Unit 6 - Subjective Questions
INT242 • Practice Questions with Detailed Answers
Define Risk Management and explain the four main phases of the Risk Management Lifecycle.
Risk Management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters.
The Risk Management Lifecycle includes:
- Risk Identification: Determining which assets are at risk and what threats could exploit vulnerabilities. This involves creating an inventory of assets and recognizing potential threats.
- Risk Assessment: Analyzing the identified risks to determine their potential impact and likelihood. This can be quantitative (numerical) or qualitative (categorical).
- Risk Treatment (Response): Deciding how to handle the risk. Strategies include:
  - Avoidance: Discontinuing the activity causing the risk.
  - Mitigation: Implementing controls to reduce likelihood/impact.
  - Transfer: Moving risk to a third party (e.g., insurance).
  - Acceptance: Acknowledging the risk and operating within it.
- Risk Monitoring and Review: Continuously tracking identified risks and monitoring for new risks. This ensures compliance and efficacy of controls over time.
Differentiate between Quantitative and Qualitative Risk Assessment.
Quantitative Risk Assessment:
- Nature: Objective and numerical.
- Methodology: Uses mathematical formulas and historical data to calculate risk value.
- Key Metrics: Uses metrics like Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE).
- Formula:
- Usage: Best for cost-benefit analysis and financial justification.
Qualitative Risk Assessment:
- Nature: Subjective and descriptive.
- Methodology: Uses expert judgment, brainstorming, and scenarios to rank risks.
- Key Metrics: Uses scales such as High, Medium, Low, or color-coded heat maps (Red, Yellow, Green).
- Usage: Best for prioritizing risks quickly when hard data is unavailable or for intangible assets (like reputation).
Explain the relationship between Asset, Threat, Vulnerability, and Risk using a mathematical expression. Define each term.
The relationship is often expressed as:
- Asset: Anything of value to the organization (data, hardware, software, people, reputation) that needs protection.
- Threat: A potential cause of an unwanted incident that may result in harm to a system or organization (e.g., hackers, malware, natural disasters).
- Vulnerability: A weakness in an asset or control that can be exploited by a threat (e.g., unpatched software, open ports, weak passwords).
- Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.
Describe the four common risk response strategies: Avoidance, Acceptance, Transference, and Mitigation.
- Risk Avoidance: The organization decides to terminate the activity or system that introduces the risk. Example: Deciding not to store customer credit card data to avoid the risk of a breach.
- Risk Acceptance: The organization acknowledges the risk but decides the cost of mitigation outweighs the potential loss. Example: Accepting the risk of a minor server outage because redundancy is too expensive.
- Risk Transference (Sharing): The organization shifts the burden of loss to a third party. Example: Purchasing cyber liability insurance or outsourcing a risky process to a vendor.
- Risk Mitigation: The organization implements controls to reduce the likelihood or impact of the risk. Example: Installing a firewall and antivirus software to reduce the risk of malware.
What is Supply Chain Risk Management (SCRM) and why is it crucial in Vendor Management?
Supply Chain Risk Management (SCRM) involves identifying, assessing, and mitigating risks associated with the distributed and interconnected nature of IT products and service supply chains.
Importance in Vendor Management:
- Third-Party Vulnerabilities: Attackers often target smaller vendors with weaker security to gain access to larger target organizations (e.g., the Target breach via an HVAC vendor).
- Dependencies: Organizations rely on vendors for software, hardware, and cloud services. A failure or compromise at the vendor level impacts business continuity.
- Compliance: Organizations are often liable for data breaches that occur within their supply chain under regulations like GDPR or HIPAA.
- Hardware Tampering: SCRM helps prevent the introduction of compromised hardware (implants/backdoors) during the manufacturing or shipping process.
Explain the Vendor Lifecycle Management process from a security perspective.
The Vendor Lifecycle Management process ensures security is maintained throughout the relationship with a third party:
- Onboarding/Due Diligence: Before signing a contract, the organization assesses the vendor's security posture, financial stability, and compliance certifications (e.g., SOC 2, ISO 27001).
- Contracting: Establishing Service Level Agreements (SLAs) and security clauses. This defines the right to audit, data breach notification timelines, and liability.
- Ongoing Monitoring: Continuously reviewing the vendor's performance and security. This may involve periodic questionnaires, reviewing third-party risk ratings, or independent audits.
- Termination/Offboarding: The process of ending the relationship safely. It involves ensuring the vendor destroys or returns all organization data, revoking access credentials (VPNs, accounts), and settling final obligations.
Distinguish between a Security Audit and a Security Assessment.
Security Audit:
- Purpose: To verify compliance against a specific standard, regulation, or policy (check-box approach).
- Outcome: Pass/Fail or Compliant/Non-Compliant.
- Scope: Rigid, defined by the standard (e.g., PCI-DSS audit).
- Audience: Regulators, Board of Directors, External Stakeholders.
Security Assessment:
- Purpose: To identify vulnerabilities and risks to improve the security posture.
- Outcome: A list of findings, risk ratings, and recommendations for remediation.
- Scope: Flexible, defined by the organization's needs (e.g., Vulnerability assessment).
- Audience: IT Teams, Security Managers, Internal Stakeholders.
Compare Internal Audits and External Audits.
Internal Audit:
- Conducted by: Employees of the organization (Internal Audit Department).
- Objective: To prepare for external audits, improve internal processes, and ensure policy adherence.
- Cost: Lower cost (part of operational expenses).
- Bias: Potential for bias or conflict of interest.
External Audit:
- Conducted by: Independent third-party firms (e.g., Big 4 accounting firms, specialized security firms).
- Objective: To provide an unbiased opinion for certification or regulatory compliance.
- Cost: Higher cost (contracted service).
- Bias: Generally considered objective and impartial.
What is Data Classification? Describe a typical commercial data classification scheme.
Data Classification is the process of organizing data into categories for its most effective and efficient use and protection. It allows organizations to apply appropriate security controls based on the value and sensitivity of the data.
Typical Commercial Classification Scheme:
- Public: Data available to the general public. Disclosure causes no harm (e.g., Marketing brochures on a website).
- Internal/Private: Data for internal use only. Unauthorized disclosure could cause minor embarrassment or inconvenience (e.g., Organizational charts, internal memos).
- Confidential: Sensitive data. Disclosure could negatively impact the company’s operations, finances, or reputation (e.g., Pricing strategies, vendor contracts).
- Restricted/Top Secret: Highly sensitive data. Disclosure would cause severe financial or legal damage (e.g., Trade secrets, PII, mergers and acquisitions).
Explain the concept of Data Loss Prevention (DLP) and its three states of data protection.
Data Loss Prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
DLP protects data in three states:
- Data at Rest: Protecting data stored on hard drives, servers, or databases. Controls: Encryption, Access Control Lists (ACLs).
- Data in Motion (Transit): Protecting data moving across networks (internal or internet). Controls: TLS/SSL encryption, Network DLP monitoring.
- Data in Use: Protecting data currently being processed by an endpoint or application. Controls: Endpoint DLP agents, restricting copy/paste functions, blocking USB drives.
Discuss the importance of GDPR (General Data Protection Regulation) and list three of its key principles.
GDPR is a regulation in EU law on data protection and privacy. It is important globally because it applies to any organization that processes the data of EU citizens, regardless of the organization's location. Non-compliance can result in massive fines (up to 4% of global turnover).
Key Principles:
- Lawfulness, fairness, and transparency: Data must be processed legally and the subject must be informed.
- Data Minimization: Only collect data that is strictly necessary for the specified purpose.
- Storage Limitation: Data should not be kept longer than necessary.
- Integrity and Confidentiality: Data must be processed securely.
- Accountability: The data controller is responsible for demonstrating compliance.
Explain the concept of 'Separation of Duties' and 'Least Privilege' in the context of Personnel Policies.
These are fundamental internal control concepts:
1. Separation of Duties (SoD):
- Concept: No single individual should have the authority to complete a critical task from start to finish. The task is divided among two or more people.
- Goal: To prevent fraud and error.
- Example: The person who authorizes a purchase order should not be the same person who signs the check to pay for it.
2. Principle of Least Privilege (PoLP):
- Concept: Users, systems, and processes should be granted only the minimum level of access (privileges) necessary to perform their job functions.
- Goal: To limit the blast radius if an account is compromised.
- Example: A marketing employee should not have administrative access to the HR payroll database.
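An added illustration (not from these notes) of how the two principles become an automated access-review check: it flags users holding both halves of the purchase-order/cheque-signing task and users with entitlements beyond their role's baseline, such as the marketing employee with payroll-database admin rights. The entitlement names, role baselines and the user export are constructed assumptions.

```python
# Added example (not from the INT242 notes): an entitlement review that flags
# Separation-of-Duties conflicts and least-privilege violations in a constructed
# user-to-entitlement mapping. Conflict pairs and role baselines are assumed.

# Toxic combinations: no single person may hold both halves of a critical task.
SOD_CONFLICTS = {
    frozenset({"po:authorize", "payment:sign"}),   # the purchase-order / cheque example
    frozenset({"payroll:edit", "payroll:approve"}),
}

# Least-privilege baseline: the entitlements each job function actually needs.
ROLE_BASELINE = {
    "marketing": {"crm:read", "cms:edit"},
    "accounts_payable": {"po:authorize", "invoice:read"},
    "treasury": {"payment:sign", "bank:read"},
    "hr_admin": {"payroll:edit", "hr_db:admin"},
    "payroll_approver": {"payroll:approve"},
}

def sod_violations(entitlements: set[str]) -> list[frozenset]:
    """Return every conflicting pair this user holds in full."""
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]

def excess_privileges(role: str, entitlements: set[str]) -> set[str]:
    """Entitlements beyond what the role's baseline justifies."""
    return entitlements - ROLE_BASELINE[role]

def review(users: dict) -> dict:
    """Run both checks over {user: (role, entitlements)}; return findings per user."""
    findings = {}
    for user, (role, ents) in users.items():
        sod = sod_violations(ents)
        excess = excess_privileges(role, ents)
        if sod or excess:
            findings[user] = {"sod": sod, "excess": excess}
    return findings

# Constructed sample access-review export.
USERS = {
    "alice": ("accounts_payable", {"po:authorize", "invoice:read"}),
    "bob":   ("accounts_payable", {"po:authorize", "payment:sign"}),  # SoD conflict
    "carol": ("marketing", {"crm:read", "cms:edit", "hr_db:admin"}),  # excess privilege
    "dave":  ("hr_admin", {"payroll:edit", "hr_db:admin"}),
}

if __name__ == "__main__":
    for user, finding in review(USERS).items():
        print(user, finding)
```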
Why are 'Job Rotation' and 'Mandatory Vacation' considered security controls?
Job Rotation:
- Function: Moving employees between different jobs or tasks at regular intervals.
- Security Benefit: It reduces the risk of fraud/collusion because a new person taking over the role may discover irregularities or unauthorized activities conducted by the previous person. It also ensures redundancy in skills (availability).
Mandatory Vacation:
- Function: Requiring employees to take consecutive days off work where they have no access to systems.
- Security Benefit: It is primarily a fraud detection mechanism. If an employee is maintaining a fraud (e.g., cooking the books or hiding alerts), the fraud often collapses when they are not present to cover their tracks. Auditors can review the logs during their absence.
Describe the Onboarding and Offboarding processes for employees regarding cybersecurity.
Onboarding (Hiring):
- Background Checks: Verifying identity, criminal history, and references.
- NDA (Non-Disclosure Agreement): Signing legal documents to protect trade secrets.
- AUP (Acceptable Use Policy): Employee agrees to rules regarding system usage.
- Training: Initial security awareness training (phishing, passwords).
- Provisioning: Granting access rights based on the principle of least privilege.
Offboarding (Termination):
- Immediate Access Revocation: Disabling accounts (Active Directory, VPN, Cloud apps) immediately upon termination.
- Asset Return: Collecting laptops, badges, tokens, and keys.
- Exit Interview: Reminding the employee of ongoing NDA obligations.
- Data Wipe: Remote wiping of BYOD devices if they contained corporate data.
What is the 'Zero Trust' model in modern security governance? List its core tenets.
Zero Trust is a security framework that requires all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. It moves away from the 'castle-and-moat' perimeter defense.
Core Tenets:
- Never Trust, Always Verify: Treat every access attempt as if it originates from an open network.
- Least Privilege Access: Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA).
- Assume Breach: Operate with the mindset that the network is already compromised; inspect all traffic and segment the network (micro-segmentation) to limit lateral movement.
How has the trend of Remote Work impacted Security Governance and what policies are needed to address it?
Remote work has dissolved the traditional network perimeter, expanding the attack surface significantly.
Impacts:
- Increased use of unsecured home Wi-Fi networks.
- Higher reliance on personal devices (BYOD) for work.
- Lack of physical oversight.
Necessary Policies/Controls:
- VPN/ZTNA Policy: Mandating encrypted tunnels for accessing corporate resources.
- Endpoint Security: Enforcing Antivirus/EDR on remote devices before allowing connection.
- BYOD Policy: Clearly defining rights and liabilities for personal devices used for work.
- Strong Authentication: Mandating Multi-Factor Authentication (MFA) for all remote access.
Explain the concept of Data Sovereignty and its relevance in cloud computing compliance.
Data Sovereignty refers to the concept that data is subject to the laws and governance structures of the nation in which it is collected or stored.
Relevance in Cloud Computing:
- Cloud providers often distribute data across servers globally for redundancy and speed.
- However, laws like GDPR (Europe) or local privacy acts may restrict transferring citizen data outside the country.
- Compliance Challenge: Organizations must ensure their cloud provider allows them to pin data to specific geographic regions (e.g., 'US-East' only) to avoid violating sovereignty laws. Failure to do so can result in legal penalties.
Calculate the Annualized Loss Expectancy (ALE) if an asset is valued at $100,000, the Exposure Factor (EF) is 50%, and the Annualized Rate of Occurrence (ARO) is 0.1 (once every 10 years). Show the formula.
1. Calculate Single Loss Expectancy (SLE):
2. Calculate Annualized Loss Expectancy (ALE):
Result: The expected financial loss per year for this specific risk is $5,000.
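As an added worked example (not part of these notes), the quantitative SLE/ALE calculation beside a qualitative heat-map rating, run over a constructed two-entry risk register whose first entry is the $100,000 / 50% / 0.1 question above; it also carries the cost-benefit test that the quantitative method is described as best suited to. SLE = Asset Value × EF and ALE = SLE × ARO are the standard formulas behind the $5,000 result; the second register entry, the 1-3 rating scale and the band thresholds are assumptions.

```python
# Added example (not from the INT242 notes): quantitative SLE/ALE scoring next
# to a qualitative heat-map rating, over a constructed risk register.
# Standard formulas, which the page's $5,000 answer relies on:
#   SLE = Asset Value x Exposure Factor;  ALE = SLE x Annualized Rate of Occurrence
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset_value: float      # monetary value of the asset, in dollars
    exposure_factor: float  # fraction of the asset lost per incident (0.0-1.0)
    aro: float              # Annualized Rate of Occurrence: incidents per year
    likelihood: int         # qualitative rating, 1 (rare) to 3 (frequent), assumed scale
    impact: int             # qualitative rating, 1 (minor) to 3 (severe), assumed scale

def sle(risk: Risk) -> float:
    """Single Loss Expectancy: dollar loss from one occurrence of the threat."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor

def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: expected dollar loss per year."""
    return sle(risk) * risk.aro

def qualitative_rating(risk: Risk) -> str:
    """Heat-map band from likelihood x impact (1..9): High / Medium / Low."""
    score = risk.likelihood * risk.impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def control_is_justified(risk: Risk, residual_aro: float, annual_cost: float) -> bool:
    """Cost-benefit test: the ALE a control removes must exceed what it costs per year."""
    ale_reduction = ale(risk) - sle(risk) * residual_aro
    return ale_reduction > annual_cost

# Constructed register; the first entry is the page's worked ALE question.
REGISTER = [
    Risk("Web server compromise", 100_000, 0.5, 0.1, likelihood=1, impact=3),
    Risk("Unencrypted laptop theft", 3_000, 1.0, 2.0, likelihood=3, impact=2),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=ale, reverse=True):  # rank by expected annual loss
        print(f"{r.name}: SLE=${sle(r):,.0f} ALE=${ale(r):,.0f} ({qualitative_rating(r)})")
```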
Discuss the role of Artificial Intelligence (AI) in modern Risk Management.
AI is transforming Risk Management by automating complex tasks and predicting threats.
Key Roles:
- Predictive Analytics: AI analyzes historical data to predict future risk scenarios and potential breach vectors.
- Automated Threat Detection: AI/ML algorithms can process vast amounts of log data in real-time to identify anomalies that indicate a cyberattack (e.g., User and Entity Behavior Analytics - UEBA).
- Compliance Monitoring: AI tools can scan internal documents and configurations to automatically flag non-compliance with standards like ISO or NIST.
- Vendor Risk Scoring: AI scans the open web and dark web to assess the security posture of third-party vendors continuously.
Write a short note on 'Shadow IT' and the risks associated with it.
Shadow IT refers to the use of information technology systems, devices, software, applications, and services without explicit IT department approval. Examples include employees using personal Dropbox accounts for work files or unauthorized Trello boards.
Risks:
- Data Leakage: IT cannot protect data they don't know exists. Shadow IT bypasses DLP controls.
- Compliance Violations: Storing sensitive data on unapproved platforms violates regulations like HIPAA or GDPR.
- Lack of Patching: Unapproved software is not updated by the IT team, leaving it vulnerable to exploits.
- Inefficiency: Creates data silos where information is not accessible to the wider organization.