Chapter 19 - Risk Management

Risks are identified and categorized by where they come from and what they target:

  • External
  • Internal
  • Multi-party
  • Intellectual Property Theft
  • Software licensing and compliance
  • Legacy systems

Risk can be measured quantitatively or qualitatively. Quantitative risk assigns numerical values to how likely an issue is to occur and how damaging it would be:

  • Exposure Factor (EF): the fraction of an asset's value lost in a single incident (0.5 if half of the asset's value is destroyed).
  • Single Loss Expectancy (SLE): amount lost in a single incident. SLE = Asset Value x Exposure Factor. Note that the EF measures how much is lost, not how likely the incident is; likelihood enters through the ARO.
  • Annualized Rate of Occurrence (ARO): how many times per year the incident is expected to happen (0.1 means once every ten years).
  • Annualized Loss Expectancy (ALE): expected loss per year. ALE = SLE x ARO.

Qualitative risk is an opinion-based measurement of risk, rating the probability as Critical, High, Medium or Low for assets classed as Irreplaceable, High Value, Medium Value or Low Value. Impact is graded as:
  • Low: minor damage or loss
  • Moderate: significant damage or loss
  • High: major damage, or loss of the capability to perform essential functions (total loss)

Risk is inherent in all systems and actions. Inherent risk is the risk present in a system before any remediation is attempted (gross risk). Risk mitigation, remediation and deterrence reduce the overall risk; the risk that remains after all attempts to reduce it is the Residual Risk. Whether residual risk is acceptable depends on the organization's Risk Appetite. The inherent and residual risk assessed for every asset should be recorded in a document known as a risk register, so that it can be compared against the organization's risk appetite. Comparing successive risk registers shows whether a security control has become less effective over time (for example through configuration drift); the risk that a control fails to reduce risk as much as was assumed is known as control risk.
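The SLE/ALE formulas and the inherent, residual, register and control-risk ideas above, worked through in code. This is an added example written for this page, not code from the original notes: every asset, threat, control name and figure is constructed (hypothetical), and modelling a control as a fractional reduction of EF and ARO is an assumption of the example rather than a formula from the chapter.

```python
"""Quantitative risk register: added worked example, not from the original notes.

Asset, threat and control names and every figure below are constructed for
illustration (hypothetical); the formulas are the SLE/ALE ones from the chapter.
Modelling a control as a fractional cut to EF and/or ARO is this example's
assumption, not a definition from the chapter.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_reduction: float = 0.0   # fraction by which the control lowers EF (0.75 -> EF/4)
    aro_reduction: float = 0.0  # fraction by which the control lowers ARO


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def inherent_ale(risk: Risk) -> float:
    """Gross risk: ALE before any control is applied."""
    return ale(risk.asset_value, risk.exposure_factor, risk.aro)


def residual_ale(risk: Risk, control: Optional[Control]) -> float:
    """ALE that remains once the control has reduced EF and/or ARO."""
    if control is None:
        return inherent_ale(risk)
    ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return ale(risk.asset_value, ef, aro)


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a safeguard: (inherent ALE - residual ALE) - annual cost.
    Negative means the control costs more per year than the loss it prevents."""
    return inherent_ale(risk) - residual_ale(risk, control) - control.annual_cost


def build_register(entries, risk_appetite: float):
    """Rows of a risk register, worst residual risk first, each row flagged against
    an appetite expressed as the maximum acceptable residual ALE per risk."""
    rows = []
    for risk, control in entries:
        inherent = inherent_ale(risk)
        residual = residual_ale(risk, control)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "control": control.name if control is not None else None,
            "inherent_ale": inherent,
            "residual_ale": residual,
            "control_value": control_value(risk, control) if control is not None else None,
            "within_appetite": residual <= risk_appetite,
        })
    return sorted(rows, key=lambda r: r["residual_ale"], reverse=True)


def control_drift(risk: Risk, control_then: Control, control_now: Control) -> float:
    """Control risk between two register snapshots: how much residual ALE grew
    because the same control became less effective (e.g. restores never tested)."""
    return residual_ale(risk, control_now) - residual_ale(risk, control_then)


# Constructed sample register (hypothetical assets, threats and figures).
CUSTOMER_DB = Risk("customer-db", "ransomware", asset_value=500_000, exposure_factor=0.6, aro=0.2)
WEB_SERVER = Risk("web-server", "volumetric DDoS", asset_value=80_000, exposure_factor=0.25, aro=2.0)
LEGACY_ERP = Risk("legacy-erp", "unpatched remote exploit", asset_value=200_000, exposure_factor=0.5, aro=0.1)

BACKUPS_AND_EDR = Control("offline backups + EDR", annual_cost=25_000, ef_reduction=0.75, aro_reduction=0.5)
DDOS_SCRUBBING = Control("DDoS scrubbing service", annual_cost=45_000, ef_reduction=0.9)
# The same backup control a year later: restores went untested, so it removes far less loss.
BACKUPS_DECAYED = Control("offline backups + EDR", annual_cost=25_000, ef_reduction=0.25, aro_reduction=0.5)

REGISTER = build_register(
    [(CUSTOMER_DB, BACKUPS_AND_EDR), (WEB_SERVER, DDOS_SCRUBBING), (LEGACY_ERP, None)],
    risk_appetite=8_000,
)

if __name__ == "__main__":
    for row in REGISTER:
        print(row)
    print("control drift on customer-db:", control_drift(CUSTOMER_DB, BACKUPS_AND_EDR, BACKUPS_DECAYED))
```

Running it prints the register worst-first. The legacy-erp row has no control and sits above the 8,000 appetite, which is exactly what a register is kept to surface; the DDoS scrubbing row has a negative control value, meaning the safeguard costs more per year than the loss it removes, so acceptance or a cheaper control is the rational response; and the drift figure for customer-db is the control risk that only shows up when two register snapshots are compared.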
Risk response strategies:

  • Mitigation: apply countermeasures that reduce the likelihood or the impact of the risk
  • Avoidance: stop doing the things that generate the risk
  • Transference: make the risk another party's problem (insurance)
  • Acceptance/Tolerance: apply no countermeasures, because of cost or capability, and accept the residual risk

The process of analyzing the effects and potential losses of various scenarios is a Business Impact Analysis (BIA). A major criterion for a BIA is whether mission essential functions would be impacted during an event.
  • Maximum Tolerable Downtime (MTD): the longest period an outage can last before it causes irrecoverable failure of the business function.
  • Recovery Time Objective (RTO): the period following a disaster within which a system must be back online (time to identify the problem and fix it).
  • Work Recovery Time (WRT): the additional time needed to reintegrate recovered systems and verify them before normal operation resumes. RTO plus WRT must fit within the MTD.
  • Recovery Point Objective (RPO): the maximum acceptable data loss, expressed as the time back to the last safe backup/image; backups must be taken at least this often.

Mean Time To Failure (MTTF) and Mean Time Between Failures (MTBF) describe the expected lifetime of a product or system: MTTF is used for non-repairable components (replaced rather than fixed), MTBF for repairable ones. Mean Time To Repair (MTTR) is the time taken to restore full operation after a failure.

Building a Disaster Recovery Plan

Disaster Recovery Plans (DRPs) define the procedures for recovering the functionality of one or more systems after a disaster-level event.

1. Identify potential disaster and non-disaster events and the options for protecting against them. As in incident response, the first step is identifying potential threats.
2. Identify tasks, resources, responsibilities and stakeholders:
   1. What needs to be done and how fast does it need to be done? What are the priorities, and where should effort be concentrated?
   2. What do we have available to do it, how much do we need to purchase to cover the gap, and will the disaster make supplies harder to acquire?
   3. Who is in charge of doing it, how can we contact them, and who is their backup?
3. Do dry runs of the DRP (workshops, drills, tabletop meetings) to find any holes in the planning.