
Elements and Categories of Risks: Risk Management

This document discusses risk management and cybersecurity risk assessment. It outlines the basic steps of risk assessment which include characterizing systems, identifying threats, determining inherent risk and impact, analyzing control environments, determining likelihood ratings, and calculating risk ratings. There are five categories of cybersecurity risk: strategic, reputational, operational, transactional, and compliance. The document also discusses monitoring cyber risk management through alignment of the organization, use of data to support business event detection, analytics to transform from indicator-driven to pattern-detection approaches, and adapting talent models. Addressing cyber risks requires understanding common pitfalls like delegating solely to IT or throwing resources without a plan.

Uploaded by Von Gary Ras
© All Rights Reserved

IT1914

Risk Management
Elements and Categories of Risks
Risk management is a concept that has been around as long as companies have had assets to protect. The simplest
example may be insurance. Life, health, auto, and other insurance are all designed to help a person protect against losses.
Risk management also extends to physical devices, such as doors, to protect homes and autos, vaults to protect money
and precious jewels, and police, fire, and security to protect against other physical risks.
Cybersecurity Risk Management
Rather than doors, locks, and vaults, IT departments rely on the combination of strategies, technologies, and user
education to protect an enterprise against cybersecurity attacks that can compromise systems, steal data and other
valuable company information, and damage an enterprise’s reputation. As the volume and severity of cyberattacks grow,
the need for cybersecurity risk management grows with it.

Basic Steps of Risk Assessment


• Characterize the System (Process, Function, or Application) – Characterizing the system will help you determine
viable threats. This should include asking the following questions:
o What is it?
o What kind of data does it use?
o Who is the vendor?
o Who uses the system?
o What are the internal and external interfaces that may be present?
o What is the data flow?
o Where does the information go?
• Identify Threats – Some basic threats are going to be in every risk assessment; however, depending on the system,
additional threats could be included. Common threat types include the following:
o Unauthorized access (malicious or accidental) – This could be from a direct hacking attack/compromise,
malware infection, or internal threat.
o Misuse of information (or privilege) by an authorized user – This could be the result of unapproved use
of data or changes made without approval.
o Data leakage or unintentional exposure of information – This includes permitting the use of unencrypted
USB and/or CD-ROM without restriction, deficient paper retention and destruction practices, transmitting
Non-Public Personal Information (NPPI) over unsecured channels, or accidentally sending sensitive
information to the wrong recipient.
o Loss of data – This can be the result of poor replication and backup processes.
o Disruption of service or productivity.
• Determine Inherent Risk and Impact – This step is done without considering the control environment. Based on
how the system is characterized, the impact on the organization can be determined if the threat were
exercised. Examples of impact ratings are as follows:
o High – The impact could be substantial.
o Medium – The impact would be damaging, but recoverable, and/or would be inconvenient.
o Low – The impact would be minimal or non-existent.
• Analyze the Control Environment – Look at several categories of information to assess the control environment
adequately. Ultimately, threat prevention, mitigation, detection, or compensating controls and their relationship
to identified threats need to be identified. A few examples include the following:
o Organizational Risk Management Controls
o User Provisioning Controls
o Administration Controls

07 Handout 1 *Property of STI


 student.feedback@sti.edu Page 1 of 6
o User Authentication Controls
o Infrastructure Data Protection Controls
o Data Center Physical and Environmental Security Controls
o Continuity of Operations Controls
Control assessment categories may be defined as follows:
o Satisfactory – meets control objective criteria, policy, or regulatory requirement
o Satisfactory with Recommendations – meets control objective criteria, policy, or regulatory requirement
with observations for additional enhancements to existing policies, procedures, or documentation
o Needs Improvement – partially meets control objective criteria, policy, or regulatory requirement
o Inadequate – does not meet control objective criteria, policy, or regulatory requirements.
• Determine a Likelihood Rating – The likelihood of the given exploit must be determined while taking into account
the control environment that an organization has in place. Examples of likelihood ratings are as follows:
o High – The threat-source is highly motivated and sufficiently capable, and the controls to prevent the
vulnerability from being exercised are ineffective.
o Medium – The threat-source is motivated and capable, but the controls are in place to prevent, or at least
significantly impede, the vulnerability from being exercised.
o Low – The threat-source lacks motivation or capability, or the controls are in place to prevent, or at least
significantly impede, the vulnerability from being exercised.
• Calculate the Risk Rating – Even though there is a ton of information and work that goes into determining the risk
rating, it all comes down to a simple equation:
Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Risk Rating
Some examples of risk ratings are as follows:
o Severe – A significant and urgent threat to the organization exists, and risk reduction remediation should
be immediate.
o Elevated – A visible threat to the organization exists, and risk reduction remediation should be completed
in a reasonable period.
o Low – Threats are normal and generally acceptable but may still have some impact on the organization.
Implementing additional security enhancements may provide further defense against potential or
currently unforeseen threats.
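The six steps above come together in the Impact * Likelihood = Risk Rating equation. The following worked example is added here to show the whole procedure end to end; it is not code from the STI handout or from any of its sources. The handout gives only the qualitative High/Medium/Low scales and the Severe/Elevated/Low result labels, so the numeric scores (High = 3, Medium = 2, Low = 1), the product thresholds that map a score to a label, and the sample system and threats are all assumptions made for illustration. The likelihood rule follows the handout's three definitions: a threat source that lacks motivation or capability is Low; a motivated and capable source facing effective controls is Medium; a motivated and capable source facing ineffective controls is High.

```python
"""Worked cybersecurity risk assessment: characterize, identify threats,
rate impact, rate likelihood against the control environment, and
calculate Impact * Likelihood = Risk Rating.

Added example; not part of the STI handout. Numeric scores, thresholds,
and the sample system/threats are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed numeric scores for the handout's qualitative levels.
LEVEL_SCORE = {"High": 3, "Medium": 2, "Low": 1}


def likelihood_rating(motivated: bool, capable: bool, controls_effective: bool) -> str:
    """Apply the handout's three likelihood definitions in order."""
    if not (motivated and capable):
        return "Low"          # threat-source lacks motivation or capability
    if controls_effective:
        return "Medium"       # motivated and capable, but controls impede it
    return "High"             # motivated, capable, and controls are ineffective


def risk_rating(impact: str, likelihood: str) -> tuple[int, str]:
    """Impact * Likelihood on the assumed 1..3 scales gives a 1..9 score.
    Thresholds (assumed): 6-9 Severe, 3-5 Elevated, 1-2 Low."""
    score = LEVEL_SCORE[impact] * LEVEL_SCORE[likelihood]
    if score >= 6:
        return score, "Severe"
    if score >= 3:
        return score, "Elevated"
    return score, "Low"


@dataclass
class Threat:
    """One row of the assessment: a threat against the characterized system."""
    name: str
    impact: str              # inherent impact, rated without controls
    motivated: bool
    capable: bool
    controls_effective: bool  # outcome of analyzing the control environment


def assess(system: str, threats: list[Threat]) -> list[dict]:
    """Return one result per threat, highest risk first, so remediation
    can be ordered the way the handout's Severe/Elevated/Low labels intend."""
    results = []
    for t in threats:
        likelihood = likelihood_rating(t.motivated, t.capable, t.controls_effective)
        score, label = risk_rating(t.impact, likelihood)
        results.append({
            "system": system, "threat": t.name, "impact": t.impact,
            "likelihood": likelihood, "score": score, "rating": label,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample: a customer portal that handles NPPI, with the
# handout's common threat types and assumed control findings.
SAMPLE_SYSTEM = "Customer portal (stores NPPI, vendor-hosted, public web interface)"
SAMPLE_THREATS = [
    Threat("Unauthorized access (external compromise)", "High", True, True, False),
    Threat("Misuse of privilege by authorized user", "Medium", True, True, True),
    Threat("Loss of data (poor backup/replication)", "High", False, True, True),
    Threat("Disruption of service", "Low", True, True, True),
]


def sample_assessment() -> list[dict]:
    return assess(SAMPLE_SYSTEM, SAMPLE_THREATS)


if __name__ == "__main__":
    for row in sample_assessment():
        print(f'{row["rating"]:8} {row["score"]}  {row["threat"]} '
              f'(impact {row["impact"]}, likelihood {row["likelihood"]})')
```

Changing a single control finding from effective to ineffective moves the likelihood one level and can push an Elevated threat to Severe, which is exactly why the handout insists the likelihood step be done against the actual control environment rather than in the abstract.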

Five (5) Categories to a Cybersecurity Risk Assessment


• Strategic risk is related to adverse business decisions or the failure to implement appropriate business decisions
in a manner that is consistent with the institution’s strategic goals.
• Reputational risk is related to negative public opinion.
• Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems or
external events.
• Transactional risk is related to problems with service or product delivery.
• Compliance risk is related to violations of laws, rules, or regulations, or noncompliance with internal policies or
procedures or business standards.

Risk Monitoring and Response


Monitoring of Cyber Risk Management
The monitoring program of the future is focused on cyber risks to the business. This change is an outgrowth of executive
and often board-level involvement to set the tone and priorities around cyber risk as part of an organization’s larger
business risk management programs. To achieve this transformation, changes are needed in these four (4) key functional
areas:
• Alignment – Align the whole organization, horizontally and vertically, around the top cyber risks.
• Data – Use data to support business event detection rather than technology event detection.
• Analytics – Transform from an indicator-driven approach to a pattern-detection approach.
• Talent – Adopt a talent model that enables the evolution from reactive to proactive action models.

Addressing the Alarming Level of Cyber Risks


1. Start by understanding and addressing common pitfalls.
• Delegating the problem to IT/CISO – A lot of organizations treat cyber risk as a technical issue and leave it all to the
IT department or the Chief Information Security Officer (CISO) to deal with and resolve. Cybersecurity may be a
technical problem at its core, but defending a business is different from simply protecting its servers.
Security has to be embedded across the whole business; it is no longer just an IT component. Defending a business
requires an understanding of a company’s business model, value chain, the relevant risks to be faced, the roles and
responsibilities of each person involved, and proper governance. Given this, IT alone will not be enough to handle
cybersecurity since it affects and encompasses all these business aspects.
• Throwing resources at the problem – The problem with this approach is that it doesn’t take into account the
current level of protection and vulnerability a company has and does not establish nor consider what the goal is
for setting up the organization’s risk management program.
Organizations purchase state-of-the-art malware detection systems, antivirus software, and network firewalls for
protection even if these acquisitions don’t suit the company’s needs or address the company’s vulnerabilities.
• Treating the problem as a compliance issue – There are lots of existing cybersecurity protocols, frameworks, and
checklists that are recommended by other organizations. However, these solutions are tailored to those
organizations, which means that even if they work for them, there is no guarantee they can protect another
organization from future cyberattacks. A company’s cyber risks and vulnerabilities may be entirely different
from those of others.
The easy, traditional response of blindly following a checklist has proven inadequate in the growing landscape of
cyber risks and threats today. To keep up with the times and counter the growing threat of cybercrime effectively,
companies should accommodate the growing complexity of corporate networks by constantly assessing their
cybersecurity posture.
• Other reasons why cybersecurity often breaks down in companies:
o The company does not have an inventory of the company’s digital assets.
o The company does not know or take note of which third parties it digitally connects with.
o The company does not identify who is most likely to come after its data.
o The company does not resolve or patch up known system vulnerabilities.
o The company has a wide attack surface without having security plans in place.
o Employees are not oriented or trained in their role in security.

2. Devise a more proactive, collaborative approach.


A more proactive and collaborative approach to cyber risk not only helps alleviate costs but also enables companies
to lessen the disruption of operations that current cybersecurity initiatives often bring about.
The following cybersecurity principles come from experience working with some of the world’s leading
cybersecurity players:
o Cyber risk needs to be treated as a risk management issue like any other complex, critical, nonfinancial risk.
o Cyber risk needs to be addressed within a business context.
o Cyber risk needs to be dealt with on multiple levels.
o Cyber risk calls for adaptive defenses.
o Cyber risk calls for holistic, collaborative governance.

Incident Handling and Documentation


Security incident management is the process of identifying, managing, recording, and analyzing security threats or
incidents in real-time. It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure.
A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data
breach.
Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally
identifiable records are all examples of security incidents.
Here is the five-step process for security incident management/handling:
1. Prepare for handling incidents.
2. Identify potential security incidents through monitoring, and document all incidents.
3. Assess identified incidents to determine the appropriate next steps for mitigating the risk.
4. Respond to the incident by containing, investigating, and resolving it.
5. Learn and document key takeaways from every incident.

Best Practices for Security Incident Management


• Develop a security incident management plan and supporting policies that include guidance on how incidents are
detected, reported, assessed, and responded to. Have a checklist ready for a set of actions based on the threat.
Continuously update security incident management procedures as necessary, particularly with lessons learned
from prior incidents.
• Establish an incident response team, including clearly defined roles and responsibilities. The incident response
team should include functional roles within the IT/security department as well as representation for other
departments such as legal, communications, finance, and business management or operations.
• Develop a comprehensive training program for every activity necessary within the set of security incident
management procedures. Practice the security incident management plan with test scenarios consistently and
make refinements as needed.
• After any security incident, perform a post-incident analysis to learn from your successes and failures and make
adjustments to the security program and incident management processes where needed.

Incident Documentation/Report
Incident documentation is the process of recording all workplace injuries, near misses, and accidents. This should be completed at the time
an incident occurs no matter how minor the incident. It is also a tool that documents any event that may or may not have
caused injuries to a person or damage to a company asset and is used to capture injuries and accidents, near misses,
property and equipment damage, health and safety issues, security breaches and workplace misconduct.

What is considered an incident?


• It causes disruption or interference to an organization.
• It causes significant risks that could affect members within an organization.
• It impacts the systems and operations of workplaces.
• It attracts negative media attention or negative profile for the workplace.
Organizations should have a formal, focused, and coordinated approach when responding to incidents, including an
incident response plan that provides the roadmap for implementing the incident response capability. The incident
response plan should include the following elements:
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How will the incident response team communicate with the rest of the organization and with other
organizations?
• Metrics for measuring the incident response capability and its effectiveness
• Roadmap for maturing the incident response capability
• How does the program fit into the overall organization?

Once an organization develops a plan and gains management approval, it should implement and review the plan at least
annually to ensure the organization is following the roadmap for maturing the capability and fulfilling its goals for
incident response.

Backup and Recovery


A backup is a representative copy of data at a specific point in time. The phrase “backup and recovery” usually refers
to the transfer of copied files from one (1) location to another, along with the various operations performed on those files.
A good backup strategy is essential for data security. Backup is the last defense against data loss, providing a way to restore
original data. It also has the following advantages:
• Protecting a user in the event of hardware failure, accidental deletions, or disaster.
• Protecting a user against unauthorized changes made by an intruder.
• Providing a user with a history of an intruder’s activities by looking through archived or older backups.

Importance of Data Backup and Recovery in Any Security Strategy


• Identify prime backup targets – Data protection is not a “set-it-and-forget-it” type of function. Often, it is a
complex undertaking that requires many steps. The first step in a data protection strategy should be identifying
which data is most sensitive to an organization. Tapping into the knowledge of users, typically employees, can be
hugely beneficial. Users often know more about the data being used than IT simply because they are the ones
consistently using it. This type of data identification can be especially beneficial when looking at unstructured
data.
• Create a backup and recovery strategy – Once sensitive data has been identified, the second step is to create a
comprehensive backup and recovery strategy with scheduled backups of critical data. Most large organizations
with an IT team will already have a backup in place and a schedule for periodic backups.
The third step is to ensure backups are always tested. Many well-intentioned IT teams have very good backup
strategies but fail to test their backups. If a user can’t recover a backup, the entire exercise is unproductive.
Backups must be reliable and easy to recover. It is critical to perform routine tests of backups. If backups are
encrypted, it is doubly important simply because, in case of an emergency such as a ransomware attack, recovery
of a previous backup could be the only solution.
• Create a comprehensive security strategy – Data protection through backup and recovery is a basic IT function—
one that most IT teams should already be performing—yet many backups go untested, which can lead to disaster
when they are called into service. With the abundance of unstructured data on most corporate networks, it is possible
that critical data also goes unprotected.

General Steps for Backup and Recovery


• Plan and prepare
• Identify assets and backup requirements
• Select and develop a backup strategy
• Implement and monitor a backup strategy
• Recovery drill test
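The steps above end with a recovery drill, and the earlier section stresses that an untested backup is no backup at all and that older backups give a history of an intruder’s changes. The following example is added to show both in working code; it is not from the STI handout or any source it draws on. It uses only the Python standard library and runs against a small directory tree that it builds itself in a temporary folder, so every path, file name and file content below is constructed. The manifest format (a JSON map of relative path to SHA-256) and the ".manifest.json" naming are assumptions for the example.

```python
"""Backup with an integrity manifest, a restore drill that verifies every
file, and a diff between two backups to reconstruct what changed.

Added example, not from the handout. Standard library only; all sample
paths and contents are constructed inside demo().
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of source plus a JSON manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_drill(archive: Path) -> dict:
    """Restore into a scratch directory and check every file against the
    manifest. Returns counts so a scheduled drill can fail loudly."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        scratch_root = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse entries that would land outside the scratch directory
            # (absolute names or ".." components) before extracting anything.
            for member in tar.getmembers():
                target = (scratch_root / member.name).resolve()
                if target != scratch_root and scratch_root not in target.parents:
                    raise ValueError(f"unsafe archive entry: {member.name}")
            # Use the hardened extraction filter where this Python provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch_root, **kwargs)
        restored = build_manifest(scratch_root / "data")
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return {"verified": len(manifest) - len(missing) - len(corrupted),
            "missing": missing, "corrupted": corrupted}


def diff_manifests(older: dict, newer: dict) -> dict:
    """Files added, removed, or modified between two backups: the history an
    investigator reads from archived copies after an intrusion."""
    return {"added": sorted(set(newer) - set(older)),
            "removed": sorted(set(older) - set(newer)),
            "modified": sorted(f for f in older if f in newer and older[f] != newer[f])}


def demo() -> dict:
    """Constructed scenario: back up a tree, run the drill, then alter one
    file and add another before the next backup and diff the two."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "site"
        (data / "conf").mkdir(parents=True)
        (data / "conf" / "app.ini").write_text("debug=false\n")
        (data / "index.html").write_text("<h1>hello</h1>\n")

        first = create_backup(data, work / "site-day1.tar.gz")
        drill = restore_drill(work / "site-day1.tar.gz")

        # Simulate an unapproved change and an unexpected new file.
        (data / "conf" / "app.ini").write_text("debug=true\n")
        (data / "unexpected.txt").write_text("not part of the deployment\n")
        second = create_backup(data, work / "site-day2.tar.gz")
        history = diff_manifests(first, second)
    return {"drill": drill, "history": history}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The drill treats a backup as trustworthy only after a restore has been hashed file by file against the manifest taken at backup time; a backup job that exits 0 proves nothing on its own. Running restore_drill on a schedule and alerting on a non-empty "missing" or "corrupted" list is the recurring test the section above asks for.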