Risk management is the process of identifying risks within a company and making decisions about how to reduce the risks so that an incident does not cause harm to the company and its assets. You may not be able to eliminate the risk completely, but you may be able to put procedures in place to reduce it or keep it an acceptable level.

The first step in risk management is to identify the asset. Is it a top secret document? If that was the case you'd limit access to the document. The top secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it.

For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24-carat gold and you left it outside your house at night, it would...

Creating policies, plans, and procedures is a part of risk management and helps to reduce the attack surface and prevent incidents from happening. Let's look at the different type of policies that can be used.

Standard Operating Procedures (SOP) give us step-by-step instructions about how an activity is to be carried out. An example would be how to back up data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours, whereas archive data may be backed up monthly. The SOP would also state the medium to be used for the backup; it may be backed up to a NetApp or network share...

Role-based awareness training is mandatory training that an employee carries out on an annual basis; an example of this would be security awareness training that is used by companies to reduce their security risks. During the training, employees will learn about social engineering attacks where the employee is targeted, for example, a phishing email. There will be more information about attacks in Chapter 8, Protecting Against Attacks and Vulnerabilities.

General security policies affecting...

Business impact analysis (BIA) looks at the financial loss relating to an incident and does not look at how the threat or how an event occurred. It measures the additional cost due to various factors.

Financial loss factors include the following:

• Loss of sales
• Regulatory fines and contract penalties
• Purchase of new equipment to return to an operational state
• Additional labor required until returning to an operational state
• Do we need to seek a new property to operate in?

Impact factors include the following:

• Loss of company brand or reputation
• Loss of life
• Were safety procedures in place?

Personal data use, storage, and access are regulated, and a company will be fined if they do not handle data properly. There are two policies that we need to look at, and these are the privacy threshold assessment and the privacy impact assessment. Let's now look at these:

• Privacy Threshold Assessment: This assessment is to help identify personal information, described as either Personally Identifiable Information (PII), Sensitive Personal Information (SPI), or Public Health Information (PHI), as used in information security and privacy laws.

• Privacy Impact Assessment (PIA): A PIA is an analysis of how personally identifiable information is collected, used, shared, and maintained. Should you have a project that requires access to the PII, SPI, or PHI information, you may need to fill in a PIA screening form justifying...

Your supply chain is the companies that you totally rely upon to provide the materials for you to carry out a business function or make a product for sale. Let's say that you are a laptop manufacturer and Company A provides the batteries and Company B provides the power supplies. If either of these runs short of either batteries or power supplies it stops you from manufacturing and selling your laptops.

Company C provides your broadband internet access and you are totally reliant upon them for the internet - you may mitigate the risk of the internet failing by adopting vendor diversity, where you purchase broadband from Company D so that if either of your suppliers fails you still...

The following concepts are used to carry out the business impact analysis:

• Recovery Point Object (RPO): RPO is how much time a company can last without its data before it affects operations. This is also known as acceptable downtime; if a company agrees that it can be without data for three hours, then the RPO is three hours. If the IT systems in a company suffer a loss of service at 13:00 hours, then the RPO would be 16:00 hours. Any repair beyond that time would have an adverse impact on the business.
• Recovery Time Object (RTO): RTO is the time that the company has been returned to an operational state. In the RPO scenario, we would like the RTO to be before 16:00 hours. If the RTO is beyond 16:00 hours, then once again it has an adverse impact on the business.
• Mean Time to Repair (MTTR): MTTR is the average amount of time it takes to repair...

Risk is the probability that an event will happen - it could bring profit to you. For example, if you place a bet in roulette at a casino then you could win money. It is, however, more likely that a risk will result in financial loss or loss of service. Companies will adopt a risk management strategy to reduce the risk they are exposed to, but may not be able to eliminate the loss completely. In IT, new technology comes out every day and poses new risks to businesses, and therefore risk management is ever evolving.

The main components are assets, risks, threats, and vulnerabilities:

• Asset: The first stage in risk management is the identification and classification of the asset. If the asset is a top secret document, you will handle and store it differently than an asset that is unclassified and available for free on the internet.
• Risk: Risk is the...

When we look at the overall risk for the company we will use a risk register. This is a list of all of the risks a company could face. The risk to the finance department with be assessed by the financial director and IT-related risk would be looked at by the IT manager. Each department can identify the assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners - they are responsible for them:

There are two different approaches to risk management and they are qualitative and quantitative risk assessments. Let's look at both of them:

• Qualitative Risk Analysis: Qualitative risk analysis is when the risk is evaluated as a high, medium, or low risk.
• Quantitative Risk Analysis: Quantitative risk analysis is where you look at the high qualitative risks and give them a number value so that you can associate them with a cost for the risk.

In this example, we are going to grade a risk and its probability from 1 - 9, with 1 being low and 9 being high. If we look at the impact of losing a mail server, the qualitative risk analysis would say that it is high, but the probability of losing it would be low:

1. What is the purpose of standard operating procedures?
2. What is the purpose of BPA?
3. What is the difference between an MOU and an MOA?
4. What is the purpose of an ISA?
5. What is the benefit of introducing separation of duties into the finance department?
6. What is the purpose of a risk register?
7. What is the purpose of job rotation?
8. What is the purpose of mandatory vacations?
9. What is the first stage in risk assessment?
10. Why would a company introduce a clean desk policy?
11. If someone brought their own laptop to be used at work, apart from an on-boarding policy, what other policy should be introduced?
12. What is the purpose of an exit interview?
13. When would you adopt risk avoidance?

14. What is the purpose of risk transference?
15. What are rules of behavior?
16. Why would a company run an annual security awareness training program?
17. What is cognitive hacking and what should we avoid to mitigate...

1. Standard operating procedures are step-by-step instructions about how a task should be carried out so that employees know exactly what to do.
2. A BPA is used by companies in a joint venture and it lays out each party's contribution, their rights and responsibilities, how decisions are made, and who makes them.
3. A memorandum of understanding is a formal agreement between two parties but it is not legally binding, whereas the memorandum of agreement is similar but is legally binding.
4. An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection and how to secure it; for example, they may use a VPN to communicate.
5. If we adopted separation of duties in the finance department, we would ensure that nobody in the department did both parts of a transaction. For example...