Which of the following best describes a responsibility of a cybersecurity risk manager
Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cybersecurity perspective, industries such as energy, healthcare, banking, insurance and retail involve many risks that impede the adoption of technology and need to be managed effectively. The risks that need to be addressed evolve quickly and must be handled in a short period of time.
Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced diagnostic medical services. Each of these types of devices needs to be secured, since each has its own requirements regarding the confidentiality, integrity and availability of the data or resources it provides. Risk management involves comprehensive understanding, analysis and mitigation of risk to help organizations achieve their information security objectives. Risk is inherent in every information security decision, and risk management concepts therefore help each decision to be effective.
CISSP domain 1: Security and risk management
Security and risk management is the first of the eight domains covered on the CISSP certification exam. The exam was last updated in May 2021, and the updated exam subdomains include:
Below is additional information on security and risk management that will help you prepare for the CISSP certification exam. Additional information can be found in the CISSP exam outline.
Goals of a security model
The two primary objectives of information security within the organization from a risk management perspective include:
Strategy leads to tactics, tactics lead to operations
The strategic goals may then refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that gives management and employees a good level of assurance. A security model has different layers, but it also has different types of goals to accomplish in different time frames.
This technique and approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Often, certain changes cannot happen until other changes have taken place. If an organization whose network is currently decentralized and organized into workgroups without any domain trust wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week. The operational goals are to keep production running smoothly and to take small steps towards readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and to centralize access control and authentication. The strategic goal is to have all workstations, servers and devices within the enterprise use the public key infrastructure to deliver authentication, encryption and additional secure communication channels. Generally, security works best if its operational, tactical and strategic goals are defined and work to support each other. This can be more difficult than it appears.
Security fundamentals: CIA
Confidentiality, integrity and availability (the CIA triad) form the standard security framework that guides information security policies within an organization.
1. Confidentiality: Prevent unauthorized disclosure
Confidentiality of information refers to protecting the information from disclosure to unauthorized parties. Key areas for maintaining confidentiality:
2. Integrity: Detect modification of information
The integrity of information denotes protecting sensitive information from being modified by unauthorized parties. Key areas for maintaining integrity:
3. Availability: Provide timely and reliable access to resources
Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed. Key areas for maintaining availability:
Best practices to support CIA
Risk management and the CISSP
Risk management is the process of identifying, examining, measuring, mitigating or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as assessment, analysis, mitigation and ongoing risk monitoring, which we discuss in the latter part of this article. The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities. Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.
Best practices to support risk management
The following definitions are crucial for risk management:
Multiple scenario-based use cases are evaluated in the CISSP exam, based on the following general sources of risk:
Lifecycle of risk management
Each section within the lifecycle is crucial for the CISSP and is defined further below.
1. Risk assessment
A risk assessment looks at the risks associated with identified parameters over a specific period and must be repeated periodically, since managing risk is an ongoing process. The following steps are officially part of a risk assessment as per NIST 800-30:
2. Risk analysis
Risk can be analyzed through a qualitative and a quantitative lens. Qualitative analysis is subjective in nature and uses words like “high,” “medium” and “low” to describe the likelihood and severity of the impact of a threat exposing a vulnerability. Quantitative analysis is objective and numbers-driven. It requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are fundamentally driven by this type of analysis, and it is essential in order to conduct a cost/benefit analysis. Key pointers to remember for risk analysis include:
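The quantitative analysis described above, worked through in code as an added example (not from the original article): it uses the single-loss-expectancy and annualized-loss-expectancy formulas commonly taught for the CISSP exam, and the asset values, exposure factors and frequencies are constructed sample figures, not numbers from the page.

```python
"""Quantitative risk analysis: dollar value per risk and cost/benefit of a control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: business/replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(r: RiskScenario) -> float:
    """SLE = AV x EF: dollar loss from a single occurrence of the threat event."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: RiskScenario) -> float:
    """ALE = SLE x ARO: expected dollar loss per year, the figure used to prioritize risks."""
    return single_loss_expectancy(r) * r.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost of the control.

    Positive means the control saves more than it costs; negative means accepting or
    transferring the risk is probably the better response.
    """
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_cost


def prioritize(scenarios: list[RiskScenario]) -> list[tuple[str, float]]:
    """Rank scenarios by ALE, highest first, so the costliest risks are handled first."""
    ranked = [(s.name, annualized_loss_expectancy(s)) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample scenarios (illustrative numbers only, not from the article).
RANSOMWARE = RiskScenario("ransomware on file server", 500_000, 0.4, 0.5)
RANSOMWARE_WITH_BACKUPS = RiskScenario("ransomware, with tested offline backups", 500_000, 0.05, 0.5)
PHISHING = RiskScenario("credential phishing", 200_000, 0.1, 2.0)

if __name__ == "__main__":
    for name, ale in prioritize([RANSOMWARE, PHISHING]):
        print(f"{name}: ALE ${ale:,.0f}")
    # Net value of spending $60,000/year on the backup control against the ransomware risk.
    print(f"backup control net value: ${safeguard_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, 60_000):,.0f}")
```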
3. Mitigating risk
There are three acceptable responses to risk mitigation:
Organizations need to continue to monitor for risks. How an organization decides to mitigate business risks becomes the basis for security governance and policy.
Security governance and policy
The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failure of a security program are directly involved. To achieve security governance, security blueprints have to be created that allow organizations to implement practices and procedures supporting their security goals and the overall mission of the organization. Various industry consortiums have provided insight into the goals, objectives and means of developing successful information security management systems (ISMS). The following industry standards are among those that provide frameworks which can be reviewed when creating security baselines to achieve security governance.
Approach to security management
Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management (the top-down approach); without that support, any security effort is doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program on its own. This approach usually does not give those individuals the necessary funds, support, resources or attention, and so it is often doomed from the start. An information security management program primarily consists of the following key areas to be aware of:
Senior management’s roles and responsibilities across the following areas are generally evaluated for the CISSP and are crucial for an overall understanding of security risk management in any organization.
What is the role of risk management in cybersecurity?
Cybersecurity risk management is a strategic approach to prioritizing threats. Organizations implement cybersecurity risk management in order to ensure that the most critical threats are handled in a timely manner.
Which best describes cybersecurity risk?
Cybersecurity risk is the probability of exposure or loss resulting from a cyber attack or data breach on your organization. A better, more encompassing definition is the potential loss or harm related to the technical infrastructure, use of technology or reputation of an organization.
Who has the final responsibility for cyber risk management?
Cybercrime is a senior executive responsibility. It is important to remember that when a data protection breach or attack takes place, it is the CEO who is liable. It is still common for senior-level management to become involved only after a breach and not before.
What are the different responsibilities of the risk manager?
Duties/Responsibilities:
Reviews and assesses risk management policies and protocols; makes recommendations and implements modifications and improvements.
Recommends and implements risk management solutions such as insurance, safety and security policies, business continuity plans, or recovery measures.