3. INFORMATION RISK
Data Breaches: This occurs when sensitive or confidential information is accessed, disclosed,
or stolen by unauthorized individuals or entities.
Phishing Attacks: Phishing is a type of cyber attack where attackers impersonate legitimate
entities to trick individuals into revealing sensitive information such as passwords or credit card
numbers.
Malware Infections: Malware is malicious software designed to disrupt, damage, or gain
unauthorized access to a computer system.
Insider Threats: Insider threats occur when individuals within an organization misuse their
access to sensitive data for malicious purposes.
Physical Security Breaches: Information stored in physical form (e.g., printed documents,
portable storage devices) can be vulnerable to theft or unauthorized access if proper security
measures are not in place.
Third-Party Risks: When organizations rely on third-party vendors or service providers to handle
their data or IT infrastructure, they introduce a risk if those third parties do not adequately
protect the information.
4. THREATS TO, AND VULNERABILITIES
OF, INFORMATION SYSTEMS
A threat is something that may happen, and that may
cause some undesirable consequence.
Threats must be realistic and may have already
occurred, with records of incidents supporting their
validity.
What is perceived as a threat to one party could be an
opportunity for another.
THREATS
5. Threat categorization
Threats can be categorized into two main areas – accidental threats and
deliberate threats.
Each of these areas may contain two further choices – internal
threats and external threats.
In information assurance,accidental threats include a number of
conditions, such as human error, system malfunctions, fire and
floods.
The implication is that there has been no deliberate attempt to
carry out the threat – it has simply happened.
6. Threat categorization
Deliberate threats: Occur when someone sets out with every intention of
carrying out the threat. This type of threat includes hacking, malicious
software, sabotage, cyber terrorism, hi-tech crime, and so on
Internal threats arise – The organization itself, or from business partners and
suppliers who have some degree of access to the organization’s information
systems environment.
External threats arise -- from outside the organization and its less closely
linked business partners and suppliers. Typical external threats may arise
from hackers (of various kinds), competitors and protest groups.
7. Vulnerabilities
A vulnerability is a weakness in a system that, if exploited,
could lead to undesirable consequences.
For instance, writing passwords on Post-It notes creates
vulnerability to unauthorized access.
Vulnerabilities can arise from poor software design, leaving
systems open to attacks.
Popular software and operating systems are often targeted by
hackers due to their widespread use and accessibility.
8. Vulnerabilities categorization
Vulnerabilities are divided into general and information-
specific categories. General vulnerabilities encompass
weaknesses in software, hardware, facilities, people,
processes, and procedures.
Information-specific vulnerabilities pertain to unsecured
computers, servers, operating systems, network devices,
wireless systems, web servers, email systems, and physical
storage units.
Assets become vulnerable due to inadequate security
measures or ineffective fixes. Threats exploit vulnerabilities to
achieve their objectives.
9. Assets
Information assets can take various forms, ranging from tangible
items like systems or buildings to intangible ones such as
intellectual property, business services, or brand reputation.
Incidents impact assets, whether they are tangible or intangible,
emphasizing their critical importance to the organization's well-
being.
10. Impact
Understanding the potential impact of a risk is crucial in information
assurance.
If the impact is minimal, it might be acceptable to accept the risk and
monitor it periodically.
However, significant potential impacts, such as loss of vital company
information, require appropriate countermeasures.
Business impacts of threats include loss of confidentiality, integrity,
and availability, leading to financial loss, brand damage, and loss of
customer confidence.
11. Likelihood or probability
Risk management involves assessing the likelihood of events
occurring, which can vary from very likely to highly improbable.
Likelihood assessment can be quantitative, relying on clear metrics
and statistical data, or qualitative, based on subjective opinions.
The risk of breach without password protection is deemed high, even
without exact incident numbers.
Both assessment methods are valuable as long as they follow agreed
criteria.
12. Risk
The combination of a vulnerability being exploited by a threat results in
an impact or consequence. Risk assessment for a threat considers both
the impact and the likelihood of it being carried out.
Multiple circumstances can compound risks, potentially leading to more
serious security breaches.
For instance, if files contain lists of usernames and passwords, it could
exacerbate security vulnerabilities.
13. Calculating the overall risk
When assessing the risk for an information asset, factors such as
threats, potential impacts, and vulnerabilities must be considered.
This process involves identifying threats and estimating their potential
impacts, as well as identifying vulnerabilities associated with the asset to
determine the likelihood of threats being realized.
The initial stage, known as a business impact analysis (BIA), evaluates
the impact of threats on business assets
Ms. Jackson, the chairperson, has been reminded that all GANT’s
information is held on a single computer system that was recently
compromised by a teenage hacker.
GANT has no backup of the information and no suitable paper
documentation from which to easily recreate its records.
14. RISK MANAGEMENT
Risk management process - involves four key areas: identifying threats,
analyzing their impact, assessing risks, treating them, and continually
monitoring outcomes.
Risk assessments occur at various levels such as corporate, business
system, or physical location, each requiring different approaches but with
similar methodologies and applications of results.
16. Identification
To initiate a risk management process, identifying threats is crucial,
alongside understanding existing vulnerabilities.
This may reveal multiple threats or consolidate various vulnerabilities into
one.
Each identified threat is then evaluated based on its impact on the asset at
risk; for instance, a server breach could lead to service disruption, data
loss, or web page defacement, impacting profitability.
Another approach involves listing critical organizational assets and
assessing potential threats against them.
Subsequently, the resulting list of assets, threats, and potential impacts
guides further analysis.
17. Analysis
Having identified the impact (or impacts) for each threat, the next task is to
assess the likelihood of it occurring.
It must be remembered that this is ongoing work and that, if the patching
falls behind, the likelihood of an attack being successful will increase.
19. Options for treating risks
The risk matrix guides four potential courses of action for treating risks:
1. Avoid or terminate the risk: This involves refraining from actions that pose risks,
such as implementing policies to prohibit unauthorized software installation on
company computers.
2. Accept or tolerate the risk: When risks are assessed to be low, organizations may
consciously decide to tolerate them, ensuring accountability through formal sign-off
processes and regular monitoring.
3. Reduce or modify the risk: Actions to reduce risks include minimizing threats,
vulnerabilities, or impacts through controls such as security patches, firewall
settings, or implementing redundancy measures like disaster recovery systems.
4. Transfer or share the risk: Risks can be transferred via insurance policies or
outsourcing to third-party specialists, although ultimate responsibility and
ownership of the risk remain with the organization. Insurance helps mitigate
financial impacts, but may not cover all consequences, particularly consequential
20. Monitor
The last step in the risk management cycle is monitoring the outcomes of the
risk treatment plan.
Monitoring frequency depends on the threat type; rapidly changing threats
require frequent checks, while others need occasional monitoring.
The cycle should be periodically repeated to account for disappearing threats
and emerging ones.
Monitoring intervals are determined by the organization's risk appetite and
may be outlined in a risk management strategy or policy document.
21. Approaches to risk assessment
Qualitative
Qualitative risk assessment, though subjective, is valuable when hard data is
scarce. Establishing clear definitions for risk levels like 'high', 'medium', and
'low' ensures rationality and ease of justification in the assessment process.
Quantitative risk assessments rely on statistical evidence to gauge both
impact and likelihood, such as using data from antivirus vendors for virus
attack risks.
While statistical information is widely available, it should be approached
cautiously due to the potential for manipulation or misinterpretation.
23. Software tools
Various software tools exist for conducting risk assessments, but the book
refrains from endorsing any specific ones, encouraging readers to explore
and determine which suits their needs best.
It warns against overcomplicating the process with elaborate analyses,
suggesting that a simple spreadsheet-based tool can often suffice and be
more adaptable to organizational needs
Simplifying the process helps make the results more understandable to a
wider audience, avoiding the perception of risk assessment as a mysterious
or inaccessible practice.
24. Questionnaire
When conducting a risk assessment, preparing a questionnaire helps gather
information from relevant areas of the organization.
Starting with open-ended questions about processes and procedures can
reveal crucial details and potential points of failure.
Subsequently, closed questions delve deeper to uncover facts and figures,
aiding in a detailed analysis of potential risks.
While some information may seem trivial initially, it could be essential for
building a business case to secure funding for risk mitigation measures.
25. Identifying and accounting for the value of
information assets
Before conducting a risk assessment on an organization's information, it's
essential to identify and document each information asset.
Information from questionnaires aids in listing responsibilities for collecting
and storing data, its location, usage, backup procedures, and the role of
individuals as information assets.
Assessing the value of information assets involves considering their
function, downtime tolerance, recovery difficulty, and frequency of changes.
Key questions include assessing the potential loss or impact on the
organization if the asset becomes unavailable.
26. Information classification policies
Information classification categorizes data based on its sensitivity and
access restrictions.
Public domain information like product lists typically have a low
classification, while customer account details may be labeled as confidential.
Highly critical information, such as documents related to mergers or
acquisitions, may have a higher classification level, like 'highly confidential'
or 'secret.'
Companies can define multiple classification levels, but simplicity is crucial.
Each information asset must align with the classification policy, and assets
not marked as 'unmarked' or 'unrestricted' must be labeled accordingly.
The policy should outline procedures for handling, storing, and disposing of
protectively marked information.
27. Assessing the risks in business terms
When conducting risk assessments, it's crucial to avoid using complex risk
management terminology, especially when communicating with individuals
unfamiliar with the jargon.
Instead, risk assessors should articulate outcomes in language easily
understood by managers within the organization, tailoring the terminology to
suit different departments' specific contexts
This approach optimizes impact and buy-in, ensuring assessments focus on
areas recognized by individual departments to avoid wasted efforts.
28. Balancing the cost of information
security against the potential losses
After conducting risk assessments, recommendations for mitigating higher-
level risks are provided, accompanied by rough cost estimates to present a
balanced perspective for decision-makers.
Decision-making regarding risk mitigation depends on factors such as
anticipated losses, cost of controls, and organizational risk appetite.
Some cases may require detailed cost breakdowns, and legal or regulatory
requirements may also influence decision-making.
Experienced risk managers anticipate such complexities but must also
consider non-financial factors in risk treatment decisions.
29. The role of management in accepting
risk
Organizations must differentiate between accepting and ignoring risk,
ensuring conscious decisions with thorough documentation.
It's best practice to have multiple managers, especially one from a different
discipline, sign off on high-impact risks to provide objective confirmation.
Regular review of accepted risks is essential to ensure alignment with the
organization's risk appetite and to account for any changes in threat, impact,
or likelihood.
30. Contribution to risk registers (e.g. Turn
bull conformance)
Risk registers are essential for formal documentation of all identified risks,
providing visibility to authorized observers such as auditors.
They facilitate ongoing monitoring of risk status and serve as management
reports on risk mitigation progress.
Key components of a risk register include details of the threat, assessed
impact and likelihood, overall risk, recommended treatment, responsible
party, and expected completion date
Regular review and updates, typically monthly or quarterly, ensure alignment
with external changes and regulatory requirements.
