-
Notifications
You must be signed in to change notification settings - Fork 283
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #12 from suvamdebnath/patch-1
Update Risk Management.md
- Loading branch information
Showing
1 changed file
with
37 additions
and
69 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,71 +1,39 @@ | ||
| # Risk Management | ||
| ## Understanding risks | ||
| - Internal Risks: Arise from **within** the organization. | ||
| - External Risks: Arise from **outside** the organization. | ||
| - Multiparty Risks: Affect **more than one** organization. | ||
| - Intellectual property therft : poses a risk to **knowleage-based** organizations. | ||
| - Software license compliance: issues risk fines and legal action. | ||
|
|
||
|
|
||
| ## Risk assessment | ||
| Risk assessment **identifies** and **triages** risks. | ||
|
|
||
| - **Threats**: are external forces that jeopardize security. | ||
| - **Vulnerabilities**: are weaknesses in your security controls. | ||
| - **Risks** : are the combination of a threat and a vulnerability. | ||
|
|
||
| Risks rank by **Likelihood** and **Impact**. | ||
| - **Likelihood**: is the probability a risk will occur. | ||
| - **Impact**: is the amount of damamge a risk will cause. | ||
|
|
||
| we have two different categories of technique that we can use to assess the likelihood and Impact of a risk. | ||
| 1. Qualitative Risk Assessment: Uses subjective ratings to evaluate risk likelihood and impact. | ||
|
|
||
| ![[Qualitative Risk assessment.png]] | ||
|
|
||
| 2. Quantitative Risk Assessment: Uses Objective numeric ratings to evaluate risk likelihood and impact. | ||
|
|
||
|
|
||
| ## Risk treatment | ||
| Risk treatment analyzes and implements possible responses to control risk. | ||
|
|
||
| Risk Treatment Options | ||
| 1. Risk avoidance | ||
| - Risk avoidance changes business practices to make a risk irrelevant. | ||
| 2. Risk transference | ||
| - Risk treatment analyzes and implements possible responses to control risk. | ||
| 3. Risk mitigation | ||
| - Risk mitigation reduces the likelihood or impact of a risk. | ||
| 4. Risk acceptance | ||
| - Risk acceptance is the choice to continue operations in the face of a risk. | ||
|
|
||
| ## Selecting security controls | ||
| Security controls reduce the likelihood or impact of a risk and help identify issues. | ||
|
|
||
| Two different ways of security controls | ||
| 1. Control Purpose | ||
| 1. Preventive | ||
| - Preventive controls stop a security issue from occcurring. | ||
| 2. Detective | ||
| - Detective controls identify security issues requiring investigation. | ||
| 3. Corrective | ||
| - Recovery controls remediate security issues that have occurred. | ||
| 2. Control Mechanism | ||
| 1. Technical | ||
| - use technology to achieve control objectives. | ||
| 2. Administrative | ||
| - use processes to achieve control objectives. | ||
| 3. Physical | ||
| - Impact the physical world. | ||
|
|
||
| ## Configuration managment | ||
| Tracks specific device settings | ||
| - Baselines: Provide a configuration snapshot. | ||
| - Versioning: Assigns numbers to each varsion. | ||
| - Diagrams serve as important configuration artifacts. | ||
| - Standardize Device Configurations | ||
| - Naming conventions | ||
| - IP adderessing schemes | ||
| - Change and management help ensure a stable operating environment. | ||
|
|
||
| ## Understanding Risks | ||
|
|
||
| Risks within an organization can broadly be categorized into two types: Internal Risks, which originate from within the organization, and External Risks, which stem from factors outside the organization's control. Additionally, there are Multiparty Risks that affect more than one organization, as well as risks specific to knowledge-based organizations such as Intellectual Property Theft and Software License Compliance issues. | ||
|
|
||
| ## Risk Assessment | ||
|
|
||
| Risk assessment is the process of identifying and evaluating potential risks. It involves analyzing Threats, which are external forces that pose security risks, and Vulnerabilities, which are weaknesses in the organization's security controls. Risks, therefore, arise from the combination of a Threat and a Vulnerability. Risks are typically assessed based on their Likelihood, the probability of occurrence, and their Impact, the potential damage they may cause. | ||
|
|
||
| There are two primary techniques for assessing risks: | ||
|
|
||
| 1. **Qualitative Risk Assessment**: This method utilizes subjective ratings to evaluate the likelihood and impact of risks. It often involves qualitative descriptions or ranking scales to assess risks. | ||
|
|
||
| 2. **Quantitative Risk Assessment**: In contrast, quantitative risk assessment employs objective numeric ratings to evaluate the likelihood and impact of risks. It involves mathematical models and statistical analysis to quantify risks more precisely. | ||
|
|
||
| ## Risk Treatment | ||
|
|
||
| Risk treatment involves analyzing and implementing responses to manage and control identified risks. There are four main options for treating risks: | ||
|
|
||
| 1. **Risk Avoidance**: This strategy involves altering business practices to make certain risks irrelevant, effectively eliminating them from consideration. | ||
|
|
||
| 2. **Risk Transference**: Risk transference involves shifting the financial burden of a risk to another party, such as through insurance or contractual agreements. | ||
|
|
||
| 3. **Risk Mitigation**: Risk mitigation aims to reduce the likelihood or impact of a risk through various measures, such as implementing security controls or enhancing protective measures. | ||
|
|
||
| 4. **Risk Acceptance**: Sometimes, organizations choose to accept certain risks, acknowledging them as part of doing business while implementing measures to monitor and manage them effectively. | ||
|
|
||
| ## Selecting Security Controls | ||
|
|
||
| Security controls play a crucial role in reducing the likelihood or impact of risks. They can be categorized based on their purpose and mechanism: | ||
|
|
||
| 1. **Control Purpose**: Controls can be preventive, detective, or corrective, depending on whether they aim to prevent security issues, identify them, or address them after they occur. | ||
|
|
||
| 2. **Control Mechanism**: Controls can be technical, administrative, or physical, utilizing technology, processes, or physical measures, respectively, to achieve control objectives. | ||
|
|
||
| ## Configuration Management | ||
|
|
||
| Configuration management involves tracking and maintaining specific device settings to ensure a stable operating environment. It includes activities such as establishing baselines, versioning configurations, and standardizing device settings through naming conventions and IP addressing schemes. Change management processes help implement and track changes to configurations, ensuring consistency and stability. |