ZenGRC

Simply Powerful GRC

Risk Management

Risk Management Process

· ·

Not too long ago, “risk management” was considered mainly an insurance term.

The risks a business might incur covered a fairly small and discrete range of scenarios, including the following:

  • Natural disaster risk – the potential risks you’d often buy insurance to ameliorate: tornadoes, earthquakes, fire, floods;
  • Investment risk – positive (gains) or negative (loss) due to changes in financial markets;
  • Credit risk – The risk that someone who has borrowed money from your organization will default;
  • Security risk – the risk of an unauthorized person or persons entering the building or grounds and causing harm to the business or its workers;
  • Legal risk – the risk of lawsuits;
  • Safety risk – the risk that employees will be injured on the job.

The times have changed, however, and so have risks.

With the advent of the digital age come a plethora of new risks as well as an increase in the complexity of existing ones. Every digital connection; every portal into and out of your systems, networks, and devices; every third party with whom you do business: these add layer upon layer of risk.

Every project, every business unit, every enterprise must now involve itself in the risk management process. No organization is an island; small and large, all are vulnerable.

And no longer is risk management solely the purview of the audit department: it’s an essential part of project management, human resources, information security, public relations and communications, finance – every function and department entity-wide, as well as stakeholders, business partners, and the board.

What Is the Risk Management Process?

The risk management process aims to minimize the negative effects of unfortunate events on a project, program, or business or to prevent those events from occurring altogether. At its best, it’s a proactive system for dealing with risks and potential risks before they materialize and become threats, incidents, or events.

The risk management process involves a series of actions, like stepping stones, each leading to the next and each important to your risk management program.

Those steps are, in order:

Risk assessment. Risk assessment comprises risk identification and risk analysis.

Risk identification means naming the risks that could harm your project, function, or enterprise. In this step, you make a list, using your imagination to think of every bad thing that could happen.

Of course, we can’t anticipate every occurrence. So it’s important to review this list on a regular basis and establish contingency plans for new and unforeseen risks.

In the risk analysis phase, you’ll examine each identified risk and assign it a score based on four factors:

  • Likelihood: What’s the probability of occurrence, i.e., that the risk will materialize?
  • Impact: How hard would your project, function, or enterprise be hit if the event occurred?
  • Velocity: How quickly would your project, function, or enterprise feel the impact?
  • Materialization: What’s the potential severity of the impact? To arrive at this score, add the impact and velocity scores and divide by 2.

Scores for impact and velocity – and, therefore, materialization – can be reduced with mitigations or risk controls.

Risk prioritization. Some risks are potentially more damaging, and so deserve more of your attention. Others may pose little danger and can be accepted or ignored. An effective risk management strategy requires risk prioritization according to levels of risk, to avoid wasting time and expense and let you focus on the risks that pose the greatest threat.

Risk mitigation. List each risk, its materialization score and rank, and your risk response or treatment on a risk register so you know where things stand. Typically, risk treatment consists of four options:

  • Risk acceptance
  • Risk avoidance, perhaps by not performing the action that incurs it
  • Risk transfer, usually to an insurance company
  • Risk reduction, usually by using risk controls.

A risk management framework such as COSO‘s Enterprise Risk Management – Integrated Framework or ISO 31000:2018, Risk management, can help guide you through decision-making in the risk management process.

Risk monitoring. Circumstances change. Regulations and industry standards get updated. Cybercriminals adopt new techniques for breaching systems. Staying on top of risk is a continuous process, and can be challenging.

Fortunately, digital solutions can do much of the work for you, automating your risk management and leaving you free to focus on the business at hand: keeping your clients and customers satisfied and maximizing profits.

7 Pandemic Risk Management Tips to Implement Now

· ·

Stand up your risk program

As COVID-19 continues to spread worldwide, not only disrupting health and life but also business continuity up and down the supply chain, economic and cyber risk have taken on pandemic proportions, as well.

Many enterprises are struggling just to keep essential services functioning as they send employees home to work with new, hastily procured technologies. At the same time, they’re battling a surge in cybercrime by threat actors seeking to take advantage of the chaos.

Risk management right now can feel, to these organizations, like a frantic game of whack-a-mole: mitigate one risk, and another pops up.

Add in the wild fluctuations in financial markets the pandemic has caused, and organizations in almost every sector—healthcare, banking, education, and more—find themselves managing risk at an unprecedented scale and scope, and not sure what to do next.

Even those with an enterprise risk management (ERM) or integrated risk management program in place may feel at a loss.

Whose ERM plan predicted an outbreak of one of the most contagious and deadly infectious diseases in history?

Which program foresaw a crisis that touches every aspect of business and society, from pandemic preparedness to a shift to a work-from-home (WFH) business model to crippling financial losses after a decade-long period of economic growth?

Some enterprises did respond quickly to pandemic risk warnings from the World Health Organization (WHO) or the U.S. Centers for Disease Control and Prevention (CDC), taking action before the novel coronavirus even touched U.S. shores.

Other organizations delayed responding, indicating a weakness in their ERM program or a failure to activate it as they should. Either way, these organizations will need to prepare themselves for the next crisis: Because of world travel, Bill Gates has said, we can now expect a new viral outbreak every 20 years. (Gates predicted a soon-to-strike pandemic in a 2015 TED Talk.)

Before turning your attention to the long-term, though, every enterprise must take quick action to mitigate the risks it faces now. We recommend the following steps:

  1. Appoint an emergency response team. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recommends that every organization begin its COVID-19 response by designating a response coordinator and assigning team members with specific responsibilities. This team’s primary act will be to activate the enterprise’s emergency response or resiliency plan or, if none exists, to create one, starting with a risk assessment that includes production, procurement, supply/ logistics, worker safety, and financial capital.
  2. Backup your supply chain. What will your organization do if the production of a needed raw material or component halts because of COVID-19? Do you have a backup source of those materials or components? How will you maintain inventory and cash flow during the pandemic? These and other questions should be on your business continuity checklist.
  3. Tighten your security. Threat actors are busier than ever right now, working hard to infiltrate systems and networks and access your data while your attention is elsewhere. Stay vigilant. Enlist your CISO to strengthen your cybersecurity with tools such as virtual private networks (VPN), Firewall-as-a-Service software, enhanced cloud security tools, employee security awareness training, identity and access management, and other cybersecurity solutions.
  4. Communicate, communicate, communicate. Everyone—suppliers, vendors, board members, partners, employees, clients, customers—needs to hear from you now. They need to know what you’re doing to keep your workplace safe; how you’re protecting your business operations and finances during this crisis; what services and products you have available to them; and what you’re doing to help the community. Your public relations and communications efforts have never been more critical.
  5. Help your employees. This is a stressful time for many juggling home and work life, parenting children who are out of school, dealing with social isolation, worrying about the health and well-being of friends and family, struggling with reduced pay, and much more. Reaching out to assist those who work for you, including offering confidential health monitoring, will demonstrate your commitment to them and increase their loyalty to you. We are all in this together.
  6. Consult your attorneys and risk managers. As remote work, business facility lockdowns, and supply-chain interruptions affect your business, how are you honoring your contracts and staying compliant with regulatory and industry standards? What are your rights and responsibilities right now?
  7. Modernize your risk management program. The best risk management programs today use digital solutions to help with risk assessments, test controls, find gaps and issue alerts in real-time, provide detailed risk mitigation checklists, and manage workflows—all automatically, freeing you to focus on keeping your business, personnel, and customers safe and healthy during the COVID-19 pandemic.
    ZenGRC performs all these tasks and more, including unlimited self-audits, audit trail documentation, and integration with all of your business applications. Contact us today for a free consultation, and embark on the path to the worry-free, comprehensive risk and compliance management.

The Difference Between Vulnerability Assessment and Vulnerability Management

· ·

In today’s constantly evolving cybersecurity threat landscape, you have to do everything possible and then some to protect your critical data assets.

Performing a vulnerability assessment and implementing a vulnerability management program can help your organization effectively deal with cybersecurity vulnerabilities.

However, it’s important to understand the difference between vulnerability assessment and vulnerability management.

What is Vulnerability Assessment?

A vulnerability assessment is a one-time project with a specific start and end date. Generally, an external information security consultant will review your IT environment to uncover any vulnerabilities that cybercriminals could potentially exploit.

The information security consultant will document these vulnerabilities in a detailed report and offer recommendations to remediate those vulnerabilities. Once the information security consultant prepares the report, the vulnerability assessment is over.

A vulnerability assessment identifies the security vulnerabilities in your network, systems, and hardware rates according to technical severity and provides the steps necessary to fix those security vulnerabilities. Additionally, a vulnerability assessment should consider the business processes that could be impacted by cybersecurity vulnerabilities.

A vulnerability assessment offers information that your information security and information technology teams can use to better mitigate and prevent cybersecurity threats.

Even the most secure IT environment typically has some cybersecurity vulnerabilities lurking inside. Vulnerability scanning tools can uncover host cybersecurity vulnerabilities along with network cybersecurity vulnerabilities.

A vulnerability assessment that aims to identify cybersecurity threats and the risks they pose is generally conducted via automated vulnerability scanning tools, such as network vulnerability scanners, whose results are listed in the consultant’s vulnerability assessment report. However, a network vulnerability assessment should also include the technical assessments of your information security staff.

Typically, a vulnerability assessment is followed by penetration testing since it doesn’t make sense to conduct penetration testing before you fix the security vulnerabilities identified by vulnerability assessment. The goal of penetration testing is to examine the network environment after you remediate security vulnerabilities. The main objective of penetration testing is to identify security weaknesses or “weak spots” in an organization’s security posture that your team may not already be aware of.

Types of Vulnerability Assessments

The vulnerability assessment process includes using a variety of tools, scanners, and methodologies to identify vulnerabilities, threats, and risks.

Some of the different types of vulnerability scans include:

  • Network-based scans that identify possible network cybersecurity attacks.
  • Host-based scans that locate and identify cybersecurity vulnerabilities in your workstations, servers, and other network hosts.
  • Wireless network scans of your Wi-Fi network that center around attack vectors in your wireless network infrastructure.
  • Web application scans that test websites to detect known software vulnerabilities as well as network or web applications that aren’t configured correctly.

Because the risk environment is constantly changing, you should conduct regular vulnerability assessments along with vulnerability scanning and penetration testing as part of your company’s cybersecurity plan.

You should implement vulnerability testing regularly to ensure the security of your network, particularly when you make changes, e.g., add services, install new equipment, or open new ports.

What is Vulnerability Management?

As opposed to the vulnerability assessment that has a specific start and end date, a vulnerability management process is an ongoing, comprehensive program that continuously manages cybersecurity vulnerabilities.

The purpose of a vulnerability management program is to establish controls and processes that will help you identify vulnerabilities within your organization’s technology infrastructure and information system components.

Vulnerability management is a best practice that’s recommended to protect your company and its sensitive corporate data. As such, implementing a comprehensive vulnerability management process represents the starting point of an effective program that can help you boost your organization’s cybersecurity.

Basically, vulnerability management is the continual process of identifying, evaluating, remediating, and reporting on cybersecurity vulnerabilities in systems and the software that runs on those systems. After the vulnerability management process verifies that the remediation has been done, the discovery process starts again.

There are a variety of vulnerability scanning tools on the market that you can use to perform the vulnerability scans required by the discovery stage. An information security consultant often uses these vulnerability scanning tools to assess the current state of an enterprise’s security posture.

However, it’s important to understand that as soon as the information security consultant presents you with the report, the content is already out of date because new cybersecurity vulnerabilities are being uncovered constantly.

That’s why vulnerability management has to be a continual process that requires vulnerability scanning to assess vulnerabilities on an ongoing basis to ensure you understand exactly where your weaknesses are and what you are doing about them.

Steps for Vulnerability Management

A vulnerability assessment program is a critical part of a comprehensive vulnerability management strategy. An effective vulnerability management process generally includes the following steps that should be repeated continually:

  1. Asset inventory
  2. Information management
  3. Risk assessment
  4. Vulnerability assessment.

Asset inventory

One of the first steps in the vulnerability management process is conducting an inventory of your assets. As a result of mergers and acquisitions, for example, your company may not have an accurate inventory of all the assets that need to be protected. Too often, companies have unknown assets in their environments that could compromise their cybersecurity over the long run. A centralized asset inventory function enables you to understand your company’s asset inventory and helps strengthen its security posture.

Information management

Once you’ve identified all your assets and continue to manage them on a regular basis, another critical step in the vulnerability management process is to manage the information related to your cybersecurity.

To ensure you implement an effective vulnerability management program, you need to establish a dedicated computer security incident response team. This team publishes security advisories, leads regular conference calls with stakeholders to talk about malicious activity, and simplifies and distributes security alerts. Your team should also create effective incident response guidelines that all of your employees can understand.

Risk assessment

Another critical part of an effective vulnerability management program is proper risk assessment or risk management. However, many companies don’t have the necessary documentation to enable them to manage their risk. Another problem is that individual business units don’t share information about their critical assets and the value of those assets with each other.

A risk assessment is a key to understanding the various cybersecurity threats to your systems, determining the level of risk your systems are exposed to, and recommending how to protect them.

A comprehensive risk assessment will also help you conduct a proper risk review and ensure the owners of the assets sign off on acceptable levels of risk in the event remediation isn’t necessary. A risk assessment will also assign approval of high-level risks to executives. If your company doesn’t have dedicated risk management software in place, you can use checklists or Excel spreadsheets to simplify risk analysis.

Vendor risk management is also a primary component of cybersecurity compliance. A robust vendor risk management program can also protect your data, reputation, and business. Generally, major regulations, including the Health Insurance Portability and Accountability Act (HIPAA), require that you implement formal vendor risk management policies and programs.

Vulnerability assessment

A vulnerability assessment is a major part of a vulnerability management framework and one of the best ways to improve your IT cybersecurity. Many companies continue to grapple with unknown assets, poorly configured network devices, disconnected IT environments, and way too much data to process and analyze.

A vulnerability assessment will identify the key information assets of your organization, determine the vulnerabilities that threaten the security of those assets and provide recommendations to strengthen your security posture and help mitigate risk.

Vulnerability scanning will allow you to conduct a full inventory of all your software and the exact versions of that software. Your IT environment is constantly changing, for example, because of software updates or system configuration changes, potentially introducing new cybersecurity risks. As such, you should perform new vulnerability assessments and scans regularly.

Bottom Line

A vulnerability assessment is a key part of vulnerability management, allowing organizations to protect their systems and data from cybersecurity breaches and unauthorized access. However, while a vulnerability assessment has a specific start and end date, vulnerability management is a continual process that aims to manage an organization’s cybersecurity vulnerabilities long-term.

Because cybersecurity vulnerabilities can enable hackers to access your IT systems and applications, it’s critical that you identify and remediate cybersecurity vulnerabilities before they can be exploited.

A comprehensive vulnerability assessment along with a continual vulnerability management program can help your organization improve the security of its IT infrastructure.

What is a Dynamic Risk Assessment?

· ·

A Dynamic Risk Assessment (DRA) is a continuous process used in decision making to assess and analyze a work environment in real-time with the goal of removing risk. The idea behind a DRA is to identify risk on the spot and make quick decisions on how best to mitigate the risk. 

Dynamic Risk Assessment is often used by emergency services in health and safety for risk management. The assessment is most often leveraged when new equipment or resources are introduced, supervisors change, work is reallocated, or when there are clear threats to safety and security. 

There are several control measures that should be observed when conducting a dynamic standard risk assessment:

  1. Identify hazards or anything that may cause harm.
  2. Decide who and what may be harmed and how it may occur.
  3. Assess the risks and take appropriate actions.
  4. Make a record of the findings for later review.
  5. Review the risk assessment.

All stages of the risk assessment should be documented to better prepare for future hazards and identify warning signs. Technology plays a large role in making the DRA process repeatable and useful for enabling safe systems.

Pros and Cons of the FAIR Framework

· ·

The Factor Analysis of Information Risk (FAIR) framework was developed by Jack Jones. FAIR is a risk management framework championed by the open group that enables organizations to analyze, measure, and understand risk. The FAIR model evaluates factors that contribute to IT risk and how they impact each other while breaking down risk by identifying and defining the risk model. FAIR is most often used to establish probabilities for the frequency and magnitude of data loss. 

The framework is complementary to information security programs as well as existing risk analysis processes and helps to strengthen an overall analysis. FAIR functions best when an organization understands what risk is. Once risk is understood, FAIR discusses operational risk concepts for better analysis and probability of the risk related to cybersecurity.

The Main Concepts of FAIR

The old saying goes “You can’t manage what you can’t measure”. FAIR promotes the concept that risk is uncertain and organizations should instead focus on how probable it is that an event will occur before moving to decision making. Probability is the key when it comes to FAIR and the analysis is deeply based on understanding the factors and the probability of asset loss. In order to measure risk via risk scenarios, there are several steps that need to happen.

  • Definition: Define the risks.
  • Measurement: Measure the risks.
  • Comparison: Compare the risks to past, present, and future risks.
  • Informed Decision: Make informed decisions about risks.
  • More Effective Management: Management of risks is more effective because of the previous steps.

The FAIR approach to Risk Taxonomy and Technical Standard are laid out as follows:

Risk: The probable frequency and magnitude of future loss:

  • Loss Event Frequency — time-based occurrence of loss due to threat against an asset
    • Threat Event Frequency — time-based occurrence of a threat or action against an asset
      • Contact — time-based occurrence of a threat that may contact an asset
        • Random — it just “happens”
        • Regular — actions of the threat agent are predictable
        • Intentional — targeted threat seeks a specific target
      • Action — probability that a threat will act against an asset
        • Value — the perceived value of the asset to the threat
        • Level of Effort — the threat level of effort to accomplish an act
        • Risk — if the threat acts, what is the risk to the attacker
    • Vulnerability — probability that an asset will be unable to resist a threat actor
      • Control Strength — how strong are the controls protecting an asset
      • Threat Capability — how much damage can a threat do to an asset
  • Probable Loss Magnitude — the likely outcome of a successful threat
    • Primary Loss Factors — what can be lost from an asset
      • Asset Loss Factors — value and liability of an asset
        • Value — what is an asset worth
          • Criticality — productivity impact
          • Sensitivity — the potential harm of a threat
            • Embarrassment
            • Competitive Advantage
            • Legal/Regulatory
            • General
          • Cost — the value of an asset
        • Volume — how much of an asset
      • Threat Loss Factors — What factors can influence the loss of an asset by a threat
        • Competence
        • Action
          • Access
          • Misuse
          • Disclose
          • Modify
          • Den Access
        • Internal versus External
    • Secondary Loss Factors — What other factors can influence the loss of an asset
      • Organizational Loss Factors
        • Timing
        • Due Diligence
        • Response
          • Containment
          • Remediation
          • Recovery
        • Detection
      • External Loss Factors
        • Detection
        • Legal & Regulatory
        • Competitors
        • Media
        • Stakeholders

FAIR Basic Risk Assessment Methodology:

  1. Stage 1: Identify scenario components
    1. Identify the asset at risk
    2. Identify the threat community under consideration
  2. Stage 2: Evaluate Loss Event Frequency (LEF):
    1. Estimate the probable Threat Event Frequency (TEF)
    2. Estimate the Threat Capability (TCAP)
    3. Estimate Control Strength (CS)
    4. Derive Vulnerability (Vuln)
    5. Derive Loss Event Frequency (LEF)
  3. Stage 3: Evaluate Probable Loss Magnitude (PLM)
    1. Estimate worst-case loss
    2. Estimate Probable Loss Magnitude (PLM)
  4. Stage 4: Derive and articulate risk:
    1. Derive and articulate risk

The Pros and Cons of the FAIR Framework

Why FAIR makes sense:

  • FAIR plugs in and enhances existing risk management frameworks.
  • FAIR has a solid taxonomy and technology standard.
  • FAIR leverages analytics to determine risk and risk rating.
  • FAIR allows for organizations to make decisions when hard information is lacking based on the formula Risk = (Threat * Vulnerability) / Controls.

Why some may not see the benefit:

  • FAIR is not a methodology for performing organizational or individual risk assessments.
  • FAIR does a great deal of “estimating” which can be perceived as guessing.
  • FAIR requires a tightly defined taxonomy to function.
  • FAIR technical standards describe risk and relationships but lack real measurements and assessment methodologies.

A risk management program is critical to an organization’s information security strategy. The FAIR model has been shown to augment and strengthen existing risk management initiatives, especially ones that focus on analytics. Like most models, FAIR is far from perfect. Some find the reliance on estimates and lack of metrics difficult to justify.

Others look at the model as a great way of building on top of an existing risk management framework with the goal of enhancing analysis and having a common taxonomy. The Open Group continues to champion the use of the FAIR framework for foundational risk analyses. Chief Information Security Officers (CISOs) are continually challenged to provide risk mitigation strategies that board members are able to understand. Overall, FAIR is a good way of communicating clear taxonomy and technology standards to board level executives while providing important risk mitigation strategies.