2.2 Analyzing Risk Scenarios
Risk Scenarios
· A risk scenario describes a potential risk event and its impact on business processes. For example, a risk practitioner may define the following risk scenarios:
§ What is the impact on business processes if the network is not available?
§ What is the impact on business processes in case of system downtime?
§ What is the impact on business processes if the database is hacked?
· Risk scenarios are potential risk events that are used to determine the current state of preparedness and the probable impact on business processes.
· Analysis of various risk scenarios helps the organization stay prepared for possible events and thus minimize the impact of an event by taking appropriate measures.
· Unpreparedness may cause severe damage and result in much higher recovery costs.
· A risk register includes the status of all currently identified risks along with corrective actions and residual risk.
Policies & Standards
· Approved policies give the organization direction regarding acceptable and unacceptable behaviours and actions.
· Guidelines and procedures provide detailed do's and don'ts to support the organization's policies.
· A standard is a mandatory requirement that must be followed to comply with a given framework or certification. Standards help ensure efficient and effective processes, which result in reliable products or services. Standards are updated as and when required to keep pace with the current environment. In the absence of documented policies, guidelines and procedures, it is difficult to achieve the intended objectives of the organization.
· It is very important for a risk practitioner to determine the availability and adequacy of organization-level policies.
Data Classification Policy
A data classification policy plays a pivotal role in defining the level of controls required for each class of assets. A data classification policy includes:
· categories for asset classification
· level of protection to be provided for each category of data
· roles and responsibilities of end users
· roles and responsibilities of system and data owners
Data Retention Policy
· A data retention policy defines the retention period for each class of data. The two major factors on which the data retention period is defined are:
§ Business requirements
§ Legal and contractual requirements
Global Policy
· It is very difficult for a multinational organization to manage a different policy for each region. A single uniform policy is not possible either, as different regions have their own local laws.
· The best approach is to have a global policy that can be amended by each region as per its local laws and requirements.
Policy Exceptions
· Exceptions to policy are required in a few cases where the benefits exceed the costs or where taking the risk is justified by the relevant benefits.
· An exception to policies and procedures should only be allowed through a documented and formal escalation process.
· There should be a structured process for granting exceptions, not merely the judgement of the process owner or manager.
· It is always advisable to validate the exception before reporting it. This helps rule out any false positives.
Effectiveness of Security Programs
· Adherence to information security requirements is the best metric for monitoring the effectiveness of a security program.
· If exceptions are minimal, it indicates that employees are aware of the security requirements.
· More exceptions indicate a lack of awareness among employees and that the information security program is not effective.
Control Categories
The risk practitioner should evaluate the current control environment to determine the effectiveness, efficiency and adequacy of the controls implemented. For effective control management, the risk practitioner should determine:
· whether controls are adequate
· whether controls have any scope for being bypassed
· whether controls are reviewed and tested
· whether segregation of duties is maintained
The risk practitioner should be aware of the following control categories:
Control Category | Description
Preventive | Objective is to prevent an event from occurring. Examples include locked doors, user authentication, encryption etc.
Detective | Objective is to detect an event. Examples include audit, IDS, CCTV cameras, checksums etc.
Corrective | Objective is to correct errors or omissions. Examples include data backup, forward error control etc.
Deterrent | Objective is to deter an event by providing a warning. Examples include warning signs etc.
Directive | Objective is to mandate behaviour by specifying do's and don'ts. An example is an acceptable usage policy.
Compensating | Objective is to address the absence of a control, or a weak control, in a particular domain. An example is a weak physical control compensated by a stringent logical access control.
New System and Infrastructure
The most important requirement for setting up an information security infrastructure for a new system is to conduct a risk assessment before implementation. The risk assessment should primarily include:
§ Business justification for new system
§ Capability of existing infrastructure to support new system
§ Security assessment of new systems
Segregation of duties
· Segregation of duties (SoD) requires more than one person to complete a task. The objective of segregation of duties is to prevent fraud and error.
· A violation of segregation of duties means the same person performs two different functions that were segregated to prevent fraud.
· To prevent SoD violations, a person should be given role-based access and should not have access to any role for which they are not authorized.
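The two SoD points above translate into two checks an access-management system can run: a detective one over existing role assignments (who already holds two functions that should be split) and a preventive one at grant time (refuse a role that conflicts with one the person already holds). The following is an added example written for these notes, not code from the original page; the role names, user assignments and conflict pairs are constructed sample data.

```python
"""Role-based access with a segregation-of-duties (SoD) check.

Added illustration of the SoD notes above; not code from the original
page. The roles, users and conflict pairs below are constructed sample
data, not any organization's real assignments.
"""
from itertools import combinations

# Constructed: pairs of roles that a single person must never hold at the
# same time, because one role would let that person approve their own work.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Constructed: current role assignments (user -> set of roles held).
ASSIGNMENTS = {
    "alice": {"create_vendor", "view_reports"},
    "bob": {"submit_expense", "approve_expense"},   # holds both sides of a split duty
    "carol": {"develop_code", "view_reports"},
    "dave": {"approve_payment", "approve_expense"},  # two approvals, but not a listed conflict
}


def find_violations(assignments, conflicts=SOD_CONFLICTS):
    """Detective check: return {user: [(role_a, role_b), ...]} for every user
    who already holds two roles that the conflict matrix says must be split."""
    violations = {}
    for user, roles in assignments.items():
        hits = [
            tuple(sorted(pair))
            for pair in map(frozenset, combinations(sorted(roles), 2))
            if pair in conflicts
        ]
        if hits:
            violations[user] = hits
    return violations


def can_grant(user, new_role, assignments, conflicts=SOD_CONFLICTS):
    """Preventive check run before a role is granted: return (allowed, reason).
    A grant is refused when new_role conflicts with any role the user already holds."""
    held = assignments.get(user, set())
    for role in held:
        if frozenset({role, new_role}) in conflicts:
            return False, f"{new_role!r} conflicts with already-held role {role!r}"
    return True, "no SoD conflict"


if __name__ == "__main__":
    # Periodic review of the access matrix (detective).
    for user, pairs in find_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    # Gate on a requested grant (preventive).
    print(can_grant("alice", "approve_payment", ASSIGNMENTS))
    print(can_grant("carol", "view_reports", ASSIGNMENTS))
```

The conflict matrix is the policy artefact here: it records which function pairs the organization has decided to segregate, and both checks read from it rather than hard-coding rules, so a change to the policy is a change to data, not code.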
Key aspects from CRISC exam perspective
CRISC Question | Possible Answer
Policy that determines the level of information protection within the organization | Data classification policy
Most important requirement for setting up an information security infrastructure for a new system | Risk assessment
Primary influencer for data retention policy | Business requirements; legal and contractual requirements
Greatest risk of inadequate ownership | Inappropriate access rights
Best approach for creating a policy for a global organization | A global policy that is locally amended to comply with local laws
Best approach for exception management | Documented escalation process
Violation of segregation of duties can be prevented by | Role-based access
Document that provides the status of all currently identified risks along with corrective actions and residual risk | Risk register
Primary influencer for the risk appetite of the organization | The culture and predisposition toward risk taking
Example of a management control | Security policy
Primary reason for a policy exception process | To allow an exception when the risk is justified by the benefit
Best metric to monitor the information security program | Adherence to information security requirements
Password is an example of | Preventive control
Most important for selecting an appropriate risk management methodology | Risk culture of the organization