Understanding the Three Lines of Defence
The first line of defence is provided by front line staff and operational management.
The second line of defence is provided by the risk management and compliance functions.
The third line of defence is provided by the internal audit function.
Why is risk management important?
Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
Categories of risks
Cyber risk
Operational risk
Geopolitical risk
Legal risk
Compliance/regulatory risk
Financial risk
Strategic risk
Environmental risk
Steps of the risk management process
Identify the risk
Analyze the risk
Prioritize the risk
Treat the risk
Monitor the risk
LOD1.5 - between LOD1 and LOD2: in most organizations the key responsibilities of LOD1.5 include (but are not limited to):
Manage all risk and compliance related matters, including the MAS TRM guidelines.
Work on RFIs raised by the internal audit team and coordinate with the application, infrastructure and other teams to collect the artifacts.
Risk event reporting.
Maintain and mitigate EOS/EOL products.
Risk Control Self Assessment (RCSA) (in some organizations another department handles this).
Control testing to check the effectiveness of controls.
Vulnerability assessment and patch management process.
Third party risk management (TPRM).
Cyber defense review.
Manage internal audit queries on regulatory compliance.
ID management cleanup (IAM / CyberArk).
Source code review (SAST/DAST etc.) and artifact verification.
Enhance risk management policies and procedures.
Conduct risk assessments of emerging technology risk.
Creating the information and cyber security policy is mainly the responsibility of Risk Management (GRC analyst) roles.
For more details refer to: Information & Cyber Security Policy
The risk management framework and risk assessment are two different aspects. Establishing the risk management framework is at the centre of the risk management process; risk assessment and the other activities revolve around it.
Major Types of IT Risk Management Framework:
The ISO catalogue is among the most recognized and leading risk management references for certifying your organization's security capabilities and practices.
NIST, the National Institute of Standards and Technology, is responsible for publishing a number of process guides and IT risk management frameworks.
Designated for U.S. federal information systems, NIST 800-53 and the NIST CSF are the most notable documents; NIST 800-53 provides a robust catalogue of security and privacy controls.
How to Establish Risk Management Framework
1. Preparation
a) Create Strategy
b) Assign roles and responsibilities
c) Identify Stakeholders
The preparation stage sets the tone for the rest of the framework.
2. Categorize System
a) Create Inventory documents including all the assets
b) Categorize them based on Federal Information Processing Standards (FIPS) and NIST 800-60 guidelines (go through this)
How to categorize, one example:
Let's say asset XYZ has Confidentiality: High, Integrity: Low, Availability: Medium. The High/Low/Medium values are taken from the NIST 800-60 documents attached above and are defined based on the asset category. We take the highest rank of the three, so here the asset category is High.
3. Select Controls
a) Based on the category we have to select the controls. For the above example we have to select all the controls applicable to the High category. There will be multiple controls for one asset category: refer to the NIST 800-60 guidelines.
4. Implement Control
This is one of the most time-consuming stages in the whole process.
a) To implement the controls refer to the NIST SP 800-53 guideline.
b) Create a System Security Plan (SSP) describing each implemented control in detail. Refer to guideline: NIST 800-18
c) Each control should be written up in detail in the SSP document to cover the entire requirement for that category.
5. Assess Controls
An independent internal audit can be performed to assess the controls. Refer to guideline NIST 800-53A.
6. Authorize System
An authorizing person or governance body of the organization can authorize/verify all the systems.
7. Monitor Control
Continuously review and monitor the control and update the risk management framework.
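The categorization in step 2 and the baseline selection in step 3 above, as an added example that is not part of the original page: the FIPS 199 high-water mark is applied per asset and then across a whole system inventory. The three-asset inventory and the baseline lists are constructed for illustration; the baseline entries are only a small subset of the real NIST SP 800-53 baselines.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal rank of the FIPS 199 impact levels. The page writes "Medium" where
# FIPS 199 says "Moderate"; both spellings are accepted.
LEVEL_RANK: Dict[str, int] = {"LOW": 1, "MODERATE": 2, "MEDIUM": 2, "HIGH": 3}
RANK_LEVEL: Dict[int, str] = {1: "Low", 2: "Moderate", 3: "High"}

# Illustrative subset of the SP 800-53 control baselines, enough to show that
# baselines nest (High includes Moderate includes Low). The authoritative,
# complete lists are in NIST SP 800-53B, not here.
BASELINE: Dict[str, List[str]] = {
    "Low": ["AC-2", "AU-2", "IA-2"],
    "Moderate": ["AC-2", "AU-2", "IA-2", "SC-8"],
    "High": ["AC-2", "AU-2", "IA-2", "SC-8", "AU-10"],
}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

def level_rank(level: str) -> int:
    """Map a level label to its rank, rejecting anything outside the scale."""
    try:
        return LEVEL_RANK[level.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown impact level: {level!r}") from None

def categorize(asset: Asset) -> str:
    """High-water mark: the asset's category is the highest of C, I and A."""
    highest = max(level_rank(asset.confidentiality),
                  level_rank(asset.integrity),
                  level_rank(asset.availability))
    return RANK_LEVEL[highest]

def categorize_system(assets: List[Asset]) -> str:
    """A system holding several assets inherits the highest category among
    them: the same high-water mark applied across the inventory."""
    if not assets:
        raise ValueError("a system must hold at least one asset")
    return RANK_LEVEL[max(level_rank(categorize(a)) for a in assets)]

def select_baseline(category: str) -> List[str]:
    """Step 3: every control in the baseline for the category applies."""
    return list(BASELINE[RANK_LEVEL[level_rank(category)]])

if __name__ == "__main__":
    # The page's example asset XYZ plus two constructed assets on one system.
    inventory = [Asset("XYZ", "High", "Low", "Medium"),
                 Asset("Payroll-DB", "Medium", "Medium", "Low"),
                 Asset("Intranet-Wiki", "Low", "Low", "Low")]
    for a in inventory:
        print(f"{a.name}: {categorize(a)}")
    system = categorize_system(inventory)
    print("system category:", system, "-> baseline:", select_baseline(system))
```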
What is the purpose of risk assessment?
Most companies perform a risk assessment to decide the audit universe (i.e. the departments / functions / lines of business) that will be part of the internal audit. This is called risk based internal audit. Another aspect of the risk assessment process is to evaluate hazards/assets and then minimize their level of risk by adding control measures as necessary; this includes internal control and self-assessment.
How to conduct a Risk Assessment
The key aspects of an information security risk assessment are identifying and assessing the risks to the confidentiality, integrity and availability of information systems and resources.
In order to conduct a risk assessment we first have to understand the following:
Identify what assets need to be protected.
Understand the financial impact of risks.
Determine the budget and resources for protection.
Which assets can remain unprotected.
Plan for the future to mitigate the risk.
There are multiple frameworks that outline risk assessment: ISO 27005, NIST SP 800-30 and COSO ERM. NIST is one of the most popular.
Core Activities to perform Risk Assessments
1. Identify Assets: the critical assets of the organization, including applications, databases, servers, hardware, software, processes and people.
2. Identify Vulnerabilities: collect all the potentially vulnerable systems (i.e. old systems, end of life products, systems with weak passwords, etc.).
3. Identify Threats: identify all the active threats that could have a potential impact; threat intelligence can be useful to collect this.
4. Risk Prioritization: determine the impact and likelihood of all the items or assets and rank them accordingly (Risk = Likelihood X Impact). Document the whole risk assessment process.
5. Risk Treatment and Monitoring: design and identify the controls based on the risk priority. Continuously review and monitor the controls.
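Core activities 4 and 5 above (Risk = Likelihood X Impact, ranking, and deciding what to treat) worked through as an added example, not part of the original page. The 1..5 scales, the rating bands and the four-entry register are constructed; the bands were chosen so that "Unlikely" x "Extreme" rates as Moderate, matching the RCSA example later on this page, and the appetite threshold is a parameter the assessor sets.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal 1..5 scales (constructed labels; any consistent scale works).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}

# Constructed rating bands over the 1..25 product (upper bound inclusive).
BANDS: List[Tuple[int, str]] = [(4, "Low"), (10, "Moderate"), (16, "High"), (25, "Extreme")]

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk = Likelihood x Impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        for upper, label in BANDS:
            if self.score() <= upper:
                return label
        raise ValueError(f"score {self.score()} outside the 1..25 matrix")

def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties go to the higher-impact risk, then to the
    asset name so the ordering is deterministic."""
    return sorted(register, key=lambda r: (-r.score(), -IMPACT[r.impact], r.asset))

def treatment(risk: Risk, appetite: int) -> str:
    """Scores above the appetite threshold must be treated (activity 5);
    the rest can be accepted but are still monitored."""
    return "Treat" if risk.score() > appetite else "Accept and monitor"

def report(register: List[Risk], appetite: int) -> List[Tuple[str, int, str, str]]:
    """Documented output of the assessment: (asset, score, rating, decision)."""
    return [(r.asset, r.score(), r.rating(), treatment(r, appetite))
            for r in prioritize(register)]

# Constructed sample register: one asset, threat and vulnerability per entry,
# as collected in activities 1-3.
REGISTER = [
    Risk("HR database", "Unauthorised access", "Accidental over-provisioning", "Unlikely", "Extreme"),
    Risk("Legacy file server", "Malware infection", "End-of-life OS, no patches", "Likely", "Major"),
    Risk("Internal wiki", "Credential stuffing", "Weak password policy", "Possible", "Minor"),
    Risk("Payment gateway", "Supplier outage", "Single vendor, no backup", "Rare", "Extreme"),
]

if __name__ == "__main__":
    for asset, score, label, decision in report(REGISTER, appetite=9):
        print(f"{asset:20} score={score:2} {label:8} -> {decision}")
```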
What is exception handling in Risk Management?
Exception handling is an essential component of risk management and decision making. Even though there are defined policies, procedures, frameworks and processes in place, organizations may come across circumstances that violate existing policies, procedures and defined processes.
One example of a risk exception:
Exception handling can be easily explained using a real world scenario. Assume that your company needs to get a service from a third party service provider who processes and sanitizes your data on your behalf. This third party service provider does not use encryption for your data at rest. Assume that your supplier management policy allows only three months to fix such an issue. Even though the third party supplier has a logical solution to this issue, in reality fixing this kind of issue might take the supplier much longer. This can be considered a violation of your policy, but due to the business requirement you need to get the service from this third party service provider. This is precisely where we start to follow the exception handling process.
PCI DSS (Payment Card Industry Data Security Standard)
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Let's understand how data flows during a card transaction and how we comply with PCI DSS within this cycle:
The customer pays with Mastercard
The payment is authenticated
The transaction is submitted
Authorisation is requested
Authorisation response
Merchant payment
At a high level, PCI DSS has 12 requirements within 6 different categories:
The ISO 27000 series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations.
For more details on ISO 27001 refer to: ISO 27001 Implementation
NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 series addresses virtually every aspect of information security, with an increasing focus on cloud security.
NIST SP 800-53 is the information security benchmark for U.S. government agencies and is widely used in the private sector. SP 800-53 has helped spur the development of information security frameworks, including the NIST Cybersecurity Framework.
NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. It was developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness, as they have all been targeted by nation-state actors due to their importance.
Center for Internet Security (CIS) Critical Security Controls, Version 8 -- formerly the SANS Top 20 -- lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it is solely focused on reducing risk to technical infrastructures.
The 18 CIS Controls include the following:
Inventory and Control of Enterprise Assets.
Data Protection.
Audit Log Management.
Malware Defenses.
Penetration Testing.
The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business.
The third-party risk management process involves identifying critical vendors, continuously monitoring vendor security postures and remediating security risks before they develop into breaches.
Before we dig deep into TPRM, we first need to address a very common question: “What’s the difference between vendor risk management (VRM) and third-party risk management (TPRM)?”
VRM is all about vetting partners, suppliers and vendors to make sure they meet certain conditions. These conditions, along with the expectations for each party, are detailed within the vendor contract, and include things like information security and regulatory compliance requirements. For example, you might specify how often a vendor audit needs to take place, or the password complexity requirements for anyone accessing your data. TPRM goes even deeper and includes every single third party, like partners, government agencies, your franchises, or charities to which you donate your time or money, as well as all of your vendors. In this case, these organizations may require access to sensitive company data (e.g., to demonstrate compliance with government regulators), but you often have no ability to define who accesses it or how they use it—and there’s a good chance you can’t audit it. TPRM often starts with VRM; it’s the foundation on which TPRM is built. Organizations will begin with a VRM program and, as they grow and mature, they’ll identify a need to address the specific and frequently disparate risks that a growing list of third parties present.
Cybersecurity risk: The risk of exposure or loss resulting from a cyberattack, security breach, or other security incidents. Cybersecurity risk is often mitigated via a due diligence process before onboarding a vendor and continuous monitoring throughout the vendor lifecycle.
Operational risk: The risk of a third party causing disruption to the business operations. This is typically managed through contractually bound service level agreements (SLAs) and business continuity and incident response plans. Depending on the criticality of the vendor, you may opt to have a backup vendor in place, which is common practice in the financial services industry.
Legal, regulatory, and compliance risk: The risk of a third party impacting your compliance with local legislation, regulation, or agreements. This is particularly important for financial services, healthcare, government organizations, and business partners.
Reputational risk: The risk of negative public opinion due to a third party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor data security.
Financial risk: The risk that a third party will have a detrimental impact on the financial success of your organization. For example, your organization may be unable to sell a new product due to poor supply chain management.
Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
Antivirus and End Point Security
In the Endpoint security vs. Antivirus comparison, you can say that Antivirus is the starting point of your security suite, while Endpoint security is the advanced step.
Antivirus – uses signature-based threat detection, so more advanced threats, like fileless malware, can bypass this security solution. Once it infiltrates an endpoint, malware can infect an entire network.
Endpoint security – uses a firewall to identify even the most sophisticated threats. It detects even the newest ones, which are not yet included in a threat signature database.
Fileless infections are exactly what they seem to be: malware or virus infections that don’t use any files in the process.
To understand their name, all we need is a very quick recap of how traditional antivirus products work:
The infection places files on the hard drive
The antivirus analyzes the malicious files (aka the payload)
If identified, the antivirus quarantines and/or removes the malicious files, keeping your computer safe.
These infections were called fileless because no files are dropped onto the system.
Let’s dive deeper into the features that set Antivirus and Endpoint security apart. This way, you will have a better understanding of these two options and will make an informed decision regarding your company’s security.
Antivirus – will monitor the device on which it is installed to find viruses or malware. It will do so at a certain time, as scheduled.
Endpoint security – will scan all the devices on a network for threats, anomalies, and suspicious behavior. This solution is more efficient because it scans your endpoints continuously, leaving less room for error.
Antivirus – when a virus is found, the Antivirus software will send an alert so the user can deal with the threat.
Endpoint security – once a threat is detected, the software removes it immediately. Doing this without human assistance saves precious time. Endpoint security solutions can also sandbox a suspicious file, isolating it until it is categorized as innocent or malicious software.
Antivirus – usually, this type of security software stands alone. Antivirus will not integrate with any other tools or programs that could enhance its features.
Endpoint security – it is designed to integrate easily with other security components. This creates a smooth security system that offers better protection to your endpoints and the entire network.
Antivirus – it focuses only on malware protection, with no other data protection features. If a file does not contain malware, it is not of interest to an Antivirus solution.
Endpoint security – can mitigate data loss on your endpoints. For this it uses data traffic monitoring, identifies suspicious patterns, and encrypts information.
Risk and Control Self-Assessment (RCSA)
At the heart of enterprise risk management (ERM) is the risk and control self-assessment (RCSA) framework. The objective of this process is to identify, analyse and understand your key business risks and their related controls, to evaluate those against your risk appetite and the desired risk levels, and to see if you need to make any improvements.
Identify business objectives
Identify operating model
Identify the risk
Assess the risk (using likelihood and impact)
Evaluate against the appetite
Identify issues and actions
Monitor and review
Incident management
So step number one, is identification of the business's objectives. Step number two is to identify the operating model, the key processes that need to be working to be able to deliver against those objectives and only now can we then go to step three, identify the risks that could cause the operating model to fail or not deliver the expected outcome.
Once we've identified the risks, we then need to assess the risks, typically using likelihood and impact. Once we've assessed and analysed the size of the risk, we need to evaluate it against our risk appetite (risk evaluation) and determine whether we need to make any improvements if it is outside of appetite.
If we do need to make improvements, this allows us to identify any issues, control weaknesses and control gaps, and from there we can identify the actions required to remediate those. This then moves us on to repeating the process on a periodic basis: ongoing monitoring and review. And finally, there is the importance of recording and reporting the risk assessment. This is often done in a traffic light report using red, amber and green.
They're the basic building blocks of the risk assessment process.
Let’s take a specific sample risk example, particularly common in today’s work: the risk of unauthorised access to sensitive or employee data. We can go through the key steps of the risks and controls process to identify the risk, identify the controls, assess and analyse the risk, evaluate against risk appetite, and determine issues and actions.
Risk: The risk of sensitive data and employee data being exposed due to unauthorised access resulting in a breach of regulation
Cause: People – accidental mistake
Impact: Financial – regulatory fines
Risk owner: Head of IT
Key controls: Access to system requires authentication, data is encrypted
Controls rating: Effective
Risk likelihood: Unlikely
Risk consequence: Extreme
Overall risk rating: Moderate
Accept or treat: Accept – controls are in place to mitigate risk to acceptable level
Action plans: Continue monitoring IT data access on a fortnightly basis
As you’ll see when you download our RCSA framework template, the structure of the template prompts you to fill out the example in the way that brings out risks and controls most effectively.