This is one of the most important topics in the CISSP exam, and I would say Risk Management is also something we all actually do in our day-to-day tasks. Hence, for every security professional this is a must-know topic.
Before we get into the details of Risk Management, let's answer the questions below.
- What is Risk Management? – It is the process of identification, assessment, analysis, and mitigation or transfer of risk.
- Why is Risk Management required? – If an organisation is negligent in risk management, its assets can be compromised.
- How do you do Risk Management? – We will discuss this in detail.
- When do you do Risk Management? – It must be performed annually, or more frequently if there are significant changes in your environment, e.g. acquisitions or mergers, expanding your facility, or moving into a new facility.
Before we begin to understand “Risk Management”, let's take some time to understand “Risk Terminology”:
- Asset: Anything that needs to be protected.
- Asset Valuation: Assigning a dollar value to an asset.
- Threat: Anything that could create an unwanted outcome for an organization, or for all or part of an asset.
- Vulnerability: A weakness in an asset; the absence of a safeguard or countermeasure.
- Threat Agent: The entity that carries out the attack. It could be a person, a program, hardware or a system.
- Threat Events: Accidental or intentional exploitations of vulnerabilities. These can be man-made or natural, such as fire, earthquake or flood.
- Exposure: Being vulnerable to asset loss.
- Risk: The probability that a threat will exploit a vulnerability.
- Controls: Safeguards or countermeasures.
- Attack: The exploitation of a vulnerability by a threat agent.
- Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
The diagram below illustrates how these terms connect into the complete picture.
Refer to the mindmap below for a summary of Risk Terminology.