP 800-30 process for conducting risk assessments within organizations.
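The high-water mark rule behind the categorization just described is easy to get wrong by hand when a system handles several information types, so here is a small worked implementation. It is an added example, not material from the course or from NIST; the information types, their names and the impact values assigned to them are constructed for illustration and mirror the two cases in the lecture (a public web page and the power plant designs).

```python
"""FIPS 199 high-water-mark categorization (added example; not course material).

The information types and impact values below are constructed for illustration.
"""
from typing import Dict, Iterable

# Impact levels ordered from lowest to highest. FIPS 199 permits NOT_APPLICABLE
# only for the confidentiality objective of an information type that is public.
LEVELS = ("NOT_APPLICABLE", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def rank(level: str) -> int:
    """Position of an impact level in the ordering; rejects unknown values."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def validate_information_type(it: Dict[str, str]) -> None:
    """Reject impact assignments FIPS 199 does not allow for an information type."""
    for objective in OBJECTIVES:
        level = it[objective]
        rank(level)  # raises on an unknown level
        if level == "NOT_APPLICABLE" and objective != "confidentiality":
            raise ValueError(
                f"{it['name']}: NOT_APPLICABLE is only allowed for confidentiality")


def categorize_system(information_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Apply the high-water mark: for each security objective, the system's
    impact is the highest impact of any information type it handles.
    The floor is LOW, because FIPS 199 allows only LOW, MODERATE or HIGH at
    the system level (no NOT_APPLICABLE)."""
    category = {objective: "LOW" for objective in OBJECTIVES}
    for it in information_types:
        validate_information_type(it)
        for objective in OBJECTIVES:
            if rank(it[objective]) > rank(category[objective]):
                category[objective] = it[objective]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Single impact level for the system: the highest of the three objectives.
    FIPS 200 uses this value to select the security control baseline."""
    return max(category.values(), key=rank)


# Constructed sample: the two cases from the lecture handled by one system.
SAMPLE_INFORMATION_TYPES = [
    {"name": "public web content",
     "confidentiality": "NOT_APPLICABLE", "integrity": "LOW", "availability": "LOW"},
    {"name": "power plant design documents",
     "confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
]


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print("SC system =", sc, "overall:", overall_impact(sc))
```

Note that adding the low-impact public web content to the same system does not lower anything: the power plant designs drive confidentiality and integrity to HIGH, so the system as a whole is categorized HIGH and inherits the HIGH control baseline. That is the practical argument for keeping high-impact information on its own system rather than co-hosting it with public content.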
This is a generic model based on NIST SP 800-37 and is taken right out of NIST SP 800-30, Guide for Conducting Risk Assessments. This screen illustrates the activities associated with the risk assessment process. You should be familiar with this process, which in a nutshell is: determining the value of assets and information, identifying threats, identifying vulnerabilities, determining the likelihood, determining the impact, determining the risk, reporting findings and selecting countermeasures. If we look at this picture, the first step is to prepare for the assessment. Here you are establishing the context for the risk assessment: identifying the purpose and scope of the assessment, and identifying the assumptions, constraints, inputs, the risk model, et cetera. The second step is where the assessment is conducted. You analyze threats and vulnerabilities, impacts and likelihoods, and gather the essential information to identify risks that can be prioritized by risk level and used for the risk response decision. We identify the threat sources and the threat events produced by those sources, identify vulnerabilities that could be exploited, determine the likelihood that a threat source would initiate an event and be successful at it, determine the impacts to the organization, and determine the risk. The third step is to communicate the assessment results. And finally, the fourth step is to maintain the assessment. This is where we keep the specific knowledge of the risk current, incorporating any changes detected through the risk monitoring process. This screen shows you the four steps I just described. Here you see that each step is divided into a set of tasks. For each task, supplemental guidance provides additional information for organizations conducting the risk assessment. We're going to spend some time here, and I will talk through these tasks and their subtasks. The first task is prepare, and its first subtask is identifying the purpose of the assessment.
What we are looking for here is the information that the assessment is intended to produce and the decisions the assessment is intended to support. Organizations can provide guidance on how to capture and present the information produced during the risk assessment, such as an organizational template. Appendix K of NIST Special Publication 800-30 provides an example of a risk assessment report template, or the preferred vehicle for risk communications. The next subtask is identify scope. Under this subtask we are looking at organizational applicability, the time frame supported, and architectural or technology considerations. The organization is identifying the scope of the risk assessment in terms of organizational applicability, the period supported, and architectural or technology considerations. The scope of the risk assessment determines what will be considered in the assessment. The next subtask under the prepare task is identify assumptions and constraints. Here we look at assumptions, constraints, risk tolerance and priorities or trade-offs. We also consider threat sources, threat events, vulnerabilities and predisposing conditions, as well as likelihood, impact, risk tolerance, uncertainty and the analytical approach. As part of the risk framing step in the risk management process, organizations make explicit the specific assumptions, constraints, risk tolerances and priorities or trade-offs used within the organization to make investment and operational decisions. This information guides the organizational risk assessment. But when an organizational risk management strategy cannot be cited, the risk assessment needs to identify and document its own assumptions and constraints. By making assumptions and constraints explicit, there is greater clarity in the risk model selected for the risk assessment, and it increases the reproducibility and repeatability of the assessment results.
It also increases the opportunity for reciprocity among organizations. Threat sources considered during risk assessments are identified, and any assumptions related to the threat identification process have to be documented. Vulnerabilities and predisposing conditions considered during risk assessments are documented with enough detail that the work does not need to be repeated in each individual risk assessment. The final subtask under the prepare task is identify information sources. This entails providing descriptions of threats, vulnerabilities and impacts; descriptive information enables organizations to determine the relevance of threat and vulnerability information. Task two is conduct. The first subtask under task two is identify threat sources. In this step, organizations identify the threat sources of concern and determine the characteristics associated with them. For adversarial threat sources, the organization should assess the capabilities, intentions and targeting associated with the threat source. For non-adversarial threat sources, the organization should assess the potential range of effects from the threat source. NIST Special Publication 800-30 Appendix D provides a set of tables for use in identifying threat sources. Table D-1 provides a set of inputs to the threat source identification task. Table D-2 provides a taxonomy that can be used to identify and categorize threat sources. Tables D-3, D-4 and D-5 provide assessment scales for assessing the risk factors of adversarial threat sources with regard to capability, intent and targeting. Table D-6 provides an assessment scale for assessing the range of effects from threat events initiated by non-adversarial threat sources, and Tables D-7 and D-8 provide templates for summarizing and documenting the results of threat source identification and characterization. The next subtask under conduct is identify potential threat events.
Threat events are characterized by the threat sources that could initiate the event and, for adversarial events, by the tactics, techniques and procedures, also known as TTPs, used to carry out the attacks. Organizations define these threat events with sufficient detail to accomplish the purpose of the risk assessment. Appendix E of NIST Special Publication 800-30 provides a set of tables for use in identifying threat events. Table E-1 provides a set of inputs to the threat event identification task. Table E-2 provides representative examples of adversarial threat events expressed as tactics, techniques and procedures, in other words, TTPs. Table E-3 provides representative examples of non-adversarial threat events. Table E-4 provides values for the relevance of threat events to organizations, and finally Table E-5 provides a template for summarizing and documenting the results of threat event identification. The next subtask under conduct is identify vulnerabilities and predisposing conditions. The primary purpose of the vulnerability assessment is to understand the nature and degree to which organizations, missions or business processes, and information systems are vulnerable to the threat sources identified in Task 2-1 of NIST Special Publication 800-30 and to the threat events identified in Task 2-2 that can be initiated by those threat sources. Once the risks associated with a particular vulnerability have been assessed, the severity and exposure of the vulnerability, given the security controls implemented and the other vulnerabilities present, can be taken into consideration in assessing vulnerability severity. The next subtask under conduct is determine likelihood. In this task, organizations assess the likelihood of threat event initiation by taking into consideration the characteristics of the threat sources of concern, including capability, intent and targeting.
Using the tables in Appendix D: if a threat event requires more capability than the adversary possesses, then the adversary is not expected to initiate the event. If adversaries do not expect to achieve their intended objectives by executing the threat event, then they are not expected to initiate the event. And finally, if adversaries are not actively targeting specific organizations or their missions or business functions, they are not expected to initiate the event. Organizations use the assessment scale in Table G-2 of NIST Special Publication 800-30 and provide a rationale for the assessment, allowing explicit consideration of deterrence and threat shifting. For non-adversarial threat events, organizations assess the likelihood of occurrence using Table G-3 and provide a similar rationale for the assessment. The overall likelihood of a threat event is a combination of the likelihood that the event will occur due to human error or natural disaster, or be initiated by an adversary, and the likelihood that the initiation or occurrence will result in an adverse impact. The next subtask is determine impact. For this task, organizations describe adverse impacts in terms of the potential harm caused to the organization's operations and assets, individuals, other organizations or the nation. Where the threat event occurs, and whether the effects of the event are contained or spread, will influence the severity of the impact. Assessing impact, also known as impact magnitude, can involve identifying assets or potential targets of threat sources, including information resources, people and physical resources, which could be affected by the threat event. The impact magnitudes are based on the FIPS 199 assessment.
The impact is determined based on the impact from the vulnerability. For example: high, if it results in the highly costly loss of major tangible assets or resources, significantly violates, harms or impedes the organization's mission, reputation or interest, or results in human death or serious injury; medium, if it results in the costly loss of tangible assets or resources, violates, harms or impedes the organization's mission, reputation or interest, or results in human injury; low, if it results in the loss of some tangible assets or resources, or noticeably affects the organization's mission, reputation or interest. The last subtask under task two, conduct, is determine risk. In this task, the organization assesses the risk from threat events as a combination of likelihood and impact. The level of risk associated with identified threat events represents a determination of the degree to which the organization is threatened by the threat event. As a result of the risk assessment, organizations can prioritize the list of threat events based on their concern and impact to the organization, with the greatest attention going to the highest-risk events. In general, the risk level is typically not higher than the impact level, and likelihood can serve to reduce the risk below that impact level. Appendix I of NIST Special Publication 800-30 provides a set of tables an organization can use for determining risk. Task three, communicate (reporting), has two subtasks. The first is communicate risk assessment results. In this task we communicate the risk assessment results either formally or informally: executive briefings, risk assessment reports, dashboards, et cetera. The organization prioritizes risks at the same level or with similar scores as depicted in Appendix J of NIST Special Publication 800-30. Appendix K of 800-30 provides an example of the types of information that could be included in a risk assessment report, or preferred vehicle for risk communication.
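The likelihood gating rules (capability, intent, targeting), the combination of initiation likelihood with the likelihood of adverse impact, and the "risk never exceeds impact" rule just described fit together into a short pipeline, shown here as an added example that is not part of the course or of NIST SP 800-30. The matrices and combining rules in it are constructed for this example, labelled as such in the code, and are not transcriptions of Tables G-2, G-5 or I-2; the "weakest factor" and "lower of the two likelihoods" rules are simplifying assumptions, and the sample threat events are invented.

```python
"""Risk determination pipeline (added example; not course or NIST material).

Models the SP 800-30 reasoning from the lecture: adversarial likelihood of
initiation is gated by capability, intent and targeting; overall likelihood
combines initiation with the likelihood of adverse impact; risk combines
overall likelihood with impact and never exceeds the impact level. The
combining rules and RISK_MATRIX are constructed for this example and are
NOT copies of Tables G-2, G-5 or I-2 in SP 800-30; check against Appendices
G and I before using them in a real assessment.
"""
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


def likelihood_of_initiation(required_capability: Level, adversary_capability: Level,
                             intent: Level, targeting: Level) -> Level:
    """Adversarial threat event. Each of the three gating rules from the
    lecture drives initiation to VERY_LOW; otherwise the weakest of the three
    factors bounds the likelihood (the weakest-factor rule is an assumption)."""
    if adversary_capability < required_capability:
        return Level.VERY_LOW  # adversary lacks the capability the event requires
    if intent == Level.VERY_LOW:
        return Level.VERY_LOW  # adversary does not expect to achieve its objective
    if targeting == Level.VERY_LOW:
        return Level.VERY_LOW  # adversary is not actively targeting the organization
    return Level(min(adversary_capability, intent, targeting))


def overall_likelihood(initiation: Level, adverse_impact_likelihood: Level) -> Level:
    """Combine likelihood of initiation (or occurrence, for non-adversarial
    events) with the likelihood that it results in adverse impact. Taking the
    lower of the two is a conservative simplification (an assumption)."""
    return Level(min(initiation, adverse_impact_likelihood))


# Constructed matrix indexed [likelihood][impact]. It encodes the lecture's
# rule: risk is never higher than impact, and low likelihood pulls risk below
# the impact level.
RISK_MATRIX = {
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW,      Level.LOW],
    Level.LOW:       [Level.VERY_LOW, Level.LOW,      Level.LOW,      Level.LOW,      Level.MODERATE],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.HIGH,     Level.VERY_HIGH],
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW,      Level.MODERATE, Level.HIGH,     Level.VERY_HIGH],
}


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Risk as a combination of overall likelihood and impact."""
    return RISK_MATRIX[likelihood][impact]


def matrix_respects_impact_cap() -> bool:
    """Check the lecture's invariant (risk <= impact) over every cell."""
    return all(risk_level(lk, im) <= im for lk in Level for im in Level)


def prioritize(events: List[Tuple[str, Level, Level]]) -> List[Tuple[str, Level]]:
    """Rank (name, overall likelihood, impact) threat events by risk, highest first."""
    scored = [(name, risk_level(lk, im)) for name, lk, im in events]
    return sorted(scored, key=lambda e: e[1], reverse=True)


# Constructed scenario: three threat events against the power plant design system.
SAMPLE_EVENTS = [
    ("credential phishing of design engineers",
     overall_likelihood(likelihood_of_initiation(Level.MODERATE, Level.HIGH,
                                                 Level.HIGH, Level.HIGH), Level.HIGH),
     Level.HIGH),
    ("supply chain compromise requiring very high capability",
     overall_likelihood(likelihood_of_initiation(Level.VERY_HIGH, Level.MODERATE,
                                                 Level.HIGH, Level.HIGH), Level.HIGH),
     Level.VERY_HIGH),
    ("regional power outage (non-adversarial, Table G-3 style likelihood)",
     overall_likelihood(Level.LOW, Level.MODERATE),
     Level.MODERATE),
]


if __name__ == "__main__":
    for name, risk in prioritize(SAMPLE_EVENTS):
        print(f"{risk.name:9s} {name}")
```

The second sample event illustrates the point the lecture makes about impact and likelihood: the impact is VERY_HIGH, but because the adversary's capability is below what the event requires, initiation drops to VERY_LOW and the resulting risk lands at LOW, well under the impact level. Recording the rationale next to each factor, as SP 800-30 asks for, is what makes that downgrade defensible when the assessment is reviewed.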
The second subtask is share risk-related information. This task is about sharing: organizations share source information and intermediate results and provide guidance on sharing risk-related information. Information sharing occurs primarily within organizations, through reports, briefings or by updating risk-related data repositories with supporting evidence for the risk assessment results. Information sharing is also supported by documenting the sources of information, the analysis process and intermediate results, so that risk assessments can be easily maintained. If the organization follows the Cybersecurity Framework, CSF, information sharing may also occur with other organizations or vendors. The final task is task four, maintain. It has two subtasks. The first is monitor risk factors. This is where we get into continuous monitoring. The organization monitors the risk factors it deems important or high impact on an ongoing basis, to ensure that the information needed to make credible risk-based decisions continues to be available over time. Monitoring risk factors can provide critical information on changing conditions that could potentially affect the ability of the organization to conduct core mission and business functions. Information derived from the ongoing monitoring of risk factors can be used to refresh risk assessments at whatever frequency the organization deems appropriate. The objective is to maintain ongoing situational awareness of the organization's governance structures and activities, missions or business processes, information systems and environment of operation, and all of the risk factors that may affect or impact the organization and its systems. The second subtask is update risk assessment. For this task, organizations determine the frequency of, and the circumstances under which, risk assessments are updated. This can include, for example, the current level of risk to, and the importance of, core organizational missions or business functions.
If significant changes have occurred since the risk assessment was conducted, organizations can revisit the purpose, scope, assumptions and constraints of the assessment to determine whether all tasks in the risk assessment process need to be repeated. Otherwise, the updates constitute subsequent risk assessments, identifying and assessing only how selected risk factors have changed. The organization then communicates the results of subsequent risk assessments to entities across all risk management tiers, to ensure that responsible organizational officials have access to the critical information needed to make ongoing risk-based decisions. This screen simply states the benefits of the risk management framework process: it reduces risk through the use of a standard approved process, and it reduces documentation and training through standard forms and standard procedures. As we move toward the risk management framework process, you need to understand the difference between responsibility and accountability. Responsibility belongs to those who must ensure that the activities are completed successfully; this may be the CISO, the chief information security officer, or the CIO, the chief information officer. Accountability applies to those who either own the required resources or have the authority to approve the execution and accept the outcomes of an activity within specific risk management processes. This could be the authorizing official, AO, who grants the authorization to operate. On the screen, we have the risk management hierarchy. Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization. This figure illustrates a three-tiered approach to risk management, from strategic to tactical, that addresses risk-related concerns. Tier 1 is the organization level: for example, senior leadership providing the strategic vision and top-level goals and objectives for the organization.
Tier 2 is the mission and business process level: for example, middle leaders planning and managing projects. Tier 3 is the information system level: for example, individuals on the front lines developing, implementing and operating the systems supporting the organization's core missions and business processes. In order for this process to be successful, you need senior management commitment, the full support and participation of the IT team, competence of the risk assessment teams, user community awareness and cooperation, and ongoing evaluation and assessment of related mission risk. In summary, in this course we discussed risk management, potential risk impacts such as low, moderate or high, the risk assessment process, and the tasks associated with this process.