Risk management involves everyone, not only the employees who work for you directly but also contractors and other third parties. Those third parties should be providing you with information about the services they deliver, the regional legislation and regulations that apply to them, and the security of the IT systems themselves. This is the cyber risk management component.
To do this, we follow five key risk management steps. All of them start from understanding the infrastructure and identifying the assets: the buildings, the IT systems, the data, and the people we need to run those systems.
The first of the five steps is to analyse the potential events that could disrupt the infrastructure; this is the threat assessment. Next, assess the likelihood of the threat succeeding: how vulnerable is the target system, and how likely is it that the threat could actually reach that target system?
Then agree on the potential impact of such an event; this is the impact analysis or consequence analysis. Develop an improvement programme to manage those risks, that is, to reduce the likelihood of those risks happening. Finally, monitor and review the risk programme.
The most important thing to be aware of when looking at these risk management components is consistency. Do not assume that a weakness in a cyber system is, by itself, a risk. It may be a problem, but whether it is a risk can only be determined by validating the impact on the business and assessing what could actually happen to stop the business from operating.
Step 1: Risk Identification
Step 1: Risk Idenfication
- What is the asset—a computer or network system, data, a physical location, or personnel?
- What is the threat—
- What is the likelihood of it happening (threat and vulnerability assessment)? Could the threat take advantage of a flaw?
Step 2: Risk Assessment
Identify and describe the threats to a specific asset. That is, what kinds of circumstances could occur that would put that asset in jeopardy? These are likely to include deliberate, natural, and accidental incidents. The threats must then be classified according to their likelihood of occurrence. For natural catastrophes such as earthquakes, landslides, or tsunamis, risk management should examine how likely such events are in a given location. Deliberate cyber attacks can be assessed by considering the frequency of such events as reported by the various cyber threat agencies, the cost of conducting such an attack, and the level of skill required. Ideally, all security events should be logged so that any change or escalation in the threat picture can be identified.
Consider how vulnerable the asset is to the various threat scenarios. This is divided into two parts:
- The flaws or weaknesses in the asset that could be exploited by the threat or attacker. In the cyber world this usually means known vulnerabilities disclosed by system suppliers that should be patched. It might also be a decision such as building a data centre in a dried-up river bed that floods occasionally, however infrequently.
- The asset's exposure to the threat. For example, a completely unpatched and unprotected system with no external network connections has little exposure to remote attackers and can be regarded as relatively safe from them (though not from insiders or removable media). Vulnerability assessments are typically accompanied by infrastructure scans or penetration tests. Note that the scans and tests are not risk assessments in themselves; they are only one input to the broader company risk assessment.
Step 3: Risk Ranking
Rank the identified risks by:
- the significance (impact) of the risk to the business,
- the probability of a successful threat event,
- the expense of remediation,
- the effectiveness of that remediation,
- the ease of the remediation activity,
- and its alignment with the overall plan.
Step 4: Risk Treatment
- Accept the risk (knowingly, with a clear understanding of its consequences).
- Transfer the risk to a third party, for example through insurance or outsourcing, recognising that accountability cannot be transferred.
- Treat the risk by reducing its likelihood or its impact.
Step 5: Monitor and Evaluate