Tutorial 5 For Science Computer CyberSecurity


Tutorial Questions for Topic 5 and 6

1. Explain what risk management is.


- Risk management is the process of identifying vulnerabilities in an
organization’s information systems and taking carefully reasoned steps to
assure the confidentiality, integrity, and availability of all the components in
the organization’s information systems.
2. What is the main output from risk assessment activities?
- A list of documented vulnerabilities, ranked by criticality of impact.
3. Explain four basic strategies to control the risk from the vulnerabilities identified.
Prepare it as an infographic.

Threat agents will try to abuse and/or damage the assets owned by the asset
owners. The threats they pose to the assets are evaluated as risk. Asset owners,
who place monetary value on their assets, want to reduce the risk posed by the
threat agents and therefore put countermeasures in place to reduce it.

- Apply safeguards (avoidance)
o Avoidance attempts to prevent the exploitation of the vulnerability.
o This is the preferred approach, as it seeks to avoid risk in its entirety
rather than dealing with it after it has been realized.
o Three areas of control:
▪ Policy
▪ Training and education
▪ Technology
- Transfer the risk (transference)
o Transference is the control approach that attempts to shift the risk to
other assets, other processes, or other organizations.
o This allows the organization to transfer the risk associated with the
management of these complex systems to another organization with
established experience in dealing with those risks.
- Reduce the impact (mitigation)
o Mitigation attempts to reduce the impact of exploitation through
planning and preparation.
o Three types of plans:
▪ Disaster Recovery Planning (DRP)
▪ Business Continuity Planning (BCP)
▪ Incident Response Planning (IRP)
- Inform themselves of all of the consequences and accept the risk without
control or mitigation (acceptance)
o Acceptance of risk is doing nothing to close a vulnerability and
accepting the outcome of its exploitation.
o Acceptance is valid only when the organization has:
▪ Determined the level of risk
▪ Assessed the probability of attack
▪ Estimated the potential damage
▪ Performed a thorough cost-benefit analysis
▪ Evaluated controls using each appropriate feasibility
▪ Decided that the particular function, service, information, or
asset did not justify the cost of protection

4. Summarize the mitigation plans in the table below.

Plan | Description | Example | Possible deployment | Timeframe
--- | --- | --- | --- | ---
Incident Response Plan (IRP) | Actions an organization takes during incidents (attacks) | Lists of steps to be taken during disaster; intelligence gathering; information analysis | As incident or disaster unfolds | Immediate and real-time reaction
Disaster Recovery Plan (DRP) | Preparations for recovery should a disaster occur; strategies to limit losses before and during disaster; step-by-step instructions to regain normalcy | Procedures for the recovery of lost data; procedures for the re-establishment of lost services; shut-down procedures to protect systems and data | Immediately after the incident is labeled a disaster | Short-term recovery
Business Recovery Plan (BCP) | Steps to ensure continuation of the overall business when the scale of disaster requires relocation | Preparation steps for activation of secondary data centers; establishment of a hot site in a remote location | Immediately after it is determined that the disaster affects the continued operations of the organization | Long-term recovery

5. Explain mitigation strategy selection.


- The level of threat and the value of the asset play a major role in the selection of
a strategy.
- The following rules of thumb can be applied in selecting the preferred
strategy:
o When a vulnerability can be exploited, apply layered protection,
architectural design, and administrative controls to minimize the risk or
prevent this occurrence.
o When the attacker's cost is less than his/her potential gain, apply
protections to increase the attacker's cost.
o When the potential loss is substantial, apply design principles, architectural
designs, and technical and non-technical protections to limit the extent
of the attack, thereby reducing the potential for loss.
6. Explain why we do a CBA.
- The most common criterion for a project of information security controls and
safeguards is the economic feasibility of implementation.
- It begins by evaluating the worth of the information assets to be protected and
the loss in value if those information assets are compromised.
- It is only common sense that an organization should not spend more to
protect an asset than it is worth.
- The formal process to document this is called a cost-benefit analysis or an
economic feasibility study.
7. How do we conduct a CBA?

CBA: Asset Valuation

- Asset valuation is the process of assigning financial value or worth to each
information asset.
- The valuation of assets involves estimation of real and perceived costs
associated with the design, development, installation, maintenance,
protection, recovery, and defense against market loss and litigation.
- These estimates are calculated for each set of information-bearing systems or
information assets.
- There are many components to asset valuation.

CBA: Loss Estimates

- Once the worth of the various assets is estimated, examine the potential loss that
could result from the exploitation of a vulnerability or a threat occurrence.
- This process results in an estimate of the potential loss per risk.
- The questions that must be asked here include:
o What damage could occur, and what financial impact would it have?
o What would it cost to recover from the attack, in addition to the costs
above?
o What is the single loss expectancy for each risk?

CBA: ALE & ARO

- The expected value of a loss can be stated in the following equation:
o Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
where:
o SLE = Asset Value * Exposure Factor (EF)
- ARO is simply how often you expect a specific type of attack to occur per
year.
- SLE is the calculation of the value associated with the most likely loss from an
attack.
- EF is the percentage loss that would occur from a given vulnerability being
exploited.
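A worked computation of these quantities, added here as an example rather than taken from the tutorial. The asset values, exposure factors, rates of occurrence and control costs are constructed sample figures. The cost-benefit line (ALE before the control, minus ALE after it, minus the control's annual cost) is an assumed extension of the ALE relation the tutorial states, included because it is the comparison question 6 says a CBA exists to make: whether protecting the asset costs more than it is worth.

```python
# Added example, not from the tutorial: ALE / SLE / ARO with a cost-benefit check.
# Every figure below (asset values, EF, ARO, control costs) is a constructed sample value.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # worth of the information asset (currency units)
    exposure_factor: float  # EF: fraction of asset value lost when the vulnerability is exploited
    aro: float              # ARO: expected occurrences per year


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value * Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    return sle(risk.asset_value, risk.exposure_factor) * risk.aro


def cba(before: Risk, after: Risk, annual_cost_of_safeguard: float) -> float:
    """Cost-benefit of a control: ALE without it, minus ALE with it, minus its yearly cost.
    A positive result means the control pays for itself. This formula is assumed here
    (the standard textbook CBA); the tutorial states only the ALE and SLE relations."""
    return ale(before) - ale(after) - annual_cost_of_safeguard


def evaluate_controls():
    """Two constructed scenarios: a control that is justified and one that is not."""
    # Scenario A: a public web server worth 100,000; a defacement costs half its value and
    # is expected once every five years. A 3,000/year control cuts the ARO to 0.05.
    web_before = Risk("web server", 100_000, 0.5, 0.2)
    web_after = Risk("web server", 100_000, 0.5, 0.05)
    web_cba = cba(web_before, web_after, 3_000)

    # Scenario B: a 5,000 kiosk PC that gets reimaged about once a year (EF 0.8).
    # A 6,000/year control would cost more than the asset is worth.
    kiosk_before = Risk("kiosk PC", 5_000, 0.8, 1.0)
    kiosk_after = Risk("kiosk PC", 5_000, 0.8, 0.1)
    kiosk_cba = cba(kiosk_before, kiosk_after, 6_000)

    return {
        "web_sle": sle(100_000, 0.5),
        "web_ale_before": ale(web_before),
        "web_cba": web_cba,
        "web_control_justified": web_cba > 0,
        "kiosk_ale_before": ale(kiosk_before),
        "kiosk_cba": kiosk_cba,
        "kiosk_control_justified": kiosk_cba > 0,
    }


if __name__ == "__main__":
    for key, value in evaluate_controls().items():
        print(f"{key}: {value}")
```

Running it shows the web server control with a positive cost-benefit (ALE drops from 10,000 to 2,500 for 3,000 a year) and the kiosk control with a negative one (the 6,000 control exceeds the 4,000 annual loss it prevents), which is exactly the "do not spend more than the asset is worth" rule from question 6 expressed in numbers.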

8. Explain the flow and cycle of risk control in an organization, as in Figure 5.3.
1. We need to identify the information assets.
2. Then, prepare the ranked vulnerability risk worksheet.
3. Next, we need to develop the control strategy and plan.
4. We implement the controls.
5. We later assess the controls implemented.
6. We ask the question "Is the control adequate?".
7. If no, we need to go back to developing the control strategy and plan. Vice
versa.
8. If yes, we can proceed to planning for maintenance.
9. We would then have to measure the risks to the information asset.
10. We are then prompted with the question "Is the risk acceptable?".
11. If no, we would have to go back to developing the control strategy and plan.
Vice versa.
12. If yes, we will have to proceed to measure the risks to the information asset.
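The ranked vulnerability risk worksheet from step 2 and the "is the control adequate / is the risk acceptable" loop from steps 3 to 12, written out as working code. This is an added example and not from the tutorial or Figure 5.3: the 1 to 5 likelihood and impact scales, the control effectiveness percentages, the acceptable-risk threshold and the three sample assets are all assumed, since the tutorial prescribes the cycle but not a scoring scheme.

```python
# Added example, not from the tutorial: a ranked vulnerability risk worksheet and the
# "is the control adequate? / is the risk acceptable?" loop of the risk control cycle.
# The 1-5 likelihood and impact scales, the control effectiveness percentages, the
# acceptable-risk threshold and the sample assets are all assumed values.
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    asset: str
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)  # controls implemented so far

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact


# Assumed catalogue: each control removes this percentage of the risk still present.
CONTROL_EFFECTIVENESS = {
    "patch management": 60,
    "multi-factor authentication": 70,
    "offsite backups": 50,
    "network segmentation": 40,
}


def residual_risk(v: Vulnerability) -> float:
    """Risk left after every implemented control removes its share of what remained."""
    risk = float(v.inherent_risk())
    for control in v.controls:
        risk = risk * (100 - CONTROL_EFFECTIVENESS[control]) / 100
    return risk


def ranked_worksheet(vulns):
    """Step 2: the documented vulnerabilities ordered by criticality, highest risk first."""
    return sorted(vulns, key=lambda v: (-residual_risk(v), v.asset))


def risk_control_cycle(vulns, plan, acceptable_risk, max_rounds=5):
    """Steps 3-12: implement the next planned control for each vulnerability whose risk is
    not yet acceptable, reassess, and loop back to planning until every risk is acceptable
    or the plan is exhausted. `plan` maps a vulnerability name to its ordered control list."""
    log = []
    for round_no in range(1, max_rounds + 1):
        for v in ranked_worksheet(vulns):
            if residual_risk(v) <= acceptable_risk:
                continue  # risk acceptable: this asset moves on to maintenance
            pending = [c for c in plan.get(v.name, []) if c not in v.controls]
            if not pending:
                log.append((round_no, v.asset, "plan exhausted: accept, transfer or re-plan"))
                continue
            v.controls.append(pending[0])  # step 4: implement the control
            log.append((round_no, v.asset, f"implemented {pending[0]}"))
        if all(residual_risk(v) <= acceptable_risk for v in vulns):
            break  # step 10 answered "yes" for every asset
    return log


def demo():
    """Constructed worksheet for three assets; returns the vulnerabilities and the decision log."""
    vulns = [
        Vulnerability("customer database", "unpatched DBMS", 4, 5),
        Vulnerability("VPN gateway", "password-only login", 5, 4),
        Vulnerability("file server", "no offsite backup", 2, 3),
    ]
    plan = {
        "unpatched DBMS": ["patch management", "network segmentation"],
        "password-only login": ["multi-factor authentication"],
        "no offsite backup": ["offsite backups"],
    }
    log = risk_control_cycle(vulns, plan, acceptable_risk=6.0)
    return vulns, log


if __name__ == "__main__":
    vulns, log = demo()
    for entry in log:
        print(entry)
    for v in ranked_worksheet(vulns):
        print(f"{v.asset}: residual risk {residual_risk(v):.1f} with {v.controls}")
```

In the constructed run the database needs two rounds (patch management alone leaves it at 8, above the threshold of 6, so the cycle goes back to the plan and adds segmentation), the VPN gateway is acceptable after one control, and the file server never enters the loop because its inherent risk is already acceptable, which is the acceptance strategy from question 3 applied deliberately rather than by neglect.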
9. Read the example given (attachment: cybersecurity risk assessment). Summarize
the activities for identifying and assessing risk and the suggested controls to
overcome the risk.
- This assessment addresses the three most important factors in determining
"information risk" that affects the confidentiality, integrity and availability of
systems and data:
o An evaluation of natural and man-made threats;
o The existence and operational state of reasonably expected
cybersecurity controls; and
o The overall maturity of the IT security program, which focuses on the
current capabilities of the people, processes and technologies relied upon
to protect ACME.
Assessment of Natural and Man-Made Threats
When compensating factors are taken into account, ACME's exposure to natural and
man-made threats earns a MODERATE risk rating.
Assessment of Cybersecurity Controls
When compensating factors are taken into account, ACME's implementation of
reasonably expected cybersecurity controls would earn a MODERATE risk
rating.
Assessment of IT Security Program Maturity
ACME would earn a technology capability maturity rating of level 2, based on the
composite score for maturity of the cybersecurity controls assessed in
this assessment.
In summary, taking into account the assessed factors covered in this
report, ACME's overall IT security capabilities are in the early stages of maturity,
which exposes ACME to a moderate level of risk. This is based on the existing
people, processes and technologies in place to protect the confidentiality,
integrity and availability of ACME's data and systems.
