9.2: Risk Assessment & Management

Risk Management is the systematic process of identifying, analyzing, mitigating, and monitoring risks to organizational assets. It ensures that security efforts are aligned with business objectives and resources are allocated efficiently to reduce potential harm.

Effective risk management combines technical, administrative, and procedural controls and is continuous rather than one-time.

1. Risk Identification

Risk identification is the first and foundational step, focusing on discovering what could go wrong.

Key Components:

  1. Asset Inventory

    • Catalog all critical assets: servers, applications, data, personnel, and network components.
    • Include both physical and digital assets.

  2. Vulnerability Identification

    • Detect weaknesses that could be exploited: unpatched systems, misconfigured firewalls, default passwords.
    • Use vulnerability scanners (e.g., Nessus, Qualys) and manual assessments.

  3. Threat Identification

    • Identify sources of potential harm: malware, insider threats, phishing campaigns, natural disasters.
    • Consider internal and external threat actors (hackers, competitors, nation-states).

  4. Exposure Assessment

    • Determine which assets are exposed and how.
    • Example: Legacy web servers with outdated software facing the public internet are high-risk.

Output: Risk register or inventory mapping assets to vulnerabilities and threats.

2. Risk Analysis

Risk analysis evaluates the likelihood and impact of identified threats.

Approaches:

  1. Quantitative Risk Analysis

    • Assigns numerical values to potential loss and probability.

    • Metrics include:

      • Monetary loss: e.g., potential fines, data breach costs.
      • Downtime: estimated business impact in hours or days.

    • Formula:

      $$ \text{Risk} = \text{Likelihood} \times \text{Impact} $$

  2. Qualitative Risk Analysis

    • Uses descriptive scales: High / Medium / Low risk based on business impact and threat probability.
    • Useful for prioritization when precise data is unavailable.

Example:

  • Asset: Customer database on unencrypted legacy server.
  • Threat: Data breach via SQL injection.
  • Analysis: High likelihood (vulnerable server) and high impact (customer data exposure → regulatory fines).

3. Risk Mitigation

Mitigation focuses on reducing risk to an acceptable level using controls.

Types of Controls:

  1. Technical Controls

    • Firewalls and intrusion detection/prevention systems (IDS/IPS)
    • Endpoint Detection and Response (EDR)
    • Encryption of sensitive data
    • Secure configuration and patch management

  2. Administrative Controls

    • Security policies and standard operating procedures
    • Employee training and awareness programs
    • Access control and role-based permissions

  3. Physical Controls

    • Secure server rooms, surveillance, and access badges

Strategies for Risk Treatment:

  • Avoidance: Remove the risky asset or function entirely.
  • Reduction: Apply controls to reduce likelihood or impact.
  • Sharing/Transfer: Transfer risk via insurance or third-party services.
  • Acceptance: Acknowledge low-impact risks without further mitigation.

Example Implementation:

  • Unencrypted customer data on a legacy server:

    1. Encrypt sensitive data.
    2. Restrict access to only authorized personnel.
    3. Patch the server and remove unnecessary services.
    4. Monitor for suspicious access attempts.

4. Risk Monitoring

Risk monitoring is continuous oversight to ensure new threats are identified, controls remain effective, and risk levels are acceptable.

Key Practices:

  • Continuous vulnerability scanning and patch management
  • Monitoring for new threats (Threat Intelligence integration)
  • Periodic audits and risk re-assessments
  • Incident reporting and lessons learned loops

Example:

  • After securing the legacy server, monitor logs for unusual access, check for unpatched vulnerabilities, and review new threat advisories relevant to the server.

Best Practices for Risk Management

  1. Document Everything

    • Maintain a detailed risk register with asset mapping, threats, controls, and residual risk.

  2. Prioritize Based on Business Impact

    • Allocate resources to high-impact, high-likelihood risks first.

  3. Integrate with Governance

    • Risk management should align with broader GRC programs and compliance requirements.

  4. Continuous Improvement

    • Treat risk management as a dynamic, iterative process, updated with new intelligence, incidents, and changes in assets.

Key Takeaways

  • Risk Identification: Know your assets, threats, vulnerabilities, and exposure.
  • Risk Analysis: Assess likelihood and impact (quantitative or qualitative).
  • Risk Mitigation: Apply technical, administrative, or physical controls to reduce risk.
  • Risk Monitoring: Continuously track threats and adjust controls as needed.
  • Effective risk management protects business operations, aligns security with strategy, and supports compliance.
← 8.2: Log Analysis: The Core of IR and Forensics
4.3: Digital Signatures & Certificates →